Merge branch 'develop' into new-research-detection-endpoint

nasbench · web-flow · commit 3e93fb912df2 · 2025-02-19T14:52:13.000+01:00
diff --git a/app_template/default/data/ui/nav/default.xml b/app_template/default/data/ui/nav/default.xml
@@ -3,7 +3,7 @@
   <view name="feedback"/>
   <view name="search"/>
   <collection label="Dashboards">
-    <view source="unclassified" match=" - "/>
+    <view source="unclassified" match="__"/>
   </collection>
   <a href="https://docs.splunk.com/Documentation/ESCU">Docs</a>
 </nav>
diff --git a/detections/application/windows_ad_dangerous_deny_acl_modification.yml b/detections/application/windows_ad_dangerous_deny_acl_modification.yml
@@ -6,7 +6,7 @@ author: Dean Luxton
 status: production
 type: TTP
 data_source:
-- Windows Security 5136
+- Windows Event Log Security 5136
 description: This detection identifies an Active Directory access-control list (ACL)
   modification event, which applies permissions that deny the ability to enumerate
   permissions of the object.
diff --git a/detections/application/windows_ad_dangerous_group_acl_modification.yml b/detections/application/windows_ad_dangerous_group_acl_modification.yml
@@ -6,7 +6,7 @@ author: Dean Luxton
 status: production
 type: TTP
 data_source:
-- Windows Security 5136
+- Windows Event Log Security 5136
 description: 'This detection monitors the addition of the following ACLs to an Active
   Directory group object: "Full control", "All extended rights", "All validated writes",  "Create
   all child objects", "Delete all child objects", "Delete subtree", "Delete", "Modify
diff --git a/detections/application/windows_ad_dangerous_user_acl_modification.yml b/detections/application/windows_ad_dangerous_user_acl_modification.yml
@@ -6,7 +6,7 @@ author: Dean Luxton
 status: production
 type: TTP
 data_source:
-- Windows Security 5136
+- Windows Event Log Security 5136
 description: 'This detection monitors the addition of the following ACLs to an Active
   Directory user object: "Full control","All extended rights","All validated writes",
   "Create all child objects","Delete all child objects","Delete subtree","Delete","Modify
diff --git a/detections/application/windows_ad_dcshadow_privileges_acl_addition.yml b/detections/application/windows_ad_dcshadow_privileges_acl_addition.yml
@@ -1,12 +1,12 @@
 name: Windows AD DCShadow Privileges ACL Addition
 id: ae915743-1aa8-4a94-975c-8062ebc8b723
-version: 3
-date: '2025-01-21'
+version: 4
+date: '2025-02-17'
 author: Dean Luxton
 status: production
 type: TTP
 data_source:
-- Windows Security 5136
+- Windows Event Log Security 5136
 description: This detection identifies an Active Directory access-control list (ACL)
   modification event, which applies the minimum required extended rights to perform
   the DCShadow attack.
diff --git a/detections/application/windows_ad_domain_root_acl_deletion.yml b/detections/application/windows_ad_domain_root_acl_deletion.yml
@@ -6,7 +6,7 @@ author: Dean Luxton
 status: production
 type: TTP
 data_source:
-- Windows Security 5136
+- Windows Event Log Security 5136
 description: ACL deletion performed on the domain root object, significant AD change
   with high impact. Following MS guidance all changes at this level should be reviewed.
   Drill into the logonID within EventCode 4624 for information on the source device
diff --git a/detections/application/windows_ad_domain_root_acl_modification.yml b/detections/application/windows_ad_domain_root_acl_modification.yml
@@ -6,7 +6,7 @@ author: Dean Luxton
 status: production
 type: TTP
 data_source:
-- Windows Security 5136
+- Windows Event Log Security 5136
 description: ACL modification performed on the domain root object, significant AD
   change with high impact. Following MS guidance all changes at this level should
   be reviewed. Drill into the logonID within EventCode 4624 for information on the
diff --git a/detections/application/windows_ad_gpo_deleted.yml b/detections/application/windows_ad_gpo_deleted.yml
@@ -1,12 +1,12 @@
 name: Windows AD GPO Deleted
 id: 0d41772b-35ab-4e1c-a2ba-d0b455481aee
-version: 3
-date: '2025-01-21'
+version: 4
+date: '2025-02-17'
 author: Dean Luxton
 status: production
 type: TTP
 data_source:
-- Windows Security 5136
+- Windows Event Log Security 5136
 description: This detection identifies when an Active Directory Group Policy is deleted
   using the Group Policy Management Console.
 search: '`wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=gpLink | eval  ObjectDN=upper(ObjectDN)
diff --git a/detections/application/windows_ad_gpo_disabled.yml b/detections/application/windows_ad_gpo_disabled.yml
@@ -1,12 +1,12 @@
 name: Windows AD GPO Disabled
 id: 72793bc0-c0cd-400e-9e60-fdf36f278917
-version: 3
-date: '2025-01-21'
+version: 4
+date: '2025-02-17'
 author: Dean Luxton
 status: production
 type: TTP
 data_source:
-- Windows Security 5136
+- Windows Event Log Security 5136
 description: This detection identifies when an Active Directory Group Policy is disabled
   using the Group Policy Management Console.
 search: '`wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=flags OperationType="%%14674"
diff --git a/detections/application/windows_ad_gpo_new_cse_addition.yml b/detections/application/windows_ad_gpo_new_cse_addition.yml
@@ -6,7 +6,7 @@ author: Dean Luxton
 status: production
 type: TTP
 data_source:
-- Windows Security 5136
+- Windows Event Log Security 5136
 description: This detection identifies when a a new client side extension is added
   to an Active Directory Group Policy using the Group Policy Management Console.
 search: '`wineventlog_security` EventCode=5136 ObjectClass=groupPolicyContainer AttributeLDAPDisplayName=gPCMachineExtensionNames
diff --git a/detections/application/windows_ad_hidden_ou_creation.yml b/detections/application/windows_ad_hidden_ou_creation.yml
@@ -6,7 +6,7 @@ author: Dean Luxton
 status: production
 type: TTP
 data_source:
-- Windows Security 5136
+- Windows Event Log Security 5136
 description: This analytic is looking for when an ACL is applied to an OU which denies
   listing the objects residing in the OU. This activity combined with modifying the
   owner of the OU will hide AD objects even from domain administrators.
diff --git a/detections/application/windows_ad_object_owner_updated.yml b/detections/application/windows_ad_object_owner_updated.yml
@@ -6,7 +6,7 @@ author: Dean Luxton
 status: production
 type: TTP
 data_source:
-- Windows Security 5136
+- Windows Event Log Security 5136
 description: AD Object Owner Updated. The owner provides Full control level privileges
   over the target AD Object. This event has significant impact alone and is also a
   precursor activity for hiding an AD object.
diff --git a/detections/application/windows_ad_self_dacl_assignment.yml b/detections/application/windows_ad_self_dacl_assignment.yml
@@ -1,12 +1,12 @@
 name: Windows AD Self DACL Assignment
 id: 16132445-da9f-4d03-ad44-56d717dcd67d
-version: 3
-date: '2025-01-21'
+version: 4
+date: '2025-02-17'
 author: Dean Luxton
 status: production
 type: TTP
 data_source:
-- Windows Security 5136
+- Windows Event Log Security 5136
 description: Detect when a user creates a new DACL in AD for their own AD object.
