adding nltm objects

patel-bhavin · patel-bhavin · commit c5eb9374a365 · 2025-02-21T12:49:37.000-08:00
diff --git a/data_sources/ntlm_operational_8004.yml b/data_sources/ntlm_operational_8004.yml
@@ -0,0 +1,16 @@
+name: NTLM Operational 8004
+id: fd08cb77-c26e-464c-a43e-2867e232127e
+version: 1
+date: '2025-02-21'
+author: Bhavin Patel, Splunk
+description: Data source object for NTLM Operational 8004
+source: XmlWinEventLog:Microsoft-Windows-NTLM/Operational
+sourcetype: XmlWinEventLog:Microsoft-Windows-NTLM/Operational
+separator: EventCode
+supported_TA:
+- name: Splunk Add-on for Microsoft Windows
+  url: https://splunkbase.splunk.com/app/742
+  version: 9.0.1
+fields:
+- _time
+example_log: |-
diff --git a/data_sources/ntlm_operational_8005.yml b/data_sources/ntlm_operational_8005.yml
@@ -0,0 +1,16 @@
+name: NTLM Operational 8005
+id: ad15a1cf-4b21-43de-81e4-6307c69172fb
+version: 1
+date: '2025-02-21'
+author: Bhavin Patel, Splunk
+description: Data source object for NTLM Operational 8005
+source: XmlWinEventLog:Microsoft-Windows-NTLM/Operational
+sourcetype: XmlWinEventLog:Microsoft-Windows-NTLM/Operational
+separator: EventCode
+supported_TA:
+- name: Splunk Add-on for Microsoft Windows
+  url: https://splunkbase.splunk.com/app/742
+  version: 9.0.1
+fields:
+- _time
+example_log: |-
diff --git a/data_sources/ntlm_operational_8006.yml b/data_sources/ntlm_operational_8006.yml
@@ -0,0 +1,16 @@
+name: NTLM Operational 8006
+id: 9f50a672-6f7d-4621-a3bd-69468c6b7a7f
+version: 1
+date: '2025-02-21'
+author: Bhavin Patel, Splunk
+description: Data source object for NTLM Operational 8006
+source: XmlWinEventLog:Microsoft-Windows-NTLM/Operational
+sourcetype: XmlWinEventLog:Microsoft-Windows-NTLM/Operational
+separator: EventCode
+supported_TA:
+- name: Splunk Add-on for Microsoft Windows
+  url: https://splunkbase.splunk.com/app/742
+  version: 9.0.1
+fields:
+- _time
+example_log: |-
diff --git a/detections/endpoint/windows_multiple_ntlm_null_domain_authentications.yml b/detections/endpoint/windows_multiple_ntlm_null_domain_authentications.yml
@@ -12,7 +12,9 @@ description: The following analytic detects when a device is the target of numer
   a large number of EventID 4776 events in tandem, however these events will not indicate
   the attacker or target device
 data_source:
-- NTLM Operational 8004,8005,8006
+- NTLM Operational 8004
+- NTLM Operational 8005
+- NTLM Operational 8006
 search: '`ntlm_audit` EventCode IN (8004,8005,8006) DomainName=NULL UserName!=NULL
   | eval src = replace(WorkstationName,"\\\\","")  ```CIM alignment, remove leading
   \\ from some auth attempts ``` | eval dest = SChannelName, user = UserName ``` CIM
diff --git a/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_source.yml b/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_source.yml
@@ -11,7 +11,9 @@ description: The following analytic detects when an unusual number NTLM authenti
   to a multiple domain joined Windows devices using an NTLM based process/attack.
   This same activity may also generate a large number of EventID 4776 events as well.
 data_source:
-- NTLM Operational 8004,8005,8006
+- NTLM Operational 8004
+- NTLM Operational 8005
+- NTLM Operational 8006
 search: '`ntlm_audit` EventCode = 8004 SChannelName=* WorkstationName=* | eval src
   = replace(WorkstationName,"\\\\","")  ```CIM alignment, remove leading \\ from some
   auth attempts ``` | eval dest = SChannelName, user = UserName ``` CIM alignment```
diff --git a/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_user.yml b/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_user.yml
@@ -11,7 +11,9 @@ description: The following analytic detects when an unusual number of NTLM authe
   authenticate to numerous domain joined Windows devices using an NTLM based process/attack.
   This same activity may also generate a large number of EventID 4776 events as well.
 data_source:
-- NTLM Operational 8004,8005,8006
+- NTLM Operational 8004
+- NTLM Operational 8005
+- NTLM Operational 8006
 search: '`ntlm_audit` EventCode = 8004 SChannelName=* WorkstationName=* | eval src
   = replace(WorkstationName,"\\\\","")  ```CIM alignment, remove leading \\ from some
   auth attempts ``` | eval dest = SChannelName, user = UserName ``` CIM alignment```
diff --git a/detections/endpoint/windows_unusual_ntlm_authentication_users_by_destination.yml b/detections/endpoint/windows_unusual_ntlm_authentication_users_by_destination.yml
@@ -12,7 +12,9 @@ description: The following analytic detects when a device is the target of numer
   a large number of EventID 4776 events in tandem, however these events will not indicate
   the attacker or target device.
 data_source:
-- NTLM Operational 8004,8005,8006
+- NTLM Operational 8004
+- NTLM Operational 8005
+- NTLM Operational 8006
 search: '`ntlm_audit` EventCode = 8004 SChannelName=* WorkstationName=* | eval src
   = replace(WorkstationName,"\\\\","")  ```CIM alignment, remove leading \\ from some
   auth attempts ``` | eval dest = SChannelName, user = UserName ``` CIM alignment```
diff --git a/detections/endpoint/windows_unusual_ntlm_authentication_users_by_source.yml b/detections/endpoint/windows_unusual_ntlm_authentication_users_by_source.yml
@@ -11,7 +11,9 @@ description: The following analytic detects when an unusual number of NTLM authe
   Windows device using an NTLM based process/attack. This same activity may also generate
   a large number of EventID 4776 events in as well.
 data_source:
-- NTLM Operational 8004,8005,8006
+- NTLM Operational 8004
+- NTLM Operational 8005
+- NTLM Operational 8006
 search: '`ntlm_audit` EventCode = 8004 SChannelName=* WorkstationName=* | eval src
   = replace(WorkstationName,"\\\\","")  ```CIM alignment, remove leading \\ from some
   auth attempts ``` | eval dest = SChannelName, user = UserName ``` CIM alignment```
