Fix incorrect data sources

nasbench · nasbench · commit a91c2aa7d94d · 2025-06-10T16:04:59.000+02:00
diff --git a/detections/endpoint/detect_remote_access_software_usage_registry.yml b/detections/endpoint/detect_remote_access_software_usage_registry.yml
@@ -1,7 +1,7 @@
 name: Detect Remote Access Software Usage Registry
 id: 33804986-25dd-43cf-bb6b-dc14956c7cbc
-version: 7
-date: '2025-05-02'
+version: 8
+date: '2025-06-10'
 author: Steven Dick
 status: production
 type: Anomaly
@@ -11,7 +11,6 @@ description: The following analytic detects when a known remote access software
   in the lookup include AnyDesk, GoToMyPC, LogMeIn, TeamViewer and much more. Review
   the lookup for the entire list and add any others.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` latest(Registry.process_guid) as
   process_guid  count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry
diff --git a/detections/endpoint/disable_defender_enhanced_notification.yml b/detections/endpoint/disable_defender_enhanced_notification.yml
@@ -1,7 +1,7 @@
 name: Disable Defender Enhanced Notification
 id: dc65678c-301f-11ec-8e30-acde48001122
-version: 10
-date: '2025-05-02'
+version: 11
+date: '2025-06-10'
 author: Teoderick Contreras, Splunk, Steven Dick
 status: production
 type: TTP
@@ -15,7 +15,6 @@ description: The following analytic detects the modification of the registry to
   mechanisms, maintain persistence, and escalate their activities without triggering
   alerts.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
   WHERE (Registry.registry_path = "*Microsoft\\Windows Defender\\Reporting*" Registry.registry_value_name
diff --git a/detections/endpoint/set_default_powershell_execution_policy_to_unrestricted_or_bypass.yml b/detections/endpoint/set_default_powershell_execution_policy_to_unrestricted_or_bypass.yml
@@ -1,7 +1,7 @@
 name: Set Default PowerShell Execution Policy To Unrestricted or Bypass
 id: c2590137-0b08-4985-9ec5-6ae23d92f63d
-version: 16
-date: '2025-05-02'
+version: 17
+date: '2025-06-10'
 author: Steven Dick, Patrick Bareiss, Splunk
 status: production
 type: TTP
@@ -13,7 +13,6 @@ description: The following analytic detects changes to the PowerShell ExecutionP
   confirmed malicious, this could enable an attacker to execute arbitrary code, leading
   to further compromise of the system and potential escalation of privileges.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
   WHERE (Registry.registry_path=*Software\\Microsoft\\Powershell\\1\\ShellIds\\Microsoft.PowerShell*
diff --git a/detections/endpoint/silentcleanup_uac_bypass.yml b/detections/endpoint/silentcleanup_uac_bypass.yml
@@ -1,7 +1,7 @@
 name: SilentCleanup UAC Bypass
 id: 56d7cfcc-da63-11eb-92d4-acde48001122
-version: 9
-date: '2025-05-02'
+version: 10
+date: '2025-06-10'
 author: Steven Dick, Teoderick Contreras, Splunk
 status: production
 type: TTP
@@ -14,7 +14,6 @@ description: The following analytic detects suspicious modifications to the regi
   this could lead to unauthorized administrative access, enabling further system compromise
   and persistence.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
   WHERE (Registry.registry_path= "*\\Environment\\windir" Registry.registry_value_data
diff --git a/detections/endpoint/windows_ad_dsrm_account_changes.yml b/detections/endpoint/windows_ad_dsrm_account_changes.yml
@@ -1,12 +1,11 @@
 name: Windows AD DSRM Account Changes
 id: 08cb291e-ea77-48e8-a95a-0799319bf056
-version: 7
-date: '2025-05-02'
+version: 8
+date: '2025-06-10'
 author: Dean Luxton
 type: TTP
 status: production
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 description: The following analytic identifies changes to the Directory Services Restore
   Mode (DSRM) account behavior via registry modifications. It detects alterations
diff --git a/detections/endpoint/windows_modify_registry_qakbot_binary_data_registry.yml b/detections/endpoint/windows_modify_registry_qakbot_binary_data_registry.yml
@@ -1,7 +1,7 @@
 name: Windows Modify Registry Qakbot Binary Data Registry
 id: 2e768497-04e0-4188-b800-70dd2be0e30d
-version: 8
-date: '2025-05-02'
+version: 9
+date: '2025-06-10'
 author: Teoderick Contreras, Bhavin Patel, Splunk
 status: production
 type: Anomaly
@@ -15,7 +15,6 @@ description:
   data. If confirmed malicious, this could allow attackers to maintain persistence
   and execute arbitrary code on the compromised system.
 data_source:
-  - Sysmon EventID 1 AND Sysmon EventID 12
   - Sysmon EventID 1 AND Sysmon EventID 13
 search:
   '| tstats `security_content_summariesonly` count dc(registry_value_name) as
diff --git a/detections/endpoint/windows_process_executed_from_removable_media.yml b/detections/endpoint/windows_process_executed_from_removable_media.yml
@@ -1,7 +1,7 @@
 name: Windows Process Executed From Removable Media
 id: b483804a-4cc0-49a4-9f00-ac29ba844d08
-version: 4
-date: '2025-05-02'
+version: 5
+date: '2025-06-10'
 author: Steven Dick
 status: production
 type: Anomaly
@@ -11,7 +11,6 @@ description: This analytic is used to identify when a removable media device is
   media devices for several malicious activities, including initial access, execution,
   and exfiltration.
 data_source:
-- Sysmon EventID 1 AND Sysmon EventID 12
 - Sysmon EventID 1 AND Sysmon EventID 13
 search: "| tstats `security_content_summariesonly` count values(Processes.process)\
   \ as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes\
diff --git a/detections/endpoint/windows_runmru_command_execution.yml b/detections/endpoint/windows_runmru_command_execution.yml
@@ -1,13 +1,10 @@
 name: Windows RunMRU Command Execution
 id: a15aa1ab-2b79-467f-8201-65e0f32d5b1a
-version: 7
-date: '2025-05-14'
+version: 8
+date: '2025-06-10'
 author: Nasreddine Bencherchali, Michael Haag, Splunk
-data_source:
-- Sysmon EventID 12
-- Sysmon EventID 13
-type: Anomaly
 status: production
+type: Anomaly
 description: The following analytic detects modifications to the Windows RunMRU registry
   key, which stores a history of commands executed through the Run dialog box (Windows+R).
   It leverages Endpoint Detection and Response (EDR) telemetry to monitor registry
@@ -16,6 +13,8 @@ description: The following analytic detects modifications to the Windows RunMRU
   If confirmed malicious, this could indicate an attacker using indirect command execution
   techniques for defense evasion or persistence. The detection excludes MRUList value
   changes to focus on actual command entries.
+data_source:
+- Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU*" NOT Registry.registry_value_name="MRUList" NOT Registry.registry_value_data="unknown" by Registry.dest Registry.registry_value_data Registry.action Registry.process_guid Registry.process_id Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_hive Registry.registry_value_name Registry.status Registry.vendor_product | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_runmru_command_execution_filter`'
 how_to_implement: The detection is based on data that originates from Endpoint Detection
   and Response (EDR) agents. These agents are designed to provide security-related
