-
Notifications
You must be signed in to change notification settings - Fork 375
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
12 changed files
with
465 additions
and
10 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
64 changes: 64 additions & 0 deletions
64
detections/endpoint/windows_new_custom_security_descriptor_set_on_eventlog_channel.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,64 @@ | ||
| name: Windows New Custom Security Descriptor Set On EventLog Channel | ||
| id: c0e5dd5a-2117-41d5-a04c-82a762a86a38 | ||
| version: 1 | ||
| date: '2024-12-06' | ||
| author: Nasreddine Bencherchali, Michael Haag, Splunk | ||
| status: production | ||
| type: Anomaly | ||
| description: The following analytic detects suspicious modifications to the EventLog security descriptor registry value for defense evasion. It leverages data from the Endpoint.Registry data model, focusing on changes to the "CustomSD" value within the "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\<Channel>\CustomSD" path. This activity is significant as changes to the access permissions of the event log could blind security products and help attackers evade defenses. If confirmed malicious, this could allow attackers to block users and security products from viewing, ingesting and interacting event logs. | ||
| data_source: | ||
| - Sysmon EventID 13 | ||
| search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE Registry.registry_path= "*\\Services\\Eventlog\\*" AND Registry.registry_value_name=CustomSD BY Registry.dest Registry.registry_value_data Registry.action Registry.process_guid Registry.process_id Registry.registry_key_name Registry.user Registry.registry_value_name | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_new_custom_security_descriptor_set_on_eventlog_channel_filter`' | ||
| how_to_implement: To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 | ||
| known_false_positives: None identified, setting up the "CustomSD" value is considered a legacy option and shouldn't be a common activity. | ||
| references: | ||
| - https://learn.microsoft.com/en-us/troubleshoot/windows-server/group-policy/set-event-log-security-locally-or-via-group-policy | ||
| - https://attack.mitre.org/techniques/T1562/002/ | ||
| drilldown_searches: | ||
| - name: View the detection results for - "$dest$" and "$user$" | ||
| search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' | ||
| earliest_offset: $info_min_time$ | ||
| latest_offset: $info_max_time$ | ||
| - name: View risk events for the last 7 days for - "$dest$" and "$user$" | ||
| search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' | ||
| earliest_offset: $info_min_time$ | ||
| latest_offset: $info_max_time$ | ||
| tags: | ||
| analytic_story: | ||
| - LockBit Ransomware | ||
| - Defense Evasion or Unauthorized Access Via SDDL Tampering | ||
| asset_type: Endpoint | ||
| confidence: 80 | ||
| impact: 80 | ||
| message: modified/added/deleted registry entry $registry_path$ in $dest$ | ||
| mitre_attack_id: | ||
| - T1562.002 | ||
| observable: | ||
| - name: dest | ||
| type: Hostname | ||
| role: | ||
| - Victim | ||
| - name: user | ||
| type: User | ||
| role: | ||
| - Victim | ||
| product: | ||
| - Splunk Enterprise | ||
| - Splunk Enterprise Security | ||
| - Splunk Cloud | ||
| required_fields: | ||
| - _time | ||
| - Registry.dest | ||
| - Registry.registry_value_name | ||
| - Registry.registry_key_name | ||
| - Registry.registry_path | ||
| - Registry.registry_value_data | ||
| - Registry.process_guid | ||
| risk_score: 64 | ||
| security_domain: endpoint | ||
| tests: | ||
| - name: True Positive Test | ||
| attack_data: | ||
| - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.002/eventlog_sddl_tampering/eventlog_sddl_tampering_sysmon.log | ||
| source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational | ||
| sourcetype: XmlWinEventLog |
75 changes: 75 additions & 0 deletions
75
detections/endpoint/windows_new_deny_permission_set_on_service_sd_via_sc_exe.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,75 @@ | ||
| name: Windows New Deny Permission Set On Service SD Via Sc.EXE | ||
| id: d0f6a5e5-dbfd-46e1-8bd5-2e2905947c33 | ||
| version: 1 | ||
| date: '2024-12-05' | ||
| author: Nasreddine Bencherchali, Michael Haag, Splunk | ||
| status: production | ||
| type: Anomaly | ||
| description: The following analytic detects changes in a service security descriptor where a new deny ace has been added. It leverages data from Endpoint Detection and Response (EDR) agents, specifically searching for any process execution involving the "sc.exe" binary with the "sdset" flag targeting any service and adding a dedicated deny ace. If confirmed malicious, this could allow an attacker to escalate their privileges, blind defenses and more. | ||
| data_source: | ||
| - Sysmon EventID 1 | ||
| - Windows Event Log Security 4688 | ||
| - CrowdStrike ProcessRollup2 | ||
| search: '| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=sc.exe OR Processes.original_file_name=sc.exe) Processes.process="*sdset *" Processes.process="*(D;*" Processes.process IN ("*;IU*", "*;S-1-5-4*", "*;SU*", "*;S-1-5-6*", "*;BA*", "*;S-1-5-32-544*", "*;SY*", "*;S-1-5-18*", "*;WD*", "*;S-1-1-0*", "*;AU*", "*;S-1-5-11*", "*;LS*", "*;S-1-5-19*") by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_new_deny_permission_set_on_service_sd_via_sc_exe_filter`' | ||
| how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process name, and process original file name. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. | ||
| known_false_positives: None identified. Attempts to add deny aces to services, especially security-related services should be immediately investigated. | ||
| references: | ||
| - https://www.sans.org/blog/red-team-tactics-hiding-windows-services/ | ||
| - https://news.sophos.com/wp-content/uploads/2020/06/glupteba_final-1.pdf | ||
| - https://attack.mitre.org/techniques/T1564/ | ||
| drilldown_searches: | ||
| - name: View the detection results for - "$user$" and "$dest$" | ||
| search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' | ||
| earliest_offset: $info_min_time$ | ||
| latest_offset: $info_max_time$ | ||
| - name: View risk events for the last 7 days for - "$user$" and "$dest$" | ||
| search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' | ||
| earliest_offset: $info_min_time$ | ||
| latest_offset: $info_max_time$ | ||
| tags: | ||
| analytic_story: | ||
| - Defense Evasion or Unauthorized Access Via SDDL Tampering | ||
| asset_type: Endpoint | ||
| confidence: 50 | ||
| impact: 60 | ||
| message: An instance of $parent_process_name$ spawning $process_name$ was identified attempting to disable security services on endpoint $dest$ by user $user$. | ||
| mitre_attack_id: | ||
| - T1564 | ||
| observable: | ||
| - name: user | ||
| type: User | ||
| role: | ||
| - Victim | ||
| - name: dest | ||
| type: Hostname | ||
| role: | ||
| - Victim | ||
| - name: process_name | ||
| type: Process | ||
| role: | ||
| - Attacker | ||
| product: | ||
| - Splunk Enterprise | ||
| - Splunk Enterprise Security | ||
| - Splunk Cloud | ||
| required_fields: | ||
| - _time | ||
| - Processes.dest | ||
| - Processes.user | ||
| - Processes.parent_process_name | ||
| - Processes.parent_process | ||
| - Processes.original_file_name | ||
| - Processes.process_name | ||
| - Processes.process | ||
| - Processes.process_id | ||
| - Processes.parent_process_path | ||
| - Processes.process_path | ||
| - Processes.parent_process_id | ||
| risk_score: 30 | ||
| security_domain: endpoint | ||
| tests: | ||
| - name: True Positive Test | ||
| attack_data: | ||
| - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1564/sc_sdset_tampering/sc_sdset_tampering_sysmon.log | ||
| source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational | ||
| sourcetype: XmlWinEventLog |
64 changes: 64 additions & 0 deletions
64
detections/endpoint/windows_new_eventlog_channelaccess_registry_value_set.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,64 @@ | ||
| name: Windows New EventLog ChannelAccess Registry Value Set | ||
| id: 16eb11bc-ef42-42e8-9d0c-d21e0fa15725 | ||
| version: 1 | ||
| date: '2024-12-06' | ||
| author: Nasreddine Bencherchali, Michael Haag, Splunk | ||
| status: production | ||
| type: Anomaly | ||
| description: The following analytic detects suspicious modifications to the EventLog security descriptor registry value for defense evasion. It leverages data from the Endpoint.Registry data model, focusing on changes to the "CustomSD" value within the "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\<Channel>\CustomSD" path. This activity is significant as changes to the access permissions of the event log could blind security products and help attackers evade defenses. If confirmed malicious, this could allow attackers to block users and security products from viewing, ingesting and interacting event logs. | ||
| data_source: | ||
| - Sysmon EventID 13 | ||
| search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE Registry.registry_path IN ("*\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\*", "*\Microsoft\Windows\EventLog\*") AND Registry.registry_value_name=ChannelAccess BY Registry.dest Registry.registry_value_data Registry.action Registry.process_guid Registry.process_id Registry.registry_key_name Registry.user Registry.registry_value_name | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_new_eventlog_channelaccess_registry_value_set_filter`' | ||
| how_to_implement: To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 | ||
| known_false_positives: False positives may be triggered from newly installed event providers or windows updates, new "ChannelAccess" values must be investigated. | ||
| references: | ||
| - https://web.archive.org/web/20220710181255/https://blog.minerva-labs.com/lockbit-3.0-aka-lockbit-black-is-here-with-a-new-icon-new-ransom-note-new-wallpaper-but-less-evasiveness | ||
| - https://attack.mitre.org/techniques/T1562/002/ | ||
| drilldown_searches: | ||
| - name: View the detection results for - "$dest$" and "$user$" | ||
| search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' | ||
| earliest_offset: $info_min_time$ | ||
| latest_offset: $info_max_time$ | ||
| - name: View risk events for the last 7 days for - "$dest$" and "$user$" | ||
| search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' | ||
| earliest_offset: $info_min_time$ | ||
| latest_offset: $info_max_time$ | ||
| tags: | ||
| analytic_story: | ||
| - LockBit Ransomware | ||
| - Defense Evasion or Unauthorized Access Via SDDL Tampering | ||
| asset_type: Endpoint | ||
| confidence: 50 | ||
| impact: 60 | ||
| message: modified/added/deleted registry entry $registry_path$ in $dest$ | ||
| mitre_attack_id: | ||
| - T1562.002 | ||
| observable: | ||
| - name: dest | ||
| type: Hostname | ||
| role: | ||
| - Victim | ||
| - name: user | ||
| type: User | ||
| role: | ||
| - Victim | ||
| product: | ||
| - Splunk Enterprise | ||
| - Splunk Enterprise Security | ||
| - Splunk Cloud | ||
| required_fields: | ||
| - _time | ||
| - Registry.dest | ||
| - Registry.registry_value_name | ||
| - Registry.registry_key_name | ||
| - Registry.registry_path | ||
| - Registry.registry_value_data | ||
| - Registry.process_guid | ||
| risk_score: 30 | ||
| security_domain: endpoint | ||
| tests: | ||
| - name: True Positive Test | ||
| attack_data: | ||
| - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.002/eventlog_sddl_tampering/eventlog_sddl_tampering_sysmon.log | ||
| source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational | ||
| sourcetype: XmlWinEventLog |
Oops, something went wrong.