Add New Analytics - February Batch (#3886)

* add percent encoded curl exec

* Fix #3916

* Add other calc process names entries

* apply formatting

* add more color

* add cisco sd-wan stuff

* update tags

* Update cisco_sd_wan___low_frequency_rogue_peer.yml

* add ds and maps it

---------

Co-authored-by: Bhavin Patel <bhavin.j.patel91@gmail.com>

Author: nasbench

data_sources/cisco_sd_wan_ntce_1000001.yml

@@ -0,0 +1,13 @@
+name: Cisco SD-WAN NTCE 1000001
+id: 350c4a45-24df-4339-ba57-8b8c09f2865f
+version: 1
+date: '2026-03-03'
+author: Nasreddine Bencherchali, Splunk
+description: Data source object for Cisco SD-WAN Notification Event 1000001
+source: /var/log/vsyslog
+sourcetype: cisco:sdwan:syslog
+supported_TA: []
+fields:
+    - _time
+    - _raw
+example_log: 'Feb 20 22:03:33 vSmart-01 VDAEMON_0[2571]: %Viptela-vSmart-VDAEMON_0-5-NTCE-1000001: control-connection-state-change new-state:up peer-type:vmanage peer-system-ip:1.1.1.10 public-ip:192.168.3.20 public-port:12345 domain-id:1 site-id:1005'

detections/endpoint/cisco_nvm___non_network_binary_making_network_connection.yml

@@ -16,7 +16,8 @@ search: |
     `cisco_network_visibility_module_flowdata`
     process_name IN (
             "notepad.exe", "write.exe", "mspaint.exe", "calc.exe",
-            "addinutil.exe", "cmstp.exe", "dialer.exe", "eqnedt32.exe", "IMEWDBLD.exe"
+            "win32calc.exe", "addinutil.exe", "cmstp.exe", "dialer.exe",
+            "eqnedt32.exe", "IMEWDBLD.exe"
             )
     NOT dest IN (
             "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",

detections/endpoint/curl_execution_with_percent_encoded_url.yml

@@ -0,0 +1,124 @@
+name: Curl Execution with Percent Encoded URL
+id: 9a8d5516-4c5e-11ef-9d42-acde48001122
+version: 1
+date: '2026-02-02'
+author: Nasreddine Bencherchali, Splunk
+status: production
+type: Anomaly
+description: |
+    The following analytic detects the execution of the curl utility where the command line includes percent-encoded characters and explicit file output options (such as -o or --output).
+    It leverages process execution telemetry from Endpoint Detection and Response (EDR) data sources to identify curl commands that may be using URL encoding to obfuscate download locations or payload paths.
+    This behavior is notable because percent-encoded URLs are commonly used by adversaries to evade simple string-based detections, hide malicious infrastructure, or bypass network security controls.
+    When combined with file download behavior, this activity may indicate malware staging, payload retrieval, or secondary tool deployment.
+    Analysts should review the decoded URL, destination host, parent process, and downloaded file to determine whether the activity is authorized or malicious.
+    The analytic calculates the number of percent (%) characters in the curl command line and triggers when a threshold of three or more is met, indicating potential URL encoding.
+    Adjust the threshold as needed based on your environment and tuning requirements.
+data_source:
+    - CrowdStrike ProcessRollup2
+    - Sysmon EventID 1
+    - Sysmon for Linux EventID 1
+    - Windows Event Log Security 4688
+search: |
+    | tstats `security_content_summariesonly`
+      count min(_time) as firstTime
+            max(_time) as lastTime
+    from datamodel=Endpoint.Processes where
+    (
+      Processes.process_name IN ("curl.exe", "curl")
+      OR
+      Processes.original_file_name="curl.exe"
+    )
+    Processes.process IN (
+      "* --output *",
+      "* -o *" /* Covers both options since the search is case insensitive */,
+    )
+    Processes.process IN ("*%*")
+    by Processes.action Processes.dest Processes.original_file_name
+       Processes.parent_process Processes.parent_process_exec
+       Processes.parent_process_guid Processes.parent_process_id
+       Processes.parent_process_name Processes.parent_process_path
+       Processes.process Processes.process_exec Processes.process_guid
+       Processes.process_hash Processes.process_id
+       Processes.process_integrity_level Processes.process_name
+       Processes.process_path Processes.user
+       Processes.user_id Processes.vendor_product
+
+    | `drop_dm_object_name(Processes)`
+
+    ```
+      Count the number of % characters in the process command line.
+      Change this threshold based on your environment and tuning needs.
+    ```
+    | eval percent_count = mvcount(split(process, "%")) - 1
+    | where percent_count >= 3
+
+    | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`
+    | `curl_execution_with_percent_encoded_url_filter`
+how_to_implement: |
+    The detection is based on data that originates from Endpoint Detection
+    and Response (EDR) agents. These agents are designed to provide security-related
+    telemetry from the endpoints where the agent is installed. To implement this search,
+    you must ingest logs that contain the process GUID, process name, and parent process.
+    Additionally, you must ingest complete command-line executions. These logs must
+    be processed using the appropriate Splunk Technology Add-ons that are specific to
+    the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
+    data model. Use the Splunk Common Information Model (CIM) to normalize the field
+    names and speed up the data modeling process.
+known_false_positives: |
+    No false positives have been identified at this time.
+references:
+    - https://github.com/nasbench/Misc-Research/blob/main/LOLBINs/Curl.md
+    - https://attack.mitre.org/techniques/T1027/
+    - https://attack.mitre.org/techniques/T1105/
+    - https://curl.se/docs/manpage.html
+drilldown_searches:
+    - name: View the detection results for - "$user$" and "$dest$"
+      search: '%original_detection_search% | search  user = "$user$" dest = "$dest$"'
+      earliest_offset: $info_min_time$
+      latest_offset: $info_max_time$
+    - name: View risk events for the last 7 days for - "$user$" and "$dest$"
+      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+      earliest_offset: $info_min_time$
+      latest_offset: $info_max_time$
+rba:
+    message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ with URL-encoded parameters $process$.
+    risk_objects:
+        - field: user
+          type: user
+          score: 50
+        - field: dest
+          type: system
+          score: 50
+    threat_objects:
+        - field: parent_process_name
+          type: parent_process_name
+        - field: process_name
+          type: process_name
+        - field: process
+          type: process
+tags:
+    analytic_story:
+        - Compromised Windows Host
+        - Ingress Tool Transfer
+        - Living Off The Land
+    asset_type: Endpoint
+    mitre_attack_id:
+        - T1027
+        - T1105
+    product:
+        - Splunk Enterprise
+        - Splunk Enterprise Security
+        - Splunk Cloud
+    security_domain: endpoint
+tests:
+    - name: True Positive Test - Sysmon Linux
+      attack_data:
+        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027/url_encoded_curl/linux-sysmon.log
+          source: Syslog:Linux-Sysmon/Operational
+          sourcetype: sysmon:linux
+    - name: True Positive Test - Sysmon Windows
+      attack_data:
+        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027/url_encoded_curl/windows-sysmon.log
+          source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+          sourcetype: XmlWinEventLog