 search: "`wineventlog_security` EventCode=5136  | stats min(_time) as _time values(eval(if(OperationType==\"\
   %%14675\",AttributeValue,null))) as old_value values(eval(if(OperationType==\"%%14674\"\
diff --git a/detections/application/windows_ad_suspicious_attribute_modification.yml b/detections/application/windows_ad_suspicious_attribute_modification.yml
@@ -6,7 +6,7 @@ author: Dean Luxton
 status: production
 type: TTP
 data_source:
-- Windows Security 5136
+- Windows Event Log Security 5136
 description: 'This detection monitors changes to the following Active Directory attributes:
   "msDS-AllowedToDelegateTo", "msDS-AllowedToActOnBehalfOfOtherIdentity", "msDS-KeyCredentialLink",
   "scriptPath", and "msTSInitialProgram".  Modifications to these attributes can indicate
diff --git a/detections/application/windows_ad_suspicious_gpo_modification.yml b/detections/application/windows_ad_suspicious_gpo_modification.yml
@@ -6,8 +6,8 @@ author: Dean Luxton
 status: experimental
 type: TTP
 data_source:
-- Windows Security 5136
-- Windows Security 5145
+- Windows Event Log Security 5136
+- Windows Event Log Security 5145
 description: This analytic looks for a the creation of potentially harmful GPO which
   could lead to persistence or code execution on remote hosts. Note, this analyic
   is looking for the absence of the corresponding 5136 events which is evidence of
diff --git a/detections/cloud/o365_service_principal_privilege_escalation.yml b/detections/cloud/o365_service_principal_privilege_escalation.yml
@@ -4,7 +4,7 @@ version: 2
 date: '2025-02-10'
 author: Dean Luxton
 data_source:
-- O365 Add app role assignment grant to user
+- O365 Add app role assignment grant to user.
 type: TTP
 status: production
 description: This detection identifies when an Azure Service Principal elevates privileges
diff --git a/detections/endpoint/windows_ad_domain_replication_acl_addition.yml b/detections/endpoint/windows_ad_domain_replication_acl_addition.yml
@@ -6,7 +6,7 @@ author: Dean Luxton
 type: TTP
 status: production
 data_source:
-- Windows Security 5136
+- Windows Event Log Security 5136
 description: The following analytic detects the addition of permissions required for
   a DCSync attack, specifically DS-Replication-Get-Changes, DS-Replication-Get-Changes-All,
   and DS-Replication-Get-Changes-In-Filtered-Set. It leverages EventCode 5136 from
diff --git a/detections/endpoint/windows_archived_collected_data_in_temp_folder.yml b/detections/endpoint/windows_archived_collected_data_in_temp_folder.yml
@@ -1,10 +1,10 @@
 name: Windows Archived Collected Data In TEMP Folder
 id: cb56a1ea-e0b1-46d5-913f-e024cba40cbe
-version: 2
-date: '2024-11-13'
+version: 3
+date: '2025-02-17'
 author: Teoderick Contreras, Splunk
 data_source:
-- Sysmon Event ID 11
+- Sysmon EventID 11
 type: TTP
 status: production
 description: The following analytic detects the creation of archived files in a temporary
diff --git a/detections/endpoint/windows_bitlocker_suspicious_command_usage.yml b/detections/endpoint/windows_bitlocker_suspicious_command_usage.yml
@@ -0,0 +1,69 @@
+name: Windows BitLocker Suspicious Command Usage
+id: d0e6ec70-6e40-41a2-8b93-8d9ff077a746
+version: 1
+date: '2025-02-10'
+author: Steven Dick
+status: production
+type: TTP
+description: This analytic is developed to detect the usage of BitLocker commands used to disable or impact boot settings. The malware ShrinkLocker uses various commands change how BitLocker handles encryption, potentially bypassing TPM requirements, enabling BitLocker without TPM, and enforcing specific startup key and PIN configurations. Such modifications can weaken system security, making it easier for unauthorized access and data breaches. Detecting these changes is crucial for maintaining robust encryption and data protection.
+data_source: 
+- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
+search: |-
+  | tstats `security_content_summariesonly` values(Processes.process) as process, values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = manage-bde.exe AND Processes.process IN ("* -protectors -disable *","* -protectors -delete *","* –forcerecovery *","* -lock *") by Processes.dest Processes.user Processes.process_name Processes.parent_process_name
+  | `drop_dm_object_name(Processes)` 
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`
+  | `windows_bitlocker_suspicious_command_usage_filter`
+how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.
+known_false_positives: Administrators may enable or disable this feature that may cause some false positive.
