Merge pull request #3529 from splunk/fix-issues-0525

patel-bhavin · web-flow · commit 7986635c78a4 · 2025-05-20T09:49:54.000-07:00
Fix Reported Issues
diff --git a/detections/endpoint/ping_sleep_batch_command.yml b/detections/endpoint/ping_sleep_batch_command.yml
@@ -1,11 +1,12 @@
 name: Ping Sleep Batch Command
 id: ce058d6c-79f2-11ec-b476-acde48001122
-version: 9
-date: '2025-05-02'
+version: 10
+date: '2025-05-19'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
-description: The following analytic identifies the execution of ping sleep batch commands.
+description: |
+  The following analytic identifies the execution of ping sleep batch commands.
   It leverages data from Endpoint Detection and Response (EDR) agents, focusing on
   process and parent process command-line details. This activity is significant as
   it indicates an attempt to delay malicious code execution, potentially evading detection
@@ -17,9 +18,21 @@ data_source:
 - Sysmon EventID 1
 - CrowdStrike ProcessRollup2
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
-  as lastTime from datamodel=Endpoint.Processes where `process_ping` (Processes.parent_process
-  = "*ping*" Processes.parent_process = *-n* Processes.parent_process="* Nul*"Processes.parent_process="*&gt;*")
-  OR (Processes.process = "*ping*" Processes.process = *-n* Processes.process="* Nul*"Processes.process="*&gt;*")
+  as lastTime from datamodel=Endpoint.Processes where 
+      (
+      Processes.parent_process= "*ping*" 
+      Processes.parent_process = *-n* 
+      Processes.parent_process="* Nul*"
+      Processes.parent_process IN ("*&gt;*", "*>*")
+      Processes.parent_process IN ("*&amp;*", "*& *")
+      )
+    OR (
+      Processes.process = "*ping*"
+      Processes.process = *-n* 
+      Processes.process="* Nul*" 
+      Processes.process IN ("*&gt;*", "*>*")
+      Processes.process IN ("*&amp;*", "*& *")
+      )
   by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
   Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
   Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec
diff --git a/detections/endpoint/schtasks_scheduling_job_on_remote_system.yml b/detections/endpoint/schtasks_scheduling_job_on_remote_system.yml
@@ -1,7 +1,7 @@
 name: Schtasks scheduling job on remote system
 id: 1297fb80-f42a-4b4a-9c8a-88c066237cf6
-version: 14
-date: '2025-05-02'
+version: 15
+date: '2025-05-19'
 author: David Dorsey, Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -20,7 +20,7 @@ data_source:
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
   as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = schtasks.exe
   OR Processes.original_file_name=schtasks.exe) (Processes.process="*/create*" AND
-  Processes.process="*/s*") by Processes.action Processes.dest Processes.original_file_name
+  Processes.process="*/s *") by Processes.action Processes.dest Processes.original_file_name
   Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
   Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
   Processes.process Processes.process_exec Processes.process_guid Processes.process_hash
diff --git a/detections/endpoint/windows_msiexec_dllregisterserver.yml b/detections/endpoint/windows_msiexec_dllregisterserver.yml
@@ -1,7 +1,7 @@
 name: Windows MSIExec DLLRegisterServer
 id: fdb59aef-d88f-4909-8369-ec2afbd2c398
-version: 9
-date: '2025-05-02'
+version: 10
+date: '2025-05-19'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -21,7 +21,7 @@ data_source:
 search:
   '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
   as lastTime from datamodel=Endpoint.Processes where `process_msiexec` Processes.process
-  IN ("*/y*", "*-y*") by Processes.action Processes.dest Processes.original_file_name
+  IN ("* /y*", "* -y*") by Processes.action Processes.dest Processes.original_file_name
   Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
   Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
   Processes.process Processes.process_exec Processes.process_guid Processes.process_hash
diff --git a/detections/endpoint/windows_process_commandline_discovery.yml b/detections/endpoint/windows_process_commandline_discovery.yml
@@ -1,7 +1,7 @@
 name: Windows Process Commandline Discovery
 id: 67d2a52e-a7e2-4a5d-ae44-a21212048bc2
-version: 6
-date: '2025-05-02'
+version: 7
+date: '2025-05-19'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
@@ -20,7 +20,7 @@ description: The following analytic detects the use of Windows Management Instru
   further exploitation or lateral movement.
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
   as lastTime from datamodel=Endpoint.Processes where `process_wmic` Processes.process=
-  "* process *" Processes.process= "* get commandline *" by Processes.action Processes.dest
+  "* process *" Processes.process= "* get *" Processes.process= "*CommandLine*" by Processes.action Processes.dest
   Processes.original_file_name Processes.parent_process Processes.parent_process_exec
   Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name
   Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid
