Merge branch 'develop' into nterl0k-t1114.003-o365-transport-rule-change

Author: patel-bhavin

detections/cloud/o365_sharepoint_suspicious_search_behavior.yml

@@ -0,0 +1,67 @@
+name: O365 SharePoint Suspicious Search Behavior
+id: 6ca919db-52f3-4c95-a4e9-7b189e8a043d
+version: 1
+date: '2025-01-08'
+author: Steven Dick
+status: production
+type: Anomaly
+description: The following analytic identifies when the O365 SharePoint users search for suspicious keywords or have an excessive number of queries within a limited timeframe. This behavior may indicate malicious actor enumeration of SharePoint based data within O365.
+data_source: 
+- Office 365 Universal Audit Log
+search: |-
+  `o365_management_activity` Workload=SharePoint Operation="SearchQueryPerformed" SearchQueryText=* EventData=*search*
+  | where NOT (match(SearchQueryText, "\*") OR match(SearchQueryText,"(\*)"))
+  | eval signature_id = CorrelationId, signature=Operation, src = ClientIP, user = UserId, object_name=EventData, command = SearchQueryText, -time = _time 
+  | bin _time span=1hr
+  | stats values(object_name) as object_name values(command) as command, values(src) as src, dc(command) as count, min(-time) as firstTime, max(-time) as lastTime by user,signature,_time
+  | where count > 20 OR match(command, "(?i)password|credential|passwd|shadow|active directory|account|username|network|computer|access|MFA|bank|deposit|payroll|EFT|Electonic Funds|routing")
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`
+  | `o365_sharepoint_suspicious_search_behavior_filter`
+how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. The thresholds and match terms set within the analytic are initial guidelines and should be customized based on the organization's user behavior and risk profile. Security teams are encouraged to adjust these thresholds to optimize the balance between detecting genuine threats and minimizing false positives, ensuring the detection is tailored to their specific environment.
+known_false_positives: Users searching excessively or possible false positives related to matching conditions.
+references:
+- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
+- https://attack.mitre.org/techniques/T1213/002/
+drilldown_searches:
+- name: View the detection results for - "$user$"
+  search: '%original_detection_search% | search user = "$user$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: Investigate search behavior by $user$ 
+  search: '`o365_management_activity` Workload=SharePoint Operation="SearchQueryPerformed" SearchQueryText=* EventData=*search* AND UserId = "$user$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: The SharePoint Online was searched suspiciously by $user$
+  risk_objects:
+  - field: user
+    type: user
+    score: 25
+  threat_objects:
+  - field: src
+    type: ip_address
+tags:
+  analytic_story: 
+  - Azure Active Directory Persistence
+  - Office 365 Account Takeover
+  - CISA AA22-320A
+  asset_type: O365 Tenant
+  mitre_attack_id: 
+  - T1213.002 
+  - T1552
+  product: 
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: threat
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1213.002/o365_sus_sharepoint_search/o365_sus_sharepoint_search.log
+    source: o365
+    sourcetype: o365:management:activity

detections/endpoint/known_services_killed_by_ransomware.yml renamed to detections/deprecated/known_services_killed_by_ransomware.yml

@@ -1,11 +1,11 @@
 name: Known Services Killed by Ransomware
 id: 3070f8e0-c528-11eb-b2a0-acde48001122
-version: 7
-date: '2024-12-10'
+version: 8
+date: '2025-02-07'
 author: Teoderick Contreras, Splunk
-status: production
+status: deprecated
 type: TTP
-description: The following analytic detects the suspicious termination of known services
+description: This analytic has been deprecated in favor of a new analytic - Windows Security And Backup Services Stop. The following analytic detects the suspicious termination of known services
   commonly targeted by ransomware before file encryption. It leverages Windows System
   Event Logs (EventCode 7036) to identify when critical services such as Volume Shadow
   Copy, backup, and antivirus services are stopped. This activity is significant because
@@ -75,4 +75,4 @@ tests:
   - data: 
       https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/known_services_killed_by_ransomware/windows-xml.log
     source: XmlWinEventLog:System
-    sourcetype: XmlWinEventLog
+    sourcetype: XmlWinEventLog

detections/endpoint/suspicious_driver_loaded_path.yml renamed to detections/deprecated/suspicious_driver_loaded_path.yml

