patel-bhavin authored Jul 23, 2024
2 parents 8c0f4fd + e2ba6ac commit ee3215a
Showing 10 changed files with 40 additions and 30 deletions.
7 changes: 4 additions & 3 deletions detections/endpoint/disable_logs_using_wevtutil.yml
@@ -1,7 +1,7 @@
name: Disable Logs Using WevtUtil
id: 236e7c8e-c9d9-11eb-a824-acde48001122
version: 2
date: '2024-05-13'
version: 3
date: '2024-07-23'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -41,7 +41,7 @@ tags:
asset_type: Endpoint
confidence: 80
impact: 30
message: WevtUtil.exe used to disable Event Logging on $dest
message: WevtUtil.exe used to disable Event Logging on $dest$
mitre_attack_id:
- T1070
- T1070.001
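Review bot: the `$dest` → `$dest$` change on the `message:` line is correct, and the reason belongs in the commit description: in Splunk ES risk and notable messages a field token is delimited on both sides (`$dest$`), so the unterminated `$dest` was emitted literally instead of being replaced with the host name. The same one-character defect is fixed in nine detection files in this commit; consider adding a check to the pre-commit hook that rejects a `$field` without a closing `$` inside `message:` so it cannot regress.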
@@ -73,3 +73,4 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data1/windows-sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
# version bumped by pre-commit hook
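Review bot: the appended `# version bumped by pre-commit hook` line is tooling residue committed into the detection source; it leaves a trailing comment in every file the hook touches and records nothing the `version:` and `date:` bump in the first hunk does not already record. Suggest the hook update `version:` and `date:` without writing a marker, or strip the marker before the commit is created, and confirm the file still ends in a single newline after the insertion.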
7 changes: 4 additions & 3 deletions detections/endpoint/disable_windows_behavior_monitoring.yml
@@ -1,7 +1,7 @@
name: Disable Windows Behavior Monitoring
id: 79439cae-9200-11eb-a4d3-acde48001122
version: 6
date: '2024-05-18'
version: 7
date: '2024-07-23'
author: Steven Dick, Teoderick Contreras, Splunk
status: production
type: TTP
@@ -48,7 +48,7 @@ tags:
asset_type: Endpoint
confidence: 100
impact: 40
message: Windows Defender real time behavior monitoring disabled on $dest
message: Windows Defender real time behavior monitoring disabled on $dest$
mitre_attack_id:
- T1562.001
- T1562
@@ -78,3 +78,4 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
# version bumped by pre-commit hook
@@ -1,7 +1,7 @@
name: Remote Process Instantiation via DCOM and PowerShell
id: d4f42098-4680-11ec-ad07-3e22fbd008af
version: 2
date: '2024-05-20'
version: 3
date: '2024-07-23'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -42,7 +42,7 @@ tags:
asset_type: Endpoint
confidence: 70
impact: 90
message: A process was started on a remote endpoint from $dest by abusing DCOM using
message: A process was started on a remote endpoint from $dest$ by abusing DCOM using
PowerShell.exe
mitre_attack_id:
- T1021
@@ -78,3 +78,4 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.003/lateral_movement/windows-sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
# version bumped by pre-commit hook
@@ -1,7 +1,7 @@
name: Remote Process Instantiation via WinRM and PowerShell
id: ba24cda8-4716-11ec-8009-3e22fbd008af
version: 2
date: '2024-05-14'
version: 3
date: '2024-07-23'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -42,7 +42,7 @@ tags:
asset_type: Endpoint
confidence: 50
impact: 90
message: A process was started on a remote endpoint from $dest by abusing WinRM
message: A process was started on a remote endpoint from $dest$ by abusing WinRM
using PowerShell.exe
mitre_attack_id:
- T1021
@@ -78,3 +78,4 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/lateral_movement_psh/windows-sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
# version bumped by pre-commit hook
@@ -1,7 +1,7 @@
name: Remote Process Instantiation via WinRM and Winrs
id: 0dd296a2-4338-11ec-ba02-3e22fbd008af
version: 2
date: '2024-05-16'
version: 3
date: '2024-07-23'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -42,7 +42,7 @@ tags:
asset_type: Endpoint
confidence: 60
impact: 90
message: A process was started on a remote endpoint from $dest
message: A process was started on a remote endpoint from $dest$
mitre_attack_id:
- T1021
- T1021.006
@@ -77,3 +77,4 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/lateral_movement/windows-sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
# version bumped by pre-commit hook
@@ -1,7 +1,7 @@
name: Scheduled Task Creation on Remote Endpoint using At
id: 4be54858-432f-11ec-8209-3e22fbd008af
version: 2
date: '2024-05-24'
version: 3
date: '2024-07-23'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -43,7 +43,7 @@ tags:
asset_type: Endpoint
confidence: 60
impact: 90
message: A Windows Scheduled Task was created on a remote endpoint from $dest
message: A Windows Scheduled Task was created on a remote endpoint from $dest$
mitre_attack_id:
- T1053
- T1053.002
@@ -78,3 +78,4 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/lateral_movement/windows-sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
# version bumped by pre-commit hook
@@ -1,7 +1,7 @@
name: Scheduled Task Initiation on Remote Endpoint
id: 95cf4608-4302-11ec-8194-3e22fbd008af
version: 2
date: '2024-05-25'
version: 3
date: '2024-07-23'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -42,7 +42,7 @@ tags:
asset_type: Endpoint
confidence: 60
impact: 90
message: A Windows Scheduled Task was ran on a remote endpoint from $dest
message: A Windows Scheduled Task was ran on a remote endpoint from $dest$
mitre_attack_id:
- T1053
- T1053.005
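Review bot: while this `message:` line is being touched, fix its grammar: `A Windows Scheduled Task was ran on a remote endpoint from $dest$` should read `was run`. This string is what analysts see in the notable event, so it is worth getting right in the same commit.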
@@ -77,3 +77,4 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/lateral_movement/windows-sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
# version bumped by pre-commit hook
7 changes: 4 additions & 3 deletions detections/endpoint/windows_new_inprocserver32_added.yml
@@ -1,7 +1,7 @@
name: Windows New InProcServer32 Added
id: 0fa86e31-0f73-4ec7-9ca3-dc88e117f1db
version: 2
date: '2024-05-13'
version: 3
date: '2024-07-23'
author: Michael Haag, Splunk
data_source:
- Sysmon EventID 13
@@ -57,11 +57,12 @@ tags:
risk_score: 2
security_domain: endpoint
cve:
- cve-2024-21378
- CVE-2024-21378
tests:
- name: True Positive Test
attack_data:
- data:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/cve-2024-21378/inprocserver32_windows-sysmon.log
sourcetype: xmlwineventlog
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
# version bumped by pre-commit hook
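Review bot: normalising `cve-2024-21378` to `CVE-2024-21378` in the `cve:` list is the right call; CVE identifiers are upper-case by convention, and any case-sensitive consumer of this field (lookups or enrichment joins keyed on the identifier) would otherwise fail to match. The lowercase `cve-2024-21378` in the attack_data URL is a path component, not the identifier field, and can stay as-is. The `# version bumped by pre-commit hook` trailer is the same tooling residue as in the other files in this commit and should not be committed.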
@@ -1,7 +1,7 @@
name: Windows Service Creation on Remote Endpoint
id: e0eea4fa-4274-11ec-882b-3e22fbd008af
version: 2
date: '2024-05-21'
version: 3
date: '2024-07-23'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -44,7 +44,7 @@ tags:
asset_type: Endpoint
confidence: 60
impact: 90
message: A Windows Service was created on a remote endpoint from $dest
message: A Windows Service was created on a remote endpoint from $dest$
mitre_attack_id:
- T1543
- T1543.003
@@ -79,3 +79,4 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/lateral_movement/windows-sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
# version bumped by pre-commit hook
@@ -1,7 +1,7 @@
name: Windows Service Initiation on Remote Endpoint
id: 3f519894-4276-11ec-ab02-3e22fbd008af
version: 2
date: '2024-05-10'
version: 3
date: '2024-07-23'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -41,7 +41,7 @@ tags:
asset_type: Endpoint
confidence: 60
impact: 90
message: A Windows Service was started on a remote endpoint from $dest
message: A Windows Service was started on a remote endpoint from $dest$
mitre_attack_id:
- T1543
- T1543.003
@@ -76,3 +76,4 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/lateral_movement/windows-sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
# version bumped by pre-commit hook