Commit 08e7349

updates
1 parent 676d89a commit 08e7349

5 files changed

+187
-2
lines changed
Lines changed: 96 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,96 @@
1+
name: Windows Event Log Application 17135
2+
id: 4491537e-520c-46f7-9209-f56f852aa237
3+
version: 1
4+
date: '2025-02-26'
5+
author: Michael Haag, Splunk
6+
description: Data source object for Windows Event Log Application 17135
7+
source: XmlWinEventLog:Application
8+
sourcetype: XmlWinEventLog
9+
separator: EventCode
10+
supported_TA:
11+
- name: Splunk Add-on for Microsoft Windows
12+
url: https://splunkbase.splunk.com/app/742
13+
version: 9.0.1
14+
fields:
15+
- CategoryString
16+
- Channel
17+
- Computer
18+
- Error_Code
19+
- EventCode
20+
- EventData_Xml
21+
- EventID
22+
- EventRecordID
23+
- Image_File_Name
24+
- Keywords
25+
- Level
26+
- Name
27+
- Opcode
28+
- ProcessID
29+
- Qualifiers
30+
- RecordNumber
31+
- RenderingInfo_Xml
32+
- SourceName
33+
- SubStatus
34+
- SystemTime
35+
- System_Props_Xml
36+
- Task
37+
- TaskCategory
38+
- ThreadID
39+
- Version
40+
- _bkt
41+
- _cd
42+
- _eventtype_color
43+
- _indextime
44+
- _raw
45+
- _serial
46+
- _si
47+
- _sourcetype
48+
- _subsecond
49+
- _time
50+
- action
51+
- category
52+
- date_hour
53+
- date_mday
54+
- date_minute
55+
- date_month
56+
- date_second
57+
- date_wday
58+
- date_year
59+
- date_zone
60+
- dest
61+
- dvc
62+
- dvc_nt_host
63+
- event_id
64+
- eventtype
65+
- host
66+
- id
67+
- index
68+
- linecount
69+
- name
70+
- parent_process
71+
- process_name
72+
- punct
73+
- result
74+
- service
75+
- service_id
76+
- service_name
77+
- severity
78+
- severity_id
79+
- signature
80+
- signature_id
81+
- source
82+
- sourcetype
83+
- splunk_server
84+
- splunk_server_group
85+
- status
86+
- subject
87+
- tag
88+
- tag::action
89+
- tag::eventtype
90+
- timeendpos
91+
- timestartpos
92+
- user_group_id
93+
- user_id
94+
- vendor_product
95+
example_log: <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='MSSQLSERVER'/><EventID Qualifiers='16384'>17135</EventID><Version>0</Version><Level>4</Level><Task>2</Task><Opcode>0</Opcode><Keywords>0x80000000000000</Keywords><TimeCreated SystemTime='2025-02-10T16:38:42.6969829Z'/><EventRecordID>16509</EventRecordID><Correlation/><Execution ProcessID='0' ThreadID='0'/><Channel>Application</Channel><Computer>ar-win-2.attackrange.local</Computer><Security/></System><EventData><Data>sp_add_sysadmin</Data><Binary>EF4200000A00000009000000610072002D00770069006E002D0032000000070000006D00610073007400650072000000</Binary></EventData></Event>
96+
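Review bot: the `id` on line 2 (`4491537e-520c-46f7-9209-f56f852aa237`) differs from the 8128 data source's `id` (`4491537e-5e0c-46f7-9209-f56f852aa237`) by a single hex digit, which looks like a hand-edited copy rather than a freshly generated UUID; generate a new one for each object so that lookups by id cannot be confused. The `fields` list also carries Splunk metadata that is attached to every indexed event (`_bkt`, `_cd`, `_serial`, `_si`, `_eventtype_color`, `punct`, `timeendpos`, `timestartpos`) rather than fields carried by this event; trimming to the event's own fields (`EventCode`, `EventData_Xml`, `Computer`, `SourceName`, `EventRecordID`, `SystemTime` and the CIM fields) would make the object more useful as documentation. Finally, `description` on line 6 only repeats the name; a sentence stating that the event comes from provider `MSSQLSERVER` and that its single `<Data>` element holds a stored procedure name (`sp_add_sysadmin` in the `example_log`) would tell detection authors what is available to extract.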
Lines changed: 88 additions & 0 deletions
@@ -0,0 +1,88 @@
1+
name: Windows Event Log Application 8128
2+
id: 4491537e-5e0c-46f7-9209-f56f852aa237
3+
version: 1
4+
date: '2025-02-26'
5+
author: Michael Haag, Splunk
6+
description: Data source object for Windows Event Log Application 8128
7+
source: XmlWinEventLog:Application
8+
sourcetype: XmlWinEventLog
9+
separator: EventCode
10+
supported_TA:
11+
- name: Splunk Add-on for Microsoft Windows
12+
url: https://splunkbase.splunk.com/app/742
13+
version: 9.0.1
14+
fields:
15+
- CategoryString
16+
- Channel
17+
- Computer
18+
- Error_Code
19+
- EventCode
20+
- EventData_Xml
21+
- EventID
22+
- EventRecordID
23+
- EventSourceName
24+
- Guid
25+
- Image_File_Name
26+
- Keywords
27+
- Level
28+
- Name
29+
- Opcode
30+
- ProcessID
31+
- Qualifiers
32+
- RecordNumber
33+
- RenderingInfo_Xml
34+
- SourceName
35+
- SubStatus
36+
- SystemTime
37+
- System_Props_Xml
38+
- Task
39+
- TaskCategory
40+
- ThreadID
41+
- UserID
42+
- Version
43+
- _bkt
44+
- _cd
45+
- _eventtype_color
46+
- _indextime
47+
- _raw
48+
- _serial
49+
- _si
50+
- _sourcetype
51+
- _time
52+
- action
53+
- category
54+
- dest
55+
- dvc
56+
- dvc_nt_host
57+
- event_id
58+
- eventtype
59+
- host
60+
- id
61+
- index
62+
- linecount
63+
- name
64+
- parent_process
65+
- process_name
66+
- punct
67+
- result
68+
- service
69+
- service_id
70+
- service_name
71+
- severity
72+
- severity_id
73+
- signature
74+
- signature_id
75+
- source
76+
- sourcetype
77+
- splunk_server
78+
- splunk_server_group
79+
- status
80+
- subject
81+
- tag
82+
- tag::action
83+
- tag::eventtype
84+
- user_group_id
85+
- user_id
86+
- vendor_product
87+
example_log: <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='MSSQLSERVER'/><EventID Qualifiers='16384'>8128</EventID><Version>0</Version><Level>4</Level><Task>2</Task><Opcode>0</Opcode><Keywords>0x80000000000000</Keywords><TimeCreated SystemTime='2025-02-10T20:03:14.2006851Z'/><EventRecordID>16635</EventRecordID><Correlation/><Execution ProcessID='0' ThreadID='0'/><Channel>Application</Channel><Computer>ar-win-2.attackrange.local</Computer><Security/></System><EventData><Data>odsole70.dll</Data><Data>2022.160.1000</Data><Data>sp_OACreate</Data><Binary>C01F00000A00000009000000610072002D00770069006E002D0032000000050000006D007300640062000000</Binary></EventData></Event>
88+
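Review bot: the three `<Data>` elements in `example_log` (line 87) carry no `Name` attributes, so a consumer can only extract them positionally; `description` on line 6 should record that order (DLL file name, DLL version, procedure name, here `odsole70.dll`, `2022.160.1000`, `sp_OACreate`), because nothing else in this object documents it and the hunt that references this data source hard-codes exactly that order in its `rex`. As with the 17135 object, the `id` on line 2 is one hex digit away from the sibling object's id; use a fresh UUID. The `fields` list here also includes `EventSourceName`, `Guid` and `UserID`, which the 17135 object omits even though both are `XmlWinEventLog:Application` events from the same add-on version; if these lists are meant to be the field set the TA produces, they should agree.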

detections/endpoint/windows_sql_server_critical_procedures_enabled.yml

Lines changed: 1 addition & 0 deletions
@@ -35,6 +35,7 @@ references:
3535
- https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/clr-enabled-server-configuration-option
3636
- https://www.netspi.com/blog/technical/network-penetration-testing/enumerating-domain-accounts-via-sql-server-using-adsi/
3737
- https://attack.mitre.org/techniques/T1505/001/
38+
- https://www.netspi.com/blog/technical-blog/adversary-simulation/attacking-sql-server-clr-assemblies/
3839
drilldown_searches:
3940
- name: View the detection results for - "$dest$"
4041
search: '%original_detection_search% | search dest = "$dest$"'
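Review bot: the reference added on line 38 covers SQL Server CLR assemblies, the same topic as the `clr-enabled-server-configuration-option` link on line 35; placing it directly after that entry would keep related references together instead of appending it after the unrelated MITRE link on line 37. Since this hunk only touches `references`, check the project's convention on whether a metadata-only edit requires the detection's `version` to be bumped.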

detections/endpoint/windows_sql_server_extended_procedure_dll_loading_hunt.yml

Lines changed: 1 addition & 1 deletion
@@ -7,7 +7,7 @@ status: production
77
type: Hunting
88
description: This analytic detects when SQL Server loads DLLs to execute extended stored procedures. This is particularly important for security monitoring as it indicates the first-time use or version changes of potentially dangerous procedures like xp_cmdshell, sp_OACreate, and others. While this is a legitimate operation, adversaries may abuse these procedures for execution, discovery, or privilege escalation.
99
data_source:
10-
- Windows Event Log Application
10+
- Windows Event Log Application 8128
1111
search: '`wineventlog_application` EventCode=8128
1212
| rex field=EventData_Xml "<Data>(?<dll_name>[^<]+)</Data><Data>(?<dll_version>[^<]+)</Data><Data>(?<procedure_name>[^<]+)</Data>"
1313
| rename host as dest
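Review bot: the `data_source` rename on line 10 now matches the `name` of the new 8128 object, which is the right fix, but the `rex` on line 12 (unchanged context) only matches when all three `<Data>` elements are non-empty, because every group is `[^<]+`; an event where SQL Server writes an empty value in any position (for example no version string) fails the whole match and drops out of the hunt silently, with no `dll_name` or `procedure_name` to alert on. Using `[^<]*` for positions that may be empty, or extracting each element with its own `rex`, keeps those events visible. It would also help to state in `description` that the `EventData_Xml` layout (DLL name, version, procedure) is positional, since the only place that order is documented is the new data source's `example_log`.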

detections/endpoint/windows_sql_server_startup_procedure.yml

Lines changed: 1 addition & 1 deletion
@@ -7,7 +7,7 @@ status: production
77
type: Anomaly
88
description: This detection identifies when a startup procedure is registered or executed in SQL Server. Startup procedures automatically execute when SQL Server starts, making them an attractive persistence mechanism for attackers. The detection monitors for suspicious stored procedure names and patterns that may indicate malicious activity, such as attempts to execute operating system commands or gain elevated privileges.
99
data_source:
10-
- Windows Event Log Application
10+
- Windows Event Log Application 17135
1111
search: '`wineventlog_application` EventCode=17135
1212
| rex field=EventData_Xml "<Data>(?<startup_procedure>[^<]+)</Data>"
1313
| rename host as dest
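Review bot: `description` on line 8 says the detection identifies when a startup procedure is "registered or executed", but the search on line 11 keys only on EventCode 17135, and the `example_log` in the new 17135 data source shows that event carrying just one `<Data>` element with a procedure name (`sp_add_sysadmin`), with nothing that distinguishes registration from execution; either narrow the description to what this single event records or add the event that captures registration so the search matches the description. The `data_source` rename on line 10 is consistent with the new object's `name`.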
