Merge branch 'develop' into nterl0k-T1550-netexec-usage

nasbench · web-flow · commit e8f9c1ddd02b · 2025-01-07T17:45:50.000+01:00
diff --git a/contentctl.yml b/contentctl.yml
@@ -21,8 +21,8 @@ test_instance:
   hec_port: 8088
   web_ui_port: 8000
   api_port: 8089
-  full_image_path: registry.hub.docker.com/splunk/splunk:latest
 container_settings:
+  full_image_path: registry.hub.docker.com/splunk/splunk:9.3
   leave_running: true
   num_containers: 1
 mode: {}
@@ -77,9 +77,9 @@ apps:
 - uid: 5579
   title: Splunk Add-on for CrowdStrike FDR
   appid: Splunk_TA_CrowdStrike_FDR
-  version: 2.0.2
+  version: 2.0.3
   description: description of app
-  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-crowdstrike-fdr_202.tgz
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-crowdstrike-fdr_203.tgz
 - uid: 3185
   title: Splunk Add-on for Microsoft IIS
   appid: SPLUNK_TA_FOR_IIS
diff --git a/data_sources/crowdstrike_processrollup2.yml b/data_sources/crowdstrike_processrollup2.yml
@@ -10,7 +10,7 @@ separator: event_simpleName
 supported_TA:
 - name: Splunk Add-on for CrowdStrike FDR
   url: https://splunkbase.splunk.com/app/5579
-  version: 2.0.2
+  version: 2.0.3
 fields:
 - AuthenticationId
 - AuthenticationId_meaning
diff --git a/detections/endpoint/detect_exchange_web_shell.yml b/detections/endpoint/detect_exchange_web_shell.yml
@@ -1,7 +1,7 @@
 name: Detect Exchange Web Shell
 id: 8c14eeee-2af1-4a4b-bda8-228da0f4862a
-version: '8'
-date: '2024-11-28'
+version: 9
+date: '2024-12-12'
 author: Michael Haag, Shannon Davis, David Dorsey, Splunk
 status: production
 type: TTP
@@ -16,16 +16,18 @@ description: The following analytic identifies the creation of suspicious .aspx
 data_source:
 - Sysmon EventID 1 AND Sysmon EventID 11
 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes
-  where Processes.process_name=System  by _time span=1h Processes.process_id Processes.process_name
-  Processes.dest Processes.user | `drop_dm_object_name(Processes)` | join process_guid,
-  _time [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
-  as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*\\HttpProxy\\owa\\auth\\*",
-  "*\\inetpub\\wwwroot\\aspnet_client\\*", "*\\HttpProxy\\OAB\\*") Filesystem.file_name
-  IN( "*.aspx", "*.ashx") by _time span=1h Filesystem.user Filesystem.dest Filesystem.file_create_time
-  Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(Filesystem)` |
-  fields _time dest user file_create_time file_name file_path process_name process_path
-  process] | dedup file_create_time | table dest user file_create_time, file_name,
-  file_path, process_name | `detect_exchange_web_shell_filter`'
+    where Processes.process_name=System by _time span=1h Processes.process_guid Processes.process_name Processes.process
+    Processes.dest Processes.user 
+| `drop_dm_object_name(Processes)` 
+| join process_guid, _time 
+    [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
+        as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*\\HttpProxy\\owa\\auth\\*",
+        "*\\inetpub\\wwwroot\\aspnet_client\\*", "*\\HttpProxy\\OAB\\*") Filesystem.file_name
+        IN( "*.aspx", "*.ashx") by _time span=1h Filesystem.process_guid Filesystem.user Filesystem.dest Filesystem.file_create_time
+        Filesystem.file_name Filesystem.file_path 
+    | `drop_dm_object_name(Filesystem)` ]
+    | dedup file_create_time 
+    | table _time dest user file_create_time file_name file_path process_name process process_guid | `detect_exchange_web_shell_filter`'
 how_to_implement: To successfully implement this search you need to be ingesting information
   on process that include the name of the process responsible for the changes from
   your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem`
diff --git a/detections/endpoint/windows_detect_network_scanner_behavior.yml b/detections/endpoint/windows_detect_network_scanner_behavior.yml
@@ -0,0 +1,76 @@
+name: Windows Detect Network Scanner Behavior
+id: 78e678d2-bf64-4fe6-aa52-2f7b11dddee7
+version: 1
+date: '2024-12-26'
+author: Steven Dick
+status: production
+type: Anomaly
+description: The following analytic detects when an application is used to connect a large number of unique ports/targets within a short time frame. Network enumeration may be used by adversaries as a method of discovery, lateral movement, or remote execution. This analytic may require significant tuning depending on the organization and applications being actively used, highly recommended to pre-populate the filter macro prior to activation.
+data_source: 
+- Sysmon EventID 3
+search: '| tstats `security_content_summariesonly` count latest(All_Traffic.dest_port) as dest_port dc(All_Traffic.dest_port) as port_count dc(All_Traffic.dest) as dest_count min(_time) as firstTime max(_time) as lastTime values(All_Traffic.process_id) as process_id from datamodel=Network_Traffic.All_Traffic where sourcetype=XmlWinEventLog All_Traffic.app = "*\\*" All_Traffic.dest_port < 32000 NOT All_Traffic.dest_port IN (8443,8080,5353,3268,443,389,88,80,53,25) by host,All_Traffic.app,All_Traffic.src,All_Traffic.src_ip,All_Traffic.user _time span=5m
+| `drop_dm_object_name(All_Traffic)`
+| rex field=app ".*\\\(?<process_name>.*)$"
+| where port_count > 10 OR dest_count > 10
+| stats latest(src) as src, latest(src_ip) as src_ip, max(dest_count) as dest_count, max(port_count) as port_count, latest(dest_port) as dest_port, min(firstTime) as firstTime, max(lastTime) as lastTime, max(count) as count by host,user,app,process_name
+| `security_content_ctime(firstTime)`
+| `security_content_ctime(lastTime)`
+| `windows_detect_network_scanner_behavior_filter`'
+how_to_implement: This detection relies on Sysmon EventID 3 events being ingested AND tagged into the Network_Traffic datamodel.
+known_false_positives: Various, could be noisy depending on processes in the organization and sysmon configuration used. Adjusted port/dest count thresholds as needed.
+references:
+- https://attack.mitre.org/techniques/T1595
+drilldown_searches:
+- name: View the detection results for - "$src$" and "$user$"
+  search: '%original_detection_search% | search  src = "$src$" user = "$user$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$src$" and "$user$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+tags:
+  analytic_story:
+  - Network Discovery
+  - Windows Discovery Techniques
+  asset_type: Endpoint
+  confidence: 50
+  impact: 50
+  message: A process exhibiting network scanning behavior [$process_name$] was detected on $src$
+  mitre_attack_id: 
+  - T1595
+  - T1595.001
+  - T1595.002
+  observable: 
+  - name: src
+    type: IP Address
+    role:
+    - Victim
+  - name: user
+    type: User
+    role:
+    - Victim
+  - name: process_name
+    type: Process
+    role:
+    - Attacker
+  product: 
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields: 
+  - All_Traffic.dest_port
+  - host
+  - All_Traffic.app
+  - All_Traffic.src
+  - All_Traffic.src_ip
+  - All_Traffic.user 
+  - _time
+  risk_score: 25
+  security_domain: network
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1595/sysmon_scanning_events/sysmon_scanning_events.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: XmlWinEventLog
diff --git a/macros/f5_bigip_rogue.yml b/macros/f5_bigip_rogue.yml
@@ -1,4 +1,4 @@
-definition: index=netops sourcetype="f5:bigip:rogue"
+definition: sourcetype="f5:bigip:rogue"
 description: customer specific splunk configurations(eg- index, source, sourcetype).
   Replace the macro definition with configurations for your Splunk Environment.
 name: f5_bigip_rogue
diff --git a/macros/zeek_rpc.yml b/macros/zeek_rpc.yml
@@ -1,4 +1,4 @@
-definition: index=zeek sourcetype="zeek:rpc:json"
+definition: sourcetype="zeek:rpc:json"
 description: customer specific splunk configurations(eg- index, source, sourcetype).
   Replace the macro definition with configurations for your Splunk Environment.
 name: zeek_rpc
diff --git a/macros/zeek_ssl.yml b/macros/zeek_ssl.yml
@@ -1,4 +1,4 @@
-definition: index=zeek sourcetype="zeek:ssl:json"
+definition: sourcetype="zeek:ssl:json"
 description: customer specific splunk configurations(eg- index, source, sourcetype).
   Replace the macro definition with configurations for your Splunk Environment.
 name: zeek_ssl
