Commit
conflicts
research-bot committed Oct 28, 2024
2 parents be939a9 + c000869 commit c830423
Showing 1,611 changed files with 6,746 additions and 12,588 deletions.
Expand Up @@ -15,12 +15,12 @@ references:
- https://github.com/airbus-cert/CVE-2024-4040
- https://www.bleepingcomputer.com/news/security/crushftp-warns-users-to-patch-exploited-zero-day-immediately/
drilldown_searches:
- name: View the detection results for $dest$
search: '%original_detection_search% | search dest = $dest$'
- name: View the detection results for - "$dest$"
search: '%original_detection_search% | search dest = "$dest$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for $dest$
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- name: View risk events for the last 7 days for - "$dest$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
tags:
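Review bot: dropping `endhoursago=1` from the risk-events drilldown changes its window, not only its quoting: the old search stopped one hour before now and the new one runs up to the present, and the "conflicts" commit message does not say whether that is intended; if it is not, restore `starthoursago=168 endhoursago=1` alongside the quoting change. Quoting the token as `"$dest$"` in both drilldowns is the right fix, since an unquoted host name containing spaces or reserved characters would otherwise break the `search dest = $dest$` clause.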
Expand Up @@ -76,10 +76,10 @@ tags:
- Authentication.user
- Authentication.src
security_domain: access
manual_test: The dataset & hardcoded timerange doesn't meet the criteria for this detetion.
manual_test: The dataset & hardcoded timerange doesn't meet the criteria for this detetion.
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/azure_ad_distributed_spray/azure_ad_distributed_spray.log
source: azure:monitor:aad
sourcetype: azure:monitor:aad
sourcetype: azure:monitor:aad
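Review bot: the removed and added lines in this hunk render as character-identical (`manual_test: ...` and `sourcetype: azure:monitor:aad`), so this is a whitespace or line-ending change only; since the `manual_test` line is being touched anyway, fix the typo `detetion` to `detection` in it. Also worth a second look: `source` and `sourcetype` both carry `azure:monitor:aad`, which the attack_data replay accepts but should be confirmed against what the dataset's events actually report.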
19 changes: 3 additions & 16 deletions detections/application/detect_new_login_attempts_to_routers.yml
Expand Up @@ -5,23 +5,10 @@ date: '2024-10-17'
author: Bhavin Patel, Splunk
status: experimental
type: TTP
description: The following analytic identifies new login attempts to routers. It leverages
authentication logs from the ES Assets and Identity Framework, focusing on assets
categorized as routers. The detection flags connections that have not been observed
in the past 30 days. This activity is significant because unauthorized access to
routers can lead to network disruptions or data interception. If confirmed malicious,
attackers could gain control over network traffic, potentially leading to data breaches
or further network compromise.
description: The following analytic identifies new login attempts to routers. It leverages authentication logs from the ES Assets and Identity Framework, focusing on assets categorized as routers. The detection flags connections that have not been observed in the past 30 days. This activity is significant because unauthorized access to routers can lead to network disruptions or data interception. If confirmed malicious, attackers could gain control over network traffic, potentially leading to data breaches or further network compromise.
data_source: []
search: '| tstats `security_content_summariesonly` count earliest(_time) as earliest
latest(_time) as latest from datamodel=Authentication where Authentication.dest_category=router
by Authentication.dest Authentication.user| eval isOutlier=if(earliest >= relative_time(now(),
"-30d@d"), 1, 0) | where isOutlier=1| `security_content_ctime(earliest)`| `security_content_ctime(latest)`
| `drop_dm_object_name("Authentication")` | `detect_new_login_attempts_to_routers_filter`'
how_to_implement: To successfully implement this search, you must ensure the network
router devices are categorized as "router" in the Assets and identity table. You
must also populate the Authentication data model with logs related to users authenticating
to routing infrastructure.
search: '| tstats `security_content_summariesonly` count earliest(_time) as earliest latest(_time) as latest from datamodel=Authentication where Authentication.dest_category=router by Authentication.dest Authentication.user| eval isOutlier=if(earliest >= relative_time(now(), "-30d@d"), 1, 0) | where isOutlier=1| `security_content_ctime(earliest)`| `security_content_ctime(latest)` | `drop_dm_object_name("Authentication")` | `detect_new_login_attempts_to_routers_filter`'
how_to_implement: To successfully implement this search, you must ensure the network router devices are categorized as "router" in the Assets and identity table. You must also populate the Authentication data model with logs related to users authenticating to routing infrastructure.
known_false_positives: Legitimate router connections may appear as new connections
references: []
tags:
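Review bot: the `isOutlier` test compares `earliest(_time)` against `relative_time(now(), "-30d@d")`, so a dest/user pair is "new" only if the search's own time range reaches back further than 30 days; run over a typical last-24-hours window, every pair has its `earliest` inside the 30-day mark and everything is flagged. `how_to_implement` should state the required lookback (or the search should build the baseline separately from the window it alerts on). The reflow of `description`, `search` and `how_to_implement` onto single lines is content-neutral; `data_source: []` and `references: []` remain empty for an experimental TTP, which is worth filling before it leaves experimental status.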
8 changes: 4 additions & 4 deletions detections/application/detect_password_spray_attempts.yml
Expand Up @@ -47,12 +47,12 @@ known_false_positives: Unknown
references:
- https://attack.mitre.org/techniques/T1110/003/
drilldown_searches:
- name: View the detection results for $sourcetype$
search: '%original_detection_search% | search sourcetype = $sourcetype$'
- name: View the detection results for - "$sourcetype$"
search: '%original_detection_search% | search sourcetype = "$sourcetype$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for $sourcetype$
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($sourcetype$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- name: View risk events for the last 7 days for - "$sourcetype$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$sourcetype$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
tags:
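Review bot: a sourcetype is a questionable risk object for the risk-events drilldown: `normalized_risk_object IN ("$sourcetype$")` looks up risk attributed to a log source rather than to a user or host, so unless this detection deliberately assigns risk to the sourcetype the drilldown returns nothing useful; key both drilldowns on the user or src field the detection aggregates on instead. As in the other drilldown hunk in this commit, `endhoursago=1` is dropped without explanation, extending the 7-day window up to the present.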
31 changes: 4 additions & 27 deletions detections/application/email_attachments_with_lots_of_spaces.yml
Expand Up @@ -5,37 +5,14 @@ date: '2024-10-17'
author: David Dorsey, Splunk
status: experimental
type: Anomaly
description: The following analytic detects email attachments with an unusually high
number of spaces in their file names, which is a common tactic used by attackers
to obfuscate file extensions. It leverages the Email data model to identify attachments
where the ratio of spaces to the total file name length exceeds 10%. This behavior
is significant as it may indicate an attempt to bypass security filters and deliver
malicious payloads. If confirmed malicious, this activity could lead to the execution
of harmful code or unauthorized access to sensitive information within the recipient's
environment.
description: The following analytic detects email attachments with an unusually high number of spaces in their file names, which is a common tactic used by attackers to obfuscate file extensions. It leverages the Email data model to identify attachments where the ratio of spaces to the total file name length exceeds 10%. This behavior is significant as it may indicate an attempt to bypass security filters and deliver malicious payloads. If confirmed malicious, this activity could lead to the execution of harmful code or unauthorized access to sensitive information within the recipient's environment.
data_source: []
search: '| tstats `security_content_summariesonly` count values(All_Email.recipient)
as recipient_address min(_time) as firstTime max(_time) as lastTime from datamodel=Email
where All_Email.file_name="*" by All_Email.src_user, All_Email.file_name All_Email.message_id
| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name("All_Email")`
| eval space_ratio = (mvcount(split(file_name," "))-1)/len(file_name) | search space_ratio
>= 0.1 | rex field=recipient_address "(?<recipient_user>.*)@" | `email_attachments_with_lots_of_spaces_filter`'
how_to_implement: 'You need to ingest data from emails. Specifically, the sender''s
address and the file names of any attachments must be mapped to the Email data model.
The threshold ratio is set to 10%, but this value can be configured to suit each
environment.
search: '| tstats `security_content_summariesonly` count values(All_Email.recipient) as recipient_address min(_time) as firstTime max(_time) as lastTime from datamodel=Email where All_Email.file_name="*" by All_Email.src_user, All_Email.file_name All_Email.message_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name("All_Email")` | eval space_ratio = (mvcount(split(file_name," "))-1)/len(file_name) | search space_ratio >= 0.1 | rex field=recipient_address "(?<recipient_user>.*)@" | `email_attachments_with_lots_of_spaces_filter`'
how_to_implement: 'You need to ingest data from emails. Specifically, the sender''s address and the file names of any attachments must be mapped to the Email data model. The threshold ratio is set to 10%, but this value can be configured to suit each environment.
**Splunk Phantom Playbook Integration**
If Splunk Phantom is also configured in your environment, a playbook called "Suspicious
Email Attachment Investigate and Delete" can be configured to run when any results
are found by this detection search. To use this integration, install the Phantom
App for Splunk `https://splunkbase.splunk.com/app/3411/` and add the correct hostname
to the "Phantom Instance" field in the Adaptive Response Actions when configuring
this detection search. The notable event will be sent to Phantom and the playbook
will gather further information about the file attachment and its network behaviors.
If Phantom finds malicious behavior and an analyst approves of the results, the
email will be deleted from the user''s inbox.'
If Splunk Phantom is also configured in your environment, a playbook called "Suspicious Email Attachment Investigate and Delete" can be configured to run when any results are found by this detection search. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/` and add the correct hostname to the "Phantom Instance" field in the Adaptive Response Actions when configuring this detection search. The notable event will be sent to Phantom and the playbook will gather further information about the file attachment and its network behaviors. If Phantom finds malicious behavior and an analyst approves of the results, the email will be deleted from the user''s inbox.'
known_false_positives: None at this time
references: []
tags:
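Review bot: `known_false_positives: None at this time` does not hold for this logic: `space_ratio` counts every space, so an ordinary multi-word name such as `Q3 Budget Review Final.xlsx` (3 spaces in 27 characters, ratio 0.11) crosses the 10% threshold, whereas the obfuscation the description targets is a long run of consecutive spaces pushing the real extension out of view. A test on a run of spaces, e.g. `| where match(file_name, " {5,}")`, would separate the two cases; at minimum the false-positive note should mention long descriptive file names. The reflow of `description`, `search` and `how_to_implement` is otherwise content-neutral.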
Expand Up @@ -5,32 +5,12 @@ date: '2024-10-17'
author: Bhavin Patel, Splunk
status: experimental
type: TTP
description: The following analytic detects email files (.pst or .ost) being created
outside the standard Outlook directories. It leverages the Endpoint.Filesystem data
model to identify file creation events and filters for email files not located in
"C:\Users\*\My Documents\Outlook Files\*" or "C:\Users\*\AppData\Local\Microsoft\Outlook*".
This activity is significant as it may indicate data exfiltration or unauthorized
access to email data. If confirmed malicious, an attacker could potentially access
sensitive email content, leading to data breaches or further exploitation within
the network.
description: The following analytic detects email files (.pst or .ost) being created outside the standard Outlook directories. It leverages the Endpoint.Filesystem data model to identify file creation events and filters for email files not located in "C:\Users\*\My Documents\Outlook Files\*" or "C:\Users\*\AppData\Local\Microsoft\Outlook*". This activity is significant as it may indicate data exfiltration or unauthorized access to email data. If confirmed malicious, an attacker could potentially access sensitive email content, leading to data breaches or further exploitation within the network.
data_source:
- Sysmon EventID 11
search: '| tstats `security_content_summariesonly` count values(Filesystem.file_path)
as file_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem
where (Filesystem.file_name=*.pst OR Filesystem.file_name=*.ost) Filesystem.file_path
!= "C:\\Users\\*\\My Documents\\Outlook Files\\*" Filesystem.file_path!="C:\\Users\\*\\AppData\\Local\\Microsoft\\Outlook*"
by Filesystem.action Filesystem.process_id Filesystem.file_name Filesystem.dest
| `drop_dm_object_name("Filesystem")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|
`email_files_written_outside_of_the_outlook_directory_filter`'
how_to_implement: To successfully implement this search, you must be ingesting data
that records the file-system activity from your hosts to populate the Endpoint.Filesystem
data model node. This is typically populated via endpoint detection-and-response
product, such as Carbon Black, or by other endpoint data sources, such as Sysmon.
The data used for this search is typically generated via logs that report file-system
reads and writes.
known_false_positives: Administrators and users sometimes prefer backing up their
email data by moving the email files into a different folder. These attempts will
be detected by the search.
search: '| tstats `security_content_summariesonly` count values(Filesystem.file_path) as file_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_name=*.pst OR Filesystem.file_name=*.ost) Filesystem.file_path != "C:\\Users\\*\\My Documents\\Outlook Files\\*" Filesystem.file_path!="C:\\Users\\*\\AppData\\Local\\Microsoft\\Outlook*" by Filesystem.action Filesystem.process_id Filesystem.file_name Filesystem.dest | `drop_dm_object_name("Filesystem")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `email_files_written_outside_of_the_outlook_directory_filter`'
how_to_implement: To successfully implement this search, you must be ingesting data that records the file-system activity from your hosts to populate the Endpoint.Filesystem data model node. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or by other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report file-system reads and writes.
known_false_positives: Administrators and users sometimes prefer backing up their email data by moving the email files into a different folder. These attempts will be detected by the search.
references: []
tags:
analytic_story:
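Review bot: the exclusion `"C:\\Users\\*\\My Documents\\Outlook Files\\*"` will not match what Sysmon EventID 11 records: on Windows Vista and later the profile folder is `C:\Users\<user>\Documents` and `My Documents` is only a legacy junction, so Outlook's default PST location `C:\Users\<user>\Documents\Outlook Files\` is not excluded and routine PST creation there alerts. Add the `Documents` form (or match on `*\\Outlook Files\\*`) and update the description to say the same. The spacing is also inconsistent between `file_path != "..."` and `file_path!="..."`; harmless in a tstats `where`, but worth normalising while the line is being reflowed.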