headless_bee

Author: t-contreras

detections/endpoint/any_powershell_downloadfile.yml

@@ -1,7 +1,7 @@
 name: Any Powershell DownloadFile
 id: 1a93b7ea-7af7-11eb-adb5-acde48001122
-version: 11
-date: '2025-02-10'
+version: '12'
+date: '2025-02-24'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -71,18 +71,19 @@ rba:
     type: process_name
 tags:
   analytic_story:
-  - Data Destruction
   - Ingress Tool Transfer
+  - China-Nexus Threat Activity
+  - Crypto Stealer
+  - Hermetic Wiper
   - DarkCrystal RAT
-  - PXA Stealer
-  - Braodo Stealer
-  - Phemedrone Stealer
-  - Log4Shell CVE-2021-44228
   - Malicious PowerShell
-  - Hermetic Wiper
-  - Crypto Stealer
-  - Nexus APT Threat Activity
   - Earth Estries
+  - Phemedrone Stealer
+  - Braodo Stealer
+  - PXA Stealer
+  - Nexus APT Threat Activity
+  - Data Destruction
+  - Log4Shell CVE-2021-44228
   asset_type: Endpoint
   cve:
   - CVE-2021-44228
@@ -97,7 +98,6 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: 
-      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/windows-sysmon.log
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/windows-sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
     sourcetype: XmlWinEventLog

detections/endpoint/detect_rare_executables.yml

@@ -60,7 +60,7 @@ tags:
   analytic_story:
   - SnappyBee
   - Rhysida Ransomware
-  - Nexus APT Threat Activity
+  - China-Nexus Threat Activity
   - Crypto Stealer
   - Earth Estries
   - Unusual Processes

detections/endpoint/detect_renamed_psexec.yml

@@ -1,7 +1,7 @@
 name: Detect Renamed PSExec
 id: 683e6196-b8e8-11eb-9a79-acde48001122
-version: 11
-date: '2025-02-10'
+version: '12'
+date: '2025-02-24'
 author: Michael Haag, Splunk, Alex Oberkircher, Github Community
 status: production
 type: Hunting
@@ -39,18 +39,19 @@ references:
 - https://redcanary.com/blog/threat-hunting-psexec-lateral-movement/
 tags:
   analytic_story:
+  - China-Nexus Threat Activity
   - BlackByte Ransomware
+  - HAFNIUM Group
   - DHS Report TA18-074A
-  - DarkSide Ransomware
-  - SamSam Ransomware
   - CISA AA22-320A
-  - HAFNIUM Group
-  - Sandworm Tools
+  - DarkSide Ransomware
   - Active Directory Lateral Movement
-  - Nexus APT Threat Activity
   - DarkGate Malware
-  - Earth Estries
+  - Sandworm Tools
   - Rhysida Ransomware
+  - Nexus APT Threat Activity
+  - Earth Estries
+  - SamSam Ransomware
   asset_type: Endpoint
   mitre_attack_id:
   - T1569.002
@@ -62,7 +63,6 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: 
-      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1569.002/atomic_red_team/windows-sysmon.log
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1569.002/atomic_red_team/windows-sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
     sourcetype: XmlWinEventLog

detections/endpoint/detect_renamed_winrar.yml

@@ -1,7 +1,7 @@
 name: Detect Renamed WinRAR
 id: 1b7bfb2c-b8e6-11eb-99ac-acde48001122
-version: 9
-date: '2025-02-10'
+version: '10'
+date: '2025-02-24'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
@@ -38,10 +38,11 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md
 tags:
   analytic_story:
+  - China-Nexus Threat Activity
+  - CISA AA22-277A
   - Collection and Staging
-  - Earth Estries
   - Nexus APT Threat Activity
-  - CISA AA22-277A
+  - Earth Estries
   asset_type: Endpoint
   mitre_attack_id:
   - T1560.001
@@ -53,7 +54,6 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: 
-      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1560.001/archive_utility/windows-sysmon.log
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1560.001/archive_utility/windows-sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
     sourcetype: XmlWinEventLog

detections/endpoint/executables_or_script_creation_in_suspicious_path.yml

@@ -95,7 +95,7 @@ tags:
   - Amadey
   - DarkCrystal RAT
   - Remcos
-  - Nexus APT Threat Activity
+  - China-Nexus Threat Activity
   - Earth Estries
   - Rhysida Ransomware
   - RedLine Stealer

