Merge branch 'develop' into notdoor_outlook_macros

Author: patel-bhavin

detections/application/esxi_malicious_vib_forced_install.yml

@@ -14,58 +14,60 @@ description: Detects potentially malicious installation of VMware Installation
   modules, drivers, or monitoring tools to establish persistence or gain deeper
   control of the hypervisor.
 data_source:
-- VMWare ESXi Syslog
+  - VMWare ESXi Syslog
 search: '`esxi_syslog` Message="* image profile with validation disabled. *" OR
   Message="* image profile bypassing signing and acceptance level verification.
   *" OR Message="* vib without valid signature, *"
   | rex field=_raw "Z (?<dest>[\w\.]+)\s"
   | stats min(_time) as firstTime max(_time) as lastTime count by dest Message
   | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
   | `esxi_malicious_vib_forced_install_filter`'
-how_to_implement: This is based on syslog data generated by VMware ESXi hosts. To implement this search, 
-  you must configure your ESXi systems to forward syslog output to your Splunk deployment. These logs must 
+how_to_implement:
+  This is based on syslog data generated by VMware ESXi hosts. To implement this search,
+  you must configure your ESXi systems to forward syslog output to your Splunk deployment. These logs must
   be ingested with the appropriate Splunk Technology Add-on for VMware ESXi Logs, which provides field
-  extractions and CIM compatibility. 
+  extractions and CIM compatibility.
 known_false_positives: Some third party vendor VIBs or patches may require the force option.
 references:
-- https://detect.fyi/detecting-and-responding-to-esxi-compromise-with-splunk-f33998ce7823
+  - https://detect.fyi/detecting-and-responding-to-esxi-compromise-with-splunk-f33998ce7823
 drilldown_searches:
-- name: View the detection results for - "$dest$"
-  search: '%original_detection_search% | search  dest = "$dest$"'
-  earliest_offset: $info_min_time$
-  latest_offset: $info_max_time$
-- name: View risk events for the last 7 days for - "$dest$"
-  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
-    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
-    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
-    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
-    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
-    | `security_content_ctime(lastTime)`'
-  earliest_offset: $info_min_time$
-  latest_offset: $info_max_time$
+  - name: View the detection results for - "$dest$"
+    search: '%original_detection_search% | search  dest = "$dest$"'
+    earliest_offset: $info_min_time$
+    latest_offset: $info_max_time$
+  - name: View risk events for the last 7 days for - "$dest$"
+    search:
+      '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+      starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
+      values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+      as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+      as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+      | `security_content_ctime(lastTime)`'
+    earliest_offset: $info_min_time$
+    latest_offset: $info_max_time$
 rba:
   message: A VIB was installed on ESXi $dest$ with the force flag.
   risk_objects:
-  - field: dest
-    type: system
-    score: 60
+    - field: dest
+      type: system
+      score: 60
   threat_objects: []
 tags:
   analytic_story:
-  - ESXi Post Compromise
-  - Black Basta Ransomware
-  - China-Nexus Threat Activity
+    - ESXi Post Compromise
+    - Black Basta Ransomware
+    - China-Nexus Threat Activity
   asset_type: Infrastructure
   mitre_attack_id:
-  - T1505.006
+    - T1505.006
   product:
-  - Splunk Enterprise
-  - Splunk Enterprise Security
-  - Splunk Cloud
+    - Splunk Enterprise
+    - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: endpoint
 tests:
-- name: True Positive Test
-  attack_data:
-  - data: https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/attack_techniques/T1505.006/esxi_malicious_vib/esxi_malicious_vib_forced_install.log
-    source: vmware:esxlog
-    sourcetype: vmw-syslog
+  - name: True Positive Test
+    attack_data:
+      - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.006/esxi_malicious_vib/esxi_malicious_vib_forced_install.log
+        source: vmware:esxlog
+        sourcetype: vmw-syslog

