update additional analytics

nasbench · nasbench · commit c1bee7dc5864 · 2025-01-17T12:57:09.000+01:00
diff --git a/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml b/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml
@@ -1,14 +1,14 @@
-name: PowerShell Loading DotNET into Memory via Reflection
+name: PowerShell Loading DotNET Into Memory via Reflection
 id: 85bc3f30-ca28-11eb-bd21-acde48001122
-version: 5
-date: '2024-09-30'
+version: 6
+date: '2025-01-16'
 author: Michael Haag, Splunk
 status: production
-type: TTP
+type: Anomaly
 data_source:
 - Powershell Script Block Logging 4104
-description: The following analytic detects the use of PowerShell to load .NET assemblies into memory via reflection, a technique often used in malicious activities such as those by Empire and Cobalt Strike. It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze the full command executed. This behavior is significant as it can indicate advanced attack techniques aiming to execute code in memory, bypassing traditional defenses. If confirmed malicious, this activity could lead to unauthorized code execution, privilege escalation, and persistent access within the environment.
-search: '`powershell` EventCode=4104 ScriptBlockText IN ("*[system.reflection.assembly]::load(*","*[reflection.assembly]*", "*reflection.assembly*") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_loading_dotnet_into_memory_via_reflection_filter`'
+description: The following analytic detects the use of PowerShell scripts to load .NET assemblies into memory via reflection, a technique often used in malicious activities such as those by Empire and Cobalt Strike. It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze the full command executed. This behavior is significant as it can indicate advanced attack techniques aiming to execute code in memory, bypassing traditional defenses. If confirmed malicious, this activity could lead to unauthorized code execution, privilege escalation, and persistent access within the environment.
+search: '`powershell` EventCode=4104 ScriptBlockText IN ("*Reflection.Assembly]::Load*", "*Reflection.Assembly.Load*", "*UnsafeLoadFrom*", "*.LoadFrom(*", "*.LoadModule(*", "*.LoadWithPartialName*", "*ReflectionOnlyLoad*") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_loading_dotnet_into_memory_via_reflection_filter`'
 how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
 known_false_positives: False positives should be limited as day to day scripts do not use this method.
 references:
@@ -37,7 +37,7 @@ tags:
   asset_type: Endpoint
   confidence: 80
   impact: 70
-  message: A suspicious powershell script contains reflective class assembly command in $ScriptBlockText$ to load .net code in memory with EventCode $EventCode$ in host $Computer$
+  message: A suspicious powershell script that contains calls to reflective class assembly command in $ScriptBlockText$ is potentially trying to load malicious .NET code in memory in host $Computer$
   mitre_attack_id:
   - T1059
   - T1059.001
diff --git a/detections/endpoint/windows_new_default_file_association_value_set.yml b/detections/endpoint/windows_new_default_file_association_value_set.yml
@@ -1,17 +1,16 @@
-name: Windows Change Default File Association
+name: Windows New Default File Association Value Set
 id: 462d17d8-1f71-11ec-ad07-acde48001122
 version: 4
 date: '2025-01-15'
 author: Teoderick Contreras, Splunk
 status: production
-type: Anomaly
-description: The following analytic detects suspicious registry modifications that change the default file association to execute a malicious payload. It leverages data from the Endpoint data model, specifically monitoring registry paths under "*\\shell\\open\\command\\*" and "*HKCR\\*". This activity is significant because altering default file associations can allow attackers to execute arbitrary scripts or payloads when a user opens a file, leading to potential code execution. If confirmed malicious, this technique can enable attackers to persist on the compromised host and execute further malicious commands, posing a severe threat to the environment.
+type: Hunting
+description: The following analytic detects registry changes to the default file association value. It leverages data from the Endpoint data model, specifically monitoring registry paths under "HKCR\\*\\shell\\open\\command\\*". This activity can be significant because, attackers might alter the default file associations in order to execute arbitrary scripts or payloads when a user opens a file, leading to potential code execution. If confirmed malicious, this technique can enable attackers to persist on the compromised host and execute further malicious commands, posing a severe threat to the environment.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
-search: '| tstats `security_content_summariesonly` count  min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path="*\\shell\\open\\command\\*" Registry.registry_path="*HKCR\\*" by Registry.dest  Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `windows_change_default_file_association_filter`'
+search: '| tstats `security_content_summariesonly` count  min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path="*\\shell\\open\\command\\*" Registry.registry_path IN ("*HKCR\\*", "*HKEY_CLASSES_ROOT\\*") by Registry.dest  Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `windows_new_default_file_association_value_set_filter`'
 how_to_implement: To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.
-known_false_positives: unknown
+known_false_positives: Windows and third party software will create and modify these file associations during installation or upgrades. Additional filters needs to be applied to tune environment specific false positives.
 references:
 - https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/privilege-escalation/untitled-3/accessibility-features
 drilldown_searches:
@@ -32,9 +31,9 @@ tags:
   - Windows Persistence Techniques
   - Data Destruction
   asset_type: Endpoint
-  confidence: 100
-  impact: 80
-  message: Registry path $registry_path$ was modified, added, or deleted in $dest$.
+  confidence: 50
+  impact: 50
+  message: Default file association for $registry_path$ was modified to $registry_value_data$ in $dest$.
   mitre_attack_id:
   - T1546.001
   - T1546
@@ -58,7 +57,7 @@ tags:
   - Registry.registry_path
   - Registry.registry_key_name
   - Registry.registry_value_name
-  risk_score: 80
+  risk_score: 25
   security_domain: endpoint
 tests:
 - name: True Positive Test
