headless_bee

Author: tccontre

detections/endpoint/windows_anonymous_pipe_activity.yml

@@ -0,0 +1,63 @@
+name: Windows Anonymous Pipe Activity
+id: ee301e1e-cd81-4011-a911-e5f049b9e3d5
+version: 1
+date: '2025-02-11'
+author: Teoderick Contreras, Splunk
+status: production
+type: Anomaly
+description: The following analytic detects the creation or connection of anonymous pipes for inter-process communication (IPC) within a Windows environment. Anonymous pipes are commonly used by legitimate system processes, services, and applications to transfer data between related processes. However, adversaries frequently abuse anonymous pipes to facilitate stealthy process injection, command-and-control (C2) communication, credential theft, or privilege escalation. This detection monitors for unusual anonymous pipe activity, particularly involving non-system processes, unsigned executables, or unexpected parent-child process relationships. While legitimate use cases exist—such as Windows services, software installers, or security tools—unusual or high-frequency anonymous pipe activity should be investigated for potential malware, persistence mechanisms, or lateral movement techniques.
+data_source:
+- __UPDATE__ zero or more data_sources
+search: '`sysmon` EventCode IN (17,18) PipeName="*Anonymous Pipe*" NOT( Image IN ("*\\Program Files\\*"))
+  | stats  min(_time) as firstTime max(_time) as lastTime count by dest user EventCode PipeName signature Image process_id process_guid EventType 
+  | rename Image as process_name 
+  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)`
+  | `windows_anonymous_pipe_activity_filter`'
+how_to_implement:  To successfully implement this search, you need to be ingesting
+  logs with the process name and pipename from your endpoints. If you are using Sysmon,
+  you must have at least version 6.0.4 of the Sysmon TA. .
+known_false_positives: Automation tool might use anonymous pipe for task orchestration or process communication.
+references:
+- https://www.trendmicro.com/en_nl/research/24/k/earth-estries.html
+drilldown_searches:
+- name: View the detection results for - "$dest$"
+  search: '%original_detection_search% | search  dest = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
+    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: An anonymous Pipe Channel activity on [$dest$].
+  risk_objects:
+  - field: dest
+    type: system
+    score: 30
+  - field: user
+    type: user
+tags:
+  analytic_story:
+  - SnappyBee
+  - Nexus APT Threat Activity
+  - Earth Estries
+  asset_type: Endpoint
+  mitre_attack_id:
+  - T1559
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1559/anonymous_pipe/anonymouspipe.log
+    sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    source: XmlWinEventLog

detections/endpoint/windows_create_test_registry.yml

@@ -0,0 +1,66 @@
+name: Windows Create Test Registry
+id: 80402396-d78a-4c6e-ade5-7697ea670adf
+version: 1
+date: '2025-02-11'
+author: Teoderick Contreras, Splunk
+status: production
+type: TTP
+description: The following analytic detects modifications to the Windows registry under `SOFTWARE\Microsoft\Test`, a location rarely used by legitimate applications in a production environment. Monitoring this key is crucial, as adversaries may create or alter values here for persistence, privilege escalation, or system manipulation. The detection leverages **Sysmon Event ID 13** (Registry Value Set) to identify unauthorized changes. Analysts should investigate processes associated with these modifications, particularly unsigned executables or suspicious command-line activity, as they may indicate malware or unauthorized software behavior.
+data_source:
+- Sysmon EventID 13
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry 
+  WHERE Registry.registry_path = "*\\SOFTWARE\\Microsoft\\Test\\*"
+  BY Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest Registry.user 
+  | `drop_dm_object_name(Registry)` 
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)` 
+  | `windows_create_test_registry_filter`'
+how_to_implement: To successfully implement this search you need to be ingesting information
+  on process that include the name of the process responsible for the changes from
+  your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure
+  that this registry was included in your config files ex. sysmon config to be monitored.
+known_false_positives: Administrators and third party software may create this registry entry.
+references:
+- https://www.trendmicro.com/en_nl/research/24/k/earth-estries.html
+drilldown_searches:
+- name: View the detection results for - "$dest$"
+  search: '%original_detection_search% | search  dest = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
+    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: a Test registry Entry [$registry_path$] was created on [$dest$].
+  risk_objects:
+  - field: dest
+    type: system
+    score: 60
+  - field: user
+    type: user
+    score: 60
+tags:
+  analytic_story:
+  - SnappyBee
+  - Nexus APT Threat Activity
+  - Earth Estries
+  asset_type: Endpoint
+  mitre_attack_id:
+  - T1112
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/test_registry/test_reg.log
+    sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    source: XmlWinEventLog

