Branch was auto-updated.

.gitignore

@@ -1,8 +1,16 @@
 # Ignore example files from contentctl tool
-
+apps/
+test_results/
 detections/*/.yml.example
 stories/*.yml.example
 tests/*/*.yml.example
+artifacts/
+contentctl/*
+dist/DA-ESS-ContentUpdate-*.tar.gz
+dist/DA-ESS-ContentUpdate.tar.gz
+dist/ContentPack-*.appinspect_api_results.html
+dist/ContentPack-*.appinspect_api_results.json
+
 
 # IDE
 .vscode/

.gitlab-ci.yml

@@ -1,27 +1,20 @@
+default:
+  image: docker-hub.repo.splunkdev.net/python:3.9
+
 stages:
-  - publish_build_to_pre_qa
+  - validate
+  - generate
+  - app_inspect
+  - release
+
+include:
+  - local: "pipeline/.validate.yml"
+  - local: "pipeline/.generate.yml"
+  - local: "pipeline/.app_inspect.yml"
+  - local: "pipeline/.release.yml"
 
-publish_build_to_pre_qa:
-  stage: publish_build_to_pre_qa
-  artifacts:
-    when: always
-    paths:
-      - artifacts/*
-  image: python:3.8-alpine
-  before_script:
-    - apk add --update --no-cache make curl bash git
-    - curl -L https://github.com/screwdriver-cd/gitversion/releases/download/v1.1.1/gitversion_linux_amd64 -o /usr/local/bin/gitversion && chmod +x /usr/local/bin/gitversion
-    - eval $(ssh-agent -s)
-  script:
-    - mkdir -p artifacts
-    - pip install requests
-    - VERSION=$(git tag --sort=-creatordate | head -n 1)
-    - echo "Build Version - $VERSION"
-    - python security_content_automation/publish_build_to_pre_qa/publish_build_to_pre_qa.py --version $VERSION --builds DA-ESS-ContentUpdate SSA_Content
-  after_script:
-    - cp publish_build_to_pre_qa.log artifacts/publish_build_to_pre_qa.log
+workflow:
   rules:
-    - if: '$CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]$/'
-      when: always
-    - if: '$CI_PIPELINE_SOURCE == "schedule"'
-      when: always
+    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
+    - if: $CI_COMMIT_TAG
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH

.gitmodules

@@ -0,0 +1,4 @@
+[submodule "contentctl"]
+	path = contentctl
+	url = https://github.com/splunk/contentctl.git
+	ignore = all

bin/contentctl_project/contentctl_core/domain/entities/detection.py

@@ -193,14 +193,3 @@ def tests_validate(cls, v, values):
             )
         return v
 
-    @validator("experimental", always=True)
-    def experimental_validate(cls, v, values):
-        if DetectionStatus(values["status"]) == DetectionStatus.experimental:
-            return True
-        return False
-
-    @validator("deprecated", always=True)
-    def deprecated_validate(cls, v, values):
-        if DetectionStatus(values["status"]) == DetectionStatus.deprecated:
-            return True
-        return False

bin/contentctl_project/contentctl_infrastructure/adapter/templates/savedsearches_detections.j2

@@ -5,7 +5,7 @@
 [ESCU - {{ detection.name }} - Rule]
 action.escu = 0
 action.escu.enabled = 1
-{% if detection.deprecated %}
+{% if detection.status == "deprecated" %}
 description = WARNING, this detection has been marked deprecated by the Splunk Threat Research team, this means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. {{ detection.description }} 
 {% else %}
 description = {{ detection.description }}
@@ -52,7 +52,7 @@ cron_schedule = {{ detection.deployment.scheduling.cron_schedule }}
 dispatch.earliest_time = {{ detection.deployment.scheduling.earliest_time }}
 dispatch.latest_time = {{ detection.deployment.scheduling.latest_time }}
 action.correlationsearch.enabled = 1
-{% if detection.deprecated %}
+{% if detection.status == "deprecated" %}
 action.correlationsearch.label = ESCU - Deprecated - {{ detection.name }} - Rule
 {% elif detection.type | lower == "correlation" %}
 action.correlationsearch.label = ESCU - RIR - {{ detection.name }} - Rule

