Merge branch 'develop' into auto-ta-update-189

Author: patel-bhavin

data_sources/linux_auditd_add_user.yml

@@ -1,11 +1,11 @@
 name: Linux Auditd Add User
 id: 30f79353-e1d2-4585-8735-1e0359559f3f
-version: 1
-date: '2024-08-08'
+version: 2
+date: '2025-02-20'
 author: Teoderick Contreras, Splunk
 description: Data source object for Linux Auditd Add User Type
-source: /var/log/audit/audit.log
-sourcetype: linux:audit
+source: auditd
+sourcetype: auditd
 configuration: https://github.com/Neo23x0/auditd/blob/master/audit.rules
 supported_TA:
 - name: Splunk Add-on for Unix and Linux

data_sources/linux_auditd_execve.yml

@@ -1,11 +1,11 @@
 name: Linux Auditd Execve
 id: 9ef6364d-cc67-480e-8448-3306829a6a24
-version: 1
-date: '2024-08-08'
+version: 2
+date: '2025-02-20'
 author: Teoderick Contreras, Splunk
 description: Data source object for Linux Auditd Execve Type
-source: /var/log/audit/audit.log
-sourcetype: linux:audit
+source: auditd
+sourcetype: auditd
 configuration: https://github.com/Neo23x0/auditd/blob/master/audit.rules
 supported_TA:
 - name: Splunk Add-on for Unix and Linux

data_sources/linux_auditd_path.yml

@@ -1,11 +1,11 @@
 name: Linux Auditd Path
 id: 3d86125c-0496-4a5a-aae3-0d355a4f3d7d
-version: 1
-date: '2024-08-08'
+version: 2
+date: '2025-02-20'
 author: Teoderick Contreras, Splunk
 description: Data source object for Linux Auditd Path Type
-source: /var/log/audit/audit.log
-sourcetype: linux:audit
+source: auditd
+sourcetype: auditd
 configuration: https://github.com/Neo23x0/auditd/blob/master/audit.rules
 supported_TA:
 - name: Splunk Add-on for Unix and Linux

data_sources/linux_auditd_proctitle.yml

@@ -1,11 +1,11 @@
 name: Linux Auditd Proctitle
 id: 5a25984a-2789-400a-858b-d75c923e06b1
-version: 1
-date: '2024-08-08'
+version: 2
+date: '2025-02-20'
 author: Teoderick Contreras, Splunk
 description: Data source object for Linux Auditd Proctitle Type
-source: /var/log/audit/audit.log
-sourcetype: linux:audit
+source: auditd
+sourcetype: auditd
 configuration: https://github.com/Neo23x0/auditd/blob/master/audit.rules
 supported_TA:
 - name: Splunk Add-on for Unix and Linux

data_sources/linux_auditd_service_stop.yml

@@ -1,11 +1,11 @@
 name: Linux Auditd Service Stop
 id: 0643483c-bc62-455c-8d6e-1630e5f0e00d
-version: 1
-date: '2024-08-08'
+version: 2
+date: '2025-02-20'
 author: Teoderick Contreras, Splunk
 description: Data source object for Linux Auditd Service Stop Type
-source: /var/log/audit/audit.log
-sourcetype: linux:audit
+source: auditd
+sourcetype: auditd
 configuration: https://github.com/Neo23x0/auditd/blob/master/audit.rules
 supported_TA:
 - name: Splunk Add-on for Unix and Linux

data_sources/linux_auditd_syscall.yml

@@ -1,11 +1,11 @@
 name: Linux Auditd Syscall
 id: 4dff7047-0d43-4096-bb3f-b756c889bbad
-version: 1
-date: '2024-08-08'
+version: 2
+date: '2025-02-20'
 author: Teoderick Contreras, Splunk
 description: Data source object for Linux Auditd Syscall Type
-source: /var/log/audit/audit.log
-sourcetype: linux:audit
+source: auditd
+sourcetype: auditd
 configuration: https://github.com/Neo23x0/auditd/blob/master/audit.rules
 supported_TA:
 - name: Splunk Add-on for Unix and Linux

detections/endpoint/any_powershell_downloadfile.yml

@@ -1,7 +1,7 @@
 name: Any Powershell DownloadFile
 id: 1a93b7ea-7af7-11eb-adb5-acde48001122
-version: 11
-date: '2025-02-10'
+version: '12'
+date: '2025-02-24'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -71,18 +71,18 @@ rba:
     type: process_name
 tags:
   analytic_story:
-  - Data Destruction
   - Ingress Tool Transfer
+  - China-Nexus Threat Activity
+  - Crypto Stealer
+  - Hermetic Wiper
   - DarkCrystal RAT
-  - PXA Stealer
-  - Braodo Stealer
-  - Phemedrone Stealer
-  - Log4Shell CVE-2021-44228
   - Malicious PowerShell
-  - Hermetic Wiper
-  - Crypto Stealer
-  - Nexus APT Threat Activity
   - Earth Estries
+  - Phemedrone Stealer
+  - Braodo Stealer
+  - PXA Stealer
+  - Data Destruction
+  - Log4Shell CVE-2021-44228
   asset_type: Endpoint
   cve:
   - CVE-2021-44228
@@ -97,7 +97,6 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: 
-      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/windows-sysmon.log
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/windows-sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
     sourcetype: XmlWinEventLog

