Merge branch 'develop' into updates-june

Author: pyth0n1c

detections/endpoint/cmd_carry_out_string_command_parameter.yml

@@ -1,7 +1,7 @@
 name: CMD Carry Out String Command Parameter
 id: 54a6ed00-3256-11ec-b031-acde48001122
-version: 11
-date: '2025-05-06'
+version: 12
+date: '2025-05-26'
 author: Teoderick Contreras, Bhavin Patel, Splunk
 status: production
 type: Hunting
@@ -17,14 +17,14 @@ data_source:
 - Windows Event Log Security 4688
 - CrowdStrike ProcessRollup2
 search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time)
-  as lastTime from datamodel=Endpoint.Processes where `process_cmd` AND Processes.process IN ("*/c*", "*/k*")
-  by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
-  Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
-  Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec
-  Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level
-  Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
-  | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
-  | `cmd_carry_out_string_command_parameter_filter`'
+  as lastTime from datamodel=Endpoint.Processes where `process_cmd` AND Processes.process
+  IN ("*/c*", "*/k*") by Processes.action Processes.dest Processes.original_file_name
+  Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
+  Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
+  Processes.process Processes.process_exec Processes.process_guid Processes.process_hash
+  Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path
+  Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)`
+  | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cmd_carry_out_string_command_parameter_filter`'
 how_to_implement: The detection is based on data that originates from Endpoint Detection
   and Response (EDR) agents. These agents are designed to provide security-related
   telemetry from the endpoints where the agent is installed. To implement this search,
@@ -41,27 +41,28 @@ references:
 - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/
 tags:
   analytic_story:
-  - Data Destruction
-  - DarkGate Malware
-  - Chaos Ransomware
-  - Hermetic Wiper
-  - Warzone RAT
+  - PlugX
   - Winter Vivern
+  - Rhysida Ransomware
+  - Malicious Inno Setup Loader
+  - DarkGate Malware
   - ProxyNotShell
-  - IcedID
-  - Living Off The Land
-  - NjRAT
   - Log4Shell CVE-2021-44228
-  - CISA AA23-347A
-  - AsyncRAT
-  - Rhysida Ransomware
-  - DarkCrystal RAT
-  - Crypto Stealer
   - Azorult
+  - Living Off The Land
   - Qakbot
-  - RedLine Stealer
-  - PlugX
+  - Chaos Ransomware
+  - IcedID
+  - Data Destruction
+  - Crypto Stealer
   - WhisperGate
+  - NjRAT
+  - AsyncRAT
+  - CISA AA23-347A
+  - Hermetic Wiper
+  - RedLine Stealer
+  - DarkCrystal RAT
+  - Warzone RAT
   asset_type: Endpoint
   cve:
   - CVE-2021-44228

detections/endpoint/cobalt_strike_named_pipes.yml

@@ -1,7 +1,7 @@
 name: Cobalt Strike Named Pipes
 id: 5876d429-0240-4709-8b93-ea8330b411b5
-version: 8
-date: '2025-05-02'
+version: 9
+date: '2025-06-17'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -16,12 +16,33 @@ description: The following analytic detects the use of default or publicly known
 data_source:
 - Sysmon EventID 17
 - Sysmon EventID 18
-search: '`sysmon` EventID=17 OR EventID=18 PipeName IN (\\msagent_*, \\DserNamePipe*,
-  \\srvsvc_*, \\postex_*, \\status_*, \\MSSE-*, \\spoolss_*, \\win_svc*, \\ntsvcs*,
-  \\winsock*, \\UIA_PIPE*) | stats count min(_time) as firstTime max(_time) as lastTime
+search: |
+  `sysmon` (EventID=17 OR EventID=18)
+  PipeName IN (
+    "\\DserNamePipe*",
+    "\\interprocess_*",
+    "\\lsarpc_*",
+    "\\mojo_*",
+    "\\msagent_*",
+    "\\MSSE-*",
+    "\\netlogon_*",
+    "\\ntsvcs*",
+    "\\postex_*",
+    "\\samr_*",
+    "\\spoolss_*",
+    "\\srvsvc_*",
+    "\\status_*",
+    "\\UIA_PIPE"*
+    "\\win_svc*",
+    "\\winsock*",
+    "\\wkssvc_*",
+  )
+  | stats count min(_time) as firstTime max(_time) as lastTime
   by dest dvc pipe_name process_exec process_guid process_id process_name process_path
-  signature signature_id user_id vendor_product Image PipeName | `security_content_ctime(firstTime)`
-  | `security_content_ctime(lastTime)` | `cobalt_strike_named_pipes_filter`'
+  signature signature_id user_id vendor_product Image PipeName
+  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)`
+  | `cobalt_strike_named_pipes_filter`
 how_to_implement: To successfully implement this search, you need to be ingesting
   logs with the process name, parent process, and command-line executions from your
   endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the