contentctl.yml

@@ -0,0 +1,22 @@
+build:
+  name: DA-ESS-ContentUpdate
+  path_root: dist
+  prefix: ESCU
+  build: 004150
+  version: 4.14.1
+  label: ES Content Updates
+  author_name: Splunk Threat Research Team
+  author_email: research@splunk.com
+  author_company: Splunk
+  description: Explore the Analytic Stories included with ES Content Updates.
+  splunk_app: {}
+  json_objects: null
+  ba_objects: null
+build_ssa:
+  path_root: 'dist/ssa'
+build_api:
+  path_root: 'dist/api'
+enrichments:
+  attack_enrichment: false
+  cve_enrichment: false
+  splunk_app_enrichment: false

contentctl_test.yml

@@ -0,0 +1,70 @@
+version_control_config: null
+infrastructure_config:
+  infrastructure_type: container
+  full_image_path: registry.hub.docker.com/splunk/splunk:latest
+post_test_behavior: always_pause
+mode: all
+detections_list: null
+splunkbase_username: null
+splunkbase_password: null
+apps:
+- uid: 6176
+  appid: Splunk_TA_linux_sysmon
+  title: Add-on for Linux Sysmon
+  description: null
+  release: 1.0.4
+  local_path: null
+  http_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/add-on-for-linux-sysmon_104.tgz
+  splunkbase_path: null
+  environment_path: ENVIRONMENT_PATH_NOT_SET
+  force_local: false
+- uid: 742
+  appid: Splunk_TA_windows
+  title: Splunk Add-on for Microsoft Windows
+  description: null
+  release: 8.5.0
+  local_path: null
+  http_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-add-on-for-microsoft-windows_850_PATCHED.tgz
+  splunkbase_path: null
+  environment_path: ENVIRONMENT_PATH_NOT_SET
+  force_local: false
+- uid: 5709
+  appid: Splunk_TA_microsoft_sysmon
+  title: Splunk Add-on for Sysmon
+  description: null
+  release: 3.0.0
+  local_path: null
+  http_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-add-on-for-sysmon_300.tgz
+  splunkbase_path: null
+  environment_path: ENVIRONMENT_PATH_NOT_SET
+  force_local: false
+- uid: 833
+  appid: Splunk_TA_nix
+  title: Splunk Add-on for Unix and Linux
+  description: null
+  release: 8.7.0
+  local_path: null
+  http_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-add-on-for-unix-and-linux_860.tgz
+  splunkbase_path: null
+  environment_path: ENVIRONMENT_PATH_NOT_SET
+  force_local: false
+- uid: 2734
+  appid: utbox
+  title: URL Toolbox
+  description: null
+  release: 1.9.2
+  local_path: null
+  http_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/url-toolbox_192.tgz
+  splunkbase_path: null
+  environment_path: ENVIRONMENT_PATH_NOT_SET
+  force_local: false
+- uid: 1621
+  appid: Splunk_SA_CIM
+  title: Splunk Common Information Model (CIM)
+  description: null
+  release: 5.0.2
+  local_path: null
+  http_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-common-information-model-cim_501.tgz
+  splunkbase_path: null
+  environment_path: ENVIRONMENT_PATH_NOT_SET
+  force_local: false

detections/application/splunk_absolute_path_traversal_using_runshellscript.yml

@@ -7,7 +7,7 @@ status: production
 type: Hunting
 data_source: []
 description: In Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, an attacker can exploit an absolute path traversal to execute arbitrary code that is located on a separate disk.
-search: > 
+search: >- 
   `splunk_python` *runshellscript* 
   | eval log_split=split(_raw, "runshellscript: ")
   | eval array_raw = mvindex(log_split,1)

detections/endpoint/7zip_commandline_to_smb_share_path.yml

@@ -1,5 +1,5 @@
 name: 7zip CommandLine To SMB Share Path
-id: 01d29b48-ff6f-11eb-b81e-acde48001122
+id: 01d29b48-ff6f-11eb-b81e-acde48001123
 version: 1
 date: '2021-08-17'
 author: Teoderick Contreras, Splunk

detections/endpoint/icedid_exfiltrated_archived_file_creation.yml

@@ -27,7 +27,7 @@ tags:
   asset_type: Endpoint
   confidence: 90
   impact: 80
-  message: Process $process_name$ create a file $TargetImage$ on host $dest$
+  message: Process $process_name$ create a file $TargetFilename$ on host $dest$
   mitre_attack_id:
   - T1560.001
   - T1560

detections/endpoint/kerberos_tgt_request_using_rc4_encryption.yml

@@ -17,8 +17,11 @@ description: The following analytic leverages Event 4768, A Kerberos authenticat
   ticket may be used to obtain unauthorized access to systems and other network resources.
 data_source:
 - Windows Security 4768
-search: ' `wineventlog_security` EventCode=4768 Ticket_Encryption_Type=0x17 Account_Name!=*$
-  | `kerberos_tgt_request_using_rc4_encryption_filter` '
+search: ' `wineventlog_security` EventCode=4768 Ticket_Encryption_Type=0x17 Account_Name!=*$ 
+  | stats count min(_time) as firstTime max(_time) as lastTime by Account_Name Client_Address dest
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)` 
+  | `kerberos_tgt_request_using_rc4_encryption_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting
   Domain Controller and Kerberos events. The Advanced Security Audit policy setting
   `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.

