quick fixes and updates

Author: nasbench

detections/endpoint/cmd_carry_out_string_command_parameter.yml

@@ -1,6 +1,6 @@
 name: CMD Carry Out String Command Parameter
 id: 54a6ed00-3256-11ec-b031-acde48001122
-version: '12'
+version: 12
 date: '2025-05-26'
 author: Teoderick Contreras, Bhavin Patel, Splunk
 status: production

detections/endpoint/hiding_files_and_directories_with_attrib_exe.yml

@@ -1,6 +1,6 @@
 name: Hiding Files And Directories With Attrib exe
 id: 6e5a3ae4-90a3-462d-9aa6-0119f638c0f1
-version: '13'
+version: 13
 date: '2025-05-26'
 author: Bhavin Patel, Splunk
 status: production

detections/endpoint/lolbas_with_network_traffic.yml

@@ -1,6 +1,6 @@
 name: LOLBAS With Network Traffic
 id: 2820f032-19eb-497e-8642-25b04a880359
-version: '11'
+version: 11
 date: '2025-05-26'
 author: Steven Dick
 status: production

detections/endpoint/windows_chromium_browser_no_security_sandbox_process.yml

@@ -5,13 +5,16 @@ date: '2025-05-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
-description: The following analytic detects instances where a Chrome or Chromium-based browser is launched with the --no-sandbox flag, a known indicator of potentially malicious or suspicious behavior. While this flag is occasionally used during software development or testing, it is rarely seen in normal user activity. Threat actors often abuse this setting to disable Chrome’s built-in security sandbox, making it easier to execute malicious code or escape browser isolation. This behavior is commonly observed in malware droppers or loaders that embed Chromium components for command and control, credential theft, or UI spoofing. Analysts should investigate such events, especially if they originate from unusual parent processes (e.g., powershell.exe, cmd.exe, or unknown binaries), or if accompanied by other indicators such as file drops, process injection, or outbound network activity. Filtering by command-line arguments and process ancestry can help reduce false positives and surface high-fidelity detections.
+description: |
+  The following analytic detects instances where a Chrome or Chromium-based browser is launched with the --no-sandbox flag, a known indicator of potentially malicious or suspicious behavior. While this flag is occasionally used during software development or testing, it is rarely seen in normal user activity. Threat actors often abuse this setting to disable Chrome's built-in security sandbox, making it easier to execute malicious code or escape browser isolation. This behavior is commonly observed in malware droppers or loaders that embed Chromium components for command and control, credential theft, or UI spoofing. Analysts should investigate such events, especially if they originate from unusual parent processes (e.g., powershell.exe, cmd.exe, or unknown binaries), or if accompanied by other indicators such as file drops, process injection, or outbound network activity. Filtering by command-line arguments and process ancestry can help reduce false positives and surface high-fidelity detections.
 data_source:
 - Sysmon EventID 1
 - Windows Event Log Security 4688
 - CrowdStrike ProcessRollup2
-search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time)
-  as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("chrome.exe","Brave.exe", "Opera.exe", "Vivaldi.exe")
+search: |
+  | tstats `security_content_summariesonly` min(_time) as firstTime max(_time)
+  as lastTime from datamodel=Endpoint.Processes where 
+  Processes.process_name IN ("Chrome.exe","Brave.exe", "Opera.exe", "Vivaldi.exe", "msedge.exe")
   Processes.process = "*--no-sandbox*" 
   by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
   Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
@@ -21,8 +24,9 @@ search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_
   | `drop_dm_object_name(Processes)` 
   | `security_content_ctime(firstTime)` 
   | `security_content_ctime(lastTime)`
-  | `windows_chromium_browser_no_security_sandbox_process_filter`'
-how_to_implement: To successfully implement this search you need to be ingesting information
+  | `windows_chromium_browser_no_security_sandbox_process_filter`
+how_to_implement: |
+  To successfully implement this search you need to be ingesting information
   on process that include the name of the process responsible for the changes from
   your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition,
   confirm the latest CIM App 4.20 or higher is installed and the latest TA for the
@@ -46,7 +50,7 @@ drilldown_searches:
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
 rba:
-  message: A chrome process with the --no-sandbox flag was launched on $dest$ by user $user$.
+  message: A chromium process with the --no-sandbox flag was launched on $dest$ by user $user$.
   risk_objects:
   - field: dest
     type: system

detections/endpoint/windows_chromium_browser_with_custom_user_data_directory.yml

@@ -5,14 +5,18 @@ date: '2025-05-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
-description: The following analytic detects instances where the Chromium-based browser (e.g., Google Chrome, Microsoft Edge) is launched with the --user-data-dir command-line argument. While this flag is legitimate and used for multi-profile support or automation, it is frequently leveraged by malware and adversaries to run Chrome in an isolated environment for stealth operations, credential harvesting, phishing delivery, or evasion of user session artifacts.
+description: |
+  The following analytic detects instances where the Chromium-based browser (e.g., Google Chrome, Microsoft Edge) is launched with the --user-data-dir command-line argument. While this flag is legitimate and used for multi-profile support or automation, it is frequently leveraged by malware and adversaries to run Chrome in an isolated environment for stealth operations, credential harvesting, phishing delivery, or evasion of user session artifacts.
 data_source:
 - Sysmon EventID 1
 - Windows Event Log Security 4688
 - CrowdStrike ProcessRollup2
-search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time)
-  as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("chrome.exe", "msedge.exe", "brave.exe")
-  Processes.process = "*--user-data-dir*" Processes.process IN ("*--disable-gpu*", "*--disable-3d-apis*")
+search: |
+  | tstats `security_content_summariesonly` min(_time) as firstTime max(_time)
+  as lastTime from datamodel=Endpoint.Processes where 
+  Processes.process_name IN ("Chrome.exe","Brave.exe", "Opera.exe", "Vivaldi.exe", "msedge.exe")
+  Processes.process = "*--user-data-dir*" 
+  Processes.process IN ("*--disable-gpu*", "*--disable-3d-apis*")
   by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
   Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
   Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec
@@ -21,8 +25,9 @@ search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_
   | `drop_dm_object_name(Processes)` 
   | `security_content_ctime(firstTime)` 
   | `security_content_ctime(lastTime)` 
-  | `windows_chromium_browser_with_custom_user_data_directory_filter`'
-how_to_implement: To successfully implement this search you need to be ingesting information
+  | `windows_chromium_browser_with_custom_user_data_directory_filter`
+how_to_implement: |
+  To successfully implement this search you need to be ingesting information
   on process that include the name of the process responsible for the changes from
   your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition,
   confirm the latest CIM App 4.20 or higher is installed and the latest TA for the
@@ -46,7 +51,7 @@ drilldown_searches:
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
 rba:
-  message: A chrome process with the --user-data-dir flag was launched on $dest$ by user $user$.
+  message: A chromium process with the --user-data-dir flag was launched on $dest$ by user $user$.
   risk_objects:
   - field: dest
     type: system

detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml

@@ -1,6 +1,6 @@
 name: Windows Credentials from Password Stores Chrome LocalState Access
 id: 3b1d09a8-a26f-473e-a510-6c6613573657
-version: '12'
+version: 12
 date: '2025-05-26'
 author: Teoderick Contreras, Splunk
 status: production

detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml

@@ -1,6 +1,6 @@
 name: Windows Credentials from Password Stores Chrome Login Data Access
 id: 0d32ba37-80fc-4429-809c-0ba15801aeaf
-version: '12'
+version: 12
 date: '2025-05-26'
 author: Teoderick Contreras, Splunk
 status: production

detections/endpoint/windows_disable_browser_extensions.yml renamed to detections/endpoint/windows_disable_internet_explorer_addons.yml

@@ -1,18 +1,21 @@
-name: Windows Disable Browser Extensions
+name: Windows Disable Internet Explorer Addons
 id: 65224d8b-b95d-44ec-bb44-408d830c1258
 version: 1
 date: '2025-05-26'
 author: Teoderick Contreras, Splunk
 status: production
-type: TTP
-description: The following analytic detects the execution of iexplore.exe (Internet Explorer) with the -extoff command-line flag, which disables all browser extensions. This flag is commonly abused by adversaries to launch a clean browser session that bypasses security controls such as antivirus browser extensions, toolbars, or group policy-enforced add-ons.
+type: Anomaly
+description: |
+  The following analytic detects the execution of iexplore.exe (Internet Explorer) with the -extoff command-line flag, which disables all browser extensions. This flag is commonly abused by adversaries to launch a clean browser session that bypasses security controls such as antivirus browser extensions, toolbars, or group policy-enforced add-ons.
   Malicious documents or scripts may leverage iexplore.exe -extoff to open phishing pages, command-and-control interfaces, or download additional payloads in an environment free from security monitoring plugins. While this flag may be used legitimately by IT administrators for troubleshooting purposes, its use in modern enterprise environments is rare and should be considered suspicious—particularly when launched by Office applications, scripting engines (e.g., PowerShell, WScript), or scheduled tasks.
 data_source:
 - Sysmon EventID 1
 - Windows Event Log Security 4688
 - CrowdStrike ProcessRollup2
-search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time)
-  as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "iexplore.exe"
+search: |
+  | tstats `security_content_summariesonly` min(_time) as firstTime max(_time)
+  as lastTime from datamodel=Endpoint.Processes where 
+  (Processes.process_name = "iexplore.exe" OR Processes.original_file_name="IEXPLORE.EXE")
   Processes.process = "*-extoff*" 
   by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
   Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
@@ -22,7 +25,7 @@ search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_
   | `drop_dm_object_name(Processes)` 
   | `security_content_ctime(firstTime)` 
   | `security_content_ctime(lastTime)` 
-  | `windows_disable_browser_extensions_filter`'
+  | `windows_disable_internet_explorer_addons_filter`
 how_to_implement: To successfully implement this search you need to be ingesting information
   on process that include the name of the process responsible for the changes from
   your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition,
@@ -47,7 +50,7 @@ drilldown_searches:
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
 rba:
-  message: A iexplore.exe process with the -extoff flag was launched on $dest$ by user $user$.
+  message: An iexplore.exe process with the -extoff flag was launched on $dest$ by user $user$.
   risk_objects:
   - field: dest
     type: system

