Merge branch 'develop' into backwards

Author: ljstella

contentctl.yml

@@ -3,7 +3,7 @@ app:
   uid: 3449
   title: ES Content Updates
   appid: DA-ESS-ContentUpdate
-  version: 5.13.0
+  version: 5.14.0
   description: Explore the Analytic Stories included with ES Content Updates.
   prefix: ESCU
   label: ESCU
@@ -44,9 +44,9 @@ apps:
 - uid: 7404
   title: Cisco Security Cloud
   appid: CiscoSecurityCloud
-  version: 3.3.1
+  version: 3.4.0
   description: description of app
-  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/cisco-security-cloud_331.tgz
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/cisco-security-cloud_340.tgz
 - uid: 6652
   title: Add-on for Linux Sysmon
   appid: Splunk_TA_linux_sysmon

data_sources/cisco_ai_defense_alerts.yml

@@ -10,5 +10,5 @@ separator: null
 supported_TA:
 - name: Cisco Security Cloud
   url: https://splunkbase.splunk.com/app/7404
-  version: 3.3.1
+  version: 3.4.0
 fields: null

data_sources/cisco_duo_activity.yml

@@ -10,7 +10,7 @@ separator: null
 supported_TA:
 - name: Cisco Security Cloud
   url: https://splunkbase.splunk.com/app/7404
-  version: 3.3.1
+  version: 3.4.0
 fields:
 - access_device.browser
 - access_device.browser_version

data_sources/cisco_duo_administrator.yml

@@ -10,7 +10,7 @@ separator: null
 supported_TA:
 - name: Cisco Security Cloud
   url: https://splunkbase.splunk.com/app/7404
-  version: 3.3.1
+  version: 3.4.0
 fields:
 - action
 - actionlabel

data_sources/cisco_secure_firewall_threat_defense_connection_event.yml

@@ -10,7 +10,7 @@ sourcetype: cisco:sfw:estreamer
 supported_TA:
 - name: Cisco Security Cloud
   url: https://splunkbase.splunk.com/app/7404
-  version: 3.3.1
+  version: 3.4.0
 fields:
 - AC_RuleAction
 - action

data_sources/cisco_secure_firewall_threat_defense_file_event.yml

@@ -10,7 +10,7 @@ sourcetype: cisco:sfw:estreamer
 supported_TA:
 - name: Cisco Security Cloud
   url: https://splunkbase.splunk.com/app/7404
-  version: 3.3.1
+  version: 3.4.0
 fields:
 - app
 - Application

data_sources/cisco_secure_firewall_threat_defense_intrusion_event.yml

@@ -10,7 +10,7 @@ sourcetype: cisco:sfw:estreamer
 supported_TA:
 - name: Cisco Security Cloud
   url: https://splunkbase.splunk.com/app/7404
-  version: 3.3.1
+  version: 3.4.0
 fields:
 - Application
 - Classification

detections/cloud/aws_defense_evasion_impair_security_services.yml

@@ -1,13 +1,11 @@
 name: AWS Defense Evasion Impair Security Services
 id: b28c4957-96a6-47e0-a965-6c767aac1458
-version: 8
-date: '2025-05-22'
-author: Bhavin Patel, Gowthamaraj Rajendran, Splunk
+version: 9
+date: '2025-08-26'
+author: Bhavin Patel, Gowthamaraj Rajendran, Splunk, PashFW, Github Community
 status: production
 type: TTP
-description: The following analytic detects attempts to delete critical AWS security
-  service configurations, such as CloudWatch alarms, GuardDuty detectors, and Web
-  Application Firewall rules. It leverages CloudTrail logs to identify specific API
+description: The following analytic detects attempts to impair or disable AWS security services by monitoring specific deletion operations across GuardDuty, AWS WAF (classic and v2), CloudWatch, Route 53, and CloudWatch Logs. These actions include deleting detectors, rule groups, IP sets, web ACLs, logging configurations, alarms, and log streams. Adversaries may perform such operations to evade detection or remove visibility from defenders. By explicitly pairing eventName values with their corresponding eventSource services, this detection reduces noise and ensures that only security-related deletions are flagged. It leverages CloudTrail logs to identify specific API
   calls like "DeleteLogStream" and "DeleteDetector." This activity is significant
   because it indicates potential efforts to disable security monitoring and evade
   detection. If confirmed malicious, this could allow attackers to operate undetected,
@@ -22,14 +20,17 @@ data_source:
 - AWS CloudTrail DeleteRuleGroup
 - AWS CloudTrail DeleteLoggingConfiguration
 - AWS CloudTrail DeleteAlarms
-search: '`cloudtrail` eventName IN ("DeleteLogStream","DeleteDetector","DeleteIPSet","DeleteWebACL","DeleteRule","DeleteRuleGroup","DeleteLoggingConfiguration","DeleteAlarms")
+search: |
+  `cloudtrail`
+  (eventName="DeleteDetector" AND eventSource="guardduty.amazonaws.com") OR (   eventName IN ("DeleteIPSet", "DeleteWebACL", "DeleteRuleGroup", "DeleteRule") AND eventSource IN ("guardduty.amazonaws.com", "wafv2.amazonaws.com", "waf.amazonaws.com") ) OR ( eventName="DeleteLoggingConfiguration" AND eventSource IN ("wafv2.amazonaws.com", "waf.amazonaws.com", "route53.amazonaws.com") )
   | rename user_name as user
   | stats count min(_time) as firstTime max(_time) as lastTime by signature dest user user_agent src vendor_account vendor_region vendor_product
-  | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|  `aws_defense_evasion_impair_security_services_filter`'
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`
+  | `aws_defense_evasion_impair_security_services_filter`
 how_to_implement: You must install Splunk AWS Add on and enable CloudTrail logs in
   your AWS Environment.
-known_false_positives: While this search has no known false positives, it is possible
-  that it is a legitimate admin activity. Please consider filtering out these noisy
+known_false_positives: Legitimate administrators may occasionally delete GuardDuty detectors, WAF rule groups, or CloudWatch alarms during environment reconfiguration, migration, or decommissioning activities. In such cases, these events are expected and benign. These should be validated against approved change tickets or deployment pipelines to differentiate malicious activity from normal operations. Please consider filtering out these noisy
   events using userAgent, user_arn field names.
 references:
 - https://docs.aws.amazon.com/cli/latest/reference/guardduty/index.html