detections/endpoint/rundll32_dnsquery.yml

@@ -29,8 +29,7 @@ tags:
   asset_type: Endpoint
   confidence: 80
   impact: 70
-  message: rundll32 process $process_name$ having a dns query to $QueryName$ in host
-    $dest$
+  message: rundll32 process $process_name$ made a DNS query for $query$ from host $dest$
   mitre_attack_id:
   - T1218
   - T1218.011

detections/endpoint/windows_admin_permission_discovery.yml

@@ -16,7 +16,7 @@ description: This analytic is developed to identify suspicious file creation in
   similar techniques to assess the privileges of their running malware instances, without using token privilege API calls or PowerShell commandlets.
 search: '|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem 
   where Filesystem.file_name IN ("*.exe", "*.dll", "*.sys", "*.com", "*.vbs", "*.vbe", "*.js", "*.bat", "*.cmd", "*.pif", "*.lnk", "*.dat") 
-  by Filesystem.dest Filesystem.file_create_time Filesystem.process_id Filesystem.process_guiid Filesystem.file_name Filesystem.file_path Filesystem.user 
+  by Filesystem.dest Filesystem.file_create_time Filesystem.process_id Filesystem.process_guid Filesystem.file_name Filesystem.file_path Filesystem.user 
   | `drop_dm_object_name(Filesystem)` 
   | eval dropped_file_path = split(file_path, "\\") 
   | eval dropped_file_path_split_count = mvcount(dropped_file_path) 
@@ -26,7 +26,7 @@ search: '|tstats `security_content_summariesonly` count min(_time) as firstTime
   | `windows_admin_permission_discovery_filter`'
 how_to_implement: To successfully implement this search you need to be ingesting information on process that 
   include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.
-known_false_positives: administrator is capable of dropping files in root C drive.
+known_false_positives: False positives may occur if there are legitimate accounts with the privilege to drop files in the root of the C drive. It's recommended to verify the legitimacy of such actions and the accounts involved.
 references:
 - https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat
 tags:
@@ -64,6 +64,9 @@ tags:
   - Filesystem.process_id
   - Filesystem.file_name
   - Filesystem.user
+  - Filesystem.dest
+  - Filesystem.process_guid
+  - Filesystem.file_path
   security_domain: endpoint
 tests:
 - name: True Positive Test

detections/web/confluence_cve_2023_22515_trigger_vulnerability.yml

@@ -1,18 +1,18 @@
 name: Confluence CVE-2023-22515 Trigger Vulnerability
 id: 630ea8b2-2800-4f5d-9cbc-d65c567349b0
-version: 1
-date: '2023-10-12'
+version: 2
+date: '2023-10-23'
 author: Michael Haag, Splunk
 status: production
 type: TTP
 data_source: []
 description: The following analytic identifies potential exploitation attempts on a known vulnerability in Atlassian Confluence, targeting the /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false* and /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=0& URLs. By analyzing web logs within the Splunk 'Web' Data Model, it filters for successful accesses (HTTP status 200) to these vulnerable endpoints. Such behavior is crucial for a SOC to monitor, as it suggests attackers might be exploiting a privilege escalation flaw in Confluence. A true positive implies a possible unauthorized access or account creation with escalated privileges. Key details captured include user-agent, HTTP methods, URL length, and source and destination IPs. These insights aid SOCs in swiftly detecting and responding to threats, ensuring vulnerabilities are mitigated before substantial compromise.
-search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("/server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false*","/server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=0&*") Web.http_method=GET Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype
+search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*/server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false*","*/server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=0&*") Web.http_method=GET Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype
   | `drop_dm_object_name("Web")`
   | `security_content_ctime(firstTime)` 
   | `security_content_ctime(lastTime)` | `confluence_cve_2023_22515_trigger_vulnerability_filter`'
 how_to_implement: To successfully implement this search you need to be ingesting information
-  on Web traffic that include fields relavent for traffic into the `Web` datamodel.
+  on Web traffic that include fields relavent for traffic into the `Web` datamodel. Tested with Suricata and nginx:plus:kv. 
 known_false_positives: False positives may be present with legitimate applications.
   Attempt to filter by dest IP or use Asset groups to restrict to Confluence servers.
 references:

detections/web/confluence_data_center_and_server_privilege_escalation.yml

@@ -1,16 +1,14 @@
 name: Confluence Data Center and Server Privilege Escalation
 id: 115bebac-0976-4f7d-a3ec-d1fb45a39a11
-version: 1
-date: '2023-10-04'
+version: 2
+date: '2023-10-18'
 author: Michael Haag, Splunk
 status: production
 type: TTP
 data_source: []
 description: The following analytic identifies potential exploitation attempts on a known vulnerability in Atlassian Confluence, targeting the /setup/*.action* URL pattern. By analyzing web logs within the Splunk 'Web' Data Model, it filters for successful accesses (HTTP status 200) to these vulnerable endpoints. Such behavior is crucial for a SOC to monitor, as it suggests attackers might be exploiting a privilege escalation flaw in Confluence. A true positive implies a possible unauthorized access or account creation with escalated privileges. Key details captured include user-agent, HTTP methods, URL length, and source and destination IPs. These insights aid SOCs in swiftly detecting and responding to threats, ensuring vulnerabilities are mitigated before substantial compromise.
-search: '| tstats count min(_time) as firstTime max(_time)
-  as lastTime from datamodel=Web where Web.url IN ("/setup/*.action*") Web.status=200 
-  by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype
-  | `drop_dm_object_name("Web")`
+search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*/setup/setupadministrator.action*", "*/setup/finishsetup.action*") Web.status=200  by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype
+  | `drop_dm_object_name("Web")` 
   | `security_content_ctime(firstTime)` 
   | `security_content_ctime(lastTime)` | `confluence_data_center_and_server_privilege_escalation_filter`'
 how_to_implement: To successfully implement this search you need to be ingesting information
@@ -55,7 +53,12 @@ tags:
   - Web.http_user_agent
   security_domain: network
 tests:
-- name: True Positive Test
+- name: Nginx Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/confluence/nginx_plus_kv_confluence.log
+    source: nginx:plus:kv
+    sourcetype: nginx:plus:kv
+- name: Suricata Positive Test
   attack_data:
   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/confluence/confluence_cve-2023-22515.log
     source: suricata

detections/web/hunting_for_log4shell.yml

@@ -55,7 +55,7 @@ search: '| from datamodel Web.Web | eval jndi=if(match(_raw, "(\{|%7B)[jJnNdDiI]
   "(?i)({|%7b)(main|sys|k8s|spring|lower|upper|env|date|sd)"),4,0)  | addtotals fieldname=Score,
   jndi, jndi_proto, env_var, uridetect, all_match, jndi_fastmatch, keywords, obf,
   lookups | where Score > 2 | stats values(Score) by  jndi, jndi_proto, env_var, uridetect,
-  all_match, jndi_fastmatch, keywords, lookups, obf, _raw | `hunting_for_log4shell_filter`'
+  all_match, jndi_fastmatch, keywords, lookups, obf, dest, src, http_method, _raw | `hunting_for_log4shell_filter`'
 how_to_implement: Out of the box, the Web datamodel is required to be pre-filled.
   However, tested was performed against raw httpd access logs. Change the first line
   to any dataset to pass the regex's against.

dist/escu/app.manifest → dist/DA-ESS-ContentUpdate/app.manifest

@@ -1,15 +1,21 @@
+#############
+# Automatically generated by generator.py in splunk/security_content
+# On Date: 2023-10-24T00:38:29 UTC
+# Author: Splunk Threat Research Team - Splunk
+# Contact: research@splunk.com
+#############
 {
   "schemaVersion": "1.0.0", 
   "info": {
-    "title": "ES Content Updates", 
+    "title": "ContentPack", 
     "id": {
       "group": null, 
       "name": "DA-ESS-ContentUpdate", 
       "version": "4.14.0"
     }, 
     "author": [
       {
-        "name": "Splunk Security Research Team", 
+        "name": "Splunk Threat Research Team", 
         "email": "research@splunk.com", 
         "company": "Splunk"
       }

dist/escu/default/analyticstories.conf → dist/DA-ESS-ContentUpdate/default/analyticstories.conf

@@ -1,7 +1,7 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2023-10-18T20:29:18 UTC
-# Author: Splunk Security Research
+# On Date: 2023-10-24T00:38:29 UTC
+# Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############