Merge pull request #3664 from splunk/lamehug

lamehug

Author: patel-bhavin

detections/endpoint/domain_account_discovery_with_dsquery.yml

@@ -1,18 +1,19 @@
 name: Domain Account Discovery with Dsquery
 id: b1a8ce04-04c2-11ec-bea7-acde48001122
-version: 8
-date: '2025-05-02'
+version: 9
+date: '2025-08-27'
 author: Teoderick Contreras, Mauricio Velazco, Splunk
 status: production
-type: Hunting
-description: The following analytic identifies the execution of `dsquery.exe` with
-  command-line arguments used to discover domain users. It leverages data from Endpoint
-  Detection and Response (EDR) agents, focusing on process names and command-line
-  executions. This activity is significant as it indicates potential reconnaissance
-  efforts by adversaries to map out domain users, which is a common precursor to further
-  attacks. If confirmed malicious, this behavior could allow attackers to gain insights
-  into user accounts, facilitating subsequent actions like privilege escalation or
-  lateral movement within the network.
+type: Anomaly
+description: The following analytic identifies the execution of `dsquery.exe` 
+  with command-line arguments used to discover domain users. It leverages data 
+  from Endpoint Detection and Response (EDR) agents, focusing on process names 
+  and command-line executions. This activity is significant as it indicates 
+  potential reconnaissance efforts by adversaries to map out domain users, which
+  is a common precursor to further attacks. If confirmed malicious, this 
+  behavior could allow attackers to gain insights into user accounts, 
+  facilitating subsequent actions like privilege escalation or lateral movement 
+  within the network.
 data_source:
 - Sysmon EventID 1
 - Windows Event Log Security 4688
@@ -26,22 +27,54 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime
   Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path
   Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)`
   | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_account_discovery_with_dsquery_filter`'
-how_to_implement: The detection is based on data that originates from Endpoint Detection
-  and Response (EDR) agents. These agents are designed to provide security-related
-  telemetry from the endpoints where the agent is installed. To implement this search,
-  you must ingest logs that contain the process GUID, process name, and parent process.
-  Additionally, you must ingest complete command-line executions. These logs must
-  be processed using the appropriate Splunk Technology Add-ons that are specific to
-  the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
-  data model. Use the Splunk Common Information Model (CIM) to normalize the field
-  names and speed up the data modeling process.
-known_false_positives: Administrators or power users may use this command for troubleshooting.
+how_to_implement: The detection is based on data that originates from Endpoint 
+  Detection and Response (EDR) agents. These agents are designed to provide 
+  security-related telemetry from the endpoints where the agent is installed. To
+  implement this search, you must ingest logs that contain the process GUID, 
+  process name, and parent process. Additionally, you must ingest complete 
+  command-line executions. These logs must be processed using the appropriate 
+  Splunk Technology Add-ons that are specific to the EDR product. The logs must 
+  also be mapped to the `Processes` node of the `Endpoint` data model. Use the 
+  Splunk Common Information Model (CIM) to normalize the field names and speed 
+  up the data modeling process.
+known_false_positives: Administrators or power users may use this command for 
+  troubleshooting.
 references:
 - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/dsquery.htm
 - https://attack.mitre.org/techniques/T1087/002/
+drilldown_searches:
+- name: View the detection results for - "$user$" and "$dest$"
+  search: '%original_detection_search% | search  user = "$user$" dest = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$" and "$dest$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$",
+    "$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time)
+    as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk
+    Message" values(analyticstories) as "Analytic Stories" values(annotations._all)
+    as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics"
+    by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: An instance of $parent_process_name$ spawning $process_name$ was identified
+    on endpoint $dest$ by user $user$.
+  risk_objects:
+  - field: user
+    type: user
+    score: 3
+  - field: dest
+    type: system
+    score: 3
+  threat_objects:
+  - field: parent_process_name
+    type: parent_process_name
+  - field: process_name
+    type: process_name
 tags:
   analytic_story:
   - Active Directory Discovery
+  - LAMEHUG
   asset_type: Endpoint
   mitre_attack_id:
   - T1087.002
@@ -53,6 +86,7 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-sysmon.log
+  - data: 
+      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
     sourcetype: XmlWinEventLog

