
Commit 91446e2

committed
secret_blizzard
1 parent 1cb141a commit 91446e2


2 files changed

+20
-30
lines changed


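--- a/detections/endpoint/windows_firewallapi_dll_load_from_temp.yml
+++ b/detections/endpoint/windows_firewallapi_dll_load_from_temp.yml
@@ -25,22 +25,17 @@ known_false_positives: Legitimate windows application that are not on the list l
 references:
 - https://www.microsoft.com/en-us/security/blog/2025/07/31/frozen-in-transit-secret-blizzards-aitm-campaign-against-diplomats/
 drilldown_searches:
-- name: View the detection results for - "$__UPDATE__FIRST_RISK_OBJECT$" and "$__UPDATE__SECOND_RISK_OBJECT$"
-search: '%original_detection_search% | search "$__UPDATE__FIRST_RISK_OBJECT = "$__UPDATE__FIRST_RISK_OBJECT$"
-second_observable_type_here = "$__UPDATE__SECOND_RISK_OBJECT$"'
+- name: View the detection results for - "$dest$" and "$user$"
+search: '%original_detection_search% | search dest = "$dest$" user = "$user$"'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
-- name: View the detection results for - "$dest$"
-search: '%original_detection_search% | search dest = "$dest$"'
-earliest_offset: $info_min_time$
-latest_offset: $info_max_time$
-- name: View risk events for the last 7 days for - "$dest$"
-search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
-starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime
-values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
-as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
-as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
-| `security_content_ctime(lastTime)`'
+- name: View risk events for the last 7 days for - "$dest$" and "$user$"
+search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$",
+"$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time)
+as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk
+Message" values(analyticstories) as "Analytic Stories" values(annotations._all)
+as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics"
+by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
 rba:
@@ -66,4 +61,4 @@ tests:
 attack_data:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.001/firewall_api_path/firewallapi_temp.log
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
-sourcetype: XmlWinEventLogle
+sourcetype: XmlWinEventLog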
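Review bot: The rewritten drilldowns now pivot on `$user$` as well as `$dest$`, but nothing in this hunk shows that the detection search emits a `user` field or that it is declared as a risk object; the `rba:` block begins right after the hunk, so confirm `user` is listed there, otherwise the `user = "$user$"` clause and the `IN ("$dest$", "$user$")` filter would be keyed on a field the results may not carry. The same change is made in detections/endpoint/windows_firewallapi_dll_load_from_unusual_path.yml. As a point of style, the multi-line single-quoted risk search relies on YAML line folding to rejoin `"Risk` and `Message"` across a line break; writing it as `search: >-` with the query on indented lines makes that intent explicit and survives a reformatter. The `sourcetype: XmlWinEventLog` correction in the second hunk is what the Sysmon source line above it expects.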

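--- a/detections/endpoint/windows_firewallapi_dll_load_from_unusual_path.yml
+++ b/detections/endpoint/windows_firewallapi_dll_load_from_unusual_path.yml
@@ -25,22 +25,17 @@ known_false_positives: Legitimate windows application that are not on the list l
 references:
 - https://www.microsoft.com/en-us/security/blog/2025/07/31/frozen-in-transit-secret-blizzards-aitm-campaign-against-diplomats/
 drilldown_searches:
-- name: View the detection results for - "$__UPDATE__FIRST_RISK_OBJECT$" and "$__UPDATE__SECOND_RISK_OBJECT$"
-search: '%original_detection_search% | search "$__UPDATE__FIRST_RISK_OBJECT = "$__UPDATE__FIRST_RISK_OBJECT$"
-second_observable_type_here = "$__UPDATE__SECOND_RISK_OBJECT$"'
+- name: View the detection results for - "$dest$" and "$user$"
+search: '%original_detection_search% | search dest = "$dest$" user = "$user$"'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
-- name: View the detection results for - "$dest$"
-search: '%original_detection_search% | search dest = "$dest$"'
-earliest_offset: $info_min_time$
-latest_offset: $info_max_time$
-- name: View risk events for the last 7 days for - "$dest$"
-search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
-starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime
-values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
-as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
-as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
-| `security_content_ctime(lastTime)`'
+- name: View risk events for the last 7 days for - "$dest$" and "$user$"
+search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$",
+"$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time)
+as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk
+Message" values(analyticstories) as "Analytic Stories" values(annotations._all)
+as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics"
+by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
 rba:
@@ -66,4 +61,4 @@ tests:
 attack_data:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.001/firewall_api_path/firewallapi_temp.log
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
-sourcetype: XmlWinEventLogle
+sourcetype: XmlWinEventLog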
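Review bot: The test's `attack_data` entry points at `.../T1574.001/firewall_api_path/firewallapi_temp.log`, the same dataset the `_from_temp` detection tests against; that may be deliberate if one capture covers both cases, but it is worth confirming the log contains a FirewallAPI load from a non-temp path, otherwise this unusual-path detection's own condition is never exercised and a passing test proves only the temp case. The `$user$` drilldown concern raised on the `_from_temp` file applies here unchanged, since the `rba:` section that would declare the `user` observable starts after the hunk. If the dataset is shared on purpose, a one-line comment above `- data:` saying so, e.g. `# shared with windows_firewallapi_dll_load_from_temp; contains both temp and non-temp loads`, would save the next reviewer the same question.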