+references:
+- https://attack.mitre.org/techniques/T1486/
+- https://www.nccgroup.com/us/research-blog/nameless-and-shameless-ransomware-encryption-via-bitlocker/
+- https://www.bitdefender.com/en-us/blog/businessinsights/shrinklocker-decryptor-from-friend-to-foe-and-back-again
+- https://www.bleepingcomputer.com/news/security/new-shrinklocker-ransomware-uses-bitlocker-to-encrypt-your-files/
+drilldown_searches:
+- name: View the detection results for - "$dest$" and "$user$"
+  search: '%original_detection_search% | search dest = "$dest$" user = "$user$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$" and "$user$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$","$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: Investigate processes on $dest$ 
+  search: '| from datamodel Endpoint.Processes
+| search process_name = $process_name$ AND dest = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: A suspicious Windows BitLocker command was run by $user$ detected on $dest$
+  risk_objects: 
+  - field: dest
+    type: system
+    score: 60
+  - field: user
+    type: user
+    score: 60
+  threat_objects: 
+  - field: parent_process
+    type: process
+tags:
+  analytic_story: 
+  - ShrinkLocker
+  asset_type: Endpoint
+  mitre_attack_id: 
+  - T1486
+  - T1490
+  product: 
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1486/bitlocker_sus_commands/bitlocker_sus_commands.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: XmlWinEventLog
diff --git a/detections/endpoint/windows_bitlockertogo_with_network_activity.yml b/detections/endpoint/windows_bitlockertogo_with_network_activity.yml
@@ -1,10 +1,10 @@
 name: Windows BitLockerToGo with Network Activity
 id: 14e3a089-cc23-4f4d-a770-26e44a31fbac
-version: 2
-date: '2025-01-21'
+version: 3
+date: '2025-02-17'
 author: Michael Haag, Nasreddine Bencherchali, Splunk
 data_source:
-- Sysmon Event ID 22
+- Sysmon EventID 22
 type: Hunting
 status: production
 description: The following analytic detects suspicious usage of BitLockerToGo.exe,
diff --git a/detections/endpoint/windows_credentials_access_via_vaultcli_module.yml b/detections/endpoint/windows_credentials_access_via_vaultcli_module.yml
@@ -1,10 +1,10 @@
 name: Windows Credentials Access via VaultCli Module
 id: c0d89118-3f89-4cd7-8140-1f39e7210681
-version: 2
-date: '2025-01-21'
+version: 3
+date: '2025-02-17'
 author: Teoderick Contreras, Splunk
 data_source:
-- Sysmon Event ID 7
+- Sysmon EventID 7
 type: Anomaly
 status: production
 description: The following analytic detects potentially abnormal interactions with
diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_copied_in_temp_dir.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_copied_in_temp_dir.yml
@@ -4,7 +4,7 @@ version: 3
 date: '2025-02-10'
 author: Teoderick Contreras, Splunk
 data_source:
-- Sysmon Event ID 11
+- Sysmon EventID 11
 type: TTP
 status: production
 description: The following analytic detects the copying of Chrome's Local State and
diff --git a/detections/endpoint/windows_credentials_from_web_browsers_saved_in_temp_folder.yml b/detections/endpoint/windows_credentials_from_web_browsers_saved_in_temp_folder.yml
@@ -4,7 +4,7 @@ version: 3
 date: '2025-02-10'
 author: Teoderick Contreras, Splunk
 data_source:
-- Sysmon Event ID 11
+- Sysmon EventID 11
 type: TTP
 status: production
 description: The following analytic detects the creation of files containing passwords,
diff --git a/detections/endpoint/windows_obfuscated_files_or_information_via_rar_sfx.yml b/detections/endpoint/windows_obfuscated_files_or_information_via_rar_sfx.yml
@@ -1,10 +1,10 @@
 name: Windows Obfuscated Files or Information via RAR SFX
 id: 4ab6862b-ce88-4223-96c0-f6da2cffb898
-version: 1
-date: '2024-12-12'
+version: 2
+date: '2025-02-17'
 author: Teoderick Contreras, Splunk
 data_source:
-- Sysmon Event ID 11
+- Sysmon EventID 11
 type: Anomaly
 status: production
 description: The following analytic detects the creation of RAR Self-Extracting (SFX) files by monitoring the generation of file related to rar sfx .tmp file creation during sfx installation. This method leverages a heuristic to identify RAR SFX archives based on specific markers that indicate a combination of executable code and compressed RAR data. By tracking such activity, the analytic helps pinpoint potentially unauthorized or suspicious file creation events, which are often associated with malware packaging or data exfiltration. Legitimate usage may include custom installers or compressed file delivery.
