Merge pull request #3314 from splunk/headless_bee

headless_bee

Author: nasbench

detections/endpoint/detect_rare_executables.yml

@@ -1,7 +1,7 @@
 name: Detect Rare Executables
 id: 44fddcb2-8d3b-454c-874e-7c6de5a4f7ac
-version: 7
-date: '2024-11-13'
+version: '8'
+date: '2025-02-07'
 author: Bhavin Patel, Splunk
 status: production
 type: Anomaly
@@ -58,9 +58,12 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
-  - Unusual Processes
+  - SnappyBee
   - Rhysida Ransomware
+  - China-Nexus Threat Activity
   - Crypto Stealer
+  - Earth Estries
+  - Unusual Processes
   asset_type: Endpoint
   mitre_attack_id:
   - T1204
@@ -72,7 +75,6 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: 
-      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204/rare_executables/windows-sysmon.log
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204/rare_executables/windows-sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
     sourcetype: XmlWinEventLog

detections/endpoint/executables_or_script_creation_in_suspicious_path.yml

@@ -15,15 +15,14 @@ description: The following analytic identifies the creation of executables or sc
   a significant security threat.
 data_source:
 - Sysmon EventID 11
-search: '| tstats `security_content_summariesonly` values(Filesystem.file_path) as
-  file_path count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem
-  where Filesystem.file_name IN ("*.exe", "*.dll", "*.sys", "*.com", "*.vbs", "*.vbe",
-  "*.js", "*.ps1", "*.bat", "*.cmd", "*.pif") AND Filesystem.file_path IN ("*\\windows\\fonts\\*",
-  "*\\windows\\temp\\*", "*\\users\\public\\*", "*\\windows\\debug\\*", "*\\Users\\Administrator\\Music\\*",
-  "*\\Windows\\servicing\\*", "*\\Users\\Default\\*", "*Recycle.bin*", "*\\Windows\\Media\\*",
-  "*\\Windows\\repair\\*", "*\\AppData\\Local\\Temp*", "*\\PerfLogs\\*", "*:\\temp\\*")
+search: '| tstats `security_content_summariesonly` values(Filesystem.file_path) as file_path count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem
+  where Filesystem.file_name IN ("*.exe", "*.dll", "*.sys", "*.com", "*.vbs", "*.vbe", "*.js", "*.ps1", "*.bat", "*.cmd", "*.pif") 
+  AND Filesystem.file_path IN ("*\\windows\\fonts\\*", "*\\users\\public\\*", "*\\windows\\debug\\*", "*\\Users\\Administrator\\Music\\*", "*\\Windows\\servicing\\*", "*\\Users\\Default\\*", "*Recycle.bin*", "*\\Windows\\Media\\*",
+  "*\\Windows\\repair\\*", "*\\PerfLogs\\*") AND NOT(Filesystem.file_path IN("*\\temp\\*"))
   by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.user
-  | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
+  | `drop_dm_object_name(Filesystem)` 
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`
   | `executables_or_script_creation_in_suspicious_path_filter`'
 how_to_implement: To successfully implement this search you need to be ingesting information
   on process that include the name of the Filesystem responsible for the changes from
@@ -100,6 +99,7 @@ tags:
   - Azorult
   - Data Destruction
   - Amadey
+  - SnappyBee
   - WhisperGate
   asset_type: Endpoint
   mitre_attack_id:
@@ -112,6 +112,6 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/executables_suspicious_file_path/exec_susp_path2.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
     sourcetype: XmlWinEventLog

detections/endpoint/executables_or_script_creation_in_temp_path.yml

@@ -0,0 +1,116 @@
+name: Executables Or Script Creation In Temp Path
+id: e0422b71-2c05-4f32-8754-01fb415f49c9
+version: 11
+date: '2025-02-11'
+author: Teoderick Contreras, Splunk
+status: production
+type: Anomaly
+description: The following analytic identifies the creation of executables or scripts
+  in suspicious file paths on Windows systems. It leverages the Endpoint.Filesystem
+  data model to detect files with specific extensions (e.g., .exe, .dll, .ps1) created
+  in uncommon directories (e.g., \windows\fonts\, \users\public\). This activity is
+  significant as adversaries often use these paths to evade detection and maintain
+  persistence. If confirmed malicious, this behavior could allow attackers to execute
+  unauthorized code, escalate privileges, or persist within the environment, posing
+  a significant security threat.
+data_source:
+- Sysmon EventID 11
+search: '| tstats `security_content_summariesonly` values(Filesystem.file_path) as file_path count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem
+  where Filesystem.file_name IN ("*.exe", "*.dll", "*.sys", "*.com", "*.vbs", "*.vbe", "*.js", "*.ps1", "*.bat", "*.cmd", "*.pif") 
+  AND Filesystem.file_path IN ("*\\AppData\\Local\\Temp\\*", "*:\\Windows\\Temp\\*", "*:\\Temp*")
+  by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.user
+  | `drop_dm_object_name(Filesystem)` 
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`
+  | `executables_or_script_creation_in_temp_path_filter`'
+how_to_implement: To successfully implement this search you need to be ingesting information
+  on process that include the name of the Filesystem responsible for the changes from
+  your endpoints into the `Endpoint` datamodel in the `Filesystem` node.
+known_false_positives: Administrators may allow creation of script or exe in the paths
+  specified. Filter as needed.
+references:
+- https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/
+- https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/
+- https://twitter.com/pr0xylife/status/1590394227758104576
+- https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/
+drilldown_searches:
+- name: View the detection results for - "$user$"
+  search: '%original_detection_search% | search  user = "$user$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$")
+    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
+    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: Potentially suspicious executable or script with file name $file_name$, $file_path$
+    and process_id $process_id$ was created in temporary folder by $user$
+  risk_objects:
+  - field: user
+    type: user
+    score: 20
+  threat_objects:
+  - field: file_name
+    type: file_name
+tags:
+  analytic_story:
+  - Chaos Ransomware
+  - Trickbot
+  - Snake Keylogger
+  - CISA AA23-347A
+  - Industroyer2
+  - WinDealer RAT
+  - Qakbot
+  - Warzone RAT
+  - IcedID
+  - ValleyRAT
+  - Azorult
+  - Handala Wiper
+  - LockBit Ransomware
+  - Meduza Stealer
+  - Brute Ratel C4
+  - AsyncRAT
+  - AcidPour
+  - Derusbi
+  - DarkGate Malware
+  - Graceful Wipe Out Attack
+  - NjRAT
+  - WhisperGate
+  - Data Destruction
+  - BlackByte Ransomware
+  - AgentTesla
+  - Swift Slicer
+  - Crypto Stealer
+  - Hermetic Wiper
+  - MoonPeak
+  - Double Zero Destructor
+  - XMRig
+  - PlugX
+  - Amadey
+  - DarkCrystal RAT
+  - Remcos
+  - China-Nexus Threat Activity
+  - Earth Estries
+  - Rhysida Ransomware
+  - RedLine Stealer
+  - Volt Typhoon
+  - SnappyBee
+  asset_type: Endpoint
+  mitre_attack_id:
+  - T1036
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: XmlWinEventLog

detections/endpoint/linux_auditd_file_permission_modification_via_chmod.yml

@@ -58,12 +58,12 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
-  - Linux Privilege Escalation
-  - Linux Living Off The Land
-  - Compromised Linux Host
+  - China-Nexus Threat Activity
   - Linux Persistence Techniques
   - XorDDos
-  - China-Nexus Threat Activity
+  - Linux Privilege Escalation
+  - Compromised Linux Host
+  - Linux Living Off The Land
   - Earth Estries
   asset_type: Endpoint
   mitre_attack_id:
@@ -80,3 +80,4 @@ tests:
       https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.002/linux_auditd_chmod_exec_attrib/auditd_proctitle_chmod.log
     source: auditd
     sourcetype: auditd
+

detections/endpoint/linux_auditd_nopasswd_entry_in_sudoers_file.yml

@@ -57,10 +57,10 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
+  - China-Nexus Threat Activity
+  - Linux Persistence Techniques
   - Linux Privilege Escalation
   - Compromised Linux Host
-  - Linux Persistence Techniques
-  - China-Nexus Threat Activity
   - Earth Estries
   asset_type: Endpoint
   mitre_attack_id:
@@ -77,3 +77,4 @@ tests:
       https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_auditd_nopasswd/linux_auditd_nopasswd2.log
     source: auditd
     sourcetype: auditd
+

detections/endpoint/linux_auditd_possible_access_to_credential_files.yml

@@ -57,10 +57,10 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
+  - China-Nexus Threat Activity
+  - Linux Persistence Techniques
   - Linux Privilege Escalation
   - Compromised Linux Host
-  - Linux Persistence Techniques
-  - China-Nexus Threat Activity
   - Earth Estries
   asset_type: Endpoint
   mitre_attack_id:
@@ -76,3 +76,4 @@ tests:
   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.008/linux_auditd_access_credential/auditd_proctitle_access_cred.log      
     source: auditd
     sourcetype: auditd
+

detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml

@@ -56,10 +56,10 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
+  - China-Nexus Threat Activity
+  - Linux Persistence Techniques
   - Linux Privilege Escalation
   - Compromised Linux Host
-  - Linux Persistence Techniques
-  - China-Nexus Threat Activity
   - Earth Estries
   asset_type: Endpoint
   mitre_attack_id:
@@ -76,3 +76,4 @@ tests:
       https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_auditd_sudoers_access/linux_auditd_sudoers_access.log
     source: auditd
     sourcetype: auditd
+

detections/endpoint/linux_auditd_preload_hijack_library_calls.yml

@@ -59,10 +59,10 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
+  - China-Nexus Threat Activity
+  - Linux Persistence Techniques
   - Linux Privilege Escalation
   - Compromised Linux Host
-  - Linux Persistence Techniques
-  - China-Nexus Threat Activity
   - Earth Estries
   asset_type: Endpoint
   mitre_attack_id:
@@ -79,3 +79,4 @@ tests:
       https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.006/linux_auditd_ldpreload/auditd_execve_ldpreload.log
     source: auditd
     sourcetype: auditd
+

detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml

@@ -49,19 +49,20 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
-  - Warzone RAT
-  - NjRAT
-  - China-Nexus Threat Activity
-  - FIN7
+  - SnappyBee
+  - Phemedrone Stealer
   - Snake Keylogger
-  - 3CX Supply Chain Attack
+  - NjRAT
   - CISA AA23-347A
-  - AgentTesla
-  - Phemedrone Stealer
+  - 3CX Supply Chain Attack
+  - FIN7
+  - Earth Estries
+  - Warzone RAT
+  - China-Nexus Threat Activity
   - DarkGate Malware
-  - RedLine Stealer
   - Remcos
-  - Earth Estries
+  - RedLine Stealer
+  - AgentTesla
   asset_type: Endpoint
   mitre_attack_id:
   - T1555.003

detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml

@@ -1,7 +1,7 @@
 name: Non Firefox Process Access Firefox Profile Dir
 id: e6fc13b0-1609-11ec-b533-acde48001122
-version: 6
-date: '2025-02-10'
+version: '7'
+date: '2025-02-13'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -48,18 +48,21 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
-  - Azorult
-  - Remcos
+  - SnappyBee
+  - Phemedrone Stealer
+  - Snake Keylogger
   - NjRAT
-  - Warzone RAT
+  - CISA AA23-347A
   - 3CX Supply Chain Attack
+  - Azorult
+  - China-Nexus Threat Activity
+  - Warzone RAT
+  - AgentTesla
   - RedLine Stealer
-  - FIN7
   - DarkGate Malware
-  - AgentTesla
-  - CISA AA23-347A
-  - Phemedrone Stealer
-  - Snake Keylogger
+  - Remcos
+  - Earth Estries
+  - FIN7
   asset_type: Endpoint
   mitre_attack_id:
   - T1555.003
@@ -71,7 +74,6 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: 
-      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1555/non_chrome_process_accessing_chrome_default_dir/windows-xml.log
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1555/non_chrome_process_accessing_chrome_default_dir/windows-xml.log
     source: XmlWinEventLog:Security
     sourcetype: XmlWinEventLog