New Rules & Updates - Oct 25 (#3726)

* new rules and updates

* fix issues with ci

* rename for accurate macro

* update description and logic

* new wbadmin rule and fix pwsh dataset

* more updates for the weekend

* update network rules filters

* downgrade versions

* Update windows_file_transfer_protocol_in_non_common_process_path.yml

* add missing DS for some rules

* update nirsoft lookup and add new rules

* update more nirsoft stuff

* update snort message

* Update cisco_secure_firewall_filetype_lookup.yml

* new analytic and updates / incl. fix #3730

* Update detect_new_local_admin_account.yml

* add lnx dataset and fix wildcards

Author: nasbench

detections/cloud/o365_elevated_mailbox_permission_assigned.yml

@@ -1,9 +1,10 @@
 name: O365 Elevated Mailbox Permission Assigned
 id: 2246c142-a678-45f8-8546-aaed7e0efd30
-version: 8
-date: '2025-05-02'
+version: 9
+date: '2025-10-21'
 author: Patrick Bareiss, Mauricio Velazco, Splunk
-data_source: []
+data_source:
+  - O365 Add-MailboxPermission
 type: TTP
 status: production
 description: The following analytic identifies the assignment of elevated mailbox

detections/cloud/o365_mailbox_folder_read_permission_assigned.yml

@@ -1,9 +1,10 @@
 name: O365 Mailbox Folder Read Permission Assigned
 id: 1435475e-2128-4417-a34f-59770733b0d5
-version: 7
-date: '2025-05-02'
+version: 8
+date: '2025-10-21'
 author: Mauricio Velazco, Splunk
-data_source: []
+data_source:
+  - O365 ModifyFolderPermissions
 type: TTP
 status: production
 description: The following analytic identifies instances where read permissions are

detections/cloud/o365_mailbox_folder_read_permission_granted.yml

@@ -1,9 +1,10 @@
 name: O365 Mailbox Folder Read Permission Granted
 id: cd15c0a8-470e-4b12-9517-046e4927db30
-version: 8
-date: '2025-05-02'
+version: 9
+date: '2025-10-21'
 author: Mauricio Velazco, Splunk
-data_source: []
+data_source:
+  - O365 ModifyFolderPermissions
 type: TTP
 status: production
 description: The following analytic identifies instances where read permissions are

…int/curl_download_and_bash_execution.yml …ted/curl_download_and_bash_execution.ymldetections/endpoint/curl_download_and_bash_execution.yml renamed to detections/deprecated/curl_download_and_bash_execution.yml detections/endpoint/curl_download_and_bash_execution.yml renamed to detections/deprecated/curl_download_and_bash_execution.yml

@@ -1,9 +1,9 @@
 name: Curl Download and Bash Execution
 id: 900bc324-59f3-11ec-9fb4-acde48001122
-version: 9
-date: '2025-05-02'
+version: 10
+date: '2025-10-16'
 author: Michael Haag, Splunk, DipsyTipsy
-status: production
+status: deprecated
 type: TTP
 description: The following analytic detects the use of curl on Linux or MacOS systems
   to download a file from a remote source and pipe it directly to bash for execution.

…ections/endpoint/w3wp_spawning_shell.yml …tions/deprecated/w3wp_spawning_shell.ymldetections/endpoint/w3wp_spawning_shell.yml renamed to detections/deprecated/w3wp_spawning_shell.yml detections/endpoint/w3wp_spawning_shell.yml renamed to detections/deprecated/w3wp_spawning_shell.yml

@@ -1,9 +1,9 @@
 name: W3WP Spawning Shell
 id: 0f03423c-7c6a-11eb-bc47-acde48001122
-version: 10
-date: '2025-09-16'
+version: 11
+date: '2025-10-16'
 author: Michael Haag, Splunk
-status: production
+status: deprecated
 type: TTP
 description: The following analytic identifies instances where a shell (PowerShell.exe
   or Cmd.exe) is spawned from W3WP.exe, the IIS worker process. This detection leverages

…int/wget_download_and_bash_execution.yml …ted/wget_download_and_bash_execution.ymldetections/endpoint/wget_download_and_bash_execution.yml renamed to detections/deprecated/wget_download_and_bash_execution.yml detections/endpoint/wget_download_and_bash_execution.yml renamed to detections/deprecated/wget_download_and_bash_execution.yml

@@ -1,9 +1,9 @@
 name: Wget Download and Bash Execution
 id: 35682718-5a85-11ec-b8f7-acde48001122
-version: 9
-date: '2025-05-02'
+version: 10
+date: '2025-10-16'
 author: Michael Haag, Splunk, DipsyTipsy
-status: production
+status: deprecated
 type: TTP
 description: The following analytic detects the use of wget on Windows, Linux or MacOS
   to download a file from a remote source and pipe it to bash. This detection leverages

detections/endpoint/advanced_ip_or_port_scanner_execution.yml

@@ -0,0 +1,101 @@
+name: Advanced IP or Port Scanner Execution
+id: 9a4e50c7-5b62-4d52-93b4-f2b61332e9a5
+version: 1
+date: '2025-10-13'
+author: Nasreddine Bencherchali, Splunk
+status: production
+type: Anomaly
+description: |
+  The following analytic detects the execution of network scanning utilities such as Advanced IP Scanner or Advanced Port Scanner.
+  These legitimate administrative tools are often leveraged by threat actors and ransomware operators during the discovery phase to enumerate active hosts and open ports within a target environment.
+  Detection is based on process creation telemetry referencing known executable names, original file names, or specific command-line parameters such as "/portable" and "/lng" that are characteristic of these tools.
+  If confirmed malicious, this activity may indicate internal reconnaissance aimed at identifying reachable systems or services prior to lateral movement or further post-compromise actions.
+data_source:
+  - Sysmon EventID 1
+  - Windows Event Log Security 4688
+  - CrowdStrike ProcessRollup2
+search: |
+  | tstats `security_content_summariesonly`
+    count min(_time) as firstTime
+          max(_time) as lastTime
+
+    from datamodel=Endpoint.Processes where
+      Processes.process_name IN ("advanced_ip_scanner.exe", "advanced_ip_scanner_console.exe", "advanced_port_scanner.exe", "advanced_port_scanner_console.exe")
+      OR
+      Processes.original_file_name IN ("advanced_ip_scanner.exe", "advanced_ip_scanner_console.exe", "advanced_port_scanner.exe", "advanced_port_scanner_console.exe")
+      OR (
+      Processes.process = "* /portable *"
+      Processes.process = "* /lng *"
+      )
+
+    by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
+       Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
+       Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec
+       Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level
+       Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
+
+  | `drop_dm_object_name(Processes)`
+  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)`
+  | `advanced_ip_or_port_scanner_execution_filter`
+how_to_implement: |
+  The detection is based on data that originates from Endpoint Detection
+  and Response (EDR) agents. These agents are designed to provide security-related
+  telemetry from the endpoints where the agent is installed. To implement this search,
+  you must ingest logs that contain the process GUID, process name, and parent process.
+  Additionally, you must ingest complete command-line executions. These logs must
+  be processed using the appropriate Splunk Technology Add-ons that are specific to
+  the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
+  data model. Use the Splunk Common Information Model (CIM) to normalize the field
+  names and speed up the data modeling process.
+known_false_positives: |
+  Legitimate administrators or IT staff may use Advanced IP or Port Scanner for authorized
+  network management or inventory purposes. Validate the context of execution and apply any filters as necessary.
+references:
+  - https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/
+  - https://cloud.google.com/blog/topics/threat-intelligence/tactics-techniques-procedures-associated-with-maze-ransomware-incidents/
+  - https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf
+  - https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer
+  - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20IP%20Scanner
+drilldown_searches:
+  - name: View the detection results for - "$dest$" and "$user$"
+    search: '%original_detection_search% | search  dest = "$dest$" user = "$user$"'
+    earliest_offset: $info_min_time$
+    latest_offset: $info_max_time$
+  - name: View risk events for the last 7 days for - "$dest$" and "$user$"
+    search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$",
+      "$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time)
+      as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk
+      Message" values(analyticstories) as "Analytic Stories" values(annotations._all)
+      as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics"
+      by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+    earliest_offset: $info_min_time$
+    latest_offset: $info_max_time$
+rba:
+  message: Execution of Advanced IP or Port Scanner detected via $process$ on $dest$
+  risk_objects:
+    - field: user
+      type: user
+      score: 64
+    - field: dest
+      type: system
+      score: 64
+  threat_objects: []
+tags:
+  analytic_story:
+    - Windows Defense Evasion Tactics
+  asset_type: Endpoint
+  mitre_attack_id:
+    - T1046
+    - T1135
+  product:
+    - Splunk Enterprise
+    - Splunk Enterprise Security
+    - Splunk Cloud
+  security_domain: endpoint
+tests:
+  - name: True Positive Test
+    attack_data:
+    - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1046/advanced_ip_port_scanner/advanced_ip_port_scanner.log
+      source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+      sourcetype: XmlWinEventLog

