Merge branch 'develop' into objectivity_stealer

Author: patel-bhavin

detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml

@@ -1,17 +1,18 @@
 name: Windows Access Token Manipulation SeDebugPrivilege
 id: 6ece9ed0-5f92-4315-889d-48560472b188
-version: 14
-date: '2025-05-02'
+version: 15
+date: '2025-08-20'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
-description: The following analytic detects a process enabling the "SeDebugPrivilege"
-  privilege token. It leverages Windows Security Event Logs with EventCode 4703, filtering
-  out common legitimate processes. This activity is significant because SeDebugPrivilege
-  allows a process to inspect and modify the memory of other processes, potentially
-  leading to credential dumping or code injection. If confirmed malicious, an attacker
-  could gain extensive control over system processes, enabling them to escalate privileges,
-  persist in the environment, or access sensitive information.
+description: The following analytic detects a process enabling the 
+  "SeDebugPrivilege" privilege token. It leverages Windows Security Event Logs 
+  with EventCode 4703, filtering out common legitimate processes. This activity 
+  is significant because SeDebugPrivilege allows a process to inspect and modify
+  the memory of other processes, potentially leading to credential dumping or 
+  code injection. If confirmed malicious, an attacker could gain extensive 
+  control over system processes, enabling them to escalate privileges, persist 
+  in the environment, or access sensitive information.
 data_source:
 - Windows Event Log Security 4703
 search: '`wineventlog_security` EventCode=4703 EnabledPrivilegeList = "*SeDebugPrivilege*"
@@ -21,11 +22,11 @@ search: '`wineventlog_security` EventCode=4703 EnabledPrivilegeList = "*SeDebugP
   SubjectUserName SubjectUserSid TargetUserName TargetLogonId TargetDomainName EnabledPrivilegeList
   action dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
   | `windows_access_token_manipulation_sedebugprivilege_filter`'
-how_to_implement: To successfully implement this search, you need to be ingesting
-  Windows Security Event Logs with 4703 EventCode enabled. The Windows TA is also
-  required.
-known_false_positives: Some native binaries and browser applications may request SeDebugPrivilege.
-  Filter as needed.
+how_to_implement: To successfully implement this search, you need to be 
+  ingesting Windows Security Event Logs with 4703 EventCode enabled. The Windows
+  TA is also required.
+known_false_positives: Some native binaries and browser applications may request
+  SeDebugPrivilege. Filter as needed.
 references:
 - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4703
 - https://devblogs.microsoft.com/oldnewthing/20080314-00/?p=23113
@@ -47,8 +48,8 @@ drilldown_searches:
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
 rba:
-  message: A process $ProcessName$ adjust its privileges with SeDebugPrivilege on
-    $Computer$.
+  message: A process $ProcessName$ adjust its privileges with SeDebugPrivilege 
+    on $Computer$.
   risk_objects:
   - field: Computer
     type: system
@@ -68,6 +69,7 @@ tags:
   - DarkGate Malware
   - ValleyRAT
   - Brute Ratel C4
+  - PathWiper
   asset_type: Endpoint
   mitre_attack_id:
   - T1134.002
@@ -79,6 +81,7 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/sedebugprivilege_token/security-xml.log
+  - data: 
+      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/sedebugprivilege_token/security-xml.log
     source: XmlWinEventLog:Security
     sourcetype: XmlWinEventLog

detections/endpoint/windows_access_token_winlogon_duplicate_handle_in_uncommon_path.yml