detections/endpoint/lolbas_with_network_traffic.yml

@@ -75,7 +75,7 @@ search: |
         "*\\Xwizard.exe"
         )
 
-    NOT All_Traffic IN (
+    NOT All_Traffic.dest_ip IN (
             "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
             "127.0.0.0/8", "169.254.0.0/16", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32",
             "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",

detections/endpoint/windows_dll_side_loading_in_calc.yml

@@ -1,18 +1,37 @@
 name: Windows DLL Side-Loading In Calc
 id: af01f6db-26ac-440e-8d89-2793e303f137
-version: 9
-date: '2026-01-14'
+version: 10
+date: '2026-02-23'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
-description: The following analytic detects suspicious DLL modules loaded by calc.exe that are not located in the %systemroot%\system32 or %systemroot%\sysWoW64 directories. This detection leverages Sysmon EventCode 7 to identify DLL side-loading, a technique often used by Qakbot malware to execute malicious DLLs. This activity is significant as it indicates potential malware execution through a trusted process, which can bypass security controls. If confirmed malicious, this could allow attackers to execute arbitrary code, maintain persistence, and escalate privileges within the environment.
+description: The following analytic detects the loading of the "WindowsCodecs.dll" by calc.exe from a non-standard location This could be indicative of a potential DLL side-loading technique. This detection leverages Sysmon EventCode 7 to identify the DLL side-loading activity. In previous versions of the "calc.exe" binary, namely on Windows 7, it was vulnerable to DLL side-loading, where an attacker is able to load an arbitrary DLL named "WindowsCodecs.dll". This technique has been observed in Qakbot malware. This activity is significant as it indicates potential malware execution through a trusted process, which can bypass security controls. If confirmed malicious, this could allow attackers to execute arbitrary code, maintain persistence, and escalate privileges within the environment.
 data_source:
     - Sysmon EventID 7
-search: '`sysmon` EventCode=7 Image = "*\calc.exe" AND NOT (Image IN ("*:\\windows\\system32\\*", "*:\\windows\\sysWow64\\*")) AND NOT(ImageLoaded IN("*:\\windows\\system32\\*", "*:\\windows\\sysWow64\\*", "*:\\windows\\WinSXS\\*")) | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded dest loaded_file loaded_file_path original_file_name process_exec process_guid process_hash process_id process_name process_path service_dll_signature_exists service_dll_signature_verified signature signature_id user_id vendor_product | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_dll_side_loading_in_calc_filter`'
+search: |
+    '`sysmon`
+    EventCode=7
+    Image="*\\calc.exe"
+    ImageLoaded="*\\WindowsCodecs.dll"
+    NOT Image IN ("*:\\Windows\\System32\\*", "*:\\Windows\\SysWOW64\\*")
+    NOT ImageLoaded IN("*:\\Windows\\System32\\*", "*:\\Windows\\SysWOW64\\*", "*:\\Windows\\WinSXS\\*")
+
+    | fillnull
+    | stats count min(_time) as firstTime max(_time) as lastTime
+
+    by Image ImageLoaded dest loaded_file loaded_file_path original_file_name
+       process_exec process_guid process_hash process_id process_name
+       process_path service_dll_signature_exists service_dll_signature_verified
+       signature signature_id user_id vendor_product
+
+    | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`
+    | `windows_dll_side_loading_in_calc_filter`
 how_to_implement: To successfully implement this search you need to be ingesting information on processes that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.
 known_false_positives: No false positives have been identified at this time.
 references:
     - https://www.bitdefender.com/blog/hotforsecurity/new-qakbot-malware-strain-replaces-windows-calculator-dll-to-infected-pcs/
+    - https://www.menlosecurity.com/blog/an-anatomy-of-heat-attacks-used-by-qakbot-campaigns
 drilldown_searches:
     - name: View the detection results for - "$dest$"
       search: '%original_detection_search% | search  dest = "$dest$"'
@@ -23,7 +42,7 @@ drilldown_searches:
       earliest_offset: $info_min_time$
       latest_offset: $info_max_time$
 rba:
-    message: a dll modules is loaded by calc.exe in $ImageLoaded$ that are not in common windows OS installation folder on $dest$
+    message: The [ $image$ ] process loaded the [ $ImageLoaded$ ] DLL from a non-standard location on [ $dest$ ]
     risk_objects:
         - field: dest
           type: system

detections/endpoint/windows_dll_side_loading_process_child_of_calc.yml

@@ -1,28 +1,29 @@
 name: Windows DLL Side-Loading Process Child Of Calc
 id: 295ca9ed-e97b-4520-90f7-dfb6469902e1
 version: 10
-date: '2026-02-25'
+date: '2026-02-23'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
 data_source:
     - Sysmon EventID 1
     - Windows Event Log Security 4688
     - CrowdStrike ProcessRollup2
-description: The following analytic identifies suspicious child processes spawned by calc.exe, indicative of DLL side-loading techniques. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process GUIDs, names, and parent processes. This activity is significant as it is commonly associated with Qakbot malware, which uses calc.exe to load malicious DLLs via regsvr32.exe. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, maintain persistence, and escalate privileges, posing a severe threat to the environment.
-search: |-
-    | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
-      WHERE (
-            Processes.parent_process_name = "calc.exe"
-        )
-        AND Processes.process_name != "win32calc.exe"
-      BY Processes.action Processes.dest Processes.original_file_name
-         Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
-         Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
-         Processes.process Processes.process_exec Processes.process_guid
-         Processes.process_hash Processes.process_id Processes.process_integrity_level
-         Processes.process_name Processes.process_path Processes.user
-         Processes.user_id Processes.vendor_product
+description: The following analytic identifies suspicious child processes spawned by calc.exe, indicative of a potential DLL side-loading technique. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process GUIDs, names, and parent processes. In previous versions of the "calc.exe" binary, namely on Windows 7, it was vulnerable to DLL side-loading, where an attacker is able to load an arbitrary DLL named "WindowsCodecs.dll". This activity was observed in Qakbot malware, back in 2022. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, maintain persistence, and escalate privileges, posing a severe threat to the environment.
+search: |
+    | tstats `security_content_summariesonly`
+      count min(_time) as firstTime
+            max(_time) as lastTime
+    from datamodel=Endpoint.Processes where
+        Processes.parent_process_name = "calc.exe"
+        Processes.process_name != "win32calc.exe"
+
+    by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
+       Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
+       Processes.parent_process_name Processes.parent_process_path Processes.process
+       Processes.process_exec Processes.process_guid Processes.process_hash
+       Processes.process_id Processes.process_integrity_level Processes.process_name
+       Processes.process_path Processes.user Processes.user_id Processes.vendor_product
     | `drop_dm_object_name("Processes")`
     | `security_content_ctime(firstTime)`
     | `security_content_ctime(lastTime)`
@@ -31,6 +32,7 @@ how_to_implement: The detection is based on data that originates from Endpoint D
 known_false_positives: No false positives have been identified at this time.
 references:
     - https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot
+    - https://www.menlosecurity.com/blog/an-anatomy-of-heat-attacks-used-by-qakbot-campaigns
 drilldown_searches:
     - name: View the detection results for - "$dest$"
       search: '%original_detection_search% | search  dest = "$dest$"'
@@ -41,12 +43,14 @@ drilldown_searches:
       earliest_offset: $info_min_time$
       latest_offset: $info_max_time$
 rba:
-    message: calc.exe has a child process $process_name$ on $dest$
+    message: $parent_process_name$ spawned a child process of $process_name$ on $dest$
     risk_objects:
         - field: dest
           type: system
           score: 81
-    threat_objects: []
+    threat_objects:
+        - field: process_name
+          type: process_name
 tags:
     analytic_story:
         - Qakbot