diff --git a/detections/endpoint/windows_powershell_process_with_malicious_string.yml b/detections/endpoint/windows_powershell_process_with_malicious_string.yml
@@ -0,0 +1,69 @@
+name: Windows PowerShell Process With Malicious String
+id: 5df35d50-e1a3-4a52-a337-92e69d9b1b8a
+version: 1
+date: '2024-12-19'
+author: Steven Dick
+status: production
+type: TTP
+description: The following analytic detects the execution of multiple offensive toolkits and commands through the process execution datamodel. This method captures commands given directly to powershell.exe, allowing for the identification of suspicious activities including several well-known tools used for credential theft, lateral movement, and persistence. If confirmed malicious, this could lead to unauthorized access, privilege escalation, and potential compromise of sensitive information within the environment.
+data_source: 
+- Windows Security Event ID 4688
+- Sysmon Event ID 1
+- CrowdStrike ProcessRollup2
+search: |-
+  | tstats `security_content_summariesonly` count values(Processes.original_file_name) as original_file_name values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` by Processes.user Processes.dest Processes.process_name Processes.parent_process_name Processes.process 
+  | `drop_dm_object_name(Processes)` 
+  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)`
+  | lookup malicious_powershell_strings command as process
+  | where isnotnull(match)
+  | `windows_powershell_process_with_malicious_string_filter`
+how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
+known_false_positives: Unknown, possible usage by internal red team or powershell commands with overlap.
+references:
+- https://attack.mitre.org/techniques/T1059/001/
+- https://github.com/PowerShellMafia/PowerSploit
+- https://github.com/PowerShellEmpire/
+- https://github.com/S3cur3Th1sSh1t/PowerSharpPack
+drilldown_searches:
+- name: View the detection results for - "$dest$" and "$user$"
+  search: '%original_detection_search% | search dest = "$dest$" AND user = "$user$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$" and "$user$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$","$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: Investigate PowerShell on $dest$ 
+  search: '| from datamodel:Endpoint.Processes | search dest=$dest|s$ process_name=$process_name$ "*$match$*"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: The user $user$ ran a known malicious PowerShell string matching *$match$* on $dest$
+  risk_objects:
+  - field: user
+    type: user
+    score: 70
+  - field: dest
+    type: system
+    score: 70
+  threat_objects:
+  - field: process_name
+    type: process_name
+tags:
+  analytic_story: 
+  - Malicious PowerShell
+  asset_type: Endpoint 
+  mitre_attack_id: 
+  - T1059.001
+  product: 
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: threat
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-sysmon.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: XmlWinEventLog
diff --git a/detections/endpoint/windows_powershell_script_block_with_malicious_string.yml b/detections/endpoint/windows_powershell_script_block_with_malicious_string.yml
diff --git a/detections/endpoint/windows_process_executed_from_removable_media.yml b/detections/endpoint/windows_process_executed_from_removable_media.yml
diff --git a/detections/endpoint/windows_runmru_command_execution.yml b/detections/endpoint/windows_runmru_command_execution.yml
diff --git a/detections/endpoint/windows_scheduled_tasks_for_compmgmtlauncher_or_eventvwr.yml b/detections/endpoint/windows_scheduled_tasks_for_compmgmtlauncher_or_eventvwr.yml
diff --git a/detections/endpoint/windows_screen_capture_in_temp_folder.yml b/detections/endpoint/windows_screen_capture_in_temp_folder.yml
diff --git a/detections/endpoint/windows_system_remote_discovery_with_query.yml b/detections/endpoint/windows_system_remote_discovery_with_query.yml
diff --git a/detections/endpoint/windows_usbstor_registry_key_modification.yml b/detections/endpoint/windows_usbstor_registry_key_modification.yml
diff --git a/detections/endpoint/windows_wpdbusenum_registry_key_modification.yml b/detections/endpoint/windows_wpdbusenum_registry_key_modification.yml
diff --git a/lookups/malicious_powershell_strings.csv b/lookups/malicious_powershell_strings.csv
diff --git a/lookups/malicious_powershell_strings.yml b/lookups/malicious_powershell_strings.yml
