Merge branch 'develop' into output_normalization_aws

Author: patel-bhavin

data_sources/windows_event_log_security_4700.yml

@@ -0,0 +1,16 @@
+name: Windows Event Log Security 4700
+id: 89895c7b-2aba-41ca-ad12-8b6d290b5dde
+version: 1
+date: '2025-03-11'
+author: Steven Dick
+description: Data source object for Windows Event Log Security 4700
+source: XmlWinEventLog:Security
+sourcetype: xmlwineventlog
+separator: EventID
+supported_TA:
+- name: Splunk Add-on for Microsoft Windows
+  url: https://splunkbase.splunk.com/app/742
+  version: 9.0.1
+fields:
+- EventID
+example_log: '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System> <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />  <EventID>4700</EventID>  <Version>0</Version>  <Level>0</Level>  <Task>12804</Task>  <Opcode>0</Opcode>  <Keywords>0x8020000000000000</Keywords>  <TimeCreated SystemTime="2015-09-23T02:32:47.606423000Z" />  <EventRecordID>344861</EventRecordID>  <Correlation />  <Execution ProcessID="516" ThreadID="756" />  <Channel>Security</Channel>  <Computer>DC01.contoso.local</Computer>  <Security />  </System><EventData> <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>  <Data Name="SubjectUserName">dadmin</Data>  <Data Name="SubjectDomainName">CONTOSO</Data>  <Data Name="SubjectLogonId">0x364eb</Data>  <Data Name="TaskName">\\Microsoft\\StartListener</Data>  <Data Name="TaskContent"><?xml version="1.0" encoding="UTF-16"?> <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> <RegistrationInfo> <Date>2015-09-22T19:03:06.9258653</Date> <Author>CONTOSO\\dadmin</Author> </RegistrationInfo> <Triggers /> <Principals> <Principal id="Author"> <RunLevel>LeastPrivilege</RunLevel> <UserId>CONTOSO\\dadmin</UserId> <LogonType>InteractiveToken</LogonType> </Principal> </Principals> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>true</AllowHardTerminate> <StartWhenAvailable>false</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>P3D</ExecutionTimeLimit> <Priority>7</Priority> </Settings> <Actions Context="Author"> <Exec> <Command>C:\\Documents\\listener.exe</Command> </Exec> </Actions> </Task></Data>  </EventData> </Event>'

data_sources/windows_event_log_security_4702.yml

@@ -0,0 +1,16 @@
+name: Windows Event Log Security 4702
+id: 167e378e-3675-4042-b611-d3bfb6d2abc7
+version: 1
+date: '2025-03-11'
+author: Steven Dick
+description: Data source object for Windows Event Log Security 4702
+source: XmlWinEventLog:Security
+sourcetype: xmlwineventlog
+separator: EventID
+supported_TA:
+- name: Splunk Add-on for Microsoft Windows
+  url: https://splunkbase.splunk.com/app/742
+  version: 9.0.1
+fields:
+- EventID
+example_log: '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System> <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />  <EventID>4702</EventID>  <Version>0</Version>  <Level>0</Level>  <Task>12804</Task>  <Opcode>0</Opcode>  <Keywords>0x8020000000000000</Keywords>  <TimeCreated SystemTime="2015-09-23T03:00:59.343820000Z" />  <EventRecordID>344863</EventRecordID>  <Correlation />  <Execution ProcessID="516" ThreadID="596" />  <Channel>Security</Channel>  <Computer>DC01.contoso.local</Computer>  <Security />  </System><EventData> <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>  <Data Name="SubjectUserName">dadmin</Data>  <Data Name="SubjectDomainName">CONTOSO</Data>  <Data Name="SubjectLogonId">0x364eb</Data>  <Data Name="TaskName">\\Microsoft\\StartListener</Data>  <Data Name="TaskContentNew"><?xml version="1.0" encoding="UTF-16"?> <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> <RegistrationInfo> <Date>2015-09-22T19:03:06.9258653</Date> <Author>CONTOSO\\dadmin</Author> </RegistrationInfo> <Triggers /> <Principals> <Principal id="Author"> <RunLevel>HighestAvailable</RunLevel> <UserId>CONTOSO\\dadmin</UserId> <LogonType>InteractiveToken</LogonType> </Principal> </Principals> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>true</AllowHardTerminate> <StartWhenAvailable>false</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>P3D</ExecutionTimeLimit> <Priority>7</Priority> </Settings> <Actions Context="Author"> <Exec> <Command>C:\\Documents\\listener.exe</Command> </Exec> </Actions> </Task></Data>  </EventData> </Event>'

detections/cloud/o365_bec_email_hiding_rule_created.yml

@@ -0,0 +1,58 @@
+name: O365 BEC Email Hiding Rule Created
+id: 603ebac2-f157-4df7-a6ac-34e8d0350f86
+version: 1
+date: '2025-02-14'
+author: '0xC0FFEEEE, Github Community'
+type: TTP
+status: production
+description: This analytic detects mailbox rule creation, a common technique used in Business Email Compromise. It uses a scoring mechanism to identify a combination of attributes often featured in mailbox rules created by attackers.
+  This may indicate that an attacker has gained access to the account.
+search: '`o365_management_activity` Workload=Exchange Operation="New-InboxRule" |
+  stats values(Name) as Name, values(MarkAsRead) as MarkAsRead, values(MoveToFolder)
+  as MoveToFolder by _time Id user | lookup ut_shannon_lookup word as Name | eval
+  entropy_score=if(ut_shannon<=2, 1, 0) | eval len_score=if(len(Name)<=3, 1,0) | eval
+  read_score=if(MarkAsRead="True", 1, 0) | eval folder_score=if(match(MoveToFolder,
+  "^(RSS|Conversation History|Archive)"), 1, 0) | eval suspicious_score=entropy_score+len_score+read_score+folder_score
+  | where suspicious_score>2 | `o365_bec_email_hiding_rule_created_filter`'
+how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest
+  Office 365 management activity events. You also need to have the Splunk TA URL 
+  Toolbox (https://splunkbase.splunk.com/app/2734/) installed.
+known_false_positives: Short rule names may trigger false positives. Adjust
+  the entropy and length thresholds as needed.
+references:
+- https://attack.mitre.org/techniques/T1564/008/
+drilldown_searches:
+- name: View the detection results for - "$user$"
+  search: '%original_detection_search% | search  dest = "$user$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for $user$
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object="$user$" starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: Potential BEC mailbox rule was created by $user$
+  risk_objects:
+  - field: user
+    type: user
+    score: 25
+  threat_objects:
+  - field: Name
+    type: signature
+tags:
+  analytic_story:
+  - Office 365 Account Takeover
+  asset_type: O365 Tenant
+  mitre_attack_id:
+  - T1564.008
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: audit
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1564.008/o365/o365_suspicious_mailbox_rule.log
+    sourcetype: o365:management:activity
+    source: o365

detections/endpoint/detect_rare_executables.yml

@@ -1,7 +1,7 @@
 name: Detect Rare Executables
 id: 44fddcb2-8d3b-454c-874e-7c6de5a4f7ac
-version: 7
-date: '2024-11-13'
+version: '8'
+date: '2025-02-07'
 author: Bhavin Patel, Splunk
 status: production
 type: Anomaly
@@ -58,9 +58,12 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
-  - Unusual Processes
+  - SnappyBee
   - Rhysida Ransomware
+  - China-Nexus Threat Activity
   - Crypto Stealer
+  - Earth Estries
+  - Unusual Processes
   asset_type: Endpoint
   mitre_attack_id:
   - T1204
@@ -72,7 +75,6 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: 
-      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204/rare_executables/windows-sysmon.log
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204/rare_executables/windows-sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
     sourcetype: XmlWinEventLog

