Merge branch 'develop' into MSIX-Resurrection

Author: patel-bhavin

detections/endpoint/linux_auditd_install_kernel_module_using_modprobe_utility.yml

@@ -1,7 +1,7 @@
 name: Linux Auditd Install Kernel Module Using Modprobe Utility
 id: 95165985-ace5-4d42-9c42-93a89a5af901
-version: 6
-date: '2025-05-02'
+version: 7
+date: '2025-08-18'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -64,6 +64,7 @@ tags:
   - Linux Rootkit
   - Linux Persistence Techniques
   - Compromised Linux Host
+  - China-Nexus Threat Activity
   asset_type: Endpoint
   mitre_attack_id:
   - T1547.006

detections/endpoint/linux_install_kernel_module_using_modprobe_utility.yml

@@ -1,7 +1,7 @@
 name: Linux Install Kernel Module Using Modprobe Utility
 id: 387b278a-6326-11ec-aa2c-acde48001122
-version: 7
-date: '2025-05-02'
+version: 8
+date: '2025-08-18'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -65,6 +65,7 @@ tags:
   - Linux Privilege Escalation
   - Linux Persistence Techniques
   - Linux Rootkit
+  - China-Nexus Threat Activity
   asset_type: Endpoint
   mitre_attack_id:
   - T1547.006

detections/network/internal_horizontal_port_scan.yml

@@ -1,7 +1,7 @@
 name: Internal Horizontal Port Scan
 id: 1ff9eb9a-7d72-4993-a55e-59a839e607f1
-version: 7
-date: '2025-05-22'
+version: 8
+date: '2025-08-18'
 author: Dean Luxton
 status: production
 type: TTP
@@ -60,6 +60,7 @@ tags:
   analytic_story:
   - Network Discovery
   - Cisco Secure Firewall Threat Defense Analytics
+  - China-Nexus Threat Activity
   asset_type: Endpoint
   mitre_attack_id:
   - T1046

detections/network/internal_horizontal_port_scan_nmap_top_20.yml

@@ -1,7 +1,7 @@
 name: Internal Horizontal Port Scan NMAP Top 20
 id: 3141a041-4f57-4277-9faa-9305ca1f8e5b
-version: 5
-date: '2025-05-22'
+version: 6
+date: '2025-08-18'
 author: Dean Luxton
 status: production
 type: TTP
@@ -62,6 +62,7 @@ tags:
   analytic_story:
   - Network Discovery
   - Cisco Secure Firewall Threat Defense Analytics
+  - China-Nexus Threat Activity
   asset_type: Endpoint
   mitre_attack_id:
   - T1046

detections/network/internal_vertical_port_scan.yml

@@ -1,7 +1,7 @@
 name: Internal Vertical Port Scan
 id: 40d2dc41-9bbf-421a-a34b-8611271a6770
-version: 6
-date: '2025-05-22'
+version: 7
+date: '2025-08-18'
 author: Dean Luxton
 status: production
 type: TTP
@@ -60,6 +60,7 @@ tags:
   analytic_story:
   - Network Discovery
   - Cisco Secure Firewall Threat Defense Analytics
+  - China-Nexus Threat Activity
   asset_type: Endpoint
   mitre_attack_id:
   - T1046

stories/china_nexus_threat_activity.yml

@@ -1,17 +1,20 @@
 name: China-Nexus Threat Activity
 id: ac8b8e7c-ed27-428b-871f-ceb9400c733a
-version: 2
-date: '2025-02-24'
+version: 3
+date: '2025-08-18'
 author: Teoderick Contreras, Splunk
 status: production
-description: Leverage searches that allow you to detect and investigate unusual activities that might relate to Nexus, Chinese state-nexus adversaries known for its stealth and strategic targeting of high-value sectors. Monitor for indicators such as spear-phishing campaigns, exploitation of zero-day vulnerabilities, and unauthorized lateral movement within your network. Investigate anomalous data exfiltration, encrypted communications, and behaviors aligning with their known tactics, techniques, and procedures (TTPs). Combining threat intelligence with real-time monitoring helps identify and respond to Nexus APT activity, minimizing potential damage and data loss.
+description: Leverage searches that allow you to detect and investigate unusual activities that might relate to Nexus, Chinese state-nexus adversaries known for its stealth and strategic targeting of high-value sectors. Monitor for indicators such as spear-phishing campaigns, exploitation of zero-day vulnerabilities, and unauthorized lateral movement within your network. Investigate anomalous data exfiltration, encrypted communications, and behaviors aligning with their known tactics, techniques, and procedures (TTPs). Combining threat intelligence with real-time monitoring helps identify and respond to Nexus APT activity, minimizing potential damage and data loss. This includes TTPs for groups such as APT31, APT40, and more. Also covers UNC groups such as UNC3886.
 narrative: As described by Crowdstrike, Chinese state-nexus threat group or adversary are known to target the telecommunications and technology sectors in multiple countries, including the US, to maintain sustained access as well as conduct espionage. Compromised entities in either sector represent potential supply chain vectors of concern to Splunk, although telecommunications entities are a more pervasive and acute concern in this regard. These actors are also known to broadly target unpatched routers, switches and other edge devices across various sectors. Given these threats, Splunk Threat Intelligence (TI) undertook a detailed investigation into China-nexus tactics and techniques that could be used in attempts to compromise Splunk. This report is the result of that investigation, detailing noteworthy behaviors and tools employed by China-nexus targeted intrusion actors.
 references:
 - https://news.sophos.com/en-us/2024/10/31/pacific-rim-neutralizing-china-based-threat/
 - https://www.wsj.com/tech/cybersecurity/typhoon-china-hackers-military-weapons-97d4ef95?st=oe1KKi&reflink=desktopwebshare _permalink
 - https://www.judiciary.senate.gov/imo/media/doc/2024-11-19_pm_-_testimony_-_meyers.pdf
 - https://go.crowdstrike.com/rs/281-OBQ-266/images/GlobalThreatReport2024.pdf
 - https://www.crowdstrike.com/adversaries/envoy-panda/
+- https://www.trendmicro.com/en_us/research/25/g/revisiting-unc3886-tactics-to-defend-against-present-risk.html
+- https://cloud.google.com/blog/topics/threat-intelligence/apt40-examining-a-china-nexus-espionage-actor
+- https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations
 tags:
   category:
   - Malware