Merge branch 'develop' into new-rules

Author: pyth0n1c

detections/cloud/o365_exfiltration_via_file_access.yml

@@ -0,0 +1,68 @@
+name: O365 Exfiltration via File Access
+id: 80b44ae2-60ff-43f1-8e56-34beb49a340a
+version: 1
+date: '2024-10-14'
+author: Steven Dick
+status: production
+type: Anomaly
+description: The following analytic detects when an excessive number of files are access from o365 by the same user over a short period of time. A malicious actor may abuse the "open in app" functionality of SharePoint through scripted or Graph API based access to evade triggering the FileDownloaded Event. This behavior may indicate an attacker staging data for exfiltration or an insider threat removing organizational data. Additional attention should be take with any Azure Guest (#EXT#) accounts.
+data_source: 
+- Office 365 Universal Audit Log
+search: |-
+  `o365_management_activity` Operation IN ("fileaccessed") UserId!=app@sharepoint NOT SourceFileExtension IN (bmp,png,jpeg,jpg)
+  | eval user = replace(mvindex(split(lower(UserId),"#ext#"),0),"_","@"), user_flat = replace(UserId, "[^A-Za-z0-9]","_")
+  | where NOT match(SiteUrl,user_flat)
+  | stats values(user) as user, latest(ClientIP) as src values(ZipFileName) as file_name, values(Operation) as signature, values(UserAgent) as http_user_agent, dc(SourceFileName) as count, min(_time) as firstTime, max(_time) as lastTime by Workload,UserId,SiteUrl
+  | eventstats avg(count) as avg stdev(count) as stdev by Workload
+  | rename SiteUrl as file_path,Workload as app
+  | where count > 50 AND count > (avg + (3*(stdev))) 
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`
+  | `o365_exfiltration_via_file_access_filter`
+how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
+known_false_positives: It is possible that certain file access scenarios may trigger this alert, specifically OneDrive syncing and users accessing personal onedrives of other users. Adjust threshold and filtering as needed.
+references:
+- https://attack.mitre.org/techniques/T1567/exfil
+- https://www.varonis.com/blog/sidestepping-detection-while-exfiltrating-sharepoint-data
+- https://thedfirjournal.com/posts/m365-data-exfiltration-rclone/
+drilldown_searches:
+- name: View the detection results for - "$user$"
+  search: '%original_detection_search% | search user = "$user$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: Investigate file access by $user$ 
+  search: '`o365_management_activity` Operation IN ("fileaccessed") UserId="$UserId$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: The user $user$ accessed an excessive number of files [$count$] from $file_path$ using $src$
+  risk_objects:
+  - field: user
+    type: user
+    score: 20
+  threat_objects:
+  - field: src
+    type: ip_address
+tags:
+  analytic_story: 
+  - Data Exfiltration
+  - Office 365 Account Takeover
+  asset_type: O365 Tenant  
+  mitre_attack_id: 
+  - T1567
+  - T1530  
+  product: 
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: threat
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1567/o365_sus_file_activity/o365_sus_file_activity.log
+    source: o365
+    sourcetype: o365:management:activity

