Merge branch 'release_v4.28.0' into 'develop'

Release Branch : v4.28.0

See merge request threat-research/security_content!1446

detections/application/splunk_authentication_token_exposure_in_debug_log.yml

@@ -0,0 +1,54 @@
+name: Splunk Authentication Token Exposure in Debug Log
+id: 9a67e749-d291-40dd-8376-d422e7ecf8b5
+version: 1
+date: '2024-03-18'
+author: Rod Soto, Chase Franklin
+type: TTP
+status: production
+data_source: []
+description: This detection search finds exposed authentication tokens in debug logs. This issue occurs in Splunk Enterprise versions below 9.2.1, 9.1.4, and 9.0.9, which may be affected by a vulnerability where JsonWebTokens can be exposed if the log level is set to DEBUG. 
+search: '`splunkd` component=JsonWebToken log_level=DEBUG eventtype="splunkd-log" event_message="Validating token:*" 
+  | rex "Validating token: (?<token>.*)\.$" 
+  | search token!=None 
+  | stats count min(_time) as firstTime max(_time) as lastTime values(log_level) as log_level values(event_message) as event_message by index, sourcetype, host, token 
+  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)`
+  | `splunk_authentication_token_exposure_in_debug_log_filter`'
+how_to_implement: Requires access to internal Splunk indexes. 
+known_false_positives: Only applies to affected versions of Splunk Enterprise below 9.2.1, 9.1.4, and 9.0.9
+references:
+- https://advisory.splunk.com/advisories/SVD-2024-0301
+tags:
+  analytic_story:
+  - Splunk Vulnerabilities
+  asset_type: endpoint
+  confidence: 100
+  cve:
+  - CVE-2024-29945
+  impact: 50
+  message: Possible JsonWebToken exposure, please investigate affected $host$
+  mitre_attack_id:
+  - T1654
+  observable:
+  - name: host
+    type: Hostname
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Cloud
+  required_fields:
+  - component
+  - log_level
+  - eventtype
+  - event_message 
+  - host
+  risk_score: 50
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1654/splunk/jsonwebtokenplaintokensvd_splunkd.log
+    source: /opt/splunk/var/log/splunk/splunkd.log
+    sourcetype: splunkd
+    custom_index: _internal

detections/application/splunk_command_and_scripting_interpreter_risky_commands.yml

@@ -48,13 +48,15 @@ known_false_positives: False positives will be present until properly filtered b
 references:
 - https://docs.splunk.com/Documentation/Splunk/latest/Security/SPLsafeguards#Commands_that_trigger_the_warning
 - https://www.github.com/splunk/security_content/blob/develop/workbooks/splunk_psa_0622.json
+- https://advisory.splunk.com/advisories/SVD-2024-0302
 tags:
   analytic_story:
   - Splunk Vulnerabilities
   asset_type: Web Server
   confidence: 40
   cve:
   - CVE-2022-32154
+  - CVE-2024-29946
   impact: 50
   message: A risky Splunk command has ran by $user$ and should be reviewed.
   mitre_attack_id:

detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml

@@ -34,7 +34,7 @@ references:
 tags:
   analytic_story:
   - Compromised User Account
-  - AWS Identity and Access Management Account
+  - AWS Identity and Access Management Account Takeover
   asset_type: AWS Account
   confidence: 60
   impact: 70

detections/cloud/gsuite_outbound_email_with_attachment_to_external_domain.yml

@@ -1,10 +1,10 @@
 name: Gsuite Outbound Email With Attachment To External Domain
 id: dc4dc3a8-ff54-11eb-8bf7-acde48001122
-version: 1
-date: '2021-08-17'
+version: 2
+date: '2024-03-25'
 author: Teoderick Contreras, Stanislav Miskovic, Splunk
 status: production
-type: Anomaly
+type: Hunting
 description: This search is to detect a suspicious outbound e-mail from internal email
   to external email domain. This can be a good hunting query to monitor insider or
   outbound email traffic for not common domain e-mail. The idea is to parse the domain
@@ -33,11 +33,15 @@ tags:
   asset_type: GSuite
   confidence: 30
   impact: 30
-  message: suspicious email from $source.address$ to $destination{}.address$
+  message: Suspicious email from $src_domain_list$ to $dest_domain$
   mitre_attack_id:
   - T1048.003
   - T1048
   observable:
+  - name: src_domain_list
+    type: Email Address
+    role:
+    - Victim
   - name: dest_domain
     type: IP Address
     role:
@@ -48,6 +52,12 @@ tags:
   - Splunk Cloud
   required_fields:
   - _time
+  - source.from_header_address
+  - destination.address
+  - num_message_attachments
+  - dest_domain 
+  - phase 
+  - severity
   risk_score: 9
   security_domain: endpoint
 tests:

