diff --git a/.circleci/config.yml b/.circleci/config.yml index f5638fb21a..877fe39d5c 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -15,7 +15,12 @@ apt-run: &apt-install name: install system packages command: | sudo apt update -qq - sudo apt install -y python-dev -qq + sudo apt install -y python-dev snapd -qq + # install go for other testing tools + wget https://raw.githubusercontent.com/canha/golang-tools-install-script/master/goinstall.sh + sudo chown circleci goinstall.sh + chmod +x goinstall.sh + ./goinstall.sh executors: content-executor: @@ -61,7 +66,25 @@ jobs: cd security-content source venv/bin/activate python bin/validate.py --path . --verbose - + - run: + name: run doc-gen + command: | + cd security-content + source venv/bin/activate + python bin/doc-gen.py --path . --output docs -v + - run: + name: check for broken links using liche + command: | + echo 'export GOROOT=~/.go' >> $BASH_ENV + echo 'export PATH=$GOROOT/bin:$PATH' >> $BASH_ENV + echo 'export GOPATH=~/go' >> $BASH_ENV + echo 'export PATH=$GOPATH/bin:$PATH' >> $BASH_ENV + echo 'export GO111MODULE="on"' >> $BASH_ENV + source $BASH_ENV + go get -u github.com/raviqqe/liche + cd security-content + liche -r docs/ + liche README.md build-sources: executor: content-executor steps: diff --git a/README.md b/README.md index 795f0314e9..3abff7e637 100644 --- a/README.md +++ b/README.md 
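Review bot: The `wget …/master/goinstall.sh`, `chmod +x goinstall.sh`, `./goinstall.sh` sequence added to the apt-install step fetches an unpinned script from a third-party repository's default branch and executes it on every build, so whatever is on `master` at build time runs inside the CI job with no integrity check. Pin it to a revision and verify the download before running it, e.g. `wget https://raw.githubusercontent.com/canha/golang-tools-install-script/<PINNED_COMMIT>/goinstall.sh` followed by `echo "<EXPECTED_SHA256>  goinstall.sh" | sha256sum -c -` (placeholders to be filled in from the pinned revision). The same point applies to `go get -u github.com/raviqqe/liche` in the second hunk of this file: without a version it resolves to whatever the latest upstream revision is at build time, and since `GO111MODULE="on"` is already exported in that step, a pinned `go get github.com/raviqqe/liche@<VERSION>` gives a reproducible tool. The `snapd` package added to the apt line is not used by anything visible in this diff; if it is a leftover it can be dropped.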
@@ -38,7 +38,7 @@ curl -s https://content.splunkresearch.com | jq ``` # What's in an Analytic Story? -[Analytic Stories](https://github.com/splunk/security-content/blob/develop/docs/stories_categories.md) and their corresponding searches are composed of **.yml** files (manifests) and associated .conf files. The stories reside in [/stories](/stories) and the searches live in [/detections](/detections). +[Analytic Stories](https://github.com/splunk/security-content/blob/develop/docs/stories_categories.md) and their corresponding searches are composed of **.yml** files (manifests) and associated .conf files. The stories reside in [/stories](https://github.com/splunk/security-content/tree/develop/stories) and the searches live in [/detections](https://github.com/splunk/security-content/tree/develop/detections). Manifests contain a number of mandatory and optional fields. You can see the full field list for each piece of content [here](https://github.com/splunk/security-content/tree/develop/docs#spec-documentation). diff --git a/docs/CONTRIBUTING.md b/docs/CONTRIBUTING.md index 0833df2216..0829e2aa16 100644 --- a/docs/CONTRIBUTING.md +++ b/docs/CONTRIBUTING.md @@ -34,7 +34,7 @@ If you wish to be a contributing member of our community, please see the agreeme Please make sure to read and observe our [Code of Conduct](contributing/code-of-conduct.md). Please follow it in all of your interactions involving the project. ##### Setup Development Environment -see [Developing section](README.MD/#Developing) +see [Developing section](https://github.com/splunk/security-content#developing) ## Contribution Workflow Help is always welcome! For example, documentation can always use improvement. There's always code that can be clarified, functionality that can be extended, and tests to be added to guarantee behavior. If you see something you think should be fixed, don't be afraid to own it. 
diff --git a/docs/contributing/code-of-conduct.md b/docs/contributing/code-of-conduct.md
new file mode 100644
index 0000000000..09408f440e
--- /dev/null
+++ b/docs/contributing/code-of-conduct.md
@@ -0,0 +1,73 @@ +## Code of Conduct + +### Our Pledge + +In the interest of fostering an open and welcoming environment, we as +contributors and maintainers pledge to making participation in our project and +our community a harassment-free experience for everyone, regardless of age, body +size, disability, ethnicity, gender identity and expression, level of experience, +nationality, personal appearance, race, religion, or sexual identity and +orientation. + +### Our Standards + +Examples of behavior that contributes to creating a positive environment +include: + +* Using welcoming and inclusive language +* Being respectful of differing viewpoints and experiences +* Gracefully accepting constructive criticism +* Focusing on what is best for the community +* Showing empathy towards other community members + +Examples of unacceptable behavior by participants include: + +* The use of sexualized language or imagery and unwelcome sexual attention or +advances +* Trolling, insulting/derogatory comments, and personal or political attacks +* Public or private harassment +* Publishing others' private information, such as a physical or electronic address, without explicit permission +* Other conduct which could reasonably be considered inappropriate in a professional setting + +### Our Responsibilities + +Project maintainers are responsible for clarifying the standards of acceptable +behavior and are expected to take appropriate and fair corrective action in +response to any instances of unacceptable behavior. + +Project maintainers have the right and responsibility to remove, edit, or +reject comments, commits, code, wiki edits, issues, and other contributions +that are not aligned to this Code of Conduct, or to ban temporarily or +permanently any contributor for other behaviors that they deem inappropriate, +threatening, offensive, or harmful. 
+ +### Scope + +This Code of Conduct applies both within project spaces and in public spaces +when an individual is representing the project or its community. Examples of +representing a project or community include using an official project e-mail +address, posting via an official social media account, or acting as an appointed +representative at an online or offline event. Representation of a project may be +further defined and clarified by project maintainers. + +### Enforcement + +Instances of abusive, harassing, or otherwise unacceptable behavior may be +reported by contacting the project team at support@splunk.com. All +complaints will be reviewed and investigated and will result in a response that +is deemed necessary and appropriate to the circumstances. The project team is +obligated to maintain confidentiality with regard to the reporter of an incident. +Further details of specific enforcement policies may be posted separately. + +Project maintainers who do not follow or enforce the Code of Conduct in good +faith may face temporary or permanent repercussions as determined by other +members of the project's leadership. + +### Attribution + +This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, +available at [http://contributor-covenant.org/version/1/4][version] + +[homepage]: http://contributor-covenant.org +[version]: http://contributor-covenant.org/version/1/4/ + diff --git a/docs/splunk_docs_categories.wiki b/docs/splunk_docs_categories.wiki index c0adcfda37..72b598534d 100644 --- a/docs/splunk_docs_categories.wiki +++ b/docs/splunk_docs_categories.wiki 
@@ -1317,7 +1317,7 @@ Notable events will include IP addresses, URLs, and user data. Drilling down can * DE.CM ====References==== -* https://blog.domaintools.com/tag/brand-monitor/ +* https://www.zerofox.com/blog/what-is-digital-risk-monitoring/ * https://securingtomorrow.mcafee.com/consumer/family-safety/what-is-typosquatting/ * https://blog.malwarebytes.com/cybercrime/2016/06/explained-typosquatting/ @@ -1371,7 +1371,7 @@ The search in this story can help you to detect if attackers are abusing your co ====References==== * https://www.us-cert.gov/ncas/alerts/TA13-088A -* https://deepthought.isc.org/article/AA-00897/0/What-is-a-DNS-Amplification-Attack.html +* https://www.cloudflare.com/learning/ddos/dns-amplification-ddos-attack/ creation_date = 2016-08-24 @@ -3041,6 +3041,8 @@ Once a phishing message has been detected, the next steps are to answer the foll ====Providing Technologies==== * Microsoft Exchange +* Bro +* Splunk Stream ====Data Models==== * Email diff --git a/docs/stories_categories.md b/docs/stories_categories.md index 1ba815f0ec..0c6c2e1f5e 100644 --- a/docs/stories_categories.md +++ b/docs/stories_categories.md @@ -1491,7 +1491,7 @@ Web * company = davidd@splunk.com ##### References -* https://blog.domaintools.com/tag/brand-monitor/ +* https://www.zerofox.com/blog/what-is-digital-risk-monitoring/ * https://securingtomorrow.mcafee.com/consumer/family-safety/what-is-typosquatting/ * https://blog.malwarebytes.com/cybercrime/2016/06/explained-typosquatting/ @@ -1547,7 +1547,7 @@ Network_Resolution ##### References * https://www.us-cert.gov/ncas/alerts/TA13-088A -* https://deepthought.isc.org/article/AA-00897/0/What-is-a-DNS-Amplification-Attack.html +* https://www.cloudflare.com/learning/ddos/dns-amplification-ddos-attack/ ### Data Protection * id = `91c676cf-0b23-438d-abee-f6335e1fce33` 
@@ -3461,12 +3461,15 @@ Once a phishing message has been detected, the next steps are to answer the foll 1. Have any users interacted with the content of the messages (by downloading an attachment or clicking on a malicious URL)?This Analytic Story provides detection searches to identify suspicious emails, as well as contextual and investigative searches to help answer some of these questions. ##### Detections +* Monitor Email For Brand Abuse * Suspicious Email Attachment Extensions * Email Attachments With Lots Of Spaces * Suspicious Email - UBA Anomaly ##### Providing Technologies * Microsoft Exchange +* Bro +* Splunk Stream ##### Data Models Email diff --git a/package/default/analytic_stories.conf b/package/default/analytic_stories.conf index 63c11955a5..71db759f56 100644 --- a/package/default/analytic_stories.conf +++ b/package/default/analytic_stories.conf @@ -1,6 +1,6 @@ ############# # Automatically generated by generator.py in splunk/security-content -# On Date: 2019-11-05T20:22:48 UTC +# On Date: 2019-11-18T18:30:07 UTC # Author: Splunk Security Research # Contact: research@splunk.com ############# 
@@ -163,7 +163,7 @@ creation_date = 2017-06-01 modification_date = 2017-12-19 id = 91c676cf-0b23-438d-abee-f6335e1fce78 version = 1.0 -reference = ["https://blog.domaintools.com/tag/brand-monitor/", "https://securingtomorrow.mcafee.com/consumer/family-safety/what-is-typosquatting/", "https://blog.malwarebytes.com/cybercrime/2016/06/explained-typosquatting/"] +reference = ["https://www.zerofox.com/blog/what-is-digital-risk-monitoring/", "https://securingtomorrow.mcafee.com/consumer/family-safety/what-is-typosquatting/", "https://blog.malwarebytes.com/cybercrime/2016/06/explained-typosquatting/"] detection_searches = ["ESCU - Monitor DNS For Brand Abuse - Rule", "ESCU - Monitor Email For Brand Abuse - Rule", "ESCU - Monitor Web Traffic For Brand Abuse - Rule"] mappings = {"cis20": ["CIS 7"], "kill_chain_phases": ["Actions on Objectives", "Delivery"], "mitre_attack": [], "nist": ["PR.IP"]} investigative_searches = ["ESCU - Get Authentication Logs For Endpoint", "ESCU - Get Email Info", "ESCU - Get Emails From Specific Sender", "ESCU - Get Notable History", "ESCU - Get Notable Info", "ESCU - Get Process Responsible For The DNS Traffic", "ESCU - Get Risk Modifiers For Endpoint", "ESCU - Get Risk Modifiers For User", "ESCU - Get User Information from Identity Table", "ESCU - Investigate Web Activity From Host"] 
@@ -291,7 +291,7 @@ version = 2.0 reference = ["https://www.us-cert.gov/ncas/alerts/TA18-074A"] detection_searches = ["ESCU - Create local admin accounts using net.exe - Rule", "ESCU - Detect New Local Admin account - Rule", "ESCU - Detect Outbound SMB Traffic - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - First time seen command line argument - Rule", "ESCU - Malicious PowerShell Process - Execution Policy Bypass - Rule", "ESCU - Processes launching netsh - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - SMB Traffic Spike - MLTK - Rule", "ESCU - SMB Traffic Spike - Rule", "ESCU - Sc.exe Manipulating Windows Services - Rule", "ESCU - Scheduled Task Name Used by Dragonfly Threat Actors - Rule", "ESCU - Single Letter Process On Endpoint - Rule", "ESCU - Suspicious Reg.exe Process - Rule"] mappings = {"cis20": ["CIS 12", "CIS 16", "CIS 2", "CIS 3", "CIS 5", "CIS 7", "CIS 8"], "kill_chain_phases": ["Actions on Objectives", "Command and Control", "Installation"], "mitre_attack": ["AppInit DLLs", "Authentication Package", "Command and Control", "Command-Line Interface", "Commonly Used Port", "Credential Access", "Defense Evasion", "Disabling Security Tools", "Execution", "Lateral Movement", "Modify Existing Service", "Modify Registry", "New Service", "Persistence", "PowerShell", "Privilege Escalation", "Registry Run Keys / Start Folder", "Scheduled Task", "Scripting", "Valid Accounts"], "nist": ["DE.AE", "DE.CM", "ID.AM", "PR.AC", "PR.AT", "PR.DS", "PR.IP", "PR.PT"]} -investigative_searches = ["ESCU - Get Authentication Logs For Endpoint", "ESCU - Get Notable History", "ESCU - Get Notable Info", "ESCU - Get Parent Process Info", "ESCU - Get Process Info", "ESCU - Get Process Information For Port Activity", "ESCU - Get Registry Activities", "ESCU - Get Risk Modifiers For Endpoint", "ESCU - Get Risk Modifiers For User", "ESCU - Get User Information from Identity Table", "ESCU - Get Vulnerability Logs For Endpoint", "ESCU - 
Investigate Web Activity From Host"] +investigative_searches = ["ESCU - Get Authentication Logs For Endpoint", "ESCU - Get Notable History", "ESCU - Get Notable Info", "ESCU - Get Parent Process Info", "ESCU - Get Process File Activity", "ESCU - Get Process Info", "ESCU - Get Process Information For Port Activity", "ESCU - Get Process Registry Activity", "ESCU - Get Registry Activities", "ESCU - Get Risk Modifiers For Endpoint", "ESCU - Get Risk Modifiers For User", "ESCU - Get User Information from Identity Table", "ESCU - Get Vulnerability Logs For Endpoint", "ESCU - Investigate Web Activity From Host"] support_searches = ["ESCU - Baseline of SMB Traffic - MLTK", "ESCU - Previously seen command line arguments"] data_models = ["Authentication", "Endpoint", "Network_Traffic", "Risk", "Vulnerabilities", "Web"] providing_technologies = ["Bluecoat", "Bro", "Carbon Black Response", "CrowdStrike Falcon", "Linux", "Microsoft Windows", "Nessus", "Palo Alto Firewall", "Splunk Enterprise Security", "Splunk Stream", "Sysmon", "Tanium", "Ziften", "macOS"] @@ -307,7 +307,7 @@ creation_date = 2016-08-24 modification_date = 2016-09-13 id = e8afd39e-3294-11e6-b39d-a45e60c6700 version = 1.0 -reference = ["https://www.us-cert.gov/ncas/alerts/TA13-088A", "https://deepthought.isc.org/article/AA-00897/0/What-is-a-DNS-Amplification-Attack.html"] +reference = ["https://www.us-cert.gov/ncas/alerts/TA13-088A", "https://www.cloudflare.com/learning/ddos/dns-amplification-ddos-attack/"] detection_searches = ["ESCU - Large Volume of DNS ANY Queries - Rule"] mappings = {"cis20": ["CIS 11", "CIS 12"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": [], "nist": ["DE.AE", "PR.IP", "PR.PT"]} investigative_searches = ["ESCU - Get Notable History", "ESCU - Get Notable Info", "ESCU - Get Risk Modifiers For Endpoint", "ESCU - Get Risk Modifiers For User"] 
@@ -927,12 +927,12 @@ modification_date = 2017-09-19 id = 2b1800dd-92f9-47ec-a981-fdf1351e5d55 version = 1.0 reference = ["https://www.splunk.com/blog/2015/06/26/phishing-hits-a-new-level-of-quality/"] -detection_searches = ["ESCU - Email Attachments With Lots Of Spaces - Rule", "ESCU - Suspicious Email Attachment Extensions - Rule"] +detection_searches = ["ESCU - Email Attachments With Lots Of Spaces - Rule", "ESCU - Monitor Email For Brand Abuse - Rule", "ESCU - Suspicious Email Attachment Extensions - Rule"] mappings = {"cis20": ["CIS 12", "CIS 3", "CIS 7"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["Defense Evasion", "Execution"], "nist": ["DE.AE", "PR.IP"]} -investigative_searches = [] -support_searches = [] -data_models = ["Email", "UEBA"] -providing_technologies = ["Cuckoo", "DeepSight", "Microsoft Exchange", "SMTP", "Splunk Enterprise Security", "VirusTotal"] +investigative_searches = ["ESCU - Get Authentication Logs For Endpoint", "ESCU - Get Email Info", "ESCU - Get Emails From Specific Sender", "ESCU - Get Notable History", "ESCU - Get Notable Info", "ESCU - Get Risk Modifiers For Endpoint", "ESCU - Get Risk Modifiers For User", "ESCU - Get User Information from Identity Table", "ESCU - Investigate Web Activity From Host"] +support_searches = ["ESCU - DNSTwist Domain Names"] +data_models = ["Authentication", "Email", "Risk", "UEBA", "Web"] +providing_technologies = ["Bluecoat", "Bro", "Cuckoo", "DeepSight", "Linux", "Microsoft Exchange", "Microsoft Windows", "Palo Alto Firewall", "SMTP", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Stream", "VirusTotal", "macOS"] description = Email remains one of the primary means for attackers to gain an initial foothold within the modern enterprise. Detect and investigate suspicious emails in your environment with the help of the searches in this Analytic Story. 
narrative = It is a common practice for attackers of all types to leverage targeted spearphishing campaigns and mass mailers to deliver weaponized email messages and attachments. Fortunately, there are a number of ways to monitor email data in Splunk to detect suspicious content.\ Once a phishing message has been detected, the next steps are to answer the following questions: \ diff --git a/package/default/macros.conf b/package/default/macros.conf index 565f3790d8..273782b401 100644 --- a/package/default/macros.conf +++ b/package/default/macros.conf @@ -1,6 +1,6 @@ ############# # Automatically generated by generator.py in splunk/security-content -# On Date: 2019-11-05T20:22:49 UTC +# On Date: 2019-11-18T18:30:07 UTC # Author: Splunk Security Research # Contact: research@splunk.com ############# 
@@ -66,15 +66,15 @@ definition = lookup update=true lookup_rare_process_whitelist_default process as description = This macro is intended to whitelist processes that have been definied as rare [investigate_cloud_compute_instance_activities_output_filter] -definition = `comment("Use this macro to add additional filters for investigating cloud compute activties")` +definition = `comment(Use this macro to add additional filters for investigating cloud compute activties)` description = Use this macro to add additional filters for investigating cloud compute activties [investigate_user_activities_in_all_cloud_region_output_filter] -definition = `comment("Use this macro to add additional filters for investigating a specific user's cloud infrastructure activties in all cloud regions")` +definition = `comment(Use this macro to add additional filters for investigating a specific user's cloud infrastructure activties in all cloud regions)` description = Use this macro to add additional filters for investigating a specific user's cloud infrastructure activties in all cloud regions [investigate_user_activities_in_single_cloud_region_output_filter] -definition = `comment("Use this macro to add additional filters for investigating a specific user's cloud infrastructure activties in a specific cloud regions")` +definition = `comment(Use this macro to add additional filters for investigating a specific user's cloud infrastructure activties in a specific cloud regions)` description = Use this macro to add additional filters for investigating a specific user's cloud infrastructure activties in a specific cloud regions [isWindowsSystemFile] 
@@ -82,7 +82,7 @@ definition = lookup update=true isWindowsSystemFile_lookup filename as process_n description = This macro limits the output to process names that are in the Windows System directory [previously_seen_cloud_compute_creations_by_user_input_filter] -definition = `comment("Use this macro to add additional filters for monitoring users that create cloud compute images")` +definition = `comment(Use this macro to add additional filters for monitoring users that create cloud compute images)` description = Use this macro to add additional filters for monitoring users that create cloud compute images [previously_seen_cloud_compute_creations_by_user_search_window_begin_offset] @@ -90,7 +90,7 @@ definition = -70m@m description = Use this macro to determine how far into the past the window should be to determine if the user is new or not [previously_seen_cloud_compute_image_input_filter] -definition = `comment("Use this macro to add additional filters for monitoring cloud compute images")` +definition = `comment(Use this macro to add additional filters for monitoring cloud compute images)` description = Use this macro to add additional filters for monitoring cloud compute images [previously_seen_cloud_compute_image_search_window_begin_offset] @@ -98,7 +98,7 @@ definition = -70m@m description = Use this macro to determine how far into the past the window should be to determine if the image is new or not [previously_seen_cloud_compute_instance_types_input_filter] -definition = `comment("Use this macro to add additional filters for monitoring cloud compute instance types")` +definition = `comment(Use this macro to add additional filters for monitoring cloud compute instance types)` description = Use this macro to add additional filters for monitoring cloud compute instance types [previously_seen_cloud_compute_instance_types_search_window_begin_offset] 
@@ -106,7 +106,7 @@ definition = -70m@m description = Use this macro to determine how far into the past the window should be to determine if the instance type is new or not [previously_seen_cloud_regions_input_filter] -definition = `comment("Use this macro to add additional filters for monitoring your cloud regions")` +definition = `comment(Use this macro to add additional filters for monitoring your cloud regions)` description = Use this macro to add additional filters for monitoring your cloud regions [previously_seen_cloud_regions_search_window_begin_offset] diff --git a/package/default/savedsearches.conf b/package/default/savedsearches.conf index 7ba064147c..86b7f6a1d3 100644 --- a/package/default/savedsearches.conf +++ b/package/default/savedsearches.conf @@ -1,6 +1,6 @@ ############# # Automatically generated by generator.py in splunk/security-content -# On Date: 2019-11-05T20:22:48 UTC +# On Date: 2019-11-18T18:30:07 UTC # Author: Splunk Security Research # Contact: research@splunk.com ############# @@ -4997,8 +4997,8 @@ action.escu.confidence = medium action.escu.full_search_name = ESCU - Malicious PowerShell Process - Execution Policy Bypass - Rule action.escu.search_type = detection action.escu.asset_at_risk = Endpoint -action.escu.fields_required = ["dest"] -action.escu.entities = ["dest"] +action.escu.fields_required = ["dest", "process_id", "process", "parent_process_id"] +action.escu.entities = ["dest", "process_id", "process", "parent_process_id"] action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Sysmon", "Tanium", "Ziften"] action.escu.analytic_story = ["DHS Report TA18-074A"] cron_schedule = 50 * * * * 
@@ -5012,8 +5012,10 @@ action.notable.param.rule_description = The system $dest$ executed a PowerShell action.notable.param.rule_title = PowerShell process with -executionpolicy bypass detected on $dest$ action.notable.param.security_domain = endpoint action.notable.param.severity = medium +action.notable.param.drilldown_name = View powershell process information on $dest$ +action.notable.param.drilldown_search = | from datamodel:Endpoint.Processes | search dest="$dest$" process_id=$process_id$ action.notable.param.recommended_actions = escu_investigate -action.notable.param.next_steps = {"version": 1, "data": "Recommended following steps:\n\n1.[[action|escu_investigate]]: Based on ESCU investigate recommendations:\ nESCU - Get Authentication Logs For Endpoint\nESCU - Get Parent Process Info\nESCU - Get Risk Modifiers For User\nESCU - Get Process Info\nESCU - Get Notable History\nESCU - Get Notable Info\nESCU - Get Risk Modifiers For Endpoint\nESCU - Get User Information from Identity Table\n"} +action.notable.param.next_steps = {"version": 1, "data": "Recommended following steps:\n\n1.[[action|escu_investigate]]: Based on ESCU investigate recommendations:\ nESCU - Get Process Registry Activity\nESCU - Get Process File Activity\nESCU - Get Authentication Logs For Endpoint\nESCU - Get Parent Process Info\nESCU - Get Notable Info\n"} action.risk = 1 action.risk.param._risk_object = dest action.risk.param._risk_object_type = system 
@@ -5033,7 +5035,7 @@ quantity = 0 realtime_schedule = 0 schedule_window = auto is_visible = false -search = | tstats `summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=powershell.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `ctime(firstTime)`| `ctime(lastTime)`| search process=* -ex* OR process=* bypass * +search = | tstats `summariesonly` values(Processes.process_id) as process_id, values(Processes.parent_process_id) as parent_process_id values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=powershell.exe AND (Processes.process="* -ex*" OR Processes.process="* bypass *") by Processes.process_id, Processes.user, Processes.dest | `drop_dm_object_name(Processes)` | `ctime(firstTime)` | `ctime(lastTime)` [ESCU - Malicious PowerShell Process - Multiple Suspicious Command-Line Arguments - Rule] action.escu = 0 @@ -5212,7 +5214,7 @@ action.escu.asset_at_risk = Endpoint action.escu.fields_required = ["src_user"] action.escu.entities = ["src_user"] action.escu.providing_technologies = ["Microsoft Exchange", "Bro", "Splunk Stream"] -action.escu.analytic_story = ["Brand Monitoring"] +action.escu.analytic_story = ["Brand Monitoring", "Suspicious Emails"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m 
@@ -9208,7 +9210,7 @@ action.escu.full_search_name = ESCU - Get Authentication Logs For Endpoint description = This search returns all users that have attempted to access a particular endpoint. action.escu.creation_date = 2017-04-10 action.escu.modification_date = 2017-11-01 -action.escu.analytic_story = ["AWS Network ACL Activity", "Account Monitoring and Controls", "Apache Struts Vulnerability", "Brand Monitoring", "ColdRoot MacOS RAT", "Collection and Staging", "Command and Control", "Credential Dumping", "DHS Report TA18-074A", "Data Protection", "Disabling Security Tools", "Dynamic DNS", "Emotet Malware (DHS Report TA18-201A)", "Hidden Cobra Malware", "Host Redirection", "Lateral Movement", "Malicious PowerShell", "Monitor for Unauthorized Software", "Netsh Abuse", "Orangeworm Attack Group", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Prohibited Traffic Allowed or Protocol Mismatch", "Ransomware", "Router & Infrastructure Security", "SQL Injection", "SamSam Ransomware", "Spectre And Meltdown Vulnerabilities", "Suspicious AWS Traffic", "Suspicious Command-Line Executions", "Suspicious DNS Traffic", "Suspicious MSHTA Activity", "Suspicious WMI Use", "Suspicious Windows Registry Activities", "Unusual Processes", "Windows Defense Evasion Tactics", "Windows File Extension and Association Abuse", "Windows Log Manipulation", "Windows Persistence Techniques", "Windows Privilege Escalation", "Windows Service Abuse"] +action.escu.analytic_story = ["AWS Network ACL Activity", "Account Monitoring and Controls", "Apache Struts Vulnerability", "Brand Monitoring", "ColdRoot MacOS RAT", "Collection and Staging", "Command and Control", "Credential Dumping", "DHS Report TA18-074A", "Data Protection", "Disabling Security Tools", "Dynamic DNS", "Emotet Malware (DHS Report TA18-201A)", "Hidden Cobra Malware", "Host Redirection", "Lateral Movement", "Malicious PowerShell", "Monitor for Unauthorized Software", "Netsh Abuse", "Orangeworm Attack Group", 
"Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Prohibited Traffic Allowed or Protocol Mismatch", "Ransomware", "Router & Infrastructure Security", "SQL Injection", "SamSam Ransomware", "Spectre And Meltdown Vulnerabilities", "Suspicious AWS Traffic", "Suspicious Command-Line Executions", "Suspicious DNS Traffic", "Suspicious Emails", "Suspicious MSHTA Activity", "Suspicious WMI Use", "Suspicious Windows Registry Activities", "Unusual Processes", "Windows Defense Evasion Tactics", "Windows File Extension and Association Abuse", "Windows Log Manipulation", "Windows Persistence Techniques", "Windows Privilege Escalation", "Windows Service Abuse"] action.escu.earliest_time_offset = 3600 action.escu.latest_time_offset = 86400 action.escu.data_models = ["Authentication"] @@ -9365,7 +9367,7 @@ action.escu.full_search_name = ESCU - Get Email Info description = This search returns all the information Splunk might have collected a specific email message over the last 2 hours. action.escu.creation_date = 2017-04-21 action.escu.modification_date = 2017-11-09 -action.escu.analytic_story = ["Brand Monitoring"] +action.escu.analytic_story = ["Brand Monitoring", "Suspicious Emails"] action.escu.earliest_time_offset = 3600 action.escu.latest_time_offset = 86400 action.escu.data_models = ["Email"] @@ -9388,7 +9390,7 @@ action.escu.full_search_name = ESCU - Get Emails From Specific Sender description = This search returns all the emails from a specific sender over the last 24 and next hours. action.escu.creation_date = 2017-04-21 action.escu.modification_date = 2017-11-09 -action.escu.analytic_story = ["Brand Monitoring", "Web Fraud Detection"] +action.escu.analytic_story = ["Brand Monitoring", "Suspicious Emails", "Web Fraud Detection"] action.escu.earliest_time_offset = 3600 action.escu.latest_time_offset = 86400 action.escu.data_models = ["Email"] 
@@ -9501,7 +9503,7 @@ action.escu.full_search_name = ESCU - Get Notable History description = This search queries the notable index and returns all the Notable Events for the particular destination host, giving the analyst an overview of the incidents that may have occurred with the host under investigation. action.escu.creation_date = 2017-03-15 action.escu.modification_date = 2017-09-20 -action.escu.analytic_story = ["AWS Cross Account Activity", "AWS Cryptomining", "AWS Network ACL Activity", "AWS User Monitoring", "Account Monitoring and Controls", "Apache Struts Vulnerability", "Asset Tracking", "Brand Monitoring", "ColdRoot MacOS RAT", "Collection and Staging", "Command and Control", "Credential Dumping", "DHS Report TA18-074A", "DNS Amplification Attacks", "Data Protection", "Disabling Security Tools", "Dynamic DNS", "Emotet Malware (DHS Report TA18-201A)", "Hidden Cobra Malware", "Host Redirection", "JBoss Vulnerability", "Lateral Movement", "Malicious PowerShell", "Monitor Backup Solution", "Monitor for Unauthorized Software", "Monitor for Updates", "Netsh Abuse", "Orangeworm Attack Group", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Prohibited Traffic Allowed or Protocol Mismatch", "Ransomware", "Router & Infrastructure Security", "SQL Injection", "SamSam Ransomware", "Spectre And Meltdown Vulnerabilities", "Splunk Enterprise Vulnerability", "Splunk Enterprise Vulnerability CVE-2018-11409", "Suspicious AWS EC2 Activities", "Suspicious AWS S3 Activities", "Suspicious AWS Traffic", "Suspicious Command-Line Executions", "Suspicious DNS Traffic", "Suspicious MSHTA Activity", "Suspicious WMI Use", "Suspicious Windows Registry Activities", "Unusual AWS EC2 Modifications", "Unusual Processes", "Use of Cleartext Protocols", "Web Fraud Detection", "Windows Defense Evasion Tactics", "Windows File Extension and Association Abuse", "Windows Log Manipulation", "Windows Persistence Techniques", "Windows Privilege Escalation", "Windows 
Service Abuse"] +action.escu.analytic_story = ["AWS Cross Account Activity", "AWS Cryptomining", "AWS Network ACL Activity", "AWS User Monitoring", "Account Monitoring and Controls", "Apache Struts Vulnerability", "Asset Tracking", "Brand Monitoring", "ColdRoot MacOS RAT", "Collection and Staging", "Command and Control", "Credential Dumping", "DHS Report TA18-074A", "DNS Amplification Attacks", "Data Protection", "Disabling Security Tools", "Dynamic DNS", "Emotet Malware (DHS Report TA18-201A)", "Hidden Cobra Malware", "Host Redirection", "JBoss Vulnerability", "Lateral Movement", "Malicious PowerShell", "Monitor Backup Solution", "Monitor for Unauthorized Software", "Monitor for Updates", "Netsh Abuse", "Orangeworm Attack Group", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Prohibited Traffic Allowed or Protocol Mismatch", "Ransomware", "Router & Infrastructure Security", "SQL Injection", "SamSam Ransomware", "Spectre And Meltdown Vulnerabilities", "Splunk Enterprise Vulnerability", "Splunk Enterprise Vulnerability CVE-2018-11409", "Suspicious AWS EC2 Activities", "Suspicious AWS S3 Activities", "Suspicious AWS Traffic", "Suspicious Command-Line Executions", "Suspicious DNS Traffic", "Suspicious Emails", "Suspicious MSHTA Activity", "Suspicious WMI Use", "Suspicious Windows Registry Activities", "Unusual AWS EC2 Modifications", "Unusual Processes", "Use of Cleartext Protocols", "Web Fraud Detection", "Windows Defense Evasion Tactics", "Windows File Extension and Association Abuse", "Windows Log Manipulation", "Windows Persistence Techniques", "Windows Privilege Escalation", "Windows Service Abuse"] action.escu.earliest_time_offset = 3600 action.escu.latest_time_offset = 86400 action.escu.providing_technologies = ["Splunk Enterprise Security"] 
@@ -9523,7 +9525,7 @@ action.escu.full_search_name = ESCU - Get Notable Info
 description = This search queries the notable index to retrieve detailed information captured within the notable. Every notable has a unique ID associated with it, which is used to point us directly to the notable event under investigation.
 action.escu.creation_date = 2017-03-15
 action.escu.modification_date = 2017-09-20
-action.escu.analytic_story = ["AWS Cryptomining", "AWS Network ACL Activity", "AWS User Monitoring", "Account Monitoring and Controls", "Apache Struts Vulnerability", "Asset Tracking", "Brand Monitoring", "Collection and Staging", "Command and Control", "Credential Dumping", "DHS Report TA18-074A", "DNS Amplification Attacks", "Data Protection", "Disabling Security Tools", "Dynamic DNS", "Emotet Malware (DHS Report TA18-201A)", "Hidden Cobra Malware", "Host Redirection", "JBoss Vulnerability", "Lateral Movement", "Malicious PowerShell", "Monitor for Unauthorized Software", "Monitor for Updates", "Netsh Abuse", "Orangeworm Attack Group", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Prohibited Traffic Allowed or Protocol Mismatch", "Ransomware", "Router & Infrastructure Security", "SQL Injection", "SamSam Ransomware", "Spectre And Meltdown Vulnerabilities", "Splunk Enterprise Vulnerability", "Splunk Enterprise Vulnerability CVE-2018-11409", "Suspicious AWS EC2 Activities", "Suspicious AWS S3 Activities", "Suspicious AWS Traffic", "Suspicious Command-Line Executions", "Suspicious DNS Traffic", "Suspicious MSHTA Activity", "Suspicious WMI Use", "Suspicious Windows Registry Activities", "Unusual Processes", "Use of Cleartext Protocols", "Web Fraud Detection", "Windows Defense Evasion Tactics", "Windows File Extension and Association Abuse", "Windows Log Manipulation", "Windows Persistence Techniques", "Windows Privilege Escalation", "Windows Service Abuse"]
+action.escu.analytic_story = ["AWS Cryptomining", "AWS Network ACL Activity", "AWS User 
Monitoring", "Account Monitoring and Controls", "Apache Struts Vulnerability", "Asset Tracking", "Brand Monitoring", "Collection and Staging", "Command and Control", "Credential Dumping", "DHS Report TA18-074A", "DNS Amplification Attacks", "Data Protection", "Disabling Security Tools", "Dynamic DNS", "Emotet Malware (DHS Report TA18-201A)", "Hidden Cobra Malware", "Host Redirection", "JBoss Vulnerability", "Lateral Movement", "Malicious PowerShell", "Monitor for Unauthorized Software", "Monitor for Updates", "Netsh Abuse", "Orangeworm Attack Group", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Prohibited Traffic Allowed or Protocol Mismatch", "Ransomware", "Router & Infrastructure Security", "SQL Injection", "SamSam Ransomware", "Spectre And Meltdown Vulnerabilities", "Splunk Enterprise Vulnerability", "Splunk Enterprise Vulnerability CVE-2018-11409", "Suspicious AWS EC2 Activities", "Suspicious AWS S3 Activities", "Suspicious AWS Traffic", "Suspicious Command-Line Executions", "Suspicious DNS Traffic", "Suspicious Emails", "Suspicious MSHTA Activity", "Suspicious WMI Use", "Suspicious Windows Registry Activities", "Unusual Processes", "Use of Cleartext Protocols", "Web Fraud Detection", "Windows Defense Evasion Tactics", "Windows File Extension and Association Abuse", "Windows Log Manipulation", "Windows Persistence Techniques", "Windows Privilege Escalation", "Windows Service Abuse"]
 action.escu.earliest_time_offset = 3600
 action.escu.latest_time_offset = 86400
 action.escu.providing_technologies = ["Splunk Enterprise Security"]
@@ -9583,6 +9585,29 @@ schedule_window = auto
 is_visible = false
 search = | tstats `summariesonly` count values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process_name = {process_name} Processes.dest = {dest} by Processes.user Processes.parent_process_name Processes.process_name | `drop_dm_object_name("Processes")` | `ctime(firstTime)`| `ctime(lastTime)`

+[ESCU - Get Process File Activity]
+action.escu = 0
+action.escu.enabled = 1
+action.escu.search_type = investigative
+action.escu.full_search_name = ESCU - Get Process File Activity
+description = This search returns the file activity for a specific process on a specific endpoint
+action.escu.creation_date = 2019-11-06
+action.escu.modification_date = 2019-11-06
+action.escu.analytic_story = ["DHS Report TA18-074A"]
+action.escu.earliest_time_offset = 3600
+action.escu.latest_time_offset = 86400
+action.escu.data_models = ["Endpoint"]
+action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Sysmon", "Tanium", "Ziften"]
+action.escu.eli5 = none
+action.escu.how_to_implement = To successfully implement this search you must be ingesting endpoint data and populating the Endpoint data model.
+action.escu.known_false_positives = None at this time
+action.escu.fields_required = ["process_id", "dest"]
+action.escu.entities = ["process_id", "dest"]
+disabled = true
+schedule_window = auto
+is_visible = false
+search = | tstats `summariesonly` values(Filesystem.file_name) as file_name values(Filesystem.dest) as dest, values(Filesystem.process_id) as process_id from datamodel=Endpoint.Filesystem where Filesystem.dest={dest} Filesystem.process_id={process_id} by Filesystem.file_path, Filesystem.action, _time | `drop_dm_object_name(Filesystem)` | sort _time | table _time, process_id, dest, action, file_name, file_path
+
 [ESCU - Get Process Info]
 action.escu = 0
 action.escu.enabled = 1
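Review bot: `action.escu.eli5 = none` on the new `ESCU - Get Process File Activity` stanza means the doc-gen step this commit wires into CI publishes the search with no explanation at all; the same placeholder appears in the `ESCU - Get Process Registry Activity` hunk and, as `explanation = none`, in the two use_case_library.conf hunks further down. I would replace it with something like `action.escu.eli5 = Returns, in time order, the file path, file name and action recorded for a given process_id on a given endpoint, so an analyst can see what that process touched on disk.` A sentence in `how_to_implement` is also worth adding: a `process_id` is reused on a host over time, so the rows returned should be read against the lifetime of the process under investigation rather than the whole offset window. Minor style point: the `search` mixes comma- and space-separated `values()` clauses (`as file_name values(Filesystem.dest) as dest, values(...)`); one form throughout, as the registry search uses, reads better.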
@@ -9629,6 +9654,29 @@ schedule_window = auto
 is_visible = false
 search = | tstats `summariesonly` count min(_time) max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.dest = {dest} by Processes.process_name Processes.user Processes.dest Processes.process_id | `drop_dm_object_name(Processes)` | `ctime(firstTime)`|`ctime(lastTime)` | search [| tstats `summariesonly` count from datamodel=Endpoint.Ports where Ports.dest_port={dest_port} by Ports.process_id Ports.src | `drop_dm_object_name(Ports)` | rename src as dest]

+[ESCU - Get Process Registry Activity]
+action.escu = 0
+action.escu.enabled = 1
+action.escu.search_type = investigative
+action.escu.full_search_name = ESCU - Get Process Registry Activity
+description = This search returns the registry activity for a specific process on a specific endpoint
+action.escu.creation_date = 2019-11-06
+action.escu.modification_date = 2019-11-06
+action.escu.analytic_story = ["DHS Report TA18-074A"]
+action.escu.earliest_time_offset = 3600
+action.escu.latest_time_offset = 86400
+action.escu.data_models = ["Endpoint"]
+action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Sysmon", "Tanium", "Ziften"]
+action.escu.eli5 = none
+action.escu.how_to_implement = To successfully implement this search you must be ingesting endpoint data and populating the Endpoint data model.
+action.escu.known_false_positives = None at this time
+action.escu.fields_required = ["process_id", "dest"]
+action.escu.entities = ["process_id", "dest"]
+disabled = true
+schedule_window = auto
+is_visible = false
+search = | tstats `summariesonly` values(Registry.registry_key_name) as registry_key_name, values(Registry.dest) as dest, values(Registry.process_id) as process_id from datamodel=Endpoint.Registry where Registry.process_id={process_id} AND Registry.dest={dest} by Registry.registry_path, Registry.action, _time | `drop_dm_object_name(Registry)` | sort _time | table _time, process_id, dest, action, registry_key_name, registry_path
+
 [ESCU - Get Process Responsible For The DNS Traffic]
 action.escu = 0
 action.escu.enabled = 1
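Review bot: The registry search spells its filter as `Registry.process_id={process_id} AND Registry.dest={dest}` while the sibling file-activity search added in the same commit uses an implicit conjunction in the opposite order (`Filesystem.dest={dest} Filesystem.process_id={process_id}`); both are valid `tstats` filters, but two investigative searches meant to be run side by side should read alike. Separately, `values(Registry.dest) as dest` and `values(Registry.process_id) as process_id` re-aggregate the two fields the `where` clause already pins, so they only echo the inputs into the final `table`; that is harmless, but if it is deliberate a short note in the YAML source would save the next reader the question. The same remark applies to the file-activity search.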
@@ -9683,7 +9731,7 @@ action.escu.full_search_name = ESCU - Get Risk Modifiers For Endpoint
 description = For the last 7 days, the search will query the Risk data model in Splunk Enterprise Security and calculate the count, sum of the risk\_scores, names of the correlation searches that contributed to create a risk score for a specific endpoint(machine\_name)
 action.escu.creation_date = 2017-10-14
 action.escu.modification_date = 2017-10-19
-action.escu.analytic_story = ["AWS Network ACL Activity", "Account Monitoring and Controls", "Apache Struts Vulnerability", "Brand Monitoring", "ColdRoot MacOS RAT", "Collection and Staging", "Command and Control", "Credential Dumping", "DHS Report TA18-074A", "DNS Amplification Attacks", "Data Protection", "Disabling Security Tools", "Dynamic DNS", "Emotet Malware (DHS Report TA18-201A)", "Hidden Cobra Malware", "Host Redirection", "JBoss Vulnerability", "Lateral Movement", "Malicious PowerShell", "Monitor Backup Solution", "Monitor for Unauthorized Software", "Monitor for Updates", "Netsh Abuse", "Orangeworm Attack Group", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Prohibited Traffic Allowed or Protocol Mismatch", "Ransomware", "Router & Infrastructure Security", "SQL Injection", "SamSam Ransomware", "Spectre And Meltdown Vulnerabilities", "Splunk Enterprise Vulnerability", "Splunk Enterprise Vulnerability CVE-2018-11409", "Suspicious AWS Traffic", "Suspicious Command-Line Executions", "Suspicious DNS Traffic", "Suspicious MSHTA Activity", "Suspicious WMI Use", "Suspicious Windows Registry Activities", "Unusual Processes", "Use of Cleartext Protocols", "Windows Defense Evasion Tactics", "Windows File Extension and Association Abuse", "Windows Log Manipulation", "Windows Persistence Techniques", "Windows Privilege Escalation", "Windows Service Abuse"]
+action.escu.analytic_story = ["AWS Network ACL Activity", "Account Monitoring and Controls", "Apache Struts Vulnerability", "Brand Monitoring", 
"ColdRoot MacOS RAT", "Collection and Staging", "Command and Control", "Credential Dumping", "DHS Report TA18-074A", "DNS Amplification Attacks", "Data Protection", "Disabling Security Tools", "Dynamic DNS", "Emotet Malware (DHS Report TA18-201A)", "Hidden Cobra Malware", "Host Redirection", "JBoss Vulnerability", "Lateral Movement", "Malicious PowerShell", "Monitor Backup Solution", "Monitor for Unauthorized Software", "Monitor for Updates", "Netsh Abuse", "Orangeworm Attack Group", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Prohibited Traffic Allowed or Protocol Mismatch", "Ransomware", "Router & Infrastructure Security", "SQL Injection", "SamSam Ransomware", "Spectre And Meltdown Vulnerabilities", "Splunk Enterprise Vulnerability", "Splunk Enterprise Vulnerability CVE-2018-11409", "Suspicious AWS Traffic", "Suspicious Command-Line Executions", "Suspicious DNS Traffic", "Suspicious Emails", "Suspicious MSHTA Activity", "Suspicious WMI Use", "Suspicious Windows Registry Activities", "Unusual Processes", "Use of Cleartext Protocols", "Windows Defense Evasion Tactics", "Windows File Extension and Association Abuse", "Windows Log Manipulation", "Windows Persistence Techniques", "Windows Privilege Escalation", "Windows Service Abuse"]
 action.escu.earliest_time_offset = 3600
 action.escu.latest_time_offset = 86400
 action.escu.data_models = ["Risk"]
@@ -9706,7 +9754,7 @@ action.escu.full_search_name = ESCU - Get Risk Modifiers For User
 description = For the last 7 days, the search will query the Risk data model in Splunk Enterprise Security and calculate the count, sum of the risk_scores, names of the correlation searches that contributed to create a risk score for a specific user
 action.escu.creation_date = 2017-10-14
 action.escu.modification_date = 2017-10-19
-action.escu.analytic_story = ["AWS Network ACL Activity", "Account Monitoring and Controls", "Apache Struts Vulnerability", "Brand Monitoring", "ColdRoot MacOS RAT", "Collection and Staging", "Command and Control", "Credential Dumping", "DHS Report TA18-074A", "DNS Amplification Attacks", "Data Protection", "Disabling Security Tools", "Dynamic DNS", "Emotet Malware (DHS Report TA18-201A)", "Hidden Cobra Malware", "Host Redirection", "Lateral Movement", "Malicious PowerShell", "Monitor Backup Solution", "Monitor for Unauthorized Software", "Netsh Abuse", "Orangeworm Attack Group", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Prohibited Traffic Allowed or Protocol Mismatch", "Ransomware", "Router & Infrastructure Security", "SamSam Ransomware", "Spectre And Meltdown Vulnerabilities", "Suspicious AWS Traffic", "Suspicious Command-Line Executions", "Suspicious DNS Traffic", "Suspicious MSHTA Activity", "Suspicious WMI Use", "Suspicious Windows Registry Activities", "Unusual Processes", "Use of Cleartext Protocols", "Windows Defense Evasion Tactics", "Windows File Extension and Association Abuse", "Windows Log Manipulation", "Windows Persistence Techniques", "Windows Privilege Escalation", "Windows Service Abuse"]
+action.escu.analytic_story = ["AWS Network ACL Activity", "Account Monitoring and Controls", "Apache Struts Vulnerability", "Brand Monitoring", "ColdRoot MacOS RAT", "Collection and Staging", "Command and Control", "Credential Dumping", "DHS Report TA18-074A", "DNS Amplification Attacks", "Data Protection", 
"Disabling Security Tools", "Dynamic DNS", "Emotet Malware (DHS Report TA18-201A)", "Hidden Cobra Malware", "Host Redirection", "Lateral Movement", "Malicious PowerShell", "Monitor Backup Solution", "Monitor for Unauthorized Software", "Netsh Abuse", "Orangeworm Attack Group", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Prohibited Traffic Allowed or Protocol Mismatch", "Ransomware", "Router & Infrastructure Security", "SamSam Ransomware", "Spectre And Meltdown Vulnerabilities", "Suspicious AWS Traffic", "Suspicious Command-Line Executions", "Suspicious DNS Traffic", "Suspicious Emails", "Suspicious MSHTA Activity", "Suspicious WMI Use", "Suspicious Windows Registry Activities", "Unusual Processes", "Use of Cleartext Protocols", "Windows Defense Evasion Tactics", "Windows File Extension and Association Abuse", "Windows Log Manipulation", "Windows Persistence Techniques", "Windows Privilege Escalation", "Windows Service Abuse"]
 action.escu.earliest_time_offset = 3600
 action.escu.latest_time_offset = 86400
 action.escu.data_models = ["Risk"]
@@ -9774,7 +9822,7 @@ action.escu.full_search_name = ESCU - Get User Information from Identity Table
 description = Gather more information about the user identified in the Notable Event.
 action.escu.creation_date = 2017-04-10
 action.escu.modification_date = 2017-09-20
-action.escu.analytic_story = ["AWS Cryptomining", "AWS Network ACL Activity", "Account Monitoring and Controls", "Apache Struts Vulnerability", "Brand Monitoring", "ColdRoot MacOS RAT", "Collection and Staging", "Command and Control", "Credential Dumping", "DHS Report TA18-074A", "Data Protection", "Disabling Security Tools", "Dynamic DNS", "Emotet Malware (DHS Report TA18-201A)", "Hidden Cobra Malware", "Host Redirection", "Lateral Movement", "Malicious PowerShell", "Monitor for Unauthorized Software", "Netsh Abuse", "Orangeworm Attack Group", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Prohibited Traffic Allowed or Protocol Mismatch", "Ransomware", "Router & Infrastructure Security", "SamSam Ransomware", "Spectre And Meltdown Vulnerabilities", "Suspicious AWS EC2 Activities", "Suspicious AWS S3 Activities", "Suspicious AWS Traffic", "Suspicious Command-Line Executions", "Suspicious DNS Traffic", "Suspicious MSHTA Activity", "Suspicious WMI Use", "Suspicious Windows Registry Activities", "Unusual Processes", "Use of Cleartext Protocols", "Windows Defense Evasion Tactics", "Windows File Extension and Association Abuse", "Windows Log Manipulation", "Windows Persistence Techniques", "Windows Privilege Escalation", "Windows Service Abuse"]
+action.escu.analytic_story = ["AWS Cryptomining", "AWS Network ACL Activity", "Account Monitoring and Controls", "Apache Struts Vulnerability", "Brand Monitoring", "ColdRoot MacOS RAT", "Collection and Staging", "Command and Control", "Credential Dumping", "DHS Report TA18-074A", "Data Protection", "Disabling Security Tools", "Dynamic DNS", "Emotet Malware (DHS Report TA18-201A)", "Hidden Cobra Malware", "Host Redirection", "Lateral 
Movement", "Malicious PowerShell", "Monitor for Unauthorized Software", "Netsh Abuse", "Orangeworm Attack Group", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Prohibited Traffic Allowed or Protocol Mismatch", "Ransomware", "Router & Infrastructure Security", "SamSam Ransomware", "Spectre And Meltdown Vulnerabilities", "Suspicious AWS EC2 Activities", "Suspicious AWS S3 Activities", "Suspicious AWS Traffic", "Suspicious Command-Line Executions", "Suspicious DNS Traffic", "Suspicious Emails", "Suspicious MSHTA Activity", "Suspicious WMI Use", "Suspicious Windows Registry Activities", "Unusual Processes", "Use of Cleartext Protocols", "Windows Defense Evasion Tactics", "Windows File Extension and Association Abuse", "Windows Log Manipulation", "Windows Persistence Techniques", "Windows Privilege Escalation", "Windows Service Abuse"]
 action.escu.earliest_time_offset = 3600
 action.escu.latest_time_offset = 86400
 action.escu.providing_technologies = ["Splunk Enterprise Security"]
@@ -10022,7 +10070,7 @@ action.escu.full_search_name = ESCU - Investigate Web Activity From Host
 description = This search allows you to find all the web activity from a specific host. During an investigation, it is important to profile web activity to characterize user or host activity.
 action.escu.creation_date = 2017-04-21
 action.escu.modification_date = 2017-11-09
-action.escu.analytic_story = ["Brand Monitoring", "DHS Report TA18-074A", "Disabling Security Tools", "Emotet Malware (DHS Report TA18-201A)", "Hidden Cobra Malware", "JBoss Vulnerability", "Monitor for Unauthorized Software", "Netsh Abuse", "Orangeworm Attack Group", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Ransomware", "SamSam Ransomware", "Suspicious Command-Line Executions", "Suspicious MSHTA Activity", "Suspicious Windows Registry Activities", "Unusual Processes", "Windows Log Manipulation", "Windows Persistence Techniques", "Windows Privilege Escalation"]
+action.escu.analytic_story = ["Brand Monitoring", "DHS Report TA18-074A", "Disabling Security Tools", "Emotet Malware (DHS Report TA18-201A)", "Hidden Cobra Malware", "JBoss Vulnerability", "Monitor for Unauthorized Software", "Netsh Abuse", "Orangeworm Attack Group", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Ransomware", "SamSam Ransomware", "Suspicious Command-Line Executions", "Suspicious Emails", "Suspicious MSHTA Activity", "Suspicious Windows Registry Activities", "Unusual Processes", "Windows Log Manipulation", "Windows Persistence Techniques", "Windows Privilege Escalation"]
 action.escu.earliest_time_offset = 3600
 action.escu.latest_time_offset = 86400
 action.escu.data_models = ["Web"]
@@ -10343,7 +10391,7 @@ action.escu.full_search_name = ESCU - DNSTwist Domain Names
 description = This search creates permutations of your existing domains, removes the valid domain names and stores them in a specified lookup file so they can be checked for in the associated detection searches.
 action.escu.creation_date = 2017-06-01
 action.escu.modification_date = 2018-10-08
-action.escu.analytic_story = ["Brand Monitoring"]
+action.escu.analytic_story = ["Brand Monitoring", "Suspicious Emails"]
 dispatch.earliest_time = -30d@d
 dispatch.latest_time = -10m@m
 action.escu.providing_technologies = ["Splunk Enterprise"]
diff --git a/package/default/transforms.conf b/package/default/transforms.conf
index 13ab813c9d..3d0ebaf6e6 100644
--- a/package/default/transforms.conf
+++ b/package/default/transforms.conf
@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security-content
-# On Date: 2019-11-05T20:22:48 UTC
+# On Date: 2019-11-18T18:30:07 UTC
 # Author: Splunk Security Research
 # Contact: research@splunk.com
 #############
diff --git a/package/default/use_case_library.conf b/package/default/use_case_library.conf
index aa066b029d..95bf64f0b8 100644
--- a/package/default/use_case_library.conf
+++ b/package/default/use_case_library.conf
@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security-content
-# On Date: 2019-11-05T20:22:49 UTC
+# On Date: 2019-11-18T18:30:07 UTC
 # Author: Splunk Security Research
 # Contact: research@splunk.com
 #############
@@ -121,7 +121,7 @@ narrative = This Analytic Story is designed to help you develop a better underst
 category = Abuse
 last_updated = 2017-12-19
 version = 1.0
-references = ["https://blog.domaintools.com/tag/brand-monitor/", "https://securingtomorrow.mcafee.com/consumer/family-safety/what-is-typosquatting/", "https://blog.malwarebytes.com/cybercrime/2016/06/explained-typosquatting/"]
+references = ["https://www.zerofox.com/blog/what-is-digital-risk-monitoring/", "https://securingtomorrow.mcafee.com/consumer/family-safety/what-is-typosquatting/", "https://blog.malwarebytes.com/cybercrime/2016/06/explained-typosquatting/"]
 maintainers = [{"company": "Splunk", "email": "davidd@splunk.com", "name": "David Dorsey"}]
 spec_version = 2
 searches = ["ESCU - Monitor DNS For Brand Abuse - Rule", "ESCU - Monitor Email For Brand Abuse - Rule", "ESCU - Monitor Web Traffic For Brand Abuse - Rule", "ESCU - Get Authentication Logs For Endpoint", "ESCU - Get Email Info", "ESCU - Get Emails From Specific Sender", "ESCU - Get Notable History", "ESCU - Get Notable Info", "ESCU - Get Process Responsible For The DNS Traffic", "ESCU - Get Risk Modifiers For Endpoint", "ESCU - Get Risk Modifiers For User", "ESCU - Get User Information from Identity Table", "ESCU - Investigate Web Activity From Host", "ESCU - DNSTwist Domain Names"]
@@ -214,7 +214,7 @@ version = 2.0
 references = ["https://www.us-cert.gov/ncas/alerts/TA18-074A"]
 maintainers = [{"company": "Splunk", "email": "rvaldez@splunk.com", "name": "Rico Valdez"}]
 spec_version = 2
-searches = ["ESCU - Create local admin accounts using net.exe - Rule", "ESCU - Detect New Local Admin account - Rule", "ESCU - Detect Outbound SMB Traffic - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - First time seen command line argument - Rule", "ESCU - Malicious PowerShell Process - Execution Policy Bypass - Rule", "ESCU - Processes launching netsh - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - SMB Traffic Spike - MLTK - Rule", "ESCU - SMB Traffic Spike - Rule", "ESCU - Sc.exe Manipulating Windows Services - Rule", "ESCU - Scheduled Task Name Used by Dragonfly Threat Actors - Rule", "ESCU - Single Letter Process On Endpoint - Rule", "ESCU - Suspicious Reg.exe Process - Rule", "ESCU - Get Authentication Logs For Endpoint", "ESCU - Get Notable History", "ESCU - Get Notable Info", "ESCU - Get Parent Process Info", "ESCU - Get Process Info", "ESCU - Get Process Information For Port Activity", "ESCU - Get Registry Activities", "ESCU - Get Risk Modifiers For Endpoint", "ESCU - Get Risk Modifiers For User", "ESCU - Get User Information from Identity Table", "ESCU - Get Vulnerability Logs For Endpoint", "ESCU - Investigate Web Activity From Host", "ESCU - Baseline of SMB Traffic - MLTK", "ESCU - Previously seen command line arguments"]
+searches = ["ESCU - Create local admin accounts using net.exe - Rule", "ESCU - Detect New Local Admin account - Rule", "ESCU - Detect Outbound SMB Traffic - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - First time seen command line argument - Rule", "ESCU - Malicious PowerShell Process - Execution Policy Bypass - Rule", "ESCU - Processes launching netsh - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - SMB Traffic Spike - MLTK - Rule", "ESCU - SMB 
Traffic Spike - Rule", "ESCU - Sc.exe Manipulating Windows Services - Rule", "ESCU - Scheduled Task Name Used by Dragonfly Threat Actors - Rule", "ESCU - Single Letter Process On Endpoint - Rule", "ESCU - Suspicious Reg.exe Process - Rule", "ESCU - Get Authentication Logs For Endpoint", "ESCU - Get Notable History", "ESCU - Get Notable Info", "ESCU - Get Parent Process Info", "ESCU - Get Process File Activity", "ESCU - Get Process Info", "ESCU - Get Process Information For Port Activity", "ESCU - Get Process Registry Activity", "ESCU - Get Registry Activities", "ESCU - Get Risk Modifiers For Endpoint", "ESCU - Get Risk Modifiers For User", "ESCU - Get User Information from Identity Table", "ESCU - Get Vulnerability Logs For Endpoint", "ESCU - Investigate Web Activity From Host", "ESCU - Baseline of SMB Traffic - MLTK", "ESCU - Previously seen command line arguments"]
 description = Monitor for suspicious activities associated with DHS Technical Alert US-CERT TA18-074A. Some of the activities that adversaries used in these compromises included spearfishing attacks, malware, watering-hole domains, many and more.
 narrative = The frequency of nation-state cyber attacks has increased significantly over the last decade. Employing numerous tactics and techniques, these attacks continue to escalate in complexity. \
 There is a wide range of motivations for these state-sponsored hacks, including stealing valuable corporate, military, or diplomatic dataѿall of which could confer advantages in various arenas. They may also target critical infrastructure. \
@@ -225,7 +225,7 @@ Suspicious activities--spikes in SMB traffic, processes that launch netsh (to mo
 category = Abuse
 last_updated = 2016-09-13
 version = 1.0
-references = ["https://www.us-cert.gov/ncas/alerts/TA13-088A", "https://deepthought.isc.org/article/AA-00897/0/What-is-a-DNS-Amplification-Attack.html"]
+references = ["https://www.us-cert.gov/ncas/alerts/TA13-088A", "https://www.cloudflare.com/learning/ddos/dns-amplification-ddos-attack/"]
 maintainers = [{"company": "Splunk", "email": "bpatel@splunk.com", "name": "Bhavin Patel"}]
 spec_version = 2
 searches = ["ESCU - Large Volume of DNS ANY Queries - Rule", "ESCU - Get Notable History", "ESCU - Get Notable Info", "ESCU - Get Risk Modifiers For Endpoint", "ESCU - Get Risk Modifiers For User"]
@@ -687,7 +687,7 @@ version = 1.0
 references = ["https://www.splunk.com/blog/2015/06/26/phishing-hits-a-new-level-of-quality/"]
 maintainers = [{"company": "Splunk", "email": "bpatel@splunk.com", "name": "Bhavin Patel"}]
 spec_version = 2
-searches = ["ESCU - Email Attachments With Lots Of Spaces - Rule", "ESCU - Suspicious Email Attachment Extensions - Rule"]
+searches = ["ESCU - Email Attachments With Lots Of Spaces - Rule", "ESCU - Monitor Email For Brand Abuse - Rule", "ESCU - Suspicious Email Attachment Extensions - Rule", "ESCU - Get Authentication Logs For Endpoint", "ESCU - Get Email Info", "ESCU - Get Emails From Specific Sender", "ESCU - Get Notable History", "ESCU - Get Notable Info", "ESCU - Get Risk Modifiers For Endpoint", "ESCU - Get Risk Modifiers For User", "ESCU - Get User Information from Identity Table", "ESCU - Investigate Web Activity From Host", "ESCU - DNSTwist Domain Names"]
 description = Email remains one of the primary means for attackers to gain an initial foothold within the modern enterprise. Detect and investigate suspicious emails in your environment with the help of the searches in this Analytic Story.
 narrative = It is a common practice for attackers of all types to leverage targeted spearphishing campaigns and mass mailers to deliver weaponized email messages and attachments. Fortunately, there are a number of ways to monitor email data in Splunk to detect suspicious content.\
 Once a phishing message has been detected, the next steps are to answer the following questions: \
@@ -2915,6 +2915,14 @@ known_false_positives = None at this time
 earliest_time_offset = 0
 latest_time_offset = 86400

+[savedsearch://ESCU - Get Process File Activity]
+type = investigation
+explanation = none
+how_to_implement = To successfully implement this search you must be ingesting endpoint data and populating the Endpoint data model.
+known_false_positives = None at this time
+earliest_time_offset = 7200
+latest_time_offset = 7200
+
 [savedsearch://ESCU - Get Process Info]
 type = investigation
 explanation = none
@@ -2931,6 +2939,14 @@ known_false_positives = None at this time
 earliest_time_offset = 7200
 latest_time_offset = 7200

+[savedsearch://ESCU - Get Process Registry Activity]
+type = investigation
+explanation = none
+how_to_implement = To successfully implement this search you must be ingesting endpoint data and populating the Endpoint data model.
+known_false_positives = None at this time
+earliest_time_offset = 7200
+latest_time_offset = 7200
+
 [savedsearch://ESCU - Get Process Responsible For The DNS Traffic]
 type = investigation
 explanation = none
diff --git a/responses/README.md b/responses/README.md
new file mode 100644
index 0000000000..e36fb6a2a5
--- /dev/null
+++ b/responses/README.md
@@ -0,0 +1,2 @@
+### Comming soon to a theater near you
+
diff --git a/stories/brand_monitoring.yml b/stories/brand_monitoring.yml
index a88431295e..fdef9aea8f 100644
--- a/stories/brand_monitoring.yml
+++ b/stories/brand_monitoring.yml
@@ -45,7 +45,7 @@ original_authors:
 email: davidd@splunk.com
 name: David Dorsey
 references:
- - https://blog.domaintools.com/tag/brand-monitor/
+ - https://www.zerofox.com/blog/what-is-digital-risk-monitoring/
 - https://securingtomorrow.mcafee.com/consumer/family-safety/what-is-typosquatting/
 - https://blog.malwarebytes.com/cybercrime/2016/06/explained-typosquatting/
 spec_version: 2
diff --git a/stories/dns_amplification_attacks.yml b/stories/dns_amplification_attacks.yml
index 5b66e89508..13bd5b900c 100644
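Review bot: The two new `[savedsearch://...]` entries carry `earliest_time_offset = 7200` and `latest_time_offset = 7200`, whereas their savedsearches.conf stanzas earlier in this diff carry `action.escu.earliest_time_offset = 3600` and `action.escu.latest_time_offset = 86400`. The context line shows the existing `Get Process Info` entry with the same 7200/7200 pair in this file, so I assume the generator deliberately emits a different window per file; if the two are meant to agree, the YAML the generator reads for these two searches is the place to check. Both entries also inherit the `explanation = none` placeholder, so the generated docs will have nothing to show for them until the source YAML gets a sentence.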
--- a/stories/dns_amplification_attacks.yml
+++ b/stories/dns_amplification_attacks.yml
@@ -40,7 +40,7 @@ original_authors:
 name: Bhavin Patel
 references:
 - https://www.us-cert.gov/ncas/alerts/TA13-088A
- - https://deepthought.isc.org/article/AA-00897/0/What-is-a-DNS-Amplification-Attack.html
+ - https://www.cloudflare.com/learning/ddos/dns-amplification-ddos-attack/
 spec_version: 2
 usecase: Security Monitoring
 version: '1.0'