detections/application/esxi_ssh_brute_force.yml

@@ -5,11 +5,12 @@ date: '2025-05-12'
 author: Raven Tait, Splunk
 status: production
 type: Anomaly
-description: This detection identifies signs of SSH brute-force attacks by monitoring for a high 
-  number of failed login attempts within a short time frame. Such activity may indicate an 
+description:
+  This detection identifies signs of SSH brute-force attacks by monitoring for a high
+  number of failed login attempts within a short time frame. Such activity may indicate an
   attacker attempting to gain unauthorized access through password guessing.
 data_source:
-- VMWare ESXi Syslog
+  - VMWare ESXi Syslog
 search: '`esxi_syslog` Message="*Authentication failure for*"
   | rex "for (?<user>[\w]+) from (?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
   | rex field=_raw "Z (?<dest>[\w\.]+)\s"
@@ -18,49 +19,51 @@ search: '`esxi_syslog` Message="*Authentication failure for*"
   | where count > 10
   | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
   | `esxi_ssh_brute_force_filter`'
-how_to_implement: This is based on syslog data generated by VMware ESXi hosts. To implement this search, 
-  you must configure your ESXi systems to forward syslog output to your Splunk deployment. These logs must 
+how_to_implement:
+  This is based on syslog data generated by VMware ESXi hosts. To implement this search,
+  you must configure your ESXi systems to forward syslog output to your Splunk deployment. These logs must
   be ingested with the appropriate Splunk Technology Add-on for VMware ESXi Logs, which provides field
-  extractions and CIM compatibility. 
-known_false_positives: Limited false positives in most environments, however tune
+  extractions and CIM compatibility.
+known_false_positives:
+  Limited false positives in most environments, however tune
   as needed.
 drilldown_searches:
-- name: View the detection results for - "$dest$"
-  search: '%original_detection_search% | search  dest = "$dest$"'
-  earliest_offset: $info_min_time$
-  latest_offset: $info_max_time$
-- name: View risk events for the last 7 days for - "$dest$"
-  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
-    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
-    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
-    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
-    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
-    | `security_content_ctime(lastTime)`'
-  earliest_offset: $info_min_time$
-  latest_offset: $info_max_time$
+  - name: View the detection results for - "$dest$"
+    search: '%original_detection_search% | search  dest = "$dest$"'
+    earliest_offset: $info_min_time$
+    latest_offset: $info_max_time$
+  - name: View risk events for the last 7 days for - "$dest$"
+    search:
+      '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+      starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
+      values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+      as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+      as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+      | `security_content_ctime(lastTime)`'
+    earliest_offset: $info_min_time$
+    latest_offset: $info_max_time$
 rba:
   message: Attempted SSH brute force on ESXi host $dest$.
   risk_objects:
-  - field: dest
-    type: system
-    score: 25
+    - field: dest
+      type: system
+      score: 25
   threat_objects: []
 tags:
   analytic_story:
-  - ESXi Post Compromise
-  - Black Basta Ransomware
+    - ESXi Post Compromise
+    - Black Basta Ransomware
   asset_type: Infrastructure
   mitre_attack_id:
-  - T1110
+    - T1110
   product:
-  - Splunk Enterprise
-  - Splunk Enterprise Security
-  - Splunk Cloud
+    - Splunk Enterprise
+    - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: endpoint
 tests:
-- name: True Positive Test
-  attack_data:
-  - data: http://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110/esxi_ssh_brute_force/esxi_ssh_brute_force.log
-    source: vmware:esxlog
-    sourcetype: vmw-syslog
-
+  - name: True Positive Test
+    attack_data:
+      - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110/esxi_ssh_brute_force/esxi_ssh_brute_force.log
+        source: vmware:esxlog
+        sourcetype: vmw-syslog

detections/endpoint/attacker_tools_on_endpoint.yml

@@ -5,7 +5,8 @@ date: '2025-07-29'
 author: Bhavin Patel, Splunk, sventec, Github Community
 status: production
 type: TTP
-description: The following analytic detects the execution of tools commonly exploited
+description:
+  The following analytic detects the execution of tools commonly exploited
   by cybercriminals, such as those used for unauthorized access, network scanning,
   or data exfiltration. It leverages process activity data from Endpoint Detection
   and Response (EDR) agents, focusing on known attacker tool names. This activity
@@ -14,14 +15,15 @@ description: The following analytic detects the execution of tools commonly expl
   lead to unauthorized access, data theft, or further network compromise, posing a
   severe threat to the organization's security infrastructure.
 data_source:
-- Sysmon EventID 1
-- Windows Event Log Security 4688
-- CrowdStrike ProcessRollup2
-- Cisco Network Visibility Module Flow Data
-search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
+  - Sysmon EventID 1
+  - Windows Event Log Security 4688
+  - CrowdStrike ProcessRollup2
+  - Cisco Network Visibility Module Flow Data
+search:
+  '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
   as lastTime values(Processes.process) as process values(Processes.parent_process)
-  as parent_process from datamodel=Endpoint.Processes where 
-  [| inputlookup attacker_tools | rename attacker_tool_names AS Processes.process_name | fields Processes.process_name] AND 
+  as parent_process from datamodel=Endpoint.Processes where
+  [| inputlookup attacker_tools | rename attacker_tool_names AS Processes.process_name | fields Processes.process_name] AND
   Processes.dest!=unknown AND Processes.user!=unknown by Processes.action Processes.dest Processes.original_file_name
   Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
   Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
@@ -31,7 +33,8 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime
   | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | lookup
   attacker_tools attacker_tool_names AS process_name OUTPUT description | search description
   !=false| `attacker_tools_on_endpoint_filter`'
-how_to_implement: The detection is based on data that originates from Endpoint Detection
+how_to_implement:
+  The detection is based on data that originates from Endpoint Detection
   and Response (EDR) agents. These agents are designed to provide security-related
   telemetry from the endpoints where the agent is installed. To implement this search,
   you must ingest logs that contain the process GUID, process name, and parent process.
@@ -40,64 +43,67 @@ how_to_implement: The detection is based on data that originates from Endpoint D
   the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
   data model. Use the Splunk Common Information Model (CIM) to normalize the field
   names and speed up the data modeling process.
-known_false_positives: Some administrator activity can be potentially triggered, please
+known_false_positives:
+  Some administrator activity can be potentially triggered, please
   add those users to the filter macro.
 references: []
 drilldown_searches:
-- name: View the detection results for - "$user$" and "$dest$"
-  search: '%original_detection_search% | search  user = "$user$" dest = "$dest$"'
-  earliest_offset: $info_min_time$
-  latest_offset: $info_max_time$
-- name: View risk events for the last 7 days for - "$user$" and "$dest$"
-  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$",
-    "$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time)
-    as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk
-    Message" values(analyticstories) as "Analytic Stories" values(annotations._all)
-    as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics"
-    by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
-  earliest_offset: $info_min_time$
-  latest_offset: $info_max_time$
+  - name: View the detection results for - "$user$" and "$dest$"
+    search: '%original_detection_search% | search  user = "$user$" dest = "$dest$"'
+    earliest_offset: $info_min_time$
+    latest_offset: $info_max_time$
+  - name: View risk events for the last 7 days for - "$user$" and "$dest$"
+    search:
+      '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$",
+      "$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time)
+      as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk
+      Message" values(analyticstories) as "Analytic Stories" values(annotations._all)
+      as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics"
+      by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+    earliest_offset: $info_min_time$
+    latest_offset: $info_max_time$
 rba:
-  message: An attacker tool $process_name$, listed in attacker_tools.csv is executed
+  message:
+    An attacker tool $process_name$, listed in attacker_tools.csv is executed
     on host $dest$ by User $user$. This process $process_name$ is known to do- $description$
   risk_objects:
-  - field: user
-    type: user
-    score: 64
-  - field: dest
-    type: system
-    score: 64
+    - field: user
+      type: user
+      score: 64
+    - field: dest
+      type: system
+      score: 64
   threat_objects:
-  - field: process_name
-    type: process_name
+    - field: process_name
+      type: process_name
 tags:
   analytic_story:
-  - XMRig
-  - Unusual Processes
-  - SamSam Ransomware
-  - CISA AA22-264A
-  - Compromised Windows Host
-  - PHP-CGI RCE Attack on Japanese Organizations
-  - Cisco Network Visibility Module Analytics
-  - Scattered Spider
+    - XMRig
+    - Unusual Processes
+    - SamSam Ransomware
+    - CISA AA22-264A
+    - Compromised Windows Host
+    - PHP-CGI RCE Attack on Japanese Organizations
+    - Cisco Network Visibility Module Analytics
+    - Scattered Spider
   asset_type: Endpoint
   mitre_attack_id:
-  - T1003
-  - T1036.005
-  - T1595
+    - T1003
+    - T1036.005
+    - T1595
   product:
-  - Splunk Enterprise
-  - Splunk Enterprise Security
-  - Splunk Cloud
+    - Splunk Enterprise
+    - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: endpoint
 tests:
-- name: True Positive Test - Sysmon
-  attack_data:
-  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1595/attacker_scan_tools/windows-sysmon.log
-    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
-    sourcetype: XmlWinEventLog
-- name: True Positive Test - Cisco NVM
-  attack_data:
-  - data: https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/cisco_network_visibility_module/cisco_nvm_flowdata/nvm_flowdata.log
-    source: not_applicable
-    sourcetype: cisco:nvm:flowdata
+  - name: True Positive Test - Sysmon
+    attack_data:
+      - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1595/attacker_scan_tools/windows-sysmon.log
+        source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+        sourcetype: XmlWinEventLog
+  - name: True Positive Test - Cisco NVM
+    attack_data:
+      - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_network_visibility_module/cisco_nvm_flowdata/nvm_flowdata.log
+        source: not_applicable
+        sourcetype: cisco:nvm:flowdata