Merge pull request #3296 from splunk/updated_nexus_activity

updated_nexus_activity

Author: patel-bhavin

detections/endpoint/any_powershell_downloadfile.yml

@@ -1,7 +1,7 @@
 name: Any Powershell DownloadFile
 id: 1a93b7ea-7af7-11eb-adb5-acde48001122
-version: 8
-date: '2024-11-13'
+version: 9
+date: '2025-01-27'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -71,16 +71,18 @@ rba:
     type: process_name
 tags:
   analytic_story:
-  - Hermetic Wiper
-  - Log4Shell CVE-2021-44228
-  - Phemedrone Stealer
   - Data Destruction
-  - PXA Stealer
   - Ingress Tool Transfer
-  - Malicious PowerShell
   - DarkCrystal RAT
-  - Crypto Stealer
+  - PXA Stealer
   - Braodo Stealer
+  - Phemedrone Stealer
+  - Log4Shell CVE-2021-44228
+  - Malicious PowerShell
+  - Hermetic Wiper
+  - Crypto Stealer
+  - Nexus APT Threat Activity
+  - Earth Estries
   asset_type: Endpoint
   cve:
   - CVE-2021-44228
@@ -96,7 +98,6 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: 
-      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/windows-sysmon.log
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/windows-sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
     sourcetype: XmlWinEventLog

detections/endpoint/detect_renamed_psexec.yml

@@ -1,7 +1,7 @@
 name: Detect Renamed PSExec
 id: 683e6196-b8e8-11eb-9a79-acde48001122
-version: 9
-date: '2024-11-13'
+version: 10
+date: '2025-01-27'
 author: Michael Haag, Splunk, Alex Oberkircher, Github Community
 status: production
 type: Hunting
@@ -39,15 +39,17 @@ references:
 - https://redcanary.com/blog/threat-hunting-psexec-lateral-movement/
 tags:
   analytic_story:
-  - SamSam Ransomware
+  - BlackByte Ransomware
   - DHS Report TA18-074A
-  - HAFNIUM Group
   - DarkSide Ransomware
-  - Active Directory Lateral Movement
+  - SamSam Ransomware
   - CISA AA22-320A
+  - HAFNIUM Group
   - Sandworm Tools
-  - BlackByte Ransomware
+  - Active Directory Lateral Movement
+  - Nexus APT Threat Activity
   - DarkGate Malware
+  - Earth Estries
   - Rhysida Ransomware
   asset_type: Endpoint
   mitre_attack_id:
@@ -61,7 +63,6 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: 
-      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1569.002/atomic_red_team/windows-sysmon.log
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1569.002/atomic_red_team/windows-sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
     sourcetype: XmlWinEventLog

detections/endpoint/detect_renamed_winrar.yml

@@ -1,7 +1,7 @@
 name: Detect Renamed WinRAR
 id: 1b7bfb2c-b8e6-11eb-99ac-acde48001122
-version: 7
-date: '2024-11-13'
+version: 8
+date: '2025-01-27'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
@@ -39,6 +39,8 @@ references:
 tags:
   analytic_story:
   - Collection and Staging
+  - Earth Estries
+  - Nexus APT Threat Activity
   - CISA AA22-277A
   asset_type: Endpoint
   mitre_attack_id:
@@ -52,7 +54,6 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: 
-      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1560.001/archive_utility/windows-sysmon.log
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1560.001/archive_utility/windows-sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
     sourcetype: XmlWinEventLog

detections/endpoint/executables_or_script_creation_in_suspicious_path.yml

@@ -1,7 +1,7 @@
 name: Executables Or Script Creation In Suspicious Path
 id: a7e3f0f0-ae42-11eb-b245-acde48001122
-version: 6
-date: '2024-12-10'
+version: 10
+date: '2025-01-27'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -61,42 +61,46 @@ rba:
     type: file_name
 tags:
   analytic_story:
-  - Volt Typhoon
-  - LockBit Ransomware
-  - Data Destruction
-  - Snake Keylogger
-  - XMRig
-  - DarkGate Malware
   - Chaos Ransomware
-  - Double Zero Destructor
-  - Hermetic Wiper
+  - Trickbot
+  - Snake Keylogger
+  - CISA AA23-347A
+  - Industroyer2
+  - WinDealer RAT
+  - Qakbot
   - Warzone RAT
-  - AcidPour
-  - Graceful Wipe Out Attack
-  - BlackByte Ransomware
   - IcedID
-  - NjRAT
+  - ValleyRAT
+  - Azorult
   - Handala Wiper
+  - LockBit Ransomware
   - Meduza Stealer
-  - CISA AA23-347A
+  - Brute Ratel C4
   - AsyncRAT
+  - AcidPour
+  - Derusbi
+  - DarkGate Malware
+  - Graceful Wipe Out Attack
+  - NjRAT
+  - WhisperGate
+  - Data Destruction
+  - BlackByte Ransomware
+  - AgentTesla
+  - Swift Slicer
+  - Crypto Stealer
+  - Hermetic Wiper
+  - MoonPeak
+  - Double Zero Destructor
+  - XMRig
+  - PlugX
   - Amadey
-  - Industroyer2
-  - ValleyRAT
-  - Rhysida Ransomware
   - DarkCrystal RAT
-  - Crypto Stealer
-  - Azorult
-  - Swift Slicer
-  - AgentTesla
-  - Qakbot
   - Remcos
-  - Trickbot
-  - Brute Ratel C4
+  - Nexus APT Threat Activity
+  - Earth Estries
+  - Rhysida Ransomware
   - RedLine Stealer
-  - PlugX
-  - MoonPeak
-  - WhisperGate
+  - Volt Typhoon
   asset_type: Endpoint
   mitre_attack_id:
   - T1036
@@ -108,7 +112,6 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: 
-      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
     sourcetype: XmlWinEventLog