detections/cloud/o365_exfiltration_via_file_download.yml

@@ -0,0 +1,66 @@
+name: O365 Exfiltration via File Download
+id: 06b23921-bfe2-4576-89dd-616f06e129da
+version: 1
+date: '2024-10-14'
+author: Steven Dick
+status: production
+type: Anomaly
+description: The following analytic detects when an excessive number of files are downloaded from o365 by the same user over a short period of time. O365 may bundle these files together as a ZIP file, however each file will have it's own download event. This behavior may indicate an attacker staging data for exfiltration or an insider threat removing organizational data. Additional attention should be taken with any Azure Guest (#EXT#) accounts.
+data_source: 
+- Office 365 Universal Audit Log
+search: |-
+  `o365_management_activity` Operation IN ("filedownloaded") 
+  | eval user = replace(mvindex(split(lower(UserId),"#ext#"),0),"_","@"), user_flat = replace(UserId, "[^A-Za-z0-9]","_")
+  | stats values(user) as user, latest(ClientIP) as src values(ZipFileName) as file_name, values(Operation) as signature, values(UserAgent) as http_user_agent, dc(SourceFileName) as count, min(_time) as firstTime, max(_time) as lastTime by Workload,UserId,SiteUrl
+  | rename SiteUrl as file_path,Workload as app
+  | where count > 50
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`
+  | `o365_exfiltration_via_file_download_filter`
+how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
+known_false_positives: It is possible that certain file download scenarios may trigger this alert, specifically OneDrive syncing. Adjust threshold and filtering as needed.
+references:
+- https://attack.mitre.org/techniques/T1567/exfil
+- https://www.varonis.com/blog/sidestepping-detection-while-exfiltrating-sharepoint-data
+- https://thedfirjournal.com/posts/m365-data-exfiltration-rclone/
+drilldown_searches:
+- name: View the detection results for - "$user$"
+  search: '%original_detection_search% | search user = "$user$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: Investigate file downloads by $user$ 
+  search: '`o365_management_activity` Operation IN ("filedownloaded") UserId="$UserId$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: The user $user$ downloaded an excessive number of files [$count$] from $file_path$ using $src$
+  risk_objects:
+  - field: user
+    type: user
+    score: 25
+  threat_objects:
+  - field: src
+    type: ip_address
+tags:
+  analytic_story: 
+  - Data Exfiltration
+  - Office 365 Account Takeover
+  asset_type: O365 Tenant
+  mitre_attack_id: 
+  - T1567
+  - T1530  
+  product: 
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: threat
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1567/o365_sus_file_activity/o365_sus_file_activity.log
+    source: o365
+    sourcetype: o365:management:activity

detections/cloud/o365_exfiltration_via_file_sync_download.yml

@@ -0,0 +1,67 @@
+name: O365 Exfiltration via File Sync Download
+id: 350837b5-13d3-4c06-b688-db07afbe5050
+version: 1
+date: '2024-10-14'
+author: Steven Dick
+status: production
+type: Anomaly
+description: The following analytic detects when an excessive number of files are sync from o365 by the same user over a short period of time. A malicious actor abuse the user-agent string through GUI or API access to evade triggering the FileDownloaded event. This behavior may indicate an attacker staging data for exfiltration or an insider threat removing organizational data. Additional attention should be taken with any Azure Guest (#EXT#) accounts.
+data_source: 
+- Office 365 Universal Audit Log
+search: |-
+  `o365_management_activity` Operation IN ("filesyncdownload*") UserAgent="*SkyDriveSync*"
+  | eval user = replace(mvindex(split(lower(UserId),"#ext#"),0),"_","@"), user_flat = replace(UserId, "[^A-Za-z0-9]","_")
+  | where NOT match(SiteUrl,user_flat)
+  | stats values(user) as user, latest(ClientIP) as src values(ZipFileName) as file_name, values(Operation) as signature, values(UserAgent) as http_user_agent, dc(SourceFileName) as count, min(_time) as firstTime, max(_time) as lastTime by Workload,UserId,SiteUrl
+  | rename SiteUrl as file_path,Workload as app
+  | where count > 50
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`
+  | `o365_exfiltration_via_file_sync_download_filter`
+how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
+known_false_positives: It is possible that certain file sync scenarios may trigger this alert, specifically OneNote. Adjust threshold and filtering as needed.
+references:
+- https://attack.mitre.org/techniques/T1567/exfil
+- https://www.varonis.com/blog/sidestepping-detection-while-exfiltrating-sharepoint-data
+- https://thedfirjournal.com/posts/m365-data-exfiltration-rclone/
+drilldown_searches:
+- name: View the detection results for - "$user$"
+  search: '%original_detection_search% | search user = "$user$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: Investigate file sync downloads by $user$ 
+  search: '`o365_management_activity` Operation IN ("filesyncdownload*") UserId="$UserId$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: The user $user$ synced an excessive number of files [$count$] from $file_path$ using $src$
+  risk_objects:
+  - field: user
+    type: user
+    score: 25
+  threat_objects:
+  - field: src
+    type: ip_address
+tags:
+  analytic_story: 
+  - Data Exfiltration
+  - Office 365 Account Takeover
+  asset_type: O365 Tenant
+  mitre_attack_id: 
+  - T1567
+  - T1530  
+  product: 
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: threat
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1567/o365_sus_file_activity/o365_sus_file_activity.log
+    source: o365
+    sourcetype: o365:management:activity

detections/endpoint/chcp_command_execution.yml

@@ -1,7 +1,7 @@
 name: CHCP Command Execution
 id: 21d236ec-eec1-11eb-b23e-acde48001122
-version: 4
-date: '2024-11-13'
+version: 5
+date: '2025-02-19'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
@@ -15,7 +15,6 @@ description: The following analytic detects the execution of the chcp.exe applic
   system compromise and data exfiltration.
 data_source:
 - Sysmon EventID 1
-- Windows Event Log Security 4688
 - CrowdStrike ProcessRollup2
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
   as lastTime from datamodel=Endpoint.Processes where Processes.process_name=chcp.com

detections/endpoint/jscript_execution_using_cscript_app.yml

@@ -1,7 +1,7 @@
 name: Jscript Execution Using Cscript App
 id: 002f1e24-146e-11ec-a470-acde48001122
-version: 5
-date: '2025-02-10'
+version: 6
+date: '2025-02-19'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
@@ -14,7 +14,6 @@ description: The following analytic detects the execution of JScript using the c
   scripts, leading to code execution, data exfiltration, or further system compromise.
 data_source:
 - Sysmon EventID 1
-- Windows Event Log Security 4688
 - CrowdStrike ProcessRollup2
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
   as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name

detections/endpoint/ping_sleep_batch_command.yml

@@ -1,7 +1,7 @@
 name: Ping Sleep Batch Command
 id: ce058d6c-79f2-11ec-b476-acde48001122
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-02-19'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -15,7 +15,6 @@ description: The following analytic identifies the execution of ping sleep batch
   exfiltration.
 data_source:
 - Sysmon EventID 1
-- Windows Event Log Security 4688
 - CrowdStrike ProcessRollup2
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
   as lastTime from datamodel=Endpoint.Processes where `process_ping` (Processes.parent_process

detections/endpoint/vbscript_execution_using_wscript_app.yml

@@ -1,7 +1,7 @@
 name: Vbscript Execution Using Wscript App
 id: 35159940-228f-11ec-8a49-acde48001122
-version: 5
-date: '2025-02-10'
+version: 6
+date: '2025-02-19'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
@@ -15,7 +15,6 @@ description: The following analytic detects the execution of VBScript using the
   data exfiltration, or further lateral movement within the network.
 data_source:
 - Sysmon EventID 1
-- Windows Event Log Security 4688
 - CrowdStrike ProcessRollup2
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
   as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name

detections/endpoint/windows_command_shell_dcrat_forkbomb_payload.yml

@@ -1,7 +1,7 @@
 name: Windows Command Shell DCRat ForkBomb Payload
 id: 2bb1a362-7aa8-444a-92ed-1987e8da83e1
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-02-19'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
@@ -15,7 +15,6 @@ description: The following analytic detects the execution of a DCRat "forkbomb"
   disruption of services.
 data_source:
 - Sysmon EventID 1
-- Windows Event Log Security 4688
 - CrowdStrike ProcessRollup2
 search: '| tstats `security_content_summariesonly` values(Processes.process) as process
   values(Processes.parent_process) as parent_process values(Processes.parent_process_id)

detections/endpoint/windows_indirect_command_execution_via_forfiles.yml

@@ -1,7 +1,7 @@
 name: Windows Indirect Command Execution Via forfiles
 id: 1fdf31c9-ff4d-4c48-b799-0e8666e08787
-version: 4
-date: '2024-11-13'
+version: 5
+date: '2025-02-19'
 author: Eric McGinnis, Splunk
 status: production
 type: TTP
@@ -16,7 +16,6 @@ description: The following analytic detects the execution of programs initiated
   compromise.
 data_source:
 - Sysmon EventID 1
-- Windows Event Log Security 4688
 - CrowdStrike ProcessRollup2
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
   as lastTime from datamodel=Endpoint.Processes where Processes.parent_process="*forfiles*

detections/endpoint/windows_indirect_command_execution_via_pcalua.yml

@@ -1,7 +1,7 @@
 name: Windows Indirect Command Execution Via pcalua
 id: 3428ac18-a410-4823-816c-ce697d26f7a8
-version: 4
-date: '2024-11-13'
+version: 5
+date: '2025-02-19'
 author: Eric McGinnis, Splunk
 status: production
 type: TTP
@@ -15,7 +15,6 @@ description: The following analytic detects programs initiated by pcalua.exe, th
   environment.
 data_source:
 - Sysmon EventID 1
-- Windows Event Log Security 4688
 - CrowdStrike ProcessRollup2
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
   as lastTime from datamodel=Endpoint.Processes where Processes.parent_process="*pcalua*