splunk
diff --git a/‎detections/endpoint/windows_chrome_auto_update_disabled_via_registry.yml‎
Lines changed: 51 additions & 33 deletions b/‎detections/endpoint/windows_chrome_auto_update_disabled_via_registry.yml‎
Lines changed: 51 additions & 33 deletions
diff --git a/‎detections/endpoint/windows_chrome_enable_extension_loading_via_command_line.yml‎
Lines changed: 34 additions & 23 deletions b/‎detections/endpoint/windows_chrome_enable_extension_loading_via_command_line.yml‎
Lines changed: 34 additions & 23 deletions
diff --git a/‎detections/endpoint/windows_chrome_extension_allowed_registry_modification.yml‎
Lines changed: 7 additions & 7 deletions b/‎detections/endpoint/windows_chrome_extension_allowed_registry_modification.yml‎
Lines changed: 7 additions & 7 deletions
diff --git a/‎detections/endpoint/windows_chrome_extension_load_via_command_line.yml‎
Lines changed: 0 additions & 71 deletions b/‎detections/endpoint/windows_chrome_extension_load_via_command_line.yml‎
Lines changed: 0 additions & 71 deletions
@@ -1,36 +1,54 @@
 name: Windows Chrome Auto-Update Disabled via Registry
 id: 619eac6c-0f03-4699-ae29-5f337877bcf9
 version: 1
-date: '2025-12-17'
+date: '2026-01-12'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
-description: The following analytic detects modifications to Windows registry keys that disable Google Chrome auto-updates. Changes to keys such as DisableAutoUpdateChecksCheckboxValue = 1, Update{8A69D345-D564-463C-AFF1-A69D9E530F96} = 0, UpdateDefault = 0, and AutoUpdateCheckPeriodMinutes = 0 can prevent Chrome from receiving security updates. This behavior may indicate attempts to bypass update policies, maintain unauthorized extensions, or facilitate malware persistence. Monitoring these registry changes helps identify potential policy violations or malicious activity targeting browser security.
+description: |
+  The following analytic detects modifications to Windows registry values that disable Google Chrome auto-updates.
+  Changes to values such as DisableAutoUpdateChecksCheckboxValue = 1, Update{8A69D345-D564-463C-AFF1-A69D9E530F96} = 0, UpdateDefault = 0, and AutoUpdateCheckPeriodMinutes = 0 can prevent Chrome from receiving security updates.
+  This behavior may indicate attempts to bypass update policies, maintain unauthorized extensions, or facilitate malware persistence.
+  Monitoring these registry changes helps identify potential policy violations or malicious activity targeting browser security.
 data_source:
-- Sysmon EventID 13
-search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry 
-  
-  where Registry.registry_path = "*\\Google\\Update*" AND
-        (Registry.registry_value_name = "DisableAutoUpdateChecksCheckboxValue" AND Registry.registry_value_data = 0x00000001) OR
-        (Registry.registry_value_name = "Update{8A69D345-D564-463C-AFF1-A69D9E530F96}" AND Registry.registry_value_data = 0x00000000) OR
-        (Registry.registry_value_name = "UpdateDefault" AND Registry.registry_value_data = 0x00000000) OR
-        (Registry.registry_value_name = "AutoUpdateCheckPeriodMinutes" AND Registry.registry_value_data = 0x00000000) 
-        
-  by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path 
-     Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name
+  - Sysmon EventID 13
+search: |
+  | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry
+
+  where Registry.registry_path = "*\\Google\\Update*"
+        AND
+        (
+          Registry.registry_value_name = "DisableAutoUpdateChecksCheckboxValue"
+          Registry.registry_value_data = 0x00000001
+        )
+        OR
+        (
+          Registry.registry_value_name  IN (
+            "AutoUpdateCheckPeriodMinutes",
+            "Update{8A69D345-D564-463C-AFF1-A69D9E530F96}",
+            "UpdateDefault"
+          )
+          Registry.registry_value_data = 0x00000000
+        )
+