detections/endpoint/executables_or_script_creation_in_temp_path.yml

@@ -94,7 +94,7 @@ tags:
   - Amadey
   - DarkCrystal RAT
   - Remcos
-  - Nexus APT Threat Activity
+  - China-Nexus Threat Activity
   - Earth Estries
   - Rhysida Ransomware
   - RedLine Stealer

detections/endpoint/linux_auditd_file_permission_modification_via_chmod.yml

@@ -1,8 +1,8 @@
 name: Linux Auditd File Permission Modification Via Chmod
 id: 5f1d2ea7-eec0-4790-8b24-6875312ad492
-version: 7
-date: '2025-02-10'
-author: Teoderick Contreras, Splunk, Ivar Nygård
+version: '8'
+date: '2025-02-24'
+author: "Teoderick Contreras, Splunk, Ivar Nyg\xE5rd"
 status: production
 type: Anomaly
 description: The following analytic detects suspicious file permission modifications
@@ -58,11 +58,12 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
-  - Linux Privilege Escalation
-  - Linux Living Off The Land
-  - Compromised Linux Host
+  - China-Nexus Threat Activity
   - Linux Persistence Techniques
   - XorDDos
+  - Linux Privilege Escalation
+  - Compromised Linux Host
+  - Linux Living Off The Land
   - Nexus APT Threat Activity
   - Earth Estries
   asset_type: Endpoint
@@ -76,7 +77,6 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: 
-      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.002/linux_auditd_chmod_exec_attrib/linux_auditd_chmod_exec_attrib.log
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.002/linux_auditd_chmod_exec_attrib/linux_auditd_chmod_exec_attrib.log
     source: /var/log/audit/audit.log
     sourcetype: linux:audit

detections/endpoint/linux_auditd_nopasswd_entry_in_sudoers_file.yml

@@ -1,7 +1,7 @@
 name: Linux Auditd Nopasswd Entry In Sudoers File
 id: 651df959-ad17-4b73-a323-90cb96d5fa1b
-version: 5
-date: '2025-02-10'
+version: '6'
+date: '2025-02-24'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -57,9 +57,10 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
+  - China-Nexus Threat Activity
+  - Linux Persistence Techniques
   - Linux Privilege Escalation
   - Compromised Linux Host
-  - Linux Persistence Techniques
   - Nexus APT Threat Activity
   - Earth Estries
   asset_type: Endpoint
@@ -73,7 +74,6 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: 
-      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_auditd_nopasswd/linux_auditd_nopasswd.log
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_auditd_nopasswd/linux_auditd_nopasswd.log
     source: /var/log/audit/audit.log
     sourcetype: linux:audit

detections/endpoint/linux_auditd_possible_access_to_credential_files.yml

@@ -1,7 +1,7 @@
 name: Linux Auditd Possible Access To Credential Files
 id: 0419cb7a-57ea-467b-974f-77c303dfe2a3
-version: 5
-date: '2025-02-10'
+version: '6'
+date: '2025-02-24'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -59,9 +59,10 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
+  - China-Nexus Threat Activity
+  - Linux Persistence Techniques
   - Linux Privilege Escalation
   - Compromised Linux Host
-  - Linux Persistence Techniques
   - Nexus APT Threat Activity
   - Earth Estries
   asset_type: Endpoint
@@ -75,7 +76,6 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: 
-      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.008/linux_auditd_access_credential/linux_auditd_access_credential.log
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.008/linux_auditd_access_credential/linux_auditd_access_credential.log
     source: /var/log/audit/audit.log
     sourcetype: linux:audit

detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml

@@ -1,7 +1,7 @@
 name: Linux Auditd Possible Access To Sudoers File
 id: 8be88f46-f7e8-4ae6-b15e-cf1b13392834
-version: 5
-date: '2025-02-10'
+version: '6'
+date: '2025-02-24'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -56,9 +56,10 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
+  - China-Nexus Threat Activity
+  - Linux Persistence Techniques
   - Linux Privilege Escalation
   - Compromised Linux Host
-  - Linux Persistence Techniques
   - Nexus APT Threat Activity
   - Earth Estries
   asset_type: Endpoint
@@ -72,7 +73,6 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: 
-      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_auditd_sudoers_access/linux_auditd_sudoers_access.log
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_auditd_sudoers_access/linux_auditd_sudoers_access.log
     source: /var/log/audit/audit.log
     sourcetype: linux:audit