auditd_detection_updates

Author: t-contreras

detections/endpoint/any_powershell_downloadfile.yml

@@ -1,7 +1,7 @@
 name: Any Powershell DownloadFile
 id: 1a93b7ea-7af7-11eb-adb5-acde48001122
-version: 11
-date: '2025-02-10'
+version: '12'
+date: '2025-02-24'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -71,18 +71,18 @@ rba:
     type: process_name
 tags:
   analytic_story:
-  - Data Destruction
   - Ingress Tool Transfer
+  - China-Nexus Threat Activity
+  - Crypto Stealer
+  - Hermetic Wiper
   - DarkCrystal RAT
-  - PXA Stealer
-  - Braodo Stealer
-  - Phemedrone Stealer
-  - Log4Shell CVE-2021-44228
   - Malicious PowerShell
-  - Hermetic Wiper
-  - Crypto Stealer
-  - Nexus APT Threat Activity
   - Earth Estries
+  - Phemedrone Stealer
+  - Braodo Stealer
+  - PXA Stealer
+  - Data Destruction
+  - Log4Shell CVE-2021-44228
   asset_type: Endpoint
   cve:
   - CVE-2021-44228
@@ -97,7 +97,6 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: 
-      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/windows-sysmon.log
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/windows-sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
     sourcetype: XmlWinEventLog

detections/endpoint/detect_renamed_psexec.yml

@@ -1,7 +1,7 @@
 name: Detect Renamed PSExec
 id: 683e6196-b8e8-11eb-9a79-acde48001122
-version: 11
-date: '2025-02-10'
+version: '12'
+date: '2025-02-24'
 author: Michael Haag, Splunk, Alex Oberkircher, Github Community
 status: production
 type: Hunting
@@ -39,18 +39,18 @@ references:
 - https://redcanary.com/blog/threat-hunting-psexec-lateral-movement/
 tags:
   analytic_story:
+  - China-Nexus Threat Activity
   - BlackByte Ransomware
+  - HAFNIUM Group
   - DHS Report TA18-074A
-  - DarkSide Ransomware
-  - SamSam Ransomware
   - CISA AA22-320A
-  - HAFNIUM Group
-  - Sandworm Tools
+  - DarkSide Ransomware
   - Active Directory Lateral Movement
-  - Nexus APT Threat Activity
   - DarkGate Malware
-  - Earth Estries
+  - Sandworm Tools
   - Rhysida Ransomware
+  - Earth Estries
+  - SamSam Ransomware
   asset_type: Endpoint
   mitre_attack_id:
   - T1569.002
@@ -62,7 +62,6 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: 
-      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1569.002/atomic_red_team/windows-sysmon.log
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1569.002/atomic_red_team/windows-sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
     sourcetype: XmlWinEventLog

detections/endpoint/detect_renamed_winrar.yml

@@ -1,7 +1,7 @@
 name: Detect Renamed WinRAR
 id: 1b7bfb2c-b8e6-11eb-99ac-acde48001122
-version: 9
-date: '2025-02-10'
+version: '10'
+date: '2025-02-24'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
@@ -38,10 +38,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md
 tags:
   analytic_story:
+  - China-Nexus Threat Activity
+  - CISA AA22-277A
   - Collection and Staging
   - Earth Estries
-  - Nexus APT Threat Activity
-  - CISA AA22-277A
   asset_type: Endpoint
   mitre_attack_id:
   - T1560.001
@@ -53,7 +53,6 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: 
-      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1560.001/archive_utility/windows-sysmon.log
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1560.001/archive_utility/windows-sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
     sourcetype: XmlWinEventLog

detections/endpoint/executables_or_script_creation_in_suspicious_path.yml

@@ -1,7 +1,7 @@
 name: Executables Or Script Creation In Suspicious Path
 id: a7e3f0f0-ae42-11eb-b245-acde48001122
-version: 10
-date: '2025-01-27'
+version: '11'
+date: '2025-02-24'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -61,46 +61,46 @@ rba:
     type: file_name
 tags:
   analytic_story:
-  - Chaos Ransomware
+  - BlackByte Ransomware
+  - Brute Ratel C4
   - Trickbot
   - Snake Keylogger
-  - CISA AA23-347A
-  - Industroyer2
-  - WinDealer RAT
-  - Qakbot
+  - Graceful Wipe Out Attack
+  - PlugX
+  - Handala Wiper
+  - Earth Estries
   - Warzone RAT
-  - IcedID
   - ValleyRAT
-  - Azorult
-  - Handala Wiper
+  - NjRAT
   - LockBit Ransomware
-  - Meduza Stealer
-  - Brute Ratel C4
+  - Double Zero Destructor
+  - Swift Slicer
+  - DarkCrystal RAT
   - AsyncRAT
-  - AcidPour
+  - Volt Typhoon
+  - Chaos Ransomware
+  - Hermetic Wiper
   - Derusbi
-  - DarkGate Malware
-  - Graceful Wipe Out Attack
-  - NjRAT
-  - WhisperGate
-  - Data Destruction
-  - BlackByte Ransomware
+  - XMRig
   - AgentTesla
-  - Swift Slicer
+  - WinDealer RAT
+  - RedLine Stealer
+  - Remcos
+  - Rhysida Ransomware
+  - China-Nexus Threat Activity
   - Crypto Stealer
-  - Hermetic Wiper
+  - Qakbot
+  - IcedID
+  - Meduza Stealer
+  - AcidPour
   - MoonPeak
-  - Double Zero Destructor
-  - XMRig
-  - PlugX
+  - CISA AA23-347A
+  - DarkGate Malware
+  - Industroyer2
+  - Azorult
+  - Data Destruction
   - Amadey
-  - DarkCrystal RAT
-  - Remcos
-  - Nexus APT Threat Activity
-  - Earth Estries
-  - Rhysida Ransomware
-  - RedLine Stealer
-  - Volt Typhoon
+  - WhisperGate
   asset_type: Endpoint
   mitre_attack_id:
   - T1036