detections/endpoint/linux_auditd_file_permission_modification_via_chmod.yml

@@ -1,8 +1,8 @@
 name: Linux Auditd File Permission Modification Via Chmod
 id: 5f1d2ea7-eec0-4790-8b24-6875312ad492
-version: 5
-date: '2024-12-19'
-author: Teoderick Contreras, Splunk, Ivar Nygård
+version: 6
+date: '2025-01-27'
+author: "Teoderick Contreras, Splunk, Ivar Nyg\xE5rd"
 status: production
 type: Anomaly
 description: The following analytic detects suspicious file permission modifications
@@ -22,9 +22,9 @@ search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename hos
   max(_time) as lastTime by process_exec proctitle dest | `security_content_ctime(firstTime)`
   | `security_content_ctime(lastTime)`| `linux_auditd_file_permission_modification_via_chmod_filter`'
 how_to_implement: To implement this detection, the process begins by ingesting auditd
-  data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line
-  executions and process details on Unix/Linux systems. These logs should be ingested
-  and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833),
+  data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures
+  command-line executions and process details on Unix/Linux systems. These logs should
+  be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833),
   which is essential for correctly parsing and categorizing the data. The next step
   involves normalizing the field names  to match the field names set by the Splunk
   Common Information Model (CIM) to ensure consistency across different data sources
@@ -58,11 +58,13 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
-  - XorDDos
+  - Linux Privilege Escalation
   - Linux Living Off The Land
   - Compromised Linux Host
-  - Linux Privilege Escalation
   - Linux Persistence Techniques
+  - XorDDos
+  - Nexus APT Threat Activity
+  - Earth Estries
   asset_type: Endpoint
   mitre_attack_id:
   - T1222.002
@@ -75,7 +77,6 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: 
-      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.002/linux_auditd_chmod_exec_attrib/linux_auditd_chmod_exec_attrib.log
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.002/linux_auditd_chmod_exec_attrib/linux_auditd_chmod_exec_attrib.log
     source: /var/log/audit/audit.log
     sourcetype: linux:audit

detections/endpoint/linux_auditd_nopasswd_entry_in_sudoers_file.yml

@@ -1,7 +1,7 @@
 name: Linux Auditd Nopasswd Entry In Sudoers File
 id: 651df959-ad17-4b73-a323-90cb96d5fa1b
-version: 3
-date: '2024-11-13'
+version: 4
+date: '2025-01-27'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -58,8 +58,10 @@ rba:
 tags:
   analytic_story:
   - Linux Privilege Escalation
-  - Linux Persistence Techniques
   - Compromised Linux Host
+  - Linux Persistence Techniques
+  - Nexus APT Threat Activity
+  - Earth Estries
   asset_type: Endpoint
   mitre_attack_id:
   - T1548.003
@@ -72,7 +74,6 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: 
-      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_auditd_nopasswd/linux_auditd_nopasswd.log
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_auditd_nopasswd/linux_auditd_nopasswd.log
     source: /var/log/audit/audit.log
     sourcetype: linux:audit

detections/endpoint/linux_auditd_possible_access_to_credential_files.yml

@@ -1,7 +1,7 @@
 name: Linux Auditd Possible Access To Credential Files
 id: 0419cb7a-57ea-467b-974f-77c303dfe2a3
-version: 3
-date: '2024-11-13'
+version: 4
+date: '2025-01-27'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -60,8 +60,10 @@ rba:
 tags:
   analytic_story:
   - Linux Privilege Escalation
-  - Linux Persistence Techniques
   - Compromised Linux Host
+  - Linux Persistence Techniques
+  - Nexus APT Threat Activity
+  - Earth Estries
   asset_type: Endpoint
   mitre_attack_id:
   - T1003.008
@@ -74,7 +76,6 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: 
-      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.008/linux_auditd_access_credential/linux_auditd_access_credential.log
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.008/linux_auditd_access_credential/linux_auditd_access_credential.log
     source: /var/log/audit/audit.log
     sourcetype: linux:audit

detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml

@@ -1,7 +1,7 @@
 name: Linux Auditd Possible Access To Sudoers File
 id: 8be88f46-f7e8-4ae6-b15e-cf1b13392834
-version: 3
-date: '2024-11-13'
+version: 4
+date: '2025-01-27'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -57,8 +57,10 @@ rba:
 tags:
   analytic_story:
   - Linux Privilege Escalation
-  - Linux Persistence Techniques
   - Compromised Linux Host
+  - Linux Persistence Techniques
+  - Nexus APT Threat Activity
+  - Earth Estries
   asset_type: Endpoint
   mitre_attack_id:
   - T1548.003
@@ -71,7 +73,6 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: 
-      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_auditd_sudoers_access/linux_auditd_sudoers_access.log
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_auditd_sudoers_access/linux_auditd_sudoers_access.log
     source: /var/log/audit/audit.log
     sourcetype: linux:audit