Merge pull request #3636 from splunk/more_interlock_rat

more_interlock_rat

Author: patel-bhavin

detections/endpoint/chcp_command_execution.yml

@@ -1,7 +1,7 @@
 name: CHCP Command Execution
 id: 21d236ec-eec1-11eb-b23e-acde48001122
-version: 8
-date: '2025-07-16'
+version: 9
+date: '2025-08-07'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -70,6 +70,7 @@ tags:
   - Crypto Stealer
   - Quasar RAT
   - Forest Blizzard
+  - Interlock Rat
   asset_type: Endpoint
   mitre_attack_id:
   - T1059

detections/endpoint/cmd_carry_out_string_command_parameter.yml

@@ -1,7 +1,7 @@
 name: CMD Carry Out String Command Parameter
 id: 54a6ed00-3256-11ec-b031-acde48001122
-version: 13
-date: '2025-07-16'
+version: 14
+date: '2025-08-07'
 author: Teoderick Contreras, Bhavin Patel, Splunk
 status: production
 type: Hunting
@@ -64,6 +64,7 @@ tags:
   - AsyncRAT
   - RedLine Stealer
   - Log4Shell CVE-2021-44228
+  - Interlock Rat
   asset_type: Endpoint
   cve:
   - CVE-2021-44228

detections/endpoint/executables_or_script_creation_in_temp_path.yml

@@ -1,7 +1,7 @@
 name: Executables Or Script Creation In Temp Path
 id: e0422b71-2c05-4f32-8754-01fb415f49c9
-version: 14
-date: '2025-05-06'
+version: 15
+date: '2025-08-07'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -101,6 +101,7 @@ tags:
   - Industroyer2
   - Amadey
   - IcedID
+  - Interlock Rat
   asset_type: Endpoint
   mitre_attack_id:
   - T1036

detections/endpoint/windows_anonymous_pipe_activity.yml

@@ -1,7 +1,7 @@
 name: Windows Anonymous Pipe Activity
 id: ee301e1e-cd81-4011-a911-e5f049b9e3d5
-version: 3
-date: '2025-05-02'
+version: 4
+date: '2025-08-07'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
@@ -51,6 +51,7 @@ tags:
   - Salt Typhoon
   - China-Nexus Threat Activity
   - SnappyBee
+  - Interlock Rat
   asset_type: Endpoint
   mitre_attack_id:
   - T1559