Merge pull request #3971 from splunk/detections_improvement

Improved detections based on telemetry.

Author: P4T12ICK

…o_add_certificate_to_untrusted_store.yml …o_add_certificate_to_untrusted_store.ymldetections/endpoint/attempt_to_add_certificate_to_untrusted_store.yml renamed to detections/deprecated/attempt_to_add_certificate_to_untrusted_store.yml detections/endpoint/attempt_to_add_certificate_to_untrusted_store.yml renamed to detections/deprecated/attempt_to_add_certificate_to_untrusted_store.yml

@@ -1,9 +1,9 @@
 name: Attempt To Add Certificate To Untrusted Store
 id: 6bc5243e-ef36-45dc-9b12-f4a6be131159
-version: 18
-date: '2026-03-10'
+version: 19
+date: '2026-03-26'
 author: Patrick Bareiss, Rico Valdez, Splunk
-status: production
+status: deprecated
 type: Anomaly
 description: |
     The following analytic detects attempts to add a certificate to the untrusted

…ions/endpoint/chcp_command_execution.yml …ns/deprecated/chcp_command_execution.ymldetections/endpoint/chcp_command_execution.yml renamed to detections/deprecated/chcp_command_execution.yml detections/endpoint/chcp_command_execution.yml renamed to detections/deprecated/chcp_command_execution.yml

@@ -1,9 +1,9 @@
 name: CHCP Command Execution
 id: 21d236ec-eec1-11eb-b23e-acde48001122
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-23'
 author: Teoderick Contreras, Splunk
-status: production
+status: deprecated
 type: Anomaly
 description: The following analytic detects the execution of the chcp.com utility, which is used to change the active code page of the console. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events. This activity is significant because it can indicate the presence of malware, such as IcedID, which uses this technique to determine the locale region, language, or country of the compromised host. If confirmed malicious, this could lead to further system compromise and data exfiltration.
 data_source:

…s/endpoint/processes_launching_netsh.yml …deprecated/processes_launching_netsh.ymldetections/endpoint/processes_launching_netsh.yml renamed to detections/deprecated/processes_launching_netsh.yml detections/endpoint/processes_launching_netsh.yml renamed to detections/deprecated/processes_launching_netsh.yml

@@ -1,9 +1,9 @@
 name: Processes launching netsh
 id: b89919ed-fe5f-492c-b139-95dbb162040e
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-26'
 author: Michael Haag, Josef Kuepker, Splunk
-status: production
+status: deprecated
 type: Anomaly
 description: The following analytic identifies processes launching netsh.exe, a command-line utility used to modify network configurations. It detects this activity by analyzing data from Endpoint Detection and Response (EDR) agents, focusing on process GUIDs, names, parent processes, and command-line executions. This behavior is significant because netsh.exe can be exploited to execute malicious helper DLLs, serving as a persistence mechanism. If confirmed malicious, an attacker could gain persistent access, modify network settings, and potentially escalate privileges, posing a severe threat to the network's integrity and security.
 data_source:

…sc_exe_manipulating_windows_services.yml …sc_exe_manipulating_windows_services.ymldetections/endpoint/sc_exe_manipulating_windows_services.yml renamed to detections/deprecated/sc_exe_manipulating_windows_services.yml detections/endpoint/sc_exe_manipulating_windows_services.yml renamed to detections/deprecated/sc_exe_manipulating_windows_services.yml

@@ -1,9 +1,9 @@
 name: Sc exe Manipulating Windows Services
 id: f0c693d8-2a89-4ce7-80b4-98fea4c3ea6d
-version: 14
-date: '2026-03-10'
+version: 15
+date: '2026-03-26'
 author: Rico Valdez, Splunk
-status: production
+status: deprecated
 type: TTP
 description: The following analytic detects the creation or modification of Windows services using the sc.exe command. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because manipulating Windows services can be a method for attackers to establish persistence, escalate privileges, or execute arbitrary code. If confirmed malicious, this behavior could allow an attacker to maintain long-term access, disrupt services, or gain control over critical system functions, posing a severe threat to the environment.
 data_source:

detections/endpoint/anomalous_usage_of_7zip.yml

@@ -1,7 +1,7 @@
 name: Anomalous usage of 7zip
 id: 9364ee8e-a39a-11eb-8f1d-acde48001122
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-26'
 author: Michael Haag, Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -12,7 +12,7 @@ data_source:
     - CrowdStrike ProcessRollup2
 search: |-
     | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
-      WHERE Processes.parent_process_name IN ("rundll32.exe", "dllhost.exe") Processes.process_name=*7z*
+      WHERE (Processes.parent_process_name IN ("rundll32.exe", "dllhost.exe") Processes.process_name=*7z*) AND NOT Processes.process_path = "C:\\Program Files\\VMware\\VMware Tools\\7za.exe"
       BY Processes.action Processes.dest Processes.original_file_name
          Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
          Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path

detections/endpoint/conti_common_exec_parameter.yml

@@ -1,7 +1,7 @@
 name: Conti Common Exec parameter
 id: 624919bc-c382-11eb-adcc-acde48001122
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
@@ -12,13 +12,7 @@ data_source:
     - CrowdStrike ProcessRollup2
 search: |-
     | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
-      WHERE Processes.process = "*-m local*"
-        OR
-        Processes.process = "*-m net*"
-        OR
-        Processes.process = "*-m all*"
-        OR
-        Processes.process = "*-nomutex*"
+      WHERE Processes.process IN ("*-m local", "*-m local *", "*-m net", "*-m net *", "*-m all","*-m all *", "*-nomutex", "*-nomutex *")
       BY Processes.action Processes.dest Processes.original_file_name
          Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
          Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path

detections/endpoint/detect_rundll32_inline_hta_execution.yml

@@ -1,7 +1,7 @@
 name: Detect Rundll32 Inline HTA Execution
 id: 91c79f14-5b41-11eb-ae93-0242ac130002
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-26'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -14,9 +14,7 @@ search: |-
     | tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
       WHERE `process_rundll32` (Processes.process=*vbscript*
         OR
-        Processes.process=*javascript*
-        OR
-        Processes.process=*about*)
+        Processes.process=*javascript*)
       BY Processes.action Processes.dest Processes.original_file_name
          Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
          Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path

detections/endpoint/disable_schedule_task.yml

@@ -1,10 +1,10 @@
 name: Disable Schedule Task
 id: db596056-3019-11ec-a9ff-acde48001122
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-26'
 author: Teoderick Contreras, Splunk
 status: production
-type: TTP
+type: Anomaly
 description: The following analytic detects the execution of a command to disable an existing scheduled task using 'schtasks.exe' with the '/change' and '/disable' parameters. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. Disabling scheduled tasks is significant as it is a common tactic used by adversaries, including malware like IcedID, to disable security applications and evade detection. If confirmed malicious, this activity could allow attackers to persist undetected, disable critical security defenses, and further compromise the targeted host.
 data_source:
     - Sysmon EventID 1

detections/endpoint/modify_acl_permission_to_files_or_folder.yml

@@ -1,7 +1,7 @@
 name: Modify ACL permission To Files Or Folder
 id: 7e8458cc-acca-11eb-9e3f-acde48001122
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-24'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -19,7 +19,7 @@ search: |
     from datamodel=Endpoint.Processes where
       Processes.process_name IN ("icacls.exe", "cacls.exe", "xcacls.exe")
       Processes.process IN ("*/grant*", "*/g:*", "*/g *")
-      Processes.process IN ("* Everyone:*", "* SYSTEM:*", "* S-1-1-0:*")
+      Processes.process IN ("* SYSTEM:*", "* S-1-1-0:*")
     by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
     Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
     Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec

detections/endpoint/possible_lateral_movement_powershell_spawn.yml

@@ -1,7 +1,7 @@
 name: Possible Lateral Movement PowerShell Spawn
 id: cb909b3e-512b-11ec-aa31-3e22fbd008af
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-26'
 author: Mauricio Velazco, Michael Haag, Splunk
 status: production
 type: TTP