@@ -1,18 +1,19 @@
 name: Windows Access Token Winlogon Duplicate Handle In Uncommon Path
 id: b8f7ed6b-0556-4c84-bffd-839c262b0278
-version: 8
-date: '2025-05-02'
+version: 9
+date: '2025-08-20'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
-description: The following analytic detects a process attempting to duplicate the
-  handle of winlogon.exe from an uncommon or public source path. This is identified
-  using Sysmon EventCode 10, focusing on processes targeting winlogon.exe with specific
-  access rights and excluding common system paths. This activity is significant because
-  it may indicate an adversary trying to escalate privileges by leveraging the high-privilege
-  tokens associated with winlogon.exe. If confirmed malicious, this could allow the
-  attacker to gain elevated access, potentially leading to full system compromise
-  and persistent control over the affected host.
+description: The following analytic detects a process attempting to duplicate 
+  the handle of winlogon.exe from an uncommon or public source path. This is 
+  identified using Sysmon EventCode 10, focusing on processes targeting 
+  winlogon.exe with specific access rights and excluding common system paths. 
+  This activity is significant because it may indicate an adversary trying to 
+  escalate privileges by leveraging the high-privilege tokens associated with 
+  winlogon.exe. If confirmed malicious, this could allow the attacker to gain 
+  elevated access, potentially leading to full system compromise and persistent 
+  control over the affected host.
 data_source:
 - Sysmon EventID 10
 search: '`sysmon` EventCode=10  TargetImage IN("*\\system32\\winlogon.exe*", "*\\SysWOW64\\winlogon.exe*")
@@ -24,12 +25,12 @@ search: '`sysmon` EventCode=10  TargetImage IN("*\\system32\\winlogon.exe*", "*\
   parent_process_name parent_process_path process_exec process_guid process_id process_name
   process_path signature signature_id user_id vendor_product | `security_content_ctime(firstTime)`
   | `security_content_ctime(lastTime)` | `windows_access_token_winlogon_duplicate_handle_in_uncommon_path_filter`'
-how_to_implement: To successfully implement this search, you must be ingesting data
-  that records process activity from your hosts to populate the endpoint data model
-  in the processes node. If you are using Sysmon, you must have at least version 6.0.4
-  of the Sysmon TA.
-known_false_positives: It is possible legitimate applications will request access
-  to winlogon, filter as needed.
+how_to_implement: To successfully implement this search, you must be ingesting 
+  data that records process activity from your hosts to populate the endpoint 
+  data model in the processes node. If you are using Sysmon, you must have at 
+  least version 6.0.4 of the Sysmon TA.
+known_false_positives: It is possible legitimate applications will request 
+  access to winlogon, filter as needed.
 references:
 - https://docs.microsoft.com/en-us/windows/win32/api/handleapi/nf-handleapi-duplicatehandle
 - https://attack.mitre.org/techniques/T1134/001/
@@ -48,8 +49,8 @@ drilldown_searches:
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
 rba:
-  message: A process $SourceImage$ is duplicating the handle token of winlogon.exe
-    on $dest$
+  message: A process $SourceImage$ is duplicating the handle token of 
+    winlogon.exe on $dest$
   risk_objects:
   - field: dest
     type: system
@@ -60,6 +61,7 @@ rba:
 tags:
   analytic_story:
   - Brute Ratel C4
+  - PathWiper
   asset_type: Endpoint
   mitre_attack_id:
   - T1134.001
@@ -71,6 +73,7 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/brute_duplicate_token/sysmon.log
+  - data: 
+      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/brute_duplicate_token/sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
     sourcetype: XmlWinEventLog

detections/endpoint/windows_dll_module_loaded_in_temp_dir.yml

@@ -0,0 +1,43 @@
+name: Windows DLL Module Loaded in Temp Dir
+id: c2998141-235a-4e31-83cf-46afb5208a87
+version: 1
+date: '2025-08-20'
+author: Teoderick Contreras, Splunk
+status: production
+type: Hunting
+description: The following analytic detects instances where a Dynamic Link Library (DLL) is loaded from a temporary directory on a Windows system. Loading DLLs from non-standard paths such as %TEMP% is uncommon for legitimate applications and is often associated with adversary tradecraft, including DLL search order hijacking, side-loading, or execution of malicious payloads staged in temporary folders. Adversaries frequently leverage these directories because they are writable by standard users and often overlooked by security controls, making them convenient locations to drop and execute malicious files. This behavior may indicate attempts to evade detection, execute unauthorized code, or maintain persistence through hijacked execution flows. Detection of DLL loads from %TEMP% can help surface early signs of compromise and should be investigated in the context of the originating process, user account, and potential file creation or modification activity within the same directory.
+data_source:
+- Sysmon EventID 7
+search: '`sysmon` EventCode=7 NOT (ImageLoaded IN("C:\\Program Files*")) AND ImageLoaded="*\\temp\\*" AND ImageLoaded="*.dll"
+  | fillnull 
+  | stats count min(_time) as firstTime max(_time) as lastTime 
+  by Image ImageLoaded dest loaded_file loaded_file_path original_file_name
+  process_exec process_guid process_hash process_id process_name process_path service_dll_signature_exists
+  service_dll_signature_verified signature signature_id user_id vendor_product 
+  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)` 
+  | `windows_dll_module_loaded_in_temp_dir_filter`'
+how_to_implement: To successfully implement this search, you need to be ingesting
+  logs with the process name and imageloaded executions from your endpoints. If you
+  are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
+known_false_positives: unknown
+references:
+- https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-203a
+- https://blog.sekoia.io/interlock-ransomware-evolving-under-the-radar/
+tags:
+  analytic_story:
+  - Interlock Rat
+  asset_type: Endpoint
+  mitre_attack_id:
+  - T1105
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/dll_loaded_in_temp/module_loaded_in_temp.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: XmlWinEventLog