detections/endpoint/windows_svchost_exe_parent_process_anomaly.yml

@@ -0,0 +1,72 @@
+name: Windows Svchost.exe Parent Process Anomaly
+id: 1d38e5e9-2ff8-4c47-872c-bf1657cefab5
+version: 1
+date: '2025-02-11'
+author: Teoderick Contreras, Splunk
+status: production
+type: Anomaly
+description: The following analytic detects an anomaly where a svchost.exe process is spawned by a parent process other than the standard services.exe. In a typical Windows environment, svchost.exe is a system process that hosts Windows services and is expected to be a child of services.exe. A process deviation from this hierarchy may indicate suspicious behavior, such as malicious code attempting to masquerade as a legitimate system process or evade detection. It is essential to investigate the parent process and associated behavior for further signs of compromise or unauthorized activity.
+data_source:
+- Sysmon EventID 1
+- Windows Event Log Security 4688
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name != "services.exe" AND Processes.process_name = "svchost.exe" AND Processes.process != unknown
+  by Processes.parent_process_name Processes.parent_process_path Processes.parent_process Processes.process_path Processes.process Processes.original_file_name Processes.dest Processes.user 
+  | `drop_dm_object_name(Processes)` 
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`
+  | `windows_svchost_exe_parent_process_anomaly_filter`'
+how_to_implement: The detection is based on data that originates from Endpoint Detection
+  and Response (EDR) agents. These agents are designed to provide security-related
+  telemetry from the endpoints where the agent is installed. To implement this search,
+  you must ingest logs that contain the process GUID, process name, and parent process.
+  Additionally, you must ingest complete command-line executions. These logs must
+  be processed using the appropriate Splunk Technology Add-ons that are specific to
+  the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
+  data model. Use the Splunk Common Information Model (CIM) to normalize the field
+  names and speed up the data modeling process.
+known_false_positives: Windows Update or other Windows Installer processes may launch their own svchost.exe processes that are not directly spawned by services.exe in certain edge cases (e.g., during patches or updates).
+references:
+- https://attack.mitre.org/techniques/T1036/009/
+- https://www.trendmicro.com/en_nl/research/24/k/earth-estries.html
+drilldown_searches:
+- name: View the detection results for - "$dest$"
+  search: '%original_detection_search% | search  dest = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
+    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: A svchost.exe process was spawned by an unexpected parent process [$parent_process_name$] instead of services.exe on [$dest$].
+  risk_objects:
+  - field: dest
+    type: system
+    score: 50
+  - field: user
+    type: user
+    score: 50
+tags:
+  analytic_story:
+  - SnappyBee
+  - Nexus APT Threat Activity
+  - Earth Estries
+  asset_type: Endpoint
+  mitre_attack_id:
+  - T1036.009
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1035.009/suspicious_spawn_svchost/susp_svchost_proc.log
+    sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    source: XmlWinEventLog

detections/endpoint/windows_unusual_syswow64_process_run_system32_executable.yml

@@ -0,0 +1,72 @@
+name: Windows Unusual SysWOW64 Process Run System32 Executable
+id: e4602172-db86-4315-86df-da66fb40bcde
+version: 1
+date: '2025-02-11'
+author: Teoderick Contreras, Splunk
+status: production
+type: Anomaly
+description: The following analytic detects an unusual process execution pattern where a process running from C:\Windows\SysWOW64\ attempts to execute a binary from C:\Windows\System32\. In a typical Windows environment, 32-bit processes under SysWOW64 should primarily interact with 32-bit binaries within the same directory. However, an execution flow where a 32-bit process spawns a 64-bit binary from System32 can indicate potential process injection, privilege escalation, evasion techniques, or unauthorized execution hijacking.
+data_source:
+- Sysmon EventID 1
+- Windows Event Log Security 4688
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
+  where Processes.process_path = "*\\Windows\\SysWOW64\\*" AND Processes.process = "*windows\\system32\\*"
+  by Processes.parent_process_name Processes.process_path Processes.process Processes.original_file_name Processes.dest Processes.user 
+  | `drop_dm_object_name(Processes)` 
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)` 
+  | `windows_unusual_syswow64_process_run_system32_executable_filter`'
+how_to_implement: The detection is based on data that originates from Endpoint Detection
+  and Response (EDR) agents. These agents are designed to provide security-related
+  telemetry from the endpoints where the agent is installed. To implement this search,
+  you must ingest logs that contain the process GUID, process name, and parent process.
+  Additionally, you must ingest complete command-line executions. These logs must
+  be processed using the appropriate Splunk Technology Add-ons that are specific to
+  the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
+  data model. Use the Splunk Common Information Model (CIM) to normalize the field
+  names and speed up the data modeling process.
+known_false_positives: some legitimate system processes, software updaters, or compatibility tools may trigger this behavior, occurrences involving unknown, unsigned, or unusual parent processes should be investigated for potential malware activity, persistence mechanisms, or execution flow hijacking.
+references:
+- https://www.trendmicro.com/en_nl/research/24/k/earth-estries.html
+drilldown_searches:
+- name: View the detection results for - "$dest$"
+  search: '%original_detection_search% | search  dest = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
+    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: a 32 bit process execute 64 bit executable on [$dest$].
+  risk_objects:
+  - field: dest
+    type: system
+    score: 40
+  - field: process_path
+    type: process_name
+    score: 40
+tags:
+  analytic_story:
+  - Nexus APT Threat Activity
+  - DarkGate Malware
+  - Earth Estries
+  asset_type: Endpoint
+  mitre_attack_id:
+  - T1036.009
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.009/32bit_process_execute_64bit/32bit_spawn_64bit.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: XmlWinEventLog