detections/endpoint/domain_group_discovery_with_dsquery.yml

@@ -1,18 +1,19 @@
 name: Domain Group Discovery With Dsquery
 id: f0c9d62f-a232-4edd-b17e-bc409fb133d4
-version: 7
-date: '2025-05-02'
+version: 8
+date: '2025-08-27'
 author: Mauricio Velazco, Splunk
 status: production
-type: Hunting
-description: The following analytic identifies the execution of `dsquery.exe` with
-  command-line arguments used to query for domain groups. It leverages Endpoint Detection
-  and Response (EDR) data, focusing on process names and command-line arguments. This
-  activity is significant because both Red Teams and adversaries use `dsquery.exe`
-  to enumerate domain groups, gaining situational awareness and facilitating further
-  Active Directory discovery. If confirmed malicious, this behavior could allow attackers
-  to map out the domain structure, identify high-value targets, and plan subsequent
-  attacks, potentially leading to privilege escalation or data exfiltration.
+type: Anomaly
+description: The following analytic identifies the execution of `dsquery.exe` 
+  with command-line arguments used to query for domain groups. It leverages 
+  Endpoint Detection and Response (EDR) data, focusing on process names and 
+  command-line arguments. This activity is significant because both Red Teams 
+  and adversaries use `dsquery.exe` to enumerate domain groups, gaining 
+  situational awareness and facilitating further Active Directory discovery. If 
+  confirmed malicious, this behavior could allow attackers to map out the domain
+  structure, identify high-value targets, and plan subsequent attacks, 
+  potentially leading to privilege escalation or data exfiltration.
 data_source:
 - Sysmon EventID 1
 - Windows Event Log Security 4688
@@ -26,21 +27,53 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime
   Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path
   Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)`
   | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_group_discovery_with_dsquery_filter`'
-how_to_implement: The detection is based on data that originates from Endpoint Detection
-  and Response (EDR) agents. These agents are designed to provide security-related
-  telemetry from the endpoints where the agent is installed. To implement this search,
-  you must ingest logs that contain the process GUID, process name, and parent process.
-  Additionally, you must ingest complete command-line executions. These logs must
-  be processed using the appropriate Splunk Technology Add-ons that are specific to
-  the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
-  data model. Use the Splunk Common Information Model (CIM) to normalize the field
-  names and speed up the data modeling process.
-known_false_positives: Administrators or power users may use this command for troubleshooting.
+how_to_implement: The detection is based on data that originates from Endpoint 
+  Detection and Response (EDR) agents. These agents are designed to provide 
+  security-related telemetry from the endpoints where the agent is installed. To
+  implement this search, you must ingest logs that contain the process GUID, 
+  process name, and parent process. Additionally, you must ingest complete 
+  command-line executions. These logs must be processed using the appropriate 
+  Splunk Technology Add-ons that are specific to the EDR product. The logs must 
+  also be mapped to the `Processes` node of the `Endpoint` data model. Use the 
+  Splunk Common Information Model (CIM) to normalize the field names and speed 
+  up the data modeling process.
+known_false_positives: Administrators or power users may use this command for 
+  troubleshooting.
 references:
 - https://attack.mitre.org/techniques/T1069/002/
+drilldown_searches:
+- name: View the detection results for - "$user$" and "$dest$"
+  search: '%original_detection_search% | search  user = "$user$" dest = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$" and "$dest$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$",
+    "$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time)
+    as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk
+    Message" values(analyticstories) as "Analytic Stories" values(annotations._all)
+    as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics"
+    by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: An instance of $parent_process_name$ spawning $process_name$ was identified
+    on endpoint $dest$ by user $user$.
+  risk_objects:
+  - field: user
+    type: user
+    score: 3
+  - field: dest
+    type: system
+    score: 3
+  threat_objects:
+  - field: parent_process_name
+    type: parent_process_name
+  - field: process_name
+    type: process_name
 tags:
   analytic_story:
   - Active Directory Discovery
+  - LAMEHUG
   asset_type: Endpoint
   mitre_attack_id:
   - T1069.002
@@ -52,6 +85,7 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log
+  - data: 
+      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
     sourcetype: XmlWinEventLog