detections/endpoint/detect_renamed_psexec.yml

@@ -1,7 +1,7 @@
 name: Detect Renamed PSExec
 id: 683e6196-b8e8-11eb-9a79-acde48001122
-version: 11
-date: '2025-02-10'
+version: '12'
+date: '2025-02-24'
 author: Michael Haag, Splunk, Alex Oberkircher, Github Community
 status: production
 type: Hunting
@@ -39,18 +39,18 @@ references:
 - https://redcanary.com/blog/threat-hunting-psexec-lateral-movement/
 tags:
   analytic_story:
+  - China-Nexus Threat Activity
   - BlackByte Ransomware
+  - HAFNIUM Group
   - DHS Report TA18-074A
-  - DarkSide Ransomware
-  - SamSam Ransomware
   - CISA AA22-320A
-  - HAFNIUM Group
-  - Sandworm Tools
+  - DarkSide Ransomware
   - Active Directory Lateral Movement
-  - Nexus APT Threat Activity
   - DarkGate Malware
-  - Earth Estries
+  - Sandworm Tools
   - Rhysida Ransomware
+  - Earth Estries
+  - SamSam Ransomware
   asset_type: Endpoint
   mitre_attack_id:
   - T1569.002
@@ -62,7 +62,6 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: 
-      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1569.002/atomic_red_team/windows-sysmon.log
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1569.002/atomic_red_team/windows-sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
     sourcetype: XmlWinEventLog

detections/endpoint/detect_renamed_winrar.yml

@@ -1,7 +1,7 @@
 name: Detect Renamed WinRAR
 id: 1b7bfb2c-b8e6-11eb-99ac-acde48001122
-version: 9
-date: '2025-02-10'
+version: '10'
+date: '2025-02-24'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
@@ -38,10 +38,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md
 tags:
   analytic_story:
+  - China-Nexus Threat Activity
+  - CISA AA22-277A
   - Collection and Staging
   - Earth Estries
-  - Nexus APT Threat Activity
-  - CISA AA22-277A
   asset_type: Endpoint
   mitre_attack_id:
   - T1560.001
@@ -53,7 +53,6 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: 
-      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1560.001/archive_utility/windows-sysmon.log
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1560.001/archive_utility/windows-sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
     sourcetype: XmlWinEventLog

detections/endpoint/executables_or_script_creation_in_suspicious_path.yml

@@ -1,7 +1,7 @@
 name: Executables Or Script Creation In Suspicious Path
 id: a7e3f0f0-ae42-11eb-b245-acde48001122
-version: 10
-date: '2025-01-27'
+version: '11'
+date: '2025-02-24'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -61,46 +61,46 @@ rba:
     type: file_name
 tags:
   analytic_story:
-  - Chaos Ransomware
+  - BlackByte Ransomware
+  - Brute Ratel C4
   - Trickbot
   - Snake Keylogger
-  - CISA AA23-347A
-  - Industroyer2
-  - WinDealer RAT
-  - Qakbot
+  - Graceful Wipe Out Attack
+  - PlugX
+  - Handala Wiper
+  - Earth Estries
   - Warzone RAT
-  - IcedID
   - ValleyRAT
-  - Azorult
-  - Handala Wiper
+  - NjRAT
   - LockBit Ransomware
-  - Meduza Stealer
-  - Brute Ratel C4
+  - Double Zero Destructor
+  - Swift Slicer
+  - DarkCrystal RAT
   - AsyncRAT
-  - AcidPour
+  - Volt Typhoon
+  - Chaos Ransomware
+  - Hermetic Wiper
   - Derusbi
-  - DarkGate Malware
-  - Graceful Wipe Out Attack
-  - NjRAT
-  - WhisperGate
-  - Data Destruction
-  - BlackByte Ransomware
+  - XMRig
   - AgentTesla
-  - Swift Slicer
+  - WinDealer RAT
+  - RedLine Stealer
+  - Remcos
+  - Rhysida Ransomware
+  - China-Nexus Threat Activity
   - Crypto Stealer
-  - Hermetic Wiper
+  - Qakbot
+  - IcedID
+  - Meduza Stealer
+  - AcidPour
   - MoonPeak
-  - Double Zero Destructor
-  - XMRig
-  - PlugX
+  - CISA AA23-347A
+  - DarkGate Malware
+  - Industroyer2
+  - Azorult
+  - Data Destruction
   - Amadey
-  - DarkCrystal RAT
-  - Remcos
-  - Nexus APT Threat Activity
-  - Earth Estries
-  - Rhysida Ransomware
-  - RedLine Stealer
-  - Volt Typhoon
+  - WhisperGate
   asset_type: Endpoint
   mitre_attack_id:
   - T1036