Merge branch 'develop' into lnx_auditd_magic_system_request_key

CheraghiMilad · web-flow · commit 655bd7fee350 · 2025-08-29T20:05:46.000+03:30
diff --git a/contentctl.yml b/contentctl.yml
@@ -3,7 +3,7 @@ app:
   uid: 3449
   title: ES Content Updates
   appid: DA-ESS-ContentUpdate
-  version: 5.13.0
+  version: 5.14.0
   description: Explore the Analytic Stories included with ES Content Updates.
   prefix: ESCU
   label: ESCU
diff --git a/detections/cloud/aws_defense_evasion_impair_security_services.yml b/detections/cloud/aws_defense_evasion_impair_security_services.yml
@@ -1,13 +1,11 @@
 name: AWS Defense Evasion Impair Security Services
 id: b28c4957-96a6-47e0-a965-6c767aac1458
-version: 8
-date: '2025-05-22'
-author: Bhavin Patel, Gowthamaraj Rajendran, Splunk
+version: 9
+date: '2025-08-26'
+author: Bhavin Patel, Gowthamaraj Rajendran, Splunk, PashFW, Github Community
 status: production
 type: TTP
-description: The following analytic detects attempts to delete critical AWS security
-  service configurations, such as CloudWatch alarms, GuardDuty detectors, and Web
-  Application Firewall rules. It leverages CloudTrail logs to identify specific API
+description: The following analytic detects attempts to impair or disable AWS security services by monitoring specific deletion operations across GuardDuty, AWS WAF (classic and v2), CloudWatch, Route 53, and CloudWatch Logs. These actions include deleting detectors, rule groups, IP sets, web ACLs, logging configurations, alarms, and log streams. Adversaries may perform such operations to evade detection or remove visibility from defenders. By explicitly pairing eventName values with their corresponding eventSource services, this detection reduces noise and ensures that only security-related deletions are flagged. It leverages CloudTrail logs to identify specific API
   calls like "DeleteLogStream" and "DeleteDetector." This activity is significant
   because it indicates potential efforts to disable security monitoring and evade
   detection. If confirmed malicious, this could allow attackers to operate undetected,
@@ -22,14 +20,17 @@ data_source:
 - AWS CloudTrail DeleteRuleGroup
 - AWS CloudTrail DeleteLoggingConfiguration
 - AWS CloudTrail DeleteAlarms
-search: '`cloudtrail` eventName IN ("DeleteLogStream","DeleteDetector","DeleteIPSet","DeleteWebACL","DeleteRule","DeleteRuleGroup","DeleteLoggingConfiguration","DeleteAlarms")
+search: |
+  `cloudtrail`
+  (eventName="DeleteDetector" AND eventSource="guardduty.amazonaws.com") OR (   eventName IN ("DeleteIPSet", "DeleteWebACL", "DeleteRuleGroup", "DeleteRule") AND eventSource IN ("guardduty.amazonaws.com", "wafv2.amazonaws.com", "waf.amazonaws.com") ) OR ( eventName="DeleteLoggingConfiguration" AND eventSource IN ("wafv2.amazonaws.com", "waf.amazonaws.com", "route53.amazonaws.com") )
   | rename user_name as user
   | stats count min(_time) as firstTime max(_time) as lastTime by signature dest user user_agent src vendor_account vendor_region vendor_product
-  | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|  `aws_defense_evasion_impair_security_services_filter`'
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`
+  | `aws_defense_evasion_impair_security_services_filter`
 how_to_implement: You must install Splunk AWS Add on and enable CloudTrail logs in
   your AWS Environment.
-known_false_positives: While this search has no known false positives, it is possible
-  that it is a legitimate admin activity. Please consider filtering out these noisy
+known_false_positives: Legitimate administrators may occasionally delete GuardDuty detectors, WAF rule groups, or CloudWatch alarms during environment reconfiguration, migration, or decommissioning activities. In such cases, these events are expected and benign. These should be validated against approved change tickets or deployment pipelines to differentiate malicious activity from normal operations. Please consider filtering out these noisy
   events using userAgent, user_arn field names.
 references:
 - https://docs.aws.amazon.com/cli/latest/reference/guardduty/index.html
diff --git a/detections/endpoint/windows_speechruntime_com_hijacking_dll_load.yml b/detections/endpoint/windows_speechruntime_com_hijacking_dll_load.yml
@@ -0,0 +1,69 @@
+name: Windows SpeechRuntime COM Hijacking DLL Load
+id: bd35738c-e93a-4e4f-be24-f6a3680b950a
+version: 1
+date: '2025-08-22'
+author: Raven Tait, Splunk
+status: production
+type: TTP
+description: SpeechRuntime is vulnerable to an attack that allows a user to run code on another user's 
+  session remotely and stealthily by exploiting a Windows COM class. When this class 
+  is invoked, it launches SpeechRuntime.exe in the context of the currently logged-on user. Because this 
+  COM class is susceptible to COM Hijacking, the attacker can alter the registry remotely to point to a 
+  malicious DLL. By dropping that DLL on the target system (e.g., via SMB) and triggering the COM object, 
+  the attacker causes the malicious DLL to load into SpeechRuntime.exe and executing under the user's context. This
+  detection identifies suspicious DLL loads by SpeechRuntime.exe from outside the expected locations.
+data_source:
+- Sysmon EventID 7
+search: '`sysmon` EventCode=7 Image="*SpeechRuntime.exe" | eval image_loaded_lower = lower(ImageLoaded) 
+  | search NOT image_loaded_lower="*system32*" | fillnull | stats count min(_time) as firstTime
+  max(_time) as lastTime by Image ImageLoaded dest loaded_file loaded_file_path original_file_name 
+  parent_process_name parent_process_guid
+  process_exec process_guid process_hash process_id process_name process_path service_dll_signature_exists
+  service_dll_signature_verified signature signature_id user_id vendor_product | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)` | `windows_speechruntime_com_hijacking_dll_load_filter`'
+how_to_implement: To successfully implement this search, you need to be ingesting
+  logs with the process name and ImageLoaded (Like sysmon EventCode 7) from your endpoints.
+  If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
+  Also be sure to include those monitored dll to your own sysmon config.
+known_false_positives: This process should normally never be loading dlls from outside the Windows system directory.
+references:
+- https://github.com/rtecCyberSec/SpeechRuntimeMove
+drilldown_searches:
+- name: View the detection results for - "$dest$"
+  search: '%original_detection_search% | search  dest = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
+    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: Possible Lateral Movement abusing Speech Runtime on $dest$
+  risk_objects:
+  - field: dest
+    type: system
+    score: 55
+  threat_objects: []
+tags:
+  analytic_story:
+  - Active Directory Lateral Movement
+  - Compromised Windows Host
+  asset_type: Endpoint
+  mitre_attack_id:
+  - T1021.003
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.003/lateral_movement_speechruntime/windows-sysmon.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: XmlWinEventLog
diff --git a/detections/endpoint/windows_speechruntime_suspicious_child_process.yml b/detections/endpoint/windows_speechruntime_suspicious_child_process.yml
@@ -0,0 +1,75 @@
+name: Windows SpeechRuntime Suspicious Child Process
+id: f7bb956f-b956-42a5-8c2c-ff9cdbbf7526
+version: 1
+date: '2025-08-22'
+author: Raven Tait, Splunk
+status: production
+type: TTP
+description: SpeechRuntime is vulnerable to an attack that allows a user to run code on another user's 
+  session remotely and stealthily by exploiting a Windows COM class. When this class 
+  is invoked, it launches SpeechRuntime.exe in the context of the currently logged-on user. Because this 
+  COM class is susceptible to COM Hijacking, the attacker can alter the registry remotely to point to a 
+  malicious DLL. By dropping that DLL on the target system (e.g., via SMB) and triggering the COM object, 
+  the attacker causes the malicious DLL to load into SpeechRuntime.exe and executing under the user's context. 
+  This detection identifies suspicious child processes of SpeechRuntime.exe that could indicate abuse 
+  of this vulnerability.
+data_source:
+- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime 
+  from datamodel=Endpoint.Processes where (Processes.parent_process_name="*SpeechRuntime.exe*")
+  Processes.process IN ("*cmd.exe*","*powershell.exe*","*rundll32.exe*","*bitsadmin.exe*","*wmic.exe*","*cscript.exe*")
+  by Processes.dest Processes.user Processes.original_file_name Processes.parent_process Processes.process_name Processes.process 
+  Processes.process_id Processes.parent_process_id Processes.parent_process_name action parent_process_exec 
+  parent_process_guid parent_process_path process_exec process_guid process_hash process_integrity_level 
+  process_path user_id vendor_product | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`| `windows_speechruntime_suspicious_child_process_filter`'
+how_to_implement: The detection is based on data that originates from Endpoint Detection
+  and Response (EDR) agents. These agents are designed to provide security-related
+  telemetry from the endpoints where the agent is installed. To implement this search,
+  you must ingest logs that contain the process GUID, process name, and parent process.
+  Additionally, you must ingest complete command-line executions. These logs must
+  be processed using the appropriate Splunk Technology Add-ons that are specific to
+  the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
+  data model. Use the Splunk Common Information Model (CIM) to normalize the field
+  names and speed up the data modeling process.
+known_false_positives: This process should normally never be spawning these child processes.
+references:
+- https://github.com/rtecCyberSec/SpeechRuntimeMove
+drilldown_searches:
+- name: View the detection results for - "$dest$"
+  search: '%original_detection_search% | search dest = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: Possible Lateral Movement on $dest$ by abusing SpeechRuntime.
+  risk_objects:
+  - field: dest
+    type: system
+    score: 65
+  threat_objects:
+  - field: parent_process_name
+    type: parent_process_name
+tags:
+  analytic_story:
+  - Active Directory Lateral Movement
+  - Compromised Windows Host
+  asset_type: Endpoint
+  mitre_attack_id:
+  - T1021.003
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.003/lateral_movement_speechruntime/windows-sysmon.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: XmlWinEventLog
diff --git a/removed/detections/cisco_secure_application_alerts.yml b/removed/detections/cisco_secure_application_alerts.yml
@@ -3,7 +3,7 @@ id: 9982bff4-fc5d-49a3-ab9e-2dbbab2a711b
 version: 3
 date: '2025-08-04'
 author: Ryan Long, Bhavin Patel, Splunk
-status: deprecated
+status: removed
 type: Anomaly
 description: |
   The following analytic is to leverage alerts from Cisco SecureApp, which identifies and monitors exploit attempts targeting business applications. The primary attack observed involves exploiting vulnerabilities in web applications, including injection attacks (SQL, API abuse), deserialization vulnerabilities, remote code execution attempts, LOG4J and zero day attacks. These attacks are typically aimed at gaining unauthorized access, exfiltrating sensitive data, or disrupting application functionality.