detections/endpoint/cmd_carry_out_string_command_parameter.yml

@@ -1,17 +1,18 @@
 name: CMD Carry Out String Command Parameter
 id: 54a6ed00-3256-11ec-b031-acde48001122
-version: 14
-date: '2025-08-07'
+version: 15
+date: '2025-08-22'
 author: Teoderick Contreras, Bhavin Patel, Splunk
 status: production
 type: Hunting
-description: The following analytic detects the use of `cmd.exe /c` to execute commands,
-  a technique often employed by adversaries and malware to run batch commands or invoke
-  other shells like PowerShell. This detection leverages data from Endpoint Detection
-  and Response (EDR) agents, focusing on command-line executions and process metadata.
-  Monitoring this activity is crucial as it can indicate script-based attacks or unauthorized
-  command execution. If confirmed malicious, this behavior could lead to unauthorized
-  code execution, privilege escalation, or persistence within the environment.
+description: The following analytic detects the use of `cmd.exe /c` to execute 
+  commands, a technique often employed by adversaries and malware to run batch 
+  commands or invoke other shells like PowerShell. This detection leverages data
+  from Endpoint Detection and Response (EDR) agents, focusing on command-line 
+  executions and process metadata. Monitoring this activity is crucial as it can
+  indicate script-based attacks or unauthorized command execution. If confirmed 
+  malicious, this behavior could lead to unauthorized code execution, privilege 
+  escalation, or persistence within the environment.
 data_source:
 - Sysmon EventID 1
 - Windows Event Log Security 4688
@@ -25,17 +26,18 @@ search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_
   Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path
   Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)`
   | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cmd_carry_out_string_command_parameter_filter`'
-how_to_implement: The detection is based on data that originates from Endpoint Detection
-  and Response (EDR) agents. These agents are designed to provide security-related
-  telemetry from the endpoints where the agent is installed. To implement this search,
-  you must ingest logs that contain the process GUID, process name, and parent process.
-  Additionally, you must ingest complete command-line executions. These logs must
-  be processed using the appropriate Splunk Technology Add-ons that are specific to
-  the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
-  data model. Use the Splunk Common Information Model (CIM) to normalize the field
-  names and speed up the data modeling process.
-known_false_positives: False positives may be high based on legitimate scripted code
-  in any environment. Filter as needed.
+how_to_implement: The detection is based on data that originates from Endpoint 
+  Detection and Response (EDR) agents. These agents are designed to provide 
+  security-related telemetry from the endpoints where the agent is installed. To
+  implement this search, you must ingest logs that contain the process GUID, 
+  process name, and parent process. Additionally, you must ingest complete 
+  command-line executions. These logs must be processed using the appropriate 
+  Splunk Technology Add-ons that are specific to the EDR product. The logs must 
+  also be mapped to the `Processes` node of the `Endpoint` data model. Use the 
+  Splunk Common Information Model (CIM) to normalize the field names and speed 
+  up the data modeling process.
+known_false_positives: False positives may be high based on legitimate scripted 
+  code in any environment. Filter as needed.
 references:
 - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
 - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/
@@ -65,6 +67,7 @@ tags:
   - RedLine Stealer
   - Log4Shell CVE-2021-44228
   - Interlock Rat
+  - 0bj3ctivity Stealer
   asset_type: Endpoint
   cve:
   - CVE-2021-44228
@@ -78,6 +81,7 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/cmd_carry_str_param/sysmon.log
+  - data: 
+      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/cmd_carry_str_param/sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
     sourcetype: XmlWinEventLog

detections/endpoint/disabling_windows_local_security_authority_defences_via_registry.yml

@@ -1,8 +1,8 @@
 name: Disabling Windows Local Security Authority Defences via Registry
 id: 45cd08f8-a2c9-4f4e-baab-e1a0c624b0ab
-version: 7
-date: '2025-05-02'
-author: Dean Luxton
+version: 8
+date: '2025-08-20'
+author: Dean Luxton,Teoderick Contreras Splunk
 status: production
 type: TTP
 data_source:
@@ -16,13 +16,15 @@ description: The following analytic identifies the deletion of registry keys tha
   If confirmed malicious, this action could allow attackers to bypass critical security
   mechanisms, leading to potential system compromise and persistent access.
 search: '| tstats `security_content_summariesonly` min(_time) as _time from datamodel=Endpoint.Registry
-  where Registry.registry_path IN ("*\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\LsaCfgFlags",
-  "*\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard\\*", "*\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\RunAsPPL")
-  Registry.action IN (deleted, unknown) by Registry.action Registry.dest Registry.process_guid
+  where Registry.registry_path IN ("*\\Lsa\\LsaCfgFlags", "*\\Lsa\\RunAsPPL", "*\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard\\*") 
+  AND ((Registry.action = deleted) 
+  OR (Registry.action = modified AND Registry.registry_value_data IN(0x00000000, 0)))
+  by Registry.action Registry.dest Registry.process_guid
   Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name
   Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type
   Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)`
-  | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_windows_local_security_authority_defences_via_registry_filter`'
+  | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` 
+  | `disabling_windows_local_security_authority_defences_via_registry_filter`'
 how_to_implement: The detection is based on data that originates from Endpoint Detection
   and Response (EDR) agents. These agents are designed to provide security-related
   telemetry from the endpoints where the agent is installed. To implement this search,
@@ -77,6 +79,6 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/disable_lsa_protection/windows-sysmon.log
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/disable_lsa_protection_new/lsa_reg_deletion_modification.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
     sourcetype: XmlWinEventLog