detections/endpoint/executables_or_script_creation_in_suspicious_path.yml

@@ -15,15 +15,14 @@ description: The following analytic identifies the creation of executables or sc
   a significant security threat.
 data_source:
 - Sysmon EventID 11
-search: '| tstats `security_content_summariesonly` values(Filesystem.file_path) as
-  file_path count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem
-  where Filesystem.file_name IN ("*.exe", "*.dll", "*.sys", "*.com", "*.vbs", "*.vbe",
-  "*.js", "*.ps1", "*.bat", "*.cmd", "*.pif") AND Filesystem.file_path IN ("*\\windows\\fonts\\*",
-  "*\\windows\\temp\\*", "*\\users\\public\\*", "*\\windows\\debug\\*", "*\\Users\\Administrator\\Music\\*",
-  "*\\Windows\\servicing\\*", "*\\Users\\Default\\*", "*Recycle.bin*", "*\\Windows\\Media\\*",
-  "*\\Windows\\repair\\*", "*\\AppData\\Local\\Temp*", "*\\PerfLogs\\*", "*:\\temp\\*")
+search: '| tstats `security_content_summariesonly` values(Filesystem.file_path) as file_path count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem
+  where Filesystem.file_name IN ("*.exe", "*.dll", "*.sys", "*.com", "*.vbs", "*.vbe", "*.js", "*.ps1", "*.bat", "*.cmd", "*.pif") 
+  AND Filesystem.file_path IN ("*\\windows\\fonts\\*", "*\\users\\public\\*", "*\\windows\\debug\\*", "*\\Users\\Administrator\\Music\\*", "*\\Windows\\servicing\\*", "*\\Users\\Default\\*", "*Recycle.bin*", "*\\Windows\\Media\\*",
+  "*\\Windows\\repair\\*", "*\\PerfLogs\\*") AND NOT(Filesystem.file_path IN("*\\temp\\*"))
   by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.user
-  | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
+  | `drop_dm_object_name(Filesystem)` 
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`
   | `executables_or_script_creation_in_suspicious_path_filter`'
 how_to_implement: To successfully implement this search you need to be ingesting information
   on process that include the name of the Filesystem responsible for the changes from
@@ -100,6 +99,7 @@ tags:
   - Azorult
   - Data Destruction
   - Amadey
+  - SnappyBee
   - WhisperGate
   asset_type: Endpoint
   mitre_attack_id:
@@ -112,6 +112,6 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/executables_suspicious_file_path/exec_susp_path2.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
     sourcetype: XmlWinEventLog

detections/endpoint/executables_or_script_creation_in_temp_path.yml

@@ -0,0 +1,116 @@
+name: Executables Or Script Creation In Temp Path
+id: e0422b71-2c05-4f32-8754-01fb415f49c9
+version: 11
+date: '2025-02-11'
+author: Teoderick Contreras, Splunk
+status: production
+type: Anomaly
+description: The following analytic identifies the creation of executables or scripts
+  in suspicious file paths on Windows systems. It leverages the Endpoint.Filesystem
+  data model to detect files with specific extensions (e.g., .exe, .dll, .ps1) created
+  in uncommon directories (e.g., \windows\fonts\, \users\public\). This activity is
+  significant as adversaries often use these paths to evade detection and maintain
+  persistence. If confirmed malicious, this behavior could allow attackers to execute
+  unauthorized code, escalate privileges, or persist within the environment, posing
+  a significant security threat.
+data_source:
+- Sysmon EventID 11
+search: '| tstats `security_content_summariesonly` values(Filesystem.file_path) as file_path count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem
+  where Filesystem.file_name IN ("*.exe", "*.dll", "*.sys", "*.com", "*.vbs", "*.vbe", "*.js", "*.ps1", "*.bat", "*.cmd", "*.pif") 
+  AND Filesystem.file_path IN ("*\\AppData\\Local\\Temp\\*", "*:\\Windows\\Temp\\*", "*:\\Temp*")
+  by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.user
+  | `drop_dm_object_name(Filesystem)` 
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`
+  | `executables_or_script_creation_in_temp_path_filter`'
+how_to_implement: To successfully implement this search you need to be ingesting information
+  on process that include the name of the Filesystem responsible for the changes from
+  your endpoints into the `Endpoint` datamodel in the `Filesystem` node.
+known_false_positives: Administrators may allow creation of script or exe in the paths
+  specified. Filter as needed.
+references:
+- https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/
+- https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/
+- https://twitter.com/pr0xylife/status/1590394227758104576
+- https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/
+drilldown_searches:
+- name: View the detection results for - "$user$"
+  search: '%original_detection_search% | search  user = "$user$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$")
+    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
+    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: Potentially suspicious executable or script with file name $file_name$, $file_path$
+    and process_id $process_id$ was created in temporary folder by $user$
+  risk_objects:
+  - field: user
+    type: user
+    score: 20
+  threat_objects:
+  - field: file_name
+    type: file_name
+tags:
+  analytic_story:
+  - Chaos Ransomware
+  - Trickbot
+  - Snake Keylogger
+  - CISA AA23-347A
+  - Industroyer2
+  - WinDealer RAT
+  - Qakbot
+  - Warzone RAT
+  - IcedID
+  - ValleyRAT
+  - Azorult
+  - Handala Wiper
+  - LockBit Ransomware
+  - Meduza Stealer
+  - Brute Ratel C4
+  - AsyncRAT
+  - AcidPour
+  - Derusbi
+  - DarkGate Malware
+  - Graceful Wipe Out Attack
+  - NjRAT
+  - WhisperGate
+  - Data Destruction
+  - BlackByte Ransomware
+  - AgentTesla
+  - Swift Slicer
+  - Crypto Stealer
+  - Hermetic Wiper
+  - MoonPeak
+  - Double Zero Destructor
+  - XMRig
+  - PlugX
+  - Amadey
+  - DarkCrystal RAT
+  - Remcos
+  - China-Nexus Threat Activity
+  - Earth Estries
+  - Rhysida Ransomware
+  - RedLine Stealer
+  - Volt Typhoon
+  - SnappyBee
+  asset_type: Endpoint
+  mitre_attack_id:
+  - T1036
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: XmlWinEventLog

detections/endpoint/linux_auditd_file_permission_modification_via_chmod.yml

@@ -58,12 +58,12 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
-  - Linux Privilege Escalation
-  - Linux Living Off The Land
-  - Compromised Linux Host
+  - China-Nexus Threat Activity
   - Linux Persistence Techniques
   - XorDDos
-  - China-Nexus Threat Activity
+  - Linux Privilege Escalation
+  - Compromised Linux Host
+  - Linux Living Off The Land
   - Earth Estries
   asset_type: Endpoint
   mitre_attack_id:
@@ -80,3 +80,4 @@ tests:
       https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.002/linux_auditd_chmod_exec_attrib/auditd_proctitle_chmod.log
     source: auditd
     sourcetype: auditd
+

detections/endpoint/linux_auditd_nopasswd_entry_in_sudoers_file.yml

@@ -57,10 +57,10 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
+  - China-Nexus Threat Activity
+  - Linux Persistence Techniques
   - Linux Privilege Escalation
   - Compromised Linux Host
-  - Linux Persistence Techniques
-  - China-Nexus Threat Activity
   - Earth Estries
   asset_type: Endpoint
   mitre_attack_id:
@@ -77,3 +77,4 @@ tests:
       https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_auditd_nopasswd/linux_auditd_nopasswd2.log
     source: auditd
     sourcetype: auditd
+

detections/endpoint/linux_auditd_possible_access_to_credential_files.yml

@@ -57,10 +57,10 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
+  - China-Nexus Threat Activity
+  - Linux Persistence Techniques
   - Linux Privilege Escalation
   - Compromised Linux Host
-  - Linux Persistence Techniques
-  - China-Nexus Threat Activity
   - Earth Estries
   asset_type: Endpoint
   mitre_attack_id:
@@ -76,3 +76,4 @@ tests:
   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.008/linux_auditd_access_credential/auditd_proctitle_access_cred.log      
     source: auditd
     sourcetype: auditd
+

detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml

@@ -56,10 +56,10 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
+  - China-Nexus Threat Activity
+  - Linux Persistence Techniques
   - Linux Privilege Escalation
   - Compromised Linux Host
-  - Linux Persistence Techniques
-  - China-Nexus Threat Activity
   - Earth Estries
   asset_type: Endpoint
   mitre_attack_id:
@@ -76,3 +76,4 @@ tests:
       https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_auditd_sudoers_access/linux_auditd_sudoers_access.log
     source: auditd
     sourcetype: auditd
+