@@ -1,11 +1,11 @@
 name: Suspicious Driver Loaded Path
 id: f880acd4-a8f1-11eb-a53b-acde48001122
-version: 4
-date: '2024-11-13'
+version: 6
+date: '2025-02-06'
 author: Teoderick Contreras, Splunk
-status: production
+status: deprecated
 type: TTP
-description: The following analytic detects the loading of drivers from suspicious
+description: This search has been deprecated in favour of - Windows Suspicious Driver Loaded Path. The following analytic detects the loading of drivers from suspicious
   paths, which is a technique often used by malicious software such as coin miners
   (e.g., xmrig). It leverages Sysmon EventCode 6 to identify drivers loaded from non-standard
   directories. This activity is significant because legitimate drivers typically reside

detections/endpoint/suspicious_process_file_path.yml renamed to detections/deprecated/suspicious_process_file_path.yml

@@ -1,11 +1,11 @@
 name: Suspicious Process File Path
 id: 9be25988-ad82-11eb-a14f-acde48001122
-version: 6
-date: '2024-12-10'
+version: 7
+date: '2025-02-10'
 author: Teoderick Contreras, Splunk
-status: production
+status: deprecated
 type: TTP
-description: The following analytic identifies processes running from file paths not
+description: This search has been deprecated in favour of -  Windows Suspicious Process File Path. The following analytic identifies processes running from file  paths not
   typically associated with legitimate software. It leverages data from Endpoint Detection
   and Response (EDR) agents, focusing on specific process paths within the Endpoint
   data model. This activity is significant because adversaries often use unconventional
@@ -117,4 +117,4 @@ tests:
   - data: 
       https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
-    sourcetype: XmlWinEventLog
+    sourcetype: XmlWinEventLog

detections/endpoint/detect_remote_access_software_usage_file.yml

@@ -1,6 +1,6 @@
 name: Detect Remote Access Software Usage File
 id: 3bf5541a-6a45-4fdc-b01d-59b899fff961
-version: 5
+version: 6
 date: '2024-11-13'
 author: Steven Dick
 status: production
@@ -54,6 +54,10 @@ drilldown_searches:
     by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
+- name: Investigate files on $dest$ 
+  search: '| from datamodel:Endpoint.Filesystem | search dest=$dest$ file_name=$file_name$'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
 rba:
   message: A file for known a remote access software [$file_name$] was created on
     $dest$ by $user$.
@@ -67,13 +71,16 @@ rba:
   threat_objects:
   - field: file_name
     type: file_name
+  - field: signature
+    type: signature
 tags:
   analytic_story:
   - Insider Threat
   - Command And Control
   - Ransomware
   - Gozi Malware
   - CISA AA24-241A
+  - Remote Monitoring and Management Software
   asset_type: Endpoint
   mitre_attack_id:
   - T1219

detections/endpoint/detect_remote_access_software_usage_fileinfo.yml

@@ -1,6 +1,6 @@
 name: Detect Remote Access Software Usage FileInfo
 id: ccad96d7-a48c-4f13-8b9c-9f6a31cba454
-version: 5
+version: 6
 date: '2024-11-13'
 author: Steven Dick
 status: production
@@ -47,22 +47,32 @@ drilldown_searches:
     | `security_content_ctime(lastTime)`'
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
+- name: Investigate processes on $dest$ 
+  search: '| from datamodel:Endpoint.Processes| search dest=$dest$ process_name=$process_name$'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
 rba:
   message: A file attributes for known a remote access software [$process_name$] was
     detected on $dest$
   risk_objects:
   - field: dest
     type: system
     score: 25
+  - field: user
+    type: user
+    score: 25    
   threat_objects:
   - field: process_name
     type: process_name
+  - field: signature
+    type: signature
 tags:
   analytic_story:
   - Insider Threat
   - Command And Control
   - Ransomware
   - Gozi Malware
+  - Remote Monitoring and Management Software
   asset_type: Endpoint
   mitre_attack_id:
   - T1219

detections/endpoint/detect_remote_access_software_usage_process.yml

@@ -1,6 +1,6 @@
 name: Detect Remote Access Software Usage Process
 id: ffd5e001-2e34-48f4-97a2-26dc4bb08178
-version: 5
+version: 6
 date: '2024-11-13'
 author: Steven Dick
 status: production
@@ -59,6 +59,10 @@ drilldown_searches:
     by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
+- name: Investigate processes on $dest$ 
+  search: '| from datamodel:Endpoint.Processes| search dest=$dest$ process_name=$process_name$'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
 rba:
   message: A process for a known remote access software $process_name$ was identified
     on $dest$.
@@ -72,13 +76,16 @@ rba:
   threat_objects:
   - field: process_name
     type: process_name
+  - field: signature
+    type: signature
 tags:
   analytic_story:
   - Insider Threat
   - Command And Control
   - Ransomware
   - Gozi Malware
   - CISA AA24-241A
+  - Remote Monitoring and Management Software
   asset_type: Endpoint
   mitre_attack_id:
   - T1219