detections/endpoint/linux_common_process_for_elevation_control.yml

@@ -1,7 +1,7 @@
 name: Linux Common Process For Elevation Control
 id: 66ab15c0-63d0-11ec-9e70-acde48001122
-version: 6
-date: '2025-02-10'
+version: '7'
+date: '2025-02-24'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
@@ -44,10 +44,10 @@ references:
 - https://github.com/microsoft/MSTIC-Sysmon/blob/main/linux/configs/attack-based/privilege_escalation/T1548.001_ElevationControl_CommonProcesses.xml
 tags:
   analytic_story:
+  - China-Nexus Threat Activity
+  - Linux Persistence Techniques
   - Linux Privilege Escalation
   - Linux Living Off The Land
-  - Linux Persistence Techniques
-  - Nexus APT Threat Activity
   - Earth Estries
   asset_type: Endpoint
   mitre_attack_id:
@@ -60,7 +60,6 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: 
-      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.001/chmod_uid/sysmon_linux.log
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.001/chmod_uid/sysmon_linux.log
     source: Syslog:Linux-Sysmon/Operational
     sourcetype: sysmon:linux

detections/endpoint/linux_file_creation_in_init_boot_directory.yml

@@ -1,7 +1,7 @@
 name: Linux File Creation In Init Boot Directory
 id: 97d9cfb2-61ad-11ec-bb2d-acde48001122
-version: 7
-date: '2025-02-10'
+version: '8'
+date: '2025-02-24'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -49,11 +49,11 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
-  - Linux Privilege Escalation
+  - China-Nexus Threat Activity
   - Backdoor Pingpong
   - Linux Persistence Techniques
   - XorDDos
-  - Nexus APT Threat Activity
+  - Linux Privilege Escalation
   asset_type: Endpoint
   mitre_attack_id:
   - T1037.004
@@ -65,7 +65,6 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: 
-      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.004/linux_init_profile/sysmon_linux.log
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.004/linux_init_profile/sysmon_linux.log
     source: Syslog:Linux-Sysmon/Operational
     sourcetype: sysmon:linux

detections/endpoint/linux_iptables_firewall_modification.yml

@@ -1,7 +1,7 @@
 name: Linux Iptables Firewall Modification
 id: 309d59dc-1e1b-49b2-9800-7cf18d12f7b7
-version: 8
-date: '2025-02-10'
+version: '9'
+date: '2025-02-24'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -66,10 +66,10 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
-  - Sandworm Tools
+  - China-Nexus Threat Activity
   - Backdoor Pingpong
-  - Nexus APT Threat Activity
   - Cyclops Blink
+  - Sandworm Tools
   asset_type: Endpoint
   mitre_attack_id:
   - T1562.004
@@ -81,7 +81,6 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: 
-      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/cyclopsblink/sysmon_linux.log
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/cyclopsblink/sysmon_linux.log
     source: Syslog:Linux-Sysmon/Operational
     sourcetype: sysmon:linux

detections/endpoint/linux_nopasswd_entry_in_sudoers_file.yml

@@ -1,7 +1,7 @@
 name: Linux NOPASSWD Entry In Sudoers File
 id: ab1e0d52-624a-11ec-8e0b-acde48001122
-version: 6
-date: '2025-02-10'
+version: '7'
+date: '2025-02-24'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -58,10 +58,10 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
+  - China-Nexus Threat Activity
+  - Linux Persistence Techniques
   - Linux Privilege Escalation
   - Earth Estries
-  - Nexus APT Threat Activity
-  - Linux Persistence Techniques
   asset_type: Endpoint
   mitre_attack_id:
   - T1548.003
@@ -73,7 +73,6 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: 
-      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/nopasswd_sudoers/sysmon_linux.log
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/nopasswd_sudoers/sysmon_linux.log
     source: Syslog:Linux-Sysmon/Operational
     sourcetype: sysmon:linux

detections/endpoint/linux_possible_access_to_credential_files.yml

@@ -1,7 +1,7 @@
 name: Linux Possible Access To Credential Files
 id: 16107e0e-71fc-11ec-b862-acde48001122
-version: 7
-date: '2025-02-10'
+version: '8'
+date: '2025-02-24'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -57,10 +57,10 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
-  - Linux Privilege Escalation
+  - China-Nexus Threat Activity
   - Linux Persistence Techniques
   - XorDDos
-  - Nexus APT Threat Activity
+  - Linux Privilege Escalation
   - Earth Estries
   asset_type: Endpoint
   mitre_attack_id:
@@ -73,7 +73,6 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: 
-      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.008/copy_file_stdoutpipe/sysmon_linux.log
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.008/copy_file_stdoutpipe/sysmon_linux.log
     source: Syslog:Linux-Sysmon/Operational
     sourcetype: sysmon:linux