detections/endpoint/windows_dll_search_order_hijacking_hunt_with_sysmon.yml

@@ -1,6 +1,6 @@
 name: Windows DLL Search Order Hijacking Hunt with Sysmon
 id: 79c7d1fc-64c7-91be-a616-ccda752efe81
-version: '11'
+version: 11
 date: '2025-05-26'
 author: Michael Haag, Splunk
 status: production

detections/endpoint/windows_process_with_tinyurl_dns_query.yml renamed to detections/endpoint/windows_dns_query_request_to_tinyurl.yml

@@ -1,26 +1,40 @@
-name: Windows Process with TinyUrl DNS Query
+name: Windows DNS Query Request To TinyUrl
 id: b1ea79da-719c-437c-acaf-5c93f838f425
 version: 1
 date: '2025-06-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
-description: The following analytic detects a suspicious process making DNS queries to known URL shortening services, specifically tinyurl.com. URL shorteners are frequently used by threat actors to obfuscate malicious destinations, including phishing pages, malware distribution sites, or command-and-control (C2) endpoints. While tinyurl.com is a legitimate service, its use in enterprise environments—particularly by non-browser processes or scripts—should be considered suspicious, especially if correlated with subsequent outbound connections, file downloads, process file path or credential prompts. Analysts should investigate the source process, execution context, and destination domain to determine intent and risk.
+description: |
+  The following analytic detects a process located in a potentially suspicious location making DNS queries to known URL shortening services, specifically tinyurl.
+  URL shorteners are frequently used by threat actors to obfuscate malicious destinations, including phishing pages, malware distribution sites, or command-and-control (C2) endpoints. 
+  While tinyurl.com is a legitimate service, its use in enterprise environments—particularly by non-browser processes or scripts—should be considered suspicious, especially if correlated with subsequent outbound connections, file downloads, process file path or credential prompts. Analysts should investigate the source process, execution context, and destination domain to determine intent and risk.
 data_source:
 - Sysmon EventID 22
-search: '`sysmon` EventCode=22 QueryName = "tinyurl.com"
-  Image IN ("*\\users\\public\\*", "*\\programdata\\*", "*\\temp\\*", "*\\Windows\\Tasks\\*", "*\\appdata\\*", "*\\perflogs\\*") 
+search: |
+  `sysmon` 
+  EventCode=22 
+  QueryName = "tinyurl.com"
+  Image IN (
+    "*\\AppData\\*",
+    "*\\Perflogs\\*",
+    "*\\ProgramData\\*",
+    "*\\Temp\\*",
+    "*\\Users\\Public\\*",
+    "*\\Windows\\Tasks\\*"
+    ) 
   | stats count min(_time) as firstTime max(_time) as lastTime 
-  by answer answer_count dvc process_exec process_guid process_name query query_count reply_code_id signature signature_id src user_id vendor_product QueryName 
-  QueryResults QueryStatus 
+    by answer answer_count dvc process_exec process_guid process_name query query_count 
+       reply_code_id signature signature_id src user_id vendor_product QueryName QueryResults QueryStatus 
   | `security_content_ctime(firstTime)` 
   | `security_content_ctime(lastTime)` 
-  | `windows_process_with_tinyurl_dns_query_filter`'
-how_to_implement: This detection relies on sysmon logs with the Event ID 22, DNS Query.
+  | `windows_dns_query_request_to_tinyurl_filter`
+how_to_implement: |
+  This detection relies on sysmon logs with the Event ID 22, DNS Query.
   We suggest you run this detection at least once a day over the last 14 days.
-known_false_positives: Noise and false positive can be seen if the following instant
-  messaging is allowed to use within corporate network. In this case, a filter is
-  needed.
+known_false_positives: |
+  Noise and false positive can be seen if the following instant 
+  messaging is allowed to use within corporate network. In this case, a filter is needed.
 references:
 - https://x.com/Unit42_Intel/status/1919418143476199869
 drilldown_searches: