headless_bee

t-contreras · t-contreras · commit 265cd83413f3 · 2025-02-21T13:26:44.000+01:00
diff --git a/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml b/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml
@@ -18,7 +18,7 @@ data_source:
 search: '| tstats `security_content_summariesonly` values(Filesystem.file_path) as file_path count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem
   where Filesystem.file_name IN ("*.exe", "*.dll", "*.sys", "*.com", "*.vbs", "*.vbe", "*.js", "*.ps1", "*.bat", "*.cmd", "*.pif") 
   AND Filesystem.file_path IN ("*\\windows\\fonts\\*", "*\\users\\public\\*", "*\\windows\\debug\\*", "*\\Users\\Administrator\\Music\\*", "*\\Windows\\servicing\\*", "*\\Users\\Default\\*", "*Recycle.bin*", "*\\Windows\\Media\\*",
-  "*\\Windows\\repair\\*", "*\\PerfLogs\\*", "*\\programdata\\*") AND NOT(Filesystem.file_path IN("*\\temp\\*"))
+  "*\\Windows\\repair\\*", "*\\PerfLogs\\*") AND NOT(Filesystem.file_path IN("*\\temp\\*"))
   by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.user
   | `drop_dm_object_name(Filesystem)` 
   | `security_content_ctime(firstTime)` 
diff --git a/detections/endpoint/executables_or_script_creation_in_temp_path.yml b/detections/endpoint/executables_or_script_creation_in_temp_path.yml
@@ -17,7 +17,7 @@ data_source:
 - Sysmon EventID 11
 search: '| tstats `security_content_summariesonly` values(Filesystem.file_path) as file_path count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem
   where Filesystem.file_name IN ("*.exe", "*.dll", "*.sys", "*.com", "*.vbs", "*.vbe", "*.js", "*.ps1", "*.bat", "*.cmd", "*.pif") 
-  AND Filesystem.file_path IN ("*\\temp\\*")
+  AND Filesystem.file_path IN ("*\\AppData\\Local\\Temp\\*", "*:\\Windows\\Temp\\*", "*:\\Temp*")
   by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.user
   | `drop_dm_object_name(Filesystem)` 
   | `security_content_ctime(firstTime)` 
diff --git a/detections/endpoint/windows_anonymous_pipe_activity.yml b/detections/endpoint/windows_anonymous_pipe_activity.yml
@@ -34,13 +34,6 @@ drilldown_searches:
     | `security_content_ctime(lastTime)`'
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
-rba:
-  message: An anonymous Pipe Channel activity on [$dest$].
-  risk_objects:
-  - field: dest
-    type: system
-    score: 30
-  threat_objects: []
 tags:
   analytic_story:
   - SnappyBee
diff --git a/detections/endpoint/windows_snappybee_create_test_registry.yml b/detections/endpoint/windows_snappybee_create_test_registry.yml
@@ -1,11 +1,11 @@
-name: Windows Create Test Registry
+name: Windows SnappyBee Create Test Registry
 id: 80402396-d78a-4c6e-ade5-7697ea670adf
 version: 1
 date: '2025-02-11'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
-description: The following analytic detects modifications to the Windows registry under `SOFTWARE\Microsoft\Test`, a location rarely used by legitimate applications in a production environment. Monitoring this key is crucial, as adversaries may create or alter values here for persistence, privilege escalation, or system manipulation. The detection leverages **Sysmon Event ID 13** (Registry Value Set) to identify unauthorized changes. Analysts should investigate processes associated with these modifications, particularly unsigned executables or suspicious command-line activity, as they may indicate malware or unauthorized software behavior.
+description: The following analytic detects modifications to the Windows registry under `SOFTWARE\Microsoft\Test`, a location rarely used by legitimate applications in a production environment. Monitoring this key is crucial, as adversaries may create or alter values here for monitoring update of itself file path, updated configuration file, or system mark compromised. The detection leverages **Sysmon Event ID 13** (Registry Value Set) to identify unauthorized changes. Analysts should investigate processes associated with these modifications, particularly unsigned executables or suspicious command-line activity, as they may indicate malware or unauthorized software behavior.
 data_source:
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry 
@@ -14,7 +14,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime
   | `drop_dm_object_name(Registry)` 
   | `security_content_ctime(firstTime)` 
   | `security_content_ctime(lastTime)` 
-  | `windows_create_test_registry_filter`'
+  | `windows_snappybee_create_test_registry_filter`'
 how_to_implement: To successfully implement this search you need to be ingesting information
   on process that include the name of the process responsible for the changes from
   your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure
diff --git a/detections/endpoint/windows_svchost_exe_parent_process_anomaly.yml b/detections/endpoint/windows_svchost_exe_parent_process_anomaly.yml
@@ -10,7 +10,9 @@ data_source:
 - Sysmon EventID 1
 - Windows Event Log Security 4688
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes 
-  where Processes.parent_process_name != "services.exe" AND Processes.process_name = "svchost.exe" AND Processes.process != unknown
+  where Processes.parent_process_name != "services.exe" AND Processes.process_name = "svchost.exe" AND Processes.process != unknown 
+  AND Processes.parent_process_path != "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe"
+  AND Processes.parent_process_path != "C:\\Program Files\\Windows Defender\\MsMpEng.exe"
   by Processes.parent_process_name Processes.parent_process_path Processes.parent_process Processes.process_path Processes.process Processes.original_file_name Processes.dest Processes.user 
   | `drop_dm_object_name(Processes)` 
   | `security_content_ctime(firstTime)` 