detections/endpoint/detect_renamed_7_zip.yml

@@ -1,7 +1,7 @@
 name: Detect Renamed 7-Zip
 id: 4057291a-b8cf-11eb-95fe-acde48001122
-version: 9
-date: '2025-05-02'
+version: 10
+date: '2025-06-02'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
@@ -43,6 +43,7 @@ references:
 tags:
   analytic_story:
   - Collection and Staging
+  - Malicious Inno Setup Loader
   asset_type: Endpoint
   mitre_attack_id:
   - T1560.001

detections/endpoint/detect_renamed_winrar.yml

@@ -1,7 +1,7 @@
 name: Detect Renamed WinRAR
 id: 1b7bfb2c-b8e6-11eb-99ac-acde48001122
-version: 12
-date: '2025-05-02'
+version: 13
+date: '2025-06-16'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
@@ -18,13 +18,15 @@ data_source:
 - CrowdStrike ProcessRollup2
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
   as lastTime from datamodel=Endpoint.Processes where Processes.original_file_name=WinRAR.exe
-  (Processes.process_name!=rar.exe OR Processes.process_name!=winrar.exe) by Processes.action
-  Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec
-  Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name
-  Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid
-  Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name
-  Processes.process_path Processes.user Processes.user_id Processes.vendor_product
-  | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
+  (Processes.process_name!=rar.exe AND Processes.process_name!=winrar.exe) 
+  by Processes.action Processes.dest Processes.original_file_name Processes.parent_process 
+  Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id 
+  Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec 
+  Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level 
+  Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
+  | `drop_dm_object_name(Processes)`
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`
   | `detect_renamed_winrar_filter`'
 how_to_implement: The detection is based on data that originates from Endpoint Detection
   and Response (EDR) agents. These agents are designed to provide security-related

detections/endpoint/excessive_usage_of_cacls_app.yml

@@ -1,37 +1,56 @@
 name: Excessive Usage Of Cacls App
 id: 0bdf6092-af17-11eb-939a-acde48001122
-version: 8
-date: '2025-05-02'
+version: 9
+date: '2025-06-17'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
-description: The following analytic identifies excessive usage of `cacls.exe`, `xcacls.exe`,
-  or `icacls.exe` to change file or folder permissions. It leverages data from Endpoint
-  Detection and Response (EDR) agents, focusing on process names and command-line
-  executions. This activity is significant as it may indicate an adversary attempting
-  to restrict access to malware components or artifacts on a compromised system. If
-  confirmed malicious, this behavior could prevent users from deleting or accessing
+description: |
+  The following analytic identifies excessive usage of `cacls.exe`, `xcacls.exe`,
+  or `icacls.exe` to change file or folder permissions.
+  It looks for 10 or more execution of the aforementioned processes in the span of 1 minute. 
+  It leverages data from Endpoint Detection and Response (EDR) agents, 
+  focusing on process names and command-line executions.
+  This activity is significant as it may indicate an adversary attempting
+  to restrict access to malware components or artifacts on a compromised system.
+  If confirmed malicious, this behavior could prevent users from deleting or accessing
   critical files, aiding in the persistence and concealment of malicious activities.
 data_source:
 - Sysmon EventID 1
 - Windows Event Log Security 4688
 - CrowdStrike ProcessRollup2
-search: '| tstats `security_content_summariesonly` values(Processes.dest) as dest
-  values(Processes.user) as user min(_time) as firstTime max(_time) as lastTime values(Processes.action)
-  as action values(Processes.original_file_name) as original_file_name values(Processes.parent_process_exec)
-  as parent_process_exec values(Processes.parent_process_guid) as parent_process_guid
-  values(Processes.parent_process_id) as parent_process_id values(Processes.parent_process_path)
-  as parent_process_path values(Processes.process) as process values(Processes.process_exec)
-  as process_exec values(Processes.process_guid) as process_guid values(Processes.process_hash)
-  as process_hash values(Processes.process_id) as process_id values(Processes.process_integrity_level)
-  as process_integrity_level values(Processes.process_name) as process_name values(Processes.process_path)
-  as process_path values(Processes.user_id) as user_id values(Processes.vendor_product)
-  as vendor_product count from datamodel=Endpoint.Processes where Processes.process_name
-  = "cacls.exe" OR Processes.process_name = "icacls.exe" OR Processes.process_name
-  = "XCACLS.exe" by Processes.parent_process_name Processes.parent_process Processes.dest
-  Processes.user _time span=1m | where count >=10 | `drop_dm_object_name(Processes)`
-  | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_usage_of_cacls_app_filter`'
-how_to_implement: The detection is based on data that originates from Endpoint Detection
+search: |
+  | tstats `security_content_summariesonly` 
+    min(_time) as firstTime 
+    max(_time) as lastTime 
+    values(Processes.dest) as dest
+    values(Processes.user) as user 
+    values(Processes.action) as action 
+    values(Processes.original_file_name) as original_file_name 
+    values(Processes.parent_process_exec) as parent_process_exec 
+    values(Processes.parent_process_guid) as parent_process_guid
+    values(Processes.parent_process_id) as parent_process_id 
+    values(Processes.parent_process_path) as parent_process_path 
+    values(Processes.process) as process 
+    values(Processes.process_exec) as process_exec 
+    values(Processes.process_guid) as process_guid 
+    values(Processes.process_hash) as process_hash 
+    values(Processes.process_id) as process_id 
+    values(Processes.process_integrity_level) as process_integrity_level 
+    values(Processes.process_name) as process_name 
+    values(Processes.process_path) as process_path 
+    values(Processes.user_id) as user_id 
+    values(Processes.vendor_product) as vendor_product count 
+  from datamodel=Endpoint.Processes where 
+  Processes.process_name IN( "icacls.exe", "cacls.exe", "xcacls.exe") 
+  by Processes.parent_process_name Processes.parent_process Processes.dest Processes.user _time span=1m 
+  | where count >=10 
+  | `drop_dm_object_name(Processes)`
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)` 
+  | `excessive_usage_of_cacls_app_filter`
+how_to_implement: |
+  The detection is based on data that originates from Endpoint Detection
   and Response (EDR) agents. These agents are designed to provide security-related
   telemetry from the endpoints where the agent is installed. To implement this search,
   you must ingest logs that contain the process GUID, process name, and parent process.

detections/endpoint/hiding_files_and_directories_with_attrib_exe.yml

@@ -1,7 +1,7 @@
 name: Hiding Files And Directories With Attrib exe
 id: 6e5a3ae4-90a3-462d-9aa6-0119f638c0f1
-version: 12
-date: '2025-05-02'
+version: 13
+date: '2025-05-26'
 author: Bhavin Patel, Splunk
 status: production
 type: TTP
@@ -64,8 +64,9 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
-  - Azorult
   - Windows Persistence Techniques
+  - Malicious Inno Setup Loader
+  - Azorult
   - Compromised Windows Host
   - Windows Defense Evasion Tactics
   - Crypto Stealer

detections/endpoint/icacls_deny_command.yml

@@ -1,11 +1,12 @@
 name: Icacls Deny Command
 id: cf8d753e-a8fe-11eb-8f58-acde48001122
-version: 8
-date: '2025-05-02'
+version: 9
+date: '2025-06-17'
 author: Teoderick Contreras, Splunk
 status: production
-type: TTP
-description: The following analytic detects instances where an adversary modifies
+type: Anomaly
+description: |
+  The following analytic detects instances where an adversary modifies
   security permissions of a file or directory using commands like "icacls.exe", "cacls.exe",
   or "xcacls.exe" with deny options. It leverages data from Endpoint Detection and
   Response (EDR) agents, focusing on process names and command-line executions. This
@@ -17,17 +18,22 @@ data_source:
 - Sysmon EventID 1
 - Windows Event Log Security 4688
 - CrowdStrike ProcessRollup2
-search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time)
-  as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN( "icacls.exe",
-  "cacls.exe", "xcacls.exe") AND Processes.process IN ("*/deny*", "*/D*") by Processes.action
-  Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec
-  Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name
-  Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid
-  Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name
-  Processes.process_path Processes.user Processes.user_id Processes.vendor_product
-  | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
-  | `icacls_deny_command_filter`'
-how_to_implement: The detection is based on data that originates from Endpoint Detection
+search: |
+  | tstats `security_content_summariesonly` min(_time) as firstTime max(_time)
+  as lastTime from datamodel=Endpoint.Processes where 
+  Processes.process_name IN ( "icacls.exe", "cacls.exe", "xcacls.exe") AND 
+  Processes.process IN ("*/deny*", "*/d:*", "*/d ") 
+  by Processes.action Processes.dest Processes.original_file_name Processes.parent_process 
+  Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id 
+  Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec 
+  Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level 
+  Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
+  | `drop_dm_object_name(Processes)` 
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`
+  | `icacls_deny_command_filter`
+how_to_implement: |
+  The detection is based on data that originates from Endpoint Detection
   and Response (EDR) agents. These agents are designed to provide security-related
   telemetry from the endpoints where the agent is installed. To implement this search,
   you must ingest logs that contain the process GUID, process name, and parent process.

detections/endpoint/icacls_grant_command.yml

@@ -1,11 +1,12 @@
 name: ICACLS Grant Command
 id: b1b1e316-accc-11eb-a9b4-acde48001122
-version: 7
-date: '2025-05-02'
+version: 8
+date: '2025-06-17'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
-description: The following analytic detects the use of the ICACLS command to grant
+description: |
+  The following analytic detects the use of the ICACLS command to grant
   additional access permissions to files or directories. It leverages data from Endpoint
   Detection and Response (EDR) agents, focusing on specific process names and command-line
   arguments. This activity is significant because it is commonly used by Advanced
@@ -17,17 +18,22 @@ data_source:
 - Sysmon EventID 1
 - Windows Event Log Security 4688
 - CrowdStrike ProcessRollup2
-search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time)
-  as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN( "icacls.exe",
-  "cacls.exe", "xcacls.exe") AND Processes.process IN ("*/grant*", "*/G*") by Processes.action
-  Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec
-  Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name
-  Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid
-  Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name
-  Processes.process_path Processes.user Processes.user_id Processes.vendor_product
-  | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
-  | `icacls_grant_command_filter`'
-how_to_implement: The detection is based on data that originates from Endpoint Detection
+search: |
+  | tstats `security_content_summariesonly` min(_time) as firstTime max(_time)
+  as lastTime from datamodel=Endpoint.Processes where 
+  Processes.process_name IN ( "icacls.exe", "cacls.exe", "xcacls.exe") AND 
+  Processes.process IN ("*/grant*", "*/g:*", "*/g *") 
+  by Processes.action Processes.dest Processes.original_file_name Processes.parent_process 
+  Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id 
+  Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec 
+  Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level 
+  Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
+  | `drop_dm_object_name(Processes)` 
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`
+  | `icacls_grant_command_filter`
+how_to_implement: |
+  The detection is based on data that originates from Endpoint Detection
   and Response (EDR) agents. These agents are designed to provide security-related
   telemetry from the endpoints where the agent is installed. To implement this search,
   you must ingest logs that contain the process GUID, process name, and parent process.