detections/endpoint/detect_remote_access_software_usage_registry.yml

@@ -1,6 +1,6 @@
 name: Detect Remote Access Software Usage Registry
 id: 33804986-25dd-43cf-bb6b-dc14956c7cbc
-version: 2
+version: 3
 date: '2025-01-10'
 author: Steven Dick
 status: production
@@ -60,6 +60,7 @@ tags:
   - Ransomware
   - Gozi Malware
   - CISA AA24-241A
+  - Remote Monitoring and Management Software
   asset_type: Endpoint
   mitre_attack_id: 
   - T1219

detections/endpoint/linux_auditd_file_permissions_modification_via_chattr.yml

@@ -1,10 +1,10 @@
 name: Linux Auditd File Permissions Modification Via Chattr
 id: f2d1110d-b01c-4a58-9975-90a9edeb083a
-version: 3
-date: '2025-01-16'
+version: 4
+date: '2025-02-03'
 author: Teoderick Contreras, Splunk
 status: production
-type: TTP
+type: Anomaly
 description: The following analytic detects suspicious file permissions modifications using the chattr command, which may indicate an attacker attempting to manipulate file attributes to evade detection or prevent alteration. The chattr command can be used to make files immutable or restrict deletion, which can be leveraged to protect malicious files or disrupt system operations. By monitoring for unusual or unauthorized chattr usage, this analytic helps identify potential tampering with critical files, enabling security teams to quickly respond to and mitigate threats associated with unauthorized file attribute changes.
 data_source:
 - Linux Auditd Execve
@@ -28,7 +28,7 @@ rba:
   risk_objects:
   - field: dest
     type: system
-    score: 49
+    score: 30
   threat_objects: []
 tags:
   analytic_story:

detections/endpoint/linux_auditd_find_credentials_from_password_managers.yml

@@ -1,14 +1,14 @@
 name: Linux Auditd Find Credentials From Password Managers
 id: 784241aa-85a5-4782-a503-d071bd3446f9
-version: 3
-date: '2025-01-16'
+version: 4
+date: '2025-02-03'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
 description: The following analytic detects suspicious attempts to find credentials stored in password managers, which may indicate an attacker's effort to retrieve sensitive login information. Password managers are often targeted by adversaries seeking to access stored passwords for further compromise or lateral movement within a network. By monitoring for unusual or unauthorized access to password manager files or processes, this analytic helps identify potential credential theft attempts, enabling security teams to respond quickly to protect critical accounts and prevent further unauthorized access.
 data_source:
 - Linux Auditd Execve
-search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | rename comm as process_name | rename exe as process | where  (LIKE (process_exec, "%find%") OR LIKE (process_exec, "%grep%")) AND (LIKE (process_exec, "%.kdbx%") OR LIKE (process_exec, "%KeePass%") OR LIKE (process_exec, "%KeePass\.enforced%") OR LIKE (process_exec, "%.lpdb%")OR LIKE (process_exec, "%.opvault%")OR LIKE (process_exec, "%.agilekeychain%")OR LIKE (process_exec, "%.dashlane%")OR LIKE (process_exec, "%.rfx%")OR LIKE (process_exec, "%passbolt%")OR LIKE (process_exec, "%.spdb%")OR LIKE (process_exec, "%StickyPassword%")OR LIKE (process_exec, "%.walletx%")OR LIKE (process_exec, "%enpass%")OR LIKE (process_exec, "%vault%")OR LIKE (process_exec, "%.kdb%")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_find_credentials_from_password_managers_filter`'
+search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | rename comm as process_name | rename exe as process | where  (LIKE (process_exec, "%find%") OR LIKE (process_exec, "%grep%")) AND (LIKE (process_exec, "%.kdbx%") OR LIKE (process_exec, "%KeePass%") OR LIKE (process_exec, "%.enforced%") OR LIKE (process_exec, "%.lpdb%")OR LIKE (process_exec, "%.opvault%")OR LIKE (process_exec, "%.agilekeychain%")OR LIKE (process_exec, "%.dashlane%")OR LIKE (process_exec, "%.rfx%")OR LIKE (process_exec, "%passbolt%")OR LIKE (process_exec, "%.spdb%")OR LIKE (process_exec, "%StickyPassword%")OR LIKE (process_exec, "%.walletx%")OR LIKE (process_exec, "%enpass%")OR LIKE (process_exec, "%vault%")OR LIKE (process_exec, "%.kdb%")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_find_credentials_from_password_managers_filter`'
 how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names  to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
 known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.
 references: