More stragglers

ljstella · ljstella · commit ad772ee1eeae · 2025-01-09T14:57:36.000-06:00
diff --git a/detections/endpoint/windows_detect_network_scanner_behavior.yml b/detections/endpoint/windows_detect_network_scanner_behavior.yml
@@ -1,7 +1,7 @@
 name: Windows Detect Network Scanner Behavior
 id: 78e678d2-bf64-4fe6-aa52-2f7b11dddee7
-version: 1
-date: '2024-12-26'
+version: 2
+date: '2025-01-09'
 author: Steven Dick
 status: production
 type: Anomaly
@@ -29,31 +29,29 @@ drilldown_searches:
   search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
+rba:
+  message: A process exhibiting network scanning behavior [$process_name$] was detected on $src$
+  risk_objects:
+  - field: src
+    type: system
+    score: 25
+  - field: user
+    type: user
+    score: 25
+  threat_objects:
+  - field: process_name
+    type: process_name
 tags:
   analytic_story:
   - Network Discovery
   - Windows Discovery Techniques
   asset_type: Endpoint
   confidence: 50
   impact: 50
-  message: A process exhibiting network scanning behavior [$process_name$] was detected on $src$
   mitre_attack_id: 
   - T1595
   - T1595.001
   - T1595.002
-  observable: 
-  - name: src
-    type: IP Address
-    role:
-    - Victim
-  - name: user
-    type: User
-    role:
-    - Victim
-  - name: process_name
-    type: Process
-    role:
-    - Attacker
   product: 
   - Splunk Enterprise
   - Splunk Enterprise Security
diff --git a/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml b/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml
@@ -1,7 +1,7 @@
 name: Windows Process With NetExec Command Line Parameters
 id: adbff89c-c1f2-4a2e-88a4-b5e645856510
-version: 1
-date: '2024-12-19'
+version: 2
+date: '2025-01-09'
 author: Steven Dick, Github Community
 status: production
 type: TTP
@@ -34,33 +34,31 @@ drilldown_searches:
   search: '| from datamodel:Endpoint.Processes | search dest=$dest$ process_name = $process_name$'
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
+rba: 
+  message: NetExec command line parameters were used on $dest$ by $user$
+  risk_objects: 
+  - field: user
+    type: user
+    score: 64
+  - field: dest
+    type: system
+    score: 64
+  threat_objects:
+  - field: parent_process_name
+    type: parent_process_name
 tags:
   analytic_story: 
   - Active Directory Kerberos Attacks
   - Active Directory Privilege Escalation
   asset_type: Endpoint
   confidence: 80
   impact: 80
-  message: NetExec command line parameters were used on $dest$ by $user$
   mitre_attack_id: 
   - T1550
   - T1550.003
   - T1558
   - T1558.003
   - T1558.004
-  observable: 
-  - name: user
-    type: User
-    role:
-    - Victim
-  - name: dest
-    type: Hostname
-    role:
-    - Victim
-  - name: parent_process_name
-    type: Process
-    role:
-    - Attacker
   product: 
   - Splunk Enterprise
   - Splunk Enterprise Security