detections/endpoint/detect_excessive_account_lockouts_from_endpoint.yml

@@ -1,7 +1,7 @@
 name: Detect Excessive Account Lockouts From Endpoint
 id: c026e3dd-7e18-4abb-8f41-929e836efe74
-version: 7
-date: '2024-02-14'
+version: 8
+date: '2024-03-19'
 author: David Dorsey, Splunk
 status: production
 type: Anomaly
@@ -32,7 +32,7 @@ known_false_positives: It's possible that a widely used system, such as a kiosk,
 references: []
 tags:
   analytic_story:
-  - Account Monitoring and Controls
+  - Active Directory Password Spraying
   asset_type: Windows
   confidence: 60
   impact: 60

detections/endpoint/detect_excessive_user_account_lockouts.yml

@@ -1,7 +1,7 @@
 name: Detect Excessive User Account Lockouts
 id: 95a7f9a5-6096-437e-a19e-86f42ac609bd
-version: 4
-date: '2022-08-25'
+version: 5
+date: '2024-03-19'
 author: David Dorsey, Splunk
 status: production
 type: Anomaly
@@ -22,7 +22,7 @@ known_false_positives: It is possible that a legitimate user is experiencing an
 references: []
 tags:
   analytic_story:
-  - Account Monitoring and Controls
+  - Active Directory Password Spraying
   asset_type: Windows
   confidence: 60
   impact: 60

detections/endpoint/short_lived_windows_accounts.yml

@@ -1,7 +1,7 @@
 name: Short Lived Windows Accounts
 id: b25f6f62-0782-43c1-b403-083231ffd97d
-version: 2
-date: '2020-07-06'
+version: 3
+date: '2024-03-19'
 author: David Dorsey, Splunk
 status: production
 type: TTP
@@ -23,7 +23,7 @@ known_false_positives: It is possible that an administrator created and deleted
 references: []
 tags:
   analytic_story:
-  - Account Monitoring and Controls
+  - Active Directory Lateral Movement
   asset_type: Windows
   confidence: 90
   impact: 70

detections/endpoint/windows_create_local_account.yml

@@ -1,7 +1,7 @@
 name: Windows Create Local Account
 id: 3fb2e8e3-7bc0-4567-9722-c5ab9f8595eb
-version: 1
-date: '2022-10-05'
+version: 2
+date: '2024-03-19'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
@@ -24,7 +24,7 @@ references:
 - https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/
 tags:
   analytic_story:
-  - Account Monitoring and Controls
+  - Active Directory Password Spraying
   asset_type: Endpoint
   confidence: 90
   impact: 20

pipeline/.generate.yml

@@ -15,7 +15,7 @@ generate_escu:
     - poetry install
   script:
     - >
-      if [[ "$CI_COMMIT_TAG" =~ ^4\.[0-9]+\.[0-9]+$ ]]; then
+      if [[ "$CI_COMMIT_TAG" =~ ^v?[1-9]\.[0-9]+\.[0-9]+$ ]]; then
         echo "Tagged build - Enabling Enrichment"
         poetry run contentctl -p ../ --enable_enrichment build
       else
@@ -24,7 +24,7 @@ generate_escu:
       fi
     - cd ..
     - mkdir artifacts
-    - mv dist/DA-ESS-ContentUpdate-latest.tar.gz artifacts/
+    - mv dist/DA-ESS-ContentUpdate-* artifacts/
 
 generate_ba:
   stage: generate
@@ -43,7 +43,7 @@ generate_ba:
     - poetry install
   script:
     - |
-      if [[ "$CI_COMMIT_TAG" =~ ^4\.[0-9]+\.[0-9]+$ ]]; then
+      if [[ "$CI_COMMIT_TAG" =~ ^v?[1-9]\.[0-9]+\.[0-9]+$ ]]; then
         poetry run contentctl -p ../ --enable_enrichment build -t ssa
         cd .. 
         mkdir artifacts
@@ -72,7 +72,7 @@ generate_api:
     - poetry install
   script:
     - >
-      if [[ "$CI_COMMIT_TAG" =~ ^4\.[0-9]+\.[0-9]+$ ]]; then
+      if [[ "$CI_COMMIT_TAG" =~ ^v?[1-9]\.[0-9]+\.[0-9]+$ ]]; then
         poetry run contentctl -p ../ --enable_enrichment build -t api
       else
         poetry run contentctl -p ../ build -t api

