Merge branch 'develop' into 8_million_requests

josehelps · web-flow · commit 9428a91911ba · 2025-02-20T17:53:03.000-05:00
diff --git a/detections/application/cisco_secure_application_alerts.yml b/detections/application/cisco_secure_application_alerts.yml
@@ -79,7 +79,7 @@ tags:
   - Splunk Enterprise Security
   - Splunk Cloud
   security_domain: threat
-  # manual_test: We are dynamically creating the risk_score field based on the severity of the alert in the SPL and that supersedes the risk score set in the detection. Setting these to manual test since otherwise we fail integration testing. The detection is also failing on unit-testing as some of the fields set in the observables are empty.
+  manual_test: We are dynamically creating the risk_score field based on the severity of the alert in the SPL and that supersedes the risk score set in the detection. Setting these to manual test since otherwise we fail integration testing. The detection is also failing on unit-testing as some of the fields set in the observables are empty.
 tests:
 - name: True Positive Test
   attack_data:
diff --git a/detections/endpoint/windows_process_execution_in_temp_dir.yml b/detections/endpoint/windows_process_execution_in_temp_dir.yml
@@ -14,7 +14,7 @@ data_source:
 - CrowdStrike ProcessRollup2
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes 
   where Processes.process_path IN("*\\temp\\*")
-  by Processes.parent_process_name Processes.parent_process Processes.process_path Processes.dest Processes.user 
+  by Processes.parent_process_name Processes.process_name Processes.parent_process Processes.process_path Processes.dest Processes.user 
   | `drop_dm_object_name(Processes)` 
   | `security_content_ctime(firstTime)` 
   | `security_content_ctime(lastTime)`
diff --git a/detections/endpoint/windows_security_and_backup_services_stop.yml b/detections/endpoint/windows_security_and_backup_services_stop.yml
@@ -47,7 +47,7 @@ drilldown_searches:
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
 rba:
-  message: Known services $param1$ terminated by a potential ransomware on $dest$
+  message: Known services $display_name$ terminated by a potential ransomware on $dest$
   risk_objects:
   - field: dest
     type: system
diff --git a/detections/endpoint/windows_service_created_with_suspicious_service_name.yml b/detections/endpoint/windows_service_created_with_suspicious_service_name.yml
@@ -5,14 +5,14 @@ date: '2025-02-07'
 author: Steven Dick
 status: production
 type: Anomaly
-description: The following analytic detects the creation of a Windows Service with a known suspicious or malicious name using Windows Event ID 7045. It leverages logs from the `wineventlog_system` to identify these services installations. This activity is significant as adversaries, including those deploying Clop ransomware, often create malicious services for lateral movement, remote code execution, persistence, and execution. If confirmed malicious, this could allow attackers to maintain persistence, execute arbitrary code, and potentially escalate privileges, posing a severe threat to the environment.
+description: The following analytic detects the creation of a Windows Service with a known suspicious or malicious name using Windows Event ID 7045. It leverages logs from the `wineventlog_system` to identify these services installations. This activity is significant as adversaries, including those deploying Clop ransomware, often create malicious services for lateral movement, remote code execution, persistence, and execution. If confirmed malicious, this could allow attackers to maintain persistence, execute arbitrary code, and potentially escalate privileges, posing a severe threat to the environment. 
 data_source: 
 - Windows Event Log System 7045
 search: |-
   `wineventlog_system` EventCode=7045 
-  | stats values(user) as user, values(ImagePath) as process, count, min(_time) as firstTime, max(_time) as lastTime values(EventCode) as signature by Computer, ServiceName, StartType, ServiceType, UserID
+  | stats values(ImagePath) as process, count, min(_time) as firstTime, max(_time) as lastTime values(EventCode) as signature by Computer, ServiceName, StartType, ServiceType, UserID
   | eval process_name = mvindex(split(process,"\\"),-1)
-  | rename Computer as dest, ServiceName as object_name, ServiceType as object_type
+  | rename Computer as dest, ServiceName as object_name, ServiceType as object_type, UserID as user_id
   | lookup windows_suspicious_services service_name as object_name
   | where isnotnull(tool_name)
   | `security_content_ctime(firstTime)` 
@@ -44,9 +44,6 @@ rba:
   - field: dest
     type: system
     score: 75
-  - field: user
-    type: user
-    score: 75
   threat_objects: 
   - field: process
     type: process
diff --git a/lookups/malicious_powershell_strings.csv b/lookups/malicious_powershell_strings.csv