detections/endpoint/detect_new_local_admin_account.yml

@@ -1,7 +1,7 @@
 name: Detect New Local Admin account
 id: b25f6f62-0712-43c1-b203-083231ffd97d
 version: 9
-date: '2025-10-14'
+date: '2025-10-23'
 author: David Dorsey, Splunk
 status: production
 type: TTP
@@ -16,11 +16,30 @@ description: The following analytic detects the creation of new accounts elevate
 data_source:
 - Windows Event Log Security 4732
 - Windows Event Log Security 4720
-search: '`wineventlog_security` EventCode=4720 OR (EventCode=4732 Group_Name=Administrators)
-  | transaction user dest connected=false maxspan=180m | stats count min(_time) as
-  firstTime max(_time) as lastTime dc(EventCode) as distinct_eventcodes by src_user
-  user dest | where distinct_eventcodes>1 | `security_content_ctime(firstTime)` |
-  `security_content_ctime(lastTime)` | `detect_new_local_admin_account_filter`'
+search: |
+  `wineventlog_security`
+  (
+    EventCode=4720 
+    OR
+    (
+      EventCode=4732
+      AND
+      (
+        Group_Name=Administrators
+        OR
+        TargetUserName=Administrators
+      )
+    )
+  )
+  | transaction user dest connected=false maxspan=180m
+  | stats count min(_time) as firstTime 
+                max(_time) as lastTime 
+                dc(EventCode) as distinct_eventcodes 
+    by src_user user dest
+  | where distinct_eventcodes > 1
+  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)`
+  | `detect_new_local_admin_account_filter`
 how_to_implement: You must be ingesting Windows event logs using the Splunk Windows
   TA and collecting event code 4720 and 4732
 known_false_positives: The activity may be legitimate. For this reason, it's best

detections/endpoint/detect_regasm_with_network_connection.yml

@@ -1,7 +1,7 @@
 name: Detect Regasm with Network Connection
 id: 07921114-6db4-4e2e-ae58-3ea8a52ae93f
 version: 11
-date: '2025-10-14'
+date: '2025-10-20'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -14,12 +14,24 @@ description: The following analytic detects the execution of regasm.exe establis
   leading to privilege escalation and further malicious actions within the environment.
 data_source:
 - Sysmon EventID 3
-search: '`sysmon` EventID=3 dest_ip!=10.0.0.0/8 dest_ip!=172.16.0.0/12 dest_ip!=192.168.0.0/16
-  process_name=regasm.exe | stats count min(_time) as firstTime max(_time) as lastTime
-  by action app dest dest_ip dest_port direction dvc protocol protocol_version src
-  src_ip src_port transport user vendor_product process_name process_exec process_guid
-  process_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
-  | `detect_regasm_with_network_connection_filter`'
+search: |
+  `sysmon`
+  EventID=3 
+  process_name=regasm.exe
+  NOT dest_ip IN (
+    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
+    "127.0.0.0/8", "169.254.0.0/16", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32",
+    "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
+    "192.31.196.0/24", "192.52.193.0/24", "192.88.99.0/24", "224.0.0.0/4", "192.175.48.0/24",
+    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4"
+  )
+  | stats count min(_time) as firstTime max(_time) as lastTime
+    by action app dest dest_ip dest_port direction dvc protocol protocol_version src
+       src_ip src_port transport user vendor_product process_name process_exec process_guid
+       process_id
+  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)`
+  | `detect_regasm_with_network_connection_filter`
 how_to_implement: To successfully implement this search, you need to be ingesting
   logs with the process name, parent process, and command-line executions from your
   endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the

detections/endpoint/detect_regsvcs_with_network_connection.yml

@@ -1,7 +1,7 @@
 name: Detect Regsvcs with Network Connection
 id: e3e7a1c0-f2b9-445c-8493-f30a63522d1a
 version: 12
-date: '2025-10-14'
+date: '2025-10-20'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -15,12 +15,24 @@ description: The following analytic identifies instances of Regsvcs.exe establis
   data. Immediate investigation and remediation are recommended.
 data_source:
 - Sysmon EventID 3
-search: '`sysmon` EventID=3 dest_ip!=10.0.0.0/8 dest_ip!=172.16.0.0/12 dest_ip!=192.168.0.0/16
-  process_name=regsvcs.exe  | stats count min(_time) as firstTime max(_time) as lastTime
-  by action app dest dest_ip dest_port direction dvc protocol protocol_version src
-  src_ip src_port transport user vendor_product process_name process_exec process_guid
-  process_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
-  | `detect_regsvcs_with_network_connection_filter`'
+search: |
+  `sysmon`
+  EventID=3
+  NOT dest_ip IN (
+    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
+    "127.0.0.0/8", "169.254.0.0/16", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32",
+    "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
+    "192.31.196.0/24", "192.52.193.0/24", "192.88.99.0/24", "224.0.0.0/4", "192.175.48.0/24",
+    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4"
+  )
+  process_name=regsvcs.exe
+  | stats count min(_time) as firstTime max(_time) as lastTime
+    by action app dest dest_ip dest_port direction dvc protocol protocol_version src
+       src_ip src_port transport user vendor_product process_name process_exec process_guid
+       process_id
+  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)`
+  | `detect_regsvcs_with_network_connection_filter`
 how_to_implement: To successfully implement this search, you need to be ingesting
   logs with the process name, parent process, and command-line executions from your
   endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the