pipeline/.release.yml

@@ -88,8 +88,11 @@ attack_range_escu_app:
 push_sse_json_to_artifactory:
   stage: release
   needs:
-    - app_inspect
+    - github_push_develop
   before_script:
+    - 'NEW_VERSION=$(echo $CI_COMMIT_TAG | sed "s/^v//")'
+    - 'echo "Updating contentctl.yml version: $NEW_VERSION"'
+    - 'sed -i "s/version: [0-9]*\.[0-9]*\.[0-9]*/version: $NEW_VERSION/" contentctl.yml'
     - pip3 install poetry
     - git submodule update --init contentctl
     - cd contentctl
@@ -101,7 +104,7 @@ push_sse_json_to_artifactory:
   script:
     - creds-helper init
     - eval $(creds-helper artifactory --eval $ARTIFACTORY_GENERIC_WRITE_ROLE)
-    - curl -u $ARTIFACTORY_AUTHORIZATION -X PUT $ARTIFACTORY_BASE_URL/generic/threat-research-security-content/$CI_COMMIT_TAG/sse.tar.gz -T sse.tar.gz
+    - curl -u $ARTIFACTORY_AUTHORIZATION -X PUT $ARTIFACTORY_BASE_URL/generic/threat-research-security-content/$CI_COMMIT_TAG/$CI_PIPELINE_ID/sse.tar.gz -T sse.tar.gz
   rules:
     - if: '$CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]$/'
 
@@ -116,6 +119,7 @@ trigger_downstream_sse_json_release:
   variables:
     UPSTREAM_ESCU_VERSION: $CI_COMMIT_TAG
     IS_DOWNSTREAM_SSE_JSON_RELEASE: "True"
+    PARENT_PIPELINE_ID: $CI_PIPELINE_ID
   trigger:
     project: securitycontent/security-content-automation
     branch: main
@@ -148,6 +152,10 @@ update_gitlab_dist:
       - artifacts/*
     expire_in: 14 days
   before_script:
+    - 'echo "Current CI_COMMIT_TAG: $CI_COMMIT_TAG"'
+    - 'NEW_VERSION=$(echo $CI_COMMIT_TAG | sed "s/^v//")'
+    - 'echo "Updating contentctl.yml version: $NEW_VERSION"'
+    - 'sed -i "s/version: [0-9]*\.[0-9]*\.[0-9]*/version: $NEW_VERSION/" contentctl.yml'
     - pip3 install poetry
     - git submodule update --init contentctl
     - cd contentctl
@@ -164,10 +172,7 @@ update_gitlab_dist:
     - git remote set-url origin https://PUSH_DIST_VIA_CI:[email protected]/threat-research/security_content.git
     - git fetch --all
     - git checkout develop
-    - 'echo "Current CI_COMMIT_TAG: $CI_COMMIT_TAG"'
-    - 'NEW_VERSION=$(echo $CI_COMMIT_TAG | sed "s/^v//")'
-    - 'echo "Updating contentctl.yml version: $NEW_VERSION"'
-    - 'sed -i "s/version: [0-9]*\.[0-9]*\.[0-9]*/version: $NEW_VERSION/" contentctl.yml'
+    - git add contentctl.yml
     - git add dist/api/*
     - git add dist/DA-ESS-ContentUpdate/*
     - git add dist/ssa/*
@@ -206,6 +211,10 @@ github_push_develop:
     - git checkout -b $BRANCH
     - git config merge.submodule ignore
     - git merge github_origin/develop -X theirs || true
+    # Update contentctl.yml version after merge with theirs
+    - 'NEW_VERSION=$(echo $CI_COMMIT_TAG | sed "s/^v//")'
+    - 'echo "Updating contentctl.yml version: $NEW_VERSION"'
+    - 'sed -i "s/version: [0-9]*\.[0-9]*\.[0-9]*/version: $NEW_VERSION/" contentctl.yml'
     - cd contentctl && git checkout main && cd ..
     - git add contentctl
     - cd contentctl/

pipeline/.validate.yml

@@ -8,7 +8,7 @@ validate_escu:
     - poetry install
   script:
     - >
-      if [[ "$CI_COMMIT_TAG" =~ ^4\.[0-9]+\.[0-9]+$ ]]; then
+      if [[ "$CI_COMMIT_TAG" =~ ^v?[1-9]\.[0-9]+\.[0-9]+$ ]]; then
         echo "Tagged build - Enabling Enrichment"
         poetry run contentctl -p ../ --enable_enrichment validate
       else
@@ -26,7 +26,7 @@ validate_ba:
     - poetry install
   script:
      - >
-      if [[ "$CI_COMMIT_TAG" =~ ^4\.[0-9]+\.[0-9]+$ ]]; then
+      if [[ "$CI_COMMIT_TAG" =~ ^v?[1-9]\.[0-9]+\.[0-9]+$ ]]; then
         echo "Tagged build - Enabling Enrichment"
         poetry run contentctl -p ../ --enable_enrichment validate -t ssa
       else

playbooks/Active_Directory_Enable_Account_Dispatch.yml

@@ -9,9 +9,9 @@ playbook: Active_Directory_Enable_Account_Dispatch
 how_to_implement: This automatic playbook requires the "enable_account" tag be present on each input playbook you want to launch.
 references: []
 app_list: 
-  - microsoft_ad_ldap
-  - azure_ad_graph
-  - aws_iam
+  - AD LDAP
+  - Azure AD Graph
+  - AWS IAM
 tags:
   platform_tags:
     - user