detections/endpoint/windows_excel_activemicrosoftapp_child_process.yml

@@ -0,0 +1,75 @@
+name: Windows Excel ActiveMicrosoftApp Child Process
+id: 4dfd6a58-93b2-4012-bb33-038bb63652b3
+version: 1
+date: '2025-08-20'
+author: Teoderick Contreras, Splunk
+status: production
+type: Anomaly
+description: The following analytic identifies the execution of the ActiveMicrosoftApp process as a child of Microsoft Excel. Under normal conditions, Excel primarily spawns internal Office-related processes, and the creation of ActiveMicrosoftApp is uncommon in day-to-day business workflows. Adversaries may abuse this behavior to blend malicious activity within trusted applications, execute unauthorized code, or bypass application control mechanisms. This technique aligns with common tradecraft where Office applications are leveraged as initial access or execution vectors due to their prevalence in enterprise environments. Detecting this relationship helps defenders spot suspicious child processes that may indicate malware execution, persistence mechanisms, or attempts to establish command-and-control. Security teams should investigate the parent Excel process, the context of the ActiveMicrosoftApp execution, and any subsequent network or file activity. While certain legitimate Office features could trigger this process in specific environments, its occurrence generally warrants further scrutiny to validate intent and rule out compromise.
+data_source:
+- Sysmon EventID 1
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes 
+  where Processes.parent_process_name = "EXCEL.EXE" Processes.process_name IN ("WINPROJ.EXE", "FOXPROW.exe","SCHDPLUS.exe")
+  by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
+  Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
+  Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec
+  Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level
+  Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
+  | `drop_dm_object_name(Processes)` 
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)` 
+  | `windows_excel_activemicrosoftapp_child_process_filter`'
+how_to_implement: The detection is based on data that originates from Endpoint Detection
+  and Response (EDR) agents. These agents are designed to provide security-related
+  telemetry from the endpoints where the agent is installed. To implement this search,
+  you must ingest logs that contain the process GUID, process name, and parent process.
+  Additionally, you must ingest complete command-line executions. These logs must
+  be processed using the appropriate Splunk Technology Add-ons that are specific to
+  the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
+  data model. Use the Splunk Common Information Model (CIM) to normalize the field
+  names and speed up the data modeling process.
+known_false_positives: Microsoft Project has been discontinued since January 2010, so its presence is unlikely in modern environments. If a related child process is observed, verify its legitimacy to rule out potential misuse.
+references:
+- https://specterops.io/blog/2023/10/30/lateral-movement-abuse-the-power-of-dcom-excel-application/
+- https://blog.talosintelligence.com/pathwiper-targets-ukraine/
+- https://www.trellix.com/blogs/research/dcom-abuse-and-network-erasure-with-trellix-ndr/
+drilldown_searches:
+  - name: View the detection results for - "$dest$" and "$user$"
+    search: '%original_detection_search% | search  dest = "$dest$" user = "$user$"'
+    earliest_offset: $info_min_time$
+    latest_offset: $info_max_time$
+  - name: View risk events for the last 7 days for - "$dest$" and "$user$"
+    search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$",
+      "$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time)
+      as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk
+      Message" values(analyticstories) as "Analytic Stories" values(annotations._all)
+      as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics"
+      by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+    earliest_offset: $info_min_time$
+    latest_offset: $info_max_time$
+rba:
+  message: Risk Message goes here
+  risk_objects:
+  - field: dest
+    type: system
+    score: 10
+  threat_objects:
+  - field: parent_process_name
+    type: parent_process_name
+tags:
+  analytic_story:
+  - PathWiper
+  asset_type: Endpoint
+  mitre_attack_id:
+  - T1021.003
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.003/excel_activemicrosoftapp/sysmon_winprojexe.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: XmlWinEventLog