detections/endpoint/remote_system_discovery_with_dsquery.yml

@@ -1,18 +1,19 @@
 name: Remote System Discovery with Dsquery
 id: 9fb562f4-42f8-4139-8e11-a82edf7ed718
-version: 6
-date: '2025-05-02'
+version: 7
+date: '2025-08-27'
 author: Mauricio Velazco, Splunk
 status: production
-type: Hunting
-description: The following analytic detects the execution of `dsquery.exe` with the
-  `computer` argument, which is used to discover remote systems within a domain. This
-  detection leverages data from Endpoint Detection and Response (EDR) agents, focusing
-  on process names and command-line arguments. Remote system discovery is significant
-  as it indicates potential reconnaissance activities by adversaries or Red Teams
-  to map out network resources and Active Directory structures. If confirmed malicious,
-  this activity could lead to further exploitation, lateral movement, and unauthorized
-  access to critical systems within the network.
+type: Anomaly
+description: The following analytic detects the execution of `dsquery.exe` with 
+  the `computer` argument, which is used to discover remote systems within a 
+  domain. This detection leverages data from Endpoint Detection and Response 
+  (EDR) agents, focusing on process names and command-line arguments. Remote 
+  system discovery is significant as it indicates potential reconnaissance 
+  activities by adversaries or Red Teams to map out network resources and Active
+  Directory structures. If confirmed malicious, this activity could lead to 
+  further exploitation, lateral movement, and unauthorized access to critical 
+  systems within the network.
 data_source:
 - Sysmon EventID 1
 - Windows Event Log Security 4688
@@ -26,22 +27,54 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime
   Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path
   Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)`
   | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_system_discovery_with_dsquery_filter`'
-how_to_implement: The detection is based on data that originates from Endpoint Detection
-  and Response (EDR) agents. These agents are designed to provide security-related
-  telemetry from the endpoints where the agent is installed. To implement this search,
-  you must ingest logs that contain the process GUID, process name, and parent process.
-  Additionally, you must ingest complete command-line executions. These logs must
-  be processed using the appropriate Splunk Technology Add-ons that are specific to
-  the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
-  data model. Use the Splunk Common Information Model (CIM) to normalize the field
-  names and speed up the data modeling process.
-known_false_positives: Administrators or power users may use this command for troubleshooting.
+how_to_implement: The detection is based on data that originates from Endpoint 
+  Detection and Response (EDR) agents. These agents are designed to provide 
+  security-related telemetry from the endpoints where the agent is installed. To
+  implement this search, you must ingest logs that contain the process GUID, 
+  process name, and parent process. Additionally, you must ingest complete 
+  command-line executions. These logs must be processed using the appropriate 
+  Splunk Technology Add-ons that are specific to the EDR product. The logs must 
+  also be mapped to the `Processes` node of the `Endpoint` data model. Use the 
+  Splunk Common Information Model (CIM) to normalize the field names and speed 
+  up the data modeling process.
+known_false_positives: Administrators or power users may use this command for 
+  troubleshooting.
 references:
 - https://attack.mitre.org/techniques/T1018/
 - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc732952(v=ws.11)
+drilldown_searches:
+- name: View the detection results for - "$user$" and "$dest$"
+  search: '%original_detection_search% | search  user = "$user$" dest = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$" and "$dest$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$",
+    "$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time)
+    as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk
+    Message" values(analyticstories) as "Analytic Stories" values(annotations._all)
+    as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics"
+    by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: An instance of $parent_process_name$ spawning $process_name$ was identified
+    on endpoint $dest$ by user $user$.
+  risk_objects:
+  - field: user
+    type: user
+    score: 3
+  - field: dest
+    type: system
+    score: 3
+  threat_objects:
+  - field: parent_process_name
+    type: parent_process_name
+  - field: process_name
+    type: process_name
 tags:
   analytic_story:
   - Active Directory Discovery
+  - LAMEHUG
   asset_type: Endpoint
   mitre_attack_id:
   - T1018
@@ -53,6 +86,7 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log
+  - data: 
+      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
     sourcetype: XmlWinEventLog

detections/endpoint/system_information_discovery_detection.yml

@@ -1,7 +1,7 @@
 name: System Information Discovery Detection
 id: 8e99f89e-ae58-4ebc-bf52-ae0b1a277e72
-version: 10
-date: '2025-07-28'
+version: 11
+date: '2025-08-27'
 author: Patrick Bareiss, Splunk
 status: production
 type: TTP
@@ -82,6 +82,7 @@ tags:
   - BlackSuit Ransomware
   - Cleo File Transfer Software
   - Interlock Ransomware
+  - LAMEHUG
   asset_type: Windows
   mitre_attack_id:
   - T1082