+  by Registry.action Registry.dest Registry.process_guid Registry.process_id
+     Registry.registry_hive Registry.registry_path Registry.registry_key_name
+     Registry.registry_value_data Registry.registry_value_name
      Registry.registry_value_type Registry.status Registry.user Registry.vendor_product
 
-  | `drop_dm_object_name(Registry)` 
-  | `security_content_ctime(firstTime)` 
-  | `security_content_ctime(lastTime)` 
-  | `windows_chrome_auto_update_disabled_via_registry_filter`'
-how_to_implement: To successfully implement this search, you need to be ingesting
+  | `drop_dm_object_name(Registry)`
+  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)`
+  | `windows_chrome_auto_update_disabled_via_registry_filter`
+how_to_implement: |
+  To successfully implement this search, you need to be ingesting
   logs with the registry value name, registry path, and registry value data from your
   endpoints. If you are using Sysmon, you must have at least version 2.0 of the official
   Sysmon TA. https://splunkbase.splunk.com/app/5709
-known_false_positives: IT administrators intentionally disabling auto-updates in managed environments for testing, compatibility, or deployment purposes.
+known_false_positives: |
+  IT administrators intentionally disabling auto-updates in managed environments for testing, compatibility, or deployment purposes.
 references:
-- https://www.gdatasoftware.com/blog/2025/11/38298-learning-about-browser-hijacking
+  - https://www.gdatasoftware.com/blog/2025/11/38298-learning-about-browser-hijacking
 drilldown_searches:
   - name: View the detection results for - "$dest$"
     search: '%original_detection_search% | search  dest = "$dest$"'
@@ -49,24 +67,24 @@ drilldown_searches:
 rba:
   message: Chrome Auto-update in $registry_path$ was disabled on $dest$
   risk_objects:
-  - field: dest
-    type: system
-    score: 20
+    - field: dest
+      type: system
+      score: 20
   threat_objects: []
 tags:
   analytic_story:
-  - Browser Hijacking
+    - Browser Hijacking
   asset_type: Endpoint
   mitre_attack_id:
-  - T1185
+    - T1185
   product:
-  - Splunk Enterprise
-  - Splunk Enterprise Security
-  - Splunk Cloud
+    - Splunk Enterprise
+    - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: endpoint
 tests:
-- name: True Positive Test
-  attack_data:
-  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1185/disable_chrome_update/disable_chrome_update.log
-    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
-    sourcetype: XmlWinEventLog
+  - name: True Positive Test
+    attack_data:
+    - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1185/disable_chrome_update/disable_chrome_update.log
+      source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+      sourcetype: XmlWinEventLog
@@ -1,26 +1,33 @@
 name: Windows Chrome Enable Extension Loading via Command-Line
 id: da355155-1d23-48f9-bf95-e534ae273ab0
 version: 1
-date: '2025-12-17'
+date: '2026-01-12'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
-description: The following analytic detects instances where Google Chrome is started with the --disable-features=DisableLoadExtensionCommandLineSwitch flag, effectively enabling the loading of extensions via the command line. This may indicate attempts to bypass enterprise extension policies, load unauthorized or malicious extensions, or manipulate browser behavior. Monitoring this activity helps identify potential security policy violations, malware persistence techniques, or other suspicious Chrome modifications.
+description: |
+  The following analytic detects instances where Google Chrome is started with the --disable-features=DisableLoadExtensionCommandLineSwitch flag, effectively enabling the loading of extensions via the command line.
+  This may indicate attempts to bypass enterprise extension policies, load unauthorized or malicious extensions, or manipulate browser behavior.
+  Monitoring this activity helps identify potential security policy violations, malware persistence techniques, or other suspicious Chrome modifications.
 data_source:
 - Sysmon EventID 1
 - Windows Event Log Security 4688
 - CrowdStrike ProcessRollup2
-search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes 
-  where  Processes.process_name = "Chrome.exe" Processes.process= "*--disable-features=DisableLoadExtensionCommandLineSwitch*"
+search: |
+  | tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime
+  from datamodel=Endpoint.Processes where
+    Processes.process_name = "Chrome.exe"
+    Processes.process= "*--disable-features*"
+    Processes.process= "*DisableLoadExtensionCommandLineSwitch*"
   by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
-  Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
-  Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec
-  Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level
-  Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
-  | `drop_dm_object_name(Processes)` 
-  | `security_content_ctime(firstTime)` 
-  | `security_content_ctime(lastTime)` 
-  | `windows_chrome_enable_extension_loading_via_command_line_filter`'
+     Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
+     Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec
+     Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level
+     Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
+  | `drop_dm_object_name(Processes)`
+  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)`
+  | `windows_chrome_enable_extension_loading_via_command_line_filter`
 how_to_implement: To successfully implement this search you need to be ingesting information
   on process that include the name of the process responsible for the changes from
   your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition,
@@ -44,28 +51,32 @@ drilldown_searches:
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
 rba:
-  message: a chrome.exe process commandline $process$ that enable browser extension loading in commandline on $dest$.
+  message: A $process_name$ process attempted to enable browser extension loading via command line $process$ on $dest$.
   risk_objects:
   - field: dest
     type: system
     score: 30
   threat_objects:
   - field: parent_process_name
     type: parent_process_name
+  - field: process_name
+    type: process_name
+  - field: process
+    type: process
 tags:
   analytic_story:
-  - Browser Hijacking
+    - Browser Hijacking
   asset_type: Endpoint
   mitre_attack_id:
-  - T1185
+    - T1185
   product:
-  - Splunk Enterprise
-  - Splunk Enterprise Security
-  - Splunk Cloud
+    - Splunk Enterprise
+    - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: endpoint
 tests:
-- name: True Positive Test
-  attack_data:
-  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1185/chrome_load_extensions/chrome_load_extension.log
-    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
-    sourcetype: XmlWinEventLog
+  - name: True Positive Test
+    attack_data:
+    - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1185/chrome_load_extensions/chrome_load_extension.log
+      source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+      sourcetype: XmlWinEventLog
@@ -1,21 +1,21 @@
 name: Windows Chrome Extension Allowed Registry Modification
 id: 2846089a-ffe9-4881-a2a2-43f3be2b8cc7
 version: 1
-date: '2025-12-17'
+date: '2026-01-12'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
 description: The following analytic detects modifications to the Windows registry keys that control the Chrome Extension Install Allowlist. Unauthorized changes to these keys may indicate attempts to bypass Chrome extension restrictions or install unapproved extensions. This detection helps identify potential security policy violations or malicious activity targeting Chrome extension settings.
 data_source:
-- Sysmon EventID 13
-search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry 
+  - Sysmon EventID 13
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry
   where Registry.registry_path = "*\\Google\\Chrome\\ExtensionInstallAllowlist*"
   by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path
   Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name
   Registry.registry_value_type Registry.status Registry.user Registry.vendor_product
-  | `drop_dm_object_name(Registry)` 
-  | `security_content_ctime(firstTime)` 
-  | `security_content_ctime(lastTime)` 
+  | `drop_dm_object_name(Registry)`
+  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)`
   | `windows_chrome_extension_allowed_registry_modification_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting
   logs with the registry value name, registry path, and registry value data from your
@@ -40,7 +40,7 @@ drilldown_searches:
     earliest_offset: $info_min_time$
     latest_offset: $info_max_time$
 rba:
-  message: ExtensionInstallAllowlist Policy in $registry_path$ was modified on $dest$
+  message: Chrome ExtensionInstallAllowlist Policy in $registry_path$ was modified on $dest$
   risk_objects:
   - field: dest
     type: system