diff --git a/bin/contentctl_project/contentctl_core/domain/entities/detection.py b/bin/contentctl_project/contentctl_core/domain/entities/detection.py index 57d1c1a02a..23a3dcdf15 100644 --- a/bin/contentctl_project/contentctl_core/domain/entities/detection.py +++ b/bin/contentctl_project/contentctl_core/domain/entities/detection.py @@ -75,6 +75,7 @@ class Detection(BaseModel, SecurityContentObject): nes_fields: str = None providing_technologies: list = None runtime: str = None + internalVersion: str = None # @validator('name')v # def name_max_length(cls, v, values): diff --git a/bin/contentctl_project/contentctl_core/domain/entities/detection_tags.py b/bin/contentctl_project/contentctl_core/domain/entities/detection_tags.py index 16490246e8..400db14246 100644 --- a/bin/contentctl_project/contentctl_core/domain/entities/detection_tags.py +++ b/bin/contentctl_project/contentctl_core/domain/entities/detection_tags.py @@ -40,7 +40,9 @@ class DetectionTags(BaseModel): risk_level: str = None observable_str: str = None evidence_str: str = None + analytics_story_str: str = None kill_chain_phases_id: list = None + kill_chain_phases_str: str = None research_site_url: str = None event_schema: str = None mappings: list = None diff --git a/bin/contentctl_project/contentctl_infrastructure/adapter/finding_report_writer.py b/bin/contentctl_project/contentctl_infrastructure/adapter/finding_report_writer.py index 44cea37840..9903f219c8 100644 --- a/bin/contentctl_project/contentctl_infrastructure/adapter/finding_report_writer.py +++ b/bin/contentctl_project/contentctl_infrastructure/adapter/finding_report_writer.py 
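Review bot: `internalVersion: str = None` declares a string, but the obj_to_yml_adapter hunk later in this diff assigns `obj.internalVersion = 2`; unless the model enables `validate_assignment` (not visible here) pydantic does not coerce on attribute assignment, so the serialized YAML carries an int under a field typed `str`. If the consumer expects a number, declare `internalVersion: int = None`; otherwise assign `"2"` in the adapter. The camelCase name also diverges from the snake_case fields around it — keep it only if the YAML key must be spelled that way on the consuming side, and say so in a comment such as `# camelCase required by the BA finding schema`.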
@@ -10,6 +10,37 @@ class FindingReportObject(): @staticmethod def writeFindingReport(detection : Detection) -> None: + if detection.tags.confidence < 33: + detection.tags.confidence_id = 1 + elif detection.tags.confidence < 66: + detection.tags.confidence_id = 2 + else: + detection.tags.confidence_id = 3 + + if detection.tags.impact < 20: + detection.tags.impact_id = 1 + elif detection.tags.impact < 40: + detection.tags.impact_id = 2 + elif detection.tags.impact < 60: + detection.tags.impact_id = 3 + elif detection.tags.impact < 80: + detection.tags.impact_id = 4 + else: + detection.tags.impact_id = 5 + + detection.tags.kill_chain_phases_id = dict() + for kill_chain_phase in detection.tags.kill_chain_phases: + detection.tags.kill_chain_phases_id[kill_chain_phase] = SES_KILL_CHAIN_MAPPINGS[kill_chain_phase] + + kill_chain_phase_str = "[" + i = 0 + for kill_chain_phase in detection.tags.kill_chain_phases_id.keys(): + kill_chain_phase_str = kill_chain_phase_str + '{"phase": "' + kill_chain_phase + '", "phase_id": ' + str(detection.tags.kill_chain_phases_id[kill_chain_phase]) + "}" + if not i == (len(detection.tags.kill_chain_phases_id.keys()) - 1): + kill_chain_phase_str = kill_chain_phase_str + ', ' + i = i + 1 + kill_chain_phase_str = kill_chain_phase_str + ']' + detection.tags.kill_chain_phases_str = kill_chain_phase_str if detection.tags.risk_score < 20: detection.tags.risk_level_id = 0 
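Review bot: The kill-chain literal is assembled by string concatenation with no escaping, so a phase name containing a double quote produces a malformed literal in the generated query; `json.dumps` gives byte-identical output for well-formed input (same `, ` and `: ` separators, `[]` when empty) and handles escaping: `detection.tags.kill_chain_phases_str = json.dumps([{"phase": p, "phase_id": i} for p, i in detection.tags.kill_chain_phases_id.items()])` with `import json` at the top of the file. The same applies to `analytics_story_str` in the next hunk, which reduces to `detection.tags.analytics_story_str = json.dumps(detection.tags.analytic_story)`. `SES_KILL_CHAIN_MAPPINGS[kill_chain_phase]` raises a bare KeyError for a phase missing from the map; re-raising with the detection name and the offending phase would make content errors easier to locate. Note also that `kill_chain_phases_id` is assigned a `dict()` here while detection_tags.py declares it `list = None`, and `confidence`/`impact` are compared with `<` with no None guard, so a detection lacking either tag fails with a TypeError (presumably both are mandatory — confirm). writeFindingReport continues beyond this hunk.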
@@ -27,15 +58,23 @@ def writeFindingReport(detection : Detection) -> None: detection.tags.risk_level_id = 4 detection.tags.risk_level = "Critical" - evidence_str = "create_map(" + evidence_str = "{" for i in range(len(detection.tags.observable)): - evidence_str = evidence_str + '"' + detection.tags.observable[i]["name"] + '", ' + detection.tags.observable[i]["name"].replace(".", "_") + evidence_str = evidence_str + '"' + detection.tags.observable[i]["name"] + '": ' + detection.tags.observable[i]["name"].replace(".", "_") if not i == (len(detection.tags.observable) - 1): evidence_str = evidence_str + ', ' - evidence_str = evidence_str + ')' + evidence_str = evidence_str + '}' detection.tags.evidence_str = evidence_str + analytics_story_str = "[" + for i in range(len(detection.tags.analytic_story)): + analytics_story_str = analytics_story_str + '"' + detection.tags.analytic_story[i] + '"' + if not i == (len(detection.tags.analytic_story) - 1): + analytics_story_str = analytics_story_str + ', ' + analytics_story_str = analytics_story_str + ']' + detection.tags.analytics_story_str = analytics_story_str + if "actor.user.name" in detection.tags.required_fields: actor_user_name = "actor_user_name" else: diff --git a/bin/contentctl_project/contentctl_infrastructure/adapter/obj_to_yml_adapter.py b/bin/contentctl_project/contentctl_infrastructure/adapter/obj_to_yml_adapter.py index cc9d0184ba..72e75bf93c 100644 --- a/bin/contentctl_project/contentctl_infrastructure/adapter/obj_to_yml_adapter.py +++ b/bin/contentctl_project/contentctl_infrastructure/adapter/obj_to_yml_adapter.py @@ -66,7 +66,8 @@ def writeObjects(self, objects: list, output_path: str, type: SecurityContentTyp "nist": obj.tags.nist } - obj.runtime = "SPL-DSP" + obj.runtime = "SPL2" + obj.internalVersion = 2 # remove unncessary fields YmlWriter.writeYmlFile(file_path, obj.dict( 
@@ -84,6 +85,7 @@ def writeObjects(self, objects: list, output_path: str, type: SecurityContentTyp "known_false_positives": True, "references": True, "runtime": True, + "internalVersion": True, "tags": { #"analytic_story": True, diff --git a/bin/contentctl_project/contentctl_infrastructure/adapter/templates/finding_report.j2 b/bin/contentctl_project/contentctl_infrastructure/adapter/templates/finding_report.j2 index 80d533ffb9..feff052006 100644 --- a/bin/contentctl_project/contentctl_infrastructure/adapter/templates/finding_report.j2 +++ b/bin/contentctl_project/contentctl_infrastructure/adapter/templates/finding_report.j2 
@@ -1,28 +1,30 @@ - | eval body=create_map( - "devices", [ - create_map( - "hostname", device_hostname, "type_id", 0, "uuid", ucast(map_get(device,"uuid"), "string", null) - ) - ], - "time", timestamp, - "evidence", {{ detection.tags.evidence_str }}, - "message", concat("{{ detection.name }} has been triggered on ", device_hostname, " by ", {{ actor_user_name }}, "."), - "users", [ - create_map( - "name", {{ actor_user_name }}, "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - "risk_level_id", {{ detection.tags.risk_level_id }}, - "risk_score", {{ detection.tags.risk_score }}, - "severity_id", 0, - "rule", create_map("name", "{{ detection.name }}", "uid", "{{ detection.id }}", "type", "Streaming"), - "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events(); \ No newline at end of file + | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {{ detection.tags.evidence_str }}, + message = "{{ detection.name }} has been triggered on " + device_hostname + " by " + {{ actor_user_name }} + ".", + users = [{"name": {{ actor_user_name }}, "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = {{ detection.tags.analytics_story_str }}, + class_name = "Detection Report", + confidence = {{ detection.tags.confidence }}, + confidence_id = {{ detection.tags.confidence_id }}, + duration = 0, + impact = {{ detection.tags.impact }}, + impact_id = {{ detection.tags.impact_id }}, + kill_chain = {{ detection.tags.kill_chain_phases_str }}, + nist = ["DE.AE"], + risk_level = "{{ detection.tags.risk_level }}", + 
category_uid = 2, + class_uid = 102001, + risk_level_id = {{ detection.tags.risk_level_id }}, + risk_score = {{ detection.tags.risk_score }}, + severity_id = 0, + rule = {"name": "{{ detection.name }}", "uid": "{{ detection.id }}", "type": "Streaming"}, + metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time + | into sink; \ No newline at end of file diff --git a/bin/contentctl_project/contentctl_infrastructure/builder/backend_splunk_ba.py b/bin/contentctl_project/contentctl_infrastructure/builder/backend_splunk_ba.py index 0cb7cf43f5..b6d745b595 100644 --- a/bin/contentctl_project/contentctl_infrastructure/builder/backend_splunk_ba.py +++ b/bin/contentctl_project/contentctl_infrastructure/builder/backend_splunk_ba.py @@ -33,7 +33,7 @@ class SplunkBABackend(TextQueryBackend): wildcard_single : ClassVar[str] = "%" add_escaped : ClassVar[str] = "\\" - re_expression : ClassVar[str] = "match_regex({field}, /(?i){regex}/)=true" + re_expression : ClassVar[str] = "match({field}, /(?i){regex}/)=true" re_escape_char : ClassVar[str] = "" re_escape : ClassVar[Tuple[str]] = ('"',) 
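Review bot: `nist = ["DE.AE"]` and `cis_csc = [{"control": "CIS 10", "version": 8}]` are hard-coded in the template even though the detection model carries `tags.nist` (the obj_to_yml_adapter hunk in this diff writes `obj.tags.nist`), so every finding reports the same framework mapping regardless of the detection's actual tags. Render them from the detection as is done for `analytic_stories`, e.g. a pre-serialized string set in writeFindingReport and used as `nist = {{ detection.tags.nist_str }},` (name constructed). `observables` appears in the `| fields` clause but no `observables = …` assignment exists in the eval; presumably it arrives from the upstream pipeline — confirm, otherwise the column is silently empty. The `message` literal embeds `{{ detection.name }}` inside double quotes without escaping, so a name containing `"` yields an unparseable query; detection names are curated content, but an explicit check in the writer would make that failure visible at build time.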
@@ -64,7 +64,7 @@ class SplunkBABackend(TextQueryBackend): deferred_separator : ClassVar[str] = " OR " deferred_only_query : ClassVar[str] = "*" - wildcard_match_expression : ClassVar[Optional[str]] = "like({field}, {value})" + wildcard_match_expression : ClassVar[Optional[str]] = "{field} LIKE {value}" def __init__(self, processing_pipeline: Optional["sigma.processing.pipeline.ProcessingPipeline"] = None, collect_errors: bool = False, min_time : str = "-30d", max_time : str = "now", detection : Detection = None, field_mapping: dict = None, **kwargs): @@ -88,32 +88,29 @@ def finalize_query_data_model(self, rule: SigmaRule, query: str, index: int, sta # fields_input_parsing = fields_input_parsing + ', ' detection_str = """ -| from read_ba_enriched_events() -| eval timestamp = ucast(map_get(input_event,"time"),"long", null) -| eval metadata = ucast(map_get(input_event, "metadata"),"map", null) -| eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) +$main = from source +| eval timestamp = time +| eval metadata_uid = metadata.uid """.replace("\n", " ") parsed_fields = [] for field in self.field_mapping["mapping"].keys(): mapped_field = self.field_mapping["mapping"][field] - parent = 'input_event' + parent = 'parent' i = 1 values = mapped_field.split('.') for val in values: - if parent == "input_event": - new_val = val + if parent == "parent": + parent = val + continue else: new_val = parent + '_' + val if new_val in parsed_fields: parent = new_val i = i + 1 continue - if i == len(values): - parser_str = '| eval ' + new_val + '' + '=ucast(map_get(' + parent + ',"' + val + '"), "string", null) ' - else: - parser_str = '| eval ' + new_val + '' + '=ucast(map_get(' + parent + ',"' + val + '"), "map", null) ' + parser_str = '| eval ' + new_val + ' = ' + parent + '.' + val + ' ' detection_str = detection_str + parser_str parsed_fields.append(new_val) parent = new_val 
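Review bot: In finalize_query_data_model the counter `i` is now dead — `i = 1` and `i = i + 1` survive although the `if i == len(values)` branch that used it was removed — and the `'parent'` sentinel is fragile: a mapped field whose first segment is literally `parent` would be re-rooted on the second segment. Taking `values[0]` as the root and iterating `values[1:]` removes both. The rewrite also drops the `ucast(..., "string", null)` coercion, so aliased fields keep their native type; whether the `| where` comparisons built from the Sigma rule still match is not visible here — confirm. Since `mapped_field` is spliced verbatim into the query, a guard such as `if not re.fullmatch(r"[A-Za-z0-9_.]+", mapped_field): raise ValueError(f"invalid field mapping: {mapped_field!r}")` would surface a malformed mapping at build time rather than as a broken search. The function starts and ends outside this hunk.
```python
        parsed_fields = []
        for field, mapped_field in self.field_mapping["mapping"].items():
            values = mapped_field.split('.')
            # first segment is the root object; only nested segments get an alias
            parent = values[0]
            for val in values[1:]:
                new_val = parent + '_' + val
                if new_val not in parsed_fields:
                    detection_str = detection_str + '| eval ' + new_val + ' = ' + parent + '.' + val + ' '
                    parsed_fields.append(new_val)
                parent = new_val
        # … unchanged: remainder of finalize_query_data_model …
```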
@@ -121,8 +118,6 @@ def finalize_query_data_model(self, rule: SigmaRule, query: str, index: int, sta detection_str = detection_str + "| where " + query detection_str = detection_str.replace("\\\\\\\\", "\\\\") - - return detection_str def finalize_output_data_model(self, queries: List[str]) -> List[str]: diff --git a/detections/application/okta_risk_threshold_exceeded.yml b/detections/application/okta_risk_threshold_exceeded.yml index b876009bad..25aaf112a1 100644 --- a/detections/application/okta_risk_threshold_exceeded.yml +++ b/detections/application/okta_risk_threshold_exceeded.yml @@ -8,9 +8,7 @@ type: Correlation description: The following correlation will take risk associated with the content from "Suspicious Okta Activity" and "Okta MFA Exhaustion" analytic stories and - tally it up. Once it hits the threshold of 100 (may be changed), it will trigger - an anomaly. As needed, reduce or raise the risk scores assocaited with the anomaly - and TTP analytics tagged to these two stories. + tally it up. Once it hits the threshold of 100 (can be changed), it will trigger an a notable. As needed, reduce or raise the risk scores assocaited with the anomaly and TTP analytics tagged to these two analytic stories. data_source: [] search: '| tstats `security_content_summariesonly` sum(All_Risk.calculated_risk_score) as risk_score, @@ -44,19 +42,13 @@ tags: asset_type: Infrastructure confidence: 80 impact: 70 - message: - Risk threshold exceeded for $risk_object_type$=$risk_object$ related to - Okta events. + message: Risk score $risk_score$ threshold exceeded for $risk_object$ related to Okta events. mitre_attack_id: - T1078 - T1110 observable: - name: risk_object - type: Other - role: - - Victim - - name: risk_object_type - type: Other + type: Hostname role: - Victim product: 
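Review bot: The rewritten description line reads "it will trigger an a notable" and keeps the misspelling "assocaited"; suggested wording: `tally it up. Once it hits the threshold of 100 (can be changed), it will trigger a notable. As needed, reduce or raise the risk scores associated with the anomaly and TTP analytics tagged to these two analytic stories.` The line is also folded into one very long string where the rest of the file wraps — consistent wrapping keeps future diffs readable.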
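Review bot: The `risk_object` observable is retyped from `Other` to `Hostname`, but in a risk-based correlation the risk object can be a user or a system — the removed `risk_object_type` observable existed for that reason. If the tstats (outside this hunk) still aggregates across both `All_Risk.risk_object_type` values, a user object will be attributed to a host; either keep `type: Other` or split the search per object type. The new message token `$risk_score$` does match the `as risk_score` alias visible in the context line.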
diff --git a/detections/application/splunk_csrf_in_the_ssg_kvstore_client_endpoint.yml b/detections/application/splunk_csrf_in_the_ssg_kvstore_client_endpoint.yml index 71ace02eea..b223e068ec 100644 --- a/detections/application/splunk_csrf_in_the_ssg_kvstore_client_endpoint.yml +++ b/detections/application/splunk_csrf_in_the_ssg_kvstore_client_endpoint.yml @@ -14,7 +14,7 @@ description: In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, a cr this vulnerability. data_source: [] search: '`splunkda` uri_path="/en-US/splunkd/__raw/services/ssg/kvstore_client" method="GET" - delete_field_value="spacebridge_server" status="200" | table splunk_server status + delete_field_value="spacebridge_server" status="200" | table splunk_server status uri delete_field_value method post_data | `splunk_csrf_in_the_ssg_kvstore_client_endpoint_filter`' how_to_implement: Requires access to internal index. known_false_positives: This hunting search only applies to the affected versions and @@ -31,7 +31,7 @@ tags: cve: - CVE-2023-22942 impact: 50 - message: Potential CSRF exploitation attempt from $host$ + message: Potential CSRF exploitation attempt from $splunk_server$ mitre_attack_id: - T1189 observable: diff --git a/detections/cloud/aws_excessive_security_scanning.yml b/detections/cloud/aws_excessive_security_scanning.yml index d1999abac3..f96acc5ba0 100644 --- a/detections/cloud/aws_excessive_security_scanning.yml +++ b/detections/cloud/aws_excessive_security_scanning.yml 
@@ -11,7 +11,7 @@ description: This search looks for AWS CloudTrail events and analyse the amount data_source: [] search: '`cloudtrail` eventName=Describe* OR eventName=List* OR eventName=Get* | stats dc(eventName) as dc_events min(_time) as firstTime max(_time) as lastTime - values(eventName) as eventName values(src) as src values(userAgent) as userAgent + values(eventName) as command values(src) as src values(userAgent) as userAgent by user userIdentity.arn | where dc_events > 50 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|`aws_excessive_security_scanning_filter`' how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This @@ -25,9 +25,7 @@ tags: asset_type: AWS Account confidence: 60 impact: 30 - message: user $user$ has excessive number of api calls $dc_events$ from these IP - addresses $src$, violating the threshold of 50, using the following commands - $command$. + message: User $user$ has excessive number of api calls $dc_events$ from these IP addresses $src$, violating the threshold of 50, using the following commands $command$. mitre_attack_id: - T1526 observable: @@ -38,7 +36,7 @@ tags: - name: user type: User role: - - Attacker + - Victim product: - Splunk Enterprise - Splunk Enterprise Security diff --git a/detections/cloud/aws_network_access_control_list_created_with_all_open_ports.yml b/detections/cloud/aws_network_access_control_list_created_with_all_open_ports.yml index 0f041aec08..bb0f5c051c 100644 --- a/detections/cloud/aws_network_access_control_list_created_with_all_open_ports.yml +++ b/detections/cloud/aws_network_access_control_list_created_with_all_open_ports.yml 
@@ -5,8 +5,7 @@ date: '2021-01-11' author: Bhavin Patel, Patrick Bareiss, Splunk status: production type: TTP -description: The search looks for AWS CloudTrail events to detect if any network ACLs - were created with all the ports open to a specified CIDR. +description: The search looks for AWS CloudTrail events to detect if any network ACLs were created with all the ports open to a specified CIDR. data_source: [] search: '`cloudtrail` eventName=CreateNetworkAclEntry OR eventName=ReplaceNetworkAclEntry requestParameters.ruleAction=allow requestParameters.egress=false requestParameters.aclProtocol=-1 @@ -14,7 +13,7 @@ search: '`cloudtrail` eventName=CreateNetworkAclEntry OR eventName=ReplaceNetwor requestParameters.ruleAction=allow requestParameters.egress=false requestParameters.aclProtocol!=-1 | eval port_range=''requestParameters.portRange.to'' - ''requestParameters.portRange.from'' | where port_range>1024] | fillnull | stats count min(_time) as firstTime max(_time) - as lastTime by userName userIdentity.principalId eventName requestParameters.ruleAction + as lastTime by userName user_arn userIdentity.principalId eventName requestParameters.ruleAction requestParameters.egress requestParameters.aclProtocol requestParameters.portRange.to requestParameters.portRange.from src userAgent requestParameters.cidrBlock | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `aws_network_access_control_list_created_with_all_open_ports_filter`' @@ -31,8 +30,7 @@ tags: asset_type: AWS Instance confidence: 80 impact: 60 - message: User $user_arn$ has created network ACLs with all the ports open to a specified - CIDR $requestParameters.cidrBlock$ + message: User $user_arn$ has created network ACLs with all the ports open to a specified CIDR $requestParameters.cidrBlock$ mitre_attack_id: - T1562.007 - T1562 
@@ -41,14 +39,10 @@ tags: type: IP Address role: - Attacker - - name: userName + - name: user_arn type: User role: - Victim - - name: requestParameters.cidrBlock - type: IP Address - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security diff --git a/detections/cloud/aws_setdefaultpolicyversion.yml b/detections/cloud/aws_setdefaultpolicyversion.yml index fb1a37ef96..7d84994f1a 100644 --- a/detections/cloud/aws_setdefaultpolicyversion.yml +++ b/detections/cloud/aws_setdefaultpolicyversion.yml @@ -30,7 +30,7 @@ tags: asset_type: AWS Account confidence: 60 impact: 50 - message: From IP address $sourceIPAddress$, user agent $userAgent$ has trigged an + message: From IP address $src$, user $user_arn$ has trigged an event $eventName$ for updating the the default policy version mitre_attack_id: - T1078.004 diff --git a/detections/cloud/aws_updateloginprofile.yml b/detections/cloud/aws_updateloginprofile.yml index 806ad3893f..31a0cb1a29 100644 --- a/detections/cloud/aws_updateloginprofile.yml +++ b/detections/cloud/aws_updateloginprofile.yml @@ -29,7 +29,7 @@ tags: asset_type: AWS Account confidence: 60 impact: 50 - message: From IP address $sourceIPAddress$, user agent $userAgent$ has trigged an + message: From IP address $src$, user agent $userAgent$ has trigged an event $eventName$ for updating the existing login profile, potentially giving user $user_arn$ more access privilleges mitre_attack_id: diff --git a/detections/cloud/azure_ad_user_enabled_and_password_reset.yml b/detections/cloud/azure_ad_user_enabled_and_password_reset.yml index 0ea877c255..2399b3bfef 100644 --- a/detections/cloud/azure_ad_user_enabled_and_password_reset.yml +++ b/detections/cloud/azure_ad_user_enabled_and_password_reset.yml 
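Review bot: The message now references `$src$` and `$user_arn$`, but the `search:` stanza is outside this hunk, so it is not visible that those fields are produced; a token that does not resolve is left literally in the risk message. Please confirm the search emits `src` and `user_arn` (or add the `rename`). The same check applies to the `$src$` change in aws_updateloginprofile, gcp_multiple_users_failing_to_authenticate_from_ip and gcp_unusual_number_of_failed_authentications_from_ip, to `$object$` in cloud_provisioning_activity_from_previously_unseen_city, and to `$src_user$`/`$action$` in o365_disable_mfa.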
@@ -14,8 +14,8 @@ search: ' `azuread` (operationName="Enable account" OR operationName="Reset pass OR operationName="Update user") | transaction properties.targetResources{}.userPrincipalName startsWith=(operationName="Enable account") endsWith=(operationName="Reset password (by admin)") maxspan=2m | rename properties.* as * | rename targetResources{}.userPrincipalName - as userPrincipalName | rename initiatedBy.user.userPrincipalName as initiatedBy - | stats values(operationName) values(initiatedBy) as initiatedBy by _time, userPrincipalName, + as user | rename initiatedBy.user.userPrincipalName as initiatedBy + | stats values(operationName) values(initiatedBy) as initiatedBy by _time, user, result | `azure_ad_user_enabled_and_password_reset_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). @@ -36,12 +36,12 @@ tags: mitre_attack_id: - T1098 observable: - - name: userPrincipalName - type: User Name + - name: user + type: User role: - Victim - name: initiatedBy - type: User Name + type: User role: - Attacker product: diff --git a/detections/cloud/cloud_provisioning_activity_from_previously_unseen_city.yml b/detections/cloud/cloud_provisioning_activity_from_previously_unseen_city.yml index ecfe277fb4..626e844cc3 100644 --- a/detections/cloud/cloud_provisioning_activity_from_previously_unseen_city.yml +++ b/detections/cloud/cloud_provisioning_activity_from_previously_unseen_city.yml @@ -46,7 +46,7 @@ tags: asset_type: AWS Instance confidence: 60 impact: 30 - message: User $user$ is starting or creating an instance $dest$ for the first time + message: User $user$ is starting or creating an instance $object$ for the first time in City $City$ from IP address $src$ mitre_attack_id: - T1078 @@ -54,7 +54,7 @@ tags: - name: user type: User role: - - Attacker + - Victim - name: src type: IP Address role: 
diff --git a/detections/cloud/gcp_multiple_users_failing_to_authenticate_from_ip.yml b/detections/cloud/gcp_multiple_users_failing_to_authenticate_from_ip.yml index 740f6c5ece..5670f96f0a 100644 --- a/detections/cloud/gcp_multiple_users_failing_to_authenticate_from_ip.yml +++ b/detections/cloud/gcp_multiple_users_failing_to_authenticate_from_ip.yml @@ -36,8 +36,7 @@ tags: asset_type: Google Cloud Platform tenant confidence: 90 impact: 60 - message: Multiple failed login attempts against users $tried_accounts$ seen from - $src_ip$ + message: Multiple failed login attempts against users $tried_accounts$ seen from $src$ mitre_attack_id: - T1586 - T1586.003 diff --git a/detections/cloud/gcp_unusual_number_of_failed_authentications_from_ip.yml b/detections/cloud/gcp_unusual_number_of_failed_authentications_from_ip.yml index 142571201b..df4609147b 100644 --- a/detections/cloud/gcp_unusual_number_of_failed_authentications_from_ip.yml +++ b/detections/cloud/gcp_unusual_number_of_failed_authentications_from_ip.yml @@ -44,7 +44,7 @@ tags: confidence: 90 impact: 60 message: Unusual number of failed console login attempts against users $tried_accounts$ - seen from $src_ip$ + seen from $src$ mitre_attack_id: - T1586 - T1586.003 diff --git a/detections/cloud/o365_add_app_role_assignment_grant_user.yml b/detections/cloud/o365_add_app_role_assignment_grant_user.yml index a2024a7d5e..217c60ab6d 100644 --- a/detections/cloud/o365_add_app_role_assignment_grant_user.yml +++ b/detections/cloud/o365_add_app_role_assignment_grant_user.yml 
@@ -11,7 +11,7 @@ description: This search is designed to detect the creation of a new Federation providing an additional layer of security for your environment. data_source: [] search: '`o365_management_activity` Workload=AzureActiveDirectory Operation="Add app role assignment grant to user." - | stats count min(_time) as firstTime max(_time) as lastTime values(Actor{}.ID) as Actor.ID values(Actor{}.Type) as Actor.Type by UserId dest ResultStatus + | stats count min(_time) as firstTime max(_time) as lastTime values(Actor{}.ID) as Actor.ID values(Actor{}.Type) as Actor.Type values(ModifiedProperties{}.Name) as modified_properties_name by user dest ResultStatus Operation | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_add_app_role_assignment_grant_user_filter`' @@ -30,16 +30,15 @@ tags: asset_type: Office 365 confidence: 60 impact: 30 - message: User $Actor.ID$ has created a new federation setting on $dest$ from IP - Address $ActorIpAddress$ + message: User $user$ has created a new federation setting $modified_properties_name$ on $dest$ mitre_attack_id: - T1136.003 - T1136 observable: - - name: UserId + - name: user type: User role: - - Attacker + - Victim - name: dest type: Endpoint role: diff --git a/detections/cloud/o365_disable_mfa.yml b/detections/cloud/o365_disable_mfa.yml index c01ae46697..72c712d7b2 100644 --- a/detections/cloud/o365_disable_mfa.yml +++ b/detections/cloud/o365_disable_mfa.yml @@ -25,8 +25,7 @@ tags: asset_type: Office 365 confidence: 80 impact: 80 - message: User $user$ has executed an operation $Operation$ for this destination - $dest$ + message: User $src_user$ has executed an operation $action$ for user $user$ mitre_attack_id: - T1556 observable: diff --git a/detections/cloud/o365_excessive_sso_logon_errors.yml b/detections/cloud/o365_excessive_sso_logon_errors.yml index 2df173c3d7..d31bcd99a4 100644 --- a/detections/cloud/o365_excessive_sso_logon_errors.yml 
+++ b/detections/cloud/o365_excessive_sso_logon_errors.yml @@ -6,10 +6,9 @@ author: Rod Soto, Splunk status: production type: Anomaly description: The following analytic detects accounts with high number of Single Sign ON (SSO) - logon errors. Excessive logon errors may indicate attempts to bruteforce of password - or single sign on token hijack or reuse. + logon errors. Excessive logon errors may indicate attempts to bruteforce of password or single sign on token hijack or reuse. data_source: [] -search: '`o365_management_activity` Workload=AzureActiveDirectory LogonError=*Sso* Operation=UserLoginFailed | stats count min(_time) as firstTime max(_time) as lastTime by user src_ip LogonError user_agent UserId Operation Workload authentication_method authentication_service| where count >= 5 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_excessive_sso_logon_errors_filter`' +search: '`o365_management_activity` Workload=AzureActiveDirectory LogonError=*Sso* Operation=UserLoginFailed | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by src_ip signature user_agent authentication_service action| where count >= 5 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_excessive_sso_logon_errors_filter`' how_to_implement: You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity known_false_positives: Logon errors may not be malicious in nature however it may @@ -23,8 +22,7 @@ tags: asset_type: Office 365 confidence: 80 impact: 80 - message: User $user$ has caused excessive number of SSO logon errors from $src_ip$ - using UserAgent $UserAgent$. + message: Excessive number of SSO logon errors from $src_ip$ using UserAgent $user_agent$. mitre_attack_id: - T1556 observable: 
diff --git a/detections/deprecated/detect_mimikatz_using_loaded_images.yml b/detections/deprecated/detect_mimikatz_using_loaded_images.yml index f7eb47d242..02d6963b9f 100644 --- a/detections/deprecated/detect_mimikatz_using_loaded_images.yml +++ b/detections/deprecated/detect_mimikatz_using_loaded_images.yml @@ -3,17 +3,15 @@ id: 29e307ba-40af-4ab2-91b2-3c6b392bbba0 version: 1 date: '2019-12-03' author: Patrick Bareiss, Splunk -status: production +status: deprecated type: TTP description: This search looks for reading loaded Images unique to credential dumping - with Mimikatz. Deprecated because mimikatz libraries changed and very noisy sysmon - Event Code. + with Mimikatz. Deprecated because mimikatz libraries changed and very noisy sysmon Event Code. data_source: - Sysmon Event ID 7 search: '`sysmon` EventCode=7 | stats values(ImageLoaded) as ImageLoaded values(ProcessId) - as ProcessId by Computer, Image | search ImageLoaded=*WinSCard.dll ImageLoaded=*cryptdll.dll - ImageLoaded=*hid.dll ImageLoaded=*samlib.dll ImageLoaded=*vaultcli.dll | rename - Computer as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` + as ProcessId by dest, Image | search ImageLoaded=*WinSCard.dll ImageLoaded=*cryptdll.dll + ImageLoaded=*hid.dll ImageLoaded=*samlib.dll ImageLoaded=*vaultcli.dll | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_mimikatz_using_loaded_images_filter`' how_to_implement: This search needs Sysmon Logs and a sysmon configuration, which includes EventCode 7 with powershell.exe. This search uses an input macro named @@ -40,7 +38,7 @@ tags: confidence: 80 impact: 80 message: A process, $Image$, has loaded $ImageLoaded$ that are typically related - to credential dumping on $Computer$. Review for further details. + to credential dumping on $dest$. Review for further details. mitre_attack_id: - T1003.001 - T1003 
@@ -49,18 +47,10 @@ tags: type: User role: - Victim - - name: Computer + - name: dest type: Hostname role: - Victim - - name: ImageLoaded - type: Process - role: - - Other - - name: Image - type: Process - role: - - Child Process product: - Splunk Enterprise - Splunk Enterprise Security @@ -70,7 +60,7 @@ tags: - EventCode - ImageLoaded - ProcessId - - Computer + - dest - Image risk_score: 64 security_domain: endpoint diff --git a/detections/deprecated/dump_lsass_via_procdump_rename.yml b/detections/deprecated/dump_lsass_via_procdump_rename.yml index 6820afd9da..fece52245f 100644 --- a/detections/deprecated/dump_lsass_via_procdump_rename.yml +++ b/detections/deprecated/dump_lsass_via_procdump_rename.yml @@ -17,8 +17,7 @@ description: 'Detect a renamed instance of procdump.exe dumping the lsass proces data_source: - Sysmon Event ID 1 search: '`sysmon` OriginalFileName=procdump process_name!=procdump*.exe EventID=1 - (CommandLine=*-ma* OR CommandLine=*-mm*) CommandLine=*lsass* | rename Computer as - dest | stats count min(_time) as firstTime max(_time) as lastTime by dest, parent_process_name, + (CommandLine=*-ma* OR CommandLine=*-mm*) CommandLine=*lsass* | stats count min(_time) as firstTime max(_time) as lastTime by dest, parent_process_name, process_name, OriginalFileName, CommandLine | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dump_lsass_via_procdump_rename_filter`' how_to_implement: To successfully implement this search you need to be ingesting information @@ -64,7 +63,7 @@ tags: - process_name - EventID - CommandLine - - Computer + - dest - parent_process_name risk_score: 80 security_domain: endpoint diff --git a/detections/deprecated/unsigned_image_loaded_by_lsass.yml b/detections/deprecated/unsigned_image_loaded_by_lsass.yml index ba81b78806..9651f6f1c8 100644 --- a/detections/deprecated/unsigned_image_loaded_by_lsass.yml +++ b/detections/deprecated/unsigned_image_loaded_by_lsass.yml 
@@ -10,8 +10,8 @@ description: This search detects loading of unsigned images by LSASS. Deprecated data_source: - Sysmon Event ID 7 search: '`sysmon` EventID=7 Image=*lsass.exe Signed=false | stats count min(_time) - as firstTime max(_time) as lastTime by Computer, Image, ImageLoaded, Signed, SHA1 - | rename Computer as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` + as firstTime max(_time) as lastTime by dest, Image, ImageLoaded, Signed, SHA1 + | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `unsigned_image_loaded_by_lsass_filter` ' how_to_implement: This search needs Sysmon Logs with a sysmon configuration, which includes EventCode 7 with lsass.exe. This search uses an input macro named `sysmon`. diff --git a/detections/endpoint/access_lsass_memory_for_dump_creation.yml b/detections/endpoint/access_lsass_memory_for_dump_creation.yml index e78f2ab86d..ddd92bf6a8 100644 --- a/detections/endpoint/access_lsass_memory_for_dump_creation.yml +++ b/detections/endpoint/access_lsass_memory_for_dump_creation.yml @@ -9,8 +9,8 @@ description: The following analytic is designed to detect potentially malicious data_source: - Sysmon Event ID 1 search: '`sysmon` EventCode=10 TargetImage=*lsass.exe CallTrace=*dbgcore.dll* OR CallTrace=*dbghelp.dll* - | stats count min(_time) as firstTime max(_time) as lastTime by Computer, TargetImage, - TargetProcessId, SourceImage, SourceProcessId | rename Computer as dest | `security_content_ctime(firstTime)`| + | stats count min(_time) as firstTime max(_time) as lastTime by dest, TargetImage, + TargetProcessId, SourceImage, SourceProcessId | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `access_lsass_memory_for_dump_creation_filter` ' how_to_implement: This search requires Sysmon Logs and a Sysmon configuration, which includes EventCode 10 for lsass.exe. This search uses an input macro named `sysmon`. 
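Review bot: The search line rewritten here filters `EventCode=10` (process access), while the `data_source` context two lines above still lists `Sysmon Event ID 1`; the hunk touches the search but leaves the mismatch in place. Suggested: `- Sysmon Event ID 10`. Dropping `| rename Computer as dest` presumes the `sysmon` sourcetype already aliases `dest`, as the other hunks in this diff assume — worth a one-line note in `how_to_implement` naming the add-on version that provides it.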
@@ -53,7 +53,7 @@ tags: - EventCode - TargetImage - CallTrace - - Computer + - dest - TargetProcessId - SourceImage - SourceProcessId diff --git a/detections/endpoint/adsisearcher_account_discovery.yml b/detections/endpoint/adsisearcher_account_discovery.yml index 778f857b56..85f50039f2 100644 --- a/detections/endpoint/adsisearcher_account_discovery.yml +++ b/detections/endpoint/adsisearcher_account_discovery.yml @@ -13,7 +13,7 @@ data_source: - Powershell 4104 search: '`powershell` EventCode=4104 ScriptBlockText = "*[adsisearcher]*" ScriptBlockText = "*objectcategory=user*" ScriptBlockText = "*.findAll()*" | stats count min(_time) - as firstTime max(_time) as lastTime by EventCode Computer ScriptBlockText UserID + as firstTime max(_time) as lastTime by EventCode Computer ScriptBlockText UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `adsisearcher_account_discovery_filter`' how_to_implement: The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or @@ -31,16 +31,16 @@ tags: asset_type: Endpoint confidence: 50 impact: 50 - message: powershell process having commandline $Message$ for user enumeration + message: Powershell process having commandline "AdsiSearcher" used for user enumeration on $dest$ mitre_attack_id: - T1087.002 - T1087 observable: - - name: Computer + - name: dest type: Hostname role: - Victim - - name: UserID + - name: user type: User role: - Victim diff --git a/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml b/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml index 72fac955c1..b41aa519dd 100644 --- a/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml +++ b/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml 
@@ -29,6 +29,7 @@ tags: - Prohibited Traffic Allowed or Protocol Mismatch - Windows Registry Abuse - Azorult + - NjRAT asset_type: Endpoint confidence: 50 impact: 50 diff --git a/detections/endpoint/allow_network_discovery_in_firewall.yml b/detections/endpoint/allow_network_discovery_in_firewall.yml index 8e199753be..3a4d4ca549 100644 --- a/detections/endpoint/allow_network_discovery_in_firewall.yml +++ b/detections/endpoint/allow_network_discovery_in_firewall.yml @@ -37,6 +37,7 @@ tags: - Ransomware - Revil Ransomware - BlackByte Ransomware + - NjRAT asset_type: Endpoint confidence: 50 impact: 50 diff --git a/detections/endpoint/cmd_carry_out_string_command_parameter.yml b/detections/endpoint/cmd_carry_out_string_command_parameter.yml index ca7074bc1e..9630cb7627 100644 --- a/detections/endpoint/cmd_carry_out_string_command_parameter.yml +++ b/detections/endpoint/cmd_carry_out_string_command_parameter.yml @@ -15,7 +15,7 @@ data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` AND Processes.process="* - /c *" by Processes.dest Processes.user Processes.parent_process Processes.process_name + /c *" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cmd_carry_out_string_command_parameter_filter`' 
@@ -50,14 +50,14 @@ tags: - Azorult - Data Destruction - Warzone RAT + - NjRAT asset_type: Endpoint automated_detection_testing: passed confidence: 50 cve: - CVE-2021-44228 impact: 60 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - on endpoint $dest$ by user $user$ attempting spawn a new process. + message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting spawn a new process. mitre_attack_id: - T1059.003 - T1059 diff --git a/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml b/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml index 693ad67b71..422d1da8a8 100644 --- a/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml +++ b/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml @@ -13,7 +13,7 @@ data_source: search: '`sysmon` EventCode=7 ImageLoaded IN ("*\\CMLUA.dll", "*\\CMSTPLUA.dll", "*\\CMLUAUTIL.dll") NOT(process_name IN("CMSTP.exe", "CMMGR32.exe")) NOT(Image IN("*\\windows\\*", "*\\program files*")) | stats count min(_time) as firstTime max(_time) as lastTime - by dest Image ImageLoaded process_name Computer EventCode Signed ProcessId | `security_content_ctime(firstTime)` + by dest Image ImageLoaded process_name EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cmlua_or_cmstplua_uac_bypass_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you @@ -49,7 +49,7 @@ tags: - Image - ImageLoaded - process_name - - Computer + - dest - EventCode - Signed - ProcessId diff --git a/detections/endpoint/cobalt_strike_named_pipes.yml b/detections/endpoint/cobalt_strike_named_pipes.yml index 5433cd8edb..df2eeb30af 100644 --- a/detections/endpoint/cobalt_strike_named_pipes.yml +++ b/detections/endpoint/cobalt_strike_named_pipes.yml 
@@ -22,8 +22,7 @@ data_source: search: '`sysmon` EventID=17 OR EventID=18 PipeName IN (\\msagent_*, \\DserNamePipe*, \\srvsvc_*, \\postex_*, \\status_*, \\MSSE-*, \\spoolss_*, \\win_svc*, \\ntsvcs*, \\winsock*, \\UIA_PIPE*) | stats count min(_time) as firstTime max(_time) as lastTime - by Computer, process_name, process_id process_path, PipeName | rename Computer as - dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + by dest, process_name, process_id process_path, PipeName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cobalt_strike_named_pipes_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your @@ -70,7 +69,7 @@ tags: - _time - EventID - PipeName - - Computer + - dest - process_name - process_path - process_id diff --git a/detections/endpoint/create_remote_thread_in_shell_application.yml b/detections/endpoint/create_remote_thread_in_shell_application.yml index ee0424a20e..ced72a63b5 100644 --- a/detections/endpoint/create_remote_thread_in_shell_application.yml +++ b/detections/endpoint/create_remote_thread_in_shell_application.yml @@ -13,7 +13,7 @@ data_source: - Sysmon Event ID 8 search: '`sysmon` EventCode=8 TargetImage IN ("*\\cmd.exe", "*\\powershell*") | stats count min(_time) as firstTime max(_time) as lastTime by TargetImage TargetProcessId - SourceProcessId EventCode StartAddress SourceImage Computer | `security_content_ctime(firstTime)` + SourceProcessId EventCode StartAddress SourceImage dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `create_remote_thread_in_shell_application_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your 
@@ -31,11 +31,11 @@ tags: confidence: 100 impact: 70 message: process $SourceImage$ create a remote thread to shell app process $TargetImage$ - in host $Computer$ + in host $dest$ mitre_attack_id: - T1055 observable: - - name: Computer + - name: dest type: Hostname role: - Victim @@ -55,7 +55,7 @@ tags: - SourceProcessId - StartAddress - EventCode - - Computer + - dest risk_score: 70 security_domain: endpoint tests: diff --git a/detections/endpoint/create_remote_thread_into_lsass.yml b/detections/endpoint/create_remote_thread_into_lsass.yml index 2e74c5ef1d..c6cfcfe66d 100644 --- a/detections/endpoint/create_remote_thread_into_lsass.yml +++ b/detections/endpoint/create_remote_thread_into_lsass.yml @@ -9,8 +9,7 @@ description: The following analytic developed to detect potential credential dum data_source: - Sysmon Event ID 8 search: '`sysmon` EventID=8 TargetImage=*lsass.exe | stats count min(_time) as firstTime - max(_time) as lastTime by Computer, EventCode, TargetImage, TargetProcessId | rename - Computer as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` + max(_time) as lastTime by dest, EventCode, TargetImage, TargetProcessId | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `create_remote_thread_into_lsass_filter`' how_to_implement: This search needs Sysmon Logs with a Sysmon configuration, which includes EventCode 8 with lsass.exe. This search uses an input macro named `sysmon`. @@ -50,7 +49,7 @@ tags: - _time - EventID - TargetImage - - Computer + - dest - EventCode - TargetImage - TargetProcessId diff --git a/detections/endpoint/creation_of_lsass_dump_with_taskmgr.yml b/detections/endpoint/creation_of_lsass_dump_with_taskmgr.yml index 528d4c9825..ae36aee297 100644 --- a/detections/endpoint/creation_of_lsass_dump_with_taskmgr.yml +++ b/detections/endpoint/creation_of_lsass_dump_with_taskmgr.yml 
@@ -13,8 +13,8 @@ description: Detect the hands on keyboard behavior of Windows Task Manager creat data_source: - Sysmon Event ID 1 search: '`sysmon` EventID=11 process_name=taskmgr.exe TargetFilename=*lsass*.dmp | - stats count min(_time) as firstTime max(_time) as lastTime by Computer, object_category, - process_name, TargetFilename | rename Computer as dest | `security_content_ctime(firstTime)` + stats count min(_time) as firstTime max(_time) as lastTime by dest, object_category, + process_name, TargetFilename | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `creation_of_lsass_dump_with_taskmgr_filter`' how_to_implement: This search requires Sysmon Logs and a Sysmon configuration, which includes EventCode 11 for detecting file create of lsass.dmp. This search uses an @@ -54,7 +54,7 @@ tags: - EventID - process_name - TargetFilename - - Computer + - dest - object_category risk_score: 80 security_domain: endpoint diff --git a/detections/endpoint/creation_of_shadow_copy.yml b/detections/endpoint/creation_of_shadow_copy.yml index cdb2792e49..e59dd0cab6 100644 --- a/detections/endpoint/creation_of_shadow_copy.yml +++ b/detections/endpoint/creation_of_shadow_copy.yml 
@@ -13,7 +13,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=vssadmin.exe Processes.process=*create* Processes.process=*shadow*) OR (Processes.process_name=wmic.exe Processes.process=*shadowcopy* Processes.process=*create*) by Processes.dest Processes.user - Processes.process_name Processes.process Processes.parent_process Processes.process_id + Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `creation_of_shadow_copy_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection diff --git a/detections/endpoint/detect_certify_with_powershell_script_block_logging.yml b/detections/endpoint/detect_certify_with_powershell_script_block_logging.yml index 82999f056a..a49a723f23 100644 --- a/detections/endpoint/detect_certify_with_powershell_script_block_logging.yml +++ b/detections/endpoint/detect_certify_with_powershell_script_block_logging.yml @@ -39,7 +39,7 @@ tags: role: - Victim - name: user - type: User Name + type: User role: - Victim - name: command diff --git a/detections/endpoint/detect_credential_dumping_through_lsass_access.yml b/detections/endpoint/detect_credential_dumping_through_lsass_access.yml index ffcf2e0b12..97b66f74b4 100644 --- a/detections/endpoint/detect_credential_dumping_through_lsass_access.yml +++ b/detections/endpoint/detect_credential_dumping_through_lsass_access.yml 
@@ -10,9 +10,8 @@ description: This search looks for reading lsass memory consistent with credenti data_source: - Sysmon Event ID 1 search: '`sysmon` EventCode=10 TargetImage=*lsass.exe (GrantedAccess=0x1010 OR GrantedAccess=0x1410) - | stats count min(_time) as firstTime max(_time) as lastTime by Computer, SourceImage, - SourceProcessId, TargetImage, TargetProcessId, EventCode, GrantedAccess | rename - Computer as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` + | stats count min(_time) as firstTime max(_time) as lastTime by dest, SourceImage, + SourceProcessId, TargetImage, TargetProcessId, EventCode, GrantedAccess | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_credential_dumping_through_lsass_access_filter` ' how_to_implement: This search needs Sysmon Logs and a sysmon configuration, which includes EventCode 10 with lsass.exe. This search uses an input macro named `sysmon`. @@ -32,7 +31,7 @@ tags: asset_type: Windows confidence: 100 impact: 80 - message: The $source_image$ has attempted access to read $TargetImage$ was identified + message: The $SourceImage$ has attempted access to read $TargetImage$ was identified on endpoint $dest$, this is indicative of credential dumping and should be investigated. mitre_attack_id: @@ -56,7 +55,7 @@ tags: - EventCode - TargetImage - GrantedAccess - - Computer + - dest - SourceImage - SourceProcessId - TargetImage diff --git a/detections/endpoint/detect_excessive_user_account_lockouts.yml b/detections/endpoint/detect_excessive_user_account_lockouts.yml index 3f9ba0a98d..2644b27abc 100644 --- a/detections/endpoint/detect_excessive_user_account_lockouts.yml +++ b/detections/endpoint/detect_excessive_user_account_lockouts.yml 
@@ -26,8 +26,7 @@ tags: asset_type: Windows confidence: 60 impact: 60 - message: Multiple accounts have been locked out. Review $nodename$ and $result$ - related to $user$. + message: Excessive user account lockouts for $user$ in a short period of time mitre_attack_id: - T1078 - T1078.003 @@ -36,10 +35,6 @@ tags: type: User role: - Victim - - name: result - type: Other - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security diff --git a/detections/endpoint/detect_html_help_renamed.yml b/detections/endpoint/detect_html_help_renamed.yml index 27efe7de4c..de16d4386f 100644 --- a/detections/endpoint/detect_html_help_renamed.yml +++ b/detections/endpoint/detect_html_help_renamed.yml @@ -46,8 +46,7 @@ tags: asset_type: Endpoint confidence: 100 impact: 80 - message: The following $process_name$ has been identified as renamed, spawning from - $parent_process_name$. + message: The following $process_name$ has been identified as renamed, spawning from $parent_process_name$ on $dest$ executed by $user$ mitre_attack_id: - T1218 - T1218.001 @@ -56,7 +55,7 @@ tags: type: User role: - Victim - - name: Computer + - name: dest type: Hostname role: - Victim diff --git a/detections/endpoint/detect_mshta_renamed.yml b/detections/endpoint/detect_mshta_renamed.yml index 29581ca7de..2765370da8 100644 --- a/detections/endpoint/detect_mshta_renamed.yml +++ b/detections/endpoint/detect_mshta_renamed.yml @@ -39,8 +39,7 @@ tags: asset_type: Endpoint confidence: 100 impact: 80 - message: The following $process_name$ has been identified as renamed, spawning from - $parent_process_name$. + message: The following $process_name$ has been identified as renamed, spawning from $parent_process_name$ on $dest$ executed by user $user$ mitre_attack_id: - T1218 - T1218.005 @@ -49,7 +48,7 @@ tags: type: User role: - Victim - - name: Computer + - name: dest type: Hostname role: - Victim 
diff --git a/detections/endpoint/detect_prohibited_applications_spawning_cmd_exe.yml b/detections/endpoint/detect_prohibited_applications_spawning_cmd_exe.yml index db557ac2ae..e5b50e6f9f 100644 --- a/detections/endpoint/detect_prohibited_applications_spawning_cmd_exe.yml +++ b/detections/endpoint/detect_prohibited_applications_spawning_cmd_exe.yml @@ -36,8 +36,7 @@ tags: asset_type: Endpoint confidence: 100 impact: 80 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - on endpoint $dest$ by user $user$ running prohibited applications. + message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ running prohibited applications. mitre_attack_id: - T1059 - T1059.003 @@ -46,7 +45,7 @@ tags: type: User role: - Victim - - name: Computer + - name: dest type: Hostname role: - Victim diff --git a/detections/endpoint/detect_regasm_with_network_connection.yml b/detections/endpoint/detect_regasm_with_network_connection.yml index 78b7249d1d..b681e2fe61 100644 --- a/detections/endpoint/detect_regasm_with_network_connection.yml +++ b/detections/endpoint/detect_regasm_with_network_connection.yml @@ -18,7 +18,7 @@ description: The following analytic identifies regasm.exe with a network connect data_source: - Sysmon Event ID 3 search: '`sysmon` EventID=3 dest_ip!=10.0.0.0/12 dest_ip!=172.16.0.0/12 dest_ip!=192.168.0.0/16 - process_name=regasm.exe | rename Computer as dest | stats count min(_time) as firstTime + process_name=regasm.exe | stats count min(_time) as firstTime max(_time) as lastTime by dest, user, process_name, src_ip, dest_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_regasm_with_network_connection_filter`' how_to_implement: To successfully implement this search, you need to be ingesting 
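Review bot: The new search line in detect_regasm_with_network_connection groups `by dest, user, process_name, src_ip, dest_ip` with the `rename Computer as dest` removed, so both `dest` and `user` must now come from the Sysmon event 3 data itself; if either field is absent the stats clause yields nothing, so confirm both are populated for this sourcetype. Separately, the unchanged first line of the same search excludes `dest_ip!=10.0.0.0/12`, which spans only 10.0.0.0–10.15.255.255; the private range is 10.0.0.0/8, so internal connections to 10.16.0.0 and above will be reported as remote destinations and inflate false positives. Both points apply equally to detect_regsvcs_with_network_connection, whose search is identical apart from the process name. The CIDR line is context in this hunk, so it would be a follow-up change to `dest_ip!=10.0.0.0/8`.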
@@ -40,7 +40,7 @@ tags: confidence: 100 impact: 80 message: An instance of $process_name$ contacting a remote destination was identified - on endpoint $Computer$ by user $user$. This behavior is not normal for $process_name$. + on endpoint $dest$ by user $user$. This behavior is not normal for $process_name$. mitre_attack_id: - T1218 - T1218.009 @@ -66,7 +66,7 @@ tags: - EventID - dest_ip - process_name - - Computer + - dest - user - src_ip - dest_host diff --git a/detections/endpoint/detect_regsvcs_with_network_connection.yml b/detections/endpoint/detect_regsvcs_with_network_connection.yml index 7bcae617d9..4bd8dc8242 100644 --- a/detections/endpoint/detect_regsvcs_with_network_connection.yml +++ b/detections/endpoint/detect_regsvcs_with_network_connection.yml @@ -18,7 +18,7 @@ description: The following analytic identifies Regsvcs.exe with a network connec data_source: - Sysmon Event ID 3 search: '`sysmon` EventID=3 dest_ip!=10.0.0.0/12 dest_ip!=172.16.0.0/12 dest_ip!=192.168.0.0/16 - process_name=regsvcs.exe | rename Computer as dest | stats count min(_time) as firstTime + process_name=regsvcs.exe | stats count min(_time) as firstTime max(_time) as lastTime by dest, user, process_name, src_ip, dest_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_regsvcs_with_network_connection_filter`' how_to_implement: To successfully implement this search, you need to be ingesting @@ -40,7 +40,7 @@ tags: confidence: 100 impact: 80 message: An instance of $process_name$ contacting a remote destination was identified - on endpoint $Computer$ by user $user$. This behavior is not normal for $process_name$. + on endpoint $dest$ by user $user$. This behavior is not normal for $process_name$. mitre_attack_id: - T1218 - T1218.009 @@ -66,7 +66,7 @@ tags: - EventID - dest_ip - process_name - - Computer + - dest - user - src_ip - dest_host 
diff --git a/detections/endpoint/detect_wmi_event_subscription_persistence.yml b/detections/endpoint/detect_wmi_event_subscription_persistence.yml index be4bbf3640..5a61bbb4e9 100644 --- a/detections/endpoint/detect_wmi_event_subscription_persistence.yml +++ b/detections/endpoint/detect_wmi_event_subscription_persistence.yml @@ -64,7 +64,7 @@ tags: required_fields: - _time - Destination - - Computer + - dest - User risk_score: 63 security_domain: endpoint diff --git a/detections/endpoint/disable_registry_tool.yml b/detections/endpoint/disable_registry_tool.yml index 92db5125fe..64d5484233 100644 --- a/detections/endpoint/disable_registry_tool.yml +++ b/detections/endpoint/disable_registry_tool.yml @@ -29,6 +29,7 @@ tags: analytic_story: - Windows Defense Evasion Tactics - Windows Registry Abuse + - NjRAT asset_type: Endpoint confidence: 100 impact: 40 diff --git a/detections/endpoint/disabling_cmd_application.yml b/detections/endpoint/disabling_cmd_application.yml index 817240a760..f76ee91f89 100644 --- a/detections/endpoint/disabling_cmd_application.yml +++ b/detections/endpoint/disabling_cmd_application.yml @@ -28,6 +28,7 @@ tags: analytic_story: - Windows Defense Evasion Tactics - Windows Registry Abuse + - NjRAT asset_type: Endpoint confidence: 50 impact: 50 diff --git a/detections/endpoint/disabling_systemrestore_in_registry.yml b/detections/endpoint/disabling_systemrestore_in_registry.yml index 82c83ff3ff..c54d46907b 100644 --- a/detections/endpoint/disabling_systemrestore_in_registry.yml +++ b/detections/endpoint/disabling_systemrestore_in_registry.yml @@ -31,6 +31,7 @@ tags: analytic_story: - Windows Defense Evasion Tactics - Windows Registry Abuse + - NjRAT asset_type: Endpoint confidence: 70 impact: 70 diff --git a/detections/endpoint/disabling_task_manager.yml b/detections/endpoint/disabling_task_manager.yml index f1fca5a4c6..19e51f98d7 100644 --- a/detections/endpoint/disabling_task_manager.yml +++ b/detections/endpoint/disabling_task_manager.yml 
@@ -29,6 +29,7 @@ tags: analytic_story: - Windows Defense Evasion Tactics - Windows Registry Abuse + - NjRAT asset_type: Endpoint confidence: 60 impact: 70 diff --git a/detections/endpoint/download_files_using_telegram.yml b/detections/endpoint/download_files_using_telegram.yml index 88ccd207af..cfa5cd9800 100644 --- a/detections/endpoint/download_files_using_telegram.yml +++ b/detections/endpoint/download_files_using_telegram.yml @@ -13,8 +13,8 @@ description: The following analytic will identify a suspicious download by the T data_source: - Sysmon Event ID 15 search: '`sysmon` EventCode= 15 process_name = "telegram.exe" TargetFilename = "*:Zone.Identifier" - |stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode - Image process_id TargetFilename Hash | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + |stats count min(_time) as firstTime max(_time) as lastTime by dest EventCode + process_name process_id TargetFilename Hash | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `download_files_using_telegram_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name and TargetFilename from your endpoints or Events that @@ -45,7 +45,7 @@ tags: - Splunk Cloud required_fields: - _time - - Computer + - dest - EventCode - Image - process_id diff --git a/detections/endpoint/drop_icedid_license_dat.yml b/detections/endpoint/drop_icedid_license_dat.yml index 660afbd740..4d12967262 100644 --- a/detections/endpoint/drop_icedid_license_dat.yml +++ b/detections/endpoint/drop_icedid_license_dat.yml 
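Review bot: In download_files_using_telegram the rewritten search groups `by dest EventCode process_name process_id TargetFilename Hash`, replacing `Image` with `process_name`, but the `required_fields` hunk in the same file keeps `- Image` and never lists `process_name`. The two lists should agree, otherwise the metadata no longer describes what the search needs; change the entry to `- process_name` (or keep both only if `Image` is still used somewhere this diff does not show).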
@@ -12,7 +12,7 @@ data_source: - Sysmon Event ID 11 search: '`sysmon` EventCode= 11 TargetFilename = "*\\license.dat" AND (TargetFilename="*\\appdata\\*" OR TargetFilename="*\\programdata\\*") |stats count min(_time) as firstTime max(_time) - as lastTime by TargetFilename EventCode process_id process_name Computer | `security_content_ctime(firstTime)` + as lastTime by TargetFilename EventCode process_id process_name dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_icedid_license_dat_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your @@ -27,16 +27,16 @@ tags: asset_type: Endpoint confidence: 90 impact: 70 - message: process $SourceImage$ create a file $TargetImage$ in host $Computer$ + message: A process $process_name$ created a file $TargetFilename$ on host $dest$ mitre_attack_id: - T1204 - T1204.002 observable: - - name: Computer + - name: dest type: Hostname role: - Victim - - name: SourceImage + - name: process_name type: Process role: - Attacker @@ -53,4 +53,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/simulated_icedid/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: xmlwineventlog \ No newline at end of file diff --git a/detections/endpoint/elevated_group_discovery_with_powerview.yml b/detections/endpoint/elevated_group_discovery_with_powerview.yml index 75ca964e34..2a5635e87c 100644 --- a/detections/endpoint/elevated_group_discovery_with_powerview.yml +++ b/detections/endpoint/elevated_group_discovery_with_powerview.yml 
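Review bot: The last hunk of drop_icedid_license_dat.yml changes `sourcetype: xmlwineventlog` only by dropping the file's trailing newline (`\ No newline at end of file`), which is noise in the history and will show up as a spurious diff the next time an editor restores it; restoring the newline keeps the hunk to the intended edits. Also worth checking that `$TargetFilename$` in the new message has a matching observable: the observable hunk shows `dest` and `process_name`, though the list may continue past the hunk boundary.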
@@ -17,7 +17,7 @@ data_source: search: '`powershell` EventCode=4104 (Message = "*Get-DomainGroupMember*") AND Message IN ("*Domain Admins*","*Enterprise Admins*", "*Schema Admins*", "*Account Operators*" , "*Server Operators*", "*Protected Users*", "*Dns Admins*") | stats count min(_time) - as firstTime max(_time) as lastTime by EventCode Message ComputerName User | `security_content_ctime(firstTime)` + as firstTime max(_time) as lastTime by EventCode Message ComputerName User | rename ComputerName as dest, User as user | `security_content_ctime(firstTime)` | `elevated_group_discovery_with_powerview_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here diff --git a/detections/endpoint/excessive_file_deletion_in_windefender_folder.yml b/detections/endpoint/excessive_file_deletion_in_windefender_folder.yml index c6482b97fe..11120b0e82 100644 --- a/detections/endpoint/excessive_file_deletion_in_windefender_folder.yml +++ b/detections/endpoint/excessive_file_deletion_in_windefender_folder.yml @@ -15,7 +15,7 @@ data_source: - Sysmon Event ID 23 search: '`sysmon` EventCode=23 TargetFilename = "*\\ProgramData\\Microsoft\\Windows Defender*" | stats values(TargetFilename) as deleted_files min(_time) as firstTime - max(_time) as lastTime count by user EventCode Image ProcessID Computer |where count + max(_time) as lastTime count by user EventCode Image ProcessID dest |where count >=50 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_file_deletion_in_windefender_folder_filter`' how_to_implement: To successfully implement this search, you need to be ingesting @@ -33,7 +33,7 @@ tags: asset_type: Endpoint confidence: 50 impact: 50 - message: High frequency file deletion activity detected on host $Computer$ + message: High frequency file deletion activity detected on host $dest$ mitre_attack_id: - T1485 observable: 
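Review bot: The new search line in elevated_group_discovery_with_powerview computes `max(_time) as lastTime` but the pipeline goes straight from `security_content_ctime(firstTime)` to the filter macro, so lastTime is never formatted, whereas every other search touched in this commit applies both macros. Append `| `security_content_ctime(lastTime)`` after the firstTime macro on the added line. Also, this search renames `ComputerName`/`User` while the sibling PowerShell 4104 searches in this commit rename `Computer`/`UserID`; if both field sets do not exist on the `powershell` sourcetype, one of them will produce an empty `dest`, so confirm against the actual events rather than assuming.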
@@ -41,7 +41,7 @@ tags: type: User role: - Victim - - name: Computer + - name: dest type: Endpoint role: - Victim @@ -57,7 +57,7 @@ tags: - _time - EventCode - TargetFilename - - Computer + - dest - user - Image - ProcessID diff --git a/detections/endpoint/excessive_usage_of_nslookup_app.yml b/detections/endpoint/excessive_usage_of_nslookup_app.yml index 41ab84599f..4680328347 100644 --- a/detections/endpoint/excessive_usage_of_nslookup_app.yml +++ b/detections/endpoint/excessive_usage_of_nslookup_app.yml @@ -14,8 +14,8 @@ description: This search is to detect potential DNS exfiltration using nslookup data_source: - Sysmon Event ID 1 search: '`sysmon` EventCode = 1 process_name = "nslookup.exe" | bucket _time span=1m - | stats count as numNsLookup by Computer, _time | eventstats avg(numNsLookup) as - avgNsLookup, stdev(numNsLookup) as stdNsLookup, count as numSlots by Computer | + | stats count as numNsLookup by dest, _time | eventstats avg(numNsLookup) as + avgNsLookup, stdev(numNsLookup) as stdNsLookup, count as numSlots by dest | eval upperThreshold=(avgNsLookup + stdNsLookup *3) | eval isOutlier=if(numNsLookup > 20 and numNsLookup >= upperThreshold, 1, 0) | search isOutlier=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_usage_of_nslookup_app_filter`' @@ -37,12 +37,12 @@ tags: asset_type: Endpoint confidence: 70 impact: 40 - message: Excessive usage of nslookup.exe has been detected on $Computer$. This detection + message: Excessive usage of nslookup.exe has been detected on $dest$. This detection is triggered as as it violates the dynamic threshold mitre_attack_id: - T1048 observable: - - name: Computer + - name: dest type: Endpoint role: - Victim @@ -52,7 +52,7 @@ tags: - Splunk Cloud required_fields: - _time - - Computer + - dest - process_name - EventCode risk_score: 28 
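Review bot: The renamed `dest` observable in excessive_file_deletion_in_windefender_folder keeps `type: Endpoint`, while the same `dest` observable is typed `Hostname` in the other files of this commit (for example detect_html_help_renamed and detect_regasm_with_network_connection), and the commit already normalises `User Name` to `User` in detect_certify_with_powershell_script_block_logging. The same `type: Endpoint` remains on the `dest` observables in excessive_usage_of_nslookup_app and excessive_usage_of_sc_service_utility. If `Hostname` is the intended vocabulary for host observables, these should read `type: Hostname` so downstream consumers treat every `dest` the same way.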
diff --git a/detections/endpoint/excessive_usage_of_sc_service_utility.yml b/detections/endpoint/excessive_usage_of_sc_service_utility.yml index fa530484ea..3de8764d66 100644 --- a/detections/endpoint/excessive_usage_of_sc_service_utility.yml +++ b/detections/endpoint/excessive_usage_of_sc_service_utility.yml @@ -12,8 +12,8 @@ description: This search is to detect a suspicious excessive usage of sc.exe in data_source: - Sysmon Event ID 1 search: '`sysmon` EventCode = 1 process_name = "sc.exe" | bucket _time span=15m | - stats values(process) as process count as numScExe by Computer, _time | eventstats - avg(numScExe) as avgScExe, stdev(numScExe) as stdScExe, count as numSlots by Computer + stats values(process) as process count as numScExe by dest, _time | eventstats + avg(numScExe) as avgScExe, stdev(numScExe) as stdScExe, count as numSlots by dest | eval upperThreshold=(avgScExe + stdScExe *3) | eval isOutlier=if(avgScExe > 5 and avgScExe >= upperThreshold, 1, 0) | search isOutlier=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_usage_of_sc_service_utility_filter`' @@ -37,7 +37,7 @@ tags: - T1569 - T1569.002 observable: - - name: Computer + - name: dest type: Endpoint role: - Victim diff --git a/detections/endpoint/excessive_usage_of_taskkill.yml b/detections/endpoint/excessive_usage_of_taskkill.yml index 8b25eaaaa0..ff0ec7f027 100644 --- a/detections/endpoint/excessive_usage_of_taskkill.yml +++ b/detections/endpoint/excessive_usage_of_taskkill.yml @@ -36,6 +36,7 @@ tags: - CISA AA22-264A - AgentTesla - CISA AA22-277A + - NjRAT asset_type: Endpoint confidence: 70 impact: 40 diff --git a/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml b/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml index cf58957157..5f81c219c1 100644 --- a/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml 
+++ b/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml @@ -62,6 +62,7 @@ tags: - Amadey - BlackByte Ransomware - Warzone RAT + - NjRAT asset_type: Endpoint confidence: 50 impact: 40 diff --git a/detections/endpoint/firewall_allowed_program_enable.yml b/detections/endpoint/firewall_allowed_program_enable.yml index f0751603bd..2b4ad06cff 100644 --- a/detections/endpoint/firewall_allowed_program_enable.yml +++ b/detections/endpoint/firewall_allowed_program_enable.yml @@ -38,6 +38,7 @@ tags: - Windows Defense Evasion Tactics - Azorult - BlackByte Ransomware + - NjRAT asset_type: Endpoint confidence: 50 impact: 50 diff --git a/detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell_script_block.yml b/detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell_script_block.yml index 91b8958f1d..85ecebbf31 100644 --- a/detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell_script_block.yml +++ b/detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell_script_block.yml @@ -14,7 +14,7 @@ data_source: - Powershell 4104 search: '`powershell` EventCode=4104 ScriptBlockText ="*Get-ADDefaultDomainPasswordPolicy*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText - Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_addefaultdomainpasswordpolicy_with_powershell_script_block_filter`' how_to_implement: The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or 
@@ -30,16 +30,15 @@ tags: asset_type: Endpoint confidence: 30 impact: 30 - message: powershell process having commandline $Message$ to query domain password - policy + message: Powershell process having commandline "Get-ADDefaultDomainPasswordPolicy" to query domain password policy on $dest$ mitre_attack_id: - T1201 observable: - - name: ComputerName + - name: dest type: Hostname role: - Victim - - name: User + - name: user type: User role: - Victim diff --git a/detections/endpoint/get_aduser_with_powershell_script_block.yml b/detections/endpoint/get_aduser_with_powershell_script_block.yml index 24b617bd7b..d9adbe1106 100644 --- a/detections/endpoint/get_aduser_with_powershell_script_block.yml +++ b/detections/endpoint/get_aduser_with_powershell_script_block.yml @@ -14,7 +14,7 @@ data_source: - Powershell 4104 search: '`powershell` EventCode=4104 ScriptBlockText = "*get-aduser*" ScriptBlockText = "*-filter*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode - ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + ScriptBlockText Computer UserID | rename Computer as dest, UserID as user| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_aduser_with_powershell_script_block_filter`' how_to_implement: The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or @@ -30,16 +30,16 @@ tags: asset_type: Endpoint confidence: 50 impact: 50 - message: powershell process having commandline $Message$ for user enumeration + message: Powershell process having commandline "get-aduser" for user enumeration on $dest$ mitre_attack_id: - T1087.002 - T1087 observable: - - name: ComputerName + - name: dest type: Hostname role: - Victim - - name: User + - name: user type: User role: - Victim 
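Review bot: The new messages on get_addefaultdomainpasswordpolicy_with_powershell_script_block.yml and get_aduser_with_powershell_script_block.yml name only `$dest$` even though both hunks add a `user` observable with role Victim and the search now renames `UserID as user`; the same applies to get_domainuser_with_powershell_script_block.yml on the next line. Appending `by $user$` to each message, as getcurrent_user_with_powershell_script_block.yml does in this commit, lets the notable show who ran the enumeration without opening the raw event. In get_aduser the `rename Computer as dest, UserID as user|` is missing the space before the pipe; `... UserID as user | ...` keeps it consistent with the other searches in this commit.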
diff --git a/detections/endpoint/get_domainuser_with_powershell_script_block.yml b/detections/endpoint/get_domainuser_with_powershell_script_block.yml index 0e2d6b7b33..23446ccfdc 100644 --- a/detections/endpoint/get_domainuser_with_powershell_script_block.yml +++ b/detections/endpoint/get_domainuser_with_powershell_script_block.yml @@ -14,7 +14,7 @@ data_source: - Powershell 4104 search: '`powershell` EventCode=4104 ScriptBlockText = "*Get-DomainUser*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText - Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + Computer UserID | rename Computer as dest, UserID as user| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_domainuser_with_powershell_script_block_filter`' how_to_implement: The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or @@ -28,16 +28,16 @@ tags: asset_type: Endpoint confidence: 50 impact: 50 - message: powershell process having commandline $Message$ for user enumeration + message: Powershell process having commandline "*Get-DomainUser*" for user enumeration on $dest$ mitre_attack_id: - T1087.002 - T1087 observable: - - name: Computer + - name: dest type: Hostname role: - Victim - - name: UserID + - name: user type: User role: - Victim diff --git a/detections/endpoint/get_wmiobject_group_discovery_with_script_block_logging.yml b/detections/endpoint/get_wmiobject_group_discovery_with_script_block_logging.yml index c964f3a42d..a7596529f1 100644 --- a/detections/endpoint/get_wmiobject_group_discovery_with_script_block_logging.yml +++ b/detections/endpoint/get_wmiobject_group_discovery_with_script_block_logging.yml 
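Review bot: The new message on get_domainuser_with_powershell_script_block.yml quotes `"*Get-DomainUser*"` with the wildcard characters copied from the search pattern, which reads as if the cmdlet name itself contained asterisks. The notable text should name the cmdlet only, `message: Powershell process having commandline "Get-DomainUser" for user enumeration on $dest$ by $user$`, matching the form used for get-aduser in the previous file.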
@@ -22,7 +22,7 @@ data_source: - Powershell 4104 search: '`powershell` EventCode=4104 ScriptBlockText = "*Get-WMIObject*" AND ScriptBlockText = "*Win32_Group*" | stats count min(_time) as firstTime max(_time) as lastTime by - EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` + EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_wmiobject_group_discovery_with_script_block_logging_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here diff --git a/detections/endpoint/getadgroup_with_powershell_script_block.yml b/detections/endpoint/getadgroup_with_powershell_script_block.yml index 1e1a3355aa..28fd99b2e3 100644 --- a/detections/endpoint/getadgroup_with_powershell_script_block.yml +++ b/detections/endpoint/getadgroup_with_powershell_script_block.yml @@ -13,8 +13,7 @@ description: The following analytic utilizes PowerShell Script Block Logging (Ev data_source: - Powershell 4104 search: '`powershell` EventCode=4104 ScriptBlockText = "*Get-ADGroup*" | stats count - min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer - user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getadgroup_with_powershell_script_block_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here @@ -47,8 +46,8 @@ tags: - _time - EventCode - Message - - ComputerName - - User + - Computer + - UserID risk_score: 15 security_domain: endpoint tests: 
diff --git a/detections/endpoint/getcurrent_user_with_powershell_script_block.yml b/detections/endpoint/getcurrent_user_with_powershell_script_block.yml index 3ecca28632..ddd5a9f185 100644 --- a/detections/endpoint/getcurrent_user_with_powershell_script_block.yml +++ b/detections/endpoint/getcurrent_user_with_powershell_script_block.yml @@ -14,7 +14,7 @@ data_source: - Powershell 4104 search: '`powershell` EventCode=4104 ScriptBlockText = "*[System.Security.Principal.WindowsIdentity]*" ScriptBlockText = "*GetCurrent()*" | stats count min(_time) as firstTime max(_time) as lastTime - by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` + by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getcurrent_user_with_powershell_script_block_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here @@ -30,7 +30,7 @@ tags: asset_type: Endpoint confidence: 50 impact: 30 - message: System user discovery on $dest$ + message: System user discovery on $dest$ by $user$ mitre_attack_id: - T1033 observable: diff --git a/detections/endpoint/high_process_termination_frequency.yml b/detections/endpoint/high_process_termination_frequency.yml index de642be9aa..355fd1457d 100644 --- a/detections/endpoint/high_process_termination_frequency.yml +++ b/detections/endpoint/high_process_termination_frequency.yml 
@@ -13,7 +13,7 @@ description: This analytic is designed to identify a high frequency of process t data_source: - Sysmon Event ID 5 search: '`sysmon` EventCode=5 |bin _time span=3s |stats values(Image) as proc_terminated - min(_time) as firstTime max(_time) as lastTime count by _time Computer EventCode + min(_time) as firstTime max(_time) as lastTime count by _time dest EventCode ProcessID | where count >= 15 | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `high_process_termination_frequency_filter`' how_to_implement: To successfully implement this search, you need to be ingesting @@ -32,11 +32,11 @@ tags: confidence: 80 impact: 90 message: High frequency process termination (more than 15 processes within 3s) detected - on host $Computer$ + on host $dest$ mitre_attack_id: - T1486 observable: - - name: Computer + - name: dest type: Endpoint role: - Victim @@ -51,7 +51,7 @@ tags: required_fields: - EventCode - Image - - Computer + - dest - _time - ProcessID risk_score: 72 diff --git a/detections/endpoint/icedid_exfiltrated_archived_file_creation.yml b/detections/endpoint/icedid_exfiltrated_archived_file_creation.yml index 71682a28b8..76074f6cc3 100644 --- a/detections/endpoint/icedid_exfiltrated_archived_file_creation.yml +++ b/detections/endpoint/icedid_exfiltrated_archived_file_creation.yml 
@@ -12,7 +12,7 @@ data_source: - Sysmon Event ID 11 search: '`sysmon` EventCode= 11 (TargetFilename = "*\\passff.tar" OR TargetFilename = "*\\cookie.tar") |stats count min(_time) as firstTime max(_time) as lastTime by - TargetFilename EventCode process_id process_name Computer | `security_content_ctime(firstTime)` + TargetFilename EventCode process_id process_name dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `icedid_exfiltrated_archived_file_creation_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your @@ -27,16 +27,16 @@ tags: asset_type: Endpoint confidence: 90 impact: 80 - message: process $SourceImage$ create a file $TargetImage$ in host $Computer$ + message: Process $process_name$ create a file $TargetImage$ on host $dest$ mitre_attack_id: - T1560.001 - T1560 observable: - - name: Computer + - name: dest type: Hostname role: - Victim - - name: SourceImage + - name: process_name type: Process role: - Attacker @@ -50,7 +50,7 @@ tags: - EventCode - process_id - process_name - - Computer + - dest risk_score: 72 security_domain: endpoint tests: @@ -58,4 +58,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/simulated_icedid/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: xmlwineventlog \ No newline at end of file diff --git a/detections/endpoint/kerberos_service_ticket_request_using_rc4_encryption.yml b/detections/endpoint/kerberos_service_ticket_request_using_rc4_encryption.yml index b5f72ec88e..e7f1ce59ed 100644 --- a/detections/endpoint/kerberos_service_ticket_request_using_rc4_encryption.yml +++ b/detections/endpoint/kerberos_service_ticket_request_using_rc4_encryption.yml 
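Review bot: The new message on icedid_exfiltrated_archived_file_creation.yml still references `$TargetImage$`, but the search's `stats ... by TargetFilename EventCode process_id process_name dest` never produces a `TargetImage` field, so that token stays unresolved in the notable. Use the field the search actually emits: `message: Process $process_name$ create a file $TargetFilename$ on host $dest$`. The commit fixes the `$SourceImage$` and `$Computer$` tokens in the same line, so this is the one stale reference left.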
@@ -44,8 +44,7 @@ tags: asset_type: Endpoint confidence: 50 impact: 90 - message: A Kerberos Service TTicket request with RC4 encryption was requested from - $Client_Address$ + message: A Kerberos Service TTicket request with RC4 encryption was requested from $dest$ mitre_attack_id: - T1558 - T1558.001 diff --git a/detections/endpoint/linux_account_manipulation_of_ssh_config_and_keys.yml b/detections/endpoint/linux_account_manipulation_of_ssh_config_and_keys.yml index f2f343371f..51b758c619 100644 --- a/detections/endpoint/linux_account_manipulation_of_ssh_config_and_keys.yml +++ b/detections/endpoint/linux_account_manipulation_of_ssh_config_and_keys.yml @@ -35,7 +35,7 @@ tags: asset_type: endpoint confidence: 70 impact: 70 - message: a $process_name$ deleting a SSH key in $dest$ + message: SSH Config and keys are deleted on $dest$ by Process GUID - $process_guid$ mitre_attack_id: - T1485 - T1070.004 @@ -45,6 +45,10 @@ tags: type: Hostname role: - Victim + - name: process_guid + type: Process + role: + - Attacker product: - Splunk Enterprise - Splunk Enterprise Security diff --git a/detections/endpoint/linux_deletion_of_cron_jobs.yml b/detections/endpoint/linux_deletion_of_cron_jobs.yml index 4e851873b7..e13e11495f 100644 --- a/detections/endpoint/linux_deletion_of_cron_jobs.yml +++ b/detections/endpoint/linux_deletion_of_cron_jobs.yml @@ -35,7 +35,7 @@ tags: asset_type: endpoint confidence: 70 impact: 70 - message: a $process_name$ deleting cron jobs in $dest$ + message: Linux cron jobs are deleted on host $dest$ by process GUID- $process_guid$ mitre_attack_id: - T1485 - T1070.004 @@ -45,6 +45,10 @@ tags: type: Hostname role: - Victim + - name: process_guid + type: Process + role: + - Attacker product: - Splunk Enterprise - Splunk Enterprise Security diff --git a/detections/endpoint/linux_deletion_of_init_daemon_script.yml b/detections/endpoint/linux_deletion_of_init_daemon_script.yml index 52b9b4bbaf..7c1ab2ee37 100644 
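Review bot: The `process_guid` observable added with role Attacker on linux_account_manipulation_of_ssh_config_and_keys.yml and linux_deletion_of_cron_jobs.yml (and in the init-daemon, services, ssl, boot and etc files that follow) is only useful if each search outputs `process_guid`; the searches are outside these hunks, so confirm the field is present in every `stats ... by` clause before relying on it in the message. The previous messages were keyed on `$process_name$`, which is the identifier an analyst can read at a glance, so keeping both, `by $process_name$ (GUID $process_guid$)`, loses nothing. The spacing also differs between files: `GUID - $process_guid$` in the ssh file versus `GUID- $process_guid$` in the cron file; pick one form.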
--- a/detections/endpoint/linux_deletion_of_init_daemon_script.yml +++ b/detections/endpoint/linux_deletion_of_init_daemon_script.yml @@ -37,7 +37,7 @@ tags: asset_type: endpoint confidence: 70 impact: 70 - message: a $process_name$ deleting a daemon script in $dest$ + message: Init daemon script deleted on host $dest$ by process GUID- $process_guid$ mitre_attack_id: - T1485 - T1070.004 @@ -47,6 +47,10 @@ tags: type: Hostname role: - Victim + - name: process_guid + type: Process + role: + - Attacker product: - Splunk Enterprise - Splunk Enterprise Security diff --git a/detections/endpoint/linux_deletion_of_services.yml b/detections/endpoint/linux_deletion_of_services.yml index e5254716b4..35b9511e79 100644 --- a/detections/endpoint/linux_deletion_of_services.yml +++ b/detections/endpoint/linux_deletion_of_services.yml @@ -39,7 +39,7 @@ tags: asset_type: endpoint confidence: 80 impact: 80 - message: a $process_name$ deleting a services in $dest$ + message: A services file $file_name$ deteted on host $dest$ by process GUID - $process_guid$ mitre_attack_id: - T1485 - T1070.004 @@ -49,6 +49,10 @@ tags: type: Hostname role: - Victim + - name: process_guid + type: Process + role: + - Attacker product: - Splunk Enterprise - Splunk Enterprise Security diff --git a/detections/endpoint/linux_deletion_of_ssl_certificate.yml b/detections/endpoint/linux_deletion_of_ssl_certificate.yml index e1b58f85e6..fd52a426e5 100644 --- a/detections/endpoint/linux_deletion_of_ssl_certificate.yml +++ b/detections/endpoint/linux_deletion_of_ssl_certificate.yml @@ -36,7 +36,7 @@ tags: asset_type: endpoint confidence: 70 impact: 70 - message: a $process_name$ deleting a SSL certificate in $dest$ + message: SSL certificate deleted on host $dest$ by process GUID- $process_guid$ mitre_attack_id: - T1485 - T1070.004 @@ -46,6 +46,10 @@ tags: type: Hostname role: - Victim + - name: process_guid + type: Process + role: + - Attacker product: - Splunk Enterprise - Splunk Enterprise Security 
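Review bot: The new message on linux_deletion_of_services.yml misspells "deleted" as `deteted`; the same kind of slip appears on the next line as `Multiple files detection in /boot/ folder` (should be "deleted") in linux_high_frequency_of_file_deletion_in_boot_folder.yml and `delted` in linux_high_frequency_of_file_deletion_in_etc_folder.yml. These strings are what an analyst sees in the risk notable, so they deserve a spell check before merge: `message: A services file $file_name$ deleted on host $dest$ by process GUID - $process_guid$`. The `$file_name$` token here also assumes the search emits `file_name`; the search is outside the hunk, so confirm it is in the `stats ... by` clause.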
diff --git a/detections/endpoint/linux_high_frequency_of_file_deletion_in_boot_folder.yml b/detections/endpoint/linux_high_frequency_of_file_deletion_in_boot_folder.yml index 7e520ee8e6..7f66749d45 100644 --- a/detections/endpoint/linux_high_frequency_of_file_deletion_in_boot_folder.yml +++ b/detections/endpoint/linux_high_frequency_of_file_deletion_in_boot_folder.yml @@ -36,7 +36,7 @@ tags: asset_type: endpoint confidence: 80 impact: 100 - message: a $process_name$ deleting multiple files in /boot/ folder in $dest$ + message: Multiple files detection in /boot/ folder on $dest$ by process GUID - $process_guid$ mitre_attack_id: - T1485 - T1070.004 @@ -46,6 +46,10 @@ tags: type: Hostname role: - Victim + - name: process_guid + type: Process + role: + - Attacker product: - Splunk Enterprise - Splunk Enterprise Security diff --git a/detections/endpoint/linux_high_frequency_of_file_deletion_in_etc_folder.yml b/detections/endpoint/linux_high_frequency_of_file_deletion_in_etc_folder.yml index 59eb6fc4dd..b8f38ac6c9 100644 --- a/detections/endpoint/linux_high_frequency_of_file_deletion_in_etc_folder.yml +++ b/detections/endpoint/linux_high_frequency_of_file_deletion_in_etc_folder.yml @@ -35,7 +35,7 @@ tags: asset_type: endpoint confidence: 70 impact: 70 - message: a $process_name$ deleting multiple files in /etc/ folder in $dest$ + message: Multiple files delted in /etc/ folder on $dest$ by process GUID - $process_guid$ mitre_attack_id: - T1485 - T1070.004 @@ -45,6 +45,10 @@ tags: type: Hostname role: - Victim + - name: process_guid + type: Process + role: + - Attacker product: - Splunk Enterprise - Splunk Enterprise Security diff --git a/detections/endpoint/loading_of_dynwrapx_module.yml b/detections/endpoint/loading_of_dynwrapx_module.yml index 4e640260e7..b067e89407 100644 --- a/detections/endpoint/loading_of_dynwrapx_module.yml +++ b/detections/endpoint/loading_of_dynwrapx_module.yml 
@@ -18,7 +18,7 @@ data_source: search: '`sysmon` EventCode=7 (ImageLoaded = "*\\dynwrapx.dll" OR OriginalFileName = "dynwrapx.dll" OR Product = "DynamicWrapperX") | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded OriginalFileName Product process_name - Computer EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + dest EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `loading_of_dynwrapx_module_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on processes that include the name of the process responsible for the changes from @@ -43,12 +43,12 @@ tags: asset_type: Endpoint confidence: 100 impact: 80 - message: dynwrapx.dll loaded by process $process_name$ on $Computer$ + message: dynwrapx.dll loaded by process $process_name$ on $dest$ mitre_attack_id: - T1055 - T1055.001 observable: - - name: Computer + - name: dest type: Endpoint role: - Victim @@ -63,7 +63,7 @@ tags: - OriginalFileName - Product - process_name - - Computer + - dest - EventCode - Signed - ProcessId diff --git a/detections/endpoint/modification_of_wallpaper.yml b/detections/endpoint/modification_of_wallpaper.yml index 08a4df62e2..01cfbce688 100644 --- a/detections/endpoint/modification_of_wallpaper.yml +++ b/detections/endpoint/modification_of_wallpaper.yml 
@@ -14,7 +14,7 @@ data_source: search: '`sysmon` EventCode =13 (TargetObject= "*\\Control Panel\\Desktop\\Wallpaper" AND Image != "*\\explorer.exe") OR (TargetObject= "*\\Control Panel\\Desktop\\Wallpaper" AND Details = "*\\temp\\*") | stats count min(_time) as firstTime max(_time) as - lastTime by EventCode Image TargetObject Details Computer process_guid process_id + lastTime by EventCode Image TargetObject Details Computer process_guid process_id user_id | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `modification_of_wallpaper_filter`' how_to_implement: To successfully implement this search, you need to be ingesting @@ -54,7 +54,7 @@ tags: - Image - TargetObject - Details - - Computer + - dest - process_guid - process_id - user_id diff --git a/detections/endpoint/ms_scripting_process_loading_ldap_module.yml b/detections/endpoint/ms_scripting_process_loading_ldap_module.yml index e54c641eff..0ca2331c06 100644 --- a/detections/endpoint/ms_scripting_process_loading_ldap_module.yml +++ b/detections/endpoint/ms_scripting_process_loading_ldap_module.yml @@ -54,7 +54,7 @@ tags: - process_name - ProcessId - ProcessGuid - - Computer + - dest - ImageLoaded risk_score: 9 security_domain: endpoint diff --git a/detections/endpoint/ms_scripting_process_loading_wmi_module.yml b/detections/endpoint/ms_scripting_process_loading_wmi_module.yml index 512917c0eb..f738be7129 100644 --- a/detections/endpoint/ms_scripting_process_loading_wmi_module.yml +++ b/detections/endpoint/ms_scripting_process_loading_wmi_module.yml @@ -55,7 +55,7 @@ tags: - process_name - ProcessId - ProcessGuid - - Computer + - dest - ImageLoaded risk_score: 9 security_domain: endpoint diff --git a/detections/endpoint/mshtml_module_load_in_office_product.yml b/detections/endpoint/mshtml_module_load_in_office_product.yml index d2cfe95ce0..9583ef9bec 100644 --- a/detections/endpoint/mshtml_module_load_in_office_product.yml 
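Review bot: On modification_of_wallpaper.yml the second hunk replaces `Computer` with `dest` in `required_fields`, but the search in the first hunk still groups by the raw `Computer` field and only renames it afterwards, so the raw field is what the data must provide; getadgroup_with_powershell_script_block.yml in this same commit correctly lists the raw `Computer`/`UserID` for the same situation. Either keep `- Computer` here, or drop the rename and group by `dest` as mshtml_module_load_in_office_product.yml now does. The same `required_fields` swap in ms_scripting_process_loading_ldap_module.yml and ms_scripting_process_loading_wmi_module.yml is made without the search visible in the hunk, so it is worth checking those searches were updated to match.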
+++ b/detections/endpoint/mshtml_module_load_in_office_product.yml @@ -14,8 +14,8 @@ data_source: - Sysmon Event ID 7 search: '`sysmon` EventID=7 parent_process_name IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe","wordpad.exe","wordview.exe","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe", "msaccess.exe","Graph.exe","winproj.exe") ImageLoaded IN ("*\\mshtml.dll", "*\\Microsoft.mshtml.dll","*\\IE.Interop.MSHTML.dll","*\\MshtmlDac.dll","*\\MshtmlDed.dll","*\\MshtmlDer.dll") - | stats count min(_time) as firstTime max(_time) as lastTime by Computer, process_name, - ImageLoaded, OriginalFileName, ProcessGuid | rename Computer as dest | `security_content_ctime(firstTime)` + | stats count min(_time) as firstTime max(_time) as lastTime by dest, process_name, + ImageLoaded, OriginalFileName, ProcessGuid | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `mshtml_module_load_in_office_product_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process names and image loads from your endpoints. If you are using diff --git a/detections/endpoint/msi_module_loaded_by_non_system_binary.yml b/detections/endpoint/msi_module_loaded_by_non_system_binary.yml index f8f2e94605..0cd85a1380 100644 --- a/detections/endpoint/msi_module_loaded_by_non_system_binary.yml +++ b/detections/endpoint/msi_module_loaded_by_non_system_binary.yml 
@@ -27,7 +27,7 @@ data_source: - Sysmon Event ID 7 search: '`sysmon` EventCode=7 ImageLoaded="*\\msi.dll" NOT (Image IN ("*\\System32\\*","*\\syswow64\\*","*\\windows\\*", "*\\winsxs\\*")) | stats count min(_time) as firstTime max(_time) as lastTime by - Image ImageLoaded process_name Computer EventCode ProcessId | `security_content_ctime(firstTime)` + Image ImageLoaded process_name dest EventCode ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `msi_module_loaded_by_non_system_binary_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you @@ -49,7 +49,7 @@ tags: - CVE-2021-41379 impact: 80 message: The following module $ImageLoaded$ was loaded by $Image$ outside of the - normal system paths on endpoint $Computer$, potentally related to DLL side-loading. + normal system paths on endpoint $dest$, potentally related to DLL side-loading. mitre_attack_id: - T1574.002 - T1574 @@ -67,7 +67,7 @@ tags: - Image - ImageLoaded - process_name - - Computer + - dest - EventCode - ProcessId risk_score: 56 diff --git a/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml b/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml index 0823d14c8f..f4632537f6 100644 --- a/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml +++ b/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml @@ -34,6 +34,7 @@ tags: - RedLine Stealer - FIN7 - Warzone RAT + - NjRAT asset_type: Endpoint confidence: 70 impact: 50 diff --git a/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml b/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml index 25dded39df..8eefc06bef 100644 --- a/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml +++ b/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml 
@@ -34,6 +34,8 @@ tags: - AgentTesla - RedLine Stealer - FIN7 + - Warzone RAT + - NjRAT asset_type: Endpoint confidence: 70 impact: 50 diff --git a/detections/endpoint/office_document_creating_schedule_task.yml b/detections/endpoint/office_document_creating_schedule_task.yml index 5ee8c40f84..e97db0098f 100644 --- a/detections/endpoint/office_document_creating_schedule_task.yml +++ b/detections/endpoint/office_document_creating_schedule_task.yml @@ -57,7 +57,7 @@ tags: required_fields: - ImageLoaded - AllImageLoaded - - Computer + - dest - EventCode - Image - process_name diff --git a/detections/endpoint/office_document_executing_macro_code.yml b/detections/endpoint/office_document_executing_macro_code.yml index 1af79666b3..f5ec5dec14 100644 --- a/detections/endpoint/office_document_executing_macro_code.yml +++ b/detections/endpoint/office_document_executing_macro_code.yml @@ -60,7 +60,7 @@ tags: required_fields: - ImageLoaded - AllImageLoaded - - Computer + - dest - EventCode - Image - process_name diff --git a/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml b/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml index f1bfcbf548..48d40271d2 100644 --- a/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml +++ b/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml @@ -44,6 +44,7 @@ tags: - AsyncRAT - Data Destruction - IcedID + - NjRAT confidence: 80 impact: 70 message: A suspicious powershell script contains base64 command in $ScriptBlockText$ diff --git a/detections/endpoint/powershell_remote_thread_to_known_windows_process.yml b/detections/endpoint/powershell_remote_thread_to_known_windows_process.yml index c7d6ed0e18..c09b5614d7 100644 --- a/detections/endpoint/powershell_remote_thread_to_known_windows_process.yml +++ b/detections/endpoint/powershell_remote_thread_to_known_windows_process.yml 
@@ -16,7 +16,7 @@ search: '`sysmon` EventCode = 8 parent_process_name IN ("powershell_ise.exe", "p TargetImage IN ("*\\svchost.exe","*\\csrss.exe" "*\\gpupdate.exe", "*\\explorer.exe","*\\services.exe","*\\winlogon.exe","*\\smss.exe","*\\wininit.exe","*\\userinit.exe","*\\spoolsv.exe","*\\taskhost.exe") | stats min(_time) as firstTime max(_time) as lastTime count by SourceImage process_name SourceProcessId SourceProcessGuid TargetImage TargetProcessId NewThreadId StartAddress - Computer EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + dest EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_remote_thread_to_known_windows_process_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, Create Remote thread from your endpoints. If you are @@ -32,11 +32,11 @@ tags: confidence: 90 impact: 70 message: A suspicious powershell process $process_name$ that tries to create a remote - thread on target process $TargetImage$ with eventcode $EventCode$ in host $Computer$ + thread on target process $TargetImage$ with eventcode $EventCode$ in host $dest$ mitre_attack_id: - T1055 observable: - - name: Computer + - name: dest type: Hostname role: - Victim @@ -58,7 +58,7 @@ tags: - TargetProcessId - NewThreadId - StartAddress - - Computer + - dest - EventCode risk_score: 63 security_domain: endpoint diff --git a/detections/endpoint/process_deleting_its_process_file_path.yml b/detections/endpoint/process_deleting_its_process_file_path.yml index 5600e1845b..97f37ae181 100644 --- a/detections/endpoint/process_deleting_its_process_file_path.yml +++ b/detections/endpoint/process_deleting_its_process_file_path.yml 
@@ -14,15 +14,19 @@ data_source: - Sysmon Event ID 1 search: '`sysmon` EventCode=1 CommandLine = "* /c *" CommandLine = "* del*" Image = "*\\cmd.exe" | eval result = if(like(process,"%".parent_process."%"), "Found", - "Not Found") | stats min(_time) as firstTime max(_time) as lastTime count by Computer + "Not Found") | stats min(_time) as firstTime max(_time) as lastTime count by dest user ParentImage ParentCommandLine Image CommandLine EventCode ProcessID result | where result = "Found" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `process_deleting_its_process_file_path_filter`' -how_to_implement: You must be ingesting data that records process activity from your - hosts to populate the Endpoint data model in the Processes node. You must also be - ingesting logs with both the process name and command line from your endpoints. - The command-line arguments are mapped to the "process" field in the Endpoint data - model. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://www.mandiant.com/resources/fin11-email-campaigns-precursor-for-ransomware-data-theft 
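Review bot: The rewritten `how_to_implement` on process_deleting_its_process_file_path.yml describes EDR telemetry mapped to the `Processes` node of the `Endpoint` data model, but the search in the same hunk runs directly on the `sysmon` macro with raw Sysmon EventCode=1 fields (`CommandLine`, `Image`, `ParentImage`, `ProcessID`) and never touches the data model. The old text made the same claim, but the new paragraph is the boilerplate used by the data-model analytics and will mislead anyone who onboards only CIM-normalized EDR data and finds the search returns nothing. Replace it with a statement of what this search really needs, for example `how_to_implement: To successfully implement this search, you need to be ingesting Sysmon Event ID 1 logs with the process name, parent process and full command line from your endpoints, via the sysmon macro.`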
@@ -38,11 +42,11 @@ tags: confidence: 100 impact: 60 message: A process $Image$ tries to delete its process path in commandline $CommandLine$ - as part of defense evasion in host $Computer$ + as part of defense evasion in host $dest$ mitre_attack_id: - T1070 observable: - - name: Computer + - name: dest type: Hostname role: - Victim @@ -56,7 +60,7 @@ tags: - Splunk Cloud required_fields: - EventCode - - Computer + - dest - user - ParentImage - ParentCommandLine diff --git a/detections/endpoint/ransomware_notes_bulk_creation.yml b/detections/endpoint/ransomware_notes_bulk_creation.yml index d55742e283..7902d5bc46 100644 --- a/detections/endpoint/ransomware_notes_bulk_creation.yml +++ b/detections/endpoint/ransomware_notes_bulk_creation.yml @@ -53,7 +53,7 @@ tags: - file_name - _time - TargetFilename - - Computer + - dest - Image - user risk_score: 81 diff --git a/detections/endpoint/registry_keys_used_for_persistence.yml b/detections/endpoint/registry_keys_used_for_persistence.yml index 8e119c4e3c..2b457ad733 100644 --- a/detections/endpoint/registry_keys_used_for_persistence.yml +++ b/detections/endpoint/registry_keys_used_for_persistence.yml @@ -69,6 +69,7 @@ tags: - Sneaky Active Directory Persistence Tricks - BlackByte Ransomware - Warzone RAT + - NjRAT asset_type: Endpoint confidence: 95 impact: 80 diff --git a/detections/endpoint/rubeus_kerberos_ticket_exports_through_winlogon_access.yml b/detections/endpoint/rubeus_kerberos_ticket_exports_through_winlogon_access.yml index 8c4641e56e..114c116a6d 100644 --- a/detections/endpoint/rubeus_kerberos_ticket_exports_through_winlogon_access.yml +++ b/detections/endpoint/rubeus_kerberos_ticket_exports_through_winlogon_access.yml 
@@ -21,8 +21,8 @@ search: ' `sysmon` EventCode=10 TargetImage=C:\\Windows\\system32\\winlogon.exe (SourceImage!=C:\\Windows\\system32\\svchost.exe AND SourceImage!=C:\\Windows\\system32\\lsass.exe AND SourceImage!=C:\\Windows\\system32\\LogonUI.exe AND SourceImage!=C:\\Windows\\system32\\smss.exe AND SourceImage!=C:\\Windows\\system32\\wbem\\wmiprvse.exe) | stats count min(_time) - as firstTime max(_time) as lastTime by Computer, SourceImage, SourceProcessId, TargetImage, - TargetProcessId, EventCode, GrantedAccess | rename Computer as dest | `security_content_ctime(firstTime)`| + as firstTime max(_time) as lastTime by dest, SourceImage, SourceProcessId, TargetImage, + TargetProcessId, EventCode, GrantedAccess | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `rubeus_kerberos_ticket_exports_through_winlogon_access_filter`' how_to_implement: This search needs Sysmon Logs and a sysmon configuration, which includes EventCode 10. This search uses an input macro named `sysmon`. We strongly @@ -63,7 +63,7 @@ tags: - EventCode - TargetImage - CallTrace - - Computer + - dest - TargetProcessId - SourceImage - SourceProcessId diff --git a/detections/endpoint/rundll32_create_remote_thread_to_a_process.yml b/detections/endpoint/rundll32_create_remote_thread_to_a_process.yml index cd6aab98e4..6c992802fd 100644 --- a/detections/endpoint/rundll32_create_remote_thread_to_a_process.yml +++ b/detections/endpoint/rundll32_create_remote_thread_to_a_process.yml 
@@ -13,7 +13,7 @@ data_source: - Sysmon Event ID 8 search: '`sysmon` EventCode=8 SourceImage = "*\\rundll32.exe" TargetImage = "*.exe" | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage - TargetProcessId SourceProcessId StartAddress EventCode Computer | `security_content_ctime(firstTime)` + TargetProcessId SourceProcessId StartAddress EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_create_remote_thread_to_a_process_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the SourceImage, TargetImage, and EventCode executions from your endpoints @@ -30,11 +30,11 @@ tags: confidence: 80 impact: 70 message: rundl32 process $SourceImage$ create a remote thread to process $TargetImage$ - in host $Computer$ + in host $dest$ mitre_attack_id: - T1055 observable: - - name: Computer + - name: dest type: Hostname role: - Victim @@ -54,7 +54,7 @@ tags: - SourceProcessId - StartAddress - EventCode - - Computer + - dest risk_score: 56 security_domain: endpoint tests: diff --git a/detections/endpoint/rundll32_createremotethread_in_browser.yml b/detections/endpoint/rundll32_createremotethread_in_browser.yml index f511192356..3365424c33 100644 --- a/detections/endpoint/rundll32_createremotethread_in_browser.yml +++ b/detections/endpoint/rundll32_createremotethread_in_browser.yml 
@@ -14,7 +14,7 @@ data_source: search: '`sysmon` EventCode=8 SourceImage = "*\\rundll32.exe" TargetImage IN ("*\\firefox.exe", "*\\chrome.exe", "*\\iexplore.exe","*\\microsoftedgecp.exe") | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage TargetProcessId SourceProcessId - StartAddress EventCode Computer | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + StartAddress EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_createremotethread_in_browser_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the SourceImage, TargetImage, and EventCode executions from your endpoints @@ -31,11 +31,11 @@ tags: confidence: 100 impact: 70 message: rundl32 process $SourceImage$ create a remote thread to browser process - $TargetImage$ in host $Computer$ + $TargetImage$ in host $dest$ mitre_attack_id: - T1055 observable: - - name: Computer + - name: dest type: Hostname role: - Victim @@ -55,7 +55,7 @@ tags: - SourceProcessId - StartAddress - EventCode - - Computer + - dest risk_score: 70 security_domain: endpoint tests: diff --git a/detections/endpoint/rundll32_dnsquery.yml b/detections/endpoint/rundll32_dnsquery.yml index 9ec4e915ef..f415b629d7 100644 --- a/detections/endpoint/rundll32_dnsquery.yml +++ b/detections/endpoint/rundll32_dnsquery.yml 
@@ -13,7 +13,7 @@ description: This search is to detect a suspicious rundll32.exe process having a data_source: - Sysmon Event ID 22 search: '`sysmon` EventCode=22 process_name="rundll32.exe" | stats count min(_time) - as firstTime max(_time) as lastTime by Image QueryName QueryStatus ProcessId Computer + as firstTime max(_time) as lastTime values(query) as query values(answer) as answer values(QueryResults) as query_results values(QueryStatus) as query_status by process_name process_guid Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_dnsquery_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name and eventcode = 22 dnsquery executions from your endpoints. @@ -30,12 +30,12 @@ tags: confidence: 80 impact: 70 message: rundll32 process $process_name$ having a dns query to $QueryName$ in host - $Computer$ + $dest$ mitre_attack_id: - T1218 - T1218.011 observable: - - name: Computer + - name: dest type: Hostname role: - Victim @@ -53,7 +53,7 @@ tags: - QueryName - QueryStatus - ProcessId - - Computer + - dest risk_score: 56 security_domain: endpoint tests: diff --git a/detections/endpoint/schcache_change_by_app_connect_and_create_adsi_object.yml b/detections/endpoint/schcache_change_by_app_connect_and_create_adsi_object.yml index e5ba6ac518..d9d8831f4a 100644 --- a/detections/endpoint/schcache_change_by_app_connect_and_create_adsi_object.yml +++ b/detections/endpoint/schcache_change_by_app_connect_and_create_adsi_object.yml 
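Review bot: The rewritten search in the first hunk no longer produces `QueryName`, `Image` or `ProcessId` (it groups by `process_name process_guid Computer` and aggregates `query`/`answer`/`QueryResults`/`QueryStatus`), yet the `message` in the second hunk still interpolates `$QueryName$` and `required_fields` in the third hunk still lists `QueryName`, `QueryStatus` and `ProcessId`, so the risk message will carry an unresolved token and the field list no longer describes what the search reads. Change the message to `message: rundll32 process $process_name$ having a dns query to $query$ in host $dest$` and replace the stale entries with `- query` and `- process_guid`, dropping `- ProcessId`. This search also keeps `Computer | rename Computer as dest` while most other hunks in this commit group on `dest` directly; both work if the add-on aliases Computer to dest, but one convention across the commit would be easier to maintain.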
@@ -19,7 +19,7 @@ data_source: search: '`sysmon` EventCode=11 TargetFilename = "*\\Windows\\SchCache\\*" TargetFilename = "*.sch*" NOT (Image IN ("*\\Windows\\system32\\mmc.exe")) |stats count min(_time) as firstTime max(_time) as lastTime by Image TargetFilename EventCode process_id process_name - Computer | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `schcache_change_by_app_connect_and_create_adsi_object_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your @@ -36,12 +36,12 @@ tags: asset_type: Endpoint confidence: 50 impact: 50 - message: process $Image$ create a file $TargetFilename$ in host $Computer$ + message: process $Image$ create a file $TargetFilename$ in host $dest$ mitre_attack_id: - T1087.002 - T1087 observable: - - name: Computer + - name: dest type: Hostname role: - Victim @@ -56,7 +56,7 @@ tags: - EventCode - process_id - process_name - - Computer + - dest risk_score: 25 security_domain: endpoint tests: diff --git a/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml b/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml index ce195e5cb0..9cac42368f 100644 --- a/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml +++ b/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml @@ -56,6 +56,7 @@ tags: - Azorult - Amadey - Scheduled Tasks + - NjRAT asset_type: Endpoint confidence: 80 impact: 70 diff --git a/detections/endpoint/spoolsv_suspicious_loaded_modules.yml b/detections/endpoint/spoolsv_suspicious_loaded_modules.yml index 9845b79633..3c0a06f885 100644 --- a/detections/endpoint/spoolsv_suspicious_loaded_modules.yml +++ b/detections/endpoint/spoolsv_suspicious_loaded_modules.yml 
@@ -46,7 +46,7 @@ tags: required_fields: - _time - Image - - Computer + - dest - EventCode - ImageLoaded risk_score: 72 diff --git a/detections/endpoint/spoolsv_suspicious_process_access.yml b/detections/endpoint/spoolsv_suspicious_process_access.yml index 7590a3d1eb..10abf4d645 100644 --- a/detections/endpoint/spoolsv_suspicious_process_access.yml +++ b/detections/endpoint/spoolsv_suspicious_process_access.yml @@ -14,7 +14,7 @@ data_source: - Sysmon Event ID 1 search: '`sysmon` EventCode=10 SourceImage = "*\\spoolsv.exe" CallTrace = "*\\Windows\\system32\\spool\\DRIVERS\\x64\\*" TargetImage IN ("*\\rundll32.exe", "*\\spoolsv.exe") GrantedAccess = 0x1fffff | - stats count min(_time) as firstTime max(_time) as lastTime by Computer SourceImage + stats count min(_time) as firstTime max(_time) as lastTime by dest SourceImage TargetImage GrantedAccess CallTrace EventCode ProcessID| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `spoolsv_suspicious_process_access_filter`' how_to_implement: To successfully implement this search, you need to be ingesting @@ -36,11 +36,11 @@ tags: - CVE-2021-34527 impact: 80 message: $SourceImage$ was GrantedAccess open access to $TargetImage$ on endpoint - $Computer$. This behavior is suspicious and related to PrintNightmare. + $dest$. This behavior is suspicious and related to PrintNightmare. mitre_attack_id: - T1068 observable: - - name: Computer + - name: dest type: Endpoint role: - Victim diff --git a/detections/endpoint/suspicious_driver_loaded_path.yml b/detections/endpoint/suspicious_driver_loaded_path.yml index a963f6ed94..a34fd82972 100644 --- a/detections/endpoint/suspicious_driver_loaded_path.yml +++ b/detections/endpoint/suspicious_driver_loaded_path.yml 
@@ -17,7 +17,7 @@ data_source: - Sysmon Event ID 6 search: '`sysmon` EventCode=6 ImageLoaded = "*.sys" NOT (ImageLoaded IN("*\\WINDOWS\\inf","*\\WINDOWS\\System32\\drivers\\*", "*\\WINDOWS\\System32\\DriverStore\\FileRepository\\*")) | stats min(_time) as - firstTime max(_time) as lastTime count by Computer ImageLoaded Hashes IMPHASH Signature + firstTime max(_time) as lastTime count by dest ImageLoaded Hashes IMPHASH Signature Signed | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_driver_loaded_path_filter`' how_to_implement: To successfully implement this search, you need to be ingesting @@ -37,12 +37,12 @@ tags: asset_type: Endpoint confidence: 90 impact: 70 - message: Suspicious driver $ImageLoaded$ on $Computer$ + message: Suspicious driver $ImageLoaded$ on $dest$ mitre_attack_id: - T1543.003 - T1543 observable: - - name: Computer + - name: dest type: Endpoint role: - Victim @@ -56,7 +56,7 @@ tags: - Splunk Cloud required_fields: - _time - - Computer + - dest - ImageLoaded - Hashes - IMPHASH diff --git a/detections/endpoint/suspicious_process_dns_query_known_abuse_web_services.yml b/detections/endpoint/suspicious_process_dns_query_known_abuse_web_services.yml index 22bea94be5..380824a0c5 100644 --- a/detections/endpoint/suspicious_process_dns_query_known_abuse_web_services.yml +++ b/detections/endpoint/suspicious_process_dns_query_known_abuse_web_services.yml 
@@ -17,7 +17,7 @@ data_source: search: '`sysmon` EventCode=22 QueryName IN ("*pastebin*", "*discord*", "*telegram*", "*t.me*") process_name IN ("cmd.exe", "*powershell*", "pwsh.exe", "wscript.exe", "cscript.exe") | stats count min(_time) as firstTime max(_time) as lastTime by Image - QueryName QueryStatus process_name QueryResults Computer | `security_content_ctime(firstTime)` + QueryName QueryStatus process_name QueryResults Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_process_dns_query_known_abuse_web_services_filter`' how_to_implement: This detection relies on sysmon logs with the Event ID 22, DNS Query. We suggest you run this detection at least once a day over the last 14 days. @@ -35,12 +35,12 @@ tags: asset_type: Endpoint confidence: 80 impact: 80 - message: suspicious process $process_name$ has a dns query in $QueryName$ on $Computer$ + message: suspicious process $process_name$ has a dns query in $QueryName$ on $dest$ mitre_attack_id: - T1059.005 - T1059 observable: - - name: Computer + - name: dest type: Hostname role: - Victim @@ -59,7 +59,7 @@ tags: - QueryStatus - process_name - QueryResults - - Computer + - dest risk_score: 64 security_domain: endpoint tests: diff --git a/detections/endpoint/suspicious_process_with_discord_dns_query.yml b/detections/endpoint/suspicious_process_with_discord_dns_query.yml index 8d88afd54f..e84f359f30 100644 --- a/detections/endpoint/suspicious_process_with_discord_dns_query.yml +++ b/detections/endpoint/suspicious_process_with_discord_dns_query.yml 
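Review bot: `required_fields` in the third hunk now says `dest`, but the search in the first hunk still consumes the raw `Computer` field and only renames it (`QueryResults Computer | rename Computer as dest`), so the list names a field the search never reads and omits the one it does. The same mismatch appears in the suspicious_process_with_discord_dns_query and wermgr_process_connecting_to_ip_check_web_services hunks (L63, L67), and the new windows_abused_web_services file does the reverse (renames, but lists `Computer`). Either drop the rename and write `QueryResults dest` like the other hunks in this commit, or keep `- Computer` in `required_fields` wherever the rename stays.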
@@ -15,7 +15,7 @@ data_source: search: '`sysmon` EventCode=22 QueryName IN ("*discord*") Image != "*\\AppData\\Local\\Discord\\*" AND Image != "*\\Program Files*" AND Image != "discord.exe" | stats count min(_time) as firstTime max(_time) as lastTime by Image QueryName QueryStatus process_name - QueryResults Computer | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + QueryResults Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_process_with_discord_dns_query_filter`' how_to_implement: his detection relies on sysmon logs with the Event ID 22, DNS Query. known_false_positives: Noise and false positive can be seen if the following instant @@ -32,12 +32,12 @@ tags: asset_type: Endpoint confidence: 80 impact: 80 - message: suspicious process $process_name$ has a dns query in $QueryName$ on $Computer$ + message: suspicious process $process_name$ has a dns query in $QueryName$ on $dest$ mitre_attack_id: - T1059.005 - T1059 observable: - - name: Computer + - name: dest type: Hostname role: - Victim @@ -56,7 +56,7 @@ tags: - QueryStatus - process_name - QueryResults - - Computer + - dest risk_score: 64 security_domain: endpoint tests: diff --git a/detections/endpoint/trickbot_named_pipe.yml b/detections/endpoint/trickbot_named_pipe.yml index cf1c1d7c39..3fb57b83c1 100644 --- a/detections/endpoint/trickbot_named_pipe.yml +++ b/detections/endpoint/trickbot_named_pipe.yml 
@@ -10,7 +10,7 @@ description: this search is to detect potential trickbot infection through the c c2 to post or get command during infection. data_source: [] search: '`sysmon` EventCode IN (17,18) PipeName="\\pipe\\*lacesomepipe" | stats min(_time) - as firstTime max(_time) as lastTime count by Computer user_id EventCode PipeName + as firstTime max(_time) as lastTime count by dest user_id EventCode PipeName signature Image process_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `trickbot_named_pipe_filter`' how_to_implement: To successfully implement this search, you need to be ingesting @@ -26,11 +26,11 @@ tags: asset_type: Endpoint confidence: 60 impact: 70 - message: Possible Trickbot namedpipe created on $Computer$ by $Image$ + message: Possible Trickbot namedpipe created on $dest$ by $Image$ mitre_attack_id: - T1055 observable: - - name: Computer + - name: dest type: Endpoint role: - Victim @@ -44,7 +44,7 @@ tags: - Splunk Cloud required_fields: - _time - - Computer + - dest - user_id - EventCode - PipeName diff --git a/detections/endpoint/uac_bypass_mmc_load_unsigned_dll.yml b/detections/endpoint/uac_bypass_mmc_load_unsigned_dll.yml index 1aec04f65d..89b57fb244 100644 --- a/detections/endpoint/uac_bypass_mmc_load_unsigned_dll.yml +++ b/detections/endpoint/uac_bypass_mmc_load_unsigned_dll.yml @@ -13,7 +13,7 @@ data_source: - Sysmon Event ID 7 search: '`sysmon` EventCode=7 ImageLoaded = "*.dll" Image = "*\\mmc.exe" Signed=false Company != "Microsoft Corporation" | stats count min(_time) as firstTime max(_time) - as lastTime by Image ImageLoaded Signed ProcessId OriginalFileName Computer EventCode + as lastTime by Image ImageLoaded Signed ProcessId OriginalFileName dest EventCode Company | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `uac_bypass_mmc_load_unsigned_dll_filter`' how_to_implement: To successfully implement this search, you need to be ingesting 
@@ -29,14 +29,14 @@ tags:
 asset_type: Endpoint
 confidence: 90
 impact: 70
- message: Suspicious unsigned $ImageLoaded$ loaded by $Image$ on endpoint $Computer$
+ message: Suspicious unsigned $ImageLoaded$ loaded by $Image$ on endpoint $dest$
 with EventCode $EventCode$
 mitre_attack_id:
 - T1548.002
 - T1548
 - T1218.014
 observable:
- - name: Computer
+ - name: dest
 type: Hostname
 role:
 - Victim
@@ -51,7 +51,7 @@ tags:
 - Signed
 - ProcessId
 - OriginalFileName
- - Computer
+ - dest
 - EventCode
 - Company
 risk_score: 63
diff --git a/detections/endpoint/uac_bypass_with_colorui_com_object.yml b/detections/endpoint/uac_bypass_with_colorui_com_object.yml
index 4dc76a4ded..f0eaf1cd60 100644
--- a/detections/endpoint/uac_bypass_with_colorui_com_object.yml
+++ b/detections/endpoint/uac_bypass_with_colorui_com_object.yml
@@ -10,7 +10,9 @@ description: This search is to detect a possible uac bypass using the colorui.dl
 where it make use of the colorui.dll COM CLSID to bypass UAC.
 data_source:
 - Sysmon Event ID 7
-search: '`sysmon` EventCode=7 ImageLoaded="*\\colorui.dll" process_name != "colorcpl.exe" NOT(Image IN("*\\windows\\*", "*\\program files*")) | stats count min(_time) as firstTime max(_time) as lastTime by dest parent_process_name process_name ImageLoaded signature_id signature Signed user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
+search: '`sysmon` EventCode=7 ImageLoaded="*\\colorui.dll" process_name != "colorcpl.exe"
+ NOT(Image IN("*\\windows\\*", "*\\program files*")) | stats count min(_time) as
+ firstTime max(_time) as lastTime by Image ImageLoaded process_name dest user_id EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
 | `uac_bypass_with_colorui_com_object_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting
 logs with the process name, parent process, and command-line executions from your
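Review bot: The rewritten colorui search in the `@@ -10,7 +10,9 @@` hunk groups on `user_id`, but the `required_fields` hunk at `@@ -49,7 +50,7 @@` (L66) lists `Image`, `ImageLoaded`, `process_name`, `dest`, `EventCode`, `Signed`, `ProcessId` and no `user_id`; unless it sits above that hunk's first context line, the list is incomplete. The new search also drops `parent_process_name`, `signature_id` and `signature` from the output, and the message rewritten in L66 now says only "loaded by a non-standard application", so the analyst loses the loader identity the old message exposed even though `Image` and `user_id` are still grouped on. `message: The following module $ImageLoaded$ was loaded by a non-standard application $Image$ on endpoint $dest$ by user $user_id$.` would keep that context at no cost.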
@@ -26,8 +28,7 @@ tags: asset_type: Endpoint confidence: 80 impact: 60 - message: The following module $ImageLoaded$ was loaded by a non-standard application $parent_process_name$ - on endpoint $dest$ by user $user_id$. + message: The following module $ImageLoaded$ was loaded by a non-standard application on endpoint $dest$. mitre_attack_id: - T1218 - T1218.003 @@ -49,7 +50,7 @@ tags: - Image - ImageLoaded - process_name - - Computer + - dest - EventCode - Signed - ProcessId diff --git a/detections/endpoint/wbemprox_com_object_execution.yml b/detections/endpoint/wbemprox_com_object_execution.yml index 11de816407..6d562984e2 100644 --- a/detections/endpoint/wbemprox_com_object_execution.yml +++ b/detections/endpoint/wbemprox_com_object_execution.yml @@ -17,7 +17,7 @@ data_source: search: '`sysmon` EventCode=7 ImageLoaded IN ("*\\fastprox.dll", "*\\wbemprox.dll", "*\\wbemcomn.dll") NOT (process_name IN ("wmiprvse.exe", "WmiApSrv.exe", "unsecapp.exe")) NOT(Image IN("*\\windows\\*","*\\program files*", "*\\wbem\\*")) | stats count min(_time) - as firstTime max(_time) as lastTime by Image ImageLoaded process_name Computer EventCode + as firstTime max(_time) as lastTime by Image ImageLoaded process_name dest EventCode Signed ProcessId Hashes IMPHASH | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wbemprox_com_object_execution_filter`' how_to_implement: To successfully implement this search, you need to be ingesting @@ -36,12 +36,12 @@ tags: asset_type: Endpoint confidence: 50 impact: 70 - message: Suspicious COM Object Execution on $Computer$ + message: Suspicious COM Object Execution on $dest$ mitre_attack_id: - T1218 - T1218.003 observable: - - name: Computer + - name: dest type: Endpoint role: - Victim @@ -54,7 +54,7 @@ tags: - Image - ImageLoaded - process_name - - Computer + - dest - EventCode - Signed - ProcessId 
diff --git a/detections/endpoint/wermgr_process_connecting_to_ip_check_web_services.yml b/detections/endpoint/wermgr_process_connecting_to_ip_check_web_services.yml index 4dfd50a168..68189b7f21 100644 --- a/detections/endpoint/wermgr_process_connecting_to_ip_check_web_services.yml +++ b/detections/endpoint/wermgr_process_connecting_to_ip_check_web_services.yml @@ -19,7 +19,7 @@ search: '`sysmon` EventCode =22 process_name = wermgr.exe QueryName IN ("*wtfism "*ip.anysrc.com","*api.ip.sb", "ident.me", "www.myexternalip.com", "*zen.spamhaus.org", "*cbl.abuseat.org", "*b.barracudacentral.org","*dnsbl-1.uceprotect.net", "*spam.dnsbl.sorbs.net") | stats min(_time) as firstTime max(_time) as lastTime count by Image process_name - ProcessId QueryName QueryStatus QueryResults Computer EventCode | rename Computer as dest| `security_content_ctime(firstTime)` + ProcessId QueryName QueryStatus QueryResults EventCode Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wermgr_process_connecting_to_ip_check_web_services_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, dns query name process path , and query ststus from @@ -56,7 +56,7 @@ tags: - QueryName - QueryStatus - QueryResults - - Computer + - dest - EventCode risk_score: 56 security_domain: endpoint diff --git a/detections/endpoint/windows_abused_web_services.yml b/detections/endpoint/windows_abused_web_services.yml new file mode 100644 index 0000000000..e3578a6827 --- /dev/null +++ b/detections/endpoint/windows_abused_web_services.yml 
@@ -0,0 +1,67 @@
+name: Windows Abused Web Services
+id: 01f0aef4-8591-4daa-a53d-0ed49823b681
+version: 1
+date: '2023-09-20'
+author: Teoderick Contreras, Splunk
+status: production
+type: TTP
+data_source:
+- Sysmon Event ID 22
+description: This analytic detects a suspicious process making a DNS query via known,
+ abused text-paste web services, VoIP, internet via secure tunneling,instant messaging, and digital distribution
+ platforms used to download external files. This technique is abused by adversaries,
+ malware actors, and red teams to download a malicious file on the target host. This
+ is a good TTP indicator for possible initial access techniques. A user will experience
+ false positives if the following instant messaging is allowed or common applications
+ like telegram or discord are allowed in the corporate network.
+search: '`sysmon` EventCode=22 QueryName IN ("*pastebin*",""*textbin*"", "*ngrok.io*", "*discord*", "*duckdns.org*", "*pasteio.com*")
+ | stats count min(_time) as firstTime max(_time) as lastTime by Image QueryName QueryStatus process_name QueryResults Computer
+ | rename Computer as dest
+ | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`
+ | `windows_abused_web_services_filter`'
+how_to_implement: This detection relies on sysmon logs with the Event ID 22, DNS Query.
+ We suggest you run this detection at least once a day over the last 14 days.
+known_false_positives: Noise and false positive can be seen if the following instant
+ messaging is allowed to use within corporate network. In this case, a filter is
+ needed.
+references:
+- https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat
+tags:
+ analytic_story:
+ - NjRAT
+ asset_type: Endpoint
+ confidence: 60
+ impact: 60
+ message: a network connection on known abused web services from $dest$
+ mitre_attack_id:
+ - T1102
+ observable:
+ - name: dest
+ type: Hostname
+ role:
+ - Victim
+ - name: process_name
+ type: Process
+ role:
+ - Attacker
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ risk_score: 36
+ required_fields:
+ - _time
+ - Image
+ - QueryName
+ - QueryStatus
+ - process_name
+ - QueryResults
+ - Computer
+ security_domain: endpoint
+tests:
+- name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1102/njrat_ngrok_connection/ngrok.log
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ sourcetype: xmlwineventlog
diff --git a/detections/endpoint/windows_access_token_manipulation_winlogon_duplicate_token_handle.yml b/detections/endpoint/windows_access_token_manipulation_winlogon_duplicate_token_handle.yml
index ceb1eae9e5..0dc5d5feb3 100644
--- a/detections/endpoint/windows_access_token_manipulation_winlogon_duplicate_token_handle.yml
+++ b/detections/endpoint/windows_access_token_manipulation_winlogon_duplicate_token_handle.yml
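Review bot: The `QueryName IN (...)` list in the new search contains `""*textbin*""` with doubled quotes on both sides, which is not a quoted string: SPL would see an empty string, a bare `*textbin*` token and another empty string, so that entry either fails to parse or never matches the intended domains. It should read `"*textbin*"` like the neighbouring entries. Separately, `required_fields` lists `Computer` while the search renames it to `dest` and the observable is `dest`; the other DNS-query detections touched in this commit changed their lists to `dest`, so this file should follow whichever convention the commit settles on. The `message` also names neither the process nor the queried domain although `process_name` and `QueryName` are in the stats output; `message: $process_name$ on $dest$ queried a known abused web service $QueryName$` would give the analyst something to pivot on, and the description is missing a space in "tunneling,instant messaging".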
@@ -14,7 +14,7 @@ data_source: search: '`sysmon` EventCode=10 TargetImage IN("*\\system32\\winlogon.exe*", "*\\SysWOW64\\winlogon.exe*") GrantedAccess = 0x1040 | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage SourceProcessGUID TargetProcessGUID SourceProcessId TargetProcessId - GrantedAccess CallTrace Computer user_id | `security_content_ctime(firstTime)` | + GrantedAccess CallTrace dest user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_access_token_manipulation_winlogon_duplicate_token_handle_filter`' how_to_implement: To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model @@ -32,12 +32,12 @@ tags: confidence: 60 impact: 60 message: A process $SourceImage$ is duplicating the handle token of winlogon.exe - in $Computer$ + in $dest$ mitre_attack_id: - T1134.001 - T1134 observable: - - name: Computer + - name: dest type: Endpoint role: - Victim @@ -59,7 +59,7 @@ tags: - TargetProcessId - GrantedAccess - CallTrace - - Computer + - dest - user_id risk_score: 36 security_domain: endpoint diff --git a/detections/endpoint/windows_access_token_winlogon_duplicate_handle_in_uncommon_path.yml b/detections/endpoint/windows_access_token_winlogon_duplicate_handle_in_uncommon_path.yml index b887c208bb..75429564cc 100644 --- a/detections/endpoint/windows_access_token_winlogon_duplicate_handle_in_uncommon_path.yml +++ b/detections/endpoint/windows_access_token_winlogon_duplicate_handle_in_uncommon_path.yml @@ -62,7 +62,7 @@ tags: - TargetProcessId - GrantedAccess - CallTrace - - Computer + - dest - user_id risk_score: 49 security_domain: endpoint diff --git a/detections/endpoint/windows_admin_permission_discovery.yml b/detections/endpoint/windows_admin_permission_discovery.yml new file mode 100644 index 0000000000..c333138174 --- /dev/null +++ b/detections/endpoint/windows_admin_permission_discovery.yml 
@@ -0,0 +1,74 @@
+name: Windows Admin Permission Discovery
+id: e08620cb-9488-4052-832d-97bcc0afd414
+version: 1
+date: '2023-09-19'
+author: Teoderick Contreras, Splunk
+status: production
+type: Anomaly
+data_source:
+- Sysmon EventID 11
+description: This analytic is developed to identify suspicious file creation in the root drive (C:\).
+ This tactic was observed in NjRAT as a means to ascertain whether its malware instance running on
+ the compromised host possesses administrative privileges.
+ The methodology involves an attempt to create a 'win.dat' file in the C:\ directory.
+ If this file is successfully created, it serves as an indicator that the process indeed holds administrative privileges.
+ This anomaly detection mechanism serves as a valuable pivot point for detecting NjRAT and other malware strains employing
+ similar techniques to assess the privileges of their running malware instances, without using token privilege API calls or PowerShell commandlets.
+search: '|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem
+ where Filesystem.file_name IN ("*.exe", "*.dll", "*.sys", "*.com", "*.vbs", "*.vbe", "*.js", "*.bat", "*.cmd", "*.pif", "*.lnk", "*.dat")
+ by Filesystem.dest Filesystem.file_create_time Filesystem.process_id Filesystem.process_guiid Filesystem.file_name Filesystem.file_path Filesystem.user
+ | `drop_dm_object_name(Filesystem)`
+ | eval dropped_file_path = split(file_path, "\\")
+ | eval dropped_file_path_split_count = mvcount(dropped_file_path)
+ | eval root_drive = mvindex(dropped_file_path,0) | where LIKE(root_drive, "C:") AND dropped_file_path_split_count = 2
+ | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`
+ | `windows_admin_permission_discovery_filter`'
+how_to_implement: To successfully implement this search you need to be ingesting information on process that
+ include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.
+known_false_positives: administrator is capable of dropping files in root C drive.
+references:
+- https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat
+tags:
+ analytic_story:
+ - NjRAT
+ asset_type: Endpoint
+ confidence: 50
+ impact: 50
+ message: A file was created in root drive C:/ on host - $dest$
+ mitre_attack_id:
+ - T1069.001
+ observable:
+ - name: user
+ type: User
+ role:
+ - Victim
+ - name: process_id
+ type: Process
+ role:
+ - Attacker
+ - name: file_name
+ type: File Name
+ role:
+ - Other
+ - Attacker
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ risk_score: 25
+ required_fields:
+ - _time
+ - Filesystem.file_path
+ - Filesystem.file_create_time
+ - Filesystem.process_id
+ - Filesystem.file_name
+ - Filesystem.user
+ security_domain: endpoint
+tests:
+- name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.001/njrat_admin_check/win_dat.log
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ sourcetype: xmlwineventlog
+ update_timestamp: true
diff --git a/detections/endpoint/windows_app_layer_protocol_qakbot_namedpipe.yml b/detections/endpoint/windows_app_layer_protocol_qakbot_namedpipe.yml
index df67f7c8cf..da712fb072 100644
--- a/detections/endpoint/windows_app_layer_protocol_qakbot_namedpipe.yml
+++ b/detections/endpoint/windows_app_layer_protocol_qakbot_namedpipe.yml
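Review bot: The tstats `by` clause in the new search references `Filesystem.process_guiid`, which looks like a typo for `Filesystem.process_guid` (verify the field name against the Endpoint.Filesystem data model in use); a field the data model does not define either errors or yields an empty column, and because it is a grouping key it affects every result row. `required_fields` also omits `Filesystem.dest`, which the `by` clause reads and the `message` (`$dest$`) depends on, as well as the process GUID field. `LIKE(root_drive, "C:")` without a wildcard is a plain equality test, so `root_drive="C:"` says the same thing more clearly. The description singles out `win.dat`, but the `file_name IN (...)` filter covers a broad extension list at `C:\`; that is fine for an Anomaly, though `known_false_positives` should say that installers and admin scripts regularly drop such files there.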
@@ -18,7 +18,7 @@ search: '`sysmon` EventCode IN (17, 18) EventType IN ( "CreatePipe", "ConnectPip "*\\wermgr.exe", "*\\ping.exe", "*\\OneDriveSetup.exe", "*\\dxdiag.exe", "*\\mobsync.exe", "*\\msra.exe", "*\\xwizard.exe") | regex PipeName="^\\\{[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{8}" | stats min(_time) as firstTime max(_time) as lastTime count by Image EventType - ProcessGuid ProcessId PipeName SecurityID EventCode Computer UserID | `security_content_ctime(firstTime)` + ProcessGuid ProcessId PipeName SecurityID EventCode dest UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_app_layer_protocol_qakbot_namedpipe_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, pipename, processguid and named pipe event type from @@ -35,11 +35,11 @@ tags: asset_type: Endpoint confidence: 70 impact: 70 - message: $Image$ is creating or connecting to a named pipe $PipeName$ in $Computer$ + message: $Image$ is creating or connecting to a named pipe $PipeName$ in $dest$ mitre_attack_id: - T1071 observable: - - name: Computer + - name: dest type: Endpoint role: - Victim @@ -54,7 +54,7 @@ tags: - ProcessGuid - ProcessId - PipeName - - Computer + - dest - UserID - SecurityID risk_score: 49 diff --git a/detections/endpoint/windows_app_layer_protocol_wermgr_connect_to_namedpipe.yml b/detections/endpoint/windows_app_layer_protocol_wermgr_connect_to_namedpipe.yml index a222cb278d..320c225175 100644 --- a/detections/endpoint/windows_app_layer_protocol_wermgr_connect_to_namedpipe.yml +++ b/detections/endpoint/windows_app_layer_protocol_wermgr_connect_to_namedpipe.yml 
@@ -15,7 +15,7 @@ description: The following analytic identifies a suspicious wermgr.exe process c data_source: [] search: '`sysmon` EventCode IN (17, 18) Image= "*\\wermgr.exe" EventType IN ( "CreatePipe", "ConnectPipe") | stats min(_time) as firstTime max(_time) as lastTime count by - Image EventType ProcessGuid ProcessId PipeName SecurityID EventCode Computer UserID + Image EventType ProcessGuid ProcessId PipeName SecurityID EventCode dest UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_app_layer_protocol_wermgr_connect_to_namedpipe_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, pipename, processguid and named pipe event type from @@ -32,11 +32,11 @@ tags: confidence: 70 impact: 70 message: wermgr.exe process is creating or connecting to a named pipe $PipeName$ - in $Computer$ + in $dest$ mitre_attack_id: - T1071 observable: - - name: Computer + - name: dest type: Endpoint role: - Victim @@ -51,7 +51,7 @@ tags: - ProcessGuid - ProcessId - PipeName - - Computer + - dest - UserID - SecurityID risk_score: 49 diff --git a/detections/endpoint/windows_application_layer_protocol_rms_radmin_tool_namedpipe.yml b/detections/endpoint/windows_application_layer_protocol_rms_radmin_tool_namedpipe.yml index 7f87ae55db..a56e648ad4 100644 --- a/detections/endpoint/windows_application_layer_protocol_rms_radmin_tool_namedpipe.yml +++ b/detections/endpoint/windows_application_layer_protocol_rms_radmin_tool_namedpipe.yml 
@@ -17,7 +17,7 @@ data_source: [] search: '`sysmon` EventCode IN (17, 18) EventType IN ( "CreatePipe", "ConnectPipe") PipeName IN ("\\RManFUSServerNotify32", "\\RManFUSCallbackNotify32", "\\RMSPrint*") | stats min(_time) as firstTime max(_time) as lastTime count by Image EventType - ProcessId PipeName Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + ProcessId PipeName dest UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_application_layer_protocol_rms_radmin_tool_namedpipe_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your @@ -38,7 +38,7 @@ tags: mitre_attack_id: - T1071 observable: - - name: Computer + - name: dest type: Endpoint role: - Victim @@ -52,7 +52,7 @@ tags: - EventType - ProcessId - PipeName - - Computer + - dest - UserID risk_score: 81 security_domain: endpoint diff --git a/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml b/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml index 515e19a157..c0e6e1c831 100644 --- a/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml +++ b/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml @@ -30,6 +30,7 @@ references: tags: analytic_story: - Chaos Ransomware + - NjRAT asset_type: Endpoint confidence: 90 impact: 90 diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml index 42d159f29f..d1f7a5dcea 100644 --- a/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml +++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml 
@@ -30,6 +30,7 @@ tags: - RedLine Stealer - Amadey - Warzone RAT + - NjRAT asset_type: Endpoint confidence: 50 impact: 50 diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml index df3f1faa77..502c92cc19 100644 --- a/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml +++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml @@ -30,6 +30,7 @@ tags: - RedLine Stealer - Amadey - Warzone RAT + - NjRAT asset_type: Endpoint confidence: 70 impact: 70 diff --git a/detections/endpoint/windows_data_destruction_recursive_exec_files_deletion.yml b/detections/endpoint/windows_data_destruction_recursive_exec_files_deletion.yml index f5b25908e0..f0b6b22080 100644 --- a/detections/endpoint/windows_data_destruction_recursive_exec_files_deletion.yml +++ b/detections/endpoint/windows_data_destruction_recursive_exec_files_deletion.yml @@ -17,7 +17,7 @@ data_source: - Sysmon Event ID 23 search: '`sysmon` EventCode=23 TargetFilename IN ("*.exe", "*.sys", "*.dll") | bin _time span=2m | stats values(TargetFilename) as deleted_files min(_time) as firstTime - max(_time) as lastTime count by Computer user EventCode Image ProcessID | where + max(_time) as lastTime count by dest user EventCode Image ProcessID | where count >=500 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_data_destruction_recursive_exec_files_deletion_filter`' how_to_implement: To successfully implement this search, you need to be ingesting @@ -34,7 +34,7 @@ tags: asset_type: Endpoint confidence: 80 impact: 80 - message: a big number of executable files being deleted in $Computer$ + message: a big number of executable files being deleted in $dest$ mitre_attack_id: - T1485 observable: 
@@ -42,7 +42,7 @@ tags: type: User role: - Victim - - name: Computer + - name: dest type: Endpoint role: - Victim @@ -57,7 +57,7 @@ tags: required_fields: - EventCode - TargetFilename - - Computer + - dest - user - Image - ProcessID diff --git a/detections/endpoint/windows_delete_or_modify_system_firewall.yml b/detections/endpoint/windows_delete_or_modify_system_firewall.yml new file mode 100644 index 0000000000..5b81bcb763 --- /dev/null +++ b/detections/endpoint/windows_delete_or_modify_system_firewall.yml 
@@ -0,0 +1,69 @@
+name: Windows Delete or Modify System Firewall
+id: b188d11a-eba7-419d-b8b6-cc265b4f2c4f
+version: 1
+date: '2023-09-08'
+author: Teoderick Contreras, Splunk
+status: production
+type: Anomaly
+data_source:
+- Sysmon Event ID 1
+description: This analytic identifies potentially malicious 'netsh' processes that manipulate firewall configurations.
+ This behavior has been observed in the NJRAT malware, which deletes its added firewall rules as part of its cleanup process.
+ Leveraging this anomaly detection can be a valuable approach for detecting malware, such as NJRAT,
+ that makes alterations to firewall configurations as a component of its malicious activities.
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
+ where `process_netsh` Processes.process = "* firewall *" Processes.process = "* delete *"
+ by Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest
+ | `drop_dm_object_name("Processes")`
+ | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`
+ | `windows_delete_or_modify_system_firewall_filter`'
+how_to_implement: The detection is based on data that originates from Endpoint Detection
+ and Response (EDR) agents. These agents are designed to provide security-related
+ telemetry from the endpoints where the agent is installed. To implement this search,
+ you must ingest logs that contain the process GUID, process name, and parent process.
+ Additionally, you must ingest complete command-line executions. These logs must
+ be processed using the appropriate Splunk Technology Add-ons that are specific to
+ the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
+ data model.
Use the Splunk Common Information Model (CIM) to normalize the field
+ names and speed up the data modeling process.
+known_false_positives: Administrator may modify or delete firewall configuration.
+references:
+- https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat
+tags:
+ analytic_story:
+ - NjRAT
+ asset_type: Endpoint
+ confidence: 60
+ impact: 60
+ message: A $process_name$ deleted a firewall configuration on $dest$
+ mitre_attack_id:
+ - T1562
+ - T1562.004
+ observable:
+ - name: dest
+ type: Endpoint
+ role:
+ - Victim
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ risk_score: 36
+ required_fields:
+ - _time
+ - Processes.dest
+ - Processes.user
+ - Processes.parent_process_name
+ - Processes.parent_process
+ - Processes.process_name
+ - Processes.process
+ - Processes.process_id
+ - Processes.parent_process_id
+ security_domain: endpoint
+tests:
+- name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.004/njrat_delete_firewall/njrat_delete_firewall.log
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ sourcetype: xmlwineventlog
diff --git a/detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml b/detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml
new file mode 100644
index 0000000000..593aba2a37
--- /dev/null
+++ b/detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml
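Review bot: The `name` and `description` promise coverage of firewall modification, but the `where` clause only matches `Processes.process = "* delete *"`, so rule additions or changes made through the same netsh firewall context are not caught; either narrow `name`/`description` to rule deletion or widen the process filter to the other verbs the description claims (with a matching attack_data entry, since the test only exercises the delete case). `required_fields` lists `Processes.parent_process_id`, which the `by` clause never groups on, while `Processes.process_guid`, which it does group on, is missing from the list. The `how_to_implement` text is the generic EDR boilerplate and does not mention the `process_netsh` macro the search depends on; a sentence such as `This search relies on the process_netsh macro, which must resolve to the netsh process name in your environment.` would help an implementer.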
@@ -0,0 +1,78 @@
+name: Windows Disable or Modify Tools Via Taskkill
+id: a43ae66f-c410-4b3d-8741-9ce1ad17ddb0
+version: 1
+date: '2023-09-13'
+author: Teoderick Contreras, Splunk
+status: production
+type: Anomaly
+data_source:
+- Sysmon Event ID 1
+description: This analytic is designed to identify potentially malicious processes that terminate other processes using taskkill.exe.
+ This technique has been observed in various malware instances, employed by adversaries and red teamers alike, to forcibly terminate
+ other processes whether they be security products or other legitimate applications as part of their malicious activities.
+ Detecting this anomaly serves as a valuable alert mechanism to identify suspicious processes or malware attempting to evade detection and disrupt system stability.
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
+ where Processes.process_name = "taskkill.exe" Processes.process IN ("* /f*", "* /t*") Processes.process IN ("* /im*", "* /pid*")
+ by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.process_guid Processes.user Processes.dest
+ | `drop_dm_object_name("Processes")`
+ | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`
+ | `windows_disable_or_modify_tools_via_taskkill_filter`'
+how_to_implement: The detection is based on data that originates from Endpoint Detection
+ and Response (EDR) agents. These agents are designed to provide security-related
+ telemetry from the endpoints where the agent is installed. To implement this search,
+ you must ingest logs that contain the process GUID, process name, and parent process.
+ Additionally, you must ingest complete command-line executions. These logs must
+ be processed using the appropriate Splunk Technology Add-ons that are specific to
+ the EDR product.
The logs must also be mapped to the `Processes` node of the `Endpoint`
+ data model. Use the Splunk Common Information Model (CIM) to normalize the field
+ names and speed up the data modeling process.
+known_false_positives: Network administrator can use this application to kill process during audit or investigation.
+references:
+- https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat
+tags:
+ analytic_story:
+ - NjRAT
+ asset_type: Endpoint
+ confidence: 60
+ impact: 60
+ message: A taskkill process to terminate process is executed on host- $dest$
+ mitre_attack_id:
+ - T1562
+ - T1562.001
+ observable:
+ - name: dest
+ type: Endpoint
+ role:
+ - Victim
+ - name: dest
+ type: Endpoint
+ role:
+ - Victim
+ - name: parent_process_name
+ type: Process Name
+ role:
+ - Parent Process
+ - Attacker
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ risk_score: 36
+ required_fields:
+ - _time
+ - Processes.dest
+ - Processes.user
+ - Processes.parent_process_name
+ - Processes.parent_process
+ - Processes.process_name
+ - Processes.process
+ - Processes.process_id
+ - Processes.parent_process_id
+ security_domain: endpoint
+tests:
+- name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/taskkill/taskkill_im.log
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ sourcetype: xmlwineventlog
diff --git a/detections/endpoint/windows_dll_search_order_hijacking_hunt_with_sysmon.yml b/detections/endpoint/windows_dll_search_order_hijacking_hunt_with_sysmon.yml
index 06fd02574f..07f9d7117a 100644
--- a/detections/endpoint/windows_dll_search_order_hijacking_hunt_with_sysmon.yml
+++ b/detections/endpoint/windows_dll_search_order_hijacking_hunt_with_sysmon.yml
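Review bot: `observable` lists the `dest` / `Endpoint` / `Victim` entry twice; the second copy is a duplicate and should be removed, since it will either be rejected by the content validator or produce a doubled risk object (which of the two happens is not visible from this diff). The `message` reads awkwardly and should name the tool and the host in plain terms, e.g. `message: taskkill.exe was executed to forcibly terminate a process on $dest$`. As in the firewall detection added earlier in this commit, `required_fields` lists `Processes.parent_process_id` although the `by` clause groups on `Processes.process_guid` and never reads the parent id. `known_false_positives` should also note that software installers and update agents routinely call taskkill with `/f`, since `confidence: 60` on a bare taskkill match will be noisy without that context.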
@@ -19,7 +19,7 @@ data_source: - Sysmon Event ID 7 search: '`sysmon` EventCode=7 NOT (process_path IN ("*\\system32\\*", "*\\syswow64\\*","*\\winsxs\\*","*\\wbem\\*")) | lookup hijacklibs library AS process_name OUTPUT islibrary | search islibrary - = True | rename Computer as dest process_name AS ImageLoaded process_path AS Module_Path + = True |rename process_name AS ImageLoaded process_path AS Module_Path | stats values(parent_process_name) count by _time dest ImageLoaded Module_Path | `windows_dll_search_order_hijacking_hunt_with_sysmon_filter`' how_to_implement: The latest Sysmon TA 3.0 https://splunkbase.splunk.com/app/5709 diff --git a/detections/endpoint/windows_dll_side_loading_in_calc.yml b/detections/endpoint/windows_dll_side_loading_in_calc.yml index 3dd424fadc..548062f3fc 100644 --- a/detections/endpoint/windows_dll_side_loading_in_calc.yml +++ b/detections/endpoint/windows_dll_side_loading_in_calc.yml @@ -17,7 +17,7 @@ search: '`sysmon` EventCode=7 Image = "*\calc.exe" AND NOT (Image IN ("*:\\windo "*:\\windows\\sysWow64\\*")) AND NOT(ImageLoaded IN("*:\\windows\\system32\\*", "*:\\windows\\sysWow64\\*", "*:\\windows\\WinSXS\\*")) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded OriginalFileName Product - process_name Computer EventCode Signed ProcessId | `security_content_ctime(firstTime)` + process_name dest EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_dll_side_loading_in_calc_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on processes that include the name of the process responsible for the changes from 
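Review bot: `= True |rename process_name AS ImageLoaded process_path AS Module_Path` drops the space after the pipe, unlike every other pipeline segment in this commit; write `= True | rename process_name AS ImageLoaded process_path AS Module_Path`. Removing `rename Computer as dest` here makes the hunt depend on the Sysmon TA populating `dest`, which the `how_to_implement` text immediately below (Sysmon TA 3.0) already requires, so the behavioral change is consistent, but it is worth stating that dependency explicitly in that paragraph.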
@@ -34,12 +34,12 @@ tags: confidence: 100 impact: 90 message: a dll modules is loaded by calc.exe in $ImageLoaded$ that are not in common - windows OS installation folder in $Computer$ + windows OS installation folder in $dest$ mitre_attack_id: - T1574.002 - T1574 observable: - - name: Computer + - name: dest type: Endpoint role: - Victim @@ -54,7 +54,7 @@ tags: - OriginalFileName - Product - process_name - - Computer + - dest - EventCode - Signed - ProcessId diff --git a/detections/endpoint/windows_drivers_loaded_by_signature.yml b/detections/endpoint/windows_drivers_loaded_by_signature.yml index 8c66603eb4..67b0127e44 100644 --- a/detections/endpoint/windows_drivers_loaded_by_signature.yml +++ b/detections/endpoint/windows_drivers_loaded_by_signature.yml @@ -14,7 +14,7 @@ description: The following analytic assists with viewing all drivers being loade data_source: - Sysmon Event ID 6 search: '`sysmon` EventCode=6 | stats min(_time) as firstTime max(_time) as lastTime - values(ImageLoaded) count by Computer Signed Signature service_signature_verified + values(ImageLoaded) count by dest Signed Signature service_signature_verified service_signature_exists Hashes | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_drivers_loaded_by_signature_filter`' how_to_implement: To successfully implement this search, you need to be ingesting @@ -37,12 +37,12 @@ tags: asset_type: Endpoint confidence: 70 impact: 60 - message: A driver has loaded on $Computer$. + message: A driver has loaded on $dest$. mitre_attack_id: - T1014 - T1068 observable: - - name: Computer + - name: dest type: Endpoint role: - Victim @@ -53,7 +53,7 @@ tags: required_fields: - _time - ImageLoaded - - Computer + - dest - Signed - Signature - service_signature_verified diff --git a/detections/endpoint/windows_executable_in_loaded_modules.yml b/detections/endpoint/windows_executable_in_loaded_modules.yml new file mode 100644 index 0000000000..092578b463 --- /dev/null 
+++ b/detections/endpoint/windows_executable_in_loaded_modules.yml 
@@ -0,0 +1,65 @@
+name: Windows Executable in Loaded Modules
+id: 3e27af56-fcf0-4113-988d-24969b062be7
+version: 1
+date: '2023-09-12'
+author: Teoderick Contreras, Splunk
+status: production
+type: TTP
+data_source:
+- Sysmon Event ID 7
+description: This analytic identifies potentially malicious 'ImageLoaded' events, particularly when they involve executable files.
+ This behavior was observed in NjRAT instances, where, during each instance of loading a module from its C2 server onto the compromised host,
+ Sysmon recorded the path of the actual Image or Process as an 'ImageLoaded' event, rather than the typical tracking of dynamically loaded DLL modules in memory.
+ This event holds significance because it tracks processes that load modules and libraries, which are typically in the .dll format rather than .exe.
+ Leveraging this 'Time-To-Perform' (TTP) detection method can prove invaluable for the identification of NjRAT malware or
+ other malicious software instances that introduce executable files as modules within a targeted host.
+search: '`sysmon` EventCode=7 ImageLoaded= *.exe
+ | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded Signed SignatureStatus OriginalFileName process_name Computer EventCode ProcessId Hashes IMPHASH
+ | rename Computer as dest
+ | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`
+ | `windows_executable_in_loaded_modules_filter`'
+how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints.
+ If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
+known_false_positives: unknown.
+references:
+ - https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat
+tags:
+ analytic_story:
+ - NjRAT
+ asset_type: Endpoint
+ confidence: 80
+ impact: 80
+ message: An executable $Imageloaded$ loaded by $Image$ on $dest$
+ mitre_attack_id:
+ - T1129
+ observable:
+ - name: dest
+ type: Endpoint
+ role:
+ - Victim
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ risk_score: 64
+ required_fields:
+ - _time
+ - Image
+ - ImageLoaded
+ - Signed
+ - SignatureStatus
+ - OriginalFileName
+ - process_name
+ - Computer
+ - EventCode
+ - ProcessId
+ - Hashes
+ - IMPHASH
+ security_domain: endpoint
+tests:
+- name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1129/executable_shared_modules/image_loaded_exe.log
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ sourcetype: xmlwineventlog
diff --git a/detections/endpoint/windows_file_transfer_protocol_in_non_common_process_path.yml b/detections/endpoint/windows_file_transfer_protocol_in_non_common_process_path.yml
index 98c1610f1c..d27545a579 100644
--- a/detections/endpoint/windows_file_transfer_protocol_in_non_common_process_path.yml
+++ b/detections/endpoint/windows_file_transfer_protocol_in_non_common_process_path.yml
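Review bot: The risk `message` references `$Imageloaded$`, but the field the search emits is `ImageLoaded`; the placeholders are case-sensitive, so the token will be left unsubstituted in the notable. Change it to `message: An executable $ImageLoaded$ loaded by $Image$ on $dest$`. This new file also groups on `Computer` and adds `| rename Computer as dest`, and lists `Computer` rather than `dest` under `required_fields`, while every other Sysmon detection touched by this commit groups on `dest` directly; it should follow the same convention so the `how_to_implement` requirement (Sysmon TA 6.0.4) matches what the query consumes. In `description`, TTP is expanded as 'Time-To-Perform'; it stands for Tactics, Techniques, and Procedures, as the fileless-storage detection in this same commit correctly states. `known_false_positives: unknown.` is thin for a TTP at `risk_score: 64` — the `.exe`-as-ImageLoaded pattern also occurs with legitimately loaded executables, and that should be acknowledged.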
@@ -16,7 +16,7 @@ data_source: search: '`sysmon` EventCode=3 NOT(Image IN("*\\program files*", "*\\windows\\system32\\*","*\\windows\\SysWOW64\\*")) (DestinationPortName="ftp" OR DestinationPort=21) | stats count min(_time) as firstTime max(_time) as lastTime by Image DestinationPort DestinationPortName DestinationHostname - DestinationIp SourcePort SourcePortName Protocol SourceHostname Computer user | + DestinationIp SourcePort SourcePortName Protocol SourceHostname dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_file_transfer_protocol_in_non_common_process_path_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name and sysmon eventcode = 3 connection events from your @@ -33,12 +33,12 @@ tags: confidence: 30 impact: 30 message: a process $Image$ is having a FTP connection to $DestinationHostname$ in - $Computer$ + $dest$ mitre_attack_id: - T1071.003 - T1071 observable: - - name: Computer + - name: dest type: Hostname role: - Victim @@ -57,7 +57,7 @@ tags: - SourcePortName - Protocol - DestinationIp - - Computer + - dest - user risk_score: 9 security_domain: endpoint diff --git a/detections/endpoint/windows_fileless_storage_via_registry.yml b/detections/endpoint/windows_fileless_storage_via_registry.yml new file mode 100644 index 0000000000..ac41e4b87e --- /dev/null +++ b/detections/endpoint/windows_fileless_storage_via_registry.yml 
@@ -0,0 +1,66 @@
+name: Windows Njrat Fileless Storage via Registry
+id: a5fffbbd-271f-4980-94ed-4fbf17f0af1c
+version: 1
+date: '2023-09-14'
+author: Teoderick Contreras, Splunk
+status: production
+type: TTP
+data_source:
+- Sysmon EventID 12
+- Sysmon EventID 13
+- Sysmon EventID 14
+description: The following analytic identifies a suspicious registry modification associated with NjRat,
+ a telltale sign of its fileless technique. NjRat employs this method to manage its keylogs and execute downloaded DLL module plugins discreetly on the compromised host.
+ This approach is particularly effective at evading conventional file-based detection systems, as it stores indicators of compromise (IOCs) in the registry.
+ Leveraging this TTP (Tactics, Techniques, and Procedures) detection can significantly enhance the identification of NjRAT infections.
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry
+ where Registry.registry_path="*\\[kl]" OR Registry.registry_value_data IN ("*[ENTER]*", "*[TAP]*", "*[Back]*")
+ by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name Registry.registry_value_name
+ | `drop_dm_object_name(Registry)`
+ | `security_content_ctime(lastTime)`
+ | `security_content_ctime(firstTime)`
+ | `windows_njrat_fileless_storage_via_registry_filter`'
+how_to_implement: To successfully implement this search you need to be ingesting information
+ on process that include the name of the process responsible for the changes from
+ your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition,
+ confirm the latest CIM App 4.20 or higher is installed and the latest TA for the
+ endpoint product.
+known_false_positives: unknown
+references:
+ - https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat
+tags:
+ analytic_story:
+ - NjRAT
+ asset_type: Endpoint
+ confidence: 100
+ impact: 100
+ message: a suspicious registry entry related to NjRAT keylloging registry in $dest$
+ mitre_attack_id:
+ - T1027.011
+ - T1027
+ observable:
+ - name: dest
+ type: Endpoint
+ role:
+ - Victim
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ risk_score: 100
+ required_fields:
+ - _time
+ - Registry.registry_key_name
+ - Registry.registry_path
+ - Registry.user
+ - Registry.dest
+ - Registry.registry_value_name
+ - Registry.action
+ - Registry.registry_value_data
+ security_domain: endpoint
+tests:
+- name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027.011/njrat_fileless_registry_entry/njrat_registry.log
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ sourcetype: xmlwineventlog
diff --git a/detections/endpoint/windows_gather_victim_identity_sam_info.yml b/detections/endpoint/windows_gather_victim_identity_sam_info.yml
index 241e8715d0..834162364f 100644
--- a/detections/endpoint/windows_gather_victim_identity_sam_info.yml
+++ b/detections/endpoint/windows_gather_victim_identity_sam_info.yml
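Review bot: `how_to_implement` tells the reader to populate the `Processes` node of the `Endpoint` data model, but the search reads `datamodel=Endpoint.Registry`, so the implementation notes point at the wrong node; it should reference the `Registry` node and the Sysmon registry events (12/13/14) that `data_source` already lists. `required_fields` includes `Registry.action`, which the search never references, so it can be dropped. The detection `name` ('Windows Njrat Fileless Storage via Registry') and the filter macro `windows_njrat_fileless_storage_via_registry_filter` carry the `njrat` token but the file is `windows_fileless_storage_via_registry.yml`; if contentctl derives the macro and expects the file name to match `name`, as the other new files in this commit suggest, one of the three should be aligned. `keylloging` in `message` is a typo for `keylogging`, and a `confidence: 100` / `risk_score: 100` TTP with `known_false_positives: unknown` deserves at least a note that the `[ENTER]`/`[TAP]`/`[Back]` value-data strings could in principle appear in unrelated software settings.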
@@ -16,7 +16,7 @@ search: '`sysmon` EventCode=7 (ImageLoaded = "*\\samlib.dll" AND OriginalFileNa = "samlib.dll") OR (ImageLoaded = "*\\samcli.dll" AND OriginalFileName = "SAMCLI.DLL") AND NOT (Image IN("C:\\Windows\\*", "C:\\Program File*", "%systemroot%\\*")) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name - Computer EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + dest EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_gather_victim_identity_sam_info_filter`' how_to_implement: The latest Sysmon TA 3.0 https://splunkbase.splunk.com/app/5709 will add the ImageLoaded name to the process_name field, allowing this query to @@ -32,13 +32,13 @@ tags: asset_type: Endpoint confidence: 30 impact: 30 - message: An instance of $Computer$ that loads $ImageLoaded$ that are related to + message: An instance of $dest$ that loads $ImageLoaded$ that are related to accessing to SAM object information. mitre_attack_id: - T1589.001 - T1589 observable: - - name: Computer + - name: dest type: Endpoint role: - Victim @@ -50,7 +50,7 @@ tags: - _time - Image - ImageLoaded - - Computer + - dest - EventCode - Signed - ProcessId diff --git a/detections/endpoint/windows_gather_victim_network_info_through_ip_check_web_services.yml b/detections/endpoint/windows_gather_victim_network_info_through_ip_check_web_services.yml index 59f0b58ed7..d91b6070eb 100644 --- a/detections/endpoint/windows_gather_victim_network_info_through_ip_check_web_services.yml +++ b/detections/endpoint/windows_gather_victim_network_info_through_ip_check_web_services.yml 
@@ -15,7 +15,7 @@ search: '`sysmon` EventCode=22 QueryName IN ("*wtfismyip.com", "*checkip.amazon "ident.me", "www.myexternalip.com", "*zen.spamhaus.org", "*cbl.abuseat.org", "*b.barracudacentral.org", "*dnsbl-1.uceprotect.net", "*spam.dnsbl.sorbs.net", "*iplogger.org*", "*ip-api.com*") | stats min(_time) as firstTime max(_time) as lastTime count by Image ProcessId - QueryName QueryStatus QueryResults Computer EventCode | `security_content_ctime(firstTime)` + QueryName QueryStatus QueryResults EventCode Computer | rename Computer as dest| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_gather_victim_network_info_through_ip_check_web_services_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, dns query name process path , and query ststus from @@ -32,12 +32,12 @@ tags: asset_type: Endpoint confidence: 50 impact: 50 - message: process connecting IP location web services on $Computer$ + message: Process connecting IP location web services on $dest$ mitre_attack_id: - T1590.005 - T1590 observable: - - name: Computer + - name: dest type: Endpoint role: - Victim @@ -52,7 +52,7 @@ tags: - QueryName - QueryStatus - QueryResults - - Computer + - dest - EventCode risk_score: 25 security_domain: endpoint diff --git a/detections/endpoint/windows_high_file_deletion_frequency.yml b/detections/endpoint/windows_high_file_deletion_frequency.yml index dbfe3341c6..266d15d81d 100644 --- a/detections/endpoint/windows_high_file_deletion_frequency.yml +++ b/detections/endpoint/windows_high_file_deletion_frequency.yml 
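Review bot: The `stats ... by` line on the new side still groups on `Computer` and then does `| rename Computer as dest|`, yet the third hunk changes `required_fields` from `Computer` to `dest`, so the declared inputs no longer match what the query actually consumes. The other Sysmon detections in this commit drop the rename and group on `dest` directly; doing the same here, i.e. replacing `QueryResults EventCode Computer | rename Computer as dest|` with `QueryResults EventCode dest |`, keeps the three hunks consistent and also restores the missing space before the pipe. If the intent was instead to keep `Computer` as the raw field, `required_fields` should continue to list `Computer`.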
@@ -15,7 +15,7 @@ search: '`sysmon` EventCode=23 TargetFilename IN ("*.cmd", "*.ini","*.gif", "*.j "*.jpeg", "*.db", "*.ps1", "*.doc*", "*.xls*", "*.ppt*", "*.bmp","*.zip", "*.rar", "*.7z", "*.chm", "*.png", "*.log", "*.vbs", "*.js", "*.vhd", "*.bak", "*.wbcat", "*.bkf" , "*.backup*", "*.dsk", "*.win") | stats values(TargetFilename) as deleted_files - min(_time) as firstTime max(_time) as lastTime count by Computer user EventCode + min(_time) as firstTime max(_time) as lastTime count by dest user EventCode Image ProcessID |where count >=100 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_high_file_deletion_frequency_filter`' how_to_implement: To successfully implement this search, you need to be ingesting @@ -37,7 +37,7 @@ tags: asset_type: Endpoint confidence: 80 impact: 90 - message: High frequency file deletion activity detected on host $Computer$ + message: High frequency file deletion activity detected on host $dest$ mitre_attack_id: - T1485 observable: @@ -45,7 +45,7 @@ tags: type: User role: - Victim - - name: Computer + - name: dest type: Endpoint role: - Victim @@ -60,7 +60,7 @@ tags: required_fields: - EventCode - TargetFilename - - Computer + - dest - user - Image - ProcessID diff --git a/detections/endpoint/windows_hijack_execution_flow_version_dll_side_load.yml b/detections/endpoint/windows_hijack_execution_flow_version_dll_side_load.yml index 8e113b49b9..ce44eadcdd 100644 --- a/detections/endpoint/windows_hijack_execution_flow_version_dll_side_load.yml +++ b/detections/endpoint/windows_hijack_execution_flow_version_dll_side_load.yml 
@@ -17,7 +17,7 @@ data_source: search: '`sysmon` EventCode=7 ImageLoaded = "*\\version.dll" AND (Signed = "false" OR NOT(ImageLoaded IN("*\\windows\\system32*", "*\\windows\\syswow64\\*"))) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name - Computer EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + dest EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_hijack_execution_flow_version_dll_side_load_filter`' how_to_implement: The latest Sysmon TA 3.0 https://splunkbase.splunk.com/app/5709 will add the ImageLoaded name to the process_name field, allowing this query to @@ -31,12 +31,12 @@ tags: asset_type: Endpoint confidence: 70 impact: 50 - message: a process $Image$ loading $ImageLoaded$ as a side load dll in $Computer$ + message: a process $Image$ loading $ImageLoaded$ as a side load dll in $dest$ mitre_attack_id: - T1574.001 - T1574 observable: - - name: Computer + - name: dest type: Endpoint role: - Victim @@ -49,7 +49,7 @@ tags: - Image - ImageLoaded - process_name - - Computer + - dest - EventCode - Signed - ProcessId diff --git a/detections/endpoint/windows_hunting_system_account_targeting_lsass.yml b/detections/endpoint/windows_hunting_system_account_targeting_lsass.yml index 481a560733..951099e161 100644 --- a/detections/endpoint/windows_hunting_system_account_targeting_lsass.yml +++ b/detections/endpoint/windows_hunting_system_account_targeting_lsass.yml 
@@ -13,8 +13,8 @@ description: The following hunting analytic identifies all processes requesting data_source: - Sysmon Event ID 1 search: '`sysmon` EventCode=10 TargetImage=*lsass.exe | stats count min(_time) as - firstTime max(_time) as lastTime by Computer, TargetImage, GrantedAccess, SourceImage, - SourceProcessId, SourceUser, TargetUser | rename Computer as dest | `security_content_ctime(firstTime)` + firstTime max(_time) as lastTime by dest, TargetImage, GrantedAccess, SourceImage, + SourceProcessId, SourceUser, TargetUser | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_hunting_system_account_targeting_lsass_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your @@ -55,7 +55,7 @@ tags: - Splunk Cloud required_fields: - _time - - Computer + - dest - TargetImage - GrantedAccess - SourceImage diff --git a/detections/endpoint/windows_input_capture_using_credential_ui_dll.yml b/detections/endpoint/windows_input_capture_using_credential_ui_dll.yml index ab9dd4b28c..2b6bab1220 100644 --- a/detections/endpoint/windows_input_capture_using_credential_ui_dll.yml +++ b/detections/endpoint/windows_input_capture_using_credential_ui_dll.yml 
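Review bot: `data_source` still reads `- Sysmon Event ID 1` while the search on the new side filters on `EventCode=10` (Sysmon ProcessAccess), so the metadata names the wrong event for anyone scoping ingestion from it; this predates the rename but the context line is now part of the hunk. Change it to `- Sysmon Event ID 10`. Dropping `| rename Computer as dest` and grouping on `dest` directly is consistent with the rest of the commit, provided the Sysmon TA mentioned in `how_to_implement` supplies `dest`.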
@@ -18,7 +18,7 @@ search: '`sysmon` EventCode=7 (ImageLoaded = "*\\credui.dll" AND OriginalFileNa = "credui.dll") OR (ImageLoaded = "*\\wincredui.dll" AND OriginalFileName = "wincredui.dll") AND NOT(Image IN("*\\windows\\explorer.exe", "*\\windows\\system32\\*", "*\\windows\\sysWow64\\*", "*:\\program files*")) | stats count min(_time) as firstTime max(_time) as lastTime - by Image ImageLoaded OriginalFileName Computer EventCode Signed ProcessId ProcessGuid + by Image ImageLoaded OriginalFileName dest EventCode Signed ProcessId ProcessGuid | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_input_capture_using_credential_ui_dll_filter`' how_to_implement: The latest Sysmon TA 3.0 https://splunkbase.splunk.com/app/5709 will add the ImageLoaded name to the process_name field, allowing this query to @@ -34,12 +34,12 @@ tags: asset_type: Endpoint confidence: 30 impact: 30 - message: a process $Image$ loaded $ImageLoaded$ in $Computer$ + message: a process $Image$ loaded $ImageLoaded$ in $dest$ mitre_attack_id: - T1056.002 - T1056 observable: - - name: Computer + - name: dest type: Endpoint role: - Victim @@ -52,7 +52,7 @@ tags: - Image - ImageLoaded - process_name - - Computer + - dest - EventCode - Signed - ProcessId diff --git a/detections/endpoint/windows_installutil_credential_theft.yml b/detections/endpoint/windows_installutil_credential_theft.yml index 3518abe2aa..db2542c519 100644 --- a/detections/endpoint/windows_installutil_credential_theft.yml +++ b/detections/endpoint/windows_installutil_credential_theft.yml 
@@ -24,7 +24,8 @@ data_source: - Sysmon Event ID 7 search: '`sysmon` EventCode=7 parent_process_name=installutil.exe ImageLoaded IN ("*\\samlib.dll", "*\\vaultcli.dll") | stats count min(_time) as firstTime max(_time) - as lastTime by dest, parent_process_name, ImageLoaded, OriginalFileName, ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + as lastTime by dest, parent_process_name, ImageLoaded, OriginalFileName, ProcessId + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_installutil_credential_theft_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and module loads from your endpoints. diff --git a/detections/endpoint/windows_mail_protocol_in_non_common_process_path.yml b/detections/endpoint/windows_mail_protocol_in_non_common_process_path.yml index c67be6822c..df9702a4a9 100644 --- a/detections/endpoint/windows_mail_protocol_in_non_common_process_path.yml +++ b/detections/endpoint/windows_mail_protocol_in_non_common_process_path.yml @@ -17,7 +17,7 @@ search: '`sysmon` EventCode=3 NOT(Image IN("*\\program files*", "*\\thunderbird. (DestinationPortName="smtp" OR DestinationPort=25 OR DestinationPort=587) | stats count min(_time) as firstTime max(_time) as lastTime by Image DestinationPort DestinationPortName DestinationHostname SourceHostname SourcePort SourcePortName Protocol DestinationIp - Computer user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_mail_protocol_in_non_common_process_path_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name and sysmon eventcode = 3 connection events from your 
@@ -34,12 +34,12 @@ tags: confidence: 30 impact: 30 message: a process $Image$ is having a SMTP connection to $DestinationHostname$ - in $Computer$ + in $dest$ mitre_attack_id: - T1071.003 - T1071 observable: - - name: Computer + - name: dest type: Hostname role: - Victim @@ -58,7 +58,7 @@ tags: - SourcePortName - Protocol - DestinationIp - - Computer + - dest - user risk_score: 9 security_domain: endpoint diff --git a/detections/endpoint/windows_mark_of_the_web_bypass.yml b/detections/endpoint/windows_mark_of_the_web_bypass.yml index 86734f1975..7cda12494f 100644 --- a/detections/endpoint/windows_mark_of_the_web_bypass.yml +++ b/detections/endpoint/windows_mark_of_the_web_bypass.yml @@ -12,7 +12,7 @@ description: The following analytic identifies a suspicious process that delete security restrictions within the Windows Operating System, particularly pertaining to files downloaded from the internet. An example of this scenario is demonstrated by Ave Maria RAT, which attempts to delete this data stream as a means to evade such restrictions. search: '`sysmon` EventCode=23 TargetFilename = "*:Zone.Identifier" - | stats min(_time) as firstTime max(_time) as lastTime count by user EventCode Image TargetFilename ProcessID Computer | rename Computer as dest + | stats min(_time) as firstTime max(_time) as lastTime count by user EventCode Image TargetFilename ProcessID dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_mark_of_the_web_bypass_filter`' @@ -48,7 +48,7 @@ tags: required_fields: - EventCode - TargetFilename - - Computer + - dest - user - Image - ProcessID diff --git a/detections/endpoint/windows_modify_registry_with_md5_reg_key_name.yml b/detections/endpoint/windows_modify_registry_with_md5_reg_key_name.yml new file mode 100644 index 0000000000..360ef3d78d --- /dev/null +++ b/detections/endpoint/windows_modify_registry_with_md5_reg_key_name.yml 
@@ -0,0 +1,67 @@
+name: Windows Modify Registry With MD5 Reg Key Name
+id: 4662c6b1-0754-455e-b9ff-3ee730af3ba8
+version: 1
+date: '2023-09-25'
+author: Teoderick Contreras, Splunk
+status: production
+type: TTP
+data_source:
+- Sysmon EventID 12
+- Sysmon EventID 13
+- Sysmon EventID 14
+description: This analytic is designed to identify potentially malicious registry modification characterized by MD5-like registry key names.
+ This technique has been notably observed in NjRAT malware, which employs such registries for fileless storage of keylogs and .DLL plugins.
+ Detecting this tactic serves as an effective means of identifying possible NjRAT malware instances that create or modify registries as
+ part of their malicious activities.
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry
+ where Registry.registry_path = "*\\SOFTWARE\\*" Registry.registry_value_data = "Binary Data"
+ by Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.registry_key_name
+ | `drop_dm_object_name(Registry)`
+ | eval dropped_reg_path = split(registry_path, "\\")
+ | eval dropped_reg_path_split_count = mvcount(dropped_reg_path)
+ | eval validation_result= if(match(registry_value_name,"^[0-9a-fA-F]{32}$"),"md5","nonmd5")
+ | where validation_result = "md5" AND dropped_reg_path_split_count <= 5
+ | table dest user registry_path registry_value_name registry_value_data registry_key_name reg_key_name dropped_reg_path_split_count validation_result
+ | `security_content_ctime(lastTime)`
+ | `security_content_ctime(firstTime)`
+ | `windows_modify_registry_with_md5_reg_key_name_filter`'
+how_to_implement: To successfully implement this search you need to be ingesting information on process that
+ include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.
+known_false_positives: unknown
+references:
+- https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat
+tags:
+ analytic_story:
+ - NjRAT
+ asset_type: Endpoint
+ confidence: 60
+ impact: 60
+ message: A md5 registry value name $registry_value_name$ is created on $dest$
+ mitre_attack_id:
+ - T1112
+ observable:
+ - name: dest
+ type: Endpoint
+ role:
+ - Victim
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ risk_score: 36
+ required_fields:
+ - _time
+ - Registry.registry_key_name
+ - Registry.registry_path
+ - Registry.user
+ - Registry.dest
+ - Registry.registry_value_name
+ - Registry.action
+ - Registry.registry_value_data
+ security_domain: endpoint
+tests:
+- name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/njrat_md5_registry_entry/njrat_reg_binary.log
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ sourcetype: xmlwineventlog
diff --git a/detections/endpoint/windows_multi_hop_proxy_tor_website_query.yml b/detections/endpoint/windows_multi_hop_proxy_tor_website_query.yml
index 98a560e9c4..00177881e9 100644
--- a/detections/endpoint/windows_multi_hop_proxy_tor_website_query.yml
+++ b/detections/endpoint/windows_multi_hop_proxy_tor_website_query.yml
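Review bot: The `| table dest user registry_path ... validation_result` line in the new search drops `firstTime` and `lastTime`, since neither is in the table's field list, so the two `security_content_ctime(...)` macros that follow have nothing to convert and the result carries no timing fields. Either append `firstTime lastTime` to the `table` list or move the two macro calls above it. The same list also names `reg_key_name`, which no earlier command produces (the datamodel field is `registry_key_name`), so that column is always empty, and `Registry.action` in `required_fields` is not referenced anywhere in the search. Separately, `how_to_implement` tells the reader to land data in the `Filesystem` node of the `Endpoint` datamodel, while the search reads `datamodel=Endpoint.Registry`; the text should say the `Registry` node.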
@@ -14,7 +14,7 @@ data_source: - Sysmon Event ID 22 search: '`sysmon` EventCode=22 QueryName IN ("*.torproject.org", "www.theonionrouter.com") | stats count min(_time) as firstTime max(_time) as lastTime by Image QueryName - QueryStatus ProcessId Computer | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + QueryStatus ProcessId Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_multi_hop_proxy_tor_website_query_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name and sysmon eventcode = 22 dns query events from your @@ -31,12 +31,12 @@ tags: confidence: 50 impact: 50 message: a process $Image$ is having a dns query in a tor domain $QueryName$ in - $Computer$ + $dest$ mitre_attack_id: - T1071.003 - T1071 observable: - - name: Computer + - name: dest type: Hostname role: - Victim @@ -50,7 +50,7 @@ tags: - QueryName - QueryStatus - ProcessId - - Computer + - dest risk_score: 25 security_domain: endpoint tests: diff --git a/detections/endpoint/windows_non_system_account_targeting_lsass.yml b/detections/endpoint/windows_non_system_account_targeting_lsass.yml index d46ad6ccd1..888d0fe315 100644 --- a/detections/endpoint/windows_non_system_account_targeting_lsass.yml +++ b/detections/endpoint/windows_non_system_account_targeting_lsass.yml @@ -59,7 +59,7 @@ tags: - Splunk Cloud required_fields: - _time - - Computer + - dest - TargetImage - GrantedAccess - SourceImage diff --git a/detections/endpoint/windows_possible_credential_dumping.yml b/detections/endpoint/windows_possible_credential_dumping.yml index da811ce2ab..d7d12d341b 100644 --- a/detections/endpoint/windows_possible_credential_dumping.yml +++ b/detections/endpoint/windows_possible_credential_dumping.yml @@ -83,7 +83,7 @@ tags: - Splunk Cloud required_fields: - _time - - Computer + - dest - TargetImage - GrantedAccess - SourceImage 
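Review bot: The new search line in windows_multi_hop_proxy_tor_website_query.yml still groups `by ... ProcessId Computer | rename Computer as dest`, yet the third hunk of the same file (the list that appears to be `required_fields`) swaps `Computer` for `dest`, so the declared required field is now one the raw event does not carry and the field the search actually reads is no longer declared. Other files in this diff, for example windows_mark_of_the_web_bypass.yml, were switched to `by ... dest` and the rename dropped, which this change presumably meant to do as well; windows_spearphishing_attachment_connect_to_none_ms_office_domain.yml has the same mismatch. Either change the search to `QueryStatus ProcessId dest | \`security_content_ctime(firstTime)\` ...` without the rename, or keep `Computer` in the required-field list.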
diff --git a/detections/endpoint/windows_process_injection_of_wermgr_to_known_browser.yml b/detections/endpoint/windows_process_injection_of_wermgr_to_known_browser.yml index 50fc3e97e4..81dfcd307a 100644 --- a/detections/endpoint/windows_process_injection_of_wermgr_to_known_browser.yml +++ b/detections/endpoint/windows_process_injection_of_wermgr_to_known_browser.yml @@ -19,7 +19,7 @@ search: '`sysmon` EventCode=8 SourceImage = "*\\wermgr.exe" TargetImage IN ("*\\ "*\\chrome.exe", "*\\iexplore.exe","*\\microsoftedgecp.exe") | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage SourceProcessGuid SourceProcessId StartAddress StartFunction TargetProcessGuid TargetProcessId EventCode - Computer | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_injection_of_wermgr_to_known_browser_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the SourceImage, TargetImage, and EventCode executions from your endpoints @@ -36,12 +36,12 @@ tags: confidence: 70 impact: 70 message: wermgr.exe process $SourceImage$ create a remote thread to a browser process - $TargetImage$ in host $Computer$ + $TargetImage$ in host $dest$ mitre_attack_id: - T1055.001 - T1055 observable: - - name: Computer + - name: dest type: Hostname role: - Victim @@ -60,7 +60,7 @@ tags: - TargetProcessGuid - TargetProcessId - EventCode - - Computer + - dest risk_score: 49 security_domain: endpoint tests: diff --git a/detections/endpoint/windows_process_injection_remote_thread.yml b/detections/endpoint/windows_process_injection_remote_thread.yml index efa9733bc9..0281d9b417 100644 --- a/detections/endpoint/windows_process_injection_remote_thread.yml +++ b/detections/endpoint/windows_process_injection_remote_thread.yml 
@@ -18,7 +18,7 @@ search: '`sysmon` EventCode=8 TargetImage IN ("*\\Taskmgr.exe", "*\\calc.exe", " "*\\rdpclip.exe", "*\\explorer.exe", "*\\wermgr.exe", "*\\ping.exe", "*\\OneDriveSetup.exe", "*\\dxdiag.exe", "*\\mobsync.exe", "*\\msra.exe", "*\\xwizard.exe","*\\cmd.exe", "*\\powershell.exe") | stats count min(_time) as firstTime max(_time) as lastTime by TargetImage TargetProcessId SourceProcessId EventCode - StartAddress SourceImage Computer | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + StartAddress SourceImage dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_injection_remote_thread_filter`' how_to_implement: To successfully implement this search, you must be ingesting data that records process activity from your hosts like remote thread EventCode=8 of @@ -37,12 +37,12 @@ tags: confidence: 80 impact: 80 message: process $SourceImage$ create a remote thread to process $TargetImage$ on - host $Computer$ + host $dest$ mitre_attack_id: - T1055 - T1055.002 observable: - - name: Computer + - name: dest type: Hostname role: - Victim @@ -66,7 +66,7 @@ tags: - SourceProcessId - StartAddress - EventCode - - Computer + - dest - signature - TargetProcessGuid - SourceProcessGuid diff --git a/detections/endpoint/windows_process_injection_with_public_source_path.yml b/detections/endpoint/windows_process_injection_with_public_source_path.yml index 349dbb88d9..3644dffd47 100644 --- a/detections/endpoint/windows_process_injection_with_public_source_path.yml +++ b/detections/endpoint/windows_process_injection_with_public_source_path.yml 
@@ -14,7 +14,7 @@ data_source: search: '`sysmon` EventCode=8 TargetImage = "*.exe" AND NOT(SourceImage IN("C:\\Windows\\*", "C:\\Program File*", "%systemroot%\\*")) | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage signature TargetProcessGuid SourceProcessGuid - TargetProcessId SourceProcessId StartAddress EventCode Computer | `security_content_ctime(firstTime)` + TargetProcessId SourceProcessId StartAddress EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_injection_with_public_source_path_filter`' how_to_implement: To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model @@ -31,12 +31,12 @@ tags: confidence: 80 impact: 80 message: process $SourceImage$ create a remote thread to process $TargetImage$ on - host $Computer$ + host $dest$ mitre_attack_id: - T1055 - T1055.002 observable: - - name: Computer + - name: dest type: Hostname role: - Victim @@ -60,7 +60,7 @@ tags: - SourceProcessId - StartAddress - EventCode - - Computer + - dest - signature - TargetProcessGuid - SourceProcessGuid diff --git a/detections/endpoint/windows_raw_access_to_disk_volume_partition.yml b/detections/endpoint/windows_raw_access_to_disk_volume_partition.yml index 5c314b0dde..f6d6de3241 100644 --- a/detections/endpoint/windows_raw_access_to_disk_volume_partition.yml +++ b/detections/endpoint/windows_raw_access_to_disk_volume_partition.yml @@ -32,6 +32,7 @@ tags: - Hermetic Wiper - Caddy Wiper - BlackByte Ransomware + - NjRAT asset_type: Endpoint confidence: 100 impact: 90 diff --git a/detections/endpoint/windows_raw_access_to_master_boot_record_drive.yml b/detections/endpoint/windows_raw_access_to_master_boot_record_drive.yml index 6bef4c0403..0eaf79518a 100644 --- a/detections/endpoint/windows_raw_access_to_master_boot_record_drive.yml 
+++ b/detections/endpoint/windows_raw_access_to_master_boot_record_drive.yml @@ -14,7 +14,7 @@ data_source: - Sysmon Event ID 9 search: '`sysmon` EventCode=9 Device = \\Device\\Harddisk0\\DR0 NOT (Image IN("*\\Windows\\System32\\*", "*\\Windows\\SysWOW64\\*")) | stats count min(_time) as firstTime max(_time) as - lastTime by Computer Image Device ProcessGuid ProcessId EventDescription EventCode + lastTime by dest Image Device ProcessGuid ProcessId EventDescription EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_raw_access_to_master_boot_record_drive_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the raw access read event (like sysmon eventcode 9), process name and @@ -36,6 +36,7 @@ tags: - Hermetic Wiper - Caddy Wiper - BlackByte Ransomware + - NjRAT asset_type: Endpoint confidence: 100 impact: 90 @@ -44,7 +45,7 @@ tags: - T1561.002 - T1561 observable: - - name: Computer + - name: dest type: Hostname role: - Victim @@ -54,7 +55,7 @@ tags: - Splunk Cloud required_fields: - _time - - Computer + - dest - Image - Device - ProcessGuid diff --git a/detections/endpoint/windows_remote_access_software_brc4_loaded_dll.yml b/detections/endpoint/windows_remote_access_software_brc4_loaded_dll.yml index fb8ba84a69..f28d4ce760 100644 --- a/detections/endpoint/windows_remote_access_software_brc4_loaded_dll.yml +++ b/detections/endpoint/windows_remote_access_software_brc4_loaded_dll.yml 
@@ -27,7 +27,7 @@ search: '`sysmon` EventCode=7 |bin _time span=30s | eval BRC4_AnomalyLoadedDll=c "dbghelp.dll"), 1, match(ImageLoaded, "samcli.dll"), 1, match(ImageLoaded, "winhttp.dll"), 1, 1=1, 0) | stats count min(_time) as firstTime max(_time) as lastTime values(ImageLoaded) as ImageLoaded values(OriginalFileName) as OriginalFileName dc(ImageLoaded) as ImageLoadedCount - by Image BRC4_LoadedDllPath BRC4_AnomalyLoadedDll Computer EventCode Signed | where ImageLoadedCount + by Image BRC4_LoadedDllPath BRC4_AnomalyLoadedDll dest EventCode Signed | where ImageLoadedCount == 4 AND (BRC4_LoadedDllPath == 1 OR BRC4_AnomalyLoadedDll == 1) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_access_software_brc4_loaded_dll_filter`' how_to_implement: The latest Sysmon TA 3.0 https://splunkbase.splunk.com/app/5709 @@ -50,12 +50,12 @@ tags: confidence: 30 impact: 30 message: a process $Image$ loaded several modules $ImageLoaded$ that might related - to credential access on $Computer$. + to credential access on $dest$. mitre_attack_id: - T1219 - T1003 observable: - - name: Computer + - name: dest type: Endpoint role: - Victim @@ -68,7 +68,7 @@ tags: - Image - ImageLoaded - process_name - - Computer + - dest - EventCode - Signed - ProcessId diff --git a/detections/endpoint/windows_replication_through_removable_media.yml b/detections/endpoint/windows_replication_through_removable_media.yml index 2579c8a2c2..e26f7bd54f 100644 --- a/detections/endpoint/windows_replication_through_removable_media.yml +++ b/detections/endpoint/windows_replication_through_removable_media.yml @@ -1,7 +1,7 @@ name: Windows Replication Through Removable Media id: 60df805d-4605-41c8-bbba-57baa6a4eb97 version: 1 -date: '2023-01-17' +date: '2023-09-07' author: Teoderick Contreras, Splunk status: production type: TTP @@ -41,6 +41,7 @@ references: tags: analytic_story: - Chaos Ransomware + - NjRAT asset_type: Endpoint confidence: 80 impact: 80 
diff --git a/detections/endpoint/windows_spearphishing_attachment_connect_to_none_ms_office_domain.yml b/detections/endpoint/windows_spearphishing_attachment_connect_to_none_ms_office_domain.yml index 59da0c519d..0c7d7ca73b 100644 --- a/detections/endpoint/windows_spearphishing_attachment_connect_to_none_ms_office_domain.yml +++ b/detections/endpoint/windows_spearphishing_attachment_connect_to_none_ms_office_domain.yml @@ -17,7 +17,7 @@ search: '`sysmon` EventCode=22 Image IN ("*\\winword.exe","*\\excel.exe","*\\pow "*\\onenotem.exe","*\\onenoteviewer.exe","*\\onenoteim.exe", "*\\msaccess.exe") AND NOT(QueryName IN ("*.office.com", "*.office.net")) | stats count min(_time) as firstTime max(_time) as lastTime by Image QueryName QueryResults QueryStatus - Computer | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_spearphishing_attachment_connect_to_none_ms_office_domain_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your @@ -36,12 +36,12 @@ tags: confidence: 30 impact: 30 message: a office document process $Image$ connect to an URL link $QueryName$ in - $Computer$ + $dest$ mitre_attack_id: - T1566.001 - T1566 observable: - - name: Computer + - name: dest type: Endpoint role: - Victim @@ -55,7 +55,7 @@ tags: - QueryName - QueryResults - QueryStatus - - Computer + - dest risk_score: 9 security_domain: endpoint tests: diff --git a/detections/endpoint/windows_steal_authentication_certificates___esc1_auth.yml b/detections/endpoint/windows_steal_authentication_certificates___esc1_auth.yml index 9197b58229..1252e1fa58 100644 --- a/detections/endpoint/windows_steal_authentication_certificates___esc1_auth.yml +++ b/detections/endpoint/windows_steal_authentication_certificates___esc1_auth.yml 
@@ -57,11 +57,11 @@ tags: role: - Victim - name: src_user - type: User Name + type: User role: - Victim - name: user - type: User Name + type: User role: - Victim - name: ssl_hash diff --git a/detections/endpoint/windows_suspect_process_with_authentication_traffic.yml b/detections/endpoint/windows_suspect_process_with_authentication_traffic.yml index 8fb98fd699..c63a41940f 100644 --- a/detections/endpoint/windows_suspect_process_with_authentication_traffic.yml +++ b/detections/endpoint/windows_suspect_process_with_authentication_traffic.yml @@ -55,7 +55,7 @@ tags: role: - Victim - name: user - type: User Name + type: User role: - Victim - name: process_name diff --git a/detections/endpoint/windows_system_logoff_commandline.yml b/detections/endpoint/windows_system_logoff_commandline.yml index ddd86b2edc..635736856a 100644 --- a/detections/endpoint/windows_system_logoff_commandline.yml +++ b/detections/endpoint/windows_system_logoff_commandline.yml @@ -16,7 +16,7 @@ data_source: search: '| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = shutdown.exe OR Processes.original_file_name = shutdown.exe) - Processes.process="*shutdown*" Processes.process="* /l*" Processes.process="* /t*" + Processes.process="*shutdown*" Processes.process IN ("* /l*", "* -l*") Processes.process IN ("* /t*","* -t*","* /f*","* -f*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` @@ -38,6 +38,7 @@ references: tags: analytic_story: - DarkCrystal RAT + - NjRAT asset_type: Endpoint confidence: 80 impact: 70 
diff --git a/detections/endpoint/windows_system_reboot_commandline.yml b/detections/endpoint/windows_system_reboot_commandline.yml index ab2bd4d0e8..9a9f7317ef 100644 --- a/detections/endpoint/windows_system_reboot_commandline.yml +++ b/detections/endpoint/windows_system_reboot_commandline.yml @@ -17,7 +17,7 @@ data_source: search: '| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = shutdown.exe OR Processes.original_file_name = shutdown.exe) - Processes.process="*shutdown*" Processes.process="* /r*" Processes.process="* /t*" + Processes.process="*shutdown*" Processes.process IN ("* /r*", "* -r*") Processes.process IN ("* /t*","* -t*","* /f*","* -f*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` @@ -39,6 +39,7 @@ references: tags: analytic_story: - DarkCrystal RAT + - NjRAT asset_type: Endpoint confidence: 50 impact: 60 diff --git a/detections/endpoint/windows_system_shutdown_commandline.yml b/detections/endpoint/windows_system_shutdown_commandline.yml index 8d0dd1d901..c4a32e0b4a 100644 --- a/detections/endpoint/windows_system_shutdown_commandline.yml +++ b/detections/endpoint/windows_system_shutdown_commandline.yml 
@@ -23,11 +23,11 @@ data_source: search: '| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = shutdown.exe OR Processes.original_file_name = shutdown.exe) - Processes.process="*shutdown*" AND Processes.process IN("* /s*", "* -s*", "* /r*", - "* -r*") AND Processes.process="* /t*" by Processes.dest Processes.user Processes.parent_process - Processes.process_name Processes.original_file_name Processes.process Processes.process_id - Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `windows_system_shutdown_commandline_filter`' + Processes.process="*shutdown*" AND Processes.process IN("* /s*", "* -s*") AND Processes.process IN ("* /t*","* -t*","* /f*","* -f*") + by Processes.dest Processes.user Processes.parent_process Processes.process_name + Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_system_shutdown_commandline_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -46,6 +46,7 @@ tags: analytic_story: - DarkCrystal RAT - Sandworm Tools + - NjRAT asset_type: Endpoint confidence: 70 impact: 70 diff --git a/detections/endpoint/windows_terminating_lsass_process.yml b/detections/endpoint/windows_terminating_lsass_process.yml index e99c7b73d0..a9b9ff3555 100644 --- a/detections/endpoint/windows_terminating_lsass_process.yml +++ b/detections/endpoint/windows_terminating_lsass_process.yml 
@@ -19,7 +19,7 @@ data_source: - Sysmon Event ID 1 search: '`sysmon` EventCode=10 TargetImage=*lsass.exe GrantedAccess = 0x1 | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage, TargetImage, - TargetProcessId, SourceProcessId, GrantedAccess CallTrace, Computer | rename Computer + TargetProcessId, SourceProcessId, GrantedAccess CallTrace, dest | rename dest as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_terminating_lsass_process_filter`' how_to_implement: This search requires Sysmon Logs and a Sysmon configuration, which @@ -60,7 +60,7 @@ tags: - EventCode - TargetImage - CallTrace - - Computer + - dest - TargetProcessId - SourceImage - SourceProcessId diff --git a/detections/endpoint/windows_time_based_evasion.yml b/detections/endpoint/windows_time_based_evasion.yml new file mode 100644 index 0000000000..a9dc9ec64a --- /dev/null +++ b/detections/endpoint/windows_time_based_evasion.yml 
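Review bot: The new `by` line ends in `CallTrace, dest | rename dest` and the unchanged context line that follows still reads `as dest | ...`, so the search now contains a no-op `| rename dest as dest` left over from the mechanical Computer-to-dest replacement. Drop the rename so the pipeline goes straight from `TargetProcessId, SourceProcessId, GrantedAccess CallTrace, dest` into the two `security_content_ctime` macros; because the `as dest` half sits on a context line, both lines need editing. While the line is being touched, `GrantedAccess CallTrace` is the only pair in that comma-separated list without a comma, which is pre-existing but worth making consistent.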
@@ -0,0 +1,69 @@
+name: Windows Time Based Evasion
+id: 34502357-deb1-499a-8261-ffe144abf561
+version: 1
+date: '2023-09-08'
+author: Teoderick Contreras, Splunk
+status: production
+type: TTP
+data_source:
+- Sysmon Event ID 1
+description: This analytic is designed to detect potentially malicious processes that initiate a ping delay using an invalid IP address.
+ This evasion technique was observed in NJRAT, where the malware employed ping commands as a means to introduce a time delay before self-deletion on the compromised host.
+ Identifying this (TTP) behavior can serve as a valuable indicator for detecting NJRAT infections or other malware that employ time delays as
+ evasion tactics.
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
+ where Processes.process_name = "ping.exe" Processes.parent_process = "* ping 0 -n *" OR Processes.process = "* ping 0 -n *"
+ by Processes.parent_process Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest
+ | `drop_dm_object_name("Processes")`
+ | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`
+ | `windows_time_based_evasion_filter`'
+how_to_implement: The detection is based on data that originates from Endpoint Detection
+ and Response (EDR) agents. These agents are designed to provide security-related
+ telemetry from the endpoints where the agent is installed. To implement this search,
+ you must ingest logs that contain the process GUID, process name, and parent process.
+ Additionally, you must ingest complete command-line executions. These logs must
+ be processed using the appropriate Splunk Technology Add-ons that are specific to
+ the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
+ data model. Use the Splunk Common Information Model (CIM) to normalize the field
+ names and speed up the data modeling process.
+known_false_positives: unknown
+references:
+- https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat
+tags:
+ analytic_story:
+ - NjRAT
+ asset_type: Endpoint
+ confidence: 60
+ impact: 60
+ message: A $process_name$ did a suspicious ping to invalid IP address on $dest$
+ mitre_attack_id:
+ - T1497
+ - T1497.003
+ observable:
+ - name: dest
+ type: Endpoint
+ role:
+ - Victim
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ risk_score: 36
+ required_fields:
+ - _time
+ - Processes.dest
+ - Processes.user
+ - Processes.parent_process_name
+ - Processes.parent_process
+ - Processes.process_name
+ - Processes.process
+ - Processes.process_id
+ - Processes.parent_process_id
+ security_domain: endpoint
+tests:
+- name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1497.003/njrat_ping_delay_before_delete/ping_0.log
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ sourcetype: xmlwineventlog
diff --git a/detections/endpoint/windows_unsigned_dll_side_loading.yml b/detections/endpoint/windows_unsigned_dll_side_loading.yml
index 25159dabc3..765f9f4d60 100644
--- a/detections/endpoint/windows_unsigned_dll_side_loading.yml
+++ b/detections/endpoint/windows_unsigned_dll_side_loading.yml
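Review bot: The `where` clause of the new search, `Processes.process_name = "ping.exe" Processes.parent_process = "* ping 0 -n *" OR Processes.process = "* ping 0 -n *"`, leans on Splunk's rule that OR is evaluated before the implicit AND; that is the reverse of most languages, and a reader or a later edit that inserts an explicit `AND` can easily turn it into `(process_name AND parent_process) OR process`, which would fire on any process whose command line matches. Make the grouping explicit: `where Processes.process_name = "ping.exe" AND (Processes.parent_process = "* ping 0 -n *" OR Processes.process = "* ping 0 -n *")`. The `required_fields` list names `Processes.parent_process_name` and `Processes.parent_process_id`, which the `by` clause never uses, while `Processes.process_guid`, which it does use, is missing from the list. As a point of style, `drop_dm_object_name("Processes")` quotes its argument whereas the sibling detections in this diff write `drop_dm_object_name(Processes)`; one form throughout would be tidier.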
@@ -7,7 +7,7 @@ status: production type: Anomaly data_source: - Sysmon Event ID 7 -description: This analysis focuses on detecting potentially malicious unsigned DLLs created in either the c:\windows\system32 or c:\windows\syswow64 folders. +description: This analytic focuses on detecting potentially malicious unsigned DLLs created in either the c:\windows\system32 or c:\windows\syswow64 folders. This particular technique was observed in the context of the Warzone (Ave Maria) RAT, where it employed a method known as DLL hijacking (dll-side-loading) by dropping the "dismcore.dll" to achieve privilege escalation. DLL hijacking is a stealthy attack technique used by cybercriminals to exploit the way Windows searches and loads DLLs. By placing a malicious DLL with the @@ -17,7 +17,7 @@ description: This analysis focuses on detecting potentially malicious unsigned D Detecting such suspicious DLLs is crucial in preventing privilege escalation attacks and other potential security breaches. Regular security assessments, thorough monitoring, and implementing security best practices are essential in safeguarding systems from such threats. search: '`sysmon` EventCode=7 Signed=false OriginalFileName = "-" SignatureStatus="unavailable" ImageLoaded IN ("*:\\windows\\system32\\*", "*:\\windows\\syswow64\\*") - | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded Signed SignatureStatus OriginalFileName process_name Computer EventCode ProcessId Hashes IMPHASH | rename Computer as dest + | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded Signed SignatureStatus OriginalFileName process_name dest EventCode ProcessId Hashes IMPHASH | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_unsigned_dll_side_loading_filter`' @@ -30,6 +30,7 @@ references: tags: analytic_story: - Warzone RAT + - NjRAT asset_type: Endpoint confidence: 70 impact: 70 
@@ -54,7 +55,7 @@ tags: - SignatureStatus - OriginalFileName - process_name - - Computer + - dest - EventCode - ProcessId - Hashes diff --git a/detections/endpoint/windows_user_execution_malicious_url_shortcut_file.yml b/detections/endpoint/windows_user_execution_malicious_url_shortcut_file.yml index 9f5626715e..8ed17315dd 100644 --- a/detections/endpoint/windows_user_execution_malicious_url_shortcut_file.yml +++ b/detections/endpoint/windows_user_execution_malicious_url_shortcut_file.yml @@ -31,6 +31,7 @@ references: tags: analytic_story: - Chaos Ransomware + - NjRAT asset_type: Endpoint confidence: 80 impact: 80 diff --git a/detections/endpoint/windows_vulnerable_3cx_software.yml b/detections/endpoint/windows_vulnerable_3cx_software.yml index 5afcd45676..663118cbcd 100644 --- a/detections/endpoint/windows_vulnerable_3cx_software.yml +++ b/detections/endpoint/windows_vulnerable_3cx_software.yml @@ -8,9 +8,7 @@ status: production data_source: - Sysmon Event Code 1 description: The following analytic leverages Sysmon, a powerful system monitoring and logging tool, to pinpoint instances of the 3CXDesktopApp.exe with a FileVersion of 18.12.x.Recently, 3CX has discovered a vulnerability specifically in versions 18.12.407 and 18.12.416 of the desktop app. -search: '`sysmon` (process_name=3CXDesktopApp.exe OR OriginalFileName=3CXDesktopApp.exe) FileVersion=18.12.* - | rename Computer as dest - | stats count min(_time) as firstTime max(_time) as lastTime by dest, parent_process_name,process_name, OriginalFileName, CommandLine +search: '`sysmon` (process_name=3CXDesktopApp.exe OR OriginalFileName=3CXDesktopApp.exe) FileVersion=18.12.* | stats count min(_time) as firstTime max(_time) as lastTime by dest, parent_process_name,process_name, OriginalFileName, CommandLine | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_vulnerable_3cx_software_filter`' how_to_implement: To successfully implement this search, you need to be ingesting 
@@ -54,7 +52,7 @@ tags: - process_name - EventID - CommandLine - - Computer + - dest - parent_process_name risk_score: 90 security_domain: endpoint @@ -63,4 +61,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1195.002/3CX/3cx_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog \ No newline at end of file + sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_wmi_impersonate_token.yml b/detections/endpoint/windows_wmi_impersonate_token.yml index 39a79b61e5..04e952eebb 100644 --- a/detections/endpoint/windows_wmi_impersonate_token.yml +++ b/detections/endpoint/windows_wmi_impersonate_token.yml @@ -15,7 +15,7 @@ data_source: search: '`sysmon` EventCode=10 SourceImage = "*\\wmiprvse.exe" GrantedAccess IN ("0x1478", "0x1fffff") | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage SourceProcessGUID TargetProcessGUID SourceProcessId TargetProcessId - GrantedAccess CallTrace Computer | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + GrantedAccess CallTrace dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_wmi_impersonate_token_filter`' how_to_implement: This search requires Sysmon Logs and a Sysmon configuration, which includes EventCode 10. This search uses an input macro named `sysmon`. We strongly @@ -39,7 +39,7 @@ tags: mitre_attack_id: - T1047 observable: - - name: Computer + - name: dest type: Hostname role: - Victim @@ -57,7 +57,7 @@ tags: - TargetProcessId - GrantedAccess - CallTrace - - Computer + - dest risk_score: 25 security_domain: endpoint tests: diff --git a/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml b/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml index 9932f627e1..0268612199 100644 --- a/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml 
+++ b/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml @@ -41,6 +41,7 @@ tags: - Unusual Processes - Data Destruction - WhisperGate + - NjRAT asset_type: Endpoint confidence: 70 impact: 70 diff --git a/detections/endpoint/xmrig_driver_loaded.yml b/detections/endpoint/xmrig_driver_loaded.yml index 197b348a0b..69ef6095eb 100644 --- a/detections/endpoint/xmrig_driver_loaded.yml +++ b/detections/endpoint/xmrig_driver_loaded.yml @@ -11,7 +11,7 @@ description: This analytic identifies XMRIG coinminer driver installation on the data_source: - Sysmon Event ID 6 search: '`sysmon` EventCode=6 Signature="Noriyuki MIYAZAKI" OR ImageLoaded= "*\\WinRing0x64.sys" - | stats min(_time) as firstTime max(_time) as lastTime count by Computer ImageLoaded + | stats min(_time) as firstTime max(_time) as lastTime count by dest ImageLoaded Hashes IMPHASH Signature Signed | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `xmrig_driver_loaded_filter`' how_to_implement: To successfully implement this search, you need to be ingesting @@ -27,12 +27,12 @@ tags: asset_type: Endpoint confidence: 100 impact: 80 - message: A driver $ImageLoaded$ related to xmrig crytominer loaded in host $Computer$ + message: A driver $ImageLoaded$ related to xmrig crytominer loaded in host $dest$ mitre_attack_id: - T1543.003 - T1543 observable: - - name: Computer + - name: dest type: Hostname role: - Victim @@ -42,7 +42,7 @@ tags: - Splunk Cloud required_fields: - _time - - Computer + - dest - ImageLoaded - Hashes - IMPHASH diff --git a/detections/network/detect_arp_poisoning.yml b/detections/network/detect_arp_poisoning.yml index 1e6f23b772..6db2bfa487 100644 --- a/detections/network/detect_arp_poisoning.yml +++ b/detections/network/detect_arp_poisoning.yml @@ -1,5 +1,5 @@ name: Detect ARP Poisoning -id: b44bebd6-bd39-467b-9321-73971bcd7aac +id: b44bebd6-bd39-467b-9321-73971bcd1aac version: 1 date: '2020-08-11' author: Mikael Bjerkeland, Splunk 
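Review bot: The rewritten message line keeps the typo `crytominer`; suggest `message: A driver $ImageLoaded$ related to xmrig cryptominer loaded in host $dest$`. The `$dest$` token now matches the field produced by the stats by-clause, so search, message, observable and required_fields agree on the name.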
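Review bot: The detection `id` changes from `b44bebd6-bd39-467b-9321-73971bcd7aac` to `b44bebd6-bd39-467b-9321-73971bcd1aac` while `version: 1` and the `date` are left as they were, and nothing in the hunk says why. The id is the stable key that downstream artefacts (notable-event correlation, suppression or allowlist entries, any tracking keyed on the detection) rely on, so consumers will see the old detection disappear and a new one appear. If this resolves a duplicate id shared with another detection, say so in the commit description and consider bumping `version` per the repository's convention.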
diff --git a/detections/network/tor_traffic.yml b/detections/network/tor_traffic.yml
index 8445c8aa63..ee6a4c7b82 100644
--- a/detections/network/tor_traffic.yml
+++ b/detections/network/tor_traffic.yml
@@ -1,26 +1,22 @@ name: TOR Traffic id: ea688274-9c06-4473-b951-e4cb7a5d7a45 -version: 2 -date: '2020-07-22' -author: David Dorsey, Splunk -status: experimental +version: 3 +date: '2023-09-20' +author: David Dorsey, Bhavin Patel, Splunk +status: production type: TTP -description: This search looks for network traffic identified as The Onion Router - (TOR), a benign anonymity network which can be abused for a variety of nefarious - purposes. +description: The following analytic looks for allowed network traffic to The Onion Router(TOR), a benign anonymity network which can be abused for a variety of nefarious purposes. Detecting Tor traffic is paramount for upholding network security and mitigating potential threats. Tor's capacity to provide users with anonymity has been exploited by cybercriminals for activities like hacking, data breaches, and illicit content dissemination. Additionally, organizations must monitor Tor usage within their networks to ensure compliance with policies and regulations, as it can bypass conventional monitoring and filtering measures. Lastly, the ability to identify Tor traffic empowers security teams to promptly investigate and address potential security incidents, fortifying the protection of sensitive data and preserving the integrity of the network environment. data_source: [] search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.app=tor AND All_Traffic.action=allowed by All_Traffic.src_ip All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.action | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name("All_Traffic")` | `tor_traffic_filter`' -how_to_implement: In order to properly run this search, Splunk needs to ingest data - from firewalls or other network control devices that mediate the traffic allowed - into an environment. 
This is necessary so that the search can identify an 'action' - taken on the traffic of interest. The search requires the Network_Traffic data model - be populated. +how_to_implement: In order to properly run this search, Splunk needs to ingest data from Next Generation Firewalls like Palo Alto Networks Firewalls or other network control devices that mediate the traffic allowed into an environment. This is necessary so that the search can identify an 'action' taken on the traffic of interest. The search requires the Network_Traffic data model to be populated. known_false_positives: None at this time -references: [] +references: + - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRtCAK + - https://unit42.paloaltonetworks.com/tor-traffic-enterprise-networks/#:~:text=For%20enterprises%20concerned%20about%20the,the%20most%20important%20security%20risks. tags: analytic_story: - Prohibited Traffic Allowed or Protocol Mismatch @@ -28,15 +24,15 @@ tags: - NOBELIUM Group - Command And Control asset_type: Endpoint - confidence: 50 - impact: 50 - message: tbd + confidence: 80 + impact: 100 + message: Suspicious network traffic allowed using TOR has been detected from $src_ip$ to $dest_ip$ mitre_attack_id: - - T1071 - - T1071.001 + - T1090 + - T1090.003 observable: - - name: dest - type: Hostname + - name: src_ip + type: IP Address role: - Victim product: @@ -50,5 +46,11 @@ tags: - All_Traffic.src_ip - All_Traffic.dest_ip - All_Traffic.dest_port - risk_score: 25 + risk_score: 80 security_domain: network +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1090.003/pan_tor_allowed/pan_tor_allowed.log + source: pan_tor_allowed + sourcetype: pan:traffic 
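Review bot: `known_false_positives: None at this time` is left unchanged while the same change raises `impact: 100` and `risk_score: 80` for any allowed flow the firewall classifies as `All_Traffic.app=tor`; Tor Browser or privacy tooling used by staff or researchers will now produce high-risk findings, so the field should say so and name the tuning point, e.g. `known_false_positives: Legitimate use of Tor by staff or researchers will trigger this detection; exclude known sources via the tor_traffic_filter macro.` The detection also depends on the firewall's application identification labelling the traffic as `tor`, which the new how_to_implement text implies but does not state outright. `asset_type: Endpoint` is unchanged context but reads oddly for a network-layer detection whose observable is `src_ip`.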
diff --git a/detections/web/juniper_networks_remote_code_execution_exploit_detection.yml b/detections/web/juniper_networks_remote_code_execution_exploit_detection.yml
index 36fded196d..b2d23e1275 100644
--- a/detections/web/juniper_networks_remote_code_execution_exploit_detection.yml
+++ b/detections/web/juniper_networks_remote_code_execution_exploit_detection.yml
@@ -21,6 +21,7 @@ references:
 - https://thehackernews.com/2023/08/new-juniper-junos-os-flaws-expose.html
 - https://github.com/watchtowrlabs/juniper-rce_cve-2023-36844
 - https://labs.watchtowr.com/cve-2023-36844-and-friends-rce-in-juniper-firewalls/
+- https://vulncheck.com/blog/juniper-cve-2023-36845
 tags:
 analytic_story:
 - Juniper JunOS Remote Code Execution
diff --git a/dist/ssa/srs/ssa___anomalous_usage_of_archive_tools.yml b/dist/ssa/srs/ssa___anomalous_usage_of_archive_tools.yml
index 8c021c3a22..37652341a6 100644
--- a/dist/ssa/srs/ssa___anomalous_usage_of_archive_tools.yml
+++ b/dist/ssa/srs/ssa___anomalous_usage_of_archive_tools.yml
@@ -4,53 +4,45 @@ version: 1 status: production description: The following detection identifies the usage of archive tools from the command line. -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where (process_file_name="WinRAR.exe" OR like(process_file_name, "7z%") - OR like(process_file_name, "winzip%")) AND (like(actor_process_file_name, "%powershell.exe") - OR like(actor_process_file_name, "%cmd.exe")) - | eval body=create_map( - "devices", [ - create_map( - "hostname", device_hostname, "type_id", 0, "uuid", ucast(map_get(device,"uuid"), "string", null) - ) - ], - "time", timestamp, - "evidence", 
create_map("process.pid", process_pid, "process.file.path", process_file_path, "process.file.name", process_file_name, "process.cmd_line", process_cmd_line, "actor.user.name", actor_user_name, "actor.process.pid", actor_process_pid, "actor.process.file.path", actor_process_file_path, "actor.process.file.name", actor_process_file_name, "device.hostname", device_hostname), - "message", concat("Anomalous usage of Archive Tools has been triggered on ", device_hostname, " by ", actor_user_name, "."), - "users", [ - create_map( - "name", actor_user_name, "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - "risk_level_id", 2, - "risk_score", 42, - "severity_id", 0, - "rule", create_map("name", "Anomalous usage of Archive Tools", "uid", "63614a58-10e2-4c6c-ae81-ea1113681439", "type", "Streaming"), - "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where (process_file_name="WinRAR.exe" + OR process_file_name LIKE "7z%" OR process_file_name LIKE "winzip%") AND 
(actor_process_file_name + LIKE "%powershell.exe" OR actor_process_file_name LIKE "%cmd.exe") + | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname}, + message = "Anomalous usage of Archive Tools has been triggered on " + device_hostname + " by " + actor_user_name + ".", + users = [{"name": actor_user_name, "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = ["Cobalt Strike", "NOBELIUM Group", "Insider Threat"], + class_name = "Detection Report", + confidence = 60, + confidence_id = 2, + duration = 0, + impact = 70, + impact_id = 4, + kill_chain = [{"phase": "Exploitation", "phase_id": 4}], + nist = ["DE.AE"], + risk_level = "Medium", + category_uid = 2, + class_uid = 102001, + risk_level_id = 2, + risk_score = 42, + severity_id = 0, + rule = {"name": "Anomalous usage of Archive Tools", "uid": "63614a58-10e2-4c6c-ae81-ea1113681439", "type": "Streaming"}, + metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time + | into sink; ' how_to_implement: To successfully implement this search you need 
to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. @@ -115,4 +107,5 @@ test: - file_name: windows-security.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1560.001/archive_tools/windows-security.log source: WinEventLog:Security -runtime: SPL-DSP +runtime: SPL2 +internalVersion: 2 diff --git a/dist/ssa/srs/ssa___attempt_to_delete_services.yml b/dist/ssa/srs/ssa___attempt_to_delete_services.yml index ba2212367d..388a646ceb 100644 --- a/dist/ssa/srs/ssa___attempt_to_delete_services.yml +++ b/dist/ssa/srs/ssa___attempt_to_delete_services.yml 
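Review bot: The new `| fields metadata, rule, ..., nist, observables, risk_level, ...` line selects `observables`, but the preceding `| eval` never assigns it (every other name in that list is set: devices, time, evidence, message, users, activity_id, cis_csc, analytic_stories, class_name, confidence, confidence_id, duration, impact, impact_id, kill_chain, nist, risk_level, category_uid, class_uid, risk_level_id, risk_score, severity_id, rule, metadata, type_uid, start_time, end_time). Depending on how the SPL2 runtime treats an unknown field this is either a pipeline error or a finding with no observables; either drop `observables` from the `fields` list or add an `observables = [...]` entry to the eval built from the detection's observable tags, the way `kill_chain` is emitted. The identical `fields` line appears in ssa___attempt_to_delete_services.yml and ssa___attempt_to_disable_services.yml below, and these files sit under dist/ and look generated, so the fix presumably belongs in the template that emits that line rather than in each file.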
@@ -7,52 +7,44 @@ description: The following analytic identifies Windows Service Control, `sc.exe` instances of service enumeration of attempts to stop a service and then delete it. Adversaries utilize this technique to terminate security services or other related services to continue there objective and evade detections. -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where process_file_name="sc.exe" AND like(process_cmd_line, "%delete%") - - | eval body=create_map( - "devices", [ - create_map( - "hostname", device_hostname, "type_id", 0, "uuid", ucast(map_get(device,"uuid"), "string", null) - ) - ], - 
"time", timestamp, - "evidence", create_map("process.pid", process_pid, "process.file.path", process_file_path, "process.file.name", process_file_name, "process.cmd_line", process_cmd_line, "actor.user.name", actor_user_name, "actor.process.pid", actor_process_pid, "actor.process.file.path", actor_process_file_path, "actor.process.file.name", actor_process_file_name, "device.hostname", device_hostname), - "message", concat("Attempt To Delete Services has been triggered on ", device_hostname, " by ", actor_user_name, "."), - "users", [ - create_map( - "name", actor_user_name, "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - "risk_level_id", 1, - "risk_score", 36, - "severity_id", 0, - "rule", create_map("name", "Attempt To Delete Services", "uid", "a0c8c292-d01a-11eb-aa18-acde48001122", "type", "Streaming"), - "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where process_file_name="sc.exe" AND + process_cmd_line LIKE "%delete%" + | eval devices = 
[{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname}, + message = "Attempt To Delete Services has been triggered on " + device_hostname + " by " + actor_user_name + ".", + users = [{"name": actor_user_name, "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = ["XMRig", "Ransomware"], + class_name = "Detection Report", + confidence = 60, + confidence_id = 2, + duration = 0, + impact = 60, + impact_id = 4, + kill_chain = [{"phase": "Actions on Objectives", "phase_id": 7}, {"phase": "Installation", "phase_id": 5}, {"phase": "Exploitation", "phase_id": 4}], + nist = ["DE.AE"], + risk_level = "Low", + category_uid = 2, + class_uid = 102001, + risk_level_id = 1, + risk_score = 36, + severity_id = 0, + rule = {"name": "Attempt To Delete Services", "uid": "a0c8c292-d01a-11eb-aa18-acde48001122", "type": "Streaming"}, + metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time + | into sink; ' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and 
command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the @@ -121,4 +113,5 @@ test: - file_name: sc_del.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/ssa_data1/sc_del.log source: WinEventLog:Security -runtime: SPL-DSP +runtime: SPL2 +internalVersion: 2 diff --git a/dist/ssa/srs/ssa___attempt_to_disable_services.yml b/dist/ssa/srs/ssa___attempt_to_disable_services.yml index 62e46e434c..12fd772d34 100644 --- a/dist/ssa/srs/ssa___attempt_to_disable_services.yml +++ b/dist/ssa/srs/ssa___attempt_to_disable_services.yml 
@@ -7,52 +7,44 @@ description: The following analytic identifies Windows Service Control, `sc.exe` instances of service enumeration of attempts to stop a service and then disable it. Adversaries utilize this technique to terminate security services or other related services to continue there objective and evade detections. -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where like(process_cmd_line, "%config%") AND like(process_cmd_line, "%disabled%") - AND process_file_name="sc.exe" - | eval body=create_map( - "devices", [ - create_map( - "hostname", device_hostname, "type_id", 0, "uuid", 
ucast(map_get(device,"uuid"), "string", null) - ) - ], - "time", timestamp, - "evidence", create_map("process.pid", process_pid, "process.file.path", process_file_path, "process.file.name", process_file_name, "process.cmd_line", process_cmd_line, "actor.user.name", actor_user_name, "actor.process.pid", actor_process_pid, "actor.process.file.path", actor_process_file_path, "actor.process.file.name", actor_process_file_name, "device.hostname", device_hostname), - "message", concat("Attempt To Disable Services has been triggered on ", device_hostname, " by ", actor_user_name, "."), - "users", [ - create_map( - "name", actor_user_name, "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - "risk_level_id", 1, - "risk_score", 36, - "severity_id", 0, - "rule", create_map("name", "Attempt To Disable Services", "uid", "afb31de4-d023-11eb-98d5-acde48001122", "type", "Streaming"), - "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where process_cmd_line LIKE 
"%config%" + AND process_cmd_line LIKE "%disabled%" AND process_file_name="sc.exe" + | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname}, + message = "Attempt To Disable Services has been triggered on " + device_hostname + " by " + actor_user_name + ".", + users = [{"name": actor_user_name, "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = ["XMRig", "Ransomware"], + class_name = "Detection Report", + confidence = 60, + confidence_id = 2, + duration = 0, + impact = 60, + impact_id = 4, + kill_chain = [{"phase": "Actions on Objectives", "phase_id": 7}], + nist = ["DE.AE"], + risk_level = "Low", + category_uid = 2, + class_uid = 102001, + risk_level_id = 1, + risk_score = 36, + severity_id = 0, + rule = {"name": "Attempt To Disable Services", "uid": "afb31de4-d023-11eb-98d5-acde48001122", "type": "Streaming"}, + metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time + | into sink; ' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, 
parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the @@ -118,4 +110,5 @@ test: - file_name: sc_disable.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/ssa_data1/sc_disable.log source: WinEventLog:Security -runtime: SPL-DSP +runtime: SPL2 +internalVersion: 2 diff --git a/dist/ssa/srs/ssa___attempted_credential_dump_from_registry_via_reg_exe.yml b/dist/ssa/srs/ssa___attempted_credential_dump_from_registry_via_reg_exe.yml index 8fa7d09ef1..1e73d2265e 100644 --- a/dist/ssa/srs/ssa___attempted_credential_dump_from_registry_via_reg_exe.yml +++ b/dist/ssa/srs/ssa___attempted_credential_dump_from_registry_via_reg_exe.yml 
@@ -5,56 +5,48 @@ status: production description: The following analytic identifies the use of `reg.exe` attempting to export Windows registry keys that contain hashed credentials. Adversaries will utilize this technique to capture and perform offline password cracking. -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where (process_file_name="reg.exe" OR process_file_name="cmd.exe") AND (match_regex(process_cmd_line, - /(?i)HKEY_LOCAL_MACHINE\\System/)=true OR match_regex(process_cmd_line, /(?i)HKEY_LOCAL_MACHINE\\SAM/)=true - OR match_regex(process_cmd_line, /(?i)HKEY_LOCAL_MACHINE\\Security/)=true OR 
match_regex(process_cmd_line, - /(?i)HKLM\\System/)=true OR match_regex(process_cmd_line, /(?i)HKLM\\SAM/)=true - OR match_regex(process_cmd_line, /(?i)HKLM\\Security/)=true) AND match_regex(process_cmd_line, - /(?i)save/)=true - | eval body=create_map( - "devices", [ - create_map( - "hostname", device_hostname, "type_id", 0, "uuid", ucast(map_get(device,"uuid"), "string", null) - ) - ], - "time", timestamp, - "evidence", create_map("process.pid", process_pid, "process.file.path", process_file_path, "process.file.name", process_file_name, "process.cmd_line", process_cmd_line, "actor.user.name", actor_user_name, "actor.process.pid", actor_process_pid, "actor.process.file.path", actor_process_file_path, "actor.process.file.name", actor_process_file_name, "device.hostname", device_hostname), - "message", concat("Attempted Credential Dump From Registry via Reg exe has been triggered on ", device_hostname, " by ", actor_user_name, "."), - "users", [ - create_map( - "name", actor_user_name, "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - "risk_level_id", 3, - "risk_score", 63, - "severity_id", 0, - "rule", create_map("name", "Attempted Credential Dump From Registry via Reg exe", "uid", "14038953-e5f2-4daf-acff-5452062baf03", "type", "Streaming"), - "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user 
= actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where (process_file_name="reg.exe" OR + process_file_name="cmd.exe") AND (match(process_cmd_line, /(?i)HKEY_LOCAL_MACHINE\\System/)=true + OR match(process_cmd_line, /(?i)HKEY_LOCAL_MACHINE\\SAM/)=true OR match(process_cmd_line, + /(?i)HKEY_LOCAL_MACHINE\\Security/)=true OR match(process_cmd_line, /(?i)HKLM\\System/)=true + OR match(process_cmd_line, /(?i)HKLM\\SAM/)=true OR match(process_cmd_line, /(?i)HKLM\\Security/)=true) + AND match(process_cmd_line, /(?i)save/)=true + | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname}, + message = "Attempted Credential Dump From Registry via Reg exe has been triggered on " + device_hostname + " by " + actor_user_name + ".", + users = [{"name": actor_user_name, "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = ["Credential Dumping"], + class_name = "Detection Report", + confidence = 90, + confidence_id = 3, + duration = 0, + impact = 70, + impact_id = 4, + kill_chain = [{"phase": "Exploitation", "phase_id": 4}], + nist = ["DE.AE"], + risk_level = "High", + category_uid = 2, + class_uid = 102001, + risk_level_id = 3, + risk_score = 63, + severity_id = 0, + rule = {"name": "Attempted Credential Dump 
From Registry via Reg exe", "uid": "14038953-e5f2-4daf-acff-5452062baf03", "type": "Streaming"}, + metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time + | into sink; ' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the @@ -118,4 +110,5 @@ test: - file_name: windows-security.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/atomic_red_team/windows-security.log source: WinEventLog:Security -runtime: SPL-DSP +runtime: SPL2 +internalVersion: 2 diff --git a/dist/ssa/srs/ssa___bcdedit_failure_recovery_modification.yml b/dist/ssa/srs/ssa___bcdedit_failure_recovery_modification.yml index 2c93c6ed91..3c7cb5ecbb 100644 --- a/dist/ssa/srs/ssa___bcdedit_failure_recovery_modification.yml +++ b/dist/ssa/srs/ssa___bcdedit_failure_recovery_modification.yml 
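Review bot: The trailing `| fields ...` list in the new search names `observables`, but none of the `eval` clauses in the rewritten pipeline assigns that field, so the emitted finding either carries an absent/null `observables` value or, depending on how the SPL2 runtime treats unknown names in `fields`, fails at compile time; the same pattern repeats in the bcdedit, cipher, net-user and cacls hunks that follow. These `dist/ssa/srs/` files appear to be generated, so the fix belongs in the generator that renders the `fields` list rather than in these files: either omit `observables` when the detection defines none, or emit `observables = []` next to the other constant fields so every name in `fields` is defined. If the runtime silently drops unknown field names this is harmless, but that should be confirmed against the runtime rather than assumed.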
@@ -5,52 +5,45 @@ status: production description: This search looks for flags passed to bcdedit.exe modifications to the built-in Windows error recovery boot configurations. This is typically used by ransomware to prevent recovery. -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where process_file_name="bcdedit.exe" AND (like(process_cmd_line, "%no%") - AND like(process_cmd_line, "%recoveryenabled%")) - | eval body=create_map( - "devices", [ - create_map( - "hostname", device_hostname, "type_id", 0, "uuid", ucast(map_get(device,"uuid"), "string", null) - ) - ], - "time", timestamp, - "evidence", 
create_map("process.pid", process_pid, "process.file.path", process_file_path, "process.file.name", process_file_name, "process.cmd_line", process_cmd_line, "actor.user.name", actor_user_name, "actor.process.pid", actor_process_pid, "actor.process.file.path", actor_process_file_path, "actor.process.file.name", actor_process_file_name, "device.hostname", device_hostname), - "message", concat("BCDEdit Failure Recovery Modification has been triggered on ", device_hostname, " by ", actor_user_name, "."), - "users", [ - create_map( - "name", actor_user_name, "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - "risk_level_id", 4, - "risk_score", 80, - "severity_id", 0, - "rule", create_map("name", "BCDEdit Failure Recovery Modification", "uid", "76d79d6e-25bb-40f6-b3b2-e0a6b7e5ea13", "type", "Streaming"), - "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where process_file_name="bcdedit.exe" + AND (process_cmd_line LIKE "%no%" AND process_cmd_line LIKE 
"%recoveryenabled%") + + | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname}, + message = "BCDEdit Failure Recovery Modification has been triggered on " + device_hostname + " by " + actor_user_name + ".", + users = [{"name": actor_user_name, "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = ["Ryuk Ransomware", "Ransomware", "Information Sabotage"], + class_name = "Detection Report", + confidence = 80, + confidence_id = 3, + duration = 0, + impact = 100, + impact_id = 5, + kill_chain = [{"phase": "Actions on Objectives", "phase_id": 7}], + nist = ["DE.AE"], + risk_level = "Critical", + category_uid = 2, + class_uid = 102001, + risk_level_id = 4, + risk_score = 80, + severity_id = 0, + rule = {"name": "BCDEdit Failure Recovery Modification", "uid": "76d79d6e-25bb-40f6-b3b2-e0a6b7e5ea13", "type": "Streaming"}, + metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time + | into sink; ' how_to_implement: To successfully implement this search you need to be ingesting information on process that 
include the name of the process responsible for the changes from your endpoints into the `Endpoint_Processess` datamodel. @@ -113,4 +106,5 @@ test: - file_name: windows-security_bcdedit_wbadmin.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/atomic_red_team/windows-security_bcdedit_wbadmin.log source: WinEventLog:Security -runtime: SPL-DSP +runtime: SPL2 +internalVersion: 2 diff --git a/dist/ssa/srs/ssa___clear_unallocated_sector_using_cipher_app.yml b/dist/ssa/srs/ssa___clear_unallocated_sector_using_cipher_app.yml index ddff24b1ee..dcfe8528c7 100644 --- a/dist/ssa/srs/ssa___clear_unallocated_sector_using_cipher_app.yml +++ b/dist/ssa/srs/ssa___clear_unallocated_sector_using_cipher_app.yml 
@@ -5,52 +5,44 @@ status: production description: this search is to detect execution of `cipher.exe` to clear the unallocated sectors of a specific disk. This technique was seen in some ransomware to make it impossible to forensically recover deleted files. -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where process_file_name="cipher.exe" AND like(process_cmd_line, "%/W:%") - - | eval body=create_map( - "devices", [ - create_map( - "hostname", device_hostname, "type_id", 0, "uuid", ucast(map_get(device,"uuid"), "string", null) - ) - ], - "time", timestamp, - "evidence", create_map("process.pid", 
process_pid, "process.file.path", process_file_path, "process.file.name", process_file_name, "process.cmd_line", process_cmd_line, "actor.user.name", actor_user_name, "actor.process.pid", actor_process_pid, "actor.process.file.path", actor_process_file_path, "actor.process.file.name", actor_process_file_name, "device.hostname", device_hostname), - "message", concat("Clear Unallocated Sector Using Cipher App has been triggered on ", device_hostname, " by ", actor_user_name, "."), - "users", [ - create_map( - "name", actor_user_name, "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - "risk_level_id", 4, - "risk_score", 90, - "severity_id", 0, - "rule", create_map("name", "Clear Unallocated Sector Using Cipher App", "uid", "8f907d90-6173-11ec-9c23-acde48001122", "type", "Streaming"), - "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where process_file_name="cipher.exe" + AND process_cmd_line LIKE "%/W:%" + | eval devices = [{"hostname": device_hostname, 
"type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname}, + message = "Clear Unallocated Sector Using Cipher App has been triggered on " + device_hostname + " by " + actor_user_name + ".", + users = [{"name": actor_user_name, "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = ["Ransomware", "Information Sabotage"], + class_name = "Detection Report", + confidence = 100, + confidence_id = 3, + duration = 0, + impact = 90, + impact_id = 5, + kill_chain = [{"phase": "Exploitation", "phase_id": 4}], + nist = ["DE.AE"], + risk_level = "Critical", + category_uid = 2, + class_uid = 102001, + risk_level_id = 4, + risk_score = 90, + severity_id = 0, + rule = {"name": "Clear Unallocated Sector Using Cipher App", "uid": "8f907d90-6173-11ec-9c23-acde48001122", "type": "Streaming"}, + metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time + | into sink; ' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the 
`Endpoint` datamodel in the `Processes` node. @@ -114,4 +106,5 @@ test: - file_name: security.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070.004/cipher/security.log source: WinEventLog:Security -runtime: SPL-DSP +runtime: SPL2 +internalVersion: 2 diff --git a/dist/ssa/srs/ssa___delete_a_net_user.yml b/dist/ssa/srs/ssa___delete_a_net_user.yml index 5c95710a2a..5113dab31b 100644 --- a/dist/ssa/srs/ssa___delete_a_net_user.yml +++ b/dist/ssa/srs/ssa___delete_a_net_user.yml 
@@ -8,52 +8,45 @@ description: This analytic will detect a suspicious net.exe/net1.exe command-lin user or deleting adversaries tracks created during its lateral movement additional systems. During triage, review parallel processes for additional behavior. Identify any other user accounts created before or after. -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where like(process_cmd_line, "%user%") AND like(process_cmd_line, "%/delete%") - AND (process_file_name="net.exe" OR process_file_name="net1.exe") - | eval body=create_map( - "devices", [ - create_map( - "hostname", device_hostname, "type_id", 0, 
"uuid", ucast(map_get(device,"uuid"), "string", null) - ) - ], - "time", timestamp, - "evidence", create_map("process.pid", process_pid, "process.file.path", process_file_path, "process.file.name", process_file_name, "process.cmd_line", process_cmd_line, "actor.user.name", actor_user_name, "actor.process.pid", actor_process_pid, "actor.process.file.path", actor_process_file_path, "actor.process.file.name", actor_process_file_name, "device.hostname", device_hostname), - "message", concat("Delete A Net User has been triggered on ", device_hostname, " by ", actor_user_name, "."), - "users", [ - create_map( - "name", actor_user_name, "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - "risk_level_id", 2, - "risk_score", 49, - "severity_id", 0, - "rule", create_map("name", "Delete A Net User", "uid", "8776d79c-d26e-11eb-9a56-acde48001122", "type", "Streaming"), - "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where process_cmd_line LIKE "%user%" + AND 
process_cmd_line LIKE "%/delete%" AND (process_file_name="net.exe" OR process_file_name="net1.exe") + + | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname}, + message = "Delete A Net User has been triggered on " + device_hostname + " by " + actor_user_name + ".", + users = [{"name": actor_user_name, "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = ["XMRig", "Ransomware"], + class_name = "Detection Report", + confidence = 70, + confidence_id = 3, + duration = 0, + impact = 70, + impact_id = 4, + kill_chain = [{"phase": "Actions on Objectives", "phase_id": 7}], + nist = ["DE.AE"], + risk_level = "Medium", + category_uid = 2, + class_uid = 102001, + risk_level_id = 2, + risk_score = 49, + severity_id = 0, + rule = {"name": "Delete A Net User", "uid": "8776d79c-d26e-11eb-9a56-acde48001122", "type": "Streaming"}, + metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time + | into sink; ' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, 
parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the @@ -120,4 +113,5 @@ test: - file_name: security.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1531/atomic_red_team/security.log source: WinEventLog:Security -runtime: SPL-DSP +runtime: SPL2 +internalVersion: 2 diff --git a/dist/ssa/srs/ssa___deny_permission_using_cacls_utility.yml b/dist/ssa/srs/ssa___deny_permission_using_cacls_utility.yml index 7642237a53..13922191a5 100644 --- a/dist/ssa/srs/ssa___deny_permission_using_cacls_utility.yml +++ b/dist/ssa/srs/ssa___deny_permission_using_cacls_utility.yml 
@@ -6,53 +6,45 @@ description: The following analytic identifies the use of `cacls.exe`, `icacls.e or `xcacls.exe` placing the deny permission on a file or directory. Adversaries perform this behavior to prevent responders from reviewing or gaining access to adversary files on disk. -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where (process_file_name="icacls.exe" OR process_file_name="xcacls.exe" - OR process_file_name="cacls.exe") AND match_regex(process_cmd_line, /(?i)deny/)=true - - | eval body=create_map( - "devices", [ - create_map( - "hostname", device_hostname, "type_id", 0, "uuid", 
ucast(map_get(device,"uuid"), "string", null) - ) - ], - "time", timestamp, - "evidence", create_map("process.pid", process_pid, "process.file.path", process_file_path, "process.file.name", process_file_name, "process.cmd_line", process_cmd_line, "actor.user.name", actor_user_name, "actor.process.pid", actor_process_pid, "actor.process.file.path", actor_process_file_path, "actor.process.file.name", actor_process_file_name, "device.hostname", device_hostname), - "message", concat("Deny Permission using Cacls Utility has been triggered on ", device_hostname, " by ", actor_user_name, "."), - "users", [ - create_map( - "name", actor_user_name, "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - "risk_level_id", 1, - "risk_score", 35, - "severity_id", 0, - "rule", create_map("name", "Deny Permission using Cacls Utility", "uid", "b76eae28-cd25-11eb-9c92-acde48001122", "type", "Streaming"), - "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where 
(process_file_name="icacls.exe" + OR process_file_name="xcacls.exe" OR process_file_name="cacls.exe") AND match(process_cmd_line, + /(?i)deny/)=true + | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname}, + message = "Deny Permission using Cacls Utility has been triggered on " + device_hostname + " by " + actor_user_name + ".", + users = [{"name": actor_user_name, "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = ["XMRig", "Information Sabotage"], + class_name = "Detection Report", + confidence = 70, + confidence_id = 3, + duration = 0, + impact = 50, + impact_id = 3, + kill_chain = [{"phase": "Exploitation", "phase_id": 4}], + nist = ["DE.AE"], + risk_level = "Low", + category_uid = 2, + class_uid = 102001, + risk_level_id = 1, + risk_score = 35, + severity_id = 0, + rule = {"name": "Deny Permission using Cacls Utility", "uid": "b76eae28-cd25-11eb-9c92-acde48001122", "type": "Streaming"}, + metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time + | into sink; ' how_to_implement: To 
successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the @@ -116,4 +108,5 @@ test: - file_name: all_icalc.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/ssa_cacls/all_icalc.log source: WinEventLog:Security -runtime: SPL-DSP +runtime: SPL2 +internalVersion: 2 diff --git a/dist/ssa/srs/ssa___detect_prohibited_applications_spawning_cmd_exe.yml b/dist/ssa/srs/ssa___detect_prohibited_applications_spawning_cmd_exe.yml index 0113142ea2..f244b5b7b5 100644 --- a/dist/ssa/srs/ssa___detect_prohibited_applications_spawning_cmd_exe.yml +++ b/dist/ssa/srs/ssa___detect_prohibited_applications_spawning_cmd_exe.yml 
@@ -6,58 +6,50 @@ description: The following analytic identifies parent processes, browsers, Windo terminal applications, Office Products and Java spawning cmd.exe. By its very nature, many applications spawn cmd.exe natively or built into macros. Much of this will need to be tuned to further enhance the risk. -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where ((actor_process_file_name="winword.exe" OR actor_process_file_name="excel.exe" - OR actor_process_file_name="outlook.exe" OR actor_process_file_name="acrobat.exe" - OR actor_process_file_name="acrord32.exe" OR actor_process_file_name="iexplore.exe" - 
OR actor_process_file_name="opera.exe" OR actor_process_file_name="firefox.exe" - OR actor_process_file_name="powershell.exe") OR (actor_process_file_name="java.exe" - AND (NOT match_regex(actor_process_file_name, /(?i)patch1-Hotfix1a/)=true)) OR (actor_process_file_name="chrome.exe" - AND (NOT process_cmd_line="chrome-extension"))) AND process_file_name="cmd.exe" - - | eval body=create_map( - "devices", [ - create_map( - "hostname", device_hostname, "type_id", 0, "uuid", ucast(map_get(device,"uuid"), "string", null) - ) - ], - "time", timestamp, - "evidence", create_map("process.pid", process_pid, "process.file.path", process_file_path, "process.file.name", process_file_name, "process.cmd_line", process_cmd_line, "actor.user.name", actor_user_name, "actor.process.pid", actor_process_pid, "actor.process.file.path", actor_process_file_path, "actor.process.file.name", actor_process_file_name, "device.hostname", device_hostname), - "message", concat("Detect Prohibited Applications Spawning cmd exe has been triggered on ", device_hostname, " by ", actor_user_name, "."), - "users", [ - create_map( - "name", actor_user_name, "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - "risk_level_id", 1, - "risk_score", 35, - "severity_id", 0, - "rule", create_map("name", "Detect Prohibited Applications Spawning cmd exe", "uid", "c10a18cb-fd80-4ffa-a844-25026e0a0c94", "type", "Streaming"), - "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval 
process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where ((actor_process_file_name="winword.exe" + OR actor_process_file_name="excel.exe" OR actor_process_file_name="outlook.exe" + OR actor_process_file_name="acrobat.exe" OR actor_process_file_name="acrord32.exe" + OR actor_process_file_name="iexplore.exe" OR actor_process_file_name="opera.exe" + OR actor_process_file_name="firefox.exe" OR actor_process_file_name="powershell.exe") + OR (actor_process_file_name="java.exe" AND (NOT match(actor_process_file_name, /(?i)patch1-Hotfix1a/)=true)) + OR (actor_process_file_name="chrome.exe" AND (NOT process_cmd_line="chrome-extension"))) + AND process_file_name="cmd.exe" + | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname}, + message = "Detect Prohibited Applications Spawning cmd exe has been triggered on " + device_hostname + " by " + actor_user_name + ".", + users = [{"name": actor_user_name, "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = ["Suspicious Command-Line Executions", "Insider Threat"], + class_name = "Detection Report", + confidence = 
50, + confidence_id = 2, + duration = 0, + impact = 70, + impact_id = 4, + kill_chain = [{"phase": "Installation", "phase_id": 5}], + nist = ["DE.AE"], + risk_level = "Low", + category_uid = 2, + class_uid = 102001, + risk_level_id = 1, + risk_score = 35, + severity_id = 0, + rule = {"name": "Detect Prohibited Applications Spawning cmd exe", "uid": "c10a18cb-fd80-4ffa-a844-25026e0a0c94", "type": "Streaming"}, + metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time + | into sink; ' how_to_implement: In order to successfully implement this analytic, you will need endpoint process data from a EDR product or Sysmon. This search has been modified to process raw sysmon data from attack_range's nxlogs on DSP. @@ -120,4 +112,5 @@ test: - file_name: windows-security.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.003/powershell_spawn_cmd/windows-security.log source: WinEventLog:Security -runtime: SPL-DSP +runtime: SPL2 +internalVersion: 2 diff --git a/dist/ssa/srs/ssa___detect_rclone_command_line_usage.yml b/dist/ssa/srs/ssa___detect_rclone_command_line_usage.yml index bc42a3ba67..5d46860b96 100644 --- a/dist/ssa/srs/ssa___detect_rclone_command_line_usage.yml +++ b/dist/ssa/srs/ssa___detect_rclone_command_line_usage.yml 
@@ -9,57 +9,49 @@ description: This analytic identifies commonly used command-line arguments used is not indicative of malicious behavior. During triage, at this stage of a ransomware event, exfiltration is about to occur or has already. Isolate the endpoint and continue investigating by review file modifications and parallel processes. -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where (like(process_cmd_line, "%--multi-thread-streams%") OR like(process_cmd_line, - "%--transfers%") OR like(process_cmd_line, "%--auto-confirm%") OR like(process_cmd_line, - "%--ignore-existing%") OR like(process_cmd_line, 
"%--no-check-certificate%") OR - like(process_cmd_line, "%--progress%") OR like(process_cmd_line, "%--config%") OR - like(process_cmd_line, "%ftp%") OR like(process_cmd_line, "%pcloud%") OR like(process_cmd_line, - "%mega%") OR like(process_cmd_line, "%copy%")) AND process_file_name="rclone.exe" +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where (process_cmd_line LIKE "%--multi-thread-streams%" + OR process_cmd_line LIKE "%--transfers%" OR process_cmd_line LIKE "%--auto-confirm%" + OR process_cmd_line LIKE "%--ignore-existing%" OR process_cmd_line LIKE "%--no-check-certificate%" + OR process_cmd_line LIKE "%--progress%" OR process_cmd_line LIKE "%--config%" OR + process_cmd_line LIKE "%ftp%" OR process_cmd_line LIKE "%pcloud%" OR process_cmd_line + LIKE "%mega%" OR process_cmd_line LIKE "%copy%") AND process_file_name="rclone.exe" - | eval body=create_map( - "devices", [ - create_map( - "hostname", device_hostname, "type_id", 0, "uuid", ucast(map_get(device,"uuid"), "string", null) - ) - ], - "time", timestamp, - "evidence", create_map("process.pid", process_pid, "process.file.path", process_file_path, "process.file.name", process_file_name, "process.cmd_line", process_cmd_line, "actor.user.name", actor_user_name, "actor.process.pid", actor_process_pid, "actor.process.file.path", actor_process_file_path, "actor.process.file.name", actor_process_file_name, 
"device.hostname", device_hostname), - "message", concat("Detect RClone Command-Line Usage has been triggered on ", device_hostname, " by ", actor_user_name, "."), - "users", [ - create_map( - "name", actor_user_name, "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - "risk_level_id", 1, - "risk_score", 35, - "severity_id", 0, - "rule", create_map("name", "Detect RClone Command-Line Usage", "uid", "e8b74268-5454-11ec-a799-acde48001122", "type", "Streaming"), - "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' + | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname}, + message = "Detect RClone Command-Line Usage has been triggered on " + device_hostname + " by " + actor_user_name + ".", + users = [{"name": actor_user_name, "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = ["DarkSide Ransomware", "Ransomware", "Insider Threat"], + class_name = "Detection Report", + confidence = 70, + confidence_id = 3, + duration = 0, + impact = 50, + impact_id = 3, + kill_chain = [{"phase": "Actions on Objectives", "phase_id": 7}], + nist = ["DE.AE"], + risk_level = "Low", + category_uid = 2, + class_uid = 102001, + risk_level_id = 1, + 
risk_score = 35, + severity_id = 0, + rule = {"name": "Detect RClone Command-Line Usage", "uid": "e8b74268-5454-11ec-a799-acde48001122", "type": "Streaming"}, + metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time + | into sink; ' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint_Processess` datamodel. @@ -126,4 +118,5 @@ test: - file_name: windows-security.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1020/windows-security.log source: WinEventLog:Security -runtime: SPL-DSP +runtime: SPL2 +internalVersion: 2 diff --git a/dist/ssa/srs/ssa___disable_net_user_account.yml b/dist/ssa/srs/ssa___disable_net_user_account.yml index b225bbe959..e843a0f87f 100644 --- a/dist/ssa/srs/ssa___disable_net_user_account.yml +++ b/dist/ssa/srs/ssa___disable_net_user_account.yml 
@@ -6,52 +6,45 @@ description: This analytic will identify a suspicious command-line that disables user account using the native `net.exe` or `net1.exe` utility to Windows. This technique may used by the adversaries to interrupt availability of accounts and continue the impact against the organization. -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where like(process_cmd_line, "%user%") AND like(process_cmd_line, "%/active:no%") - AND (process_file_name="net.exe" OR process_file_name="net1.exe") - | eval body=create_map( - "devices", [ - create_map( - "hostname", device_hostname, "type_id", 0, "uuid", 
ucast(map_get(device,"uuid"), "string", null) - ) - ], - "time", timestamp, - "evidence", create_map("process.pid", process_pid, "process.file.path", process_file_path, "process.file.name", process_file_name, "process.cmd_line", process_cmd_line, "actor.user.name", actor_user_name, "actor.process.pid", actor_process_pid, "actor.process.file.path", actor_process_file_path, "actor.process.file.name", actor_process_file_name, "device.hostname", device_hostname), - "message", concat("Disable Net User Account has been triggered on ", device_hostname, " by ", actor_user_name, "."), - "users", [ - create_map( - "name", actor_user_name, "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - "risk_level_id", 2, - "risk_score", 49, - "severity_id", 0, - "rule", create_map("name", "Disable Net User Account", "uid", "ba858b08-d26c-11eb-af9b-acde48001122", "type", "Streaming"), - "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where process_cmd_line LIKE "%user%" + 
AND process_cmd_line LIKE "%/active:no%" AND (process_file_name="net.exe" OR process_file_name="net1.exe") + + | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname}, + message = "Disable Net User Account has been triggered on " + device_hostname + " by " + actor_user_name + ".", + users = [{"name": actor_user_name, "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = ["XMRig", "Ransomware"], + class_name = "Detection Report", + confidence = 70, + confidence_id = 3, + duration = 0, + impact = 70, + impact_id = 4, + kill_chain = [{"phase": "Actions on Objectives", "phase_id": 7}, {"phase": "Exploitation", "phase_id": 4}, {"phase": "Delivery", "phase_id": 3}, {"phase": "Installation", "phase_id": 5}], + nist = ["DE.AE"], + risk_level = "Medium", + category_uid = 2, + class_uid = 102001, + risk_level_id = 2, + risk_score = 49, + severity_id = 0, + rule = {"name": "Disable Net User Account", "uid": "ba858b08-d26c-11eb-af9b-acde48001122", "type": "Streaming"}, + metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, 
start_time, end_time + | into sink; ' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the @@ -120,4 +113,5 @@ test: - file_name: net_user_dis.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/ssa_data1/net_user_dis.log source: WinEventLog:Security -runtime: SPL-DSP +runtime: SPL2 +internalVersion: 2 diff --git a/dist/ssa/srs/ssa___dns_exfiltration_using_nslookup_app.yml b/dist/ssa/srs/ssa___dns_exfiltration_using_nslookup_app.yml index 2a9ac3901a..fed78586ba 100644 --- a/dist/ssa/srs/ssa___dns_exfiltration_using_nslookup_app.yml +++ b/dist/ssa/srs/ssa___dns_exfiltration_using_nslookup_app.yml 
@@ -8,53 +8,46 @@ description: This search is to detect potential DNS exfiltration using nslookup use of nslookup where it tries to use specific record type, TXT, A, AAAA, that are commonly used by attacker and also the retry parameter which is designed to query C2 DNS multiple tries. -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where (like(process_cmd_line, "%-retry=%") OR like(process_cmd_line, "%-type=%") - OR like(process_cmd_line, "%-q=%") OR like(process_cmd_line, "%-qt=%") OR like(process_cmd_line, - "%-querytype=%")) AND process_file_name="nslookup.exe" - | eval body=create_map( - "devices", [ - 
create_map( - "hostname", device_hostname, "type_id", 0, "uuid", ucast(map_get(device,"uuid"), "string", null) - ) - ], - "time", timestamp, - "evidence", create_map("process.pid", process_pid, "process.file.path", process_file_path, "process.file.name", process_file_name, "process.cmd_line", process_cmd_line, "actor.user.name", actor_user_name, "actor.process.pid", actor_process_pid, "actor.process.file.path", actor_process_file_path, "actor.process.file.name", actor_process_file_name, "device.hostname", device_hostname), - "message", concat("DNS Exfiltration Using Nslookup App has been triggered on ", device_hostname, " by ", actor_user_name, "."), - "users", [ - create_map( - "name", actor_user_name, "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - "risk_level_id", 3, - "risk_score", 72, - "severity_id", 0, - "rule", create_map("name", "DNS Exfiltration Using Nslookup App", "uid", "2452e632-9e0d-11eb-34ba-acde48001122", "type", "Streaming"), - "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name 
+ | eval device_hostname = device.hostname | where (process_cmd_line LIKE "%-retry=%" + OR process_cmd_line LIKE "%-type=%" OR process_cmd_line LIKE "%-q=%" OR process_cmd_line + LIKE "%-qt=%" OR process_cmd_line LIKE "%-querytype=%") AND process_file_name="nslookup.exe" + + | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname}, + message = "DNS Exfiltration Using Nslookup App has been triggered on " + device_hostname + " by " + actor_user_name + ".", + users = [{"name": actor_user_name, "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = ["Suspicious DNS Traffic", "Dynamic DNS", "Data Exfiltration", "Command And Control"], + class_name = "Detection Report", + confidence = 80, + confidence_id = 3, + duration = 0, + impact = 90, + impact_id = 5, + kill_chain = [{"phase": "Actions on Objectives", "phase_id": 7}], + nist = ["DE.AE"], + risk_level = "High", + category_uid = 2, + class_uid = 102001, + risk_level_id = 3, + risk_score = 72, + severity_id = 0, + rule = {"name": "DNS Exfiltration Using Nslookup App", "uid": "2452e632-9e0d-11eb-34ba-acde48001122", "type": "Streaming"}, + metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, 
impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time + | into sink; ' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint_Processess` datamodel. @@ -121,4 +114,5 @@ test: - file_name: windows-security.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1048.003/nslookup_exfil/windows-security.log source: WinEventLog:Security -runtime: SPL-DSP +runtime: SPL2 +internalVersion: 2 diff --git a/dist/ssa/srs/ssa___fsutil_zeroing_file.yml b/dist/ssa/srs/ssa___fsutil_zeroing_file.yml index 3f9d9c4b86..341393d92d 100644 --- a/dist/ssa/srs/ssa___fsutil_zeroing_file.yml +++ b/dist/ssa/srs/ssa___fsutil_zeroing_file.yml 
@@ -5,52 +5,44 @@ status: production description: This search is to detect a suspicious fsutil process to zeroing a target file. This technique was seen in lockbit ransomware where it tries to zero out its malware path as part of its defense evasion after encrypting the compromised host. -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where like(process_cmd_line, "%setzerodata%") AND process_file_name="fsutil.exe" - - | eval body=create_map( - "devices", [ - create_map( - "hostname", device_hostname, "type_id", 0, "uuid", ucast(map_get(device,"uuid"), "string", null) - ) - ], - "time", timestamp, - 
"evidence", create_map("process.pid", process_pid, "process.file.path", process_file_path, "process.file.name", process_file_name, "process.cmd_line", process_cmd_line, "actor.user.name", actor_user_name, "actor.process.pid", actor_process_pid, "actor.process.file.path", actor_process_file_path, "actor.process.file.name", actor_process_file_name, "device.hostname", device_hostname), - "message", concat("Fsutil Zeroing File has been triggered on ", device_hostname, " by ", actor_user_name, "."), - "users", [ - create_map( - "name", actor_user_name, "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - "risk_level_id", 2, - "risk_score", 54, - "severity_id", 0, - "rule", create_map("name", "Fsutil Zeroing File", "uid", "f792cdc9-43ee-4429-a3c0-ffce4fed1a85", "type", "Streaming"), - "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where process_cmd_line LIKE "%setzerodata%" + AND process_file_name="fsutil.exe" + | eval devices = [{"hostname": 
device_hostname, "type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname}, + message = "Fsutil Zeroing File has been triggered on " + device_hostname + " by " + actor_user_name + ".", + users = [{"name": actor_user_name, "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = ["Ransomware", "Insider Threat", "Information Sabotage"], + class_name = "Detection Report", + confidence = 90, + confidence_id = 3, + duration = 0, + impact = 60, + impact_id = 4, + kill_chain = [{"phase": "Exploitation", "phase_id": 4}], + nist = ["DE.AE"], + risk_level = "Medium", + category_uid = 2, + class_uid = 102001, + risk_level_id = 2, + risk_score = 54, + severity_id = 0, + rule = {"name": "Fsutil Zeroing File", "uid": "f792cdc9-43ee-4429-a3c0-ffce4fed1a85", "type": "Streaming"}, + metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time + | into sink; ' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. 
If you are using Sysmon, you must have at least version 6.0.4 of the @@ -116,4 +108,5 @@ test: - file_name: windows-security.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070/fsutil_file_zero/windows-security.log source: WinEventLog:Security -runtime: SPL-DSP +runtime: SPL2 +internalVersion: 2 diff --git a/dist/ssa/srs/ssa___grant_permission_using_cacls_utility.yml b/dist/ssa/srs/ssa___grant_permission_using_cacls_utility.yml index 5198a10318..ff4b83eb3b 100644 --- a/dist/ssa/srs/ssa___grant_permission_using_cacls_utility.yml +++ b/dist/ssa/srs/ssa___grant_permission_using_cacls_utility.yml 
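Review bot: The rewritten `fields` clause keeps `observables` in its projection, but nothing on the new side ever assigns it — the `eval` block defines devices, time, evidence, message, users, the risk/confidence/impact fields, kill_chain, rule and metadata, and no `observables` — so unless the upstream `source` stream already carries that field the finding written to `sink` has no observables. The same projection appears in the cacls, attrib, modify-ACLs and office-product hunks below (and in the nslookup hunk whose start is outside this view). These `dist/ssa/srs` files look generated from the contentctl writer, so the fix belongs in the template that emits the search rather than in each file: either add an `observables = [...]` assignment to the `eval` block alongside `kill_chain` and `analytic_stories`, or drop `observables` from the `fields` list if the finding schema no longer needs it.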
@@ -6,53 +6,45 @@ description: The following analytic identifies the use of `cacls.exe`, `icacls.e or `xcacls.exe` placing the grant permission on a file or directory. Adversaries perform this behavior to allow components of their files to run, however it allows responders to review or gaining access to adversary files on disk. -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where (process_file_name="icacls.exe" OR process_file_name="xcacls.exe" - OR process_file_name="cacls.exe") AND match_regex(process_cmd_line, /(?i)grant/)=true - - | eval body=create_map( - "devices", [ - create_map( - "hostname", 
device_hostname, "type_id", 0, "uuid", ucast(map_get(device,"uuid"), "string", null) - ) - ], - "time", timestamp, - "evidence", create_map("process.pid", process_pid, "process.file.path", process_file_path, "process.file.name", process_file_name, "process.cmd_line", process_cmd_line, "actor.user.name", actor_user_name, "actor.process.pid", actor_process_pid, "actor.process.file.path", actor_process_file_path, "actor.process.file.name", actor_process_file_name, "device.hostname", device_hostname), - "message", concat("Grant Permission Using Cacls Utility has been triggered on ", device_hostname, " by ", actor_user_name, "."), - "users", [ - create_map( - "name", actor_user_name, "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - "risk_level_id", 1, - "risk_score", 35, - "severity_id", 0, - "rule", create_map("name", "Grant Permission Using Cacls Utility", "uid", "c6da561a-cd29-11eb-ae65-acde48001122", "type", "Streaming"), - "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval 
device_hostname = device.hostname | where (process_file_name="icacls.exe" + OR process_file_name="xcacls.exe" OR process_file_name="cacls.exe") AND match(process_cmd_line, + /(?i)grant/)=true + | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname}, + message = "Grant Permission Using Cacls Utility has been triggered on " + device_hostname + " by " + actor_user_name + ".", + users = [{"name": actor_user_name, "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = ["XMRig", "Insider Threat"], + class_name = "Detection Report", + confidence = 70, + confidence_id = 3, + duration = 0, + impact = 50, + impact_id = 3, + kill_chain = [{"phase": "Exploitation", "phase_id": 4}], + nist = ["DE.AE"], + risk_level = "Low", + category_uid = 2, + class_uid = 102001, + risk_level_id = 1, + risk_score = 35, + severity_id = 0, + rule = {"name": "Grant Permission Using Cacls Utility", "uid": "c6da561a-cd29-11eb-ae65-acde48001122", "type": "Streaming"}, + metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time + | 
into sink; ' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the @@ -116,4 +108,5 @@ test: - file_name: all_icalc.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/ssa_cacls/all_icalc.log source: WinEventLog:Security -runtime: SPL-DSP +runtime: SPL2 +internalVersion: 2 diff --git a/dist/ssa/srs/ssa___hiding_files_and_directories_with_attrib_exe.yml b/dist/ssa/srs/ssa___hiding_files_and_directories_with_attrib_exe.yml index d6497113cb..aabdb63dd2 100644 --- a/dist/ssa/srs/ssa___hiding_files_and_directories_with_attrib_exe.yml +++ b/dist/ssa/srs/ssa___hiding_files_and_directories_with_attrib_exe.yml 
@@ -6,52 +6,44 @@ description: Attackers leverage an existing Windows binary, attrib.exe, to mark as hidden by using specific flags so that the victim does not see the file. The search looks for specific command-line arguments to detect the use of attrib.exe to hide files. -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where process_file_name="attrib.exe" AND match_regex(process_cmd_line, /(?i)/)=true - - | eval body=create_map( - "devices", [ - create_map( - "hostname", device_hostname, "type_id", 0, "uuid", ucast(map_get(device,"uuid"), "string", null) - ) - ], - "time", timestamp, - "evidence", 
create_map("process.pid", process_pid, "process.file.path", process_file_path, "process.file.name", process_file_name, "process.cmd_line", process_cmd_line, "actor.user.name", actor_user_name, "actor.process.pid", actor_process_pid, "actor.process.file.path", actor_process_file_path, "actor.process.file.name", actor_process_file_name, "device.hostname", device_hostname), - "message", concat("Hiding Files And Directories With Attrib exe has been triggered on ", device_hostname, " by ", actor_user_name, "."), - "users", [ - create_map( - "name", actor_user_name, "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - "risk_level_id", 3, - "risk_score", 72, - "severity_id", 0, - "rule", create_map("name", "Hiding Files And Directories With Attrib exe", "uid", "028e4406-6176-11ec-aec2-acde48001122", "type", "Streaming"), - "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where process_file_name="attrib.exe" + AND match(process_cmd_line, /(?i)/)=true + | eval 
devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname}, + message = "Hiding Files And Directories With Attrib exe has been triggered on " + device_hostname + " by " + actor_user_name + ".", + users = [{"name": actor_user_name, "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = ["Windows Defense Evasion Tactics", "Windows Persistence Techniques", "Information Sabotage", "Insider Threat"], + class_name = "Detection Report", + confidence = 90, + confidence_id = 3, + duration = 0, + impact = 80, + impact_id = 5, + kill_chain = [{"phase": "Exploitation", "phase_id": 4}], + nist = ["DE.AE"], + risk_level = "High", + category_uid = 2, + class_uid = 102001, + risk_level_id = 3, + risk_score = 72, + severity_id = 0, + rule = {"name": "Hiding Files And Directories With Attrib exe", "uid": "028e4406-6176-11ec-aec2-acde48001122", "type": "Streaming"}, + metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time + | into sink; ' how_to_implement: You must be ingesting data that records process activity from your 
hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. @@ -119,4 +111,5 @@ test: - file_name: security.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/attrib_hidden/security.log source: WinEventLog:Security -runtime: SPL-DSP +runtime: SPL2 +internalVersion: 2 diff --git a/dist/ssa/srs/ssa___modify_acls_permission_of_files_or_folders.yml b/dist/ssa/srs/ssa___modify_acls_permission_of_files_or_folders.yml index 987681feaa..7dc8f19201 100644 --- a/dist/ssa/srs/ssa___modify_acls_permission_of_files_or_folders.yml +++ b/dist/ssa/srs/ssa___modify_acls_permission_of_files_or_folders.yml 
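Review bot: The filter `match(process_cmd_line, /(?i)/)=true` uses an empty pattern, which matches every command line, so the `where` clause reduces to `process_file_name="attrib.exe"` and a finding is produced for every attrib.exe execution; that contradicts the description above, which says the search looks for specific command-line arguments used to hide files. The old side carried the same empty `match_regex`, so the port is faithful, but the rewrite is the moment to give the match its intended pattern — for example `match(process_cmd_line, /(?i)\+h/)=true` for the hidden attribute, to be confirmed against the original detection's intent. Since this file appears to be generated, the change should be made in the source detection YAML so it is not overwritten on the next build.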
@@ -8,54 +8,46 @@ description: This analytic identifies suspicious modification of ACL permission is commonly configured by the file or directory owner with appropriate permission. This behavior raises suspicion if this command is seen on an endpoint utilized by an account with no permission to do so. -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where (match_regex(process_cmd_line, /(?i)S-1-1-0:/)=true OR match_regex(process_cmd_line, - /(?i)SYSTEM:/)=true OR match_regex(process_cmd_line, /(?i)everyone:/)=true) AND - (process_file_name="icacls.exe" OR process_file_name="xcacls.exe" OR 
process_file_name="cacls.exe") +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where (match(process_cmd_line, /(?i)S-1-1-0:/)=true + OR match(process_cmd_line, /(?i)SYSTEM:/)=true OR match(process_cmd_line, /(?i)everyone:/)=true) + AND (process_file_name="icacls.exe" OR process_file_name="xcacls.exe" OR process_file_name="cacls.exe") - | eval body=create_map( - "devices", [ - create_map( - "hostname", device_hostname, "type_id", 0, "uuid", ucast(map_get(device,"uuid"), "string", null) - ) - ], - "time", timestamp, - "evidence", create_map("process.pid", process_pid, "process.file.path", process_file_path, "process.file.name", process_file_name, "process.cmd_line", process_cmd_line, "actor.user.name", actor_user_name, "actor.process.pid", actor_process_pid, "actor.process.file.path", actor_process_file_path, "actor.process.file.name", actor_process_file_name, "device.hostname", device_hostname), - "message", concat("Modify ACLs Permission Of Files Or Folders has been triggered on ", device_hostname, " by ", actor_user_name, "."), - "users", [ - create_map( - "name", actor_user_name, "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - "risk_level_id", 1, - "risk_score", 35, - "severity_id", 0, - "rule", create_map("name", "Modify ACLs Permission Of Files Or Folders", "uid", 
"9ae9a48a-cdbe-11eb-875a-acde48001122", "type", "Streaming"), - "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' + | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname}, + message = "Modify ACLs Permission Of Files Or Folders has been triggered on " + device_hostname + " by " + actor_user_name + ".", + users = [{"name": actor_user_name, "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = ["XMRig"], + class_name = "Detection Report", + confidence = 70, + confidence_id = 3, + duration = 0, + impact = 50, + impact_id = 3, + kill_chain = [{"phase": "Exploitation", "phase_id": 4}], + nist = ["DE.AE"], + risk_level = "Low", + category_uid = 2, + class_uid = 102001, + risk_level_id = 1, + risk_score = 35, + severity_id = 0, + rule = {"name": "Modify ACLs Permission Of Files Or Folders", "uid": "9ae9a48a-cdbe-11eb-875a-acde48001122", "type": "Streaming"}, + metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, 
confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time + | into sink; ' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the @@ -118,4 +110,5 @@ test: - file_name: all_icalc.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/ssa_cacls/all_icalc.log source: WinEventLog:Security -runtime: SPL-DSP +runtime: SPL2 +internalVersion: 2 diff --git a/dist/ssa/srs/ssa___office_product_spawning_windows_script_host.yml b/dist/ssa/srs/ssa___office_product_spawning_windows_script_host.yml index 8cff41b051..8e59fee863 100644 --- a/dist/ssa/srs/ssa___office_product_spawning_windows_script_host.yml +++ b/dist/ssa/srs/ssa___office_product_spawning_windows_script_host.yml 
@@ -5,55 +5,47 @@ status: production description: The following analytic will identify a Windows Office Product spawning WScript.exe or CScript.exe. Tuning may be required based on legitimate application usage that may spawn scripts from an Office product. -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where (process_file_name="cscript.exe" OR process_file_name="wscript.exe") - AND (match_regex(actor_process_file_name, /(?i)visio.exe/)=true OR match_regex(actor_process_file_name, - /(?i)mspub.exe/)=true OR match_regex(actor_process_file_name, /(?i)powerpnt.exe/)=true - OR match_regex(actor_process_file_name, 
/(?i)excel.exe/)=true OR match_regex(actor_process_file_name, - /(?i)winword.exe/)=true) - | eval body=create_map( - "devices", [ - create_map( - "hostname", device_hostname, "type_id", 0, "uuid", ucast(map_get(device,"uuid"), "string", null) - ) - ], - "time", timestamp, - "evidence", create_map("process.pid", process_pid, "process.file.path", process_file_path, "process.file.name", process_file_name, "process.cmd_line", process_cmd_line, "actor.user.name", actor_user_name, "actor.process.pid", actor_process_pid, "actor.process.file.path", actor_process_file_path, "actor.process.file.name", actor_process_file_name, "device.hostname", device_hostname), - "message", concat("Office Product Spawning Windows Script Host has been triggered on ", device_hostname, " by ", actor_user_name, "."), - "users", [ - create_map( - "name", actor_user_name, "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - "risk_level_id", 3, - "risk_score", 63, - "severity_id", 0, - "rule", create_map("name", "Office Product Spawning Windows Script Host", "uid", "3ea3851a-8736-41a0-bc09-7e4485b48fa6", "type", "Streaming"), - "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval 
actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where (process_file_name="cscript.exe" + OR process_file_name="wscript.exe") AND (match(actor_process_file_name, /(?i)visio.exe/)=true + OR match(actor_process_file_name, /(?i)mspub.exe/)=true OR match(actor_process_file_name, + /(?i)powerpnt.exe/)=true OR match(actor_process_file_name, /(?i)excel.exe/)=true + OR match(actor_process_file_name, /(?i)winword.exe/)=true) + | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname}, + message = "Office Product Spawning Windows Script Host has been triggered on " + device_hostname + " by " + actor_user_name + ".", + users = [{"name": actor_user_name, "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = ["Spearphishing Attachments"], + class_name = "Detection Report", + confidence = 90, + confidence_id = 3, + duration = 0, + impact = 70, + impact_id = 4, + kill_chain = [{"phase": "Delivery", "phase_id": 3}], + nist = ["DE.AE"], + risk_level = "High", + category_uid = 2, + class_uid = 102001, + risk_level_id = 3, + risk_score = 63, + severity_id = 0, + rule = {"name": "Office Product Spawning Windows Script Host", "uid": "3ea3851a-8736-41a0-bc09-7e4485b48fa6", "type": "Streaming"}, + metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, 
+ type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time + | into sink; ' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the @@ -117,4 +109,5 @@ test: - file_name: windows-security.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.002/atomic_red_team/windows-security.log source: XmlWinEventLog -runtime: SPL-DSP +runtime: SPL2 +internalVersion: 2 diff --git a/dist/ssa/srs/ssa___resize_shadowstorage_volume.yml b/dist/ssa/srs/ssa___resize_shadowstorage_volume.yml index 33be0c34be..dafb58a64d 100644 --- a/dist/ssa/srs/ssa___resize_shadowstorage_volume.yml +++ b/dist/ssa/srs/ssa___resize_shadowstorage_volume.yml 
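Review bot: The five parent-process patterns in the `where` clause, `/(?i)visio.exe/`, `/(?i)mspub.exe/`, `/(?i)powerpnt.exe/`, `/(?i)excel.exe/` and `/(?i)winword.exe/`, leave the `.` unescaped, so it matches any character rather than the literal dot, and the matches are unanchored substrings. Escaping the dot, e.g. `match(actor_process_file_name, /(?i)winword\.exe/)=true`, keeps the match to the actual executable name; anchoring with `$` would tighten it further if the SPL2 regex dialect supports it, which I have not confirmed here. This was inherited from the old `match_regex` side, so it is a carry-over rather than a regression of this commit.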
@@ -6,53 +6,45 @@ description: The following analytic identifies the resizing of shadowstorage usi vssadmin.exe to avoid the shadow volumes being made again. This technique is typically found used by adversaries during a ransomware event and a precursor to deleting the shadowstorage. -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where like(process_cmd_line, "%shadowstorage%") AND like(process_cmd_line, - "%resize%") AND like(process_cmd_line, "%maxsize%") AND process_file_name="vssadmin.exe" +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = 
process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where process_cmd_line LIKE "%shadowstorage%" + AND process_cmd_line LIKE "%resize%" AND process_cmd_line LIKE "%maxsize%" AND process_file_name="vssadmin.exe" - | eval body=create_map( - "devices", [ - create_map( - "hostname", device_hostname, "type_id", 0, "uuid", ucast(map_get(device,"uuid"), "string", null) - ) - ], - "time", timestamp, - "evidence", create_map("process.pid", process_pid, "process.file.path", process_file_path, "process.file.name", process_file_name, "process.cmd_line", process_cmd_line, "actor.user.name", actor_user_name, "actor.process.pid", actor_process_pid, "actor.process.file.path", actor_process_file_path, "actor.process.file.name", actor_process_file_name, "device.hostname", device_hostname), - "message", concat("Resize Shadowstorage Volume has been triggered on ", device_hostname, " by ", actor_user_name, "."), - "users", [ - create_map( - "name", actor_user_name, "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - "risk_level_id", 3, - "risk_score", 64, - "severity_id", 0, - "rule", create_map("name", "Resize Shadowstorage Volume", "uid", "dbc30554-d27e-11eb-9e5e-acde48001122", "type", "Streaming"), - "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", 
time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' + | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname}, + message = "Resize Shadowstorage Volume has been triggered on " + device_hostname + " by " + actor_user_name + ".", + users = [{"name": actor_user_name, "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = ["Clop Ransomware", "Ransomware"], + class_name = "Detection Report", + confidence = 80, + confidence_id = 3, + duration = 0, + impact = 80, + impact_id = 5, + kill_chain = [{"phase": "Actions on Objectives", "phase_id": 7}], + nist = ["DE.AE"], + risk_level = "High", + category_uid = 2, + class_uid = 102001, + risk_level_id = 3, + risk_score = 64, + severity_id = 0, + rule = {"name": "Resize Shadowstorage Volume", "uid": "dbc30554-d27e-11eb-9e5e-acde48001122", "type": "Streaming"}, + metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time + | into sink; ' how_to_implement: To successfully implement this search, 
you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the @@ -117,4 +109,5 @@ test: - file_name: windows-security.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/ssa_data1/windows-security.log source: WinEventLog:Security -runtime: SPL-DSP +runtime: SPL2 +internalVersion: 2 diff --git a/dist/ssa/srs/ssa___sdelete_application_execution.yml b/dist/ssa/srs/ssa___sdelete_application_execution.yml index a87a86e741..1e3399496e 100644 --- a/dist/ssa/srs/ssa___sdelete_application_execution.yml +++ b/dist/ssa/srs/ssa___sdelete_application_execution.yml 
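Review bot: The closing `| fields metadata, rule, ... observables, risk_level, ...` list projects an `observables` field that the preceding `eval` never assigns (it sets `devices`, `users`, `evidence`, `kill_chain`, etc., but no `observables`), so the emitted finding either carries a missing/null `observables` or, depending on how SPL2 treats unknown names in `fields`, fails to compile; either drop it from the list or add `observables = [...]` next to `devices`/`users`. The `where` clause also matches `process_file_name="vssadmin.exe"` and the three `LIKE "%...%"` patterns against the raw strings, which, if SPL2 comparison is case-sensitive, lets `VSSADMIN.EXE /Resize ShadowStorage /MaxSize=...` through; the office-product detection converted in this same diff uses `match(..., /(?i).../)=true`, so `| where match(process_file_name, /(?i)^vssadmin\.exe$/)=true AND match(process_cmd_line, /(?i)shadowstorage/)=true AND match(process_cmd_line, /(?i)resize/)=true AND match(process_cmd_line, /(?i)maxsize/)=true` would be consistent with it. Both points are carried over from the old SPL-DSP body rather than introduced by the conversion. The `search:` scalar ends inside this hunk, but the trailing `how_to_implement` paragraph continues outside it.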
@@ -7,62 +7,55 @@ description: This analytic will detect the execution of sdelete.exe attempting t to destroy evidence or information sabotage. Sdelete is a SysInternals utility meant to securely delete files on disk. This tool is commonly used to clear tracks and artifact on the targeted host. -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where (like(process_cmd_line, "%.xls%") OR like(process_cmd_line, "%.gz%") - OR like(process_cmd_line, "%.tar%") OR like(process_cmd_line, "%.rar%") OR like(process_cmd_line, - "%.zip%") OR like(process_cmd_line, "%.7z%") OR like(process_cmd_line, "%.bmp%") - OR 
like(process_cmd_line, "%.gif%") OR like(process_cmd_line, "%.png%") OR like(process_cmd_line, - "%.jpg%") OR like(process_cmd_line, "%.txt%") OR like(process_cmd_line, "%.log%") - OR like(process_cmd_line, "%.key%") OR like(process_cmd_line, "%.pdf%") OR like(process_cmd_line, - "%.rtf%") OR like(process_cmd_line, "%.ppt%") OR like(process_cmd_line, "%.xls%") - OR like(process_cmd_line, "%.doc%") OR like(process_cmd_line, "%-nobanner%") OR - like(process_cmd_line, "%/accepteula%") OR like(process_cmd_line, "%-z %") OR like(process_cmd_line, - "%-s %") OR like(process_cmd_line, "%-q %") OR like(process_cmd_line, "%-r %") OR - like(process_cmd_line, "%-p %") OR like(process_cmd_line, "%-f %") OR like(process_cmd_line, - "%-c %")) AND like(process_file_name, "%sdelete%") - | eval body=create_map( - "devices", [ - create_map( - "hostname", device_hostname, "type_id", 0, "uuid", ucast(map_get(device,"uuid"), "string", null) - ) - ], - "time", timestamp, - "evidence", create_map("process.pid", process_pid, "process.file.path", process_file_path, "process.file.name", process_file_name, "process.cmd_line", process_cmd_line, "actor.user.name", actor_user_name, "actor.process.pid", actor_process_pid, "actor.process.file.path", actor_process_file_path, "actor.process.file.name", actor_process_file_name, "device.hostname", device_hostname), - "message", concat("Sdelete Application Execution has been triggered on ", device_hostname, " by ", actor_user_name, "."), - "users", [ - create_map( - "name", actor_user_name, "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - "risk_level_id", 2, - "risk_score", 42, - "severity_id", 0, - "rule", create_map("name", "Sdelete Application Execution", "uid", "fcc52b9a-4616-11ec-8454-acde48001122", "type", "Streaming"), - "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior 
Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where (process_cmd_line LIKE "%.xls%" + OR process_cmd_line LIKE "%.gz%" OR process_cmd_line LIKE "%.tar%" OR process_cmd_line + LIKE "%.rar%" OR process_cmd_line LIKE "%.zip%" OR process_cmd_line LIKE "%.7z%" + OR process_cmd_line LIKE "%.bmp%" OR process_cmd_line LIKE "%.gif%" OR process_cmd_line + LIKE "%.png%" OR process_cmd_line LIKE "%.jpg%" OR process_cmd_line LIKE "%.txt%" + OR process_cmd_line LIKE "%.log%" OR process_cmd_line LIKE "%.key%" OR process_cmd_line + LIKE "%.pdf%" OR process_cmd_line LIKE "%.rtf%" OR process_cmd_line LIKE "%.ppt%" + OR process_cmd_line LIKE "%.xls%" OR process_cmd_line LIKE "%.doc%" OR process_cmd_line + LIKE "%-nobanner%" OR process_cmd_line LIKE "%/accepteula%" OR process_cmd_line + LIKE "%-z %" OR process_cmd_line LIKE "%-s %" OR process_cmd_line LIKE "%-q %" OR + process_cmd_line LIKE "%-r %" OR process_cmd_line LIKE "%-p %" OR process_cmd_line + LIKE "%-f %" OR process_cmd_line LIKE "%-c %") AND process_file_name LIKE "%sdelete%" + + | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {"process.pid": 
process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname}, + message = "Sdelete Application Execution has been triggered on " + device_hostname + " by " + actor_user_name + ".", + users = [{"name": actor_user_name, "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = ["Information Sabotage", "Insider Threat"], + class_name = "Detection Report", + confidence = 70, + confidence_id = 3, + duration = 0, + impact = 60, + impact_id = 4, + kill_chain = [{"phase": "Actions on Objectives", "phase_id": 7}, {"phase": "Exploitation", "phase_id": 4}], + nist = ["DE.AE"], + risk_level = "Medium", + category_uid = 2, + class_uid = 102001, + risk_level_id = 2, + risk_score = 42, + severity_id = 0, + rule = {"name": "Sdelete Application Execution", "uid": "fcc52b9a-4616-11ec-8454-acde48001122", "type": "Streaming"}, + metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time + | into sink; ' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, 
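Review bot: The new `where` clause lists `process_cmd_line LIKE "%.xls%"` twice (first entry of the OR chain and again right after `"%.ppt%"`), and the chain is so broad (`%.txt%`, `%.log%`, `%-s %`, `%-q %`, ...) that almost any sdelete run with a space after a switch matches while `sdelete -s` at the very end of the command line does not; dropping the duplicate and matching switches on a boundary, e.g. `match(process_cmd_line, /(?i)\s[-\/](z|s|q|r|p|f|c)(\s|$)/)=true`, would tighten it if the switch filter is meant to stay. As in the other converted detections, the final `| fields ...` projects `observables`, which nothing in the `eval` assigns, so either remove it from the list or set `observables = [...]` alongside `devices` and `users`. The only binary check is `process_file_name LIKE "%sdelete%"`, so a renamed copy evades and any unrelated name containing that substring fires; that is pre-existing, but worth stating in the detection's false-positive notes, presumably elsewhere in this file. There is also an empty line inside the single-quoted `search:` scalar between `"%sdelete%"` and `| eval devices` (the bare `+` line) that the sibling detections in this diff do not have; YAML turns it into an embedded newline, likely harmless to SPL2, but it should go for consistency. The `how_to_implement` paragraph at the end of the hunk continues outside it.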
@@ -130,4 +123,5 @@ test: - file_name: security.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/sdelete/security.log source: WinEventLog:Security -runtime: SPL-DSP +runtime: SPL2 +internalVersion: 2 diff --git a/dist/ssa/srs/ssa___system_process_running_from_unexpected_location.yml b/dist/ssa/srs/ssa___system_process_running_from_unexpected_location.yml index 3a94ec65e6..40a33d85ed 100644 --- a/dist/ssa/srs/ssa___system_process_running_from_unexpected_location.yml +++ b/dist/ssa/srs/ssa___system_process_running_from_unexpected_location.yml 
@@ -8,262 +8,154 @@ description: An attacker tries might try to use different version of a system co run inside C:\\Windows\System32 or C:\\Windows\SysWOW64 The list of system processes has been extracted from https://github.com/splunk/security_content/blob/develop/lookups/is_windows_system_file.csv and the original detection https://github.com/splunk/security_content/blob/develop/detections/system_processes_run_from_unexpected_locations.yml -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where (process_file_name="xwizard.exe" OR process_file_name="xpsrchvw.exe" - OR process_file_name="xcopy.exe" OR 
process_file_name="wusa.exe" OR process_file_name="wuauclt.exe" - OR process_file_name="wuapp.exe" OR process_file_name="wuapihost.exe" OR process_file_name="wsqmcons.exe" - OR process_file_name="wsmprovhost.exe" OR process_file_name="wscript.exe" OR process_file_name="write.exe" - OR process_file_name="wpr.exe" OR process_file_name="wpnpinst.exe" OR process_file_name="wowreg32.exe" - OR process_file_name="wlrmdr.exe" OR process_file_name="wlanext.exe" OR process_file_name="wksprt.exe" - OR process_file_name="wkspbroker.exe" OR process_file_name="wisptis.exe" OR process_file_name="winver.exe" - OR process_file_name="winrshost.exe" OR process_file_name="winrs.exe" OR process_file_name="winresume.exe" - OR process_file_name="winlogon.exe" OR process_file_name="winload.exe" OR process_file_name="wininit.exe" - OR process_file_name="wimserv.exe" OR process_file_name="wifitask.exe" OR process_file_name="wiawow64.exe" - OR process_file_name="wiaacmgr.exe" OR process_file_name="whoami.exe" OR process_file_name="where.exe" - OR process_file_name="wextract.exe" OR process_file_name="wevtutil.exe" OR process_file_name="wermgr.exe" - OR process_file_name="wecutil.exe" OR process_file_name="wbengine.exe" OR process_file_name="wbadmin.exe" - OR process_file_name="waitfor.exe" OR process_file_name="w32tm.exe" OR process_file_name="vssadmin.exe" - OR process_file_name="vmicsvc.exe" OR process_file_name="verifiergui.exe" OR process_file_name="verifier.exe" - OR process_file_name="verclsid.exe" OR process_file_name="vdsldr.exe" OR process_file_name="vds.exe" - OR process_file_name="userinit.exe" OR process_file_name="upnpcont.exe" OR process_file_name="unregmp2.exe" - OR process_file_name="unlodctr.exe" OR process_file_name="ucsvc.exe" OR process_file_name="tzutil.exe" - OR process_file_name="tzsync.exe" OR process_file_name="typeperf.exe" OR process_file_name="tskill.exe" - OR process_file_name="tsdiscon.exe" OR process_file_name="tscon.exe" OR process_file_name="tracerpt.exe" - 
OR process_file_name="tpmvscmgrsvr.exe" OR process_file_name="tpmvscmgr.exe" OR - process_file_name="timeout.exe" OR process_file_name="tcmsetup.exe" OR process_file_name="taskmgr.exe" - OR process_file_name="tasklist.exe" OR process_file_name="taskkill.exe" OR process_file_name="taskhostw.exe" - OR process_file_name="taskhost.exe" OR process_file_name="taskeng.exe" OR process_file_name="takeown.exe" - OR process_file_name="tabcal.exe" OR process_file_name="systray.exe" OR process_file_name="systemreset.exe" - OR process_file_name="systeminfo.exe" OR process_file_name="syskey.exe" OR process_file_name="sxstrace.exe" - OR process_file_name="svchost.exe" OR process_file_name="subst.exe" OR process_file_name="srdelayed.exe" - OR process_file_name="spreview.exe" OR process_file_name="sppsvc.exe" OR process_file_name="spoolsv.exe" - OR process_file_name="spinstall.exe" OR process_file_name="sort.exe" OR process_file_name="snmptrap.exe" - OR process_file_name="smss.exe" OR process_file_name="slui.exe" OR process_file_name="sihost.exe" - OR process_file_name="sigverif.exe" OR process_file_name="shutdown.exe" OR process_file_name="shrpubw.exe" - OR process_file_name="shadow.exe" OR process_file_name="setx.exe" OR process_file_name="setupugc.exe" - OR process_file_name="setupcl.exe" OR process_file_name="setspn.exe" OR process_file_name="sethc.exe" - OR process_file_name="sessionmsg.exe" OR process_file_name="services.exe" OR process_file_name="secinit.exe" - OR process_file_name="sdiagnhost.exe" OR process_file_name="sdclt.exe" OR process_file_name="sdchange.exe" - OR process_file_name="sdbinst.exe" OR process_file_name="schtasks.exe" OR process_file_name="sc.exe" - OR process_file_name="sbunattend.exe" OR process_file_name="rwinsta.exe" OR process_file_name="runonce.exe" - OR process_file_name="rundll32.exe" OR process_file_name="runas.exe" OR process_file_name="rstrui.exe" - OR process_file_name="rrinstaller.exe" OR process_file_name="rmttpmvscmgrsvr.exe" - OR 
process_file_name="resmon.exe" OR process_file_name="reset.exe" OR process_file_name="replace.exe" - OR process_file_name="repair-bde.exe" OR process_file_name="relog.exe" OR process_file_name="rekeywiz.exe" - OR process_file_name="regsvr32.exe" OR process_file_name="regini.exe" OR process_file_name="regedt32.exe" - OR process_file_name="reg.exe" OR process_file_name="recover.exe" OR process_file_name="recdisc.exe" - OR process_file_name="rdrleakdiag.exe" OR process_file_name="rdpinput.exe" OR process_file_name="rdpclip.exe" - OR process_file_name="rasphone.exe" OR process_file_name="raserver.exe" OR process_file_name="rasdial.exe" - OR process_file_name="rasautou.exe" OR process_file_name="qwinsta.exe" OR process_file_name="quser.exe" - OR process_file_name="query.exe" OR process_file_name="qprocess.exe" OR process_file_name="qappsrv.exe" - OR process_file_name="pwlauncher.exe" OR process_file_name="psr.exe" OR process_file_name="provtool.exe" - OR process_file_name="proquota.exe" OR process_file_name="printui.exe" OR process_file_name="printfilterpipelinesvc.exe" - OR process_file_name="print.exe" OR process_file_name="prevhost.exe" OR process_file_name="powercfg.exe" - OR process_file_name="poqexec.exe" OR process_file_name="plasrv.exe" OR process_file_name="phoneactivate.exe" - OR process_file_name="perfmon.exe" OR process_file_name="pcwrun.exe" OR process_file_name="pcawrk.exe" - OR process_file_name="pcaui.exe" OR process_file_name="pcalua.exe" OR process_file_name="p2phost.exe" - OR process_file_name="osk.exe" OR process_file_name="openfiles.exe" OR process_file_name="omadmprc.exe" - OR process_file_name="omadmclient.exe" OR process_file_name="odbcconf.exe" OR process_file_name="odbcad32.exe" - OR process_file_name="ocsetup.exe" OR process_file_name="ntprint.exe" OR process_file_name="ntoskrnl.exe" - OR process_file_name="nslookup.exe" OR process_file_name="notepad.exe" OR process_file_name="nltest.exe" - OR process_file_name="newdev.exe" OR 
process_file_name="netsh.exe" OR process_file_name="netiougc.exe" - OR process_file_name="netcfg.exe" OR process_file_name="netbtugc.exe" OR process_file_name="net1.exe" - OR process_file_name="net.exe" OR process_file_name="ndadmin.exe" OR process_file_name="nbtstat.exe" - OR process_file_name="mtstocom.exe" OR process_file_name="mstsc.exe" OR process_file_name="msra.exe" - OR process_file_name="mspaint.exe" OR process_file_name="msinfo32.exe" OR process_file_name="msiexec.exe" - OR process_file_name="mshta.exe" OR process_file_name="msg.exe" OR process_file_name="msfeedssync.exe" - OR process_file_name="msdtc.exe" OR process_file_name="msdt.exe" OR process_file_name="msconfig.exe" - OR process_file_name="mpnotify.exe" OR process_file_name="mountvol.exe" OR process_file_name="mobsync.exe" - OR process_file_name="mmc.exe" OR process_file_name="mfpmp.exe" OR process_file_name="mctadmin.exe" - OR process_file_name="mcbuilder.exe" OR process_file_name="mblctr.exe" OR process_file_name="manage-bde.exe" - OR process_file_name="makecab.exe" OR process_file_name="lsm.exe" OR process_file_name="lsass.exe" - OR process_file_name="lpremove.exe" OR process_file_name="lpksetup.exe" OR process_file_name="lpkinstall.exe" - OR process_file_name="logoff.exe" OR process_file_name="logman.exe" OR process_file_name="logagent.exe" - OR process_file_name="lodctr.exe" OR process_file_name="licensingdiag.exe" OR process_file_name="label.exe" - OR process_file_name="ktmutil.exe" OR process_file_name="ksetup.exe" OR process_file_name="klist.exe" - OR process_file_name="isoburn.exe" OR process_file_name="iscsicpl.exe" OR process_file_name="iscsicli.exe" - OR process_file_name="irftp.exe" OR process_file_name="ipconfig.exe" OR process_file_name="immersivetpmvscmgrsvr.exe" - OR process_file_name="iexpress.exe" OR process_file_name="ieetwcollector.exe" OR - process_file_name="ieunatt.exe" OR process_file_name="ie4uinit.exe" OR process_file_name="icsunattend.exe" - OR 
process_file_name="icardagt.exe" OR process_file_name="icacls.exe" OR process_file_name="hwrreg.exe" - OR process_file_name="hwrcomp.exe" OR process_file_name="help.exe" OR process_file_name="hdwwiz.exe" - OR process_file_name="grpconv.exe" OR process_file_name="gpupdate.exe" OR process_file_name="gpscript.exe" - OR process_file_name="gpresult.exe" OR process_file_name="getmac.exe" OR process_file_name="fveprompt.exe" - OR process_file_name="fvenotify.exe" OR process_file_name="ftp.exe" OR process_file_name="fsutil.exe" - OR process_file_name="fsquirt.exe" OR process_file_name="fsavailux.exe" OR process_file_name="forfiles.exe" - OR process_file_name="fontview.exe" OR process_file_name="fontdrvhost.exe" OR process_file_name="fodhelper.exe" - OR process_file_name="fltmc.exe" OR process_file_name="fixmapi.exe" OR process_file_name="finger.exe" - OR process_file_name="findstr.exe" OR process_file_name="find.exe" OR process_file_name="fhmanagew.exe" - OR process_file_name="fc.exe" OR process_file_name="extrac32.exe" OR process_file_name="expand.exe" - OR process_file_name="eventvwr.exe" OR process_file_name="eventcreate.exe" OR process_file_name="eudcedit.exe" - OR process_file_name="esentutl.exe" OR process_file_name="embeddedapplauncher.exe" - OR process_file_name="efsui.exe" OR process_file_name="easinvoker.exe" OR process_file_name="dxdiag.exe" - OR process_file_name="dwm.exe" OR process_file_name="dvdupgrd.exe" OR process_file_name="dvdplay.exe" - OR process_file_name="dstokenclean.exe" OR process_file_name="dsregcmd.exe" OR process_file_name="drvinst.exe" - OR process_file_name="drvcfg.exe" OR process_file_name="driverquery.exe" OR process_file_name="dpnsvr.exe" - OR process_file_name="dpapimig.exe" OR process_file_name="doskey.exe" OR process_file_name="dnscacheugc.exe" - OR process_file_name="dmclient.exe" OR process_file_name="dmcfghost.exe" OR process_file_name="dmcertinst.exe" - OR process_file_name="dllhst3g.exe" OR process_file_name="dllhost.exe" OR 
process_file_name="djoin.exe" - OR process_file_name="dispdiag.exe" OR process_file_name="diskraid.exe" OR process_file_name="diskperf.exe" - OR process_file_name="diskpart.exe" OR process_file_name="dinotify.exe" OR process_file_name="diantz.exe" - OR process_file_name="dialer.exe" OR process_file_name="dfrgui.exe" OR process_file_name="ddodiag.exe" - OR process_file_name="dcomcnfg.exe" OR process_file_name="dccw.exe" OR process_file_name="dashost.exe" - OR process_file_name="cttunesvr.exe" OR process_file_name="cttune.exe" OR process_file_name="ctfmon.exe" - OR process_file_name="csrss.exe" OR process_file_name="cscript.exe" OR process_file_name="credwiz.exe" - OR process_file_name="convert.exe" OR process_file_name="control.exe" OR process_file_name="consent.exe" - OR process_file_name="conhost.exe" OR process_file_name="compact.exe" OR process_file_name="comp.exe" - OR process_file_name="colorcpl.exe" OR process_file_name="cofire.exe" OR process_file_name="cmstp.exe" - OR process_file_name="cmmon32.exe" OR process_file_name="cmdl32.exe" OR process_file_name="cmdkey.exe" - OR process_file_name="cmd.exe" OR process_file_name="clip.exe" OR process_file_name="cliconfg.exe" - OR process_file_name="cleanmgr.exe" OR process_file_name="cipher.exe" OR process_file_name="choice.exe" - OR process_file_name="chkntfs.exe" OR process_file_name="chkdsk.exe" OR process_file_name="chgusr.exe" - OR process_file_name="chgport.exe" OR process_file_name="chglogon.exe" OR process_file_name="charmap.exe" - OR process_file_name="changepk.exe" OR process_file_name="change.exe" OR process_file_name="certutil.exe" - OR process_file_name="certreq.exe" OR process_file_name="cdpreference.exe" OR process_file_name="calc.exe" - OR process_file_name="cacls.exe" OR process_file_name="bthudtask.exe" OR process_file_name="browser_broker.exe" - OR process_file_name="bridgeunattend.exe" OR process_file_name="bootsect.exe" OR - process_file_name="bootim.exe" OR process_file_name="bootcfg.exe" OR 
process_file_name="bitsadmin.exe" - OR process_file_name="bdeunlock.exe" OR process_file_name="bdechangepin.exe" OR - process_file_name="bcdedit.exe" OR process_file_name="bcdboot.exe" OR process_file_name="bcastdvr.exe" - OR process_file_name="backgroundtaskhost.exe" OR process_file_name="baaupdate.exe" - OR process_file_name="autofmt.exe" OR process_file_name="autoconv.exe" OR process_file_name="autochk.exe" - OR process_file_name="auditpol.exe" OR process_file_name="audiodg.exe" OR process_file_name="attrib.exe" - OR process_file_name="at.exe" OR process_file_name="appidpolicyconverter.exe" OR - process_file_name="appidcertstorecheck.exe" OR process_file_name="alg.exe" OR process_file_name="aitstatic.exe" - OR process_file_name="aitagent.exe" OR process_file_name="acu.exe" OR process_file_name="wpcmon.exe" - OR process_file_name="workfolders.exe" OR process_file_name="windowsupdateelevatedinstaller.exe" - OR process_file_name="windowsanytimeupgradeui.exe" OR process_file_name="windowsanytimeupgraderesults.exe" - OR process_file_name="windowsanytimeupgrade.exe" OR process_file_name="windowsactiondialog.exe" - OR process_file_name="windows.media.backgroundplayback.exe" OR process_file_name="winsat.exe" - OR process_file_name="werfaultsecure.exe" OR process_file_name="werfault.exe" OR - process_file_name="webcache.exe" OR process_file_name="wallpaperhost.exe" OR process_file_name="wwahost.exe" - OR process_file_name="wudfhost.exe" OR process_file_name="wsreset.exe" OR process_file_name="wsmanhttpconfig.exe" - OR process_file_name="wscollect.exe" OR process_file_name="wpdshextautoplay.exe" - OR process_file_name="wmpdmc.exe" OR process_file_name="wfs.exe" OR process_file_name="vaultsysui.exe" - OR process_file_name="vaultcmd.exe" OR process_file_name="vssvc.exe" OR process_file_name="utilman.exe" - OR process_file_name="usoclient.exe" OR process_file_name="useraccountcontrolsettings.exe" - OR process_file_name="useraccountbroker.exe" OR 
process_file_name="upgraderesultsui.exe" - OR process_file_name="ui0detect.exe" OR process_file_name="tswpfwrp.exe" OR process_file_name="tpminit.exe" - OR process_file_name="tokenbrokercookies.exe" OR process_file_name="thumbnailextractionhost.exe" - OR process_file_name="taskmgr.exe" OR process_file_name="tapiunattend.exe" OR process_file_name="tswbprxy.exe" - OR process_file_name="tstheme.exe" OR process_file_name="tracert.exe" OR process_file_name="tcpsvcs.exe" - OR process_file_name="systemsettingsremovedevice.exe" OR process_file_name="systemsettingsbroker.exe" - OR process_file_name="systemsettingsadminflows.exe" OR process_file_name="systempropertiesremote.exe" - OR process_file_name="systempropertiesprotection.exe" OR process_file_name="systempropertiesperformance.exe" - OR process_file_name="systempropertieshardware.exe" OR process_file_name="systempropertiesdataexecutionprevention.exe" - OR process_file_name="systempropertiescomputername.exe" OR process_file_name="systempropertiesadvanced.exe" - OR process_file_name="sysreseterr.exe" OR process_file_name="synchost.exe" OR process_file_name="stikynot.exe" - OR process_file_name="srtasks.exe" OR process_file_name="sppextcomobj.exe" OR process_file_name="spaceagent.exe" - OR process_file_name="soundrecorder.exe" OR process_file_name="snippingtool.exe" - OR process_file_name="sndvol.exe" OR process_file_name="smartscreensettings.exe" - OR process_file_name="slidetoshutdown.exe" OR process_file_name="settingsynchost.exe" - OR process_file_name="setieinstalleddate.exe" OR process_file_name="sensordataservice.exe" - OR process_file_name="secedit.exe" OR process_file_name="searchprotocolhost.exe" - OR process_file_name="searchindexer.exe" OR process_file_name="searchfilterhost.exe" - OR process_file_name="sihclient.exe" OR process_file_name="runtimebroker.exe" OR - process_file_name="runlegacycplelevated.exe" OR process_file_name="rpcping.exe" - OR process_file_name="rmclient.exe" OR 
process_file_name="remoteposworker.exe" OR - process_file_name="relpost.exe" OR process_file_name="registeriepkeys.exe" OR process_file_name="register-cimprovider.exe" - OR process_file_name="recoverydrive.exe" OR process_file_name="reagentc.exe" OR - process_file_name="rdpsauachelper.exe" OR process_file_name="rdpsaproxy.exe" OR - process_file_name="rdpsa.exe" OR process_file_name="route.exe" OR process_file_name="rmactivate_ssp_isv.exe" - OR process_file_name="rmactivate_ssp.exe" OR process_file_name="rmactivate_isv.exe" - OR process_file_name="rmactivate.exe" OR process_file_name="rdspnf.exe" OR process_file_name="proximityuxhost.exe" - OR process_file_name="printisolationhost.exe" OR process_file_name="printdialoghost3d.exe" - OR process_file_name="printdialoghost.exe" OR process_file_name="printbrmui.exe" - OR process_file_name="presentationsettings.exe" OR process_file_name="presentationhost.exe" - OR process_file_name="pnputil.exe" OR process_file_name="pnpunattend.exe" OR process_file_name="pkgmgr.exe" - OR process_file_name="pickerhost.exe" OR process_file_name="passwordonwakesettingflyout.exe" - OR process_file_name="ping.exe" OR process_file_name="pathping.exe" OR process_file_name="optionalfeatures.exe" - OR process_file_name="openwith.exe" OR process_file_name="networkuxbroker.exe" OR - process_file_name="netplwiz.exe" OR process_file_name="netproj.exe" OR process_file_name="netevtfwdr.exe" - OR process_file_name="netcfgnotifyobjecthost.exe" OR process_file_name="narrator.exe" - OR process_file_name="netstat.exe" OR process_file_name="napstat.exe" OR process_file_name="musnotificationux.exe" - OR process_file_name="musnotification.exe" OR process_file_name="multidigimon.exe" - OR process_file_name="muiunattend.exe" OR process_file_name="msspellcheckinghost.exe" - OR process_file_name="mpsigstub.exe" OR process_file_name="migautoplay.exe" OR process_file_name="mdsched.exe" - OR process_file_name="mdres.exe" OR process_file_name="mbaeparsertask.exe" OR 
process_file_name="magnify.exe" - OR process_file_name="mschedexe.exe" OR process_file_name="mrt.exe" OR process_file_name="mrinfo.exe" - OR process_file_name="mdmappinstaller.exe" OR process_file_name="mdmagent.exe" OR - process_file_name="mdeserver.exe" OR process_file_name="lsaiso.exe" OR process_file_name="logonui.exe" - OR process_file_name="lockscreencontentserver.exe" OR process_file_name="lockapphost.exe" - OR process_file_name="locator.exe" OR process_file_name="locationnotifications.exe" - OR process_file_name="locationnotificationwindows.exe" OR process_file_name="licensingui.exe" - OR process_file_name="licensemanagershellext.exe" OR process_file_name="legacynetuxhost.exe" - OR process_file_name="launchwinapp.exe" OR process_file_name="launchtm.exe" OR process_file_name="languagecomponentsinstallercomhandler.exe" - OR process_file_name="installagent.exe" OR process_file_name="infdefaultinstall.exe" - OR process_file_name="icsentitlementhost.exe" OR process_file_name="hostname.exe" - OR process_file_name="gettingstarted.exe" OR process_file_name="genvalobj.exe" OR - process_file_name="gamepanel.exe" OR process_file_name="fondue.exe" OR process_file_name="filehistory.exe" - OR process_file_name="fxsunatd.exe" OR process_file_name="fxssvc.exe" OR process_file_name="fxscover.exe" - OR process_file_name="ehstorauthn.exe" OR process_file_name="easeofaccessdialog.exe" - OR process_file_name="easpoliciesbrokerhost.exe" OR process_file_name="eap3host.exe" - OR process_file_name="eosnotify.exe" OR process_file_name="edpcleanup.exe" OR process_file_name="dxpserver.exe" - OR process_file_name="dsmusertask.exe" OR process_file_name="dpiscaling.exe" OR - process_file_name="dmomacpmo.exe" OR process_file_name="dmnotificationbroker.exe" - OR process_file_name="displayswitch.exe" OR process_file_name="dism.exe" OR process_file_name="disksnapshot.exe" - OR process_file_name="deviceproperties.exe" OR process_file_name="devicepairingwizard.exe" - OR 
process_file_name="deviceenroller.exe" OR process_file_name="deviceeject.exe" - OR process_file_name="devicedisplayobjectprovider.exe" OR process_file_name="defrag.exe" - OR process_file_name="dataexchangehost.exe" OR process_file_name="dwwin.exe" OR - process_file_name="dfdwiz.exe" OR process_file_name="credentialuibroker.exe" OR - process_file_name="computerdefaults.exe" OR process_file_name="compattelrunner.exe" - OR process_file_name="compmgmtlauncher.exe" OR process_file_name="cloudstoragewizard.exe" - OR process_file_name="cloudnotifications.exe" OR process_file_name="cloudexperiencehostbroker.exe" - OR process_file_name="clipup.exe" OR process_file_name="checknetisolation.exe" OR - process_file_name="certenrollctrl.exe" OR process_file_name="castsrv.exe" OR process_file_name="camerasettingsuihost.exe" - OR process_file_name="bytecodegenerator.exe" OR process_file_name="bitlockerwizardelev.exe" - OR process_file_name="bitlockerwizard.exe" OR process_file_name="bitlockerdeviceencryption.exe" - OR process_file_name="bdeunlockwizard.exe" OR process_file_name="bdeuisrv.exe" OR - process_file_name="bdehdcfg.exe" OR process_file_name="backgroundtransferhost.exe" - OR process_file_name="axinstui.exe" OR process_file_name="autoworkplace.exe" OR - process_file_name="authhost.exe" OR process_file_name="atbroker.exe" OR process_file_name="applicationframehost.exe" - OR process_file_name="adaptertroubleshooter.exe" OR process_file_name="arp.exe") - AND (NOT match_regex(process_file_path, /(?i)\\windows\\syswow64/)=true) AND (NOT - match_regex(process_file_path, /(?i)\\windows\\system32/)=true) - | eval body=create_map( - "devices", [ - create_map( - "hostname", device_hostname, "type_id", 0, "uuid", ucast(map_get(device,"uuid"), "string", null) - ) - ], - "time", timestamp, - "evidence", create_map("process.pid", process_pid, "process.file.path", process_file_path, "process.file.name", process_file_name, "process.cmd_line", process_cmd_line, "actor.user.name", 
actor_user_name, "actor.process.pid", actor_process_pid, "actor.process.file.path", actor_process_file_path, "actor.process.file.name", actor_process_file_name, "device.hostname", device_hostname), - "message", concat("System Process Running from Unexpected Location has been triggered on ", device_hostname, " by ", actor_user_name, "."), - "users", [ - create_map( - "name", actor_user_name, "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - "risk_level_id", 2, - "risk_score", 56, - "severity_id", 0, - "rule", create_map("name", "System Process Running from Unexpected Location", "uid", "28179107-099a-464a-94d3-08301e6c055f", "type", "Streaming"), - "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where (process_file_name IN ("xwizard.exe", + "xpsrchvw.exe", "xcopy.exe", "wusa.exe", "wuauclt.exe", "wuapp.exe", "wuapihost.exe", + "wsqmcons.exe", "wsmprovhost.exe", "wscript.exe", "write.exe", "wpr.exe", "wpnpinst.exe", + "wowreg32.exe", "wlrmdr.exe", 
"wlanext.exe", "wksprt.exe", "wkspbroker.exe", "wisptis.exe", + "winver.exe", "winrshost.exe", "winrs.exe", "winresume.exe", "winlogon.exe", "winload.exe", + "wininit.exe", "wimserv.exe", "wifitask.exe", "wiawow64.exe", "wiaacmgr.exe", "whoami.exe", + "where.exe", "wextract.exe", "wevtutil.exe", "wermgr.exe", "wecutil.exe", "wbengine.exe", + "wbadmin.exe", "waitfor.exe", "w32tm.exe", "vssadmin.exe", "vmicsvc.exe", "verifiergui.exe", + "verifier.exe", "verclsid.exe", "vdsldr.exe", "vds.exe", "userinit.exe", "upnpcont.exe", + "unregmp2.exe", "unlodctr.exe", "ucsvc.exe", "tzutil.exe", "tzsync.exe", "typeperf.exe", + "tskill.exe", "tsdiscon.exe", "tscon.exe", "tracerpt.exe", "tpmvscmgrsvr.exe", "tpmvscmgr.exe", + "timeout.exe", "tcmsetup.exe", "taskmgr.exe", "tasklist.exe", "taskkill.exe", "taskhostw.exe", + "taskhost.exe", "taskeng.exe", "takeown.exe", "tabcal.exe", "systray.exe", "systemreset.exe", + "systeminfo.exe", "syskey.exe", "sxstrace.exe", "svchost.exe", "subst.exe", "srdelayed.exe", + "spreview.exe", "sppsvc.exe", "spoolsv.exe", "spinstall.exe", "sort.exe", "snmptrap.exe", + "smss.exe", "slui.exe", "sihost.exe", "sigverif.exe", "shutdown.exe", "shrpubw.exe", + "shadow.exe", "setx.exe", "setupugc.exe", "setupcl.exe", "setspn.exe", "sethc.exe", + "sessionmsg.exe", "services.exe", "secinit.exe", "sdiagnhost.exe", "sdclt.exe", + "sdchange.exe", "sdbinst.exe", "schtasks.exe", "sc.exe", "sbunattend.exe", "rwinsta.exe", + "runonce.exe", "rundll32.exe", "runas.exe", "rstrui.exe", "rrinstaller.exe", "rmttpmvscmgrsvr.exe", + "resmon.exe", "reset.exe", "replace.exe", "repair-bde.exe", "relog.exe", "rekeywiz.exe", + "regsvr32.exe", "regini.exe", "regedt32.exe", "reg.exe", "recover.exe", "recdisc.exe", + "rdrleakdiag.exe", "rdpinput.exe", "rdpclip.exe", "rasphone.exe", "raserver.exe", + "rasdial.exe", "rasautou.exe", "qwinsta.exe", "quser.exe", "query.exe", "qprocess.exe", + "qappsrv.exe", "pwlauncher.exe", "psr.exe", "provtool.exe", "proquota.exe", "printui.exe", + 
"printfilterpipelinesvc.exe", "print.exe", "prevhost.exe", "powercfg.exe", "poqexec.exe", + "plasrv.exe", "phoneactivate.exe", "perfmon.exe", "pcwrun.exe", "pcawrk.exe", "pcaui.exe", + "pcalua.exe", "p2phost.exe", "osk.exe", "openfiles.exe", "omadmprc.exe", "omadmclient.exe", + "odbcconf.exe", "odbcad32.exe", "ocsetup.exe", "ntprint.exe", "ntoskrnl.exe", "nslookup.exe", + "notepad.exe", "nltest.exe", "newdev.exe", "netsh.exe", "netiougc.exe", "netcfg.exe", + "netbtugc.exe", "net1.exe", "net.exe", "ndadmin.exe", "nbtstat.exe", "mtstocom.exe", + "mstsc.exe", "msra.exe", "mspaint.exe", "msinfo32.exe", "msiexec.exe", "mshta.exe", + "msg.exe", "msfeedssync.exe", "msdtc.exe", "msdt.exe", "msconfig.exe", "mpnotify.exe", + "mountvol.exe", "mobsync.exe", "mmc.exe", "mfpmp.exe", "mctadmin.exe", "mcbuilder.exe", + "mblctr.exe", "manage-bde.exe", "makecab.exe", "lsm.exe", "lsass.exe", "lpremove.exe", + "lpksetup.exe", "lpkinstall.exe", "logoff.exe", "logman.exe", "logagent.exe", "lodctr.exe", + "licensingdiag.exe", "label.exe", "ktmutil.exe", "ksetup.exe", "klist.exe", "isoburn.exe", + "iscsicpl.exe", "iscsicli.exe", "irftp.exe", "ipconfig.exe", "immersivetpmvscmgrsvr.exe", + "iexpress.exe", "ieetwcollector.exe", "ieunatt.exe", "ie4uinit.exe", "icsunattend.exe", + "icardagt.exe", "icacls.exe", "hwrreg.exe", "hwrcomp.exe", "help.exe", "hdwwiz.exe", + "grpconv.exe", "gpupdate.exe", "gpscript.exe", "gpresult.exe", "getmac.exe", "fveprompt.exe", + "fvenotify.exe", "ftp.exe", "fsutil.exe", "fsquirt.exe", "fsavailux.exe", "forfiles.exe", + "fontview.exe", "fontdrvhost.exe", "fodhelper.exe", "fltmc.exe", "fixmapi.exe", + "finger.exe", "findstr.exe", "find.exe", "fhmanagew.exe", "fc.exe", "extrac32.exe", + "expand.exe", "eventvwr.exe", "eventcreate.exe", "eudcedit.exe", "esentutl.exe", + "embeddedapplauncher.exe", "efsui.exe", "easinvoker.exe", "dxdiag.exe", "dwm.exe", + "dvdupgrd.exe", "dvdplay.exe", "dstokenclean.exe", "dsregcmd.exe", "drvinst.exe", + "drvcfg.exe", 
"driverquery.exe", "dpnsvr.exe", "dpapimig.exe", "doskey.exe", "dnscacheugc.exe", + "dmclient.exe", "dmcfghost.exe", "dmcertinst.exe", "dllhst3g.exe", "dllhost.exe", + "djoin.exe", "dispdiag.exe", "diskraid.exe", "diskperf.exe", "diskpart.exe", "dinotify.exe", + "diantz.exe", "dialer.exe", "dfrgui.exe", "ddodiag.exe", "dcomcnfg.exe", "dccw.exe", + "dashost.exe", "cttunesvr.exe", "cttune.exe", "ctfmon.exe", "csrss.exe", "cscript.exe", + "credwiz.exe", "convert.exe", "control.exe", "consent.exe", "conhost.exe", "compact.exe", + "comp.exe", "colorcpl.exe", "cofire.exe", "cmstp.exe", "cmmon32.exe", "cmdl32.exe", + "cmdkey.exe", "cmd.exe", "clip.exe", "cliconfg.exe", "cleanmgr.exe", "cipher.exe", + "choice.exe", "chkntfs.exe", "chkdsk.exe", "chgusr.exe", "chgport.exe", "chglogon.exe", + "charmap.exe", "changepk.exe", "change.exe", "certutil.exe", "certreq.exe", "cdpreference.exe", + "calc.exe", "cacls.exe", "bthudtask.exe", "browser_broker.exe", "bridgeunattend.exe", + "bootsect.exe", "bootim.exe", "bootcfg.exe", "bitsadmin.exe", "bdeunlock.exe", "bdechangepin.exe", + "bcdedit.exe", "bcdboot.exe", "bcastdvr.exe", "backgroundtaskhost.exe", "baaupdate.exe", + "autofmt.exe", "autoconv.exe", "autochk.exe", "auditpol.exe", "audiodg.exe", "attrib.exe", + "at.exe", "appidpolicyconverter.exe", "appidcertstorecheck.exe", "alg.exe", "aitstatic.exe", + "aitagent.exe", "acu.exe", "wpcmon.exe", "workfolders.exe", "windowsupdateelevatedinstaller.exe", + "windowsanytimeupgradeui.exe", "windowsanytimeupgraderesults.exe", "windowsanytimeupgrade.exe", + "windowsactiondialog.exe", "windows.media.backgroundplayback.exe", "winsat.exe", + "werfaultsecure.exe", "werfault.exe", "webcache.exe", "wallpaperhost.exe", "wwahost.exe", + "wudfhost.exe", "wsreset.exe", "wsmanhttpconfig.exe", "wscollect.exe", "wpdshextautoplay.exe", + "wmpdmc.exe", "wfs.exe", "vaultsysui.exe", "vaultcmd.exe", "vssvc.exe", "utilman.exe", + "usoclient.exe", "useraccountcontrolsettings.exe", "useraccountbroker.exe", 
"upgraderesultsui.exe", + "ui0detect.exe", "tswpfwrp.exe", "tpminit.exe", "tokenbrokercookies.exe", "thumbnailextractionhost.exe", + "taskmgr.exe", "tapiunattend.exe", "tswbprxy.exe", "tstheme.exe", "tracert.exe", + "tcpsvcs.exe", "systemsettingsremovedevice.exe", "systemsettingsbroker.exe", "systemsettingsadminflows.exe", + "systempropertiesremote.exe", "systempropertiesprotection.exe", "systempropertiesperformance.exe", + "systempropertieshardware.exe", "systempropertiesdataexecutionprevention.exe", "systempropertiescomputername.exe", + "systempropertiesadvanced.exe", "sysreseterr.exe", "synchost.exe", "stikynot.exe", + "srtasks.exe", "sppextcomobj.exe", "spaceagent.exe", "soundrecorder.exe", "snippingtool.exe", + "sndvol.exe", "smartscreensettings.exe", "slidetoshutdown.exe", "settingsynchost.exe", + "setieinstalleddate.exe", "sensordataservice.exe", "secedit.exe", "searchprotocolhost.exe", + "searchindexer.exe", "searchfilterhost.exe", "sihclient.exe", "runtimebroker.exe", + "runlegacycplelevated.exe", "rpcping.exe", "rmclient.exe", "remoteposworker.exe", + "relpost.exe", "registeriepkeys.exe", "register-cimprovider.exe", "recoverydrive.exe", + "reagentc.exe", "rdpsauachelper.exe", "rdpsaproxy.exe", "rdpsa.exe", "route.exe", + "rmactivate_ssp_isv.exe", "rmactivate_ssp.exe", "rmactivate_isv.exe", "rmactivate.exe", + "rdspnf.exe", "proximityuxhost.exe", "printisolationhost.exe", "printdialoghost3d.exe", + "printdialoghost.exe", "printbrmui.exe", "presentationsettings.exe", "presentationhost.exe", + "pnputil.exe", "pnpunattend.exe", "pkgmgr.exe", "pickerhost.exe", "passwordonwakesettingflyout.exe", + "ping.exe", "pathping.exe", "optionalfeatures.exe", "openwith.exe", "networkuxbroker.exe", + "netplwiz.exe", "netproj.exe", "netevtfwdr.exe", "netcfgnotifyobjecthost.exe", "narrator.exe", + "netstat.exe", "napstat.exe", "musnotificationux.exe", "musnotification.exe", "multidigimon.exe", + "muiunattend.exe", "msspellcheckinghost.exe", "mpsigstub.exe", 
"migautoplay.exe", + "mdsched.exe", "mdres.exe", "mbaeparsertask.exe", "magnify.exe", "mschedexe.exe", + "mrt.exe", "mrinfo.exe", "mdmappinstaller.exe", "mdmagent.exe", "mdeserver.exe", + "lsaiso.exe", "logonui.exe", "lockscreencontentserver.exe", "lockapphost.exe", "locator.exe", + "locationnotifications.exe", "locationnotificationwindows.exe", "licensingui.exe", + "licensemanagershellext.exe", "legacynetuxhost.exe", "launchwinapp.exe", "launchtm.exe", + "languagecomponentsinstallercomhandler.exe", "installagent.exe", "infdefaultinstall.exe", + "icsentitlementhost.exe", "hostname.exe", "gettingstarted.exe", "genvalobj.exe", + "gamepanel.exe", "fondue.exe", "filehistory.exe", "fxsunatd.exe", "fxssvc.exe", + "fxscover.exe", "ehstorauthn.exe", "easeofaccessdialog.exe", "easpoliciesbrokerhost.exe", + "eap3host.exe", "eosnotify.exe", "edpcleanup.exe", "dxpserver.exe", "dsmusertask.exe", + "dpiscaling.exe", "dmomacpmo.exe", "dmnotificationbroker.exe", "displayswitch.exe", + "dism.exe", "disksnapshot.exe", "deviceproperties.exe", "devicepairingwizard.exe", + "deviceenroller.exe", "deviceeject.exe", "devicedisplayobjectprovider.exe", "defrag.exe", + "dataexchangehost.exe", "dwwin.exe", "dfdwiz.exe", "credentialuibroker.exe", "computerdefaults.exe", + "compattelrunner.exe", "compmgmtlauncher.exe", "cloudstoragewizard.exe", "cloudnotifications.exe", + "cloudexperiencehostbroker.exe", "clipup.exe", "checknetisolation.exe", "certenrollctrl.exe", + "castsrv.exe", "camerasettingsuihost.exe", "bytecodegenerator.exe", "bitlockerwizardelev.exe", + "bitlockerwizard.exe", "bitlockerdeviceencryption.exe", "bdeunlockwizard.exe", "bdeuisrv.exe", + "bdehdcfg.exe", "backgroundtransferhost.exe", "axinstui.exe", "autoworkplace.exe", + "authhost.exe", "atbroker.exe", "applicationframehost.exe", "adaptertroubleshooter.exe", + "arp.exe")) AND (NOT match(process_file_path, /(?i)\\windows\\syswow64/)=true) AND + (NOT match(process_file_path, /(?i)\\windows\\system32/)=true) + | eval devices = 
[{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname}, + message = "System Process Running from Unexpected Location has been triggered on " + device_hostname + " by " + actor_user_name + ".", + users = [{"name": actor_user_name, "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = ["Windows Defense Evasion Tactics", "Masquerading - Rename System Utilities"], + class_name = "Detection Report", + confidence = 80, + confidence_id = 3, + duration = 0, + impact = 70, + impact_id = 4, + kill_chain = [{"phase": "Exploitation", "phase_id": 4}], + nist = ["DE.AE"], + risk_level = "Medium", + category_uid = 2, + class_uid = 102001, + risk_level_id = 2, + risk_score = 56, + severity_id = 0, + rule = {"name": "System Process Running from Unexpected Location", "uid": "28179107-099a-464a-94d3-08301e6c055f", "type": "Streaming"}, + metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time + | into sink; ' how_to_implement: Collect endpoint data such as sysmon or 4688 events. known_false_positives: None references: [] 
@@ -322,4 +214,5 @@ test:
 - file_name: windows-security.log
 data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/system_process_running_unexpected_location/windows-security.log
 source: WinEventLog:Security
-runtime: SPL-DSP
+runtime: SPL2
+internalVersion: 2
diff --git a/dist/ssa/srs/ssa___wbadmin_delete_system_backups.yml b/dist/ssa/srs/ssa___wbadmin_delete_system_backups.yml
index 2b8e02d1a0..17dedba278 100644
--- a/dist/ssa/srs/ssa___wbadmin_delete_system_backups.yml
+++ b/dist/ssa/srs/ssa___wbadmin_delete_system_backups.yml
@@ -5,52 +5,45 @@ status: production description: This search looks for flags passed to wbadmin.exe (Windows Backup Administrator Tool) that delete backup files. This is typically used by ransomware to prevent recovery. -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where process_file_name="wbadmin.exe" AND (like(process_cmd_line, "%systemstatebackup%") - OR like(process_cmd_line, "%catalog%") OR like(process_cmd_line, "%delete%")) - | eval body=create_map( - "devices", [ - create_map( - "hostname", device_hostname, "type_id", 0, "uuid", ucast(map_get(device,"uuid"), "string", null) - ) - ], - "time", 
timestamp, - "evidence", create_map("process.pid", process_pid, "process.file.path", process_file_path, "process.file.name", process_file_name, "process.cmd_line", process_cmd_line, "actor.user.name", actor_user_name, "actor.process.pid", actor_process_pid, "actor.process.file.path", actor_process_file_path, "actor.process.file.name", actor_process_file_name, "device.hostname", device_hostname), - "message", concat("WBAdmin Delete System Backups has been triggered on ", device_hostname, " by ", actor_user_name, "."), - "users", [ - create_map( - "name", actor_user_name, "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - "risk_level_id", 0, - "risk_score", 15, - "severity_id", 0, - "rule", create_map("name", "WBAdmin Delete System Backups", "uid", "71efbf52-4dbb-4c00-a520-306aa546cbb7", "type", "Streaming"), - "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where process_file_name="wbadmin.exe" + AND (process_cmd_line LIKE "%systemstatebackup%" OR 
process_cmd_line LIKE "%catalog%" + OR process_cmd_line LIKE "%delete%") + | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname}, + message = "WBAdmin Delete System Backups has been triggered on " + device_hostname + " by " + actor_user_name + ".", + users = [{"name": actor_user_name, "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = ["Ryuk Ransomware", "Ransomware"], + class_name = "Detection Report", + confidence = 50, + confidence_id = 2, + duration = 0, + impact = 30, + impact_id = 2, + kill_chain = [{"phase": "Actions on Objectives", "phase_id": 7}], + nist = ["DE.AE"], + risk_level = "Info", + category_uid = 2, + class_uid = 102001, + risk_level_id = 0, + risk_score = 15, + severity_id = 0, + rule = {"name": "WBAdmin Delete System Backups", "uid": "71efbf52-4dbb-4c00-a520-306aa546cbb7", "type": "Streaming"}, + metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time + | into sink; ' how_to_implement: To successfully implement this search you need to be ingesting information on process 
that include the name of the process responsible for the changes from your endpoints into the `Endpoint_Processess` datamodel.
@@ -115,4 +108,5 @@ test:
 - file_name: windows-security_bcdedit_wbadmin.log
 data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/atomic_red_team/windows-security_bcdedit_wbadmin.log
 source: WinEventLog:Security
-runtime: SPL-DSP
+runtime: SPL2
+internalVersion: 2
diff --git a/dist/ssa/srs/ssa___wevtutil_usage_to_clear_logs.yml b/dist/ssa/srs/ssa___wevtutil_usage_to_clear_logs.yml
index d435af7fac..d7a49ca99f 100644
--- a/dist/ssa/srs/ssa___wevtutil_usage_to_clear_logs.yml
+++ b/dist/ssa/srs/ssa___wevtutil_usage_to_clear_logs.yml
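Review bot: The new `| fields ...` list at the end of the search selects `observables`, but nothing in the preceding `eval` assigns an `observables` field (only `devices`, `evidence`, `users` and the scalar risk/metadata fields are set), so the emitted finding will presumably carry an empty or missing `observables` column; either add `observables = [...]` to the eval or drop the name from `fields`. The same list is emitted in the System Process Running from Unexpected Location hunk above and in the wevtutil hunks below, so the fix belongs in whatever generates these `dist/ssa/srs` files rather than in each YAML. The unchanged `how_to_implement` context still spells the datamodel `Endpoint_Processess`, which reads as a typo carried over from the old text.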
@@ -5,55 +5,47 @@ status: production description: The wevtutil.exe application is the windows event log utility. This searches for wevtutil.exe with parameters for clearing the application, security, setup, powershell, sysmon, or system event logs. -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where (match_regex(process_cmd_line, /(?i)powershell/)=true OR match_regex(process_cmd_line, - /(?i)setup/)=true OR match_regex(process_cmd_line, /(?i)application/)=true OR match_regex(process_cmd_line, - /(?i)sysmon/)=true OR match_regex(process_cmd_line, /(?i)system/)=true OR match_regex(process_cmd_line, - 
/(?i)security/)=true) AND like(process_cmd_line, "% cl %") AND process_file_name="wevtutil.exe" - - | eval body=create_map( - "devices", [ - create_map( - "hostname", device_hostname, "type_id", 0, "uuid", ucast(map_get(device,"uuid"), "string", null) - ) - ], - "time", timestamp, - "evidence", create_map("process.pid", process_pid, "process.file.path", process_file_path, "process.file.name", process_file_name, "process.cmd_line", process_cmd_line, "actor.user.name", actor_user_name, "actor.process.pid", actor_process_pid, "actor.process.file.path", actor_process_file_path, "actor.process.file.name", actor_process_file_name, "device.hostname", device_hostname), - "message", concat("WevtUtil Usage To Clear Logs has been triggered on ", device_hostname, " by ", actor_user_name, "."), - "users", [ - create_map( - "name", actor_user_name, "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - "risk_level_id", 3, - "risk_score", 63, - "severity_id", 0, - "rule", create_map("name", "WevtUtil Usage To Clear Logs", "uid", "5438113c-cdd9-11eb-93b8-acde48001122", "type", "Streaming"), - "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = 
actor_process.file | eval actor_process_file_path =
+ actor_process_file.path | eval actor_process_file_name = actor_process_file.name
+ | eval device_hostname = device.hostname | where (match(process_cmd_line, /(?i)powershell/)=true
+ OR match(process_cmd_line, /(?i)setup/)=true OR match(process_cmd_line, /(?i)application/)=true
+ OR match(process_cmd_line, /(?i)sysmon/)=true OR match(process_cmd_line, /(?i)system/)=true
+ OR match(process_cmd_line, /(?i)security/)=true) AND process_cmd_line LIKE "% cl
+ %" AND process_file_name="wevtutil.exe"
+ | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}],
+ time = timestamp,
+ evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname},
+ message = "WevtUtil Usage To Clear Logs has been triggered on " + device_hostname + " by " + actor_user_name + ".",
+ users = [{"name": actor_user_name, "uid": actor_user.uid}],
+ activity_id = 1,
+ cis_csc = [{"control": "CIS 10", "version": 8}],
+ analytic_stories = ["Windows Log Manipulation", "Ransomware", "Clop Ransomware", "Insider Threat", "CISA AA22-264A"],
+ class_name = "Detection Report",
+ confidence = 90,
+ confidence_id = 3,
+ duration = 0,
+ impact = 70,
+ impact_id = 4,
+ kill_chain = [{"phase": "Exploitation", "phase_id": 4}],
+ nist = ["DE.AE"],
+ risk_level = "High",
+ category_uid = 2,
+ class_uid = 102001,
+ risk_level_id = 3,
+ risk_score = 63,
+ severity_id = 0,
+ rule = {"name": "WevtUtil Usage To Clear Logs", "uid": "5438113c-cdd9-11eb-93b8-acde48001122", "type": "Streaming"},
+ metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2",
"logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time + | into sink; ' how_to_implement: You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. @@ -122,4 +114,5 @@ test: - file_name: clear_evt.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070.001/ssa_wevtutil/clear_evt.log source: WinEventLog:Security -runtime: SPL-DSP +runtime: SPL2 +internalVersion: 2 diff --git a/dist/ssa/srs/ssa___wevtutil_usage_to_disable_logs.yml b/dist/ssa/srs/ssa___wevtutil_usage_to_disable_logs.yml index f2b9f9c122..6fe1551702 100644 --- a/dist/ssa/srs/ssa___wevtutil_usage_to_disable_logs.yml +++ b/dist/ssa/srs/ssa___wevtutil_usage_to_disable_logs.yml 
@@ -5,52 +5,44 @@ status: production description: This search is to detect execution of wevtutil.exe to disable logs. This technique was seen in several ransomware to disable the event logs to evade alerts and detections in compromised host. -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where like(process_cmd_line, "%/e:false%") AND like(process_cmd_line, "% - sl %") AND process_file_name="wevtutil.exe" - | eval body=create_map( - "devices", [ - create_map( - "hostname", device_hostname, "type_id", 0, "uuid", ucast(map_get(device,"uuid"), "string", null) - ) - ], - "time", timestamp, - "evidence", 
create_map("process.pid", process_pid, "process.file.path", process_file_path, "process.file.name", process_file_name, "process.cmd_line", process_cmd_line, "actor.user.name", actor_user_name, "actor.process.pid", actor_process_pid, "actor.process.file.path", actor_process_file_path, "actor.process.file.name", actor_process_file_name, "device.hostname", device_hostname), - "message", concat("Wevtutil Usage To Disable Logs has been triggered on ", device_hostname, " by ", actor_user_name, "."), - "users", [ - create_map( - "name", actor_user_name, "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - "risk_level_id", 3, - "risk_score", 63, - "severity_id", 0, - "rule", create_map("name", "Wevtutil Usage To Disable Logs", "uid", "a4bdc944-cdd9-11eb-ac97-acde48001122", "type", "Streaming"), - "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where process_cmd_line LIKE "%/e:false%" + AND process_cmd_line LIKE "% sl %" AND process_file_name="wevtutil.exe" + | 
eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname}, + message = "Wevtutil Usage To Disable Logs has been triggered on " + device_hostname + " by " + actor_user_name + ".", + users = [{"name": actor_user_name, "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = ["Windows Log Manipulation", "Ransomware", "Insider Threat", "Information Sabotage"], + class_name = "Detection Report", + confidence = 90, + confidence_id = 3, + duration = 0, + impact = 70, + impact_id = 4, + kill_chain = [{"phase": "Exploitation", "phase_id": 4}], + nist = ["DE.AE"], + risk_level = "High", + category_uid = 2, + class_uid = 102001, + risk_level_id = 3, + risk_score = 63, + severity_id = 0, + rule = {"name": "Wevtutil Usage To Disable Logs", "uid": "a4bdc944-cdd9-11eb-ac97-acde48001122", "type": "Streaming"}, + metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time + | into sink; ' how_to_implement: You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the 
Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. @@ -118,4 +110,5 @@ test: - file_name: disable_evt.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070.001/ssa_wevtutil/disable_evt.log source: WinEventLog:Security -runtime: SPL-DSP +runtime: SPL2 +internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_bits_job_persistence.yml b/dist/ssa/srs/ssa___windows_bits_job_persistence.yml index 4b17f03e50..10077732ae 100644 --- a/dist/ssa/srs/ssa___windows_bits_job_persistence.yml +++ b/dist/ssa/srs/ssa___windows_bits_job_persistence.yml 
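Review bot: The new search's closing `| fields ...` lists `observables`, but no `eval` in the rewritten pipeline ever assigns it — `evidence` is built, `observables` is not — so the field is either silently absent from the finding or, depending on how the SPL2 runtime treats unknown fields in `fields`, a compile-time error. Either drop `observables` from the `fields` list or add an assignment alongside `evidence`, e.g. `observables = [...]` populated from the same process/actor/device values (the repository's DetectionTags already carries an `observable_str`, which looks like the intended source). The same `fields` line appears in the hunks ending at L233, L237, L241 and L245 and in the clear-logs hunk that starts before this view. Since these files sit under `dist/`, they look like generated output, so the fix most likely belongs in the template that emits this line rather than in each yml.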
@@ -9,54 +9,47 @@ description: The following query identifies Microsoft Background Intelligent Tra the BITS job created and capture any files written to disk. It is possible for BITS to be used to upload files and this may require further network data analysis to identify. You can use `bitsadmin /list /verbose` to list out the jobs during investigation. -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where (like(process_cmd_line, "%resume%") OR like(process_cmd_line, "%setcustomheaders%") - OR like(process_cmd_line, "%setminretrydelay%") OR like(process_cmd_line, "%setnotifycmdline%") - OR 
like(process_cmd_line, "%setnotifyflags%") OR like(process_cmd_line, "%addfile%") - OR like(process_cmd_line, "%create%")) AND process_file_name="bitsadmin.exe" - | eval body=create_map( - "devices", [ - create_map( - "hostname", device_hostname, "type_id", 0, "uuid", ucast(map_get(device,"uuid"), "string", null) - ) - ], - "time", timestamp, - "evidence", create_map("process.pid", process_pid, "process.file.path", process_file_path, "process.file.name", process_file_name, "process.cmd_line", process_cmd_line, "actor.user.name", actor_user_name, "actor.process.pid", actor_process_pid, "actor.process.file.path", actor_process_file_path, "actor.process.file.name", actor_process_file_name, "device.hostname", device_hostname), - "message", concat("Windows Bits Job Persistence has been triggered on ", device_hostname, " by ", actor_user_name, "."), - "users", [ - create_map( - "name", actor_user_name, "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - "risk_level_id", 2, - "risk_score", 56, - "severity_id", 0, - "rule", create_map("name", "Windows Bits Job Persistence", "uid", "1e25e97a-8ea4-11ec-9767-acde48001122", "type", "Streaming"), - "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval 
actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where (process_cmd_line LIKE "%resume%" + OR process_cmd_line LIKE "%setcustomheaders%" OR process_cmd_line LIKE "%setminretrydelay%" + OR process_cmd_line LIKE "%setnotifycmdline%" OR process_cmd_line LIKE "%setnotifyflags%" + OR process_cmd_line LIKE "%addfile%" OR process_cmd_line LIKE "%create%") AND process_file_name="bitsadmin.exe" + + | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname}, + message = "Windows Bits Job Persistence has been triggered on " + device_hostname + " by " + actor_user_name + ".", + users = [{"name": actor_user_name, "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = ["BITS Jobs", "Living Off The Land"], + class_name = "Detection Report", + confidence = 80, + confidence_id = 3, + duration = 0, + impact = 70, + impact_id = 4, + kill_chain = [{"phase": "Exploitation", "phase_id": 4}, {"phase": "Installation", "phase_id": 5}], + nist = ["DE.AE"], + risk_level = "Medium", + category_uid = 2, + class_uid = 102001, + risk_level_id = 2, + risk_score = 56, + severity_id = 0, + rule = {"name": "Windows Bits Job Persistence", "uid": "1e25e97a-8ea4-11ec-9767-acde48001122", "type": "Streaming"}, + metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, 
"version": "1.0.0-rc.2", "logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time + | into sink; ' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, @@ -126,4 +119,5 @@ test: - file_name: bits-windows-security.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/bits-windows-security.log source: WinEventLog:Security -runtime: SPL-DSP +runtime: SPL2 +internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_bitsadmin_download_file.yml b/dist/ssa/srs/ssa___windows_bitsadmin_download_file.yml index 64c796db92..5bb61d0aaf 100644 --- a/dist/ssa/srs/ssa___windows_bitsadmin_download_file.yml +++ b/dist/ssa/srs/ssa___windows_bitsadmin_download_file.yml 
@@ -14,52 +14,44 @@ description: The following query identifies Microsoft Background Intelligent Tra and child processes to capture any behaviors and artifacts. In some suspicious and malicious instances, BITS jobs will be created. You can use `bitsadmin /list /verbose` to list out the jobs during investigation. -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where like(process_cmd_line, "%transfer%") AND process_file_name="bitsadmin.exe" - - | eval body=create_map( - "devices", [ - create_map( - "hostname", device_hostname, "type_id", 0, "uuid", ucast(map_get(device,"uuid"), "string", null) - ) - ], - 
"time", timestamp, - "evidence", create_map("process.pid", process_pid, "process.file.path", process_file_path, "process.file.name", process_file_name, "process.cmd_line", process_cmd_line, "actor.user.name", actor_user_name, "actor.process.pid", actor_process_pid, "actor.process.file.path", actor_process_file_path, "actor.process.file.name", actor_process_file_name, "device.hostname", device_hostname), - "message", concat("Windows Bitsadmin Download File has been triggered on ", device_hostname, " by ", actor_user_name, "."), - "users", [ - create_map( - "name", actor_user_name, "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - "risk_level_id", 2, - "risk_score", 49, - "severity_id", 0, - "rule", create_map("name", "Windows Bitsadmin Download File", "uid", "d76e8188-8f5a-11ec-ace4-acde48001122", "type", "Streaming"), - "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where process_cmd_line LIKE "%transfer%" + AND process_file_name="bitsadmin.exe" + | 
eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname}, + message = "Windows Bitsadmin Download File has been triggered on " + device_hostname + " by " + actor_user_name + ".", + users = [{"name": actor_user_name, "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = ["Ingress Tool Transfer", "BITS Jobs", "DarkSide Ransomware", "Living Off The Land"], + class_name = "Detection Report", + confidence = 70, + confidence_id = 3, + duration = 0, + impact = 70, + impact_id = 4, + kill_chain = [{"phase": "Exploitation", "phase_id": 4}, {"phase": "Installation", "phase_id": 5}, {"phase": "Command And Control", "phase_id": 6}], + nist = ["DE.AE"], + risk_level = "Medium", + category_uid = 2, + class_uid = 102001, + risk_level_id = 2, + risk_score = 49, + severity_id = 0, + rule = {"name": "Windows Bitsadmin Download File", "uid": "d76e8188-8f5a-11ec-ace4-acde48001122", "type": "Streaming"}, + metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time + | into sink; ' how_to_implement: To successfully implement 
this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, @@ -132,4 +124,5 @@ test: - file_name: bits-windows-security.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/bits-windows-security.log source: WinEventLog:Security -runtime: SPL-DSP +runtime: SPL2 +internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_certutil_decode_file.yml b/dist/ssa/srs/ssa___windows_certutil_decode_file.yml index 75394aa5d8..f855dba094 100644 --- a/dist/ssa/srs/ssa___windows_certutil_decode_file.yml +++ b/dist/ssa/srs/ssa___windows_certutil_decode_file.yml 
@@ -10,52 +10,44 @@ description: CertUtil.exe may be used to `encode` and `decode` a file, including and `decodehex`. Similarly, the file will be encoded in HEX and later decoded for further execution. During triage, identify the source of the file being decoded. Review its contents or execution behavior for further analysis. -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where like(process_cmd_line, "%decode%") AND process_file_name="certutil.exe" - - | eval body=create_map( - "devices", [ - create_map( - "hostname", device_hostname, "type_id", 0, "uuid", ucast(map_get(device,"uuid"), "string", null) - ) - 
], - "time", timestamp, - "evidence", create_map("process.pid", process_pid, "process.file.path", process_file_path, "process.file.name", process_file_name, "process.cmd_line", process_cmd_line, "actor.user.name", actor_user_name, "actor.process.pid", actor_process_pid, "actor.process.file.path", actor_process_file_path, "actor.process.file.name", actor_process_file_name, "device.hostname", device_hostname), - "message", concat("Windows CertUtil Decode File has been triggered on ", device_hostname, " by ", actor_user_name, "."), - "users", [ - create_map( - "name", actor_user_name, "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - "risk_level_id", 2, - "risk_score", 40, - "severity_id", 0, - "rule", create_map("name", "Windows CertUtil Decode File", "uid", "b06983f4-8f72-11ec-ab50-acde48001122", "type", "Streaming"), - "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where process_cmd_line LIKE "%decode%" + AND process_file_name="certutil.exe" + | 
eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname}, + message = "Windows CertUtil Decode File has been triggered on " + device_hostname + " by " + actor_user_name + ".", + users = [{"name": actor_user_name, "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = ["Deobfuscate-Decode Files or Information", "Living Off The Land"], + class_name = "Detection Report", + confidence = 80, + confidence_id = 3, + duration = 0, + impact = 50, + impact_id = 3, + kill_chain = [{"phase": "Exploitation", "phase_id": 4}], + nist = ["DE.AE"], + risk_level = "Medium", + category_uid = 2, + class_uid = 102001, + risk_level_id = 2, + risk_score = 40, + severity_id = 0, + rule = {"name": "Windows CertUtil Decode File", "uid": "b06983f4-8f72-11ec-ab50-acde48001122", "type": "Streaming"}, + metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time + | into sink; ' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for 
the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, @@ -124,4 +116,5 @@ test: - file_name: encode-windows-security.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1140/atomic_red_team/encode-windows-security.log source: WinEventLog:Security -runtime: SPL-DSP +runtime: SPL2 +internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_certutil_urlcache_download.yml b/dist/ssa/srs/ssa___windows_certutil_urlcache_download.yml index 243affcbb9..b2956ee618 100644 --- a/dist/ssa/srs/ssa___windows_certutil_urlcache_download.yml +++ b/dist/ssa/srs/ssa___windows_certutil_urlcache_download.yml 
@@ -9,53 +9,45 @@ description: Certutil.exe may download a file from a remote destination using `- However, it is uncommon for `certutil.exe` to write files to world writeable paths.\ During triage, capture any files on disk and review. Review the reputation of the remote IP or domain in question. -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where (process_file_name="certutil.exe" AND like(process_cmd_line, "%split%") - AND like(process_cmd_line, "%urlcache%")) OR like(process_cmd_line, "%urlcache%") - - | eval body=create_map( - "devices", [ - create_map( - "hostname", device_hostname, "type_id", 0, 
"uuid", ucast(map_get(device,"uuid"), "string", null) - ) - ], - "time", timestamp, - "evidence", create_map("process.pid", process_pid, "process.file.path", process_file_path, "process.file.name", process_file_name, "process.cmd_line", process_cmd_line, "actor.user.name", actor_user_name, "actor.process.pid", actor_process_pid, "actor.process.file.path", actor_process_file_path, "actor.process.file.name", actor_process_file_name, "device.hostname", device_hostname), - "message", concat("Windows CertUtil URLCache Download has been triggered on ", device_hostname, " by ", actor_user_name, "."), - "users", [ - create_map( - "name", actor_user_name, "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - "risk_level_id", 4, - "risk_score", 90, - "severity_id", 0, - "rule", create_map("name", "Windows CertUtil URLCache Download", "uid", "8cb1ad38-8f6d-11ec-87a3-acde48001122", "type", "Streaming"), - "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where 
(process_file_name="certutil.exe" + AND process_cmd_line LIKE "%split%" AND process_cmd_line LIKE "%urlcache%") OR process_cmd_line + LIKE "%urlcache%" + | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname}, + message = "Windows CertUtil URLCache Download has been triggered on " + device_hostname + " by " + actor_user_name + ".", + users = [{"name": actor_user_name, "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = ["Ingress Tool Transfer", "DarkSide Ransomware", "Living Off The Land"], + class_name = "Detection Report", + confidence = 100, + confidence_id = 3, + duration = 0, + impact = 90, + impact_id = 5, + kill_chain = [{"phase": "Command And Control", "phase_id": 6}], + nist = ["DE.AE"], + risk_level = "Critical", + category_uid = 2, + class_uid = 102001, + risk_level_id = 4, + risk_score = 90, + severity_id = 0, + rule = {"name": "Windows CertUtil URLCache Download", "uid": "8cb1ad38-8f6d-11ec-87a3-acde48001122", "type": "Streaming"}, + metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, 
end_time + | into sink; ' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. @@ -121,4 +113,5 @@ test: - file_name: T1105-windows-security.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/T1105-windows-security.log source: WinEventLog:Security -runtime: SPL-DSP +runtime: SPL2 +internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_certutil_verifyctl_download.yml b/dist/ssa/srs/ssa___windows_certutil_verifyctl_download.yml index bd361b49a6..6492e99c3e 100644 --- a/dist/ssa/srs/ssa___windows_certutil_verifyctl_download.yml +++ b/dist/ssa/srs/ssa___windows_certutil_verifyctl_download.yml 
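Review bot: The ported `where` clause, `(process_file_name="certutil.exe" AND process_cmd_line LIKE "%split%" AND process_cmd_line LIKE "%urlcache%") OR process_cmd_line LIKE "%urlcache%"`, makes the parenthesised branch redundant: the trailing `OR` matches any process whose command line contains "urlcache" regardless of `process_file_name`, so the certutil.exe constraint described in the detection text never actually applies. The removed DSP version had the same shape, so the SPL2 port preserved an existing defect rather than introducing it, but the new line is what ships. The likely intent is `| where process_file_name="certutil.exe" AND process_cmd_line LIKE "%urlcache%"` (with `%split%` as an optional narrowing rather than a gate). The verifyctl hunk that begins at L246 and runs past the end of this view shows the same `OR ... LIKE "%verifyctl%"` pattern and should get the same fix.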
@@ -9,53 +9,45 @@ description: 'Certutil.exe may download a file from a remote destination using ` \ During triage, capture any files on disk and review. Review the reputation of the remote IP or domain in question. Using `-VerifyCtl`, the file will either be written to the current working directory or `%APPDATA%\..\LocalLow\Microsoft\CryptnetUrlCache\Content\`. ' -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where (process_file_name="certutil.exe" AND like(process_cmd_line, "%split%") - AND like(process_cmd_line, "%verifyctl%")) OR like(process_cmd_line, "%verifyctl%") - - | eval body=create_map( - 
"devices", [ - create_map( - "hostname", device_hostname, "type_id", 0, "uuid", ucast(map_get(device,"uuid"), "string", null) - ) - ], - "time", timestamp, - "evidence", create_map("process.pid", process_pid, "process.file.path", process_file_path, "process.file.name", process_file_name, "process.cmd_line", process_cmd_line, "actor.user.name", actor_user_name, "actor.process.pid", actor_process_pid, "actor.process.file.path", actor_process_file_path, "actor.process.file.name", actor_process_file_name, "device.hostname", device_hostname), - "message", concat("Windows CertUtil VerifyCtl Download has been triggered on ", device_hostname, " by ", actor_user_name, "."), - "users", [ - create_map( - "name", actor_user_name, "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - "risk_level_id", 4, - "risk_score", 90, - "severity_id", 0, - "rule", create_map("name", "Windows CertUtil VerifyCtl Download", "uid", "9ac29c40-8f6b-11ec-b19a-acde48001122", "type", "Streaming"), - "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = 
actor_process_file.name + | eval device_hostname = device.hostname | where (process_file_name="certutil.exe" + AND process_cmd_line LIKE "%split%" AND process_cmd_line LIKE "%verifyctl%") OR + process_cmd_line LIKE "%verifyctl%" + | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname}, + message = "Windows CertUtil VerifyCtl Download has been triggered on " + device_hostname + " by " + actor_user_name + ".", + users = [{"name": actor_user_name, "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = ["Ingress Tool Transfer", "DarkSide Ransomware", "Living Off The Land"], + class_name = "Detection Report", + confidence = 100, + confidence_id = 3, + duration = 0, + impact = 90, + impact_id = 5, + kill_chain = [{"phase": "Command And Control", "phase_id": 6}], + nist = ["DE.AE"], + risk_level = "Critical", + category_uid = 2, + class_uid = 102001, + risk_level_id = 4, + risk_score = 90, + severity_id = 0, + rule = {"name": "Windows CertUtil VerifyCtl Download", "uid": "9ac29c40-8f6b-11ec-b19a-acde48001122", "type": "Streaming"}, + metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, 
risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time + | into sink; ' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. @@ -122,4 +114,5 @@ test: - file_name: T1105-windows-security.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/T1105-windows-security.log source: WinEventLog:Security -runtime: SPL-DSP +runtime: SPL2 +internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_com_hijacking_inprocserver32_modification.yml b/dist/ssa/srs/ssa___windows_com_hijacking_inprocserver32_modification.yml index 1299d09929..5ba8a6b7ad 100644 --- a/dist/ssa/srs/ssa___windows_com_hijacking_inprocserver32_modification.yml +++ b/dist/ssa/srs/ssa___windows_com_hijacking_inprocserver32_modification.yml 
@@ -10,52 +10,44 @@ description: The following analytic identifies the use of reg.exe performing an to a legitimate system component which may cause that component to not work when executed. When that system component is executed through normal system operation the adversary's code will be executed instead. -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where match_regex(process_cmd_line, /(?i)inprocserver32/)=true AND process_file_name="reg.exe" - - | eval body=create_map( - "devices", [ - create_map( - "hostname", device_hostname, "type_id", 0, "uuid", ucast(map_get(device,"uuid"), "string", null) - ) - ], 
- "time", timestamp, - "evidence", create_map("process.pid", process_pid, "process.file.path", process_file_path, "process.file.name", process_file_name, "process.cmd_line", process_cmd_line, "actor.user.name", actor_user_name, "actor.process.pid", actor_process_pid, "actor.process.file.path", actor_process_file_path, "actor.process.file.name", actor_process_file_name, "device.hostname", device_hostname), - "message", concat("Windows COM Hijacking InprocServer32 Modification has been triggered on ", device_hostname, " by ", actor_user_name, "."), - "users", [ - create_map( - "name", actor_user_name, "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - "risk_level_id", 3, - "risk_score", 64, - "severity_id", 0, - "rule", create_map("name", "Windows COM Hijacking InprocServer32 Modification", "uid", "0ae05a0f-bc84-456b-822a-a5b9c081c7ca", "type", "Streaming"), - "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where match(process_cmd_line, 
/(?i)inprocserver32/)=true + AND process_file_name="reg.exe" + | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname}, + message = "Windows COM Hijacking InprocServer32 Modification has been triggered on " + device_hostname + " by " + actor_user_name + ".", + users = [{"name": actor_user_name, "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = ["Living Off The Land"], + class_name = "Detection Report", + confidence = 80, + confidence_id = 3, + duration = 0, + impact = 80, + impact_id = 5, + kill_chain = [{"phase": "Installation", "phase_id": 5}, {"phase": "Exploitation", "phase_id": 4}], + nist = ["DE.AE"], + risk_level = "High", + category_uid = 2, + class_uid = 102001, + risk_level_id = 3, + risk_score = 64, + severity_id = 0, + rule = {"name": "Windows COM Hijacking InprocServer32 Modification", "uid": "0ae05a0f-bc84-456b-822a-a5b9c081c7ca", "type": "Streaming"}, + metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time + | into sink; ' how_to_implement: To successfully implement this 
search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the @@ -121,4 +113,5 @@ test: - file_name: windows-security.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.015/atomic_red_team/windows-security.log source: XmlWinEventLog -runtime: SPL-DSP +runtime: SPL2 +internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_curl_upload_to_remote_destination.yml b/dist/ssa/srs/ssa___windows_curl_upload_to_remote_destination.yml index 8c50496f5e..0213e4ec09 100644 --- a/dist/ssa/srs/ssa___windows_curl_upload_to_remote_destination.yml +++ b/dist/ssa/srs/ssa___windows_curl_upload_to_remote_destination.yml 
@@ -20,54 +20,46 @@ description: 'The following analytic identifies the use of Windows Curl.exe uplo what they are attempting to upload (zip vs txt). During triage, review parallel processes for further behavior. In addition, identify if the upload was successful in network logs. If a file was uploaded, isolate the endpoint and review.' -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where (like(process_cmd_line, "%-F %") OR like(process_cmd_line, "%--data - %") OR like(process_cmd_line, "%-d %") OR like(process_cmd_line, "%--upload-file - %") OR like(process_cmd_line, "%-T %")) AND 
match_regex(process_file_name, /(?i)curl.exe/)=true - - | eval body=create_map( - "devices", [ - create_map( - "hostname", device_hostname, "type_id", 0, "uuid", ucast(map_get(device,"uuid"), "string", null) - ) - ], - "time", timestamp, - "evidence", create_map("process.pid", process_pid, "process.file.path", process_file_path, "process.file.name", process_file_name, "process.cmd_line", process_cmd_line, "actor.user.name", actor_user_name, "actor.process.pid", actor_process_pid, "actor.process.file.path", actor_process_file_path, "actor.process.file.name", actor_process_file_name, "device.hostname", device_hostname), - "message", concat("Windows Curl Upload to Remote Destination has been triggered on ", device_hostname, " by ", actor_user_name, "."), - "users", [ - create_map( - "name", actor_user_name, "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - "risk_level_id", 4, - "risk_score", 80, - "severity_id", 0, - "rule", create_map("name", "Windows Curl Upload to Remote Destination", "uid", "cc8d046a-543b-11ec-b864-acde48001122", "type", "Streaming"), - "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval 
actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where (process_cmd_line LIKE "%-F %" + OR process_cmd_line LIKE "%--data %" OR process_cmd_line LIKE "%-d %" OR process_cmd_line + LIKE "%--upload-file %" OR process_cmd_line LIKE "%-T %") AND match(process_file_name, + /(?i)curl.exe/)=true + | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname}, + message = "Windows Curl Upload to Remote Destination has been triggered on " + device_hostname + " by " + actor_user_name + ".", + users = [{"name": actor_user_name, "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = ["Ingress Tool Transfer", "Insider Threat"], + class_name = "Detection Report", + confidence = 100, + confidence_id = 3, + duration = 0, + impact = 80, + impact_id = 5, + kill_chain = [{"phase": "Command And Control", "phase_id": 6}], + nist = ["DE.AE"], + risk_level = "Critical", + category_uid = 2, + class_uid = 102001, + risk_level_id = 4, + risk_score = 80, + severity_id = 0, + rule = {"name": "Windows Curl Upload to Remote Destination", "uid": "cc8d046a-543b-11ec-b864-acde48001122", "type": "Streaming"}, + metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, 
category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time + | into sink; ' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint_Processess` datamodel. @@ -132,4 +124,5 @@ test: - file_name: windows-security.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/windows-security.log source: WinEventLog:Security -runtime: SPL-DSP +runtime: SPL2 +internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_default_group_policy_object_modified_with_gpme.yml b/dist/ssa/srs/ssa___windows_default_group_policy_object_modified_with_gpme.yml index 2fd9eaa49e..ef3dff4ecc 100644 --- a/dist/ssa/srs/ssa___windows_default_group_policy_object_modified_with_gpme.yml +++ b/dist/ssa/srs/ssa___windows_default_group_policy_object_modified_with_gpme.yml 
@@ -12,53 +12,45 @@ description: The following analytic identifies the potential edition of a defaul default group policy objects to obtain further access, deploy persistence or execute malware across a large number of hosts. Security teams should monitor the edition of the default GPOs. -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where (process_file_name="mmc.exe" AND like(process_cmd_line, "%gpme.msc%")) - OR like(process_cmd_line, "%31B2F340-016D-11D2-945F-00C04FB984F9%") OR like(process_cmd_line, - "%6AC1786C-016F-11D2-945F-00C04fB984F9%") - | eval body=create_map( - "devices", [ - create_map( - 
"hostname", device_hostname, "type_id", 0, "uuid", ucast(map_get(device,"uuid"), "string", null) - ) - ], - "time", timestamp, - "evidence", create_map("process.pid", process_pid, "process.file.path", process_file_path, "process.file.name", process_file_name, "process.cmd_line", process_cmd_line, "actor.user.name", actor_user_name, "actor.process.pid", actor_process_pid, "actor.process.file.path", actor_process_file_path, "actor.process.file.name", actor_process_file_name, "device.hostname", device_hostname), - "message", concat("Windows Default Group Policy Object Modified with GPME has been triggered on ", device_hostname, " by ", actor_user_name, "."), - "users", [ - create_map( - "name", actor_user_name, "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - "risk_level_id", 2, - "risk_score", 50, - "severity_id", 0, - "rule", create_map("name", "Windows Default Group Policy Object Modified with GPME", "uid", "bcb55c13-067b-4648-98f3-627010f72520", "type", "Streaming"), - "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = 
actor_process_file.name + | eval device_hostname = device.hostname | where (process_file_name="mmc.exe" AND + process_cmd_line LIKE "%gpme.msc%") OR process_cmd_line LIKE "%31B2F340-016D-11D2-945F-00C04FB984F9%" + OR process_cmd_line LIKE "%6AC1786C-016F-11D2-945F-00C04fB984F9%" + | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname}, + message = "Windows Default Group Policy Object Modified with GPME has been triggered on " + device_hostname + " by " + actor_user_name + ".", + users = [{"name": actor_user_name, "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = ["Active Directory Privilege Escalation"], + class_name = "Detection Report", + confidence = 50, + confidence_id = 2, + duration = 0, + impact = 100, + impact_id = 5, + kill_chain = [{"phase": "Exploitation", "phase_id": 4}], + nist = ["DE.AE"], + risk_level = "Medium", + category_uid = 2, + class_uid = 102001, + risk_level_id = 2, + risk_score = 50, + severity_id = 0, + rule = {"name": "Windows Default Group Policy Object Modified with GPME", "uid": "bcb55c13-067b-4648-98f3-627010f72520", "type": "Streaming"}, + metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, 
impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time + | into sink; ' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the @@ -126,4 +118,5 @@ test: - file_name: security-4688.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/default_domain_policy_modified/security-4688.log source: XmlWinEventLog -runtime: SPL-DSP +runtime: SPL2 +internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_defender_tools_in_non_standard_path.yml b/dist/ssa/srs/ssa___windows_defender_tools_in_non_standard_path.yml index 549d3af6e7..b8b6d5feed 100644 --- a/dist/ssa/srs/ssa___windows_defender_tools_in_non_standard_path.yml +++ b/dist/ssa/srs/ssa___windows_defender_tools_in_non_standard_path.yml 
@@ -4,53 +4,45 @@ version: 1 status: production description: The following analytic identifies usage of the MPCmdRun utility that can be abused by adversaries by moving it to a new directory. -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where match_regex(process_file_name, /(?i)mpcmdrun.exe/)=true AND (NOT match_regex(process_file_path, - /(?i)\\windows defender/)=true) AND (NOT match_regex(process_file_path, /(?i)\\microsoft\\windows - defender\\platform/)=true) - | eval body=create_map( - "devices", [ - create_map( - "hostname", device_hostname, "type_id", 0, "uuid", ucast(map_get(device,"uuid"), 
"string", null) - ) - ], - "time", timestamp, - "evidence", create_map("process.pid", process_pid, "process.file.path", process_file_path, "process.file.name", process_file_name, "process.cmd_line", process_cmd_line, "actor.user.name", actor_user_name, "actor.process.pid", actor_process_pid, "actor.process.file.path", actor_process_file_path, "actor.process.file.name", actor_process_file_name, "device.hostname", device_hostname), - "message", concat("Windows Defender Tools in Non Standard Path has been triggered on ", device_hostname, " by ", actor_user_name, "."), - "users", [ - create_map( - "name", actor_user_name, "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - "risk_level_id", 2, - "risk_score", 56, - "severity_id", 0, - "rule", create_map("name", "Windows Defender Tools in Non Standard Path", "uid", "c205bd2e-cd5b-4224-8510-578a2a1f83d7", "type", "Streaming"), - "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where match(process_file_name, 
/(?i)mpcmdrun.exe/)=true + AND (NOT match(process_file_path, /(?i)\\windows defender/)=true) AND (NOT match(process_file_path, + /(?i)\\microsoft\\windows defender\\platform/)=true) + | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname}, + message = "Windows Defender Tools in Non Standard Path has been triggered on " + device_hostname + " by " + actor_user_name + ".", + users = [{"name": actor_user_name, "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = ["Living Off The Land"], + class_name = "Detection Report", + confidence = 80, + confidence_id = 3, + duration = 0, + impact = 70, + impact_id = 4, + kill_chain = [{"phase": "Exploitation", "phase_id": 4}], + nist = ["DE.AE"], + risk_level = "Medium", + category_uid = 2, + class_uid = 102001, + risk_level_id = 2, + risk_score = 56, + severity_id = 0, + rule = {"name": "Windows Defender Tools in Non Standard Path", "uid": "c205bd2e-cd5b-4224-8510-578a2a1f83d7", "type": "Streaming"}, + metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time + | 
into sink; ' how_to_implement: Collect endpoint data such as sysmon or 4688 events. known_false_positives: False positives may be present and filtering may be required. references: @@ -111,4 +103,5 @@ test: - file_name: windows-security.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.003/mpcmdrun/windows-security.log source: XmlWinEventLog -runtime: SPL-DSP +runtime: SPL2 +internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_diskshadow_proxy_execution.yml b/dist/ssa/srs/ssa___windows_diskshadow_proxy_execution.yml index 1e0c1c4294..84396a274a 100644 --- a/dist/ssa/srs/ssa___windows_diskshadow_proxy_execution.yml +++ b/dist/ssa/srs/ssa___windows_diskshadow_proxy_execution.yml 
@@ -8,52 +8,44 @@ description: DiskShadow.exe is a Microsoft Signed binary present on Windows Serv usage of the scripting mode flags in executions of DiskShadow. During triage, compare to known backup behavior in your environment and then review the scripts called by diskshadow. -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where (like(process_cmd_line, "%/s%") OR like(process_cmd_line, "%-S%")) - AND process_file_name="diskshadow.exe" - | eval body=create_map( - "devices", [ - create_map( - "hostname", device_hostname, "type_id", 0, "uuid", ucast(map_get(device,"uuid"), "string", null) - ) - ], - "time", 
timestamp, - "evidence", create_map("process.pid", process_pid, "process.file.path", process_file_path, "process.file.name", process_file_name, "process.cmd_line", process_cmd_line, "actor.user.name", actor_user_name, "actor.process.pid", actor_process_pid, "actor.process.file.path", actor_process_file_path, "actor.process.file.name", actor_process_file_name, "device.hostname", device_hostname), - "message", concat("Windows Diskshadow Proxy Execution has been triggered on ", device_hostname, " by ", actor_user_name, "."), - "users", [ - create_map( - "name", actor_user_name, "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - "risk_level_id", 2, - "risk_score", 49, - "severity_id", 0, - "rule", create_map("name", "Windows Diskshadow Proxy Execution", "uid", "aa502688-9037-11ec-842d-acde48001122", "type", "Streaming"), - "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where (process_cmd_line LIKE "%/s%" OR + process_cmd_line LIKE "%-S%") AND 
process_file_name="diskshadow.exe" + | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname}, + message = "Windows Diskshadow Proxy Execution has been triggered on " + device_hostname + " by " + actor_user_name + ".", + users = [{"name": actor_user_name, "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = ["Living Off The Land"], + class_name = "Detection Report", + confidence = 70, + confidence_id = 3, + duration = 0, + impact = 70, + impact_id = 4, + kill_chain = [{"phase": "Exploitation", "phase_id": 4}], + nist = ["DE.AE"], + risk_level = "Medium", + category_uid = 2, + class_uid = 102001, + risk_level_id = 2, + risk_score = 49, + severity_id = 0, + rule = {"name": "Windows Diskshadow Proxy Execution", "uid": "aa502688-9037-11ec-842d-acde48001122", "type": "Streaming"}, + metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time + | into sink; ' how_to_implement: To successfully implement this search you need to be ingesting information on processes that include the name of the process 
responsible for the changes from your endpoints into the `Endpoint_Processess` datamodel. @@ -115,4 +107,5 @@ test: - file_name: windows-security.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218/diskshadow/windows-security.log source: WinEventLog:Security -runtime: SPL-DSP +runtime: SPL2 +internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_dotnet_binary_in_non_standard_path.yml b/dist/ssa/srs/ssa___windows_dotnet_binary_in_non_standard_path.yml index 1e7c664493..d7a4cee9ab 100644 --- a/dist/ssa/srs/ssa___windows_dotnet_binary_in_non_standard_path.yml +++ b/dist/ssa/srs/ssa___windows_dotnet_binary_in_non_standard_path.yml 
@@ -8,84 +8,74 @@ description: The following analytic identifies native .net binaries within the W an alert will be generated. Adversaries abuse these binaries as they are native to Windows and native DotNet. Note that not all SDK (post install of Windows) are captured in the list. Lookup - https://github.com/splunk/security_content/blob/develop/lookups/is_net_windows_file.csv. -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where (match_regex(process_file_name, /(?i)MSBuild.exe/)=true OR match_regex(process_file_name, - /(?i)comsvcconfig.exe/)=true OR match_regex(process_file_name, /(?i)dfsradmin.exe/)=true 
- OR match_regex(process_file_name, /(?i)dfsvc.exe/)=true OR match_regex(process_file_name, - /(?i)microsoft.workflow.compiler.exe/)=true OR match_regex(process_file_name, /(?i)smsvchost.exe/)=true - OR match_regex(process_file_name, /(?i)wsatconfig.exe/)=true OR match_regex(process_file_name, - /(?i)addinprocess.exe/)=true OR match_regex(process_file_name, /(?i)addinprocess32.exe/)=true - OR match_regex(process_file_name, /(?i)addinutil.exe/)=true OR match_regex(process_file_name, - /(?i)aspnet_compiler.exe/)=true OR match_regex(process_file_name, /(?i)aspnet_regbrowsers.exe/)=true - OR match_regex(process_file_name, /(?i)aspnet_regsql.exe/)=true OR match_regex(process_file_name, - /(?i)caspol.exe/)=true OR match_regex(process_file_name, /(?i)datasvcutil.exe/)=true - OR match_regex(process_file_name, /(?i)edmgen.exe/)=true OR match_regex(process_file_name, - /(?i)installutil.exe/)=true OR match_regex(process_file_name, /(?i)jsc.exe/)=true - OR match_regex(process_file_name, /(?i)ngentask.exe/)=true OR match_regex(process_file_name, - /(?i)regasm.exe/)=true OR match_regex(process_file_name, /(?i)regsvcs.exe/)=true - OR match_regex(process_file_name, /(?i)sdnbr.exe/)=true OR match_regex(process_file_name, - /(?i)acu.exe/)=true OR match_regex(process_file_name, /(?i)appvstreamingux.exe/)=true - OR match_regex(process_file_name, /(?i)dsac.exe/)=true OR match_regex(process_file_name, - /(?i)lbfoadmin.exe/)=true OR match_regex(process_file_name, /(?i)microsoft.uev.synccontroller.exe/)=true - OR match_regex(process_file_name, /(?i)mtedit.exe/)=true OR match_regex(process_file_name, - /(?i)scriptrunner.exe/)=true OR match_regex(process_file_name, /(?i)servermanager.exe/)=true - OR match_regex(process_file_name, /(?i)stordiag.exe/)=true OR match_regex(process_file_name, - /(?i)tzsync.exe/)=true OR match_regex(process_file_name, /(?i)uevagentpolicygenerator.exe/)=true - OR match_regex(process_file_name, /(?i)uevappmonitor.exe/)=true OR match_regex(process_file_name, - 
/(?i)uevtemplatebaselinegenerator.exe/)=true OR match_regex(process_file_name, /(?i)uevtemplateconfigitemgenerator.exe/)=true - OR match_regex(process_file_name, /(?i)powershell_ise.exe/)=true OR match_regex(process_file_name, - /(?i)iediagcmd.exe/)=true OR match_regex(process_file_name, /(?i)xbox.tcui.exe/)=true - OR match_regex(process_file_name, /(?i)microsoft.activedirectory.webservices.exe/)=true - OR match_regex(process_file_name, /(?i)iisual.exe/)=true OR match_regex(process_file_name, - /(?i)filehistory.exe/)=true OR match_regex(process_file_name, /(?i)secureassessmentbrowser.exe/)=true) - AND (NOT (match_regex(process_file_path, /(?i)\\windows\\system32/)=true OR match_regex(process_file_path, - /(?i)\\windows\\syswow64/)=true OR match_regex(process_file_path, /(?i)\\windows\\adws/)=true - OR match_regex(process_file_path, /(?i)\\windows\\networkcontroller/)=true OR match_regex(process_file_path, - /(?i)\\windows\\systemapps/)=true OR match_regex(process_file_path, /(?i)\\winsxs/)=true - OR match_regex(process_file_path, /(?i)\\microsoft.net/)=true)) - | eval body=create_map( - "devices", [ - create_map( - "hostname", device_hostname, "type_id", 0, "uuid", ucast(map_get(device,"uuid"), "string", null) - ) - ], - "time", timestamp, - "evidence", create_map("process.pid", process_pid, "process.file.path", process_file_path, "process.file.name", process_file_name, "process.cmd_line", process_cmd_line, "actor.user.name", actor_user_name, "actor.process.pid", actor_process_pid, "actor.process.file.path", actor_process_file_path, "actor.process.file.name", actor_process_file_name, "device.hostname", device_hostname), - "message", concat("Windows DotNet Binary in Non Standard Path has been triggered on ", device_hostname, " by ", actor_user_name, "."), - "users", [ - create_map( - "name", actor_user_name, "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - "risk_level_id", 2, - 
"risk_score", 49, - "severity_id", 0, - "rule", create_map("name", "Windows DotNet Binary in Non Standard Path", "uid", "21179107-099a-324a-94d3-08301e6c065f", "type", "Streaming"), - "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where (match(process_file_name, /(?i)MSBuild.exe/)=true + OR match(process_file_name, /(?i)comsvcconfig.exe/)=true OR match(process_file_name, + /(?i)dfsradmin.exe/)=true OR match(process_file_name, /(?i)dfsvc.exe/)=true OR match(process_file_name, + /(?i)microsoft.workflow.compiler.exe/)=true OR match(process_file_name, /(?i)smsvchost.exe/)=true + OR match(process_file_name, /(?i)wsatconfig.exe/)=true OR match(process_file_name, + /(?i)addinprocess.exe/)=true OR match(process_file_name, /(?i)addinprocess32.exe/)=true + OR match(process_file_name, /(?i)addinutil.exe/)=true OR match(process_file_name, + /(?i)aspnet_compiler.exe/)=true OR match(process_file_name, /(?i)aspnet_regbrowsers.exe/)=true + OR match(process_file_name, /(?i)aspnet_regsql.exe/)=true OR match(process_file_name, + 
/(?i)caspol.exe/)=true OR match(process_file_name, /(?i)datasvcutil.exe/)=true OR + match(process_file_name, /(?i)edmgen.exe/)=true OR match(process_file_name, /(?i)installutil.exe/)=true + OR match(process_file_name, /(?i)jsc.exe/)=true OR match(process_file_name, /(?i)ngentask.exe/)=true + OR match(process_file_name, /(?i)regasm.exe/)=true OR match(process_file_name, /(?i)regsvcs.exe/)=true + OR match(process_file_name, /(?i)sdnbr.exe/)=true OR match(process_file_name, /(?i)acu.exe/)=true + OR match(process_file_name, /(?i)appvstreamingux.exe/)=true OR match(process_file_name, + /(?i)dsac.exe/)=true OR match(process_file_name, /(?i)lbfoadmin.exe/)=true OR match(process_file_name, + /(?i)microsoft.uev.synccontroller.exe/)=true OR match(process_file_name, /(?i)mtedit.exe/)=true + OR match(process_file_name, /(?i)scriptrunner.exe/)=true OR match(process_file_name, + /(?i)servermanager.exe/)=true OR match(process_file_name, /(?i)stordiag.exe/)=true + OR match(process_file_name, /(?i)tzsync.exe/)=true OR match(process_file_name, /(?i)uevagentpolicygenerator.exe/)=true + OR match(process_file_name, /(?i)uevappmonitor.exe/)=true OR match(process_file_name, + /(?i)uevtemplatebaselinegenerator.exe/)=true OR match(process_file_name, /(?i)uevtemplateconfigitemgenerator.exe/)=true + OR match(process_file_name, /(?i)powershell_ise.exe/)=true OR match(process_file_name, + /(?i)iediagcmd.exe/)=true OR match(process_file_name, /(?i)xbox.tcui.exe/)=true + OR match(process_file_name, /(?i)microsoft.activedirectory.webservices.exe/)=true + OR match(process_file_name, /(?i)iisual.exe/)=true OR match(process_file_name, /(?i)filehistory.exe/)=true + OR match(process_file_name, /(?i)secureassessmentbrowser.exe/)=true) AND (NOT (match(process_file_path, + /(?i)\\windows\\system32/)=true OR match(process_file_path, /(?i)\\windows\\syswow64/)=true + OR match(process_file_path, /(?i)\\windows\\adws/)=true OR match(process_file_path, + /(?i)\\windows\\networkcontroller/)=true OR 
match(process_file_path, /(?i)\\windows\\systemapps/)=true + OR match(process_file_path, /(?i)\\winsxs/)=true OR match(process_file_path, /(?i)\\microsoft.net/)=true)) + + | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname}, + message = "Windows DotNet Binary in Non Standard Path has been triggered on " + device_hostname + " by " + actor_user_name + ".", + users = [{"name": actor_user_name, "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = ["Masquerading - Rename System Utilities", "Unusual Processes", "Ransomware", "Signed Binary Proxy Execution InstallUtil", "WhisperGate"], + class_name = "Detection Report", + confidence = 70, + confidence_id = 3, + duration = 0, + impact = 70, + impact_id = 4, + kill_chain = [{"phase": "Exploitation", "phase_id": 4}], + nist = ["DE.AE"], + risk_level = "Medium", + category_uid = 2, + class_uid = 102001, + risk_level_id = 2, + risk_score = 49, + severity_id = 0, + rule = {"name": "Windows DotNet Binary in Non Standard Path", "uid": "21179107-099a-324a-94d3-08301e6c065f", "type": "Streaming"}, + metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, 
observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time + | into sink; ' how_to_implement: Collect endpoint data such as sysmon or 4688 events. known_false_positives: False positives may be present and filtering may be required. Certain utilities will run from non-standard paths based on the third-party application @@ -156,4 +146,5 @@ test: - file_name: dotnet_lolbin-windows-security.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/system_process_running_unexpected_location/dotnet_lolbin-windows-security.log source: WinEventLog:Security -runtime: SPL-DSP +runtime: SPL2 +internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_exchange_powershell_module_usage.yml b/dist/ssa/srs/ssa___windows_exchange_powershell_module_usage.yml index ec9f8c933c..0f9d9ef5dd 100644 --- a/dist/ssa/srs/ssa___windows_exchange_powershell_module_usage.yml +++ b/dist/ssa/srs/ssa___windows_exchange_powershell_module_usage.yml 
@@ -24,47 +24,42 @@ description: 'The following analytic identifies the usage of Exchange PowerShell - Get-Recipient cmdlet to view existing recipient objects in your organization. This cmdlet returns all mail-enabled objects (for example, mailboxes, mail users, mail contacts, and distribution groups).' -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), - "string", null) | eval process=ucast(map_get(input_event,"process"), "map", null) | eval process_file=ucast(map_get(process,"file"), "map", - null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", null) - | eval process_uid=ucast(map_get(process,"uid"), "string", null) | eval process_cmd_line=ucast(map_get(process,"cmd_line"), - "string", null) | eval actor=ucast(map_get(input_event,"actor"), "map", - null) | eval actor_user=ucast(map_get(actor,"user"), "map", null) | - eval actor_user_uid=ucast(map_get(actor_user,"uid"), "string", null) | where match_regex(process_cmd_line, - /(?i)get-recipient/)=true OR match_regex(process_cmd_line, /(?i)new-mailboxsearch/)=true - OR match_regex(process_cmd_line, /(?i)new-managementroleassignment/)=true OR match_regex(process_cmd_line, - /(?i)new-mailboxexportrequest/)=true - | eval body=create_map( - "devices", [ - create_map( - "hostname", device_hostname, "type_id", 0, "uuid", ucast(map_get(device,"uuid"), "string", null) - ) - ], - "time", timestamp, - "evidence", create_map("device.hostname", device_hostname, "process.file.path", process_file_path, "process.uid", process_uid, "process.cmd_line", process_cmd_line, "actor.user.uid", actor_user_uid), - "message", concat("Windows Exchange PowerShell Module Usage has been triggered on ", 
device_hostname, " by ", "Unknown", "."), - "users", [ - create_map( - "name", "Unknown", "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - "risk_level_id", 1, - "risk_score", 32, - "severity_id", 0, - "rule", create_map("name", "Windows Exchange PowerShell Module Usage", "uid", "1118bc65-b0c7-4589-bc2f-ad6802fd0909", "type", "Streaming"), - "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval device_hostname = device.hostname | eval process_file = process.file | eval + process_file_path = process_file.path | eval process_uid = process.uid | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_uid = actor_user.uid + | where match(process_cmd_line, /(?i)get-recipient/)=true OR match(process_cmd_line, + /(?i)new-mailboxsearch/)=true OR match(process_cmd_line, /(?i)new-managementroleassignment/)=true + OR match(process_cmd_line, /(?i)new-mailboxexportrequest/)=true + | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {"device.hostname": device_hostname, "process.file.path": process_file_path, "process.uid": process_uid, "process.cmd_line": process_cmd_line, "actor.user.uid": actor_user_uid}, + message = "Windows Exchange PowerShell Module Usage has been triggered on " + device_hostname + " by " + "Unknown" + ".", + users = [{"name": "Unknown", "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = ["ProxyShell", "CISA AA22-264A"], + class_name = 
"Detection Report", + confidence = 80, + confidence_id = 3, + duration = 0, + impact = 40, + impact_id = 3, + kill_chain = [{"phase": "Installation", "phase_id": 5}], + nist = ["DE.AE"], + risk_level = "Low", + category_uid = 2, + class_uid = 102001, + risk_level_id = 1, + risk_score = 32, + severity_id = 0, + rule = {"name": "Windows Exchange PowerShell Module Usage", "uid": "1118bc65-b0c7-4589-bc2f-ad6802fd0909", "type": "Streaming"}, + metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time + | into sink; ' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. @@ -124,4 +119,5 @@ test: - file_name: windows-powershell.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/exchange/windows-powershell.log source: XmlWinEventLog -runtime: SPL-DSP +runtime: SPL2 +internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_execute_arbitrary_commands_with_msdt.yml b/dist/ssa/srs/ssa___windows_execute_arbitrary_commands_with_msdt.yml index 9455283c54..a49081cec7 100644 --- a/dist/ssa/srs/ssa___windows_execute_arbitrary_commands_with_msdt.yml +++ b/dist/ssa/srs/ssa___windows_execute_arbitrary_commands_with_msdt.yml 
@@ -7,56 +7,48 @@ description: The following analytic identifies a recently disclosed arbitraty co identified will use the ms-msdt:/ protocol handler to load msdt.exe to retrieve a remote payload. During triage, review file modifications for html. Identify parallel process execution that may be related, including an Office Product. -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where ((like(process_cmd_line, "%ms-msdt:/id%") OR like(process_cmd_line, - "%ms-msdt:-id%") OR like(process_cmd_line, "%ms-msdt:/id%") OR like(process_cmd_line, - "%ms-msdt:%") OR like(process_cmd_line, "%msdt%")) AND 
process_file_name="msdt.exe") - AND (match_regex(process_cmd_line, /(?i).xml/)=true OR match_regex(process_cmd_line, - /(?i)it_rebrowseforfile=/)=true OR match_regex(process_cmd_line, /(?i)it_browseforfile=/)=true) - AND match_regex(process_cmd_line, /(?i)pcwdiagnostic/)=true - | eval body=create_map( - "devices", [ - create_map( - "hostname", device_hostname, "type_id", 0, "uuid", ucast(map_get(device,"uuid"), "string", null) - ) - ], - "time", timestamp, - "evidence", create_map("process.pid", process_pid, "process.file.path", process_file_path, "process.file.name", process_file_name, "process.cmd_line", process_cmd_line, "actor.user.name", actor_user_name, "actor.process.pid", actor_process_pid, "actor.process.file.path", actor_process_file_path, "actor.process.file.name", actor_process_file_name, "device.hostname", device_hostname), - "message", concat("Windows Execute Arbitrary Commands with MSDT has been triggered on ", device_hostname, " by ", actor_user_name, "."), - "users", [ - create_map( - "name", actor_user_name, "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - "risk_level_id", 4, - "risk_score", 100, - "severity_id", 0, - "rule", create_map("name", "Windows Execute Arbitrary Commands with MSDT", "uid", "f253f9c2-10f0-4cc8-b469-f505ba8c2038", "type", "Streaming"), - "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + 
= process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where ((process_cmd_line LIKE "%ms-msdt:/id%" + OR process_cmd_line LIKE "%ms-msdt:-id%" OR process_cmd_line LIKE "%ms-msdt:/id%" + OR process_cmd_line LIKE "%ms-msdt:%" OR process_cmd_line LIKE "%msdt%") AND process_file_name="msdt.exe") + AND (match(process_cmd_line, /(?i).xml/)=true OR match(process_cmd_line, /(?i)it_rebrowseforfile=/)=true + OR match(process_cmd_line, /(?i)it_browseforfile=/)=true) AND match(process_cmd_line, + /(?i)pcwdiagnostic/)=true + | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname}, + message = "Windows Execute Arbitrary Commands with MSDT has been triggered on " + device_hostname + " by " + actor_user_name + ".", + users = [{"name": actor_user_name, "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = ["Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190"], + class_name = "Detection Report", + confidence = 100, + confidence_id = 3, + duration = 0, + impact = 100, + impact_id = 5, + kill_chain = [{"phase": "Exploitation", "phase_id": 4}], + nist = ["DE.AE"], + risk_level = "Critical", + category_uid = 2, + class_uid = 102001, + risk_level_id = 4, + risk_score = 100, 
+ severity_id = 0, + rule = {"name": "Windows Execute Arbitrary Commands with MSDT", "uid": "f253f9c2-10f0-4cc8-b469-f505ba8c2038", "type": "Streaming"}, + metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time + | into sink; ' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the @@ -124,4 +116,5 @@ test: - file_name: msdt-windows-security.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/msdt-windows-security.log source: XmlWinEventLog -runtime: SPL-DSP +runtime: SPL2 +internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_file_share_discovery_with_powerview.yml b/dist/ssa/srs/ssa___windows_file_share_discovery_with_powerview.yml index aebf4270d9..6a512ff924 100644 --- a/dist/ssa/srs/ssa___windows_file_share_discovery_with_powerview.yml +++ b/dist/ssa/srs/ssa___windows_file_share_discovery_with_powerview.yml 
@@ -9,45 +9,40 @@ description: The following analytic identifies the use of the Invoke-ShareFinder credentials, etc. Adversaries who have obtained a foothold in an AD network may leverage PowerView to identify secrets and leverage them for Privilege Escalation or Lateral Movement. -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), - "string", null) | eval process=ucast(map_get(input_event,"process"), "map", null) | eval process_file=ucast(map_get(process,"file"), "map", - null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", null) - | eval process_uid=ucast(map_get(process,"uid"), "string", null) | eval process_cmd_line=ucast(map_get(process,"cmd_line"), - "string", null) | eval actor=ucast(map_get(input_event,"actor"), "map", - null) | eval actor_user=ucast(map_get(actor,"user"), "map", null) | - eval actor_user_uid=ucast(map_get(actor_user,"uid"), "string", null) | where match_regex(process_cmd_line, - /(?i)invoke-sharefinder/)=true - | eval body=create_map( - "devices", [ - create_map( - "hostname", device_hostname, "type_id", 0, "uuid", ucast(map_get(device,"uuid"), "string", null) - ) - ], - "time", timestamp, - "evidence", create_map("device.hostname", device_hostname, "process.file.path", process_file_path, "process.uid", process_uid, "process.cmd_line", process_cmd_line, "actor.user.uid", actor_user_uid), - "message", concat("Windows File Share Discovery With Powerview has been triggered on ", device_hostname, " by ", "Unknown", "."), - "users", [ - create_map( - "name", "Unknown", "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - 
"risk_level_id", 2, - "risk_score", 48, - "severity_id", 0, - "rule", create_map("name", "Windows File Share Discovery With Powerview", "uid", "ec4f671e-c736-4f78-a4c0-8fe809e952e5", "type", "Streaming"), - "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval device_hostname = device.hostname | eval process_file = process.file | eval + process_file_path = process_file.path | eval process_uid = process.uid | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_uid = actor_user.uid + | where match(process_cmd_line, /(?i)invoke-sharefinder/)=true + | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {"device.hostname": device_hostname, "process.file.path": process_file_path, "process.uid": process_uid, "process.cmd_line": process_cmd_line, "actor.user.uid": actor_user_uid}, + message = "Windows File Share Discovery With Powerview has been triggered on " + device_hostname + " by " + "Unknown" + ".", + users = [{"name": "Unknown", "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = ["Active Directory Privilege Escalation"], + class_name = "Detection Report", + confidence = 80, + confidence_id = 3, + duration = 0, + impact = 60, + impact_id = 4, + kill_chain = [{"phase": "Exploitation", "phase_id": 4}], + nist = ["DE.AE"], + risk_level = "Medium", + category_uid = 2, + class_uid = 102001, + risk_level_id = 2, + risk_score = 48, + severity_id = 0, + rule = {"name": "Windows File Share Discovery With Powerview", "uid": 
"ec4f671e-c736-4f78-a4c0-8fe809e952e5", "type": "Streaming"}, + metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time + | into sink; ' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. @@ -99,4 +94,5 @@ test: - file_name: windows-powershell.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/powerview_sharefinder/windows-powershell.log source: XmlWinEventLog -runtime: SPL-DSP +runtime: SPL2 +internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_findstr_gpp_discovery.yml b/dist/ssa/srs/ssa___windows_findstr_gpp_discovery.yml index a0f1d1456a..a5a738a893 100644 --- a/dist/ssa/srs/ssa___windows_findstr_gpp_discovery.yml +++ b/dist/ssa/srs/ssa___windows_findstr_gpp_discovery.yml 
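Review bot: The new `| fields metadata, rule, …, observables, …` projection names `observables`, yet no `eval` in the rewritten search assigns it, so the finding either reaches the sink without that column or the projection errors, depending on how this SPL2 runtime treats an unknown field; assigning it explicitly alongside the other report fields, or dropping it from the list, keeps the emitted schema stable. The same projection recurs in the findstr, explorer and LOLBin hunks below, and `eval metadata_uid = metadata.uid` is likewise computed but never referenced or emitted in any of them. A small wording point specific to this hunk: `" by " + "Unknown" + "."` concatenates three constants and reads more clearly as the single literal `" by Unknown."`. Since `dist/ssa/srs/` looks like build output, the fix presumably belongs in the generating template or source detection rather than in these files directly.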
@@ -10,52 +10,44 @@ description: The following analytic identifies the use of the findstr command em share and decrypt the password (using the AES key that has been made public). While Microsoft released a patch that impedes Administrators to create unsecure credentials, existing Group Policy Preferences files with passwords are not removed from SYSVOL. -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where process_file_name="findstr.exe" AND like(process_cmd_line, "%cpassword%") - - | eval body=create_map( - "devices", [ - create_map( - "hostname", device_hostname, "type_id", 0, "uuid", 
ucast(map_get(device,"uuid"), "string", null) - ) - ], - "time", timestamp, - "evidence", create_map("process.pid", process_pid, "process.file.path", process_file_path, "process.file.name", process_file_name, "process.cmd_line", process_cmd_line, "actor.user.name", actor_user_name, "actor.process.pid", actor_process_pid, "actor.process.file.path", actor_process_file_path, "actor.process.file.name", actor_process_file_name, "device.hostname", device_hostname), - "message", concat("Windows Findstr GPP Discovery has been triggered on ", device_hostname, " by ", actor_user_name, "."), - "users", [ - create_map( - "name", actor_user_name, "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - "risk_level_id", 2, - "risk_score", 56, - "severity_id", 0, - "rule", create_map("name", "Windows Findstr GPP Discovery", "uid", "73ed0f19-080e-4917-b7c6-56e1760a50d4", "type", "Streaming"), - "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where 
process_file_name="findstr.exe" + AND process_cmd_line LIKE "%cpassword%" + | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname}, + message = "Windows Findstr GPP Discovery has been triggered on " + device_hostname + " by " + actor_user_name + ".", + users = [{"name": actor_user_name, "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = ["Active Directory Privilege Escalation"], + class_name = "Detection Report", + confidence = 80, + confidence_id = 3, + duration = 0, + impact = 70, + impact_id = 4, + kill_chain = [{"phase": "Exploitation", "phase_id": 4}], + nist = ["DE.AE"], + risk_level = "Medium", + category_uid = 2, + class_uid = 102001, + risk_level_id = 2, + risk_score = 56, + severity_id = 0, + rule = {"name": "Windows Findstr GPP Discovery", "uid": "73ed0f19-080e-4917-b7c6-56e1760a50d4", "type": "Streaming"}, + metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time + | into sink; ' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process 
name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the @@ -123,4 +115,5 @@ test: - file_name: windows-4688.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.006/findstr_gpp_discovery/windows-4688.log source: XmlWinEventLog -runtime: SPL-DSP +runtime: SPL2 +internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_ingress_tool_transfer_using_explorer.yml b/dist/ssa/srs/ssa___windows_ingress_tool_transfer_using_explorer.yml index 2e243acffe..21dc476cbc 100644 --- a/dist/ssa/srs/ssa___windows_ingress_tool_transfer_using_explorer.yml +++ b/dist/ssa/srs/ssa___windows_ingress_tool_transfer_using_explorer.yml 
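Review bot: `process_cmd_line LIKE "%cpassword%"` in the new `where` clause is, as far as I know, a case-sensitive comparison in SPL/SPL2, so mixed-case spellings of the attribute are not covered even though neighbouring hunks use the case-insensitive form `match(process_cmd_line, /(?i)…/)=true`; `match(process_cmd_line, /(?i)cpassword/)=true` would be consistent with them. The explorer hunk below has the same pattern in `process_cmd_line LIKE "%https://%" OR process_cmd_line LIKE "%http://%"`, where an upper-case scheme would be missed. Whether the enrichment layer lower-cases `process.cmd_line` upstream is not visible here and would settle the question.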
@@ -10,52 +10,44 @@ description: The following analytic identifies the Windows Explorer process with anomaly detection might be a good pivot to check which user and how this process was executed, what is the parent process and what is the URL link. This technique is not commonly used to open an URL. -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where (like(process_cmd_line, "%https://%") OR like(process_cmd_line, "%http://%")) - AND process_file_name="explorer.exe" - | eval body=create_map( - "devices", [ - create_map( - "hostname", device_hostname, "type_id", 0, "uuid", ucast(map_get(device,"uuid"), 
"string", null) - ) - ], - "time", timestamp, - "evidence", create_map("process.pid", process_pid, "process.file.path", process_file_path, "process.file.name", process_file_name, "process.cmd_line", process_cmd_line, "actor.user.name", actor_user_name, "actor.process.pid", actor_process_pid, "actor.process.file.path", actor_process_file_path, "actor.process.file.name", actor_process_file_name, "device.hostname", device_hostname), - "message", concat("Windows Ingress Tool Transfer Using Explorer has been triggered on ", device_hostname, " by ", actor_user_name, "."), - "users", [ - create_map( - "name", actor_user_name, "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - "risk_level_id", 1, - "risk_score", 25, - "severity_id", 0, - "rule", create_map("name", "Windows Ingress Tool Transfer Using Explorer", "uid", "695bfad6-9662-4f9e-a576-bf02a951aa60", "type", "Streaming"), - "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where (process_cmd_line LIKE 
"%https://%" + OR process_cmd_line LIKE "%http://%") AND process_file_name="explorer.exe" + | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname}, + message = "Windows Ingress Tool Transfer Using Explorer has been triggered on " + device_hostname + " by " + actor_user_name + ".", + users = [{"name": actor_user_name, "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = ["DarkCrystal RAT"], + class_name = "Detection Report", + confidence = 50, + confidence_id = 2, + duration = 0, + impact = 50, + impact_id = 3, + kill_chain = [{"phase": "Command And Control", "phase_id": 6}], + nist = ["DE.AE"], + risk_level = "Low", + category_uid = 2, + class_uid = 102001, + risk_level_id = 1, + risk_score = 25, + severity_id = 0, + rule = {"name": "Windows Ingress Tool Transfer Using Explorer", "uid": "695bfad6-9662-4f9e-a576-bf02a951aa60", "type": "Streaming"}, + metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time + | into sink; ' how_to_implement: To successfully implement this search you need to be 
ingesting information on process that include the name of the process responsible for the changes from your endpoints. @@ -117,4 +109,5 @@ test: - file_name: T1105_explorer-windows-security.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/T1105_explorer-windows-security.log source: XmlWinEventLog -runtime: SPL-DSP +runtime: SPL2 +internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_lolbin_binary_in_non_standard_path.yml b/dist/ssa/srs/ssa___windows_lolbin_binary_in_non_standard_path.yml index 551be3b0fc..c11fba1b59 100644 --- a/dist/ssa/srs/ssa___windows_lolbin_binary_in_non_standard_path.yml +++ b/dist/ssa/srs/ssa___windows_lolbin_binary_in_non_standard_path.yml 
@@ -7,36 +7,27 @@ description: The following analytic identifies native living off the land binari it to a new directory. The list of binaries was derived from the https://lolbas-project.github.io site, and excluded common process names (cmd.exe, explorer.exe, csc.exe, hh.exe, regedit.exe) and DotNet binaries. It also does not include the category of OtherMSBinaries. -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where (process_file_name="bitsadmin.exe" OR process_file_name="certoc.exe" - OR process_file_name="certreq.exe" OR process_file_name="certutil.exe" OR process_file_name="cmdkey.exe" - OR 
process_file_name="cmdl32.exe" OR process_file_name="cmstp.exe" OR process_file_name="configsecuritypolicy.exe" - OR process_file_name="control.exe" OR process_file_name="cscript.exe" OR process_file_name="datasvcutil.exe" - OR process_file_name="desktopimgdownldr.exe" OR process_file_name="dfsvc.exe" OR - process_file_name="diantz.exe" OR process_file_name="diskshadow.exe" OR process_file_name="dllhost.exe" - OR process_file_name="dnscmd.exe" OR process_file_name="esentutl.exe" OR process_file_name="eventvwr.exe" - OR process_file_name="expand.exe" OR process_file_name="extexport.exe" OR process_file_name="extrac32.exe" - OR process_file_name="findstr.exe" OR process_file_name="finger.exe" OR process_file_name="fltmc.exe" - OR process_file_name="forfiles.exe" OR process_file_name="ftp.exe" OR process_file_name="gfxdownloadwrapper.exe" - OR process_file_name="gpscript.exe" OR process_file_name="imewdbld.exe" OR process_file_name="ie4uinit.exe" - OR process_file_name="ieexec.exe" OR process_file_name="ilasm.exe" OR process_file_name="infdefaultinstall.exe" - OR process_file_name="makecab.exe" OR process_file_name="mavinject.exe" OR process_file_name="microsoft.workflow.compiler.exe" +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where (process_file_name="bitsadmin.exe" + OR process_file_name="certoc.exe" OR process_file_name="certreq.exe" OR 
process_file_name="certutil.exe" + OR process_file_name="cmdkey.exe" OR process_file_name="cmdl32.exe" OR process_file_name="cmstp.exe" + OR process_file_name="configsecuritypolicy.exe" OR process_file_name="control.exe" + OR process_file_name="cscript.exe" OR process_file_name="datasvcutil.exe" OR process_file_name="desktopimgdownldr.exe" + OR process_file_name="dfsvc.exe" OR process_file_name="diantz.exe" OR process_file_name="diskshadow.exe" + OR process_file_name="dllhost.exe" OR process_file_name="dnscmd.exe" OR process_file_name="esentutl.exe" + OR process_file_name="eventvwr.exe" OR process_file_name="expand.exe" OR process_file_name="extexport.exe" + OR process_file_name="extrac32.exe" OR process_file_name="findstr.exe" OR process_file_name="finger.exe" + OR process_file_name="fltmc.exe" OR process_file_name="forfiles.exe" OR process_file_name="ftp.exe" + OR process_file_name="gfxdownloadwrapper.exe" OR process_file_name="gpscript.exe" + OR process_file_name="imewdbld.exe" OR process_file_name="ie4uinit.exe" OR process_file_name="ieexec.exe" + OR process_file_name="ilasm.exe" OR process_file_name="infdefaultinstall.exe" OR + process_file_name="makecab.exe" OR process_file_name="mavinject.exe" OR process_file_name="microsoft.workflow.compiler.exe" OR process_file_name="mmc.exe" OR process_file_name="msconfig.exe" OR process_file_name="msdt.exe" OR process_file_name="mshta.exe" OR process_file_name="msiexec.exe" OR process_file_name="netsh.exe" OR process_file_name="odbcconf.exe" OR process_file_name="offlinescannershell.exe" 
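Review bot: The rewritten `where` predicate is a chain of several dozen `process_file_name="…" OR` equality tests, continuing into the next hunk; if the target SPL2 runtime supports `IN`, `process_file_name IN ("bitsadmin.exe", "certoc.exe", …)` would express the same list in a fraction of the space and make each addition a one-token change. These are exact, case-sensitive comparisons, so the list relies on `process.file.name` already being lower-cased by the source; that is not visible here and worth confirming. The `search` scalar continues past the end of this hunk.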
@@ -53,38 +44,40 @@ search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(inpu OR process_file_name="verclsid.exe" OR process_file_name="wab.exe" OR process_file_name="wlrmdr.exe" OR process_file_name="wmic.exe" OR process_file_name="workfolders.exe" OR process_file_name="wscript.exe" OR process_file_name="wsreset.exe" OR process_file_name="wuauclt.exe" OR process_file_name="xwizard.exe") - AND (NOT (match_regex(process_file_path, /(?i)(?i)\\windows\\system32/)=true OR - match_regex(process_file_path, /(?i)(?i)\\windows\\syswow64/)=true OR match_regex(process_file_path, - /(?i)(?i)\\windows\\networkcontrolle/)=true OR match_regex(process_file_path, /(?i)(?i)\\windows\\systemapps/)=true - OR match_regex(process_file_path, /(?i)(?i)\\winsxs/)=true OR match_regex(process_file_path, - /(?i)(?i)\\microsoft.net/)=true)) - | eval body=create_map( - "devices", [ - create_map( - "hostname", device_hostname, "type_id", 0, "uuid", ucast(map_get(device,"uuid"), "string", null) - ) - ], - "time", timestamp, - "evidence", create_map("process.pid", process_pid, "process.file.path", process_file_path, "process.file.name", process_file_name, "process.cmd_line", process_cmd_line, "actor.user.name", actor_user_name, "actor.process.pid", actor_process_pid, "actor.process.file.path", actor_process_file_path, "actor.process.file.name", actor_process_file_name, "device.hostname", device_hostname), - "message", concat("Windows LOLBin Binary in Non Standard Path has been triggered on ", device_hostname, " by ", actor_user_name, "."), - "users", [ - create_map( - "name", actor_user_name, "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - "risk_level_id", 2, - "risk_score", 49, - "severity_id", 0, - "rule", create_map("name", "Windows LOLBin Binary in Non Standard Path", "uid", "25689101-012a-324a-94d3-08301e6c065a", "type", "Streaming"), - "metadata", create_map("customer_uid", 
ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' + AND (NOT (match(process_file_path, /(?i)(?i)\\windows\\system32/)=true OR match(process_file_path, + /(?i)(?i)\\windows\\syswow64/)=true OR match(process_file_path, /(?i)(?i)\\windows\\networkcontrolle/)=true + OR match(process_file_path, /(?i)(?i)\\windows\\systemapps/)=true OR match(process_file_path, + /(?i)(?i)\\winsxs/)=true OR match(process_file_path, /(?i)(?i)\\microsoft.net/)=true)) + + | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname}, + message = "Windows LOLBin Binary in Non Standard Path has been triggered on " + device_hostname + " by " + actor_user_name + ".", + users = [{"name": actor_user_name, "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = ["Unusual Processes", "Ransomware", "WhisperGate"], + class_name = "Detection Report", + confidence = 70, + confidence_id = 3, + duration = 0, + impact = 70, + impact_id = 4, + kill_chain = [{"phase": "Exploitation", "phase_id": 4}], + nist = ["DE.AE"], + risk_level = "Medium", + category_uid = 2, + class_uid = 102001, + risk_level_id = 2, + risk_score = 49, + severity_id = 0, + rule = {"name": "Windows LOLBin Binary in Non Standard Path", "uid": "25689101-012a-324a-94d3-08301e6c065a", "type": "Streaming"}, + metadata = 
{"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time + | into sink; ' how_to_implement: Collect endpoint data such as sysmon or 4688 events. known_false_positives: False positives may be present and filtering may be required. Certain utilities will run from non-standard paths based on the third-party application @@ -153,4 +146,5 @@ test: - file_name: dotnet_lolbin-windows-security.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/system_process_running_unexpected_location/dotnet_lolbin-windows-security.log source: WinEventLog:Security -runtime: SPL-DSP +runtime: SPL2 +internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_mshta_child_process.yml b/dist/ssa/srs/ssa___windows_mshta_child_process.yml index e07cbafb81..e3a890ce7c 100644 --- a/dist/ssa/srs/ssa___windows_mshta_child_process.yml +++ b/dist/ssa/srs/ssa___windows_mshta_child_process.yml 
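Review bot: Every exclusion regex on the new side repeats the inline flag, `/(?i)(?i)\\windows\\system32/`, and `/(?i)(?i)\\microsoft.net/` leaves the `.` unescaped so it matches any character; the duplicates are carried over from the removed `match_regex` lines, but the rewrite is the natural place to clean them up, e.g. `/(?i)\\windows\\system32/` and `/(?i)\\microsoft\.net/`. Separately, when `process_file_path` is null, `match()` presumably returns null and `NOT (null OR …)` is also null, so events lacking a path drop out of the `where` silently rather than being reported as running from a non-standard location; if that is unintended, coalescing the path to an empty string before the exclusion test would keep them. The enclosing `search` scalar starts in the previous hunk, and as this is a `dist/` file the change likely belongs in the source detection it is generated from.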
@@ -6,55 +6,48 @@ description: The following analytic identifies child processes spawning from "m The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, parent process "mshta.exe" and its child process. -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where (process_file_name="wscript.exe" OR process_file_name="cscript.exe" - OR process_file_name="searchprotocolhost.exe" OR process_file_name="microsoft.workflow.compiler.exe" - OR process_file_name="msbuild.exe" OR process_file_name="colorcpl.exe" OR 
process_file_name="scrcons.exe" - OR process_file_name="cmd.exe" OR process_file_name="powershell.exe") AND like(actor_process_file_name, - "%mshta.exe") - | eval body=create_map( - "devices", [ - create_map( - "hostname", device_hostname, "type_id", 0, "uuid", ucast(map_get(device,"uuid"), "string", null) - ) - ], - "time", timestamp, - "evidence", create_map("process.pid", process_pid, "process.file.path", process_file_path, "process.file.name", process_file_name, "process.cmd_line", process_cmd_line, "actor.user.name", actor_user_name, "actor.process.pid", actor_process_pid, "actor.process.file.path", actor_process_file_path, "actor.process.file.name", actor_process_file_name, "device.hostname", device_hostname), - "message", concat("Windows MSHTA Child Process has been triggered on ", device_hostname, " by ", actor_user_name, "."), - "users", [ - create_map( - "name", actor_user_name, "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - "risk_level_id", 4, - "risk_score", 80, - "severity_id", 0, - "rule", create_map("name", "Windows MSHTA Child Process", "uid", "f63f7e9c-9526-11ec-9fc7-acde48001122", "type", "Streaming"), - "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = 
actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where (process_file_name="wscript.exe" + OR process_file_name="cscript.exe" OR process_file_name="searchprotocolhost.exe" + OR process_file_name="microsoft.workflow.compiler.exe" OR process_file_name="msbuild.exe" + OR process_file_name="colorcpl.exe" OR process_file_name="scrcons.exe" OR process_file_name="cmd.exe" + OR process_file_name="powershell.exe") AND actor_process_file_name LIKE "%mshta.exe" + + | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname}, + message = "Windows MSHTA Child Process has been triggered on " + device_hostname + " by " + actor_user_name + ".", + users = [{"name": actor_user_name, "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = ["Suspicious MSHTA Activity", "Living Off The Land"], + class_name = "Detection Report", + confidence = 100, + confidence_id = 3, + duration = 0, + impact = 80, + impact_id = 5, + kill_chain = [{"phase": "Exploitation", "phase_id": 4}], + nist = ["DE.AE"], + risk_level = "Critical", + category_uid = 2, + class_uid = 102001, + risk_level_id = 4, + risk_score = 80, + severity_id = 0, + rule = {"name": "Windows MSHTA Child Process", "uid": "f63f7e9c-9526-11ec-9fc7-acde48001122", "type": "Streaming"}, + metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", 
"vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time + | into sink; ' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the @@ -120,4 +113,5 @@ test: - file_name: windows-security.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/windows-security.log source: WinEventLog:Security -runtime: SPL-DSP +runtime: SPL2 +internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_mshta_command_line_url.yml b/dist/ssa/srs/ssa___windows_mshta_command_line_url.yml index 9e15d39f5a..fefaffbf98 100644 --- a/dist/ssa/srs/ssa___windows_mshta_command_line_url.yml +++ b/dist/ssa/srs/ssa___windows_mshta_command_line_url.yml 
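Review bot: `observables` is listed in the closing `| fields ...` projection but nothing in the `| eval ...` block assigns it, so unless the input event already carries an `observables` key the finding reaches `sink` with that field empty while the same process/actor/device values only travel as loose strings inside `evidence`. Either populate it next to `evidence` (an `observables = [...]` list built from `process_file_path`, `process_cmd_line`, `actor_user_name` and `device_hostname`) or drop it from `fields` so the projection matches what is actually set. A secondary point on the same `where` clause: `process_file_name="wscript.exe"` and `actor_process_file_name LIKE "%mshta.exe"` are exact, case-sensitive comparisons, so `WScript.EXE` or `MSHTA.EXE` would be missed unless the enrichment pipeline lower-cases names before `source`, which this hunk does not show. Since `dist/ssa/srs/` looks like generated output, the fix presumably belongs in the detection source or the contentctl template rather than in this file.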
@@ -9,52 +9,44 @@ description: This analytic identifies when Microsoft HTML Application Host (msht malicious software to bypass preventative controls. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process "rundll32.exe" and its parent process. -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where (like(process_cmd_line, "%https://%") OR like(process_cmd_line, "%http://%")) - AND process_file_name="mshta.exe" - | eval body=create_map( - "devices", [ - create_map( - "hostname", device_hostname, "type_id", 
0, "uuid", ucast(map_get(device,"uuid"), "string", null) - ) - ], - "time", timestamp, - "evidence", create_map("process.pid", process_pid, "process.file.path", process_file_path, "process.file.name", process_file_name, "process.cmd_line", process_cmd_line, "actor.user.name", actor_user_name, "actor.process.pid", actor_process_pid, "actor.process.file.path", actor_process_file_path, "actor.process.file.name", actor_process_file_name, "device.hostname", device_hostname), - "message", concat("Windows MSHTA Command-Line URL has been triggered on ", device_hostname, " by ", actor_user_name, "."), - "users", [ - create_map( - "name", actor_user_name, "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - "risk_level_id", 4, - "risk_score", 80, - "severity_id", 0, - "rule", create_map("name", "Windows MSHTA Command-Line URL", "uid", "9b35c538-94ef-11ec-9439-acde48001122", "type", "Streaming"), - "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where 
(process_cmd_line LIKE "%https://%" + OR process_cmd_line LIKE "%http://%") AND process_file_name="mshta.exe" + | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname}, + message = "Windows MSHTA Command-Line URL has been triggered on " + device_hostname + " by " + actor_user_name + ".", + users = [{"name": actor_user_name, "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = ["Suspicious MSHTA Activity", "Living Off The Land"], + class_name = "Detection Report", + confidence = 100, + confidence_id = 3, + duration = 0, + impact = 80, + impact_id = 5, + kill_chain = [{"phase": "Exploitation", "phase_id": 4}], + nist = ["DE.AE"], + risk_level = "Critical", + category_uid = 2, + class_uid = 102001, + risk_level_id = 4, + risk_score = 80, + severity_id = 0, + rule = {"name": "Windows MSHTA Command-Line URL", "uid": "9b35c538-94ef-11ec-9439-acde48001122", "type": "Streaming"}, + metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time + | into sink; ' how_to_implement: To successfully implement this 
search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, @@ -122,4 +114,5 @@ test: - file_name: windows-security.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/windows-security.log source: WinEventLog:Security -runtime: SPL-DSP +runtime: SPL2 +internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_mshta_inline_hta_execution.yml b/dist/ssa/srs/ssa___windows_mshta_inline_hta_execution.yml index d6d3fed7b3..40500b3609 100644 --- a/dist/ssa/srs/ssa___windows_mshta_inline_hta_execution.yml +++ b/dist/ssa/srs/ssa___windows_mshta_inline_hta_execution.yml 
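Review bot: The new `where` clause tests the URL scheme with `process_cmd_line LIKE "%https://%" OR process_cmd_line LIKE "%http://%"`, and `LIKE` is a case-sensitive match, so `mshta HTTP://host/x.hta` or `Http://...` is not caught even though the scheme is case-insensitive to the consumer. The LOLBin search in this same change already uses the `match(field, /(?i).../)=true` form, so `match(process_cmd_line, /(?i)https?:\/\//)=true` would be consistent with it and closes the gap in one line. The same caveat applies to `process_file_name="mshta.exe"` unless file names are normalised before `source`, which is not visible here. As `dist/ssa/srs/` appears to be generated, the change belongs in the detection source or template.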
@@ -7,52 +7,45 @@ description: The following analytic identifies "mshta.exe" execution with inline invoking HTA content directly on the command-line. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process "mshta.exe" and its parent process. -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where (like(process_cmd_line, "%about%") OR like(process_cmd_line, "%javascript%") - OR like(process_cmd_line, "%vbscript%")) AND process_file_name="mshta.exe" - | eval body=create_map( - "devices", [ - create_map( - 
"hostname", device_hostname, "type_id", 0, "uuid", ucast(map_get(device,"uuid"), "string", null) - ) - ], - "time", timestamp, - "evidence", create_map("process.pid", process_pid, "process.file.path", process_file_path, "process.file.name", process_file_name, "process.cmd_line", process_cmd_line, "actor.user.name", actor_user_name, "actor.process.pid", actor_process_pid, "actor.process.file.path", actor_process_file_path, "actor.process.file.name", actor_process_file_name, "device.hostname", device_hostname), - "message", concat("Windows MSHTA Inline HTA Execution has been triggered on ", device_hostname, " by ", actor_user_name, "."), - "users", [ - create_map( - "name", actor_user_name, "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - "risk_level_id", 4, - "risk_score", 80, - "severity_id", 0, - "rule", create_map("name", "Windows MSHTA Inline HTA Execution", "uid", "24962154-9524-11ec-9333-acde48001122", "type", "Streaming"), - "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval 
device_hostname = device.hostname | where (process_cmd_line LIKE "%about%" + OR process_cmd_line LIKE "%javascript%" OR process_cmd_line LIKE "%vbscript%") AND + process_file_name="mshta.exe" + | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname}, + message = "Windows MSHTA Inline HTA Execution has been triggered on " + device_hostname + " by " + actor_user_name + ".", + users = [{"name": actor_user_name, "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = ["Suspicious MSHTA Activity", "Living Off The Land"], + class_name = "Detection Report", + confidence = 100, + confidence_id = 3, + duration = 0, + impact = 80, + impact_id = 5, + kill_chain = [{"phase": "Exploitation", "phase_id": 4}], + nist = ["DE.AE"], + risk_level = "Critical", + category_uid = 2, + class_uid = 102001, + risk_level_id = 4, + risk_score = 80, + severity_id = 0, + rule = {"name": "Windows MSHTA Inline HTA Execution", "uid": "24962154-9524-11ec-9333-acde48001122", "type": "Streaming"}, + metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, 
start_time, end_time + | into sink; ' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, @@ -120,4 +113,5 @@ test: - file_name: windows-security.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/windows-security.log source: WinEventLog:Security -runtime: SPL-DSP +runtime: SPL2 +internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_odbcconf_load_response_file.yml b/dist/ssa/srs/ssa___windows_odbcconf_load_response_file.yml index c9330e644b..e7fc7adfdc 100644 --- a/dist/ssa/srs/ssa___windows_odbcconf_load_response_file.yml +++ b/dist/ssa/srs/ssa___windows_odbcconf_load_response_file.yml 
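Review bot: `process_cmd_line LIKE "%about%"` matches any command line that merely contains the substring — a path such as `C:\Users\about\...` or an argument like `--about` — not just the `about:` form that inline HTA invocation typically uses, and `%javascript%` / `%vbscript%` are similarly loose relative to the `javascript:` / `vbscript:` handlers. Anchoring on the colon, e.g. `match(process_cmd_line, /(?i)(about|javascript|vbscript):/)=true`, keeps the intent, adds the case-insensitivity that `LIKE` lacks (`VBScript:` is a common casing), and reuses the `match(..., /(?i).../)` idiom the LOLBin search in this change already uses. Whether the broader substring match was deliberate should at least be stated in `known_false_positives`. If `dist/ssa/srs/` is generated output, apply this in the detection source rather than here.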
@@ -7,52 +7,45 @@ description: The following analytic identifies the odbcconf.exe, Windows Open Da and may be named anything. The resource file itself may have different commands supported by Odbcconf to load up a DLL (REGSVR) on disk or additional commands. During triage, review file modifications and parallel processes. -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where ((like(process_cmd_line, "%/f %") OR like(process_cmd_line, "%-f %")) - AND process_file_name="odbcconf.exe") AND like(process_cmd_line, "%.rsp%") - | eval body=create_map( - "devices", [ - create_map( - "hostname", device_hostname, 
"type_id", 0, "uuid", ucast(map_get(device,"uuid"), "string", null) - ) - ], - "time", timestamp, - "evidence", create_map("process.pid", process_pid, "process.file.path", process_file_path, "process.file.name", process_file_name, "process.cmd_line", process_cmd_line, "actor.user.name", actor_user_name, "actor.process.pid", actor_process_pid, "actor.process.file.path", actor_process_file_path, "actor.process.file.name", actor_process_file_name, "device.hostname", device_hostname), - "message", concat("Windows Odbcconf Load Response File has been triggered on ", device_hostname, " by ", actor_user_name, "."), - "users", [ - create_map( - "name", actor_user_name, "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - "risk_level_id", 2, - "risk_score", 42, - "severity_id", 0, - "rule", create_map("name", "Windows Odbcconf Load Response File", "uid", "7b6c3fac-0c37-4efc-a85e-de88f42b6763", "type", "Streaming"), - "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname 
| where ((process_cmd_line LIKE "%/f %" + OR process_cmd_line LIKE "%-f %") AND process_file_name="odbcconf.exe") AND process_cmd_line + LIKE "%.rsp%" + | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname}, + message = "Windows Odbcconf Load Response File has been triggered on " + device_hostname + " by " + actor_user_name + ".", + users = [{"name": actor_user_name, "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = ["Living Off The Land"], + class_name = "Detection Report", + confidence = 70, + confidence_id = 3, + duration = 0, + impact = 60, + impact_id = 4, + kill_chain = [{"phase": "Exploitation", "phase_id": 4}], + nist = ["DE.AE"], + risk_level = "Medium", + category_uid = 2, + class_uid = 102001, + risk_level_id = 2, + risk_score = 42, + severity_id = 0, + rule = {"name": "Windows Odbcconf Load Response File", "uid": "7b6c3fac-0c37-4efc-a85e-de88f42b6763", "type": "Streaming"}, + metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time + | into sink; ' how_to_implement: To successfully 
implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the @@ -117,4 +110,5 @@ test: - file_name: odbcconf-windows-security.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.008/atomic_red_team/odbcconf-windows-security.log source: XmlWinEventLog -runtime: SPL-DSP +runtime: SPL2 +internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_os_credential_dumping_with_ntdsutil_export_ntds.yml b/dist/ssa/srs/ssa___windows_os_credential_dumping_with_ntdsutil_export_ntds.yml index 7fa8c2b113..24680e336c 100644 --- a/dist/ssa/srs/ssa___windows_os_credential_dumping_with_ntdsutil_export_ntds.yml +++ b/dist/ssa/srs/ssa___windows_os_credential_dumping_with_ntdsutil_export_ntds.yml 
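Review bot: The `where` clause requires `process_cmd_line LIKE "%.rsp%"`, but the description at the top of this same file says the response file "may be named anything", so an operator who renames it (`odbcconf /f payload.txt`) is excluded by the detection's own stated threat model. Dropping the `.rsp` clause, or combining it with the `/f` switch by `OR` instead of `AND`, would match the description; the resulting false-positive trade-off belongs in `known_false_positives`. Separately, `LIKE "%/f %"` and `LIKE "%-f %"` are case-sensitive and need a trailing space, so an uppercase `/F` (Windows switches are case-insensitive) or a tab/quote after the switch is missed; `match(process_cmd_line, /(?i)[\/-]f\s/)=true` follows the idiom already used by the LOLBin search in this change. As `dist/ssa/srs/` looks generated, the fix belongs in the detection source or template.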
@@ -13,52 +13,44 @@ description: 'Monitor for signs that Ntdsutil is being used to Extract Active Di This technique uses "Install from Media" (IFM), which will extract a copy of the Active Directory database. A successful export of the Active Directory database will yield a file modification named ntds.dit to the destination.' -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where process_file_name="ntdsutil.exe" AND (like(process_cmd_line, "%create%") - AND like(process_cmd_line, "%ntds%")) - | eval body=create_map( - "devices", [ - create_map( - "hostname", device_hostname, "type_id", 0, "uuid", 
ucast(map_get(device,"uuid"), "string", null) - ) - ], - "time", timestamp, - "evidence", create_map("process.pid", process_pid, "process.file.path", process_file_path, "process.file.name", process_file_name, "process.cmd_line", process_cmd_line, "actor.user.name", actor_user_name, "actor.process.pid", actor_process_pid, "actor.process.file.path", actor_process_file_path, "actor.process.file.name", actor_process_file_name, "device.hostname", device_hostname), - "message", concat("Windows OS Credential Dumping with Ntdsutil Export NTDS has been triggered on ", device_hostname, " by ", actor_user_name, "."), - "users", [ - create_map( - "name", actor_user_name, "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - "risk_level_id", 2, - "risk_score", 50, - "severity_id", 0, - "rule", create_map("name", "Windows OS Credential Dumping with Ntdsutil Export NTDS", "uid", "dad9ddec-a72a-47be-87b6-a0f7ba98ed6e", "type", "Streaming"), - "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname 
= device.hostname | where process_file_name="ntdsutil.exe" + AND (process_cmd_line LIKE "%create%" AND process_cmd_line LIKE "%ntds%") + | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname}, + message = "Windows OS Credential Dumping with Ntdsutil Export NTDS has been triggered on " + device_hostname + " by " + actor_user_name + ".", + users = [{"name": actor_user_name, "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = ["Credential Dumping", "HAFNIUM Group", "Living Off The Land", "Volt Typhoon"], + class_name = "Detection Report", + confidence = 50, + confidence_id = 2, + duration = 0, + impact = 100, + impact_id = 5, + kill_chain = [{"phase": "Exploitation", "phase_id": 4}], + nist = ["DE.AE"], + risk_level = "Medium", + category_uid = 2, + class_uid = 102001, + risk_level_id = 2, + risk_score = 50, + severity_id = 0, + rule = {"name": "Windows OS Credential Dumping with Ntdsutil Export NTDS", "uid": "dad9ddec-a72a-47be-87b6-a0f7ba98ed6e", "type": "Streaming"}, + metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, 
type_uid, users, start_time, end_time + | into sink; ' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the @@ -129,4 +121,5 @@ test: - file_name: 4688_windows-security.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.003/atomic_red_team/4688_windows-security.log source: XmlWinEventLog -runtime: SPL-DSP +runtime: SPL2 +internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_os_credential_dumping_with_procdump.yml b/dist/ssa/srs/ssa___windows_os_credential_dumping_with_procdump.yml index 033cf3eda4..8a8fe5e45a 100644 --- a/dist/ssa/srs/ssa___windows_os_credential_dumping_with_procdump.yml +++ b/dist/ssa/srs/ssa___windows_os_credential_dumping_with_procdump.yml 
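Review bot: `process_cmd_line LIKE "%ntds%"` adds nothing once `process_file_name="ntdsutil.exe"` holds, because with 4688/Sysmon data the command line normally begins with the image name and therefore always contains `ntds`; the effective condition is just `create` appearing anywhere in an ntdsutil command line, which also covers `snapshot ... create`, and whether that is intended should be stated in `known_false_positives`. If the target is the IFM export the description names, anchoring on it — `process_cmd_line LIKE "%ifm%" AND process_cmd_line LIKE "%create%"`, or the case-insensitive `match(process_cmd_line, /(?i)ifm.*create|create.*ifm/)=true` — is tighter and still matches the canonical `ntdsutil "ac i ntds" ifm "create full C:\temp" q q`. Both `LIKE` tests are case-sensitive, so `CREATE FULL` is currently missed. Since `dist/ssa/srs/` appears generated, the change belongs in the detection source or template.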
@@ -12,53 +12,45 @@ description: 'Detect procdump.exe dumping the lsass process. This query looks fo Sysinternals utility has been ran, it is possible there will be a -accepteula on the command line. Review other endpoint data sources for cross process (injection) into lsass.exe.' -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where ((like(process_cmd_line, "%-ma %") OR like(process_cmd_line, "%-mm - %")) AND (process_file_name="procdump64.exe" OR process_file_name="procdump.exe")) - AND like(process_cmd_line, "%lsass%") - | eval body=create_map( - "devices", [ - create_map( - "hostname", device_hostname, 
"type_id", 0, "uuid", ucast(map_get(device,"uuid"), "string", null) - ) - ], - "time", timestamp, - "evidence", create_map("process.pid", process_pid, "process.file.path", process_file_path, "process.file.name", process_file_name, "process.cmd_line", process_cmd_line, "actor.user.name", actor_user_name, "actor.process.pid", actor_process_pid, "actor.process.file.path", actor_process_file_path, "actor.process.file.name", actor_process_file_name, "device.hostname", device_hostname), - "message", concat("Windows OS Credential Dumping with Procdump has been triggered on ", device_hostname, " by ", actor_user_name, "."), - "users", [ - create_map( - "name", actor_user_name, "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - "risk_level_id", 4, - "risk_score", 80, - "severity_id", 0, - "rule", create_map("name", "Windows OS Credential Dumping with Procdump", "uid", "e102e297-dbe6-4a19-b319-5c08f4c19a06", "type", "Streaming"), - "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = 
device.hostname | where ((process_cmd_line LIKE "%-ma %" + OR process_cmd_line LIKE "%-mm %") AND (process_file_name="procdump64.exe" OR process_file_name="procdump.exe")) + AND process_cmd_line LIKE "%lsass%" + | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname}, + message = "Windows OS Credential Dumping with Procdump has been triggered on " + device_hostname + " by " + actor_user_name + ".", + users = [{"name": actor_user_name, "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = ["Credential Dumping", "HAFNIUM Group"], + class_name = "Detection Report", + confidence = 100, + confidence_id = 3, + duration = 0, + impact = 80, + impact_id = 5, + kill_chain = [{"phase": "Exploitation", "phase_id": 4}], + nist = ["DE.AE"], + risk_level = "Critical", + category_uid = 2, + class_uid = 102001, + risk_level_id = 4, + risk_score = 80, + severity_id = 0, + rule = {"name": "Windows OS Credential Dumping with Procdump", "uid": "e102e297-dbe6-4a19-b319-5c08f4c19a06", "type": "Streaming"}, + metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, 
severity_id, type_uid, users, start_time, end_time + | into sink; ' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the @@ -125,4 +117,5 @@ test: - file_name: procdump_windows-security.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/procdump_windows-security.log source: XmlWinEventLog -runtime: SPL-DSP +runtime: SPL2 +internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_powershell_connect_to_internet_with_hidden_window.yml b/dist/ssa/srs/ssa___windows_powershell_connect_to_internet_with_hidden_window.yml index fe708d246e..06a50aad72 100644 --- a/dist/ssa/srs/ssa___windows_powershell_connect_to_internet_with_hidden_window.yml +++ b/dist/ssa/srs/ssa___windows_powershell_connect_to_internet_with_hidden_window.yml 
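Review bot: The closing `fields` projection of the new procdump search lists `observables`, but nothing in the pipeline assigns it — every other projected field (`devices`, `evidence`, `users`, `kill_chain`, …) is set by the preceding `eval`, and the old `create_map` body never carried an observables entry either — so unless the source event already supplies that field the finding is written without it. Either assign it next to the other evals in whatever shape the sink expects (e.g. `observables = [{"name": "process.cmd_line", "value": process_cmd_line}]`, to be confirmed against the finding schema) or drop `observables` from the `fields` list so the projection and the body agree. The `search:` scalar is complete inside this hunk; the rest of the YAML document (how_to_implement, tests) lies outside it.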
@@ -11,54 +11,46 @@ description: The following hunting analytic identifies PowerShell commands utili For example w, win, windowsty and so forth. In addition, through our research it was identified that PowerShell will interpret different command switch types beyond the hyphen. We have added endash, emdash, horizontal bar, and forward slash. -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where (process_file_name="powershell_ise.exe" OR process_file_name="powershell.exe" - OR process_file_name="sqltoolsps.exe" OR process_file_name="sqlps.exe" OR process_file_name="pwsh.exe") - AND match_regex(process_cmd_line, 
/(?i)[\-|\/]w(in*d*o*w*s*t*y*l*e*)*\s+h(i*d*d*e*n*)\s+/)=true - - | eval body=create_map( - "devices", [ - create_map( - "hostname", device_hostname, "type_id", 0, "uuid", ucast(map_get(device,"uuid"), "string", null) - ) - ], - "time", timestamp, - "evidence", create_map("process.pid", process_pid, "process.file.path", process_file_path, "process.file.name", process_file_name, "process.cmd_line", process_cmd_line, "actor.user.name", actor_user_name, "actor.process.pid", actor_process_pid, "actor.process.file.path", actor_process_file_path, "actor.process.file.name", actor_process_file_name, "device.hostname", device_hostname), - "message", concat("Windows Powershell Connect to Internet With Hidden Window has been triggered on ", device_hostname, " by ", actor_user_name, "."), - "users", [ - create_map( - "name", actor_user_name, "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - "risk_level_id", 1, - "risk_score", 35, - "severity_id", 0, - "rule", create_map("name", "Windows Powershell Connect to Internet With Hidden Window", "uid", "477e068e-8b6d-11ec-b6c1-81af21670352", "type", "Streaming"), - "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval 
actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where (process_file_name="powershell_ise.exe" + OR process_file_name="powershell.exe" OR process_file_name="sqltoolsps.exe" OR process_file_name="sqlps.exe" + OR process_file_name="pwsh.exe" OR process_file_name="pwsh.exe") AND match(process_cmd_line, + /(?i)[\-|\/]w(in*d*o*w*s*t*y*l*e*)*\s+h(i*d*d*e*n*)\s+/)=true + | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname}, + message = "Windows Powershell Connect to Internet With Hidden Window has been triggered on " + device_hostname + " by " + actor_user_name + ".", + users = [{"name": actor_user_name, "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = ["Malicious PowerShell", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "HAFNIUM Group", "Log4Shell CVE-2021-44228"], + class_name = "Detection Report", + confidence = 70, + confidence_id = 3, + duration = 0, + impact = 50, + impact_id = 3, + kill_chain = [{"phase": "Actions on Objectives", "phase_id": 7}], + nist = ["DE.AE"], + risk_level = "Low", + category_uid = 2, + class_uid = 102001, + risk_level_id = 1, + risk_score = 35, + severity_id = 0, + rule = {"name": "Windows Powershell Connect to Internet With Hidden Window", "uid": "477e068e-8b6d-11ec-b6c1-81af21670352", "type": "Streaming"}, + metadata = {"customer_uid": metadata.customer_uid, "product": 
{"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time + | into sink; ' how_to_implement: You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. @@ -129,4 +121,5 @@ test: - file_name: hidden_windows-security.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/hidden_powershell/hidden_windows-security.log source: WinEventLog:Security -runtime: SPL-DSP +runtime: SPL2 +internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_powershell_disabled_kerberos_pre_authentication_discovery_get_aduser.yml b/dist/ssa/srs/ssa___windows_powershell_disabled_kerberos_pre_authentication_discovery_get_aduser.yml index 8dda385dd2..5757bfbe53 100644 --- a/dist/ssa/srs/ssa___windows_powershell_disabled_kerberos_pre_authentication_discovery_get_aduser.yml +++ b/dist/ssa/srs/ssa___windows_powershell_disabled_kerberos_pre_authentication_discovery_get_aduser.yml 
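Review bot: The regex in the new `where` clause, `/(?i)[\-|\/]w(in*d*o*w*s*t*y*l*e*)*\s+h(i*d*d*e*n*)\s+/`, does not deliver what the description above the hunk promises: inside a character class `|` is a literal pipe, not alternation, so the class only matches `-`, `|` and `/`, and none of the en dash, em dash or horizontal bar switch prefixes are covered — if those were intended, the literal dash characters need to be placed in the class. The trailing `\s+` also requires whitespace after `hidden`, so `powershell -w hidden` at the very end of a command line is missed; `h(i*d*d*e*n*)(\s+|$)` closes that gap. The process-name list now tests `process_file_name="pwsh.exe"` twice (the old search had it once); the second copy can be dropped.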
@@ -10,45 +10,41 @@ description: The following analytic utilizes PowerShell Script Block Logging (Ev domain accounts with Kerberos Pre Authentication disabled.\ Red Teams and adversaries alike use may abuse Get-ADUSer to enumerate these accounts and attempt to crack their passwords offline. -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), - "string", null) | eval process=ucast(map_get(input_event,"process"), "map", null) | eval process_file=ucast(map_get(process,"file"), "map", - null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", null) - | eval process_uid=ucast(map_get(process,"uid"), "string", null) | eval process_cmd_line=ucast(map_get(process,"cmd_line"), - "string", null) | eval actor=ucast(map_get(input_event,"actor"), "map", - null) | eval actor_user=ucast(map_get(actor,"user"), "map", null) | - eval actor_user_uid=ucast(map_get(actor_user,"uid"), "string", null) | where like(process_cmd_line, - "%4194304%") AND match_regex(process_cmd_line, /(?i)get-aduser/)=true - | eval body=create_map( - "devices", [ - create_map( - "hostname", device_hostname, "type_id", 0, "uuid", ucast(map_get(device,"uuid"), "string", null) - ) - ], - "time", timestamp, - "evidence", create_map("device.hostname", device_hostname, "process.file.path", process_file_path, "process.uid", process_uid, "process.cmd_line", process_cmd_line, "actor.user.uid", actor_user_uid), - "message", concat("Windows PowerShell Disabled Kerberos Pre-Authentication Discovery Get-ADUser has been triggered on ", device_hostname, " by ", "Unknown", "."), - "users", [ - create_map( - "name", "Unknown", "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) 
- ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - "risk_level_id", 2, - "risk_score", 54, - "severity_id", 0, - "rule", create_map("name", "Windows PowerShell Disabled Kerberos Pre-Authentication Discovery Get-ADUser", "uid", "d57b4d91-fc91-4482-a325-47693cced1eb", "type", "Streaming"), - "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval device_hostname = device.hostname | eval process_file = process.file | eval + process_file_path = process_file.path | eval process_uid = process.uid | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_uid = actor_user.uid + | where process_cmd_line LIKE "%4194304%" AND match(process_cmd_line, /(?i)get-aduser/)=true + + | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {"device.hostname": device_hostname, "process.file.path": process_file_path, "process.uid": process_uid, "process.cmd_line": process_cmd_line, "actor.user.uid": actor_user_uid}, + message = "Windows PowerShell Disabled Kerberos Pre-Authentication Discovery Get-ADUser has been triggered on " + device_hostname + " by " + "Unknown" + ".", + users = [{"name": "Unknown", "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = ["Active Directory Kerberos Attacks"], + class_name = "Detection Report", + confidence = 90, + confidence_id = 3, + duration = 0, + impact = 60, + impact_id = 4, + kill_chain = [{"phase": "Exploitation", "phase_id": 4}], + nist = ["DE.AE"], + risk_level = "Medium", + category_uid = 
2, + class_uid = 102001, + risk_level_id = 2, + risk_score = 54, + severity_id = 0, + rule = {"name": "Windows PowerShell Disabled Kerberos Pre-Authentication Discovery Get-ADUser", "uid": "d57b4d91-fc91-4482-a325-47693cced1eb", "type": "Streaming"}, + metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time + | into sink; ' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. @@ -102,4 +98,5 @@ test: - file_name: windows-powershell.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.004/getaduser/windows-powershell.log source: WinEventLog -runtime: SPL-DSP +runtime: SPL2 +internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_powershell_disabled_kerberos_pre_authentication_discovery_with_powerview.yml b/dist/ssa/srs/ssa___windows_powershell_disabled_kerberos_pre_authentication_discovery_with_powerview.yml index f67512566a..e973d4069b 100644 --- a/dist/ssa/srs/ssa___windows_powershell_disabled_kerberos_pre_authentication_discovery_with_powerview.yml +++ b/dist/ssa/srs/ssa___windows_powershell_disabled_kerberos_pre_authentication_discovery_with_powerview.yml 
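Review bot: The new `where` clause anchors the Get-ADUser match on the decimal userAccountControl value, `process_cmd_line LIKE "%4194304%"`, so a script block that spells the same DONT_REQ_PREAUTH bit as `0x400000`, or queries it via `-Filter {DoesNotRequirePreAuth -eq $true}`, is presumably not caught; if that coverage is wanted, OR those forms into the predicate. The message is assembled as `" by " + "Unknown" + "."`, concatenating two literals at runtime; `" by Unknown."` says the same and mirrors the `users` entry that already hardcodes `"Unknown"`. `metadata_uid` is evaluated at the top of the pipeline but never referenced or projected and can be removed.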
@@ -10,46 +10,41 @@ description: The following analytic utilizes PowerShell Script Block Logging (Ev adversaries to discover domain accounts with Kerberos Pre Authentication disabled.\ Red Teams and adversaries alike use may leverage PowerView to enumerate these accounts and attempt to crack their passwords offline. -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), - "string", null) | eval process=ucast(map_get(input_event,"process"), "map", null) | eval process_file=ucast(map_get(process,"file"), "map", - null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", null) - | eval process_uid=ucast(map_get(process,"uid"), "string", null) | eval process_cmd_line=ucast(map_get(process,"cmd_line"), - "string", null) | eval actor=ucast(map_get(input_event,"actor"), "map", - null) | eval actor_user=ucast(map_get(actor,"user"), "map", null) | - eval actor_user_uid=ucast(map_get(actor_user,"uid"), "string", null) | where match_regex(process_cmd_line, - /(?i)preauthnotrequired/)=true AND match_regex(process_cmd_line, /(?i)get-domainuser/)=true - - | eval body=create_map( - "devices", [ - create_map( - "hostname", device_hostname, "type_id", 0, "uuid", ucast(map_get(device,"uuid"), "string", null) - ) - ], - "time", timestamp, - "evidence", create_map("device.hostname", device_hostname, "process.file.path", process_file_path, "process.uid", process_uid, "process.cmd_line", process_cmd_line, "actor.user.uid", actor_user_uid), - "message", concat("Windows PowerShell Disabled Kerberos Pre-Authentication Discovery With PowerView has been triggered on ", device_hostname, " by ", "Unknown", "."), - "users", [ - create_map( - "name", "Unknown", 
"uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - "risk_level_id", 2, - "risk_score", 54, - "severity_id", 0, - "rule", create_map("name", "Windows PowerShell Disabled Kerberos Pre-Authentication Discovery With PowerView", "uid", "dc3f2af7-ca69-47ce-a122-9f9787e19417", "type", "Streaming"), - "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval device_hostname = device.hostname | eval process_file = process.file | eval + process_file_path = process_file.path | eval process_uid = process.uid | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_uid = actor_user.uid + | where match(process_cmd_line, /(?i)preauthnotrequired/)=true AND match(process_cmd_line, + /(?i)get-domainuser/)=true + | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {"device.hostname": device_hostname, "process.file.path": process_file_path, "process.uid": process_uid, "process.cmd_line": process_cmd_line, "actor.user.uid": actor_user_uid}, + message = "Windows PowerShell Disabled Kerberos Pre-Authentication Discovery With PowerView has been triggered on " + device_hostname + " by " + "Unknown" + ".", + users = [{"name": "Unknown", "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = ["Active Directory Kerberos Attacks"], + class_name = "Detection Report", + confidence = 90, + confidence_id = 3, + duration = 0, + impact = 60, + impact_id = 4, + kill_chain = [{"phase": 
"Exploitation", "phase_id": 4}], + nist = ["DE.AE"], + risk_level = "Medium", + category_uid = 2, + class_uid = 102001, + risk_level_id = 2, + risk_score = 54, + severity_id = 0, + rule = {"name": "Windows PowerShell Disabled Kerberos Pre-Authentication Discovery With PowerView", "uid": "dc3f2af7-ca69-47ce-a122-9f9787e19417", "type": "Streaming"}, + metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time + | into sink; ' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. @@ -102,4 +97,5 @@ test: - file_name: getdomainuser.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/getdomainuser.log source: XmlWinEventLog -runtime: SPL-DSP +runtime: SPL2 +internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_powershell_downloadfile.yml b/dist/ssa/srs/ssa___windows_powershell_downloadfile.yml index 0db2062d2f..c594298f3e 100644 --- a/dist/ssa/srs/ssa___windows_powershell_downloadfile.yml +++ b/dist/ssa/srs/ssa___windows_powershell_downloadfile.yml 
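Review bot: The PowerView predicate requires both `preauthnotrequired` and `get-domainuser` as substrings, which catches `Get-DomainUser -PreauthNotRequired` but presumably not the equivalent `Get-DomainUser -UACFilter DONT_REQ_PREAUTH` spelling; if that form is in scope, add `match(process_cmd_line, /(?i)dont_req_preauth/)=true` as an alternative to the first test. The finding message concatenates literals, `" by " + "Unknown" + "."`, which can be folded into `" by Unknown."`. As in the sibling searches, `metadata_uid` is computed and never used.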
@@ -7,54 +7,46 @@ description: The following analytic identifies the use of PowerShell downloading PowerShell frameworks to download files and output to disk. Identify the source (IP/domain) and destination file and triage appropriately. If AMSI logging or PowerShell transaction logs are available, review for further details of the implant. -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where (process_file_name="powershell_ise.exe" OR process_file_name="powershell.exe" - OR process_file_name="sqltoolsps.exe" OR process_file_name="sqlps.exe" OR process_file_name="pwsh.exe" - OR process_file_name="pwsh.exe") 
AND match_regex(process_cmd_line, /(?i)downloadfile/)=true - - | eval body=create_map( - "devices", [ - create_map( - "hostname", device_hostname, "type_id", 0, "uuid", ucast(map_get(device,"uuid"), "string", null) - ) - ], - "time", timestamp, - "evidence", create_map("process.pid", process_pid, "process.file.path", process_file_path, "process.file.name", process_file_name, "process.cmd_line", process_cmd_line, "actor.user.name", actor_user_name, "actor.process.pid", actor_process_pid, "actor.process.file.path", actor_process_file_path, "actor.process.file.name", actor_process_file_name, "device.hostname", device_hostname), - "message", concat("Windows Powershell DownloadFile has been triggered on ", device_hostname, " by ", actor_user_name, "."), - "users", [ - create_map( - "name", actor_user_name, "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - "risk_level_id", 1, - "risk_score", 35, - "severity_id", 0, - "rule", create_map("name", "Windows Powershell DownloadFile", "uid", "46440222-81d5-44b1-a376-19dcd70d1b08", "type", "Streaming"), - "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval 
actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where (process_file_name="powershell_ise.exe" + OR process_file_name="powershell.exe" OR process_file_name="sqltoolsps.exe" OR process_file_name="sqlps.exe" + OR process_file_name="pwsh.exe" OR process_file_name="pwsh.exe") AND match(process_cmd_line, + /(?i)downloadfile/)=true + | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname}, + message = "Windows Powershell DownloadFile has been triggered on " + device_hostname + " by " + actor_user_name + ".", + users = [{"name": actor_user_name, "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = ["Malicious PowerShell", "Ingress Tool Transfer", "Log4Shell CVE-2021-44228"], + class_name = "Detection Report", + confidence = 70, + confidence_id = 3, + duration = 0, + impact = 50, + impact_id = 3, + kill_chain = [{"phase": "Actions on Objectives", "phase_id": 7}], + nist = ["DE.AE"], + risk_level = "Low", + category_uid = 2, + class_uid = 102001, + risk_level_id = 1, + risk_score = 35, + severity_id = 0, + rule = {"name": "Windows Powershell DownloadFile", "uid": "46440222-81d5-44b1-a376-19dcd70d1b08", "type": "Streaming"}, + metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, 
activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time + | into sink; ' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, @@ -123,4 +115,5 @@ test: - file_name: downloadfile_windows-security.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/downloadfile_windows-security.log source: WinEventLog:Security -runtime: SPL-DSP +runtime: SPL2 +internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_powershell_start_bitstransfer.yml b/dist/ssa/srs/ssa___windows_powershell_start_bitstransfer.yml index 576dad4224..803770aef4 100644 --- a/dist/ssa/srs/ssa___windows_powershell_start_bitstransfer.yml +++ b/dist/ssa/srs/ssa___windows_powershell_start_bitstransfer.yml 
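Review bot: `severity_id = 0` is hard-coded in the new finding body while `risk_level`, `risk_level_id`, `impact_id` and `confidence_id` are all derived from the rule's scores; if `severity_id` follows the same enumeration style as the other `*_id` fields, where 0 reads as unknown/unset, every DownloadFile finding will carry no severity regardless of its risk — confirm this is intended or derive it from `risk_level_id`. The predicate still tests `process_file_name="pwsh.exe" OR process_file_name="pwsh.exe"` (carried over from the old search); one copy suffices. `metadata_uid` is evaluated but never referenced or projected.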
@@ -9,54 +9,46 @@ description: Start-BitsTransfer is the PowerShell "version" of BitsAdmin.exe. Si is used, it is highly possible files will be archived. During triage, review parallel processes and process lineage. Capture any files on disk and review. For the remote domain or IP, what is the reputation? -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where (process_file_name="powershell_ise.exe" OR process_file_name="powershell.exe" - OR process_file_name="sqltoolsps.exe" OR process_file_name="sqlps.exe" OR process_file_name="pwsh.exe" - OR process_file_name="pwsh.exe") AND match_regex(process_cmd_line, 
/(?i)start-bitstransfer/)=true - - | eval body=create_map( - "devices", [ - create_map( - "hostname", device_hostname, "type_id", 0, "uuid", ucast(map_get(device,"uuid"), "string", null) - ) - ], - "time", timestamp, - "evidence", create_map("process.pid", process_pid, "process.file.path", process_file_path, "process.file.name", process_file_name, "process.cmd_line", process_cmd_line, "actor.user.name", actor_user_name, "actor.process.pid", actor_process_pid, "actor.process.file.path", actor_process_file_path, "actor.process.file.name", actor_process_file_name, "device.hostname", device_hostname), - "message", concat("Windows PowerShell Start-BitsTransfer has been triggered on ", device_hostname, " by ", actor_user_name, "."), - "users", [ - create_map( - "name", actor_user_name, "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - "risk_level_id", 2, - "risk_score", 49, - "severity_id", 0, - "rule", create_map("name", "Windows PowerShell Start-BitsTransfer", "uid", "0bafd086-8f61-11ec-996e-acde48001122", "type", "Streaming"), - "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + 
actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where (process_file_name="powershell_ise.exe" + OR process_file_name="powershell.exe" OR process_file_name="sqltoolsps.exe" OR process_file_name="sqlps.exe" + OR process_file_name="pwsh.exe" OR process_file_name="pwsh.exe") AND match(process_cmd_line, + /(?i)start-bitstransfer/)=true + | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname}, + message = "Windows PowerShell Start-BitsTransfer has been triggered on " + device_hostname + " by " + actor_user_name + ".", + users = [{"name": actor_user_name, "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = ["BITS Jobs", "Living Off The Land"], + class_name = "Detection Report", + confidence = 70, + confidence_id = 3, + duration = 0, + impact = 70, + impact_id = 4, + kill_chain = [{"phase": "Exploitation", "phase_id": 4}, {"phase": "Installation", "phase_id": 5}, {"phase": "Command And Control", "phase_id": 6}], + nist = ["DE.AE"], + risk_level = "Medium", + category_uid = 2, + class_uid = 102001, + risk_level_id = 2, + risk_score = 49, + severity_id = 0, + rule = {"name": "Windows PowerShell Start-BitsTransfer", "uid": "0bafd086-8f61-11ec-996e-acde48001122", "type": "Streaming"}, + metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = 
timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time + | into sink; ' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint_Processess` datamodel. @@ -124,4 +116,5 @@ test: - file_name: T1197_windows-security.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/T1197_windows-security.log source: WinEventLog:Security -runtime: SPL-DSP +runtime: SPL2 +internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_powersploit_gpp_discovery.yml b/dist/ssa/srs/ssa___windows_powersploit_gpp_discovery.yml index 7103c01e00..1896d9cede 100644 --- a/dist/ssa/srs/ssa___windows_powersploit_gpp_discovery.yml +++ b/dist/ssa/srs/ssa___windows_powersploit_gpp_discovery.yml 
@@ -11,45 +11,40 @@ description: The following analytic identifies the use of the Get-GPPPassword Po has been made public). While Microsoft released a patch that impedes Administrators to create unsecure credentials, existing Group Policy Preferences files with passwords are not removed from SYSVOL. -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), - "string", null) | eval process=ucast(map_get(input_event,"process"), "map", null) | eval process_file=ucast(map_get(process,"file"), "map", - null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", null) - | eval process_uid=ucast(map_get(process,"uid"), "string", null) | eval process_cmd_line=ucast(map_get(process,"cmd_line"), - "string", null) | eval actor=ucast(map_get(input_event,"actor"), "map", - null) | eval actor_user=ucast(map_get(actor,"user"), "map", null) | - eval actor_user_uid=ucast(map_get(actor_user,"uid"), "string", null) | where match_regex(process_cmd_line, - /(?i)get-gpppassword/)=true - | eval body=create_map( - "devices", [ - create_map( - "hostname", device_hostname, "type_id", 0, "uuid", ucast(map_get(device,"uuid"), "string", null) - ) - ], - "time", timestamp, - "evidence", create_map("device.hostname", device_hostname, "process.file.path", process_file_path, "process.uid", process_uid, "process.cmd_line", process_cmd_line, "actor.user.uid", actor_user_uid), - "message", concat("Windows PowerSploit GPP Discovery has been triggered on ", device_hostname, " by ", "Unknown", "."), - "users", [ - create_map( - "name", "Unknown", "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, 
- "risk_level_id", 2, - "risk_score", 56, - "severity_id", 0, - "rule", create_map("name", "Windows PowerSploit GPP Discovery", "uid", "fdef746e-71fb-41ce-8ab2-b4a5a6b50ca2", "type", "Streaming"), - "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval device_hostname = device.hostname | eval process_file = process.file | eval + process_file_path = process_file.path | eval process_uid = process.uid | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_uid = actor_user.uid + | where match(process_cmd_line, /(?i)get-gpppassword/)=true + | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {"device.hostname": device_hostname, "process.file.path": process_file_path, "process.uid": process_uid, "process.cmd_line": process_cmd_line, "actor.user.uid": actor_user_uid}, + message = "Windows PowerSploit GPP Discovery has been triggered on " + device_hostname + " by " + "Unknown" + ".", + users = [{"name": "Unknown", "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = ["Active Directory Privilege Escalation"], + class_name = "Detection Report", + confidence = 80, + confidence_id = 3, + duration = 0, + impact = 70, + impact_id = 4, + kill_chain = [{"phase": "Exploitation", "phase_id": 4}], + nist = ["DE.AE"], + risk_level = "Medium", + category_uid = 2, + class_uid = 102001, + risk_level_id = 2, + risk_score = 56, + severity_id = 0, + rule = {"name": "Windows PowerSploit GPP Discovery", "uid": "fdef746e-71fb-41ce-8ab2-b4a5a6b50ca2", 
"type": "Streaming"}, + metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time + | into sink; ' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. @@ -104,4 +99,5 @@ test: - file_name: win-powershell.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.006/powershell_gpp_discovery/win-powershell.log source: XmlWinEventLog -runtime: SPL-DSP +runtime: SPL2 +internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_rasautou_dll_execution.yml b/dist/ssa/srs/ssa___windows_rasautou_dll_execution.yml index 80d6671fe0..db77863426 100644 --- a/dist/ssa/srs/ssa___windows_rasautou_dll_execution.yml +++ b/dist/ssa/srs/ssa___windows_rasautou_dll_execution.yml 
@@ -6,52 +6,45 @@ description: The following analytic identifies the Windows Windows Remote Auto D rasautou.exe executing an arbitrary DLL. This technique is used to execute arbitrary shellcode or DLLs via the rasautou.exe LOLBin capability. During triage, review parent and child process behavior including file and image loads. -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where process_file_name="rasautou.exe" AND match_regex(process_cmd_line, - /(?i)-p /)=true AND match_regex(process_cmd_line, /(?i)-d /)=true - | eval body=create_map( - "devices", [ - create_map( - "hostname", device_hostname, "type_id", 
0, "uuid", ucast(map_get(device,"uuid"), "string", null) - ) - ], - "time", timestamp, - "evidence", create_map("process.pid", process_pid, "process.file.path", process_file_path, "process.file.name", process_file_name, "process.cmd_line", process_cmd_line, "actor.user.name", actor_user_name, "actor.process.pid", actor_process_pid, "actor.process.file.path", actor_process_file_path, "actor.process.file.name", actor_process_file_name, "device.hostname", device_hostname), - "message", concat("Windows Rasautou DLL Execution has been triggered on ", device_hostname, " by ", actor_user_name, "."), - "users", [ - create_map( - "name", actor_user_name, "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - "risk_level_id", 4, - "risk_score", 80, - "severity_id", 0, - "rule", create_map("name", "Windows Rasautou DLL Execution", "uid", "6f42b8ce-1e15-11ec-ad5a-acde48001122", "type", "Streaming"), - "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where 
process_file_name="rasautou.exe" + AND match(process_cmd_line, /(?i)-p /)=true AND match(process_cmd_line, /(?i)-d + /)=true + | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname}, + message = "Windows Rasautou DLL Execution has been triggered on " + device_hostname + " by " + actor_user_name + ".", + users = [{"name": actor_user_name, "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = ["Windows Defense Evasion Tactics", "Living Off The Land"], + class_name = "Detection Report", + confidence = 100, + confidence_id = 3, + duration = 0, + impact = 80, + impact_id = 5, + kill_chain = [{"phase": "Exploitation", "phase_id": 4}], + nist = ["DE.AE"], + risk_level = "Critical", + category_uid = 2, + class_uid = 102001, + risk_level_id = 4, + risk_score = 80, + severity_id = 0, + rule = {"name": "Windows Rasautou DLL Execution", "uid": "6f42b8ce-1e15-11ec-ad5a-acde48001122", "type": "Streaming"}, + metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time + | into sink; ' how_to_implement: To 
successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, @@ -121,4 +114,5 @@ test: - file_name: windows-security.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055.001/rasautou/windows-security.log source: WinEventLog:Security -runtime: SPL-DSP +runtime: SPL2 +internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_rename_system_utilities_acccheckconsole_exe_lolbas_in_non_standard_path.yml b/dist/ssa/srs/ssa___windows_rename_system_utilities_acccheckconsole_exe_lolbas_in_non_standard_path.yml index 54f8ce030b..3ebcf509f6 100644 --- a/dist/ssa/srs/ssa___windows_rename_system_utilities_acccheckconsole_exe_lolbas_in_non_standard_path.yml +++ b/dist/ssa/srs/ssa___windows_rename_system_utilities_acccheckconsole_exe_lolbas_in_non_standard_path.yml 
@@ -6,53 +6,45 @@ description: The following analytic identifies AccCheckConsole.exe which is a na living off the land binary or script (LOLBAS) within the Windows operating system that may be abused by adversaries by moving it to a new directory. The list of binaries was derived from the https://lolbas-project.github.io site. -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where process_file_name="acccheckconsole.exe" AND (NOT match_regex(process_file_path, - /(?i)\\program files (x86)\\windows kits\\10\\bin\\10.0.22000.0\\arm64\\accchecker/)=true) +search: ' $main = from source | eval timestamp = time | 
eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where process_file_name="acccheckconsole.exe" + AND (NOT match(process_file_path, /(?i)\\program files (x86)\\windows kits\\10\\bin\\10.0.22000.0\\arm64\\accchecker/)=true) - | eval body=create_map( - "devices", [ - create_map( - "hostname", device_hostname, "type_id", 0, "uuid", ucast(map_get(device,"uuid"), "string", null) - ) - ], - "time", timestamp, - "evidence", create_map("process.pid", process_pid, "process.file.path", process_file_path, "process.file.name", process_file_name, "process.cmd_line", process_cmd_line, "actor.user.name", actor_user_name, "actor.process.pid", actor_process_pid, "actor.process.file.path", actor_process_file_path, "actor.process.file.name", actor_process_file_name, "device.hostname", device_hostname), - "message", concat("Windows Rename System Utilities Acccheckconsole exe LOLBAS in Non Standard Path has been triggered on ", device_hostname, " by ", actor_user_name, "."), - "users", [ - create_map( - "name", actor_user_name, "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - "risk_level_id", 0, - "risk_score", 14, - "severity_id", 0, - "rule", create_map("name", "Windows Rename System Utilities Acccheckconsole exe LOLBAS in Non Standard Path", "uid", "c842931e-661f-42bc-a4df-0460d93cfb69", "type", "Streaming"), - "metadata", create_map("customer_uid", 
ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' + | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname}, + message = "Windows Rename System Utilities Acccheckconsole exe LOLBAS in Non Standard Path has been triggered on " + device_hostname + " by " + actor_user_name + ".", + users = [{"name": actor_user_name, "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = ["Unusual Processes", "Living Off The Land"], + class_name = "Detection Report", + confidence = 70, + confidence_id = 3, + duration = 0, + impact = 20, + impact_id = 2, + kill_chain = [{"phase": "Exploitation", "phase_id": 4}], + nist = ["DE.AE"], + risk_level = "Info", + category_uid = 2, + class_uid = 102001, + risk_level_id = 0, + risk_score = 14, + severity_id = 0, + rule = {"name": "Windows Rename System Utilities Acccheckconsole exe LOLBAS in Non Standard Path", "uid": "c842931e-661f-42bc-a4df-0460d93cfb69", "type": "Streaming"}, + metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, 
confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time + | into sink; ' how_to_implement: To successfully implement this search, you must be ingesting logs with the process name, command-line arguments, and parent processes from your endpoints. Collect endpoint data such as Sysmon or Windows Events 4688. @@ -121,4 +113,5 @@ test: - file_name: lolbas_dataset.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/system_process_running_unexpected_location/lolbas_dataset.log source: WinEventLog:Security -runtime: SPL-DSP +runtime: SPL2 +internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_rename_system_utilities_adplus_exe_lolbas_in_non_standard_path.yml b/dist/ssa/srs/ssa___windows_rename_system_utilities_adplus_exe_lolbas_in_non_standard_path.yml index 498de88b35..5b41069aed 100644 --- a/dist/ssa/srs/ssa___windows_rename_system_utilities_adplus_exe_lolbas_in_non_standard_path.yml +++ b/dist/ssa/srs/ssa___windows_rename_system_utilities_adplus_exe_lolbas_in_non_standard_path.yml 
@@ -6,52 +6,45 @@ description: The following analytic identifies adplus.exe which is a native livi off the land binary or script (LOLBAS) within the Windows operating system that may be abused by adversaries by moving it to a new directory. The list of binaries was derived from the https://lolbas-project.github.io site. -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where process_file_name="adplus.exe" AND (NOT match_regex(process_file_path, - /(?i)\\program files (x86)\\windows kits\\10\\debuggers\\x86/)=true) - | eval body=create_map( - "devices", [ - create_map( - "hostname", device_hostname, "type_id", 
0, "uuid", ucast(map_get(device,"uuid"), "string", null) - ) - ], - "time", timestamp, - "evidence", create_map("process.pid", process_pid, "process.file.path", process_file_path, "process.file.name", process_file_name, "process.cmd_line", process_cmd_line, "actor.user.name", actor_user_name, "actor.process.pid", actor_process_pid, "actor.process.file.path", actor_process_file_path, "actor.process.file.name", actor_process_file_name, "device.hostname", device_hostname), - "message", concat("Windows Rename System Utilities Adplus exe LOLBAS in Non Standard Path has been triggered on ", device_hostname, " by ", actor_user_name, "."), - "users", [ - create_map( - "name", actor_user_name, "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - "risk_level_id", 0, - "risk_score", 14, - "severity_id", 0, - "rule", create_map("name", "Windows Rename System Utilities Adplus exe LOLBAS in Non Standard Path", "uid", "ecaaf956-c516-4980-b08e-8c01c19614ca", "type", "Streaming"), - "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = 
actor_process_file.name + | eval device_hostname = device.hostname | where process_file_name="adplus.exe" + AND (NOT match(process_file_path, /(?i)\\program files (x86)\\windows kits\\10\\debuggers\\x86/)=true) + + | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname}, + message = "Windows Rename System Utilities Adplus exe LOLBAS in Non Standard Path has been triggered on " + device_hostname + " by " + actor_user_name + ".", + users = [{"name": actor_user_name, "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = ["Unusual Processes", "Living Off The Land"], + class_name = "Detection Report", + confidence = 70, + confidence_id = 3, + duration = 0, + impact = 20, + impact_id = 2, + kill_chain = [{"phase": "Exploitation", "phase_id": 4}], + nist = ["DE.AE"], + risk_level = "Info", + category_uid = 2, + class_uid = 102001, + risk_level_id = 0, + risk_score = 14, + severity_id = 0, + rule = {"name": "Windows Rename System Utilities Adplus exe LOLBAS in Non Standard Path", "uid": "ecaaf956-c516-4980-b08e-8c01c19614ca", "type": "Streaming"}, + metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, 
observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time + | into sink; ' how_to_implement: To successfully implement this search, you must be ingesting logs with the process name, command-line arguments, and parent processes from your endpoints. Collect endpoint data such as Sysmon or Windows Events 4688. @@ -119,4 +112,5 @@ test: - file_name: lolbas_dataset.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/system_process_running_unexpected_location/lolbas_dataset.log source: WinEventLog:Security -runtime: SPL-DSP +runtime: SPL2 +internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_rename_system_utilities_advpack_dll_lolbas_in_non_standard_path.yml b/dist/ssa/srs/ssa___windows_rename_system_utilities_advpack_dll_lolbas_in_non_standard_path.yml index 0139db7906..3e02a2d334 100644 --- a/dist/ssa/srs/ssa___windows_rename_system_utilities_advpack_dll_lolbas_in_non_standard_path.yml +++ b/dist/ssa/srs/ssa___windows_rename_system_utilities_advpack_dll_lolbas_in_non_standard_path.yml 
@@ -6,52 +6,44 @@ description: The following analytic identifies Advpack.dll which is a native liv off the land binary or script (LOLBAS) within the Windows operating system that may be abused by adversaries by moving it to a new directory. The list of binaries was derived from the https://lolbas-project.github.io site. -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where process_file_name="advpack.dll" AND (NOT match_regex(process_file_path, - /(?i)\\windows\\syswow64/)=true) - | eval body=create_map( - "devices", [ - create_map( - "hostname", device_hostname, "type_id", 0, "uuid", 
ucast(map_get(device,"uuid"), "string", null) - ) - ], - "time", timestamp, - "evidence", create_map("process.pid", process_pid, "process.file.path", process_file_path, "process.file.name", process_file_name, "process.cmd_line", process_cmd_line, "actor.user.name", actor_user_name, "actor.process.pid", actor_process_pid, "actor.process.file.path", actor_process_file_path, "actor.process.file.name", actor_process_file_name, "device.hostname", device_hostname), - "message", concat("Windows Rename System Utilities Advpack dll LOLBAS in Non Standard Path has been triggered on ", device_hostname, " by ", actor_user_name, "."), - "users", [ - create_map( - "name", actor_user_name, "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - "risk_level_id", 0, - "risk_score", 14, - "severity_id", 0, - "rule", create_map("name", "Windows Rename System Utilities Advpack dll LOLBAS in Non Standard Path", "uid", "3284e4f4-67f7-49b6-ad5e-a8fcead2eef8", "type", "Streaming"), - "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = 
actor_process_file.name + | eval device_hostname = device.hostname | where process_file_name="advpack.dll" + AND (NOT match(process_file_path, /(?i)\\windows\\syswow64/)=true) + | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname}, + message = "Windows Rename System Utilities Advpack dll LOLBAS in Non Standard Path has been triggered on " + device_hostname + " by " + actor_user_name + ".", + users = [{"name": actor_user_name, "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = ["Unusual Processes", "Living Off The Land"], + class_name = "Detection Report", + confidence = 70, + confidence_id = 3, + duration = 0, + impact = 20, + impact_id = 2, + kill_chain = [{"phase": "Exploitation", "phase_id": 4}], + nist = ["DE.AE"], + risk_level = "Info", + category_uid = 2, + class_uid = 102001, + risk_level_id = 0, + risk_score = 14, + severity_id = 0, + rule = {"name": "Windows Rename System Utilities Advpack dll LOLBAS in Non Standard Path", "uid": "3284e4f4-67f7-49b6-ad5e-a8fcead2eef8", "type": "Streaming"}, + metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, 
risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time
+ | into sink; '
how_to_implement: To successfully implement this search, you must be ingesting logs with the process name, command-line arguments, and parent processes from your endpoints. Collect endpoint data such as Sysmon or Windows Events 4688.
@@ -119,4 +111,5 @@ test:
- file_name: lolbas_dataset.log
data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/system_process_running_unexpected_location/lolbas_dataset.log
source: WinEventLog:Security
-runtime: SPL-DSP
+runtime: SPL2
+internalVersion: 2
diff --git a/dist/ssa/srs/ssa___windows_rename_system_utilities_agentexecutor_exe_lolbas_in_non_standard_path.yml b/dist/ssa/srs/ssa___windows_rename_system_utilities_agentexecutor_exe_lolbas_in_non_standard_path.yml
index df63439249..f67ddfd4e3 100644
--- a/dist/ssa/srs/ssa___windows_rename_system_utilities_agentexecutor_exe_lolbas_in_non_standard_path.yml
+++ b/dist/ssa/srs/ssa___windows_rename_system_utilities_agentexecutor_exe_lolbas_in_non_standard_path.yml
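Review bot: The new `fields` clause selects `observables`, but no `eval` in the rewritten pipeline ever assigns that field, so it is at best null in the emitted finding and at worst rejected by the SPL2 compiler, depending on how the runtime treats unknown fields; either assign it before `| fields ...` or drop it from the list. The same unassigned `observables` appears in the agentexecutor, appinstaller and appvlp hunks below, and since these files live under `dist/` they look generated, so the fix presumably belongs in the SPL2 template that produces them rather than in each output. Separately, the retained exclusion `match(process_file_path, /(?i)\\windows\\syswow64/)` is unanchored and suppresses any path containing that substring; anchoring it to the drive root, e.g. `/(?i)^[a-z]:\\windows\\syswow64\\/`, makes the allow-listed location explicit. The `message` is now assembled with `+` instead of the old `concat()`; confirm that a null `device_hostname` or `actor_user_name` does not null the whole message under SPL2 string concatenation.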
@@ -6,52 +6,44 @@ description: The following analytic identifies AgentExecutor.exe which is a nati living off the land binary or script (LOLBAS) within the Windows operating system that may be abused by adversaries by moving it to a new directory. The list of binaries was derived from the https://lolbas-project.github.io site. -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where process_file_name="agentexecutor.exe" AND (NOT match_regex(process_file_path, - /(?i)\\program files (x86)/)=true) - | eval body=create_map( - "devices", [ - create_map( - "hostname", device_hostname, "type_id", 0, "uuid", 
ucast(map_get(device,"uuid"), "string", null) - ) - ], - "time", timestamp, - "evidence", create_map("process.pid", process_pid, "process.file.path", process_file_path, "process.file.name", process_file_name, "process.cmd_line", process_cmd_line, "actor.user.name", actor_user_name, "actor.process.pid", actor_process_pid, "actor.process.file.path", actor_process_file_path, "actor.process.file.name", actor_process_file_name, "device.hostname", device_hostname), - "message", concat("Windows Rename System Utilities Agentexecutor exe LOLBAS in Non Standard Path has been triggered on ", device_hostname, " by ", actor_user_name, "."), - "users", [ - create_map( - "name", actor_user_name, "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - "risk_level_id", 0, - "risk_score", 14, - "severity_id", 0, - "rule", create_map("name", "Windows Rename System Utilities Agentexecutor exe LOLBAS in Non Standard Path", "uid", "e124f71f-11bc-47e4-9931-6046d256005d", "type", "Streaming"), - "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = 
actor_process_file.name + | eval device_hostname = device.hostname | where process_file_name="agentexecutor.exe" + AND (NOT match(process_file_path, /(?i)\\program files (x86)/)=true) + | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname}, + message = "Windows Rename System Utilities Agentexecutor exe LOLBAS in Non Standard Path has been triggered on " + device_hostname + " by " + actor_user_name + ".", + users = [{"name": actor_user_name, "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = ["Unusual Processes", "Living Off The Land"], + class_name = "Detection Report", + confidence = 70, + confidence_id = 3, + duration = 0, + impact = 20, + impact_id = 2, + kill_chain = [{"phase": "Exploitation", "phase_id": 4}], + nist = ["DE.AE"], + risk_level = "Info", + category_uid = 2, + class_uid = 102001, + risk_level_id = 0, + risk_score = 14, + severity_id = 0, + rule = {"name": "Windows Rename System Utilities Agentexecutor exe LOLBAS in Non Standard Path", "uid": "e124f71f-11bc-47e4-9931-6046d256005d", "type": "Streaming"}, + metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, 
risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time
+ | into sink; '
how_to_implement: To successfully implement this search, you must be ingesting logs with the process name, command-line arguments, and parent processes from your endpoints. Collect endpoint data such as Sysmon or Windows Events 4688.
@@ -120,4 +112,5 @@ test:
- file_name: lolbas_dataset.log
data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/system_process_running_unexpected_location/lolbas_dataset.log
source: WinEventLog:Security
-runtime: SPL-DSP
+runtime: SPL2
+internalVersion: 2
diff --git a/dist/ssa/srs/ssa___windows_rename_system_utilities_appinstaller_exe_lolbas_in_non_standard_path.yml b/dist/ssa/srs/ssa___windows_rename_system_utilities_appinstaller_exe_lolbas_in_non_standard_path.yml
index 734eb27e09..28fb71b678 100644
--- a/dist/ssa/srs/ssa___windows_rename_system_utilities_appinstaller_exe_lolbas_in_non_standard_path.yml
+++ b/dist/ssa/srs/ssa___windows_rename_system_utilities_appinstaller_exe_lolbas_in_non_standard_path.yml
@@ -6,53 +6,45 @@ description: The following analytic identifies AppInstaller.exe which is a nativ living off the land binary or script (LOLBAS) within the Windows operating system that may be abused by adversaries by moving it to a new directory. The list of binaries was derived from the https://lolbas-project.github.io site. -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where process_file_name="appinstaller.exe" AND (NOT match_regex(process_file_path, - /(?i)\\program files\\windowsapps\\microsoft.desktopappinstaller_1.11.2521.0_x64__8wekyb3d8bbwe/)=true) +search: ' $main = from source | eval timestamp = 
time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where process_file_name="appinstaller.exe" + AND (NOT match(process_file_path, /(?i)\\program files\\windowsapps\\microsoft.desktopappinstaller_1.11.2521.0_x64__8wekyb3d8bbwe/)=true) - | eval body=create_map( - "devices", [ - create_map( - "hostname", device_hostname, "type_id", 0, "uuid", ucast(map_get(device,"uuid"), "string", null) - ) - ], - "time", timestamp, - "evidence", create_map("process.pid", process_pid, "process.file.path", process_file_path, "process.file.name", process_file_name, "process.cmd_line", process_cmd_line, "actor.user.name", actor_user_name, "actor.process.pid", actor_process_pid, "actor.process.file.path", actor_process_file_path, "actor.process.file.name", actor_process_file_name, "device.hostname", device_hostname), - "message", concat("Windows Rename System Utilities Appinstaller exe LOLBAS in Non Standard Path has been triggered on ", device_hostname, " by ", actor_user_name, "."), - "users", [ - create_map( - "name", actor_user_name, "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - "risk_level_id", 0, - "risk_score", 14, - "severity_id", 0, - "rule", create_map("name", "Windows Rename System Utilities Appinstaller exe LOLBAS in Non Standard Path", "uid", "057c06c7-ef31-4749-b5c9-199152e53a06", "type", "Streaming"), - "metadata", 
create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' + | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname}, + message = "Windows Rename System Utilities Appinstaller exe LOLBAS in Non Standard Path has been triggered on " + device_hostname + " by " + actor_user_name + ".", + users = [{"name": actor_user_name, "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = ["Unusual Processes", "Living Off The Land"], + class_name = "Detection Report", + confidence = 70, + confidence_id = 3, + duration = 0, + impact = 20, + impact_id = 2, + kill_chain = [{"phase": "Exploitation", "phase_id": 4}], + nist = ["DE.AE"], + risk_level = "Info", + category_uid = 2, + class_uid = 102001, + risk_level_id = 0, + risk_score = 14, + severity_id = 0, + rule = {"name": "Windows Rename System Utilities Appinstaller exe LOLBAS in Non Standard Path", "uid": "057c06c7-ef31-4749-b5c9-199152e53a06", "type": "Streaming"}, + metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, 
class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time
+ | into sink; '
how_to_implement: To successfully implement this search, you must be ingesting logs with the process name, command-line arguments, and parent processes from your endpoints. Collect endpoint data such as Sysmon or Windows Events 4688.
@@ -121,4 +113,5 @@ test:
- file_name: lolbas_dataset.log
data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/system_process_running_unexpected_location/lolbas_dataset.log
source: WinEventLog:Security
-runtime: SPL-DSP
+runtime: SPL2
+internalVersion: 2
diff --git a/dist/ssa/srs/ssa___windows_rename_system_utilities_appvlp_exe_lolbas_in_non_standard_path.yml b/dist/ssa/srs/ssa___windows_rename_system_utilities_appvlp_exe_lolbas_in_non_standard_path.yml
index 86bc9edd0f..56d08b3143 100644
--- a/dist/ssa/srs/ssa___windows_rename_system_utilities_appvlp_exe_lolbas_in_non_standard_path.yml
+++ b/dist/ssa/srs/ssa___windows_rename_system_utilities_appvlp_exe_lolbas_in_non_standard_path.yml
@@ -6,52 +6,45 @@ description: The following analytic identifies Appvlp.exe which is a native livi off the land binary or script (LOLBAS) within the Windows operating system that may be abused by adversaries by moving it to a new directory. The list of binaries was derived from the https://lolbas-project.github.io site. -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where process_file_name="appvlp.exe" AND (NOT match_regex(process_file_path, - /(?i)\\program files (x86)\\microsoft office\\root\\client/)=true) - | eval body=create_map( - "devices", [ - create_map( - "hostname", device_hostname, "type_id", 0, 
"uuid", ucast(map_get(device,"uuid"), "string", null) - ) - ], - "time", timestamp, - "evidence", create_map("process.pid", process_pid, "process.file.path", process_file_path, "process.file.name", process_file_name, "process.cmd_line", process_cmd_line, "actor.user.name", actor_user_name, "actor.process.pid", actor_process_pid, "actor.process.file.path", actor_process_file_path, "actor.process.file.name", actor_process_file_name, "device.hostname", device_hostname), - "message", concat("Windows Rename System Utilities Appvlp exe LOLBAS in Non Standard Path has been triggered on ", device_hostname, " by ", actor_user_name, "."), - "users", [ - create_map( - "name", actor_user_name, "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - "risk_level_id", 0, - "risk_score", 14, - "severity_id", 0, - "rule", create_map("name", "Windows Rename System Utilities Appvlp exe LOLBAS in Non Standard Path", "uid", "93862a89-abe0-4094-909a-08ec390aa5e3", "type", "Streaming"), - "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = 
actor_process_file.name + | eval device_hostname = device.hostname | where process_file_name="appvlp.exe" + AND (NOT match(process_file_path, /(?i)\\program files (x86)\\microsoft office\\root\\client/)=true) + + | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname}, + message = "Windows Rename System Utilities Appvlp exe LOLBAS in Non Standard Path has been triggered on " + device_hostname + " by " + actor_user_name + ".", + users = [{"name": actor_user_name, "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = ["Unusual Processes", "Living Off The Land"], + class_name = "Detection Report", + confidence = 70, + confidence_id = 3, + duration = 0, + impact = 20, + impact_id = 2, + kill_chain = [{"phase": "Exploitation", "phase_id": 4}], + nist = ["DE.AE"], + risk_level = "Info", + category_uid = 2, + class_uid = 102001, + risk_level_id = 0, + risk_score = 14, + severity_id = 0, + rule = {"name": "Windows Rename System Utilities Appvlp exe LOLBAS in Non Standard Path", "uid": "93862a89-abe0-4094-909a-08ec390aa5e3", "type": "Streaming"}, + metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, 
observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time
+ | into sink; '
how_to_implement: To successfully implement this search, you must be ingesting logs with the process name, command-line arguments, and parent processes from your endpoints. Collect endpoint data such as Sysmon or Windows Events 4688.
@@ -119,4 +112,5 @@ test:
- file_name: lolbas_dataset.log
data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/system_process_running_unexpected_location/lolbas_dataset.log
source: WinEventLog:Security
-runtime: SPL-DSP
+runtime: SPL2
+internalVersion: 2
diff --git a/dist/ssa/srs/ssa___windows_rename_system_utilities_aspnet_compiler_exe_lolbas_in_non_standard_path.yml b/dist/ssa/srs/ssa___windows_rename_system_utilities_aspnet_compiler_exe_lolbas_in_non_standard_path.yml
index a9398650e2..75f0a5187d 100644
--- a/dist/ssa/srs/ssa___windows_rename_system_utilities_aspnet_compiler_exe_lolbas_in_non_standard_path.yml
+++ b/dist/ssa/srs/ssa___windows_rename_system_utilities_aspnet_compiler_exe_lolbas_in_non_standard_path.yml
@@ -6,52 +6,45 @@ description: The following analytic identifies Aspnet_Compiler.exe which is a na living off the land binary or script (LOLBAS) within the Windows operating system that may be abused by adversaries by moving it to a new directory. The list of binaries was derived from the https://lolbas-project.github.io site. -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where process_file_name="aspnet_compiler.exe" AND (NOT match_regex(process_file_path, - /(?i)\\windows\\microsoft.net\\framework64\\v4.0.30319/)=true) - | eval body=create_map( - "devices", [ - create_map( - "hostname", device_hostname, 
"type_id", 0, "uuid", ucast(map_get(device,"uuid"), "string", null) - ) - ], - "time", timestamp, - "evidence", create_map("process.pid", process_pid, "process.file.path", process_file_path, "process.file.name", process_file_name, "process.cmd_line", process_cmd_line, "actor.user.name", actor_user_name, "actor.process.pid", actor_process_pid, "actor.process.file.path", actor_process_file_path, "actor.process.file.name", actor_process_file_name, "device.hostname", device_hostname), - "message", concat("Windows Rename System Utilities Aspnet compiler exe LOLBAS in Non Standard Path has been triggered on ", device_hostname, " by ", actor_user_name, "."), - "users", [ - create_map( - "name", actor_user_name, "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - "risk_level_id", 0, - "risk_score", 14, - "severity_id", 0, - "rule", create_map("name", "Windows Rename System Utilities Aspnet compiler exe LOLBAS in Non Standard Path", "uid", "d75cc561-3828-4d0a-92c4-0eb93bfe0929", "type", "Streaming"), - "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval 
actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where process_file_name="aspnet_compiler.exe" + AND (NOT match(process_file_path, /(?i)\\windows\\microsoft.net\\framework64\\v4.0.30319/)=true) + + | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname}, + message = "Windows Rename System Utilities Aspnet compiler exe LOLBAS in Non Standard Path has been triggered on " + device_hostname + " by " + actor_user_name + ".", + users = [{"name": actor_user_name, "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = ["Unusual Processes", "Living Off The Land"], + class_name = "Detection Report", + confidence = 70, + confidence_id = 3, + duration = 0, + impact = 20, + impact_id = 2, + kill_chain = [{"phase": "Exploitation", "phase_id": 4}], + nist = ["DE.AE"], + risk_level = "Info", + category_uid = 2, + class_uid = 102001, + risk_level_id = 0, + risk_score = 14, + severity_id = 0, + rule = {"name": "Windows Rename System Utilities Aspnet compiler exe LOLBAS in Non Standard Path", "uid": "d75cc561-3828-4d0a-92c4-0eb93bfe0929", "type": "Streaming"}, + metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, 
impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time + | into sink; ' how_to_implement: To successfully implement this search, you must be ingesting logs with the process name, command-line arguments, and parent processes from your endpoints. Collect endpoint data such as Sysmon or Windows Events 4688. @@ -120,4 +113,5 @@ test: - file_name: lolbas_dataset.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/system_process_running_unexpected_location/lolbas_dataset.log source: WinEventLog:Security -runtime: SPL-DSP +runtime: SPL2 +internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_rename_system_utilities_at_exe_lolbas_in_non_standard_path.yml b/dist/ssa/srs/ssa___windows_rename_system_utilities_at_exe_lolbas_in_non_standard_path.yml index 2adc237c32..10b5e1c08b 100644 --- a/dist/ssa/srs/ssa___windows_rename_system_utilities_at_exe_lolbas_in_non_standard_path.yml +++ b/dist/ssa/srs/ssa___windows_rename_system_utilities_at_exe_lolbas_in_non_standard_path.yml 
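Review bot: The allowlist regex on the new side, `/(?i)\\windows\\microsoft.net\\framework64\\v4.0.30319/`, excludes only the 64-bit v4.0.30319 install directory, so aspnet_compiler.exe launched from the 32-bit `\Windows\Microsoft.NET\Framework\v4.0.30319` directory — also a shipped location on 64-bit hosts — would raise a "non-standard path" finding; if the intent is "anything outside the shipped locations", widen it to `/(?i)\\windows\\microsoft\.net\\framework(64)?\\v\d+\.\d+\.\d+/` (the `.` in `microsoft.net` is currently an unescaped wildcard, harmless but unintended). Separately, the `| fields ...` projection names `observables`, but nothing in the pipeline assigns that field, unlike every other name in the list; either add an `observables = [...]` entry to the eval or drop it from the projection so the emitted finding schema matches what was built. This file lives under `dist/`, so the fix presumably belongs in the source detection or the contentctl template that renders it rather than in this artifact.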
@@ -6,52 +6,44 @@ description: The following analytic identifies At.exe which is a native living o the land binary or script (LOLBAS) within the Windows operating system that may be abused by adversaries by moving it to a new directory. The list of binaries was derived from the https://lolbas-project.github.io site. -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where process_file_name="at.exe" AND (NOT match_regex(process_file_path, - /(?i)\\windows\\syswow64/)=true) - | eval body=create_map( - "devices", [ - create_map( - "hostname", device_hostname, "type_id", 0, "uuid", ucast(map_get(device,"uuid"), 
"string", null) - ) - ], - "time", timestamp, - "evidence", create_map("process.pid", process_pid, "process.file.path", process_file_path, "process.file.name", process_file_name, "process.cmd_line", process_cmd_line, "actor.user.name", actor_user_name, "actor.process.pid", actor_process_pid, "actor.process.file.path", actor_process_file_path, "actor.process.file.name", actor_process_file_name, "device.hostname", device_hostname), - "message", concat("Windows Rename System Utilities At exe LOLBAS in Non Standard Path has been triggered on ", device_hostname, " by ", actor_user_name, "."), - "users", [ - create_map( - "name", actor_user_name, "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - "risk_level_id", 0, - "risk_score", 14, - "severity_id", 0, - "rule", create_map("name", "Windows Rename System Utilities At exe LOLBAS in Non Standard Path", "uid", "6401d583-0052-4dc5-a713-68b510826d2b", "type", "Streaming"), - "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = 
device.hostname | where process_file_name="at.exe" AND + (NOT match(process_file_path, /(?i)\\windows\\syswow64/)=true) + | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname}, + message = "Windows Rename System Utilities At exe LOLBAS in Non Standard Path has been triggered on " + device_hostname + " by " + actor_user_name + ".", + users = [{"name": actor_user_name, "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = ["Unusual Processes", "Living Off The Land"], + class_name = "Detection Report", + confidence = 70, + confidence_id = 3, + duration = 0, + impact = 20, + impact_id = 2, + kill_chain = [{"phase": "Exploitation", "phase_id": 4}], + nist = ["DE.AE"], + risk_level = "Info", + category_uid = 2, + class_uid = 102001, + risk_level_id = 0, + risk_score = 14, + severity_id = 0, + rule = {"name": "Windows Rename System Utilities At exe LOLBAS in Non Standard Path", "uid": "6401d583-0052-4dc5-a713-68b510826d2b", "type": "Streaming"}, + metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time 
+ | into sink; ' how_to_implement: To successfully implement this search, you must be ingesting logs with the process name, command-line arguments, and parent processes from your endpoints. Collect endpoint data such as Sysmon or Windows Events 4688. @@ -118,4 +110,5 @@ test: - file_name: lolbas_dataset.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/system_process_running_unexpected_location/lolbas_dataset.log source: WinEventLog:Security -runtime: SPL-DSP +runtime: SPL2 +internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_rename_system_utilities_atbroker_exe_lolbas_in_non_standard_path.yml b/dist/ssa/srs/ssa___windows_rename_system_utilities_atbroker_exe_lolbas_in_non_standard_path.yml index 7dd712416c..a631dff0d8 100644 --- a/dist/ssa/srs/ssa___windows_rename_system_utilities_atbroker_exe_lolbas_in_non_standard_path.yml +++ b/dist/ssa/srs/ssa___windows_rename_system_utilities_atbroker_exe_lolbas_in_non_standard_path.yml 
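Review bot: The new `where` clause, `process_file_name="at.exe" AND (NOT match(process_file_path, /(?i)\\windows\\syswow64/)=true)`, treats only the SysWOW64 copy as legitimate; at.exe is also shipped under `\Windows\System32` on 64-bit hosts (LOLBAS lists both paths), so every ordinary invocation from System32 would produce a finding with this rule, burying the real "moved to a non-standard directory" case in noise. Consider `/(?i)\\windows\\(system32|syswow64)\\/` as the exclusion. Note also that `process_file_name="at.exe"` is an exact string comparison while the path regex is `(?i)`; if SPL2 equality is case-sensitive (it is in classic SPL — confirm for this runtime), an `AT.EXE` event is silently skipped, and `lower(process_file_name)="at.exe"` keeps the two predicates consistent. Since this is a rendered `dist/` artifact, the change belongs in the source detection rather than here.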
@@ -6,52 +6,44 @@ description: The following analytic identifies Atbroker.exe which is a native li off the land binary or script (LOLBAS) within the Windows operating system that may be abused by adversaries by moving it to a new directory. The list of binaries was derived from the https://lolbas-project.github.io site. -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where process_file_name="atbroker.exe" AND (NOT match_regex(process_file_path, - /(?i)\\windows\\syswow64/)=true) - | eval body=create_map( - "devices", [ - create_map( - "hostname", device_hostname, "type_id", 0, "uuid", 
ucast(map_get(device,"uuid"), "string", null) - ) - ], - "time", timestamp, - "evidence", create_map("process.pid", process_pid, "process.file.path", process_file_path, "process.file.name", process_file_name, "process.cmd_line", process_cmd_line, "actor.user.name", actor_user_name, "actor.process.pid", actor_process_pid, "actor.process.file.path", actor_process_file_path, "actor.process.file.name", actor_process_file_name, "device.hostname", device_hostname), - "message", concat("Windows Rename System Utilities Atbroker exe LOLBAS in Non Standard Path has been triggered on ", device_hostname, " by ", actor_user_name, "."), - "users", [ - create_map( - "name", actor_user_name, "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - "risk_level_id", 0, - "risk_score", 14, - "severity_id", 0, - "rule", create_map("name", "Windows Rename System Utilities Atbroker exe LOLBAS in Non Standard Path", "uid", "b8da7ea5-8c16-4eff-9787-54ec271159e0", "type", "Streaming"), - "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = 
actor_process_file.name + | eval device_hostname = device.hostname | where process_file_name="atbroker.exe" + AND (NOT match(process_file_path, /(?i)\\windows\\syswow64/)=true) + | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname}, + message = "Windows Rename System Utilities Atbroker exe LOLBAS in Non Standard Path has been triggered on " + device_hostname + " by " + actor_user_name + ".", + users = [{"name": actor_user_name, "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = ["Unusual Processes", "Living Off The Land"], + class_name = "Detection Report", + confidence = 70, + confidence_id = 3, + duration = 0, + impact = 20, + impact_id = 2, + kill_chain = [{"phase": "Exploitation", "phase_id": 4}], + nist = ["DE.AE"], + risk_level = "Info", + category_uid = 2, + class_uid = 102001, + risk_level_id = 0, + risk_score = 14, + severity_id = 0, + rule = {"name": "Windows Rename System Utilities Atbroker exe LOLBAS in Non Standard Path", "uid": "b8da7ea5-8c16-4eff-9787-54ec271159e0", "type": "Streaming"}, + metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, 
risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time + | into sink; ' how_to_implement: To successfully implement this search, you must be ingesting logs with the process name, command-line arguments, and parent processes from your endpoints. Collect endpoint data such as Sysmon or Windows Events 4688. @@ -119,4 +111,5 @@ test: - file_name: lolbas_dataset.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/system_process_running_unexpected_location/lolbas_dataset.log source: WinEventLog:Security -runtime: SPL-DSP +runtime: SPL2 +internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_rundll32_comsvcs_memory_dump.yml b/dist/ssa/srs/ssa___windows_rundll32_comsvcs_memory_dump.yml index 2b71388551..950d9242b6 100644 --- a/dist/ssa/srs/ssa___windows_rundll32_comsvcs_memory_dump.yml +++ b/dist/ssa/srs/ssa___windows_rundll32_comsvcs_memory_dump.yml 
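Review bot: The `message` field is now built with `+` concatenation, `"... has been triggered on " + device_hostname + " by " + actor_user_name + "."`, replacing the old `concat(...)`; if either `device.hostname` or `actor.user.name` is absent from the event, `+` with a null operand yields null for the whole expression in SPL-style eval (confirm SPL2's semantics), so the finding would ship with no message at all rather than a partial one. Wrapping each operand, e.g. `coalesce(device_hostname, "unknown")` and `coalesce(actor_user_name, "unknown")`, keeps the message populated; the `users` and `devices` arrays that embed the same fields deserve the same treatment. The path allowlist `/(?i)\\windows\\syswow64/` also looks too narrow — AtBroker.exe is shipped under `\Windows\System32` as well (LOLBAS lists both) — so legitimate System32 executions would fire this rule. As this file is generated under `dist/`, the fix belongs in the source detection or template.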
@@ -5,52 +5,45 @@ status: production description: The following analytic identifies memory dumping using comsvcs.dll with the minidump function with `rundll32.exe`. This technique is common with adversaries who would like to dump the memory of lsass.exe. -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where (match_regex(process_cmd_line, /(?i)minidump/)=true AND process_file_name="rundll32.exe") - AND match_regex(process_cmd_line, /(?i)comsvcs.dll/)=true - | eval body=create_map( - "devices", [ - create_map( - "hostname", device_hostname, "type_id", 0, "uuid", ucast(map_get(device,"uuid"), "string", null) - ) 
- ], - "time", timestamp, - "evidence", create_map("process.pid", process_pid, "process.file.path", process_file_path, "process.file.name", process_file_name, "process.cmd_line", process_cmd_line, "actor.user.name", actor_user_name, "actor.process.pid", actor_process_pid, "actor.process.file.path", actor_process_file_path, "actor.process.file.name", actor_process_file_name, "device.hostname", device_hostname), - "message", concat("Windows Rundll32 Comsvcs Memory Dump has been triggered on ", device_hostname, " by ", actor_user_name, "."), - "users", [ - create_map( - "name", actor_user_name, "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - "risk_level_id", 2, - "risk_score", 40, - "severity_id", 0, - "rule", create_map("name", "Windows Rundll32 Comsvcs Memory Dump", "uid", "76bb9e35-f314-4c3d-a385-83c72a13ce4e", "type", "Streaming"), - "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where (match(process_cmd_line, /(?i)minidump/)=true + AND 
process_file_name="rundll32.exe") AND match(process_cmd_line, /(?i)comsvcs.dll/)=true + + | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname}, + message = "Windows Rundll32 Comsvcs Memory Dump has been triggered on " + device_hostname + " by " + actor_user_name + ".", + users = [{"name": actor_user_name, "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = ["Credential Dumping", "Suspicious Rundll32 Activity"], + class_name = "Detection Report", + confidence = 100, + confidence_id = 3, + duration = 0, + impact = 40, + impact_id = 3, + kill_chain = [{"phase": "Exploitation", "phase_id": 4}], + nist = ["DE.AE"], + risk_level = "Medium", + category_uid = 2, + class_uid = 102001, + risk_level_id = 2, + risk_score = 40, + severity_id = 0, + rule = {"name": "Windows Rundll32 Comsvcs Memory Dump", "uid": "76bb9e35-f314-4c3d-a385-83c72a13ce4e", "type": "Streaming"}, + metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time + | into sink; ' how_to_implement: You must be ingesting endpoint data that 
tracks process activity, including Windows command line logging. You can see how we test this with [Event Code 4688](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4688a) @@ -115,4 +108,5 @@ test: - file_name: windows-security.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-security.log source: WinEventLog:Security -runtime: SPL-DSP +runtime: SPL2 +internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_rundll32_inline_hta_execution.yml b/dist/ssa/srs/ssa___windows_rundll32_inline_hta_execution.yml index 0babec76b2..7bf724eab3 100644 --- a/dist/ssa/srs/ssa___windows_rundll32_inline_hta_execution.yml +++ b/dist/ssa/srs/ssa___windows_rundll32_inline_hta_execution.yml 
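Review bot: The new predicate `match(process_cmd_line, /(?i)minidump/)=true AND process_file_name="rundll32.exe" AND match(process_cmd_line, /(?i)comsvcs.dll/)=true` keys on the export name, but comsvcs.dll's MiniDump routine can also be invoked by ordinal (widely reported as `rundll32 comsvcs.dll, #24 <pid> <file> full` — verify against the target build), a documented variant whose command line contains no `minidump` token, so the detection misses a common evasion. At minimum extend the first regex to `/(?i)(minidump|#24)/`, and match `rundll32.exe` case-insensitively, since the file-name test is an exact string compare while both regexes are `(?i)` (confirm SPL2 equality semantics). The unescaped `.` in `comsvcs.dll` is a wildcard; `comsvcs\.dll` is what is meant. This is a rendered `dist/` file, so the change belongs in the source detection.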
@@ -9,52 +9,45 @@ description: The following analytic identifies "rundll32.exe" execution with inl The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process "rundll32.exe" and its parent process. -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where (like(process_cmd_line, "%about%") OR like(process_cmd_line, "%javascript%") - OR like(process_cmd_line, "%vbscript%")) AND process_file_name="rundll32.exe" - | eval body=create_map( - "devices", [ - create_map( - "hostname", device_hostname, "type_id", 0, 
"uuid", ucast(map_get(device,"uuid"), "string", null) - ) - ], - "time", timestamp, - "evidence", create_map("process.pid", process_pid, "process.file.path", process_file_path, "process.file.name", process_file_name, "process.cmd_line", process_cmd_line, "actor.user.name", actor_user_name, "actor.process.pid", actor_process_pid, "actor.process.file.path", actor_process_file_path, "actor.process.file.name", actor_process_file_name, "device.hostname", device_hostname), - "message", concat("Windows Rundll32 Inline HTA Execution has been triggered on ", device_hostname, " by ", actor_user_name, "."), - "users", [ - create_map( - "name", actor_user_name, "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - "risk_level_id", 2, - "risk_score", 56, - "severity_id", 0, - "rule", create_map("name", "Windows Rundll32 Inline HTA Execution", "uid", "0caa1dd6-94f5-11ec-9786-acde48001122", "type", "Streaming"), - "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where 
(process_cmd_line LIKE "%about%" + OR process_cmd_line LIKE "%javascript%" OR process_cmd_line LIKE "%vbscript%") AND + process_file_name="rundll32.exe" + | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname}, + message = "Windows Rundll32 Inline HTA Execution has been triggered on " + device_hostname + " by " + actor_user_name + ".", + users = [{"name": actor_user_name, "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = ["Suspicious MSHTA Activity", "NOBELIUM Group", "Living Off The Land"], + class_name = "Detection Report", + confidence = 80, + confidence_id = 3, + duration = 0, + impact = 70, + impact_id = 4, + kill_chain = [{"phase": "Exploitation", "phase_id": 4}], + nist = ["DE.AE"], + risk_level = "Medium", + category_uid = 2, + class_uid = 102001, + risk_level_id = 2, + risk_score = 56, + severity_id = 0, + rule = {"name": "Windows Rundll32 Inline HTA Execution", "uid": "0caa1dd6-94f5-11ec-9786-acde48001122", "type": "Streaming"}, + metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, 
end_time + | into sink; ' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, @@ -123,4 +116,5 @@ test: - file_name: windows-security.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/windows-security.log source: WinEventLog:Security -runtime: SPL-DSP +runtime: SPL2 +internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_script_host_spawn_msbuild.yml b/dist/ssa/srs/ssa___windows_script_host_spawn_msbuild.yml index b6c2cad420..22d1a7a1c0 100644 --- a/dist/ssa/srs/ssa___windows_script_host_spawn_msbuild.yml +++ b/dist/ssa/srs/ssa___windows_script_host_spawn_msbuild.yml 
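Review bot: The new `where` clause `(process_cmd_line LIKE "%about%" OR process_cmd_line LIKE "%javascript%" OR process_cmd_line LIKE "%vbscript%") AND process_file_name="rundll32.exe"` is both noisy and easy to evade: `%about%` matches any rundll32 command line whose path or argument happens to contain that substring, and if SPL2's `LIKE` is case-sensitive (it is in classic SPL — confirm) then `JavaScript:` or `VBScript:` in the argument, a form inline-HTA tooling commonly emits, is not caught at all. A tighter predicate anchors on the protocol-handler syntax the technique depends on, for example `match(process_cmd_line, /(?i)(javascript|vbscript|about):/)=true AND process_file_name="rundll32.exe"`, optionally tightened further with `match(process_cmd_line, /(?i)(mshtml|RunHTMLApplication)/)=true`; re-run the attack_data sample referenced under `test:` to confirm it still fires. Since this file is generated under `dist/`, the change belongs in the source detection.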
@@ -8,53 +8,45 @@ description: This analytic is to detect a suspicious child process of MSBuild sp malicious script in the compromised host. During triage, review parallel processes and identify any file modifications. MSBuild may load a script from the same path without having command-line arguments. -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where process_file_name="MSBuild.exe" AND (match_regex(actor_process_file_name, - /(?i)cscript.exe/)=true OR match_regex(actor_process_file_name, /(?i)wscript.exe/)=true) - - | eval body=create_map( - "devices", [ - create_map( - "hostname", device_hostname, 
"type_id", 0, "uuid", ucast(map_get(device,"uuid"), "string", null) - ) - ], - "time", timestamp, - "evidence", create_map("process.pid", process_pid, "process.file.path", process_file_path, "process.file.name", process_file_name, "process.cmd_line", process_cmd_line, "actor.user.name", actor_user_name, "actor.process.pid", actor_process_pid, "actor.process.file.path", actor_process_file_path, "actor.process.file.name", actor_process_file_name, "device.hostname", device_hostname), - "message", concat("Windows Script Host Spawn MSBuild has been triggered on ", device_hostname, " by ", actor_user_name, "."), - "users", [ - create_map( - "name", actor_user_name, "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - "risk_level_id", 4, - "risk_score", 80, - "severity_id", 0, - "rule", create_map("name", "Windows Script Host Spawn MSBuild", "uid", "92886f1c-9b11-11ec-848a-acde48001122", "type", "Streaming"), - "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | 
where process_file_name="MSBuild.exe" + AND (match(actor_process_file_name, /(?i)cscript.exe/)=true OR match(actor_process_file_name, + /(?i)wscript.exe/)=true) + | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname}, + message = "Windows Script Host Spawn MSBuild has been triggered on " + device_hostname + " by " + actor_user_name + ".", + users = [{"name": actor_user_name, "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = ["Trusted Developer Utilities Proxy Execution MSBuild", "Living Off The Land"], + class_name = "Detection Report", + confidence = 100, + confidence_id = 3, + duration = 0, + impact = 80, + impact_id = 5, + kill_chain = [{"phase": "Exploitation", "phase_id": 4}], + nist = ["DE.AE"], + risk_level = "Critical", + category_uid = 2, + class_uid = 102001, + risk_level_id = 4, + risk_score = 80, + severity_id = 0, + rule = {"name": "Windows Script Host Spawn MSBuild", "uid": "92886f1c-9b11-11ec-848a-acde48001122", "type": "Streaming"}, + metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, 
start_time, end_time + | into sink; ' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, @@ -121,4 +113,5 @@ test: - file_name: msbuild-windows-security.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1127.001/msbuild-windows-security.log source: WinEventLog:Security -runtime: SPL-DSP +runtime: SPL2 +internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_system_binary_proxy_execution_compiled_html_file_decompile.yml b/dist/ssa/srs/ssa___windows_system_binary_proxy_execution_compiled_html_file_decompile.yml index 73198d66e9..009be0e0e4 100644 --- a/dist/ssa/srs/ssa___windows_system_binary_proxy_execution_compiled_html_file_decompile.yml +++ b/dist/ssa/srs/ssa___windows_system_binary_proxy_execution_compiled_html_file_decompile.yml 
@@ -8,52 +8,44 @@ description: The following analytic identifies the decompile parameter with the script inside used a technique for running an arbitrary command in a CHM file via an ActiveX object. This unpacks an HTML help file to a specified path for launching the next stage. -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where like(process_cmd_line, "%-decompile%") AND process_file_name="hh.exe" - - | eval body=create_map( - "devices", [ - create_map( - "hostname", device_hostname, "type_id", 0, "uuid", ucast(map_get(device,"uuid"), "string", null) - ) - ], - "time", timestamp, - "evidence", 
create_map("process.pid", process_pid, "process.file.path", process_file_path, "process.file.name", process_file_name, "process.cmd_line", process_cmd_line, "actor.user.name", actor_user_name, "actor.process.pid", actor_process_pid, "actor.process.file.path", actor_process_file_path, "actor.process.file.name", actor_process_file_name, "device.hostname", device_hostname), - "message", concat("Windows System Binary Proxy Execution Compiled HTML File Decompile has been triggered on ", device_hostname, " by ", actor_user_name, "."), - "users", [ - create_map( - "name", actor_user_name, "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - "risk_level_id", 4, - "risk_score", 90, - "severity_id", 0, - "rule", create_map("name", "Windows System Binary Proxy Execution Compiled HTML File Decompile", "uid", "11c32b19-05a6-48a8-ab28-18dbd9ec5d50", "type", "Streaming"), - "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where process_cmd_line LIKE "%-decompile%" + 
AND process_file_name="hh.exe" + | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname}, + message = "Windows System Binary Proxy Execution Compiled HTML File Decompile has been triggered on " + device_hostname + " by " + actor_user_name + ".", + users = [{"name": actor_user_name, "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = ["Suspicious Compiled HTML Activity", "Living Off The Land"], + class_name = "Detection Report", + confidence = 90, + confidence_id = 3, + duration = 0, + impact = 100, + impact_id = 5, + kill_chain = [{"phase": "Exploitation", "phase_id": 4}], + nist = ["DE.AE"], + risk_level = "Critical", + category_uid = 2, + class_uid = 102001, + risk_level_id = 4, + risk_score = 90, + severity_id = 0, + rule = {"name": "Windows System Binary Proxy Execution Compiled HTML File Decompile", "uid": "11c32b19-05a6-48a8-ab28-18dbd9ec5d50", "type": "Streaming"}, + metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time + | into sink; ' how_to_implement: To successfully implement this 
search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the @@ -120,4 +112,5 @@ test: - file_name: 4688_windows-security.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.001/atomic_red_team/4688_windows-security.log source: XmlWinEventLog -runtime: SPL-DSP +runtime: SPL2 +internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_system_binary_proxy_execution_compiled_html_file_url_in_command_line.yml b/dist/ssa/srs/ssa___windows_system_binary_proxy_execution_compiled_html_file_url_in_command_line.yml index 74de18d616..5ffe6b88f2 100644 --- a/dist/ssa/srs/ssa___windows_system_binary_proxy_execution_compiled_html_file_url_in_command_line.yml +++ b/dist/ssa/srs/ssa___windows_system_binary_proxy_execution_compiled_html_file_url_in_command_line.yml 
@@ -13,52 +13,44 @@ description: The following analytic identifies hh.exe (HTML Help) execution of a investigation, identify script content origination. Review reputation of remote IP and domain. Some instances, it is worth decompiling the .chm file to review its original contents. hh.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where (like(process_cmd_line, "%https://%") OR like(process_cmd_line, "%http://%")) - AND process_file_name="hh.exe" - | eval body=create_map( - "devices", [ - create_map( - "hostname", device_hostname, 
"type_id", 0, "uuid", ucast(map_get(device,"uuid"), "string", null) - ) - ], - "time", timestamp, - "evidence", create_map("process.pid", process_pid, "process.file.path", process_file_path, "process.file.name", process_file_name, "process.cmd_line", process_cmd_line, "actor.user.name", actor_user_name, "actor.process.pid", actor_process_pid, "actor.process.file.path", actor_process_file_path, "actor.process.file.name", actor_process_file_name, "device.hostname", device_hostname), - "message", concat("Windows System Binary Proxy Execution Compiled HTML File URL In Command Line has been triggered on ", device_hostname, " by ", actor_user_name, "."), - "users", [ - create_map( - "name", actor_user_name, "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - "risk_level_id", 4, - "risk_score", 90, - "severity_id", 0, - "rule", create_map("name", "Windows System Binary Proxy Execution Compiled HTML File URL In Command Line", "uid", "0fec631a-7c9b-4e4c-b28b-93260953e25f", "type", "Streaming"), - "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval 
actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where (process_cmd_line LIKE "%https://%" + OR process_cmd_line LIKE "%http://%") AND process_file_name="hh.exe" + | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname}, + message = "Windows System Binary Proxy Execution Compiled HTML File URL In Command Line has been triggered on " + device_hostname + " by " + actor_user_name + ".", + users = [{"name": actor_user_name, "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = ["Suspicious Compiled HTML Activity", "Living Off The Land"], + class_name = "Detection Report", + confidence = 100, + confidence_id = 3, + duration = 0, + impact = 90, + impact_id = 5, + kill_chain = [{"phase": "Exploitation", "phase_id": 4}], + nist = ["DE.AE"], + risk_level = "Critical", + category_uid = 2, + class_uid = 102001, + risk_level_id = 4, + risk_score = 90, + severity_id = 0, + rule = {"name": "Windows System Binary Proxy Execution Compiled HTML File URL In Command Line", "uid": "0fec631a-7c9b-4e4c-b28b-93260953e25f", "type": "Streaming"}, + metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, 
kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time + | into sink; ' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the @@ -130,4 +122,5 @@ test: - file_name: chm-wineventlog-security.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.001/atomic_red_team/chm-wineventlog-security.log source: WinEventLog:Security -runtime: SPL-DSP +runtime: SPL2 +internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_system_binary_proxy_execution_compiled_html_file_using_infotech_storage_handlers.yml b/dist/ssa/srs/ssa___windows_system_binary_proxy_execution_compiled_html_file_using_infotech_storage_handlers.yml index 4a97363a89..2ef212dd8f 100644 --- a/dist/ssa/srs/ssa___windows_system_binary_proxy_execution_compiled_html_file_using_infotech_storage_handlers.yml +++ b/dist/ssa/srs/ssa___windows_system_binary_proxy_execution_compiled_html_file_using_infotech_storage_handlers.yml 
@@ -16,52 +16,44 @@ description: The following analytic identifies hh.exe (HTML Help) execution of a the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. hh.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where (like(process_cmd_line, "%mk:@MSITStore:%") OR like(process_cmd_line, - "%its:%")) AND process_file_name="hh.exe" - | eval body=create_map( - "devices", [ - create_map( - "hostname", device_hostname, "type_id", 0, "uuid", ucast(map_get(device,"uuid"), "string", null) - ) - 
], - "time", timestamp, - "evidence", create_map("process.pid", process_pid, "process.file.path", process_file_path, "process.file.name", process_file_name, "process.cmd_line", process_cmd_line, "actor.user.name", actor_user_name, "actor.process.pid", actor_process_pid, "actor.process.file.path", actor_process_file_path, "actor.process.file.name", actor_process_file_name, "device.hostname", device_hostname), - "message", concat("Windows System Binary Proxy Execution Compiled HTML File Using InfoTech Storage Handlers has been triggered on ", device_hostname, " by ", actor_user_name, "."), - "users", [ - create_map( - "name", actor_user_name, "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - "risk_level_id", 3, - "risk_score", 72, - "severity_id", 0, - "rule", create_map("name", "Windows System Binary Proxy Execution Compiled HTML File Using InfoTech Storage Handlers", "uid", "ba0c2450-caea-4086-ac3a-a71e2659754b", "type", "Streaming"), - "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval 
device_hostname = device.hostname | where (process_cmd_line LIKE "%mk:@MSITStore:%" + OR process_cmd_line LIKE "%its:%") AND process_file_name="hh.exe" + | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname}, + message = "Windows System Binary Proxy Execution Compiled HTML File Using InfoTech Storage Handlers has been triggered on " + device_hostname + " by " + actor_user_name + ".", + users = [{"name": actor_user_name, "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = ["Suspicious Compiled HTML Activity", "Living Off The Land"], + class_name = "Detection Report", + confidence = 90, + confidence_id = 3, + duration = 0, + impact = 80, + impact_id = 5, + kill_chain = [{"phase": "Exploitation", "phase_id": 4}], + nist = ["DE.AE"], + risk_level = "High", + category_uid = 2, + class_uid = 102001, + risk_level_id = 3, + risk_score = 72, + severity_id = 0, + rule = {"name": "Windows System Binary Proxy Execution Compiled HTML File Using InfoTech Storage Handlers", "uid": "ba0c2450-caea-4086-ac3a-a71e2659754b", "type": "Streaming"}, + metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, 
observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time + | into sink; ' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the @@ -133,4 +125,5 @@ test: - file_name: chm-wineventlog-security.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.001/atomic_red_team/chm-wineventlog-security.log source: WinEventLog:Security -runtime: SPL-DSP +runtime: SPL2 +internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_system_binary_proxy_execution_msiexec_dllregisterserver.yml b/dist/ssa/srs/ssa___windows_system_binary_proxy_execution_msiexec_dllregisterserver.yml index 69c6755af5..b89434057f 100644 --- a/dist/ssa/srs/ssa___windows_system_binary_proxy_execution_msiexec_dllregisterserver.yml +++ b/dist/ssa/srs/ssa___windows_system_binary_proxy_execution_msiexec_dllregisterserver.yml 
@@ -5,52 +5,44 @@ status: production description: The following analytic identifies the usage of msiexec.exe using the /y switch parameter, which grants the ability for msiexec to load DLLRegisterServer. Upon triage, review parent process and capture any artifacts for further review. -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where (like(process_cmd_line, "%-y %") OR like(process_cmd_line, "%/y %")) - AND process_file_name="msiexec.exe" - | eval body=create_map( - "devices", [ - create_map( - "hostname", device_hostname, "type_id", 0, "uuid", ucast(map_get(device,"uuid"), "string", null) - ) - ], - 
"time", timestamp, - "evidence", create_map("process.pid", process_pid, "process.file.path", process_file_path, "process.file.name", process_file_name, "process.cmd_line", process_cmd_line, "actor.user.name", actor_user_name, "actor.process.pid", actor_process_pid, "actor.process.file.path", actor_process_file_path, "actor.process.file.name", actor_process_file_name, "device.hostname", device_hostname), - "message", concat("Windows System Binary Proxy Execution MSIExec DLLRegisterServer has been triggered on ", device_hostname, " by ", actor_user_name, "."), - "users", [ - create_map( - "name", actor_user_name, "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - "risk_level_id", 1, - "risk_score", 35, - "severity_id", 0, - "rule", create_map("name", "Windows System Binary Proxy Execution MSIExec DLLRegisterServer", "uid", "8d1d5570-722c-49a3-996c-2e2cceef5163", "type", "Streaming"), - "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where 
(process_cmd_line LIKE "%-y %" + OR process_cmd_line LIKE "%/y %") AND process_file_name="msiexec.exe" + | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname}, + message = "Windows System Binary Proxy Execution MSIExec DLLRegisterServer has been triggered on " + device_hostname + " by " + actor_user_name + ".", + users = [{"name": actor_user_name, "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = ["Windows System Binary Proxy Execution MSIExec"], + class_name = "Detection Report", + confidence = 50, + confidence_id = 2, + duration = 0, + impact = 70, + impact_id = 4, + kill_chain = [{"phase": "Exploitation", "phase_id": 4}], + nist = ["DE.AE"], + risk_level = "Low", + category_uid = 2, + class_uid = 102001, + risk_level_id = 1, + risk_score = 35, + severity_id = 0, + rule = {"name": "Windows System Binary Proxy Execution MSIExec DLLRegisterServer", "uid": "8d1d5570-722c-49a3-996c-2e2cceef5163", "type": "Streaming"}, + metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time + | into sink; ' 
how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the @@ -114,4 +106,5 @@ test: - file_name: 4688_msiexec-windows-security.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.007/atomic_red_team/4688_msiexec-windows-security.log source: XmlWinEventLog -runtime: SPL-DSP +runtime: SPL2 +internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_system_binary_proxy_execution_msiexec_remote_download.yml b/dist/ssa/srs/ssa___windows_system_binary_proxy_execution_msiexec_remote_download.yml index 08c8d1d77d..f27b483784 100644 --- a/dist/ssa/srs/ssa___windows_system_binary_proxy_execution_msiexec_remote_download.yml +++ b/dist/ssa/srs/ssa___windows_system_binary_proxy_execution_msiexec_remote_download.yml 
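Review bot: The closing `| fields ... nist, observables, risk_level, ...` names `observables`, but none of the `eval` assignments in this pipeline defines it, so the finding either carries an empty `observables` or the statement is rejected, depending on how SPL2 treats an unknown field name in `fields`; since `evidence` is populated from the same values, either derive `observables` the same way or remove the name from the list. The same omission appears in the msiexec remote-download, msiexec unregister-DLL and WMIPrvse/MSBuild hunks below and in the compiled-HTML hunk above, and because these are `dist/` artifacts the fix belongs in the generator rather than in each emitted file. The `message` is now assembled with `+` concatenation over `device_hostname` and `actor_user_name`, which the old pipeline read through `ucast(..., null)` and joined with `concat()`; if either field is absent the new expression presumably yields a null message, so wrapping both operands in `coalesce()` would keep the alert readable. The `where` clause also keeps the `LIKE "%-y %"`/`"%/y %"` patterns, which depend on a trailing space and, if `LIKE` is case-sensitive here, on the switch letter's case; normalising with `lower(process_cmd_line)` before the comparison makes the match less brittle.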
@@ -5,52 +5,44 @@ status: production description: The following analytic identifies msiexec.exe with http in the command-line. This procedure will utilize msiexec.exe to download a remote file and load it. During triage, review parallel processes and capture any artifacts on disk for review. -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where (like(process_cmd_line, "%https://%") OR like(process_cmd_line, "%http://%")) - AND process_file_name="msiexec.exe" - | eval body=create_map( - "devices", [ - create_map( - "hostname", device_hostname, "type_id", 0, "uuid", ucast(map_get(device,"uuid"), "string", null) 
- ) - ], - "time", timestamp, - "evidence", create_map("process.pid", process_pid, "process.file.path", process_file_path, "process.file.name", process_file_name, "process.cmd_line", process_cmd_line, "actor.user.name", actor_user_name, "actor.process.pid", actor_process_pid, "actor.process.file.path", actor_process_file_path, "actor.process.file.name", actor_process_file_name, "device.hostname", device_hostname), - "message", concat("Windows System Binary Proxy Execution MSIExec Remote Download has been triggered on ", device_hostname, " by ", actor_user_name, "."), - "users", [ - create_map( - "name", actor_user_name, "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - "risk_level_id", 1, - "risk_score", 35, - "severity_id", 0, - "rule", create_map("name", "Windows System Binary Proxy Execution MSIExec Remote Download", "uid", "92cbbf0f-9a6b-4e9d-8c35-cc9244a4e3d5", "type", "Streaming"), - "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where 
(process_cmd_line LIKE "%https://%" + OR process_cmd_line LIKE "%http://%") AND process_file_name="msiexec.exe" + | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname}, + message = "Windows System Binary Proxy Execution MSIExec Remote Download has been triggered on " + device_hostname + " by " + actor_user_name + ".", + users = [{"name": actor_user_name, "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = ["Windows System Binary Proxy Execution MSIExec"], + class_name = "Detection Report", + confidence = 50, + confidence_id = 2, + duration = 0, + impact = 70, + impact_id = 4, + kill_chain = [{"phase": "Exploitation", "phase_id": 4}], + nist = ["DE.AE"], + risk_level = "Low", + category_uid = 2, + class_uid = 102001, + risk_level_id = 1, + risk_score = 35, + severity_id = 0, + rule = {"name": "Windows System Binary Proxy Execution MSIExec Remote Download", "uid": "92cbbf0f-9a6b-4e9d-8c35-cc9244a4e3d5", "type": "Streaming"}, + metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time + | into sink; 
' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the @@ -114,4 +106,5 @@ test: - file_name: 4688_msiexec-windows-security.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.007/atomic_red_team/4688_msiexec-windows-security.log source: XmlWinEventLog -runtime: SPL-DSP +runtime: SPL2 +internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_system_binary_proxy_execution_msiexec_unregister_dll.yml b/dist/ssa/srs/ssa___windows_system_binary_proxy_execution_msiexec_unregister_dll.yml index b0b97606f3..fc8fa67292 100644 --- a/dist/ssa/srs/ssa___windows_system_binary_proxy_execution_msiexec_unregister_dll.yml +++ b/dist/ssa/srs/ssa___windows_system_binary_proxy_execution_msiexec_unregister_dll.yml 
@@ -5,52 +5,44 @@ status: production description: The following analytic identifies the usage of msiexec.exe using the /z switch parameter, which grants the ability for msiexec to unload DLLRegisterServer. Upon triage, review parent process and capture any artifacts for further review. -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where (like(process_cmd_line, "%-z %") OR like(process_cmd_line, "%/z %")) - AND process_file_name="msiexec.exe" - | eval body=create_map( - "devices", [ - create_map( - "hostname", device_hostname, "type_id", 0, "uuid", ucast(map_get(device,"uuid"), "string", null) - ) - ], - 
"time", timestamp, - "evidence", create_map("process.pid", process_pid, "process.file.path", process_file_path, "process.file.name", process_file_name, "process.cmd_line", process_cmd_line, "actor.user.name", actor_user_name, "actor.process.pid", actor_process_pid, "actor.process.file.path", actor_process_file_path, "actor.process.file.name", actor_process_file_name, "device.hostname", device_hostname), - "message", concat("Windows System Binary Proxy Execution MSIExec Unregister DLL has been triggered on ", device_hostname, " by ", actor_user_name, "."), - "users", [ - create_map( - "name", actor_user_name, "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - "risk_level_id", 1, - "risk_score", 35, - "severity_id", 0, - "rule", create_map("name", "Windows System Binary Proxy Execution MSIExec Unregister DLL", "uid", "df76a8d1-92e1-4ec9-b8f7-695b5838703e", "type", "Streaming"), - "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where (process_cmd_line 
LIKE "%-z %" + OR process_cmd_line LIKE "%/z %") AND process_file_name="msiexec.exe" + | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname}, + message = "Windows System Binary Proxy Execution MSIExec Unregister DLL has been triggered on " + device_hostname + " by " + actor_user_name + ".", + users = [{"name": actor_user_name, "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = ["Windows System Binary Proxy Execution MSIExec"], + class_name = "Detection Report", + confidence = 50, + confidence_id = 2, + duration = 0, + impact = 70, + impact_id = 4, + kill_chain = [{"phase": "Exploitation", "phase_id": 4}], + nist = ["DE.AE"], + risk_level = "Low", + category_uid = 2, + class_uid = 102001, + risk_level_id = 1, + risk_score = 35, + severity_id = 0, + rule = {"name": "Windows System Binary Proxy Execution MSIExec Unregister DLL", "uid": "df76a8d1-92e1-4ec9-b8f7-695b5838703e", "type": "Streaming"}, + metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time + | into sink; ' how_to_implement: To 
successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the @@ -114,4 +106,5 @@ test: - file_name: 4688_msiexec-windows-security.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.007/atomic_red_team/4688_msiexec-windows-security.log source: XmlWinEventLog -runtime: SPL-DSP +runtime: SPL2 +internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_wmiprvse_spawn_msbuild.yml b/dist/ssa/srs/ssa___windows_wmiprvse_spawn_msbuild.yml index eda773ffec..84b00c2d72 100644 --- a/dist/ssa/srs/ssa___windows_wmiprvse_spawn_msbuild.yml +++ b/dist/ssa/srs/ssa___windows_wmiprvse_spawn_msbuild.yml 
@@ -9,52 +9,44 @@ description: The following analytic identifies wmiprvse.exe spawning msbuild.exe In a malicious instance, MSBuild.exe will spawn from non-standard processes and have no command line arguments. For example, MSBuild.exe spawning from explorer.exe, powershell.exe is far less common and should be investigated. -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where process_file_name="MSBuild.exe" AND match_regex(actor_process_file_name, - /(?i)wmiprvse.exe/)=true - | eval body=create_map( - "devices", [ - create_map( - "hostname", device_hostname, "type_id", 0, "uuid", 
ucast(map_get(device,"uuid"), "string", null) - ) - ], - "time", timestamp, - "evidence", create_map("process.pid", process_pid, "process.file.path", process_file_path, "process.file.name", process_file_name, "process.cmd_line", process_cmd_line, "actor.user.name", actor_user_name, "actor.process.pid", actor_process_pid, "actor.process.file.path", actor_process_file_path, "actor.process.file.name", actor_process_file_name, "device.hostname", device_hostname), - "message", concat("Windows WMIPrvse Spawn MSBuild has been triggered on ", device_hostname, " by ", actor_user_name, "."), - "users", [ - create_map( - "name", actor_user_name, "uid", ucast(map_get(actor_user,"uid"), "string", null) - ) - ], - "activity_id", 1, - "category_uid", 2, - "class_uid", 102001, - "risk_level_id", 4, - "risk_score", 80, - "severity_id", 0, - "rule", create_map("name", "Windows WMIPrvse Spawn MSBuild", "uid", "76b3b290-9b31-11ec-a934-acde48001122", "type", "Streaming"), - "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), - "type_uid", 10200101, - "start_time", timestamp, - "end_time", timestamp - ) - | into write_ba_finding_events();' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where 
process_file_name="MSBuild.exe" + AND match(actor_process_file_name, /(?i)wmiprvse.exe/)=true + | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], + time = timestamp, + evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname}, + message = "Windows WMIPrvse Spawn MSBuild has been triggered on " + device_hostname + " by " + actor_user_name + ".", + users = [{"name": actor_user_name, "uid": actor_user.uid}], + activity_id = 1, + cis_csc = [{"control": "CIS 10", "version": 8}], + analytic_stories = ["Trusted Developer Utilities Proxy Execution MSBuild", "Living Off The Land"], + class_name = "Detection Report", + confidence = 100, + confidence_id = 3, + duration = 0, + impact = 80, + impact_id = 5, + kill_chain = [{"phase": "Exploitation", "phase_id": 4}], + nist = ["DE.AE"], + risk_level = "Critical", + category_uid = 2, + class_uid = 102001, + risk_level_id = 4, + risk_score = 80, + severity_id = 0, + rule = {"name": "Windows WMIPrvse Spawn MSBuild", "uid": "76b3b290-9b31-11ec-a934-acde48001122", "type": "Streaming"}, + metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, + type_uid = 10200101, + start_time = timestamp, + end_time = timestamp + | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time + | into sink; ' how_to_implement: To successfully 
implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, @@ -121,4 +113,5 @@ test: - file_name: msbuild-windows-security.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1127.001/msbuild-windows-security.log source: WinEventLog:Security -runtime: SPL-DSP +runtime: SPL2 +internalVersion: 2 diff --git a/notebooks/pretrained_dga_model_dsdl.ipynb b/notebooks/pretrained_dga_model_dsdl.ipynb index 1d80c0c695..fad7ff971b 100644 --- a/notebooks/pretrained_dga_model_dsdl.ipynb +++ b/notebooks/pretrained_dga_model_dsdl.ipynb 
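Review bot: The `where` clause matches the child case-sensitively (`process_file_name="MSBuild.exe"`) but the parent case-insensitively (`match(actor_process_file_name, /(?i)wmiprvse.exe/)`); unless the file name is normalised upstream, an event reporting `msbuild.exe` is dropped while the equivalent parent spelling would have been accepted, so treat both sides the same, e.g. `lower(process_file_name)="msbuild.exe"`. The unescaped `.` in `/(?i)wmiprvse.exe/` matches any character; `/(?i)wmiprvse\.exe/` states the intent.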
@@ -25,7 +25,7 @@
 "cell_type": "markdown",
 "metadata": {},
 "source": [
- "Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for Command And Control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the Command And Control channel, as there potentially could be thousands of domains that malware can check for instructions.\n",
+ "Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.\n",
 "\n",
 "DGAs can take the form of apparently random or \"gibberish\" strings (ex: istgmxdejdnxuyla.ru) when they construct domain names by generating each letter. Alternatively, some DGAs employ whole words as the unit by concatenating words together instead of letters (ex: cityjulydish.net). Many DGAs are time-based, generating a different domain for each time period (hourly, daily, monthly, etc). Others incorporate a seed value as well to make predicting future domains more difficult for defenders https://attack.mitre.org/techniques/T1568/002/"
 ]
@@ -40,7 +40,7 @@
 },
 {
 "cell_type": "code",
- "execution_count": null,
+ "execution_count": 32,
 "metadata": {
 "deletable": false,
 "name": "mltkc_import"
@@ -228,8 +228,7 @@
 "\n",
 " \n",
 "def is_in_alexa1m(domain,domains):\n",
- " test_in_alexa_domains = set(alexa_domains) & domains\n",
- " return ((domain in test_in_alexa_domains))\n",
+ " return ((domain in domains))\n",
 "\n",
 " \n",
 " \n",
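Review bot: `is_in_alexa1m` now reduces to `domain in domains`, and its caller in the next hunk builds `in_alexa = set(alexa_domains) & set(df['domain'])` — an intersection the membership test makes redundant, because every `x` passed in already comes from `df['domain']`, so `x in set(alexa_domains)` gives the same answer without materialising a second set of the whole column. Build `alexa_set = set(alexa_domains)` once (the helper runs per row, so keep the set construction outside the `map`) and pass that, or drop the helper and write `X_5 = df['domain'].map(lambda x: x in alexa_set)`; the doubled parentheses in `return ((domain in domains))` are noise either way. If the helper stays, give it a docstring stating the new contract, `"""Return True if *domain* is in *domains* (a pre-built set of Alexa domains)."""`, since the parameter name no longer says what the set holds. `alexa_domains` is a global defined outside both hunks, and the enclosing function of the second hunk starts outside it. The `execution_count`, kernelspec and `version` hunks in this file are run-state rather than source; stripping outputs and counts before committing keeps notebook diffs to code.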
@@ -241,13 +240,13 @@
 " print (\"2. Done adding entropy\")\n",
 " X_4 = df['domain'].map(lambda x: len(x))\n",
 " print (\"3. Done adding length of domain\")\n",
- " domains = set(df['domain'])\n",
- " X_5 = df['domain'].map(lambda x: is_in_alexa1m(x,domains))\n",
+ " in_alexa = set(alexa_domains) & set(df['domain'])\n",
+ " X_5 = df['domain'].map(lambda x: is_in_alexa1m(x, in_alexa))\n",
 " print (\"4. Done adding domain present in alexa domains\")\n",
 " X_5 = X_5.astype(int)\n",
 " input2 = np.c_[X_1,X_2,X_3,X_4,X_5] #\n",
 " print (\"appending done\")\n",
- " return input2 \n",
+ " return input2\n",
 "\n",
 "def prep_text(texts):\n",
 " text_sequences = tokenizer.texts_to_sequences(texts)\n",
@@ -309,7 +308,7 @@
 },
 {
 "cell_type": "code",
- "execution_count": null,
+ "execution_count": 3,
 "metadata": {
 "deletable": false,
 "name": "mltkc_load"
@@ -369,7 +368,7 @@
 ],
 "metadata": {
 "kernelspec": {
- "display_name": "Python 3",
+ "display_name": "Python 3 (ipykernel)",
 "language": "python",
 "name": "python3"
 },
@@ -383,7 +382,7 @@
 "name": "python",
 "nbconvert_exporter": "python",
 "pygments_lexer": "ipython3",
- "version": "3.8.5"
+ "version": "3.9.13"
 }
 },
 "nbformat": 4,
diff --git a/ssa_detections/endpoint/ssa___anomalous_usage_of_archive_tools.yml b/ssa_detections/endpoint/ssa___anomalous_usage_of_archive_tools.yml
index 7bda2abc32..f33f51c751 100644
--- a/ssa_detections/endpoint/ssa___anomalous_usage_of_archive_tools.yml
+++ b/ssa_detections/endpoint/ssa___anomalous_usage_of_archive_tools.yml
@@ -9,26 +9,16 @@ description: The following detection identifies the usage of archive tools from command line. data_source: - Windows Security 4688 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where (process_file_name="WinRAR.exe" OR like(process_file_name, "7z%") - OR like(process_file_name, "winzip%")) AND (like(actor_process_file_name, "%powershell.exe") - OR like(actor_process_file_name, "%cmd.exe")) --finding_report--' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path 
+ = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where (process_file_name="WinRAR.exe" + OR process_file_name LIKE "7z%" OR process_file_name LIKE "winzip%") AND (actor_process_file_name + LIKE "%powershell.exe" OR actor_process_file_name LIKE "%cmd.exe") --finding_report--' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. diff --git a/ssa_detections/endpoint/ssa___attempt_to_delete_services.yml b/ssa_detections/endpoint/ssa___attempt_to_delete_services.yml index cb2b668a3f..c3c7cd2217 100644 --- a/ssa_detections/endpoint/ssa___attempt_to_delete_services.yml +++ b/ssa_detections/endpoint/ssa___attempt_to_delete_services.yml 
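Review bot: The `eval` preamble on the new side assigns a number of fields (`timestamp`, `metadata_uid`, `process_pid`, `process_file_path`, `actor_user_name`, `actor_process_pid`, `actor_process_file_path`, `device_hostname`) that the `where` clause never references, and nothing in the file says whether they are required by the `--finding_report--` expansion or are leftovers from the old `ucast` form. A YAML comment above `search:` would settle that, e.g. `# eval preamble populates the fields consumed by --finding_report--; keep it identical across SSA detections`. The same preamble is repeated verbatim in the hunks for ssa___attempt_to_delete_services, ssa___attempt_to_disable_services, ssa___attempted_credential_dump_from_registry_via_reg_exe, ssa___bcdedit_failure_recovery_modification, ssa___clear_unallocated_sector_using_cipher_app, ssa___delete_a_net_user, ssa___deny_permission_using_cacls_utility, ssa___detect_prohibited_applications_spawning_cmd_exe and ssa___detect_rclone_command_line_usage, so any schema change will have to be applied to every file by hand; if the build tooling supports it, a shared template or macro for the preamble would prevent drift.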
@@ -12,25 +12,15 @@ description: The following analytic identifies Windows Service Control, `sc.exe` services to continue there objective and evade detections. data_source: - Windows Security 4688 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where process_file_name="sc.exe" AND like(process_cmd_line, "%delete%") - --finding_report--' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + 
= process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where process_file_name="sc.exe" AND + process_cmd_line LIKE "%delete%" --finding_report--' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the diff --git a/ssa_detections/endpoint/ssa___attempt_to_disable_services.yml b/ssa_detections/endpoint/ssa___attempt_to_disable_services.yml index 358274fd08..60d0bb5063 100644 --- a/ssa_detections/endpoint/ssa___attempt_to_disable_services.yml +++ b/ssa_detections/endpoint/ssa___attempt_to_disable_services.yml 
@@ -12,25 +12,15 @@ description: The following analytic identifies Windows Service Control, `sc.exe` services to continue there objective and evade detections. data_source: - Windows Security 4688 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where like(process_cmd_line, "%config%") AND like(process_cmd_line, "%disabled%") - AND process_file_name="sc.exe" --finding_report--' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = 
process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where process_cmd_line LIKE "%config%" + AND process_cmd_line LIKE "%disabled%" AND process_file_name="sc.exe" --finding_report--' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the diff --git a/ssa_detections/endpoint/ssa___attempted_credential_dump_from_registry_via_reg_exe.yml b/ssa_detections/endpoint/ssa___attempted_credential_dump_from_registry_via_reg_exe.yml index 4fb45b76b4..fde8461bd6 100644 --- a/ssa_detections/endpoint/ssa___attempted_credential_dump_from_registry_via_reg_exe.yml +++ b/ssa_detections/endpoint/ssa___attempted_credential_dump_from_registry_via_reg_exe.yml 
@@ -10,29 +10,19 @@ description: The following analytic identifies the use of `reg.exe` attempting t this technique to capture and perform offline password cracking. data_source: - Windows Security 4688 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where (process_file_name="reg.exe" OR process_file_name="cmd.exe") AND (match_regex(process_cmd_line, - /(?i)HKEY_LOCAL_MACHINE\\System/)=true OR match_regex(process_cmd_line, /(?i)HKEY_LOCAL_MACHINE\\SAM/)=true - OR match_regex(process_cmd_line, /(?i)HKEY_LOCAL_MACHINE\\Security/)=true OR match_regex(process_cmd_line, - /(?i)HKLM\\System/)=true OR 
match_regex(process_cmd_line, /(?i)HKLM\\SAM/)=true - OR match_regex(process_cmd_line, /(?i)HKLM\\Security/)=true) AND match_regex(process_cmd_line, - /(?i)save/)=true --finding_report--' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where (process_file_name="reg.exe" OR + process_file_name="cmd.exe") AND (match(process_cmd_line, /(?i)HKEY_LOCAL_MACHINE\\System/)=true + OR match(process_cmd_line, /(?i)HKEY_LOCAL_MACHINE\\SAM/)=true OR match(process_cmd_line, + /(?i)HKEY_LOCAL_MACHINE\\Security/)=true OR match(process_cmd_line, /(?i)HKLM\\System/)=true + OR match(process_cmd_line, /(?i)HKLM\\SAM/)=true OR match(process_cmd_line, /(?i)HKLM\\Security/)=true) + AND match(process_cmd_line, /(?i)save/)=true --finding_report--' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the diff --git a/ssa_detections/endpoint/ssa___bcdedit_failure_recovery_modification.yml b/ssa_detections/endpoint/ssa___bcdedit_failure_recovery_modification.yml index 10067381ed..648dc87fc4 100644 --- a/ssa_detections/endpoint/ssa___bcdedit_failure_recovery_modification.yml +++ b/ssa_detections/endpoint/ssa___bcdedit_failure_recovery_modification.yml 
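Review bot: The six `match(process_cmd_line, …)=true` alternatives in the `where` clause differ only in hive alias and key, so they collapse into one pattern with the same matched set: `AND match(process_cmd_line, /(?i)(HKEY_LOCAL_MACHINE|HKLM)\\(System|SAM|Security)/)=true AND match(process_cmd_line, /(?i)save/)=true`. The single-quoted YAML scalar keeps `\\` literally, so the doubled backslash must stay exactly as in the existing patterns. This is a readability point only; behaviour is unchanged.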
@@ -10,25 +10,16 @@ description: This search looks for flags passed to bcdedit.exe modifications to to prevent recovery. data_source: - Windows Security 4688 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where process_file_name="bcdedit.exe" AND (like(process_cmd_line, "%no%") - AND like(process_cmd_line, "%recoveryenabled%")) --finding_report--' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval 
process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where process_file_name="bcdedit.exe" + AND (process_cmd_line LIKE "%no%" AND process_cmd_line LIKE "%recoveryenabled%") + --finding_report--' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint_Processess` datamodel. diff --git a/ssa_detections/endpoint/ssa___clear_unallocated_sector_using_cipher_app.yml b/ssa_detections/endpoint/ssa___clear_unallocated_sector_using_cipher_app.yml index 4d6abb2fb4..082417f901 100644 --- a/ssa_detections/endpoint/ssa___clear_unallocated_sector_using_cipher_app.yml +++ b/ssa_detections/endpoint/ssa___clear_unallocated_sector_using_cipher_app.yml 
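Review bot: `process_cmd_line LIKE "%no%"` in the `where` clause is satisfied by any command line containing the letters `no` anywhere, a path component is enough, so combined with `%recoveryenabled%` the filter only asserts that both substrings occur somewhere, not that `no` is the value given to the flag. If the value always follows the flag, which appears to be the intent stated in the description, `process_cmd_line LIKE "%recoveryenabled%no%"` expresses that directly and drops the incidental matches. The pattern is carried over unchanged from the old `like()` form, so this is a second-look item rather than a blocker.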
@@ -10,25 +10,15 @@ description: this search is to detect execution of `cipher.exe` to clear the una impossible to forensically recover deleted files. data_source: - Windows Security 4688 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where process_file_name="cipher.exe" AND like(process_cmd_line, "%/W:%") - --finding_report--' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = 
process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where process_file_name="cipher.exe" + AND process_cmd_line LIKE "%/W:%" --finding_report--' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. diff --git a/ssa_detections/endpoint/ssa___delete_a_net_user.yml b/ssa_detections/endpoint/ssa___delete_a_net_user.yml index 0b7efb37b6..0c92f19069 100644 --- a/ssa_detections/endpoint/ssa___delete_a_net_user.yml +++ b/ssa_detections/endpoint/ssa___delete_a_net_user.yml 
@@ -13,25 +13,16 @@ description: This analytic will detect a suspicious net.exe/net1.exe command-lin any other user accounts created before or after. data_source: - Windows Security 4688 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where like(process_cmd_line, "%user%") AND like(process_cmd_line, "%/delete%") - AND (process_file_name="net.exe" OR process_file_name="net1.exe") --finding_report--' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval 
process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where process_cmd_line LIKE "%user%" + AND process_cmd_line LIKE "%/delete%" AND (process_file_name="net.exe" OR process_file_name="net1.exe") + --finding_report--' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the diff --git a/ssa_detections/endpoint/ssa___deny_permission_using_cacls_utility.yml b/ssa_detections/endpoint/ssa___deny_permission_using_cacls_utility.yml index bd18dc381d..3bb94bc52e 100644 --- a/ssa_detections/endpoint/ssa___deny_permission_using_cacls_utility.yml +++ b/ssa_detections/endpoint/ssa___deny_permission_using_cacls_utility.yml 
@@ -11,26 +11,16 @@ description: The following analytic identifies the use of `cacls.exe`, `icacls.e adversary files on disk. data_source: - Windows Security 4688 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where (process_file_name="icacls.exe" OR process_file_name="xcacls.exe" - OR process_file_name="cacls.exe") AND match_regex(process_cmd_line, /(?i)deny/)=true - --finding_report--' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval 
process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where (process_file_name="icacls.exe" + OR process_file_name="xcacls.exe" OR process_file_name="cacls.exe") AND match(process_cmd_line, + /(?i)deny/)=true --finding_report--' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the diff --git a/ssa_detections/endpoint/ssa___detect_prohibited_applications_spawning_cmd_exe.yml b/ssa_detections/endpoint/ssa___detect_prohibited_applications_spawning_cmd_exe.yml index 5b8c1e4f57..62afc13388 100644 --- a/ssa_detections/endpoint/ssa___detect_prohibited_applications_spawning_cmd_exe.yml +++ b/ssa_detections/endpoint/ssa___detect_prohibited_applications_spawning_cmd_exe.yml 
@@ -11,31 +11,21 @@ description: The following analytic identifies parent processes, browsers, Windo need to be tuned to further enhance the risk. data_source: - Windows Security 4688 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where ((actor_process_file_name="winword.exe" OR actor_process_file_name="excel.exe" - OR actor_process_file_name="outlook.exe" OR actor_process_file_name="acrobat.exe" - OR actor_process_file_name="acrord32.exe" OR actor_process_file_name="iexplore.exe" - OR actor_process_file_name="opera.exe" OR actor_process_file_name="firefox.exe" - OR actor_process_file_name="powershell.exe") 
OR (actor_process_file_name="java.exe" - AND (NOT match_regex(actor_process_file_name, /(?i)patch1-Hotfix1a/)=true)) OR (actor_process_file_name="chrome.exe" - AND (NOT process_cmd_line="chrome-extension"))) AND process_file_name="cmd.exe" - --finding_report--' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where ((actor_process_file_name="winword.exe" + OR actor_process_file_name="excel.exe" OR actor_process_file_name="outlook.exe" + OR actor_process_file_name="acrobat.exe" OR actor_process_file_name="acrord32.exe" + OR actor_process_file_name="iexplore.exe" OR actor_process_file_name="opera.exe" + OR actor_process_file_name="firefox.exe" OR actor_process_file_name="powershell.exe") + OR (actor_process_file_name="java.exe" AND (NOT match(actor_process_file_name, /(?i)patch1-Hotfix1a/)=true)) + OR (actor_process_file_name="chrome.exe" AND (NOT process_cmd_line="chrome-extension"))) + AND process_file_name="cmd.exe" --finding_report--' how_to_implement: In order to successfully implement this analytic, you will need endpoint process data from a EDR product or Sysmon. This search has been modified to process raw sysmon data from attack_range's nxlogs on DSP. diff --git a/ssa_detections/endpoint/ssa___detect_rclone_command_line_usage.yml b/ssa_detections/endpoint/ssa___detect_rclone_command_line_usage.yml index 74ecbde3b8..54126b3ce8 100644 
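Review bot: Two exclusions in the `where` clause can never suppress anything on the new side. `NOT match(actor_process_file_name, /(?i)patch1-Hotfix1a/)=true` sits in a branch that already requires `actor_process_file_name="java.exe"`, so the regex cannot match and the `NOT` is always true; it was presumably meant for `actor_process_file_path`, which the preamble already populates. Likewise `NOT process_cmd_line="chrome-extension"` is an exact comparison against the whole command line, which will practically never equal that literal; `NOT process_cmd_line LIKE "%chrome-extension%"` is the form the surrounding clauses use for substring tests. Either repoint the fields or delete the two dead clauses so the rule reads the way it behaves.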
--- a/ssa_detections/endpoint/ssa___detect_rclone_command_line_usage.yml
+++ b/ssa_detections/endpoint/ssa___detect_rclone_command_line_usage.yml
@@ -14,29 +14,19 @@ description: This analytic identifies commonly used command-line arguments used investigating by review file modifications and parallel processes. data_source: - Windows Security 4688 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where (like(process_cmd_line, "%--multi-thread-streams%") OR like(process_cmd_line, - "%--transfers%") OR like(process_cmd_line, "%--auto-confirm%") OR like(process_cmd_line, - "%--ignore-existing%") OR like(process_cmd_line, "%--no-check-certificate%") OR - like(process_cmd_line, "%--progress%") OR like(process_cmd_line, "%--config%") OR - 
like(process_cmd_line, "%ftp%") OR like(process_cmd_line, "%pcloud%") OR like(process_cmd_line, - "%mega%") OR like(process_cmd_line, "%copy%")) AND process_file_name="rclone.exe" +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where (process_cmd_line LIKE "%--multi-thread-streams%" + OR process_cmd_line LIKE "%--transfers%" OR process_cmd_line LIKE "%--auto-confirm%" + OR process_cmd_line LIKE "%--ignore-existing%" OR process_cmd_line LIKE "%--no-check-certificate%" + OR process_cmd_line LIKE "%--progress%" OR process_cmd_line LIKE "%--config%" OR + process_cmd_line LIKE "%ftp%" OR process_cmd_line LIKE "%pcloud%" OR process_cmd_line + LIKE "%mega%" OR process_cmd_line LIKE "%copy%") AND process_file_name="rclone.exe" --finding_report--' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from diff --git a/ssa_detections/endpoint/ssa___disable_net_user_account.yml b/ssa_detections/endpoint/ssa___disable_net_user_account.yml index 1af618919e..9ac1cb56ac 100644 --- a/ssa_detections/endpoint/ssa___disable_net_user_account.yml +++ b/ssa_detections/endpoint/ssa___disable_net_user_account.yml 
@@ -11,25 +11,16 @@ description: This analytic will identify a suspicious command-line that disables impact against the organization. data_source: - Windows Security 4688 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where like(process_cmd_line, "%user%") AND like(process_cmd_line, "%/active:no%") - AND (process_file_name="net.exe" OR process_file_name="net1.exe") --finding_report--' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval 
process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where process_cmd_line LIKE "%user%" + AND process_cmd_line LIKE "%/active:no%" AND (process_file_name="net.exe" OR process_file_name="net1.exe") + --finding_report--' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the diff --git a/ssa_detections/endpoint/ssa___dns_exfiltration_using_nslookup_app.yml b/ssa_detections/endpoint/ssa___dns_exfiltration_using_nslookup_app.yml index 479110d105..42f165f747 100644 --- a/ssa_detections/endpoint/ssa___dns_exfiltration_using_nslookup_app.yml +++ b/ssa_detections/endpoint/ssa___dns_exfiltration_using_nslookup_app.yml 
@@ -13,26 +13,17 @@ description: This search is to detect potential DNS exfiltration using nslookup C2 DNS multiple tries. data_source: - Windows Security 4688 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where (like(process_cmd_line, "%-retry=%") OR like(process_cmd_line, "%-type=%") - OR like(process_cmd_line, "%-q=%") OR like(process_cmd_line, "%-qt=%") OR like(process_cmd_line, - "%-querytype=%")) AND process_file_name="nslookup.exe" --finding_report--' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = 
process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where (process_cmd_line LIKE "%-retry=%" + OR process_cmd_line LIKE "%-type=%" OR process_cmd_line LIKE "%-q=%" OR process_cmd_line + LIKE "%-qt=%" OR process_cmd_line LIKE "%-querytype=%") AND process_file_name="nslookup.exe" + --finding_report--' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint_Processess` datamodel. diff --git a/ssa_detections/endpoint/ssa___fsutil_zeroing_file.yml b/ssa_detections/endpoint/ssa___fsutil_zeroing_file.yml index f4c6e3fa0d..d16c8727c3 100644 --- a/ssa_detections/endpoint/ssa___fsutil_zeroing_file.yml +++ b/ssa_detections/endpoint/ssa___fsutil_zeroing_file.yml 
@@ -10,25 +10,15 @@ description: This search is to detect a suspicious fsutil process to zeroing a t malware path as part of its defense evasion after encrypting the compromised host. data_source: - Windows Security 4688 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where like(process_cmd_line, "%setzerodata%") AND process_file_name="fsutil.exe" - --finding_report--' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = 
process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where process_cmd_line LIKE "%setzerodata%" + AND process_file_name="fsutil.exe" --finding_report--' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the diff --git a/ssa_detections/endpoint/ssa___grant_permission_using_cacls_utility.yml b/ssa_detections/endpoint/ssa___grant_permission_using_cacls_utility.yml index aec2f7bbb0..f3b20295f2 100644 --- a/ssa_detections/endpoint/ssa___grant_permission_using_cacls_utility.yml +++ b/ssa_detections/endpoint/ssa___grant_permission_using_cacls_utility.yml 
@@ -11,26 +11,16 @@ description: The following analytic identifies the use of `cacls.exe`, `icacls.e responders to review or gaining access to adversary files on disk. data_source: - Windows Security 4688 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where (process_file_name="icacls.exe" OR process_file_name="xcacls.exe" - OR process_file_name="cacls.exe") AND match_regex(process_cmd_line, /(?i)grant/)=true - --finding_report--' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval 
process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where (process_file_name="icacls.exe" + OR process_file_name="xcacls.exe" OR process_file_name="cacls.exe") AND match(process_cmd_line, + /(?i)grant/)=true --finding_report--' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the diff --git a/ssa_detections/endpoint/ssa___hiding_files_and_directories_with_attrib_exe.yml b/ssa_detections/endpoint/ssa___hiding_files_and_directories_with_attrib_exe.yml index 559e5078c7..c7a66d164b 100644 --- a/ssa_detections/endpoint/ssa___hiding_files_and_directories_with_attrib_exe.yml +++ b/ssa_detections/endpoint/ssa___hiding_files_and_directories_with_attrib_exe.yml 
@@ -11,25 +11,15 @@ description: Attackers leverage an existing Windows binary, attrib.exe, to mark to hide files. data_source: - Windows Security 4688 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where process_file_name="attrib.exe" AND match_regex(process_cmd_line, /(?i)/)=true - --finding_report--' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval 
actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where process_file_name="attrib.exe" + AND match(process_cmd_line, /(?i)/)=true --finding_report--' how_to_implement: You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. diff --git a/ssa_detections/endpoint/ssa___modify_acls_permission_of_files_or_folders.yml b/ssa_detections/endpoint/ssa___modify_acls_permission_of_files_or_folders.yml index 56be05c9ba..96b99a50d0 100644 --- a/ssa_detections/endpoint/ssa___modify_acls_permission_of_files_or_folders.yml +++ b/ssa_detections/endpoint/ssa___modify_acls_permission_of_files_or_folders.yml 
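Review bot: The regex in the rewritten `where` clause, `match(process_cmd_line, /(?i)/)=true`, is empty and matches every command line, so the detection fires on every attrib.exe launch regardless of arguments and the command-line condition is dead weight. The description says the analytic is about marking files and directories hidden, so the intended pattern is presumably the hidden-attribute switch, e.g. `match(process_cmd_line, /(?i)\+h/)=true`; confirm the intended pattern with the detection author before changing it. If alerting on every attrib execution is in fact the intent, drop the clause so the query states that plainly.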
@@ -13,26 +13,16 @@ description: This analytic identifies suspicious modification of ACL permission an account with no permission to do so. data_source: - Windows Security 4688 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where (match_regex(process_cmd_line, /(?i)S-1-1-0:/)=true OR match_regex(process_cmd_line, - /(?i)SYSTEM:/)=true OR match_regex(process_cmd_line, /(?i)everyone:/)=true) AND - (process_file_name="icacls.exe" OR process_file_name="xcacls.exe" OR process_file_name="cacls.exe") +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = 
process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where (match(process_cmd_line, /(?i)S-1-1-0:/)=true + OR match(process_cmd_line, /(?i)SYSTEM:/)=true OR match(process_cmd_line, /(?i)everyone:/)=true) + AND (process_file_name="icacls.exe" OR process_file_name="xcacls.exe" OR process_file_name="cacls.exe") --finding_report--' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your diff --git a/ssa_detections/endpoint/ssa___office_product_spawning_windows_script_host.yml b/ssa_detections/endpoint/ssa___office_product_spawning_windows_script_host.yml index 22fa4abe4d..8f99a7f8fa 100644 --- a/ssa_detections/endpoint/ssa___office_product_spawning_windows_script_host.yml +++ b/ssa_detections/endpoint/ssa___office_product_spawning_windows_script_host.yml 
@@ -10,28 +10,18 @@ description: The following analytic will identify a Windows Office Product spawn usage that may spawn scripts from an Office product. data_source: - Windows Security 4688 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where (process_file_name="cscript.exe" OR process_file_name="wscript.exe") - AND (match_regex(actor_process_file_name, /(?i)visio.exe/)=true OR match_regex(actor_process_file_name, - /(?i)mspub.exe/)=true OR match_regex(actor_process_file_name, /(?i)powerpnt.exe/)=true - OR match_regex(actor_process_file_name, /(?i)excel.exe/)=true OR match_regex(actor_process_file_name, - 
/(?i)winword.exe/)=true) --finding_report--' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where (process_file_name="cscript.exe" + OR process_file_name="wscript.exe") AND (match(actor_process_file_name, /(?i)visio.exe/)=true + OR match(actor_process_file_name, /(?i)mspub.exe/)=true OR match(actor_process_file_name, + /(?i)powerpnt.exe/)=true OR match(actor_process_file_name, /(?i)excel.exe/)=true + OR match(actor_process_file_name, /(?i)winword.exe/)=true) --finding_report--' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the diff --git a/ssa_detections/endpoint/ssa___resize_shadowstorage_volume.yml b/ssa_detections/endpoint/ssa___resize_shadowstorage_volume.yml index 14e8a6f7c5..84a5006170 100644 --- a/ssa_detections/endpoint/ssa___resize_shadowstorage_volume.yml +++ b/ssa_detections/endpoint/ssa___resize_shadowstorage_volume.yml 
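Review bot: The parent-process regexes in the new `where` clause leave the `.` before `exe` unescaped (`/(?i)visio.exe/` and the four siblings), so it matches any character, and the patterns are unanchored; the first hunk in this chunk tests `actor_process_file_name` with plain equality, so this detection is also inconsistent with its siblings. A single anchored pattern, `match(actor_process_file_name, /(?i)^(visio|mspub|powerpnt|excel|winword)\.exe$/)=true`, expresses the same intent more tightly, or use equality on the file name like the other rewritten searches.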
@@ -11,25 +11,15 @@ description: The following analytic identifies the resizing of shadowstorage usi the shadowstorage. data_source: - Windows Security 4688 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where like(process_cmd_line, "%shadowstorage%") AND like(process_cmd_line, - "%resize%") AND like(process_cmd_line, "%maxsize%") AND process_file_name="vssadmin.exe" +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = 
process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where process_cmd_line LIKE "%shadowstorage%" + AND process_cmd_line LIKE "%resize%" AND process_cmd_line LIKE "%maxsize%" AND process_file_name="vssadmin.exe" --finding_report--' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your diff --git a/ssa_detections/endpoint/ssa___sdelete_application_execution.yml b/ssa_detections/endpoint/ssa___sdelete_application_execution.yml index 0db0a277f5..60a7d419b7 100644 --- a/ssa_detections/endpoint/ssa___sdelete_application_execution.yml +++ b/ssa_detections/endpoint/ssa___sdelete_application_execution.yml 
@@ -12,35 +12,26 @@ description: This analytic will detect the execution of sdelete.exe attempting t artifact on the targeted host. data_source: - Windows Security 4688 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where (like(process_cmd_line, "%.xls%") OR like(process_cmd_line, "%.gz%") - OR like(process_cmd_line, "%.tar%") OR like(process_cmd_line, "%.rar%") OR like(process_cmd_line, - "%.zip%") OR like(process_cmd_line, "%.7z%") OR like(process_cmd_line, "%.bmp%") - OR like(process_cmd_line, "%.gif%") OR like(process_cmd_line, "%.png%") OR like(process_cmd_line, - "%.jpg%") OR like(process_cmd_line, 
"%.txt%") OR like(process_cmd_line, "%.log%") - OR like(process_cmd_line, "%.key%") OR like(process_cmd_line, "%.pdf%") OR like(process_cmd_line, - "%.rtf%") OR like(process_cmd_line, "%.ppt%") OR like(process_cmd_line, "%.xls%") - OR like(process_cmd_line, "%.doc%") OR like(process_cmd_line, "%-nobanner%") OR - like(process_cmd_line, "%/accepteula%") OR like(process_cmd_line, "%-z %") OR like(process_cmd_line, - "%-s %") OR like(process_cmd_line, "%-q %") OR like(process_cmd_line, "%-r %") OR - like(process_cmd_line, "%-p %") OR like(process_cmd_line, "%-f %") OR like(process_cmd_line, - "%-c %")) AND like(process_file_name, "%sdelete%") --finding_report--' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where (process_cmd_line LIKE "%.xls%" + OR process_cmd_line LIKE "%.gz%" OR process_cmd_line LIKE "%.tar%" OR process_cmd_line + LIKE "%.rar%" OR process_cmd_line LIKE "%.zip%" OR process_cmd_line LIKE "%.7z%" + OR process_cmd_line LIKE "%.bmp%" OR process_cmd_line LIKE "%.gif%" OR process_cmd_line + LIKE "%.png%" OR process_cmd_line LIKE "%.jpg%" OR process_cmd_line LIKE "%.txt%" + OR process_cmd_line LIKE "%.log%" OR process_cmd_line LIKE "%.key%" OR process_cmd_line + LIKE "%.pdf%" OR process_cmd_line LIKE "%.rtf%" OR process_cmd_line LIKE "%.ppt%" + OR process_cmd_line LIKE "%.xls%" OR process_cmd_line LIKE "%.doc%" OR process_cmd_line + LIKE "%-nobanner%" 
OR process_cmd_line LIKE "%/accepteula%" OR process_cmd_line + LIKE "%-z %" OR process_cmd_line LIKE "%-s %" OR process_cmd_line LIKE "%-q %" OR + process_cmd_line LIKE "%-r %" OR process_cmd_line LIKE "%-p %" OR process_cmd_line + LIKE "%-f %" OR process_cmd_line LIKE "%-c %") AND process_file_name LIKE "%sdelete%" + --finding_report--' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, diff --git a/ssa_detections/endpoint/ssa___system_process_running_from_unexpected_location.yml b/ssa_detections/endpoint/ssa___system_process_running_from_unexpected_location.yml index 4782fdb7f9..0246d7e2d6 100644 --- a/ssa_detections/endpoint/ssa___system_process_running_from_unexpected_location.yml +++ b/ssa_detections/endpoint/ssa___system_process_running_from_unexpected_location.yml 
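Review bot: `process_cmd_line LIKE "%.xls%"` appears twice in the rewritten `where` clause (it opens the list and recurs after `%.ppt%`), so one occurrence is redundant and makes the already long disjunction harder to audit; drop the second. Separately, the single-letter switch terms such as `"%-z %"` and `"%-s %"` only match when the switch is followed by a space, so a switch at the very end of the command line is not matched; if that is deliberate, a short remark in `how_to_implement` would save the next reader from wondering.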
@@ -13,235 +13,125 @@ description: An attacker tries might try to use different version of a system co and the original detection https://github.com/splunk/security_content/blob/develop/detections/system_processes_run_from_unexpected_locations.yml data_source: - Windows Security 4688 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where (process_file_name="xwizard.exe" OR process_file_name="xpsrchvw.exe" - OR process_file_name="xcopy.exe" OR process_file_name="wusa.exe" OR process_file_name="wuauclt.exe" - OR process_file_name="wuapp.exe" OR process_file_name="wuapihost.exe" OR 
process_file_name="wsqmcons.exe" - OR process_file_name="wsmprovhost.exe" OR process_file_name="wscript.exe" OR process_file_name="write.exe" - OR process_file_name="wpr.exe" OR process_file_name="wpnpinst.exe" OR process_file_name="wowreg32.exe" - OR process_file_name="wlrmdr.exe" OR process_file_name="wlanext.exe" OR process_file_name="wksprt.exe" - OR process_file_name="wkspbroker.exe" OR process_file_name="wisptis.exe" OR process_file_name="winver.exe" - OR process_file_name="winrshost.exe" OR process_file_name="winrs.exe" OR process_file_name="winresume.exe" - OR process_file_name="winlogon.exe" OR process_file_name="winload.exe" OR process_file_name="wininit.exe" - OR process_file_name="wimserv.exe" OR process_file_name="wifitask.exe" OR process_file_name="wiawow64.exe" - OR process_file_name="wiaacmgr.exe" OR process_file_name="whoami.exe" OR process_file_name="where.exe" - OR process_file_name="wextract.exe" OR process_file_name="wevtutil.exe" OR process_file_name="wermgr.exe" - OR process_file_name="wecutil.exe" OR process_file_name="wbengine.exe" OR process_file_name="wbadmin.exe" - OR process_file_name="waitfor.exe" OR process_file_name="w32tm.exe" OR process_file_name="vssadmin.exe" - OR process_file_name="vmicsvc.exe" OR process_file_name="verifiergui.exe" OR process_file_name="verifier.exe" - OR process_file_name="verclsid.exe" OR process_file_name="vdsldr.exe" OR process_file_name="vds.exe" - OR process_file_name="userinit.exe" OR process_file_name="upnpcont.exe" OR process_file_name="unregmp2.exe" - OR process_file_name="unlodctr.exe" OR process_file_name="ucsvc.exe" OR process_file_name="tzutil.exe" - OR process_file_name="tzsync.exe" OR process_file_name="typeperf.exe" OR process_file_name="tskill.exe" - OR process_file_name="tsdiscon.exe" OR process_file_name="tscon.exe" OR process_file_name="tracerpt.exe" - OR process_file_name="tpmvscmgrsvr.exe" OR process_file_name="tpmvscmgr.exe" OR - process_file_name="timeout.exe" OR 
process_file_name="tcmsetup.exe" OR process_file_name="taskmgr.exe" - OR process_file_name="tasklist.exe" OR process_file_name="taskkill.exe" OR process_file_name="taskhostw.exe" - OR process_file_name="taskhost.exe" OR process_file_name="taskeng.exe" OR process_file_name="takeown.exe" - OR process_file_name="tabcal.exe" OR process_file_name="systray.exe" OR process_file_name="systemreset.exe" - OR process_file_name="systeminfo.exe" OR process_file_name="syskey.exe" OR process_file_name="sxstrace.exe" - OR process_file_name="svchost.exe" OR process_file_name="subst.exe" OR process_file_name="srdelayed.exe" - OR process_file_name="spreview.exe" OR process_file_name="sppsvc.exe" OR process_file_name="spoolsv.exe" - OR process_file_name="spinstall.exe" OR process_file_name="sort.exe" OR process_file_name="snmptrap.exe" - OR process_file_name="smss.exe" OR process_file_name="slui.exe" OR process_file_name="sihost.exe" - OR process_file_name="sigverif.exe" OR process_file_name="shutdown.exe" OR process_file_name="shrpubw.exe" - OR process_file_name="shadow.exe" OR process_file_name="setx.exe" OR process_file_name="setupugc.exe" - OR process_file_name="setupcl.exe" OR process_file_name="setspn.exe" OR process_file_name="sethc.exe" - OR process_file_name="sessionmsg.exe" OR process_file_name="services.exe" OR process_file_name="secinit.exe" - OR process_file_name="sdiagnhost.exe" OR process_file_name="sdclt.exe" OR process_file_name="sdchange.exe" - OR process_file_name="sdbinst.exe" OR process_file_name="schtasks.exe" OR process_file_name="sc.exe" - OR process_file_name="sbunattend.exe" OR process_file_name="rwinsta.exe" OR process_file_name="runonce.exe" - OR process_file_name="rundll32.exe" OR process_file_name="runas.exe" OR process_file_name="rstrui.exe" - OR process_file_name="rrinstaller.exe" OR process_file_name="rmttpmvscmgrsvr.exe" - OR process_file_name="resmon.exe" OR process_file_name="reset.exe" OR process_file_name="replace.exe" - OR 
process_file_name="repair-bde.exe" OR process_file_name="relog.exe" OR process_file_name="rekeywiz.exe" - OR process_file_name="regsvr32.exe" OR process_file_name="regini.exe" OR process_file_name="regedt32.exe" - OR process_file_name="reg.exe" OR process_file_name="recover.exe" OR process_file_name="recdisc.exe" - OR process_file_name="rdrleakdiag.exe" OR process_file_name="rdpinput.exe" OR process_file_name="rdpclip.exe" - OR process_file_name="rasphone.exe" OR process_file_name="raserver.exe" OR process_file_name="rasdial.exe" - OR process_file_name="rasautou.exe" OR process_file_name="qwinsta.exe" OR process_file_name="quser.exe" - OR process_file_name="query.exe" OR process_file_name="qprocess.exe" OR process_file_name="qappsrv.exe" - OR process_file_name="pwlauncher.exe" OR process_file_name="psr.exe" OR process_file_name="provtool.exe" - OR process_file_name="proquota.exe" OR process_file_name="printui.exe" OR process_file_name="printfilterpipelinesvc.exe" - OR process_file_name="print.exe" OR process_file_name="prevhost.exe" OR process_file_name="powercfg.exe" - OR process_file_name="poqexec.exe" OR process_file_name="plasrv.exe" OR process_file_name="phoneactivate.exe" - OR process_file_name="perfmon.exe" OR process_file_name="pcwrun.exe" OR process_file_name="pcawrk.exe" - OR process_file_name="pcaui.exe" OR process_file_name="pcalua.exe" OR process_file_name="p2phost.exe" - OR process_file_name="osk.exe" OR process_file_name="openfiles.exe" OR process_file_name="omadmprc.exe" - OR process_file_name="omadmclient.exe" OR process_file_name="odbcconf.exe" OR process_file_name="odbcad32.exe" - OR process_file_name="ocsetup.exe" OR process_file_name="ntprint.exe" OR process_file_name="ntoskrnl.exe" - OR process_file_name="nslookup.exe" OR process_file_name="notepad.exe" OR process_file_name="nltest.exe" - OR process_file_name="newdev.exe" OR process_file_name="netsh.exe" OR process_file_name="netiougc.exe" - OR process_file_name="netcfg.exe" OR 
process_file_name="netbtugc.exe" OR process_file_name="net1.exe" - OR process_file_name="net.exe" OR process_file_name="ndadmin.exe" OR process_file_name="nbtstat.exe" - OR process_file_name="mtstocom.exe" OR process_file_name="mstsc.exe" OR process_file_name="msra.exe" - OR process_file_name="mspaint.exe" OR process_file_name="msinfo32.exe" OR process_file_name="msiexec.exe" - OR process_file_name="mshta.exe" OR process_file_name="msg.exe" OR process_file_name="msfeedssync.exe" - OR process_file_name="msdtc.exe" OR process_file_name="msdt.exe" OR process_file_name="msconfig.exe" - OR process_file_name="mpnotify.exe" OR process_file_name="mountvol.exe" OR process_file_name="mobsync.exe" - OR process_file_name="mmc.exe" OR process_file_name="mfpmp.exe" OR process_file_name="mctadmin.exe" - OR process_file_name="mcbuilder.exe" OR process_file_name="mblctr.exe" OR process_file_name="manage-bde.exe" - OR process_file_name="makecab.exe" OR process_file_name="lsm.exe" OR process_file_name="lsass.exe" - OR process_file_name="lpremove.exe" OR process_file_name="lpksetup.exe" OR process_file_name="lpkinstall.exe" - OR process_file_name="logoff.exe" OR process_file_name="logman.exe" OR process_file_name="logagent.exe" - OR process_file_name="lodctr.exe" OR process_file_name="licensingdiag.exe" OR process_file_name="label.exe" - OR process_file_name="ktmutil.exe" OR process_file_name="ksetup.exe" OR process_file_name="klist.exe" - OR process_file_name="isoburn.exe" OR process_file_name="iscsicpl.exe" OR process_file_name="iscsicli.exe" - OR process_file_name="irftp.exe" OR process_file_name="ipconfig.exe" OR process_file_name="immersivetpmvscmgrsvr.exe" - OR process_file_name="iexpress.exe" OR process_file_name="ieetwcollector.exe" OR - process_file_name="ieunatt.exe" OR process_file_name="ie4uinit.exe" OR process_file_name="icsunattend.exe" - OR process_file_name="icardagt.exe" OR process_file_name="icacls.exe" OR process_file_name="hwrreg.exe" - OR 
process_file_name="hwrcomp.exe" OR process_file_name="help.exe" OR process_file_name="hdwwiz.exe" - OR process_file_name="grpconv.exe" OR process_file_name="gpupdate.exe" OR process_file_name="gpscript.exe" - OR process_file_name="gpresult.exe" OR process_file_name="getmac.exe" OR process_file_name="fveprompt.exe" - OR process_file_name="fvenotify.exe" OR process_file_name="ftp.exe" OR process_file_name="fsutil.exe" - OR process_file_name="fsquirt.exe" OR process_file_name="fsavailux.exe" OR process_file_name="forfiles.exe" - OR process_file_name="fontview.exe" OR process_file_name="fontdrvhost.exe" OR process_file_name="fodhelper.exe" - OR process_file_name="fltmc.exe" OR process_file_name="fixmapi.exe" OR process_file_name="finger.exe" - OR process_file_name="findstr.exe" OR process_file_name="find.exe" OR process_file_name="fhmanagew.exe" - OR process_file_name="fc.exe" OR process_file_name="extrac32.exe" OR process_file_name="expand.exe" - OR process_file_name="eventvwr.exe" OR process_file_name="eventcreate.exe" OR process_file_name="eudcedit.exe" - OR process_file_name="esentutl.exe" OR process_file_name="embeddedapplauncher.exe" - OR process_file_name="efsui.exe" OR process_file_name="easinvoker.exe" OR process_file_name="dxdiag.exe" - OR process_file_name="dwm.exe" OR process_file_name="dvdupgrd.exe" OR process_file_name="dvdplay.exe" - OR process_file_name="dstokenclean.exe" OR process_file_name="dsregcmd.exe" OR process_file_name="drvinst.exe" - OR process_file_name="drvcfg.exe" OR process_file_name="driverquery.exe" OR process_file_name="dpnsvr.exe" - OR process_file_name="dpapimig.exe" OR process_file_name="doskey.exe" OR process_file_name="dnscacheugc.exe" - OR process_file_name="dmclient.exe" OR process_file_name="dmcfghost.exe" OR process_file_name="dmcertinst.exe" - OR process_file_name="dllhst3g.exe" OR process_file_name="dllhost.exe" OR process_file_name="djoin.exe" - OR process_file_name="dispdiag.exe" OR process_file_name="diskraid.exe" OR 
process_file_name="diskperf.exe" - OR process_file_name="diskpart.exe" OR process_file_name="dinotify.exe" OR process_file_name="diantz.exe" - OR process_file_name="dialer.exe" OR process_file_name="dfrgui.exe" OR process_file_name="ddodiag.exe" - OR process_file_name="dcomcnfg.exe" OR process_file_name="dccw.exe" OR process_file_name="dashost.exe" - OR process_file_name="cttunesvr.exe" OR process_file_name="cttune.exe" OR process_file_name="ctfmon.exe" - OR process_file_name="csrss.exe" OR process_file_name="cscript.exe" OR process_file_name="credwiz.exe" - OR process_file_name="convert.exe" OR process_file_name="control.exe" OR process_file_name="consent.exe" - OR process_file_name="conhost.exe" OR process_file_name="compact.exe" OR process_file_name="comp.exe" - OR process_file_name="colorcpl.exe" OR process_file_name="cofire.exe" OR process_file_name="cmstp.exe" - OR process_file_name="cmmon32.exe" OR process_file_name="cmdl32.exe" OR process_file_name="cmdkey.exe" - OR process_file_name="cmd.exe" OR process_file_name="clip.exe" OR process_file_name="cliconfg.exe" - OR process_file_name="cleanmgr.exe" OR process_file_name="cipher.exe" OR process_file_name="choice.exe" - OR process_file_name="chkntfs.exe" OR process_file_name="chkdsk.exe" OR process_file_name="chgusr.exe" - OR process_file_name="chgport.exe" OR process_file_name="chglogon.exe" OR process_file_name="charmap.exe" - OR process_file_name="changepk.exe" OR process_file_name="change.exe" OR process_file_name="certutil.exe" - OR process_file_name="certreq.exe" OR process_file_name="cdpreference.exe" OR process_file_name="calc.exe" - OR process_file_name="cacls.exe" OR process_file_name="bthudtask.exe" OR process_file_name="browser_broker.exe" - OR process_file_name="bridgeunattend.exe" OR process_file_name="bootsect.exe" OR - process_file_name="bootim.exe" OR process_file_name="bootcfg.exe" OR process_file_name="bitsadmin.exe" - OR process_file_name="bdeunlock.exe" OR 
process_file_name="bdechangepin.exe" OR - process_file_name="bcdedit.exe" OR process_file_name="bcdboot.exe" OR process_file_name="bcastdvr.exe" - OR process_file_name="backgroundtaskhost.exe" OR process_file_name="baaupdate.exe" - OR process_file_name="autofmt.exe" OR process_file_name="autoconv.exe" OR process_file_name="autochk.exe" - OR process_file_name="auditpol.exe" OR process_file_name="audiodg.exe" OR process_file_name="attrib.exe" - OR process_file_name="at.exe" OR process_file_name="appidpolicyconverter.exe" OR - process_file_name="appidcertstorecheck.exe" OR process_file_name="alg.exe" OR process_file_name="aitstatic.exe" - OR process_file_name="aitagent.exe" OR process_file_name="acu.exe" OR process_file_name="wpcmon.exe" - OR process_file_name="workfolders.exe" OR process_file_name="windowsupdateelevatedinstaller.exe" - OR process_file_name="windowsanytimeupgradeui.exe" OR process_file_name="windowsanytimeupgraderesults.exe" - OR process_file_name="windowsanytimeupgrade.exe" OR process_file_name="windowsactiondialog.exe" - OR process_file_name="windows.media.backgroundplayback.exe" OR process_file_name="winsat.exe" - OR process_file_name="werfaultsecure.exe" OR process_file_name="werfault.exe" OR - process_file_name="webcache.exe" OR process_file_name="wallpaperhost.exe" OR process_file_name="wwahost.exe" - OR process_file_name="wudfhost.exe" OR process_file_name="wsreset.exe" OR process_file_name="wsmanhttpconfig.exe" - OR process_file_name="wscollect.exe" OR process_file_name="wpdshextautoplay.exe" - OR process_file_name="wmpdmc.exe" OR process_file_name="wfs.exe" OR process_file_name="vaultsysui.exe" - OR process_file_name="vaultcmd.exe" OR process_file_name="vssvc.exe" OR process_file_name="utilman.exe" - OR process_file_name="usoclient.exe" OR process_file_name="useraccountcontrolsettings.exe" - OR process_file_name="useraccountbroker.exe" OR process_file_name="upgraderesultsui.exe" - OR process_file_name="ui0detect.exe" OR 
process_file_name="tswpfwrp.exe" OR process_file_name="tpminit.exe" - OR process_file_name="tokenbrokercookies.exe" OR process_file_name="thumbnailextractionhost.exe" - OR process_file_name="taskmgr.exe" OR process_file_name="tapiunattend.exe" OR process_file_name="tswbprxy.exe" - OR process_file_name="tstheme.exe" OR process_file_name="tracert.exe" OR process_file_name="tcpsvcs.exe" - OR process_file_name="systemsettingsremovedevice.exe" OR process_file_name="systemsettingsbroker.exe" - OR process_file_name="systemsettingsadminflows.exe" OR process_file_name="systempropertiesremote.exe" - OR process_file_name="systempropertiesprotection.exe" OR process_file_name="systempropertiesperformance.exe" - OR process_file_name="systempropertieshardware.exe" OR process_file_name="systempropertiesdataexecutionprevention.exe" - OR process_file_name="systempropertiescomputername.exe" OR process_file_name="systempropertiesadvanced.exe" - OR process_file_name="sysreseterr.exe" OR process_file_name="synchost.exe" OR process_file_name="stikynot.exe" - OR process_file_name="srtasks.exe" OR process_file_name="sppextcomobj.exe" OR process_file_name="spaceagent.exe" - OR process_file_name="soundrecorder.exe" OR process_file_name="snippingtool.exe" - OR process_file_name="sndvol.exe" OR process_file_name="smartscreensettings.exe" - OR process_file_name="slidetoshutdown.exe" OR process_file_name="settingsynchost.exe" - OR process_file_name="setieinstalleddate.exe" OR process_file_name="sensordataservice.exe" - OR process_file_name="secedit.exe" OR process_file_name="searchprotocolhost.exe" - OR process_file_name="searchindexer.exe" OR process_file_name="searchfilterhost.exe" - OR process_file_name="sihclient.exe" OR process_file_name="runtimebroker.exe" OR - process_file_name="runlegacycplelevated.exe" OR process_file_name="rpcping.exe" - OR process_file_name="rmclient.exe" OR process_file_name="remoteposworker.exe" OR - process_file_name="relpost.exe" OR 
process_file_name="registeriepkeys.exe" OR process_file_name="register-cimprovider.exe" - OR process_file_name="recoverydrive.exe" OR process_file_name="reagentc.exe" OR - process_file_name="rdpsauachelper.exe" OR process_file_name="rdpsaproxy.exe" OR - process_file_name="rdpsa.exe" OR process_file_name="route.exe" OR process_file_name="rmactivate_ssp_isv.exe" - OR process_file_name="rmactivate_ssp.exe" OR process_file_name="rmactivate_isv.exe" - OR process_file_name="rmactivate.exe" OR process_file_name="rdspnf.exe" OR process_file_name="proximityuxhost.exe" - OR process_file_name="printisolationhost.exe" OR process_file_name="printdialoghost3d.exe" - OR process_file_name="printdialoghost.exe" OR process_file_name="printbrmui.exe" - OR process_file_name="presentationsettings.exe" OR process_file_name="presentationhost.exe" - OR process_file_name="pnputil.exe" OR process_file_name="pnpunattend.exe" OR process_file_name="pkgmgr.exe" - OR process_file_name="pickerhost.exe" OR process_file_name="passwordonwakesettingflyout.exe" - OR process_file_name="ping.exe" OR process_file_name="pathping.exe" OR process_file_name="optionalfeatures.exe" - OR process_file_name="openwith.exe" OR process_file_name="networkuxbroker.exe" OR - process_file_name="netplwiz.exe" OR process_file_name="netproj.exe" OR process_file_name="netevtfwdr.exe" - OR process_file_name="netcfgnotifyobjecthost.exe" OR process_file_name="narrator.exe" - OR process_file_name="netstat.exe" OR process_file_name="napstat.exe" OR process_file_name="musnotificationux.exe" - OR process_file_name="musnotification.exe" OR process_file_name="multidigimon.exe" - OR process_file_name="muiunattend.exe" OR process_file_name="msspellcheckinghost.exe" - OR process_file_name="mpsigstub.exe" OR process_file_name="migautoplay.exe" OR process_file_name="mdsched.exe" - OR process_file_name="mdres.exe" OR process_file_name="mbaeparsertask.exe" OR process_file_name="magnify.exe" - OR process_file_name="mschedexe.exe" OR 
process_file_name="mrt.exe" OR process_file_name="mrinfo.exe" - OR process_file_name="mdmappinstaller.exe" OR process_file_name="mdmagent.exe" OR - process_file_name="mdeserver.exe" OR process_file_name="lsaiso.exe" OR process_file_name="logonui.exe" - OR process_file_name="lockscreencontentserver.exe" OR process_file_name="lockapphost.exe" - OR process_file_name="locator.exe" OR process_file_name="locationnotifications.exe" - OR process_file_name="locationnotificationwindows.exe" OR process_file_name="licensingui.exe" - OR process_file_name="licensemanagershellext.exe" OR process_file_name="legacynetuxhost.exe" - OR process_file_name="launchwinapp.exe" OR process_file_name="launchtm.exe" OR process_file_name="languagecomponentsinstallercomhandler.exe" - OR process_file_name="installagent.exe" OR process_file_name="infdefaultinstall.exe" - OR process_file_name="icsentitlementhost.exe" OR process_file_name="hostname.exe" - OR process_file_name="gettingstarted.exe" OR process_file_name="genvalobj.exe" OR - process_file_name="gamepanel.exe" OR process_file_name="fondue.exe" OR process_file_name="filehistory.exe" - OR process_file_name="fxsunatd.exe" OR process_file_name="fxssvc.exe" OR process_file_name="fxscover.exe" - OR process_file_name="ehstorauthn.exe" OR process_file_name="easeofaccessdialog.exe" - OR process_file_name="easpoliciesbrokerhost.exe" OR process_file_name="eap3host.exe" - OR process_file_name="eosnotify.exe" OR process_file_name="edpcleanup.exe" OR process_file_name="dxpserver.exe" - OR process_file_name="dsmusertask.exe" OR process_file_name="dpiscaling.exe" OR - process_file_name="dmomacpmo.exe" OR process_file_name="dmnotificationbroker.exe" - OR process_file_name="displayswitch.exe" OR process_file_name="dism.exe" OR process_file_name="disksnapshot.exe" - OR process_file_name="deviceproperties.exe" OR process_file_name="devicepairingwizard.exe" - OR process_file_name="deviceenroller.exe" OR process_file_name="deviceeject.exe" - OR 
process_file_name="devicedisplayobjectprovider.exe" OR process_file_name="defrag.exe" - OR process_file_name="dataexchangehost.exe" OR process_file_name="dwwin.exe" OR - process_file_name="dfdwiz.exe" OR process_file_name="credentialuibroker.exe" OR - process_file_name="computerdefaults.exe" OR process_file_name="compattelrunner.exe" - OR process_file_name="compmgmtlauncher.exe" OR process_file_name="cloudstoragewizard.exe" - OR process_file_name="cloudnotifications.exe" OR process_file_name="cloudexperiencehostbroker.exe" - OR process_file_name="clipup.exe" OR process_file_name="checknetisolation.exe" OR - process_file_name="certenrollctrl.exe" OR process_file_name="castsrv.exe" OR process_file_name="camerasettingsuihost.exe" - OR process_file_name="bytecodegenerator.exe" OR process_file_name="bitlockerwizardelev.exe" - OR process_file_name="bitlockerwizard.exe" OR process_file_name="bitlockerdeviceencryption.exe" - OR process_file_name="bdeunlockwizard.exe" OR process_file_name="bdeuisrv.exe" OR - process_file_name="bdehdcfg.exe" OR process_file_name="backgroundtransferhost.exe" - OR process_file_name="axinstui.exe" OR process_file_name="autoworkplace.exe" OR - process_file_name="authhost.exe" OR process_file_name="atbroker.exe" OR process_file_name="applicationframehost.exe" - OR process_file_name="adaptertroubleshooter.exe" OR process_file_name="arp.exe") - AND (NOT match_regex(process_file_path, /(?i)\\windows\\syswow64/)=true) AND (NOT - match_regex(process_file_path, /(?i)\\windows\\system32/)=true) --finding_report--' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = 
actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where (process_file_name IN ("xwizard.exe", + "xpsrchvw.exe", "xcopy.exe", "wusa.exe", "wuauclt.exe", "wuapp.exe", "wuapihost.exe", + "wsqmcons.exe", "wsmprovhost.exe", "wscript.exe", "write.exe", "wpr.exe", "wpnpinst.exe", + "wowreg32.exe", "wlrmdr.exe", "wlanext.exe", "wksprt.exe", "wkspbroker.exe", "wisptis.exe", + "winver.exe", "winrshost.exe", "winrs.exe", "winresume.exe", "winlogon.exe", "winload.exe", + "wininit.exe", "wimserv.exe", "wifitask.exe", "wiawow64.exe", "wiaacmgr.exe", "whoami.exe", + "where.exe", "wextract.exe", "wevtutil.exe", "wermgr.exe", "wecutil.exe", "wbengine.exe", + "wbadmin.exe", "waitfor.exe", "w32tm.exe", "vssadmin.exe", "vmicsvc.exe", "verifiergui.exe", + "verifier.exe", "verclsid.exe", "vdsldr.exe", "vds.exe", "userinit.exe", "upnpcont.exe", + "unregmp2.exe", "unlodctr.exe", "ucsvc.exe", "tzutil.exe", "tzsync.exe", "typeperf.exe", + "tskill.exe", "tsdiscon.exe", "tscon.exe", "tracerpt.exe", "tpmvscmgrsvr.exe", "tpmvscmgr.exe", + "timeout.exe", "tcmsetup.exe", "taskmgr.exe", "tasklist.exe", "taskkill.exe", "taskhostw.exe", + "taskhost.exe", "taskeng.exe", "takeown.exe", "tabcal.exe", "systray.exe", "systemreset.exe", + "systeminfo.exe", "syskey.exe", "sxstrace.exe", "svchost.exe", "subst.exe", "srdelayed.exe", + "spreview.exe", "sppsvc.exe", "spoolsv.exe", "spinstall.exe", "sort.exe", "snmptrap.exe", + "smss.exe", "slui.exe", "sihost.exe", "sigverif.exe", "shutdown.exe", "shrpubw.exe", + "shadow.exe", "setx.exe", "setupugc.exe", "setupcl.exe", "setspn.exe", "sethc.exe", + "sessionmsg.exe", "services.exe", "secinit.exe", "sdiagnhost.exe", "sdclt.exe", + "sdchange.exe", "sdbinst.exe", "schtasks.exe", "sc.exe", "sbunattend.exe", "rwinsta.exe", + "runonce.exe", "rundll32.exe", "runas.exe", "rstrui.exe", 
"rrinstaller.exe", "rmttpmvscmgrsvr.exe", + "resmon.exe", "reset.exe", "replace.exe", "repair-bde.exe", "relog.exe", "rekeywiz.exe", + "regsvr32.exe", "regini.exe", "regedt32.exe", "reg.exe", "recover.exe", "recdisc.exe", + "rdrleakdiag.exe", "rdpinput.exe", "rdpclip.exe", "rasphone.exe", "raserver.exe", + "rasdial.exe", "rasautou.exe", "qwinsta.exe", "quser.exe", "query.exe", "qprocess.exe", + "qappsrv.exe", "pwlauncher.exe", "psr.exe", "provtool.exe", "proquota.exe", "printui.exe", + "printfilterpipelinesvc.exe", "print.exe", "prevhost.exe", "powercfg.exe", "poqexec.exe", + "plasrv.exe", "phoneactivate.exe", "perfmon.exe", "pcwrun.exe", "pcawrk.exe", "pcaui.exe", + "pcalua.exe", "p2phost.exe", "osk.exe", "openfiles.exe", "omadmprc.exe", "omadmclient.exe", + "odbcconf.exe", "odbcad32.exe", "ocsetup.exe", "ntprint.exe", "ntoskrnl.exe", "nslookup.exe", + "notepad.exe", "nltest.exe", "newdev.exe", "netsh.exe", "netiougc.exe", "netcfg.exe", + "netbtugc.exe", "net1.exe", "net.exe", "ndadmin.exe", "nbtstat.exe", "mtstocom.exe", + "mstsc.exe", "msra.exe", "mspaint.exe", "msinfo32.exe", "msiexec.exe", "mshta.exe", + "msg.exe", "msfeedssync.exe", "msdtc.exe", "msdt.exe", "msconfig.exe", "mpnotify.exe", + "mountvol.exe", "mobsync.exe", "mmc.exe", "mfpmp.exe", "mctadmin.exe", "mcbuilder.exe", + "mblctr.exe", "manage-bde.exe", "makecab.exe", "lsm.exe", "lsass.exe", "lpremove.exe", + "lpksetup.exe", "lpkinstall.exe", "logoff.exe", "logman.exe", "logagent.exe", "lodctr.exe", + "licensingdiag.exe", "label.exe", "ktmutil.exe", "ksetup.exe", "klist.exe", "isoburn.exe", + "iscsicpl.exe", "iscsicli.exe", "irftp.exe", "ipconfig.exe", "immersivetpmvscmgrsvr.exe", + "iexpress.exe", "ieetwcollector.exe", "ieunatt.exe", "ie4uinit.exe", "icsunattend.exe", + "icardagt.exe", "icacls.exe", "hwrreg.exe", "hwrcomp.exe", "help.exe", "hdwwiz.exe", + "grpconv.exe", "gpupdate.exe", "gpscript.exe", "gpresult.exe", "getmac.exe", "fveprompt.exe", + "fvenotify.exe", "ftp.exe", "fsutil.exe", 
"fsquirt.exe", "fsavailux.exe", "forfiles.exe", + "fontview.exe", "fontdrvhost.exe", "fodhelper.exe", "fltmc.exe", "fixmapi.exe", + "finger.exe", "findstr.exe", "find.exe", "fhmanagew.exe", "fc.exe", "extrac32.exe", + "expand.exe", "eventvwr.exe", "eventcreate.exe", "eudcedit.exe", "esentutl.exe", + "embeddedapplauncher.exe", "efsui.exe", "easinvoker.exe", "dxdiag.exe", "dwm.exe", + "dvdupgrd.exe", "dvdplay.exe", "dstokenclean.exe", "dsregcmd.exe", "drvinst.exe", + "drvcfg.exe", "driverquery.exe", "dpnsvr.exe", "dpapimig.exe", "doskey.exe", "dnscacheugc.exe", + "dmclient.exe", "dmcfghost.exe", "dmcertinst.exe", "dllhst3g.exe", "dllhost.exe", + "djoin.exe", "dispdiag.exe", "diskraid.exe", "diskperf.exe", "diskpart.exe", "dinotify.exe", + "diantz.exe", "dialer.exe", "dfrgui.exe", "ddodiag.exe", "dcomcnfg.exe", "dccw.exe", + "dashost.exe", "cttunesvr.exe", "cttune.exe", "ctfmon.exe", "csrss.exe", "cscript.exe", + "credwiz.exe", "convert.exe", "control.exe", "consent.exe", "conhost.exe", "compact.exe", + "comp.exe", "colorcpl.exe", "cofire.exe", "cmstp.exe", "cmmon32.exe", "cmdl32.exe", + "cmdkey.exe", "cmd.exe", "clip.exe", "cliconfg.exe", "cleanmgr.exe", "cipher.exe", + "choice.exe", "chkntfs.exe", "chkdsk.exe", "chgusr.exe", "chgport.exe", "chglogon.exe", + "charmap.exe", "changepk.exe", "change.exe", "certutil.exe", "certreq.exe", "cdpreference.exe", + "calc.exe", "cacls.exe", "bthudtask.exe", "browser_broker.exe", "bridgeunattend.exe", + "bootsect.exe", "bootim.exe", "bootcfg.exe", "bitsadmin.exe", "bdeunlock.exe", "bdechangepin.exe", + "bcdedit.exe", "bcdboot.exe", "bcastdvr.exe", "backgroundtaskhost.exe", "baaupdate.exe", + "autofmt.exe", "autoconv.exe", "autochk.exe", "auditpol.exe", "audiodg.exe", "attrib.exe", + "at.exe", "appidpolicyconverter.exe", "appidcertstorecheck.exe", "alg.exe", "aitstatic.exe", + "aitagent.exe", "acu.exe", "wpcmon.exe", "workfolders.exe", "windowsupdateelevatedinstaller.exe", + "windowsanytimeupgradeui.exe", 
"windowsanytimeupgraderesults.exe", "windowsanytimeupgrade.exe", + "windowsactiondialog.exe", "windows.media.backgroundplayback.exe", "winsat.exe", + "werfaultsecure.exe", "werfault.exe", "webcache.exe", "wallpaperhost.exe", "wwahost.exe", + "wudfhost.exe", "wsreset.exe", "wsmanhttpconfig.exe", "wscollect.exe", "wpdshextautoplay.exe", + "wmpdmc.exe", "wfs.exe", "vaultsysui.exe", "vaultcmd.exe", "vssvc.exe", "utilman.exe", + "usoclient.exe", "useraccountcontrolsettings.exe", "useraccountbroker.exe", "upgraderesultsui.exe", + "ui0detect.exe", "tswpfwrp.exe", "tpminit.exe", "tokenbrokercookies.exe", "thumbnailextractionhost.exe", + "taskmgr.exe", "tapiunattend.exe", "tswbprxy.exe", "tstheme.exe", "tracert.exe", + "tcpsvcs.exe", "systemsettingsremovedevice.exe", "systemsettingsbroker.exe", "systemsettingsadminflows.exe", + "systempropertiesremote.exe", "systempropertiesprotection.exe", "systempropertiesperformance.exe", + "systempropertieshardware.exe", "systempropertiesdataexecutionprevention.exe", "systempropertiescomputername.exe", + "systempropertiesadvanced.exe", "sysreseterr.exe", "synchost.exe", "stikynot.exe", + "srtasks.exe", "sppextcomobj.exe", "spaceagent.exe", "soundrecorder.exe", "snippingtool.exe", + "sndvol.exe", "smartscreensettings.exe", "slidetoshutdown.exe", "settingsynchost.exe", + "setieinstalleddate.exe", "sensordataservice.exe", "secedit.exe", "searchprotocolhost.exe", + "searchindexer.exe", "searchfilterhost.exe", "sihclient.exe", "runtimebroker.exe", + "runlegacycplelevated.exe", "rpcping.exe", "rmclient.exe", "remoteposworker.exe", + "relpost.exe", "registeriepkeys.exe", "register-cimprovider.exe", "recoverydrive.exe", + "reagentc.exe", "rdpsauachelper.exe", "rdpsaproxy.exe", "rdpsa.exe", "route.exe", + "rmactivate_ssp_isv.exe", "rmactivate_ssp.exe", "rmactivate_isv.exe", "rmactivate.exe", + "rdspnf.exe", "proximityuxhost.exe", "printisolationhost.exe", "printdialoghost3d.exe", + "printdialoghost.exe", "printbrmui.exe", 
"presentationsettings.exe", "presentationhost.exe", + "pnputil.exe", "pnpunattend.exe", "pkgmgr.exe", "pickerhost.exe", "passwordonwakesettingflyout.exe", + "ping.exe", "pathping.exe", "optionalfeatures.exe", "openwith.exe", "networkuxbroker.exe", + "netplwiz.exe", "netproj.exe", "netevtfwdr.exe", "netcfgnotifyobjecthost.exe", "narrator.exe", + "netstat.exe", "napstat.exe", "musnotificationux.exe", "musnotification.exe", "multidigimon.exe", + "muiunattend.exe", "msspellcheckinghost.exe", "mpsigstub.exe", "migautoplay.exe", + "mdsched.exe", "mdres.exe", "mbaeparsertask.exe", "magnify.exe", "mschedexe.exe", + "mrt.exe", "mrinfo.exe", "mdmappinstaller.exe", "mdmagent.exe", "mdeserver.exe", + "lsaiso.exe", "logonui.exe", "lockscreencontentserver.exe", "lockapphost.exe", "locator.exe", + "locationnotifications.exe", "locationnotificationwindows.exe", "licensingui.exe", + "licensemanagershellext.exe", "legacynetuxhost.exe", "launchwinapp.exe", "launchtm.exe", + "languagecomponentsinstallercomhandler.exe", "installagent.exe", "infdefaultinstall.exe", + "icsentitlementhost.exe", "hostname.exe", "gettingstarted.exe", "genvalobj.exe", + "gamepanel.exe", "fondue.exe", "filehistory.exe", "fxsunatd.exe", "fxssvc.exe", + "fxscover.exe", "ehstorauthn.exe", "easeofaccessdialog.exe", "easpoliciesbrokerhost.exe", + "eap3host.exe", "eosnotify.exe", "edpcleanup.exe", "dxpserver.exe", "dsmusertask.exe", + "dpiscaling.exe", "dmomacpmo.exe", "dmnotificationbroker.exe", "displayswitch.exe", + "dism.exe", "disksnapshot.exe", "deviceproperties.exe", "devicepairingwizard.exe", + "deviceenroller.exe", "deviceeject.exe", "devicedisplayobjectprovider.exe", "defrag.exe", + "dataexchangehost.exe", "dwwin.exe", "dfdwiz.exe", "credentialuibroker.exe", "computerdefaults.exe", + "compattelrunner.exe", "compmgmtlauncher.exe", "cloudstoragewizard.exe", "cloudnotifications.exe", + "cloudexperiencehostbroker.exe", "clipup.exe", "checknetisolation.exe", "certenrollctrl.exe", + "castsrv.exe", 
"camerasettingsuihost.exe", "bytecodegenerator.exe", "bitlockerwizardelev.exe", + "bitlockerwizard.exe", "bitlockerdeviceencryption.exe", "bdeunlockwizard.exe", "bdeuisrv.exe", + "bdehdcfg.exe", "backgroundtransferhost.exe", "axinstui.exe", "autoworkplace.exe", + "authhost.exe", "atbroker.exe", "applicationframehost.exe", "adaptertroubleshooter.exe", + "arp.exe")) AND (NOT match(process_file_path, /(?i)\\windows\\syswow64/)=true) AND + (NOT match(process_file_path, /(?i)\\windows\\system32/)=true) --finding_report--' how_to_implement: Collect endpoint data such as sysmon or 4688 events. known_false_positives: None references: [] diff --git a/ssa_detections/endpoint/ssa___wbadmin_delete_system_backups.yml b/ssa_detections/endpoint/ssa___wbadmin_delete_system_backups.yml index 57350b2a5f..ade37b9816 100644 --- a/ssa_detections/endpoint/ssa___wbadmin_delete_system_backups.yml +++ b/ssa_detections/endpoint/ssa___wbadmin_delete_system_backups.yml 
@@ -10,25 +10,16 @@ description: This search looks for flags passed to wbadmin.exe (Windows Backup A recovery. data_source: - Windows Security 4688 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where process_file_name="wbadmin.exe" AND (like(process_cmd_line, "%systemstatebackup%") - OR like(process_cmd_line, "%catalog%") OR like(process_cmd_line, "%delete%")) --finding_report--' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name 
= process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where process_file_name="wbadmin.exe" + AND (process_cmd_line LIKE "%systemstatebackup%" OR process_cmd_line LIKE "%catalog%" + OR process_cmd_line LIKE "%delete%") --finding_report--' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint_Processess` datamodel. diff --git a/ssa_detections/endpoint/ssa___wevtutil_usage_to_clear_logs.yml b/ssa_detections/endpoint/ssa___wevtutil_usage_to_clear_logs.yml index e3188eeac6..7924a16f66 100644 --- a/ssa_detections/endpoint/ssa___wevtutil_usage_to_clear_logs.yml +++ b/ssa_detections/endpoint/ssa___wevtutil_usage_to_clear_logs.yml 
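Review bot: The new `where` clause keeps `process_file_name="wbadmin.exe"` as an exact string equality, which is case-sensitive if `=` in this pipeline behaves like the classic SPL comparison, so an image name logged as `WBADMIN.EXE` would not match unless the source normalizes case upstream. A case-insensitive anchored test, `match(process_file_name, /(?i)^wbadmin\.exe$/)=true`, is more robust for Windows, where file names are case-insensitive. The same exact-equality image-name filter is carried into the wevtutil, bitsadmin, certutil, reg.exe and mmc.exe hunks below, so the change would apply uniformly. This is pre-existing logic that the rewrite preserves rather than something the commit introduces.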
@@ -10,28 +10,18 @@ description: The wevtutil.exe application is the windows event log utility. This powershell, sysmon, or system event logs. data_source: - Windows Security 4688 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where (match_regex(process_cmd_line, /(?i)powershell/)=true OR match_regex(process_cmd_line, - /(?i)setup/)=true OR match_regex(process_cmd_line, /(?i)application/)=true OR match_regex(process_cmd_line, - /(?i)sysmon/)=true OR match_regex(process_cmd_line, /(?i)system/)=true OR match_regex(process_cmd_line, - /(?i)security/)=true) AND like(process_cmd_line, "% cl %") AND 
process_file_name="wevtutil.exe" - --finding_report--' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where (match(process_cmd_line, /(?i)powershell/)=true + OR match(process_cmd_line, /(?i)setup/)=true OR match(process_cmd_line, /(?i)application/)=true + OR match(process_cmd_line, /(?i)sysmon/)=true OR match(process_cmd_line, /(?i)system/)=true + OR match(process_cmd_line, /(?i)security/)=true) AND process_cmd_line LIKE "% cl + %" AND process_file_name="wevtutil.exe" --finding_report--' how_to_implement: You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. diff --git a/ssa_detections/endpoint/ssa___wevtutil_usage_to_disable_logs.yml b/ssa_detections/endpoint/ssa___wevtutil_usage_to_disable_logs.yml index 8309897e63..fea74b71fd 100644 --- a/ssa_detections/endpoint/ssa___wevtutil_usage_to_disable_logs.yml +++ b/ssa_detections/endpoint/ssa___wevtutil_usage_to_disable_logs.yml 
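Review bot: The log-name filter `match(process_cmd_line, /(?i)system/)=true` in the new `where` clause is satisfied by the usual `C:\Windows\System32\wevtutil.exe` image path whenever the command line carries the full path, so the OR group then adds nothing beyond `process_cmd_line LIKE "% cl %"`. Tying the log name to the argument that follows the `cl` verb, e.g. `match(process_cmd_line, /(?i)\scl\s+"?\S*(powershell|setup|application|sysmon|system|security)/)=true`, keeps the intent stated in the description. The regex set is unchanged from the removed lines; only `match_regex` was renamed to `match`.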
@@ -10,25 +10,15 @@ description: This search is to detect execution of wevtutil.exe to disable logs. and detections in compromised host. data_source: - Windows Security 4688 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where like(process_cmd_line, "%/e:false%") AND like(process_cmd_line, "% - sl %") AND process_file_name="wevtutil.exe" --finding_report--' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | 
eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where process_cmd_line LIKE "%/e:false%" + AND process_cmd_line LIKE "% sl %" AND process_file_name="wevtutil.exe" --finding_report--' how_to_implement: You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. diff --git a/ssa_detections/endpoint/ssa___windows_bits_job_persistence.yml b/ssa_detections/endpoint/ssa___windows_bits_job_persistence.yml index 477e43b714..daf1f5e452 100644 --- a/ssa_detections/endpoint/ssa___windows_bits_job_persistence.yml +++ b/ssa_detections/endpoint/ssa___windows_bits_job_persistence.yml 
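Review bot: The new predicate `process_cmd_line LIKE "%/e:false%" AND process_cmd_line LIKE "% sl %"` covers only one spelling of the invocation; wevtutil's own help documents a dash prefix for options and the long verb `set-log` as equivalents, so those forms of the same action are not detected. A single case-insensitive regex such as `match(process_cmd_line, /(?i)\s(sl|set-log)\s.*[\/-]e:false/)=true` covers the documented variants in one clause. The filter is unchanged in substance from the removed `like()` lines, so this is carried-over rather than new behaviour.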
@@ -14,27 +14,18 @@ description: The following query identifies Microsoft Background Intelligent Tra identify. You can use `bitsadmin /list /verbose` to list out the jobs during investigation. data_source: - Windows Security 4688 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where (like(process_cmd_line, "%resume%") OR like(process_cmd_line, "%setcustomheaders%") - OR like(process_cmd_line, "%setminretrydelay%") OR like(process_cmd_line, "%setnotifycmdline%") - OR like(process_cmd_line, "%setnotifyflags%") OR like(process_cmd_line, "%addfile%") - OR like(process_cmd_line, "%create%")) AND 
process_file_name="bitsadmin.exe" --finding_report--' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where (process_cmd_line LIKE "%resume%" + OR process_cmd_line LIKE "%setcustomheaders%" OR process_cmd_line LIKE "%setminretrydelay%" + OR process_cmd_line LIKE "%setnotifycmdline%" OR process_cmd_line LIKE "%setnotifyflags%" + OR process_cmd_line LIKE "%addfile%" OR process_cmd_line LIKE "%create%") AND process_file_name="bitsadmin.exe" + --finding_report--' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, diff --git a/ssa_detections/endpoint/ssa___windows_bitsadmin_download_file.yml b/ssa_detections/endpoint/ssa___windows_bitsadmin_download_file.yml index 580df7e9ec..1f081b9633 100644 --- a/ssa_detections/endpoint/ssa___windows_bitsadmin_download_file.yml +++ b/ssa_detections/endpoint/ssa___windows_bitsadmin_download_file.yml 
@@ -19,25 +19,15 @@ description: The following query identifies Microsoft Background Intelligent Tra to list out the jobs during investigation. data_source: - Windows Security 4688 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where like(process_cmd_line, "%transfer%") AND process_file_name="bitsadmin.exe" - --finding_report--' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = 
process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where process_cmd_line LIKE "%transfer%" + AND process_file_name="bitsadmin.exe" --finding_report--' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, diff --git a/ssa_detections/endpoint/ssa___windows_certutil_decode_file.yml b/ssa_detections/endpoint/ssa___windows_certutil_decode_file.yml index 4b5caa023a..b29ebbf928 100644 --- a/ssa_detections/endpoint/ssa___windows_certutil_decode_file.yml +++ b/ssa_detections/endpoint/ssa___windows_certutil_decode_file.yml 
@@ -15,25 +15,15 @@ description: CertUtil.exe may be used to `encode` and `decode` a file, including Review its contents or execution behavior for further analysis. data_source: - Windows Security 4688 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where like(process_cmd_line, "%decode%") AND process_file_name="certutil.exe" - --finding_report--' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval 
process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where process_cmd_line LIKE "%decode%" + AND process_file_name="certutil.exe" --finding_report--' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, diff --git a/ssa_detections/endpoint/ssa___windows_certutil_urlcache_download.yml b/ssa_detections/endpoint/ssa___windows_certutil_urlcache_download.yml index c4804364a8..021f54aab8 100644 --- a/ssa_detections/endpoint/ssa___windows_certutil_urlcache_download.yml +++ b/ssa_detections/endpoint/ssa___windows_certutil_urlcache_download.yml 
@@ -14,26 +14,16 @@ description: Certutil.exe may download a file from a remote destination using `- remote IP or domain in question. data_source: - Windows Security 4688 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where (process_file_name="certutil.exe" AND like(process_cmd_line, "%split%") - AND like(process_cmd_line, "%urlcache%")) OR like(process_cmd_line, "%urlcache%") - --finding_report--' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval 
process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where (process_file_name="certutil.exe" + AND process_cmd_line LIKE "%split%" AND process_cmd_line LIKE "%urlcache%") OR process_cmd_line + LIKE "%urlcache%" --finding_report--' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. diff --git a/ssa_detections/endpoint/ssa___windows_certutil_verifyctl_download.yml b/ssa_detections/endpoint/ssa___windows_certutil_verifyctl_download.yml index be0dcadd4a..342885f6dc 100644 --- a/ssa_detections/endpoint/ssa___windows_certutil_verifyctl_download.yml +++ b/ssa_detections/endpoint/ssa___windows_certutil_verifyctl_download.yml 
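Review bot: In the new `where` clause the trailing `OR process_cmd_line LIKE "%urlcache%"` makes the parenthesized `process_file_name="certutil.exe" AND ... LIKE "%split%" AND ... LIKE "%urlcache%"` clause redundant: any command line containing `urlcache` already satisfies the second branch, so the process-name and `split` tests never change the result. If the intent is to also catch a renamed certutil, the first clause can be dropped for clarity; if the process-name constraint is meant to hold, the predicate should read `process_file_name="certutil.exe" AND process_cmd_line LIKE "%urlcache%"` (optionally keeping the `split` test). The verifyctl hunk below has the same shape with `%verifyctl%`; both carry the structure over from the removed `like()` lines.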
@@ -14,26 +14,16 @@ description: 'Certutil.exe may download a file from a remote destination using ` written to the current working directory or `%APPDATA%\..\LocalLow\Microsoft\CryptnetUrlCache\Content\`. ' data_source: - Windows Security 4688 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where (process_file_name="certutil.exe" AND like(process_cmd_line, "%split%") - AND like(process_cmd_line, "%verifyctl%")) OR like(process_cmd_line, "%verifyctl%") - --finding_report--' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval 
process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where (process_file_name="certutil.exe" + AND process_cmd_line LIKE "%split%" AND process_cmd_line LIKE "%verifyctl%") OR + process_cmd_line LIKE "%verifyctl%" --finding_report--' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. diff --git a/ssa_detections/endpoint/ssa___windows_com_hijacking_inprocserver32_modification.yml b/ssa_detections/endpoint/ssa___windows_com_hijacking_inprocserver32_modification.yml index 1e1801b118..b2722a57f9 100644 --- a/ssa_detections/endpoint/ssa___windows_com_hijacking_inprocserver32_modification.yml +++ b/ssa_detections/endpoint/ssa___windows_com_hijacking_inprocserver32_modification.yml 
@@ -15,25 +15,15 @@ description: The following analytic identifies the use of reg.exe performing an the adversary's code will be executed instead. data_source: - Windows Security 4688 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where match_regex(process_cmd_line, /(?i)inprocserver32/)=true AND process_file_name="reg.exe" - --finding_report--' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval 
process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where match(process_cmd_line, /(?i)inprocserver32/)=true + AND process_file_name="reg.exe" --finding_report--' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the diff --git a/ssa_detections/endpoint/ssa___windows_curl_upload_to_remote_destination.yml b/ssa_detections/endpoint/ssa___windows_curl_upload_to_remote_destination.yml index 0eef7c072c..67be892bf2 100644 --- a/ssa_detections/endpoint/ssa___windows_curl_upload_to_remote_destination.yml +++ b/ssa_detections/endpoint/ssa___windows_curl_upload_to_remote_destination.yml 
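Review bot: The new filter `match(process_cmd_line, /(?i)inprocserver32/)=true AND process_file_name="reg.exe"` fires on any reg.exe invocation that mentions InProcServer32, including read-only `reg query` or `reg export`, while the description header scopes the analytic to reg.exe performing a change. If that scope is intended, requiring the write verb, e.g. `match(process_cmd_line, /(?i)\badd\b.*inprocserver32/)=true`, removes benign-administration noise; otherwise the query/export case is worth stating in known_false_positives. The pattern is carried over unchanged from the removed `match_regex` line.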
@@ -25,27 +25,17 @@ description: 'The following analytic identifies the use of Windows Curl.exe uplo in network logs. If a file was uploaded, isolate the endpoint and review.' data_source: - Windows Security 4688 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where (like(process_cmd_line, "%-F %") OR like(process_cmd_line, "%--data - %") OR like(process_cmd_line, "%-d %") OR like(process_cmd_line, "%--upload-file - %") OR like(process_cmd_line, "%-T %")) AND match_regex(process_file_name, /(?i)curl.exe/)=true - --finding_report--' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = 
metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where (process_cmd_line LIKE "%-F %" + OR process_cmd_line LIKE "%--data %" OR process_cmd_line LIKE "%-d %" OR process_cmd_line + LIKE "%--upload-file %" OR process_cmd_line LIKE "%-T %") AND match(process_file_name, + /(?i)curl.exe/)=true --finding_report--' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint_Processess` datamodel. diff --git a/ssa_detections/endpoint/ssa___windows_default_group_policy_object_modified_with_gpme.yml b/ssa_detections/endpoint/ssa___windows_default_group_policy_object_modified_with_gpme.yml index 97b6acf6b2..b25cc43b1e 100644 --- a/ssa_detections/endpoint/ssa___windows_default_group_policy_object_modified_with_gpme.yml +++ b/ssa_detections/endpoint/ssa___windows_default_group_policy_object_modified_with_gpme.yml 
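Review bot: In the new `where` clause the image-name test `match(process_file_name, /(?i)curl.exe/)=true` has an unescaped `.`, which matches any character, and the pattern is unanchored; `/(?i)^curl\.exe$/` pins the intended file name. The remaining tests are substring LIKEs such as `"%-d %"`, which will also match unrelated arguments that happen to contain `-d `, so some false positives are to be expected from that clause. The regex is inherited from the removed `match_regex` line rather than introduced here.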
@@ -17,26 +17,16 @@ description: The following analytic identifies the potential edition of a defaul of the default GPOs. data_source: - Windows Security 4688 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where (process_file_name="mmc.exe" AND like(process_cmd_line, "%gpme.msc%")) - OR like(process_cmd_line, "%31B2F340-016D-11D2-945F-00C04FB984F9%") OR like(process_cmd_line, - "%6AC1786C-016F-11D2-945F-00C04fB984F9%") --finding_report--' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval 
process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where (process_file_name="mmc.exe" AND + process_cmd_line LIKE "%gpme.msc%") OR process_cmd_line LIKE "%31B2F340-016D-11D2-945F-00C04FB984F9%" + OR process_cmd_line LIKE "%6AC1786C-016F-11D2-945F-00C04fB984F9%" --finding_report--' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the diff --git a/ssa_detections/endpoint/ssa___windows_defender_tools_in_non_standard_path.yml b/ssa_detections/endpoint/ssa___windows_defender_tools_in_non_standard_path.yml index 68f28a13d9..97e3b5c5aa 100644 --- a/ssa_detections/endpoint/ssa___windows_defender_tools_in_non_standard_path.yml +++ b/ssa_detections/endpoint/ssa___windows_defender_tools_in_non_standard_path.yml 
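Review bot: In the new `where` clause the two GUID tests sit outside the parenthesised `(process_file_name="mmc.exe" AND process_cmd_line LIKE "%gpme.msc%")` group, so any process whose command line carries a default-GPO GUID fires regardless of the executing binary; if that is intended it deserves a sentence in the description, otherwise the GUID clauses belong inside the `mmc.exe` group. The second GUID literal `6AC1786C-016F-11D2-945F-00C04fB984F9` has a lowercase `f` in its last block, and if `LIKE` compares case-sensitively in this pipeline, a command line carrying the GUID in uniform upper or lower case would not match it; the case-insensitive `match(..., /(?i).../)` form used in the curl hunk avoids that. The exact comparison `process_file_name="mmc.exe"` is likewise case-sensitive while the curl and mpcmdrun hunks use `(?i)` regexes for the same field; the diskshadow, msdt, findstr and explorer hunks use the same exact comparison and would benefit from one consistent convention.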
@@ -9,26 +9,16 @@ description: The following analytic identifies usage of the MPCmdRun utility tha can be abused by adversaries by moving it to a new directory. data_source: - Windows Security 4688 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where match_regex(process_file_name, /(?i)mpcmdrun.exe/)=true AND (NOT match_regex(process_file_path, - /(?i)\\windows defender/)=true) AND (NOT match_regex(process_file_path, /(?i)\\microsoft\\windows - defender\\platform/)=true) --finding_report--' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = 
process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where match(process_file_name, /(?i)mpcmdrun.exe/)=true + AND (NOT match(process_file_path, /(?i)\\windows defender/)=true) AND (NOT match(process_file_path, + /(?i)\\microsoft\\windows defender\\platform/)=true) --finding_report--' how_to_implement: Collect endpoint data such as sysmon or 4688 events. known_false_positives: False positives may be present and filtering may be required. references: diff --git a/ssa_detections/endpoint/ssa___windows_diskshadow_proxy_execution.yml b/ssa_detections/endpoint/ssa___windows_diskshadow_proxy_execution.yml index ea66adef4d..c5eebba164 100644 --- a/ssa_detections/endpoint/ssa___windows_diskshadow_proxy_execution.yml +++ b/ssa_detections/endpoint/ssa___windows_diskshadow_proxy_execution.yml 
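Review bot: The second exclusion `NOT match(process_file_path, /(?i)\\microsoft\\windows defender\\platform/)=true` is subsumed by the first, because any path containing `\microsoft\windows defender\platform` also contains `\windows defender`, so it never changes the result. Either drop the redundant clause or, if the platform directory was meant to be the only extra exemption, narrow the first regex to the specific directory it is meant to exempt and keep the second.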
@@ -13,25 +13,15 @@ description: DiskShadow.exe is a Microsoft Signed binary present on Windows Serv by diskshadow. data_source: - Windows Security 4688 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where (like(process_cmd_line, "%/s%") OR like(process_cmd_line, "%-S%")) - AND process_file_name="diskshadow.exe" --finding_report--' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = 
process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where (process_cmd_line LIKE "%/s%" OR + process_cmd_line LIKE "%-S%") AND process_file_name="diskshadow.exe" --finding_report--' how_to_implement: To successfully implement this search you need to be ingesting information on processes that include the name of the process responsible for the changes from your endpoints into the `Endpoint_Processess` datamodel. diff --git a/ssa_detections/endpoint/ssa___windows_dotnet_binary_in_non_standard_path.yml b/ssa_detections/endpoint/ssa___windows_dotnet_binary_in_non_standard_path.yml index 6ef87c5781..aa304945f6 100644 --- a/ssa_detections/endpoint/ssa___windows_dotnet_binary_in_non_standard_path.yml +++ b/ssa_detections/endpoint/ssa___windows_dotnet_binary_in_non_standard_path.yml 
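Review bot: The switch tests `process_cmd_line LIKE "%/s%" OR process_cmd_line LIKE "%-S%"` mix a lowercase `/s` with an uppercase `-S`, so if `LIKE` compares case-sensitively here, the `/S` and `-s` spellings of the same switch are missed. A single case-insensitive test in the `match(..., /(?i).../)` style the curl hunk uses for the file name would cover all four spellings in one place. `%/s%` is also a very short substring that any path separator followed by `s` satisfies, so a comment noting that `process_file_name="diskshadow.exe"` is what keeps this narrow would help the next reader.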
@@ -13,57 +13,45 @@ description: The following analytic identifies native .net binaries within the W captured in the list. Lookup - https://github.com/splunk/security_content/blob/develop/lookups/is_net_windows_file.csv. data_source: - Windows Security 4688 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where (match_regex(process_file_name, /(?i)MSBuild.exe/)=true OR match_regex(process_file_name, - /(?i)comsvcconfig.exe/)=true OR match_regex(process_file_name, /(?i)dfsradmin.exe/)=true - OR match_regex(process_file_name, /(?i)dfsvc.exe/)=true OR match_regex(process_file_name, - 
/(?i)microsoft.workflow.compiler.exe/)=true OR match_regex(process_file_name, /(?i)smsvchost.exe/)=true - OR match_regex(process_file_name, /(?i)wsatconfig.exe/)=true OR match_regex(process_file_name, - /(?i)addinprocess.exe/)=true OR match_regex(process_file_name, /(?i)addinprocess32.exe/)=true - OR match_regex(process_file_name, /(?i)addinutil.exe/)=true OR match_regex(process_file_name, - /(?i)aspnet_compiler.exe/)=true OR match_regex(process_file_name, /(?i)aspnet_regbrowsers.exe/)=true - OR match_regex(process_file_name, /(?i)aspnet_regsql.exe/)=true OR match_regex(process_file_name, - /(?i)caspol.exe/)=true OR match_regex(process_file_name, /(?i)datasvcutil.exe/)=true - OR match_regex(process_file_name, /(?i)edmgen.exe/)=true OR match_regex(process_file_name, - /(?i)installutil.exe/)=true OR match_regex(process_file_name, /(?i)jsc.exe/)=true - OR match_regex(process_file_name, /(?i)ngentask.exe/)=true OR match_regex(process_file_name, - /(?i)regasm.exe/)=true OR match_regex(process_file_name, /(?i)regsvcs.exe/)=true - OR match_regex(process_file_name, /(?i)sdnbr.exe/)=true OR match_regex(process_file_name, - /(?i)acu.exe/)=true OR match_regex(process_file_name, /(?i)appvstreamingux.exe/)=true - OR match_regex(process_file_name, /(?i)dsac.exe/)=true OR match_regex(process_file_name, - /(?i)lbfoadmin.exe/)=true OR match_regex(process_file_name, /(?i)microsoft.uev.synccontroller.exe/)=true - OR match_regex(process_file_name, /(?i)mtedit.exe/)=true OR match_regex(process_file_name, - /(?i)scriptrunner.exe/)=true OR match_regex(process_file_name, /(?i)servermanager.exe/)=true - OR match_regex(process_file_name, /(?i)stordiag.exe/)=true OR match_regex(process_file_name, - /(?i)tzsync.exe/)=true OR match_regex(process_file_name, /(?i)uevagentpolicygenerator.exe/)=true - OR match_regex(process_file_name, /(?i)uevappmonitor.exe/)=true OR match_regex(process_file_name, - /(?i)uevtemplatebaselinegenerator.exe/)=true OR match_regex(process_file_name, 
/(?i)uevtemplateconfigitemgenerator.exe/)=true - OR match_regex(process_file_name, /(?i)powershell_ise.exe/)=true OR match_regex(process_file_name, - /(?i)iediagcmd.exe/)=true OR match_regex(process_file_name, /(?i)xbox.tcui.exe/)=true - OR match_regex(process_file_name, /(?i)microsoft.activedirectory.webservices.exe/)=true - OR match_regex(process_file_name, /(?i)iisual.exe/)=true OR match_regex(process_file_name, - /(?i)filehistory.exe/)=true OR match_regex(process_file_name, /(?i)secureassessmentbrowser.exe/)=true) - AND (NOT (match_regex(process_file_path, /(?i)\\windows\\system32/)=true OR match_regex(process_file_path, - /(?i)\\windows\\syswow64/)=true OR match_regex(process_file_path, /(?i)\\windows\\adws/)=true - OR match_regex(process_file_path, /(?i)\\windows\\networkcontroller/)=true OR match_regex(process_file_path, - /(?i)\\windows\\systemapps/)=true OR match_regex(process_file_path, /(?i)\\winsxs/)=true - OR match_regex(process_file_path, /(?i)\\microsoft.net/)=true)) --finding_report--' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where (match(process_file_name, /(?i)MSBuild.exe/)=true + OR match(process_file_name, /(?i)comsvcconfig.exe/)=true OR match(process_file_name, + /(?i)dfsradmin.exe/)=true OR match(process_file_name, /(?i)dfsvc.exe/)=true OR match(process_file_name, + /(?i)microsoft.workflow.compiler.exe/)=true OR 
match(process_file_name, /(?i)smsvchost.exe/)=true + OR match(process_file_name, /(?i)wsatconfig.exe/)=true OR match(process_file_name, + /(?i)addinprocess.exe/)=true OR match(process_file_name, /(?i)addinprocess32.exe/)=true + OR match(process_file_name, /(?i)addinutil.exe/)=true OR match(process_file_name, + /(?i)aspnet_compiler.exe/)=true OR match(process_file_name, /(?i)aspnet_regbrowsers.exe/)=true + OR match(process_file_name, /(?i)aspnet_regsql.exe/)=true OR match(process_file_name, + /(?i)caspol.exe/)=true OR match(process_file_name, /(?i)datasvcutil.exe/)=true OR + match(process_file_name, /(?i)edmgen.exe/)=true OR match(process_file_name, /(?i)installutil.exe/)=true + OR match(process_file_name, /(?i)jsc.exe/)=true OR match(process_file_name, /(?i)ngentask.exe/)=true + OR match(process_file_name, /(?i)regasm.exe/)=true OR match(process_file_name, /(?i)regsvcs.exe/)=true + OR match(process_file_name, /(?i)sdnbr.exe/)=true OR match(process_file_name, /(?i)acu.exe/)=true + OR match(process_file_name, /(?i)appvstreamingux.exe/)=true OR match(process_file_name, + /(?i)dsac.exe/)=true OR match(process_file_name, /(?i)lbfoadmin.exe/)=true OR match(process_file_name, + /(?i)microsoft.uev.synccontroller.exe/)=true OR match(process_file_name, /(?i)mtedit.exe/)=true + OR match(process_file_name, /(?i)scriptrunner.exe/)=true OR match(process_file_name, + /(?i)servermanager.exe/)=true OR match(process_file_name, /(?i)stordiag.exe/)=true + OR match(process_file_name, /(?i)tzsync.exe/)=true OR match(process_file_name, /(?i)uevagentpolicygenerator.exe/)=true + OR match(process_file_name, /(?i)uevappmonitor.exe/)=true OR match(process_file_name, + /(?i)uevtemplatebaselinegenerator.exe/)=true OR match(process_file_name, /(?i)uevtemplateconfigitemgenerator.exe/)=true + OR match(process_file_name, /(?i)powershell_ise.exe/)=true OR match(process_file_name, + /(?i)iediagcmd.exe/)=true OR match(process_file_name, /(?i)xbox.tcui.exe/)=true + OR match(process_file_name, 
/(?i)microsoft.activedirectory.webservices.exe/)=true + OR match(process_file_name, /(?i)iisual.exe/)=true OR match(process_file_name, /(?i)filehistory.exe/)=true + OR match(process_file_name, /(?i)secureassessmentbrowser.exe/)=true) AND (NOT (match(process_file_path, + /(?i)\\windows\\system32/)=true OR match(process_file_path, /(?i)\\windows\\syswow64/)=true + OR match(process_file_path, /(?i)\\windows\\adws/)=true OR match(process_file_path, + /(?i)\\windows\\networkcontroller/)=true OR match(process_file_path, /(?i)\\windows\\systemapps/)=true + OR match(process_file_path, /(?i)\\winsxs/)=true OR match(process_file_path, /(?i)\\microsoft.net/)=true)) + --finding_report--' how_to_implement: Collect endpoint data such as sysmon or 4688 events. known_false_positives: False positives may be present and filtering may be required. Certain utilities will run from non-standard paths based on the third-party application diff --git a/ssa_detections/endpoint/ssa___windows_exchange_powershell_module_usage.yml b/ssa_detections/endpoint/ssa___windows_exchange_powershell_module_usage.yml index 54989536c3..ebeb2baa38 100644 --- a/ssa_detections/endpoint/ssa___windows_exchange_powershell_module_usage.yml +++ b/ssa_detections/endpoint/ssa___windows_exchange_powershell_module_usage.yml 
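Review bot: The new `where` hard-codes roughly forty `match(process_file_name, /(?i)…/)` alternatives even though the description points readers at the `is_net_windows_file.csv` lookup as the authoritative list; the two will drift unless the YAML is generated from the lookup, and a sentence in the description stating which one is the source of truth would help. The regexes are unanchored, so `/(?i)acu.exe/` or `/(?i)jsc.exe/` also accept longer names that merely contain those characters; anchoring them or using an exact name comparison keeps the list literal. The path exclusion group at the end has the same shape, so the same treatment applies there.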
@@ -29,20 +29,13 @@ description: 'The following analytic identifies the usage of Exchange PowerShell mail contacts, and distribution groups).' data_source: - Powershell 4104 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), - "string", null) | eval process=ucast(map_get(input_event,"process"), "map", null) | eval process_file=ucast(map_get(process,"file"), "map", - null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", null) - | eval process_uid=ucast(map_get(process,"uid"), "string", null) | eval process_cmd_line=ucast(map_get(process,"cmd_line"), - "string", null) | eval actor=ucast(map_get(input_event,"actor"), "map", - null) | eval actor_user=ucast(map_get(actor,"user"), "map", null) | - eval actor_user_uid=ucast(map_get(actor_user,"uid"), "string", null) | where match_regex(process_cmd_line, - /(?i)get-recipient/)=true OR match_regex(process_cmd_line, /(?i)new-mailboxsearch/)=true - OR match_regex(process_cmd_line, /(?i)new-managementroleassignment/)=true OR match_regex(process_cmd_line, - /(?i)new-mailboxexportrequest/)=true --finding_report--' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval device_hostname = device.hostname | eval process_file = process.file | eval + process_file_path = process_file.path | eval process_uid = process.uid | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_uid = actor_user.uid + | where match(process_cmd_line, /(?i)get-recipient/)=true OR match(process_cmd_line, + /(?i)new-mailboxsearch/)=true OR match(process_cmd_line, /(?i)new-managementroleassignment/)=true + OR match(process_cmd_line, 
/(?i)new-mailboxexportrequest/)=true --finding_report--' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. diff --git a/ssa_detections/endpoint/ssa___windows_execute_arbitrary_commands_with_msdt.yml b/ssa_detections/endpoint/ssa___windows_execute_arbitrary_commands_with_msdt.yml index 4e22c110a1..0af85436d8 100644 --- a/ssa_detections/endpoint/ssa___windows_execute_arbitrary_commands_with_msdt.yml +++ b/ssa_detections/endpoint/ssa___windows_execute_arbitrary_commands_with_msdt.yml 
@@ -12,29 +12,19 @@ description: The following analytic identifies a recently disclosed arbitraty co process execution that may be related, including an Office Product. data_source: - Windows Security 4688 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where ((like(process_cmd_line, "%ms-msdt:/id%") OR like(process_cmd_line, - "%ms-msdt:-id%") OR like(process_cmd_line, "%ms-msdt:/id%") OR like(process_cmd_line, - "%ms-msdt:%") OR like(process_cmd_line, "%msdt%")) AND process_file_name="msdt.exe") - AND (match_regex(process_cmd_line, /(?i).xml/)=true OR match_regex(process_cmd_line, - 
/(?i)it_rebrowseforfile=/)=true OR match_regex(process_cmd_line, /(?i)it_browseforfile=/)=true) - AND match_regex(process_cmd_line, /(?i)pcwdiagnostic/)=true --finding_report--' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where ((process_cmd_line LIKE "%ms-msdt:/id%" + OR process_cmd_line LIKE "%ms-msdt:-id%" OR process_cmd_line LIKE "%ms-msdt:/id%" + OR process_cmd_line LIKE "%ms-msdt:%" OR process_cmd_line LIKE "%msdt%") AND process_file_name="msdt.exe") + AND (match(process_cmd_line, /(?i).xml/)=true OR match(process_cmd_line, /(?i)it_rebrowseforfile=/)=true + OR match(process_cmd_line, /(?i)it_browseforfile=/)=true) AND match(process_cmd_line, + /(?i)pcwdiagnostic/)=true --finding_report--' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the diff --git a/ssa_detections/endpoint/ssa___windows_file_share_discovery_with_powerview.yml b/ssa_detections/endpoint/ssa___windows_file_share_discovery_with_powerview.yml index 9fc3a90784..dc0a56c184 100644 --- a/ssa_detections/endpoint/ssa___windows_file_share_discovery_with_powerview.yml +++ b/ssa_detections/endpoint/ssa___windows_file_share_discovery_with_powerview.yml 
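Review bot: The term `process_cmd_line LIKE "%ms-msdt:/id%"` appears twice in the inner OR group, once before `"%ms-msdt:-id%"` and once after it, so one copy is dead; either drop it or, if a further spelling was intended, replace the duplicate with that spelling. Because `"%msdt%"` is in the same OR group, the group is satisfied by nearly any command line that also satisfies `process_file_name="msdt.exe"`, so the four `ms-msdt` terms add little selectivity; if they are meant to document the known invocation forms, a comment saying so would stop someone later "tightening" the search by removing the broad term.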
@@ -14,18 +14,11 @@ description: The following analytic identifies the use of the Invoke-ShareFinder or Lateral Movement. data_source: - Powershell 4104 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), - "string", null) | eval process=ucast(map_get(input_event,"process"), "map", null) | eval process_file=ucast(map_get(process,"file"), "map", - null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", null) - | eval process_uid=ucast(map_get(process,"uid"), "string", null) | eval process_cmd_line=ucast(map_get(process,"cmd_line"), - "string", null) | eval actor=ucast(map_get(input_event,"actor"), "map", - null) | eval actor_user=ucast(map_get(actor,"user"), "map", null) | - eval actor_user_uid=ucast(map_get(actor_user,"uid"), "string", null) | where match_regex(process_cmd_line, - /(?i)invoke-sharefinder/)=true --finding_report--' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval device_hostname = device.hostname | eval process_file = process.file | eval + process_file_path = process_file.path | eval process_uid = process.uid | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_uid = actor_user.uid + | where match(process_cmd_line, /(?i)invoke-sharefinder/)=true --finding_report--' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. 
diff --git a/ssa_detections/endpoint/ssa___windows_findstr_gpp_discovery.yml b/ssa_detections/endpoint/ssa___windows_findstr_gpp_discovery.yml index 9a807b25d7..3990d363b0 100644 --- a/ssa_detections/endpoint/ssa___windows_findstr_gpp_discovery.yml +++ b/ssa_detections/endpoint/ssa___windows_findstr_gpp_discovery.yml 
@@ -15,25 +15,15 @@ description: The following analytic identifies the use of the findstr command em existing Group Policy Preferences files with passwords are not removed from SYSVOL. data_source: - Windows Security 4688 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where process_file_name="findstr.exe" AND like(process_cmd_line, "%cpassword%") - --finding_report--' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = 
process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where process_file_name="findstr.exe" + AND process_cmd_line LIKE "%cpassword%" --finding_report--' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the diff --git a/ssa_detections/endpoint/ssa___windows_ingress_tool_transfer_using_explorer.yml b/ssa_detections/endpoint/ssa___windows_ingress_tool_transfer_using_explorer.yml index 19b0ead9d5..bd290f26df 100644 --- a/ssa_detections/endpoint/ssa___windows_ingress_tool_transfer_using_explorer.yml +++ b/ssa_detections/endpoint/ssa___windows_ingress_tool_transfer_using_explorer.yml 
@@ -15,25 +15,15 @@ description: The following analytic identifies the Windows Explorer process with is not commonly used to open an URL. data_source: - Windows Security 4688 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where (like(process_cmd_line, "%https://%") OR like(process_cmd_line, "%http://%")) - AND process_file_name="explorer.exe" --finding_report--' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = 
process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where (process_cmd_line LIKE "%https://%" + OR process_cmd_line LIKE "%http://%") AND process_file_name="explorer.exe" --finding_report--' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints. diff --git a/ssa_detections/endpoint/ssa___windows_lateral_tool_transfer_remcom.yml b/ssa_detections/endpoint/ssa___windows_lateral_tool_transfer_remcom.yml index 7250c821d4..5ff0ea5241 100644 --- a/ssa_detections/endpoint/ssa___windows_lateral_tool_transfer_remcom.yml +++ b/ssa_detections/endpoint/ssa___windows_lateral_tool_transfer_remcom.yml 
@@ -10,25 +10,16 @@ description: This analytic identifies the use of RemCom.exe - The open source ps remotely. data_source: - Windows Security 4688 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where (like(process_cmd_line, "%/user:%") OR like(process_cmd_line, "%/pwd:%") - OR like(process_cmd_line, "%\\%")) AND process_file_name="remcom.exe" --finding_report--' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = 
process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where (process_cmd_line LIKE "%/user:%" + OR process_cmd_line LIKE "%/pwd:%" OR process_cmd_line LIKE "%\\%") AND process_file_name="remcom.exe" + --finding_report--' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, diff --git a/ssa_detections/endpoint/ssa___windows_lolbin_binary_in_non_standard_path.yml b/ssa_detections/endpoint/ssa___windows_lolbin_binary_in_non_standard_path.yml index 54af1e4cce..ccd9af5497 100644 --- a/ssa_detections/endpoint/ssa___windows_lolbin_binary_in_non_standard_path.yml +++ b/ssa_detections/endpoint/ssa___windows_lolbin_binary_in_non_standard_path.yml 
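Review bot: The third clause of the rewritten `where`, `process_cmd_line LIKE "%\\%"`, matches any remcom.exe command line that contains a backslash, which presumably is almost every invocation given the remote-target path in the description, so the `/user:` and `/pwd:` clauses add nothing and the condition effectively reduces to `process_file_name="remcom.exe"`. If that broad match is intended it is worth saying so in `known_false_positives`; if not, dropping the backslash clause keeps the credential-flag conditions meaningful. Note also that inside a YAML single-quoted scalar `\\` stays two backslash characters, so what the SPL2 string literal `"%\\%"` denotes depends on that language's own escaping — confirm it is one literal backslash. The surrounding YAML document continues outside the hunk.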
@@ -12,36 +12,27 @@ description: The following analytic identifies native living off the land binari regedit.exe) and DotNet binaries. It also does not include the category of OtherMSBinaries. data_source: - Windows Security 4688 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where (process_file_name="bitsadmin.exe" OR process_file_name="certoc.exe" - OR process_file_name="certreq.exe" OR process_file_name="certutil.exe" OR process_file_name="cmdkey.exe" - OR process_file_name="cmdl32.exe" OR process_file_name="cmstp.exe" OR process_file_name="configsecuritypolicy.exe" - OR process_file_name="control.exe" OR 
process_file_name="cscript.exe" OR process_file_name="datasvcutil.exe" - OR process_file_name="desktopimgdownldr.exe" OR process_file_name="dfsvc.exe" OR - process_file_name="diantz.exe" OR process_file_name="diskshadow.exe" OR process_file_name="dllhost.exe" - OR process_file_name="dnscmd.exe" OR process_file_name="esentutl.exe" OR process_file_name="eventvwr.exe" - OR process_file_name="expand.exe" OR process_file_name="extexport.exe" OR process_file_name="extrac32.exe" - OR process_file_name="findstr.exe" OR process_file_name="finger.exe" OR process_file_name="fltmc.exe" - OR process_file_name="forfiles.exe" OR process_file_name="ftp.exe" OR process_file_name="gfxdownloadwrapper.exe" - OR process_file_name="gpscript.exe" OR process_file_name="imewdbld.exe" OR process_file_name="ie4uinit.exe" - OR process_file_name="ieexec.exe" OR process_file_name="ilasm.exe" OR process_file_name="infdefaultinstall.exe" - OR process_file_name="makecab.exe" OR process_file_name="mavinject.exe" OR process_file_name="microsoft.workflow.compiler.exe" +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where (process_file_name="bitsadmin.exe" + OR process_file_name="certoc.exe" OR process_file_name="certreq.exe" OR process_file_name="certutil.exe" + OR process_file_name="cmdkey.exe" OR process_file_name="cmdl32.exe" OR process_file_name="cmstp.exe" + OR 
process_file_name="configsecuritypolicy.exe" OR process_file_name="control.exe" + OR process_file_name="cscript.exe" OR process_file_name="datasvcutil.exe" OR process_file_name="desktopimgdownldr.exe" + OR process_file_name="dfsvc.exe" OR process_file_name="diantz.exe" OR process_file_name="diskshadow.exe" + OR process_file_name="dllhost.exe" OR process_file_name="dnscmd.exe" OR process_file_name="esentutl.exe" + OR process_file_name="eventvwr.exe" OR process_file_name="expand.exe" OR process_file_name="extexport.exe" + OR process_file_name="extrac32.exe" OR process_file_name="findstr.exe" OR process_file_name="finger.exe" + OR process_file_name="fltmc.exe" OR process_file_name="forfiles.exe" OR process_file_name="ftp.exe" + OR process_file_name="gfxdownloadwrapper.exe" OR process_file_name="gpscript.exe" + OR process_file_name="imewdbld.exe" OR process_file_name="ie4uinit.exe" OR process_file_name="ieexec.exe" + OR process_file_name="ilasm.exe" OR process_file_name="infdefaultinstall.exe" OR + process_file_name="makecab.exe" OR process_file_name="mavinject.exe" OR process_file_name="microsoft.workflow.compiler.exe" OR process_file_name="mmc.exe" OR process_file_name="msconfig.exe" OR process_file_name="msdt.exe" OR process_file_name="mshta.exe" OR process_file_name="msiexec.exe" OR process_file_name="netsh.exe" OR process_file_name="odbcconf.exe" OR process_file_name="offlinescannershell.exe" 
@@ -58,11 +49,11 @@ search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(inpu OR process_file_name="verclsid.exe" OR process_file_name="wab.exe" OR process_file_name="wlrmdr.exe" OR process_file_name="wmic.exe" OR process_file_name="workfolders.exe" OR process_file_name="wscript.exe" OR process_file_name="wsreset.exe" OR process_file_name="wuauclt.exe" OR process_file_name="xwizard.exe") - AND (NOT (match_regex(process_file_path, /(?i)(?i)\\windows\\system32/)=true OR - match_regex(process_file_path, /(?i)(?i)\\windows\\syswow64/)=true OR match_regex(process_file_path, - /(?i)(?i)\\windows\\networkcontrolle/)=true OR match_regex(process_file_path, /(?i)(?i)\\windows\\systemapps/)=true - OR match_regex(process_file_path, /(?i)(?i)\\winsxs/)=true OR match_regex(process_file_path, - /(?i)(?i)\\microsoft.net/)=true)) --finding_report--' + AND (NOT (match(process_file_path, /(?i)(?i)\\windows\\system32/)=true OR match(process_file_path, + /(?i)(?i)\\windows\\syswow64/)=true OR match(process_file_path, /(?i)(?i)\\windows\\networkcontrolle/)=true + OR match(process_file_path, /(?i)(?i)\\windows\\systemapps/)=true OR match(process_file_path, + /(?i)(?i)\\winsxs/)=true OR match(process_file_path, /(?i)(?i)\\microsoft.net/)=true)) + --finding_report--' how_to_implement: Collect endpoint data such as sysmon or 4688 events. known_false_positives: False positives may be present and filtering may be required. Certain utilities will run from non-standard paths based on the third-party application diff --git a/ssa_detections/endpoint/ssa___windows_mshta_child_process.yml b/ssa_detections/endpoint/ssa___windows_mshta_child_process.yml index f37120c357..27226312ef 100644 --- a/ssa_detections/endpoint/ssa___windows_mshta_child_process.yml +++ b/ssa_detections/endpoint/ssa___windows_mshta_child_process.yml 
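Review bot: Each of the six rewritten `match()` calls carries a doubled inline flag, `/(?i)(?i)\\windows\\system32/`; the second `(?i)` is redundant and reads as a copy-paste slip, so while these lines are being rewritten they could become `match(process_file_path, /(?i)\\windows\\system32/)=true` and likewise for the other five. In `/(?i)(?i)\\microsoft.net/` the `.` is an unescaped regex metacharacter, and since these patterns are exclusions an over-broad pattern widens what the analytic ignores, so `\\microsoft\.net` is the safer form. `\\windows\\networkcontrolle` looks like a truncated `networkcontroller`, though as a substring match it still behaves as intended. The `=true` comparisons are presumably redundant if `match` already returns a boolean, but that depends on the runtime and is fine to leave. The `search:` scalar and its enclosing document start outside this hunk.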
@@ -11,28 +11,19 @@ description: The following analytic identifies child processes spawning from "m "mshta.exe" and its child process. data_source: - Windows Security 4688 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where (process_file_name="wscript.exe" OR process_file_name="cscript.exe" - OR process_file_name="searchprotocolhost.exe" OR process_file_name="microsoft.workflow.compiler.exe" - OR process_file_name="msbuild.exe" OR process_file_name="colorcpl.exe" OR process_file_name="scrcons.exe" - OR process_file_name="cmd.exe" OR process_file_name="powershell.exe") AND like(actor_process_file_name, - 
"%mshta.exe") --finding_report--' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where (process_file_name="wscript.exe" + OR process_file_name="cscript.exe" OR process_file_name="searchprotocolhost.exe" + OR process_file_name="microsoft.workflow.compiler.exe" OR process_file_name="msbuild.exe" + OR process_file_name="colorcpl.exe" OR process_file_name="scrcons.exe" OR process_file_name="cmd.exe" + OR process_file_name="powershell.exe") AND actor_process_file_name LIKE "%mshta.exe" + --finding_report--' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the diff --git a/ssa_detections/endpoint/ssa___windows_mshta_command_line_url.yml b/ssa_detections/endpoint/ssa___windows_mshta_command_line_url.yml index 05cf77767c..aca5330bd7 100644 --- a/ssa_detections/endpoint/ssa___windows_mshta_command_line_url.yml +++ b/ssa_detections/endpoint/ssa___windows_mshta_command_line_url.yml 
@@ -14,25 +14,15 @@ description: This analytic identifies when Microsoft HTML Application Host (msht as well as the target system, the user, process "rundll32.exe" and its parent process. data_source: - Windows Security 4688 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where (like(process_cmd_line, "%https://%") OR like(process_cmd_line, "%http://%")) - AND process_file_name="mshta.exe" --finding_report--' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = 
process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where (process_cmd_line LIKE "%https://%" + OR process_cmd_line LIKE "%http://%") AND process_file_name="mshta.exe" --finding_report--' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, diff --git a/ssa_detections/endpoint/ssa___windows_mshta_inline_hta_execution.yml b/ssa_detections/endpoint/ssa___windows_mshta_inline_hta_execution.yml index 596fb1de8c..5a5bee65d3 100644 --- a/ssa_detections/endpoint/ssa___windows_mshta_inline_hta_execution.yml +++ b/ssa_detections/endpoint/ssa___windows_mshta_inline_hta_execution.yml 
@@ -12,25 +12,16 @@ description: The following analytic identifies "mshta.exe" execution with inline as well as the target system, the user, process "mshta.exe" and its parent process. data_source: - Windows Security 4688 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where (like(process_cmd_line, "%about%") OR like(process_cmd_line, "%javascript%") - OR like(process_cmd_line, "%vbscript%")) AND process_file_name="mshta.exe" --finding_report--' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval 
process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where (process_cmd_line LIKE "%about%" + OR process_cmd_line LIKE "%javascript%" OR process_cmd_line LIKE "%vbscript%") AND + process_file_name="mshta.exe" --finding_report--' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, diff --git a/ssa_detections/endpoint/ssa___windows_odbcconf_load_response_file.yml b/ssa_detections/endpoint/ssa___windows_odbcconf_load_response_file.yml index cf48c2debf..7922777483 100644 --- a/ssa_detections/endpoint/ssa___windows_odbcconf_load_response_file.yml +++ b/ssa_detections/endpoint/ssa___windows_odbcconf_load_response_file.yml 
@@ -12,25 +12,16 @@ description: The following analytic identifies the odbcconf.exe, Windows Open Da During triage, review file modifications and parallel processes. data_source: - Windows Security 4688 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where ((like(process_cmd_line, "%/f %") OR like(process_cmd_line, "%-f %")) - AND process_file_name="odbcconf.exe") AND like(process_cmd_line, "%.rsp%") --finding_report--' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = 
process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where ((process_cmd_line LIKE "%/f %" + OR process_cmd_line LIKE "%-f %") AND process_file_name="odbcconf.exe") AND process_cmd_line + LIKE "%.rsp%" --finding_report--' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the diff --git a/ssa_detections/endpoint/ssa___windows_os_credential_dumping_with_ntdsutil_export_ntds.yml b/ssa_detections/endpoint/ssa___windows_os_credential_dumping_with_ntdsutil_export_ntds.yml index 775bffd7d0..ab807767f5 100644 --- a/ssa_detections/endpoint/ssa___windows_os_credential_dumping_with_ntdsutil_export_ntds.yml +++ b/ssa_detections/endpoint/ssa___windows_os_credential_dumping_with_ntdsutil_export_ntds.yml 
@@ -18,25 +18,15 @@ description: 'Monitor for signs that Ntdsutil is being used to Extract Active Di will yield a file modification named ntds.dit to the destination.' data_source: - Windows Security 4688 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where process_file_name="ntdsutil.exe" AND (like(process_cmd_line, "%create%") - AND like(process_cmd_line, "%ntds%")) --finding_report--' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval 
process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where process_file_name="ntdsutil.exe" + AND (process_cmd_line LIKE "%create%" AND process_cmd_line LIKE "%ntds%") --finding_report--' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the diff --git a/ssa_detections/endpoint/ssa___windows_os_credential_dumping_with_procdump.yml b/ssa_detections/endpoint/ssa___windows_os_credential_dumping_with_procdump.yml index 29f8863b1b..d4ba5ce686 100644 --- a/ssa_detections/endpoint/ssa___windows_os_credential_dumping_with_procdump.yml +++ b/ssa_detections/endpoint/ssa___windows_os_credential_dumping_with_procdump.yml 
@@ -17,26 +17,16 @@ description: 'Detect procdump.exe dumping the lsass process. This query looks fo into lsass.exe.' data_source: - Windows Security 4688 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where ((like(process_cmd_line, "%-ma %") OR like(process_cmd_line, "%-mm - %")) AND (process_file_name="procdump64.exe" OR process_file_name="procdump.exe")) - AND like(process_cmd_line, "%lsass%") --finding_report--' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = 
process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where ((process_cmd_line LIKE "%-ma %" + OR process_cmd_line LIKE "%-mm %") AND (process_file_name="procdump64.exe" OR process_file_name="procdump.exe")) + AND process_cmd_line LIKE "%lsass%" --finding_report--' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the diff --git a/ssa_detections/endpoint/ssa___windows_powershell_connect_to_internet_with_hidden_window.yml b/ssa_detections/endpoint/ssa___windows_powershell_connect_to_internet_with_hidden_window.yml index b2caa8668f..267fc4abc4 100644 --- a/ssa_detections/endpoint/ssa___windows_powershell_connect_to_internet_with_hidden_window.yml +++ b/ssa_detections/endpoint/ssa___windows_powershell_connect_to_internet_with_hidden_window.yml 
@@ -16,27 +16,17 @@ description: The following hunting analytic identifies PowerShell commands utili the hyphen. We have added endash, emdash, horizontal bar, and forward slash. data_source: - Windows Security 4688 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where (process_file_name="powershell_ise.exe" OR process_file_name="powershell.exe" - OR process_file_name="sqltoolsps.exe" OR process_file_name="sqlps.exe" OR process_file_name="pwsh.exe") - AND match_regex(process_cmd_line, /(?i)[\-|\/]w(in*d*o*w*s*t*y*l*e*)*\s+h(i*d*d*e*n*)\s+/)=true - --finding_report--' +search: ' $main = from source | eval 
timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where (process_file_name="powershell_ise.exe" + OR process_file_name="powershell.exe" OR process_file_name="sqltoolsps.exe" OR process_file_name="sqlps.exe" + OR process_file_name="pwsh.exe" OR process_file_name="pwsh.exe") AND match(process_cmd_line, + /(?i)[\-|\/]w(in*d*o*w*s*t*y*l*e*)*\s+h(i*d*d*e*n*)\s+/)=true --finding_report--' how_to_implement: You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. diff --git a/ssa_detections/endpoint/ssa___windows_powershell_disabled_kerberos_pre_authentication_discovery_get_aduser.yml b/ssa_detections/endpoint/ssa___windows_powershell_disabled_kerberos_pre_authentication_discovery_get_aduser.yml index d161cbe9ff..7e4dc440bf 100644 --- a/ssa_detections/endpoint/ssa___windows_powershell_disabled_kerberos_pre_authentication_discovery_get_aduser.yml +++ b/ssa_detections/endpoint/ssa___windows_powershell_disabled_kerberos_pre_authentication_discovery_get_aduser.yml 
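Review bot: The rewritten `where` clause lists `process_file_name="pwsh.exe"` twice; the removed side of this hunk had it once, so the duplicate is new here, and the same redundant predicate is carried into the downloadfile and start_bitstransfer hunks below. Drop the second `OR process_file_name="pwsh.exe"` in all three. Separately, the description kept as context says en dash, em dash and horizontal bar were added as switch prefixes, but the retained regex class `[\-|\/]` contains only hyphen, a literal `|` (inside a class it is not alternation) and slash; either the class should carry those dash characters, e.g. `[\-–—―\/]` if the engine accepts literal Unicode in a class, or the description should be corrected to match the pattern.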
@@ -15,18 +15,12 @@ description: The following analytic utilizes PowerShell Script Block Logging (Ev their passwords offline. data_source: - Powershell 4104 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), - "string", null) | eval process=ucast(map_get(input_event,"process"), "map", null) | eval process_file=ucast(map_get(process,"file"), "map", - null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", null) - | eval process_uid=ucast(map_get(process,"uid"), "string", null) | eval process_cmd_line=ucast(map_get(process,"cmd_line"), - "string", null) | eval actor=ucast(map_get(input_event,"actor"), "map", - null) | eval actor_user=ucast(map_get(actor,"user"), "map", null) | - eval actor_user_uid=ucast(map_get(actor_user,"uid"), "string", null) | where like(process_cmd_line, - "%4194304%") AND match_regex(process_cmd_line, /(?i)get-aduser/)=true --finding_report--' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval device_hostname = device.hostname | eval process_file = process.file | eval + process_file_path = process_file.path | eval process_uid = process.uid | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_uid = actor_user.uid + | where process_cmd_line LIKE "%4194304%" AND match(process_cmd_line, /(?i)get-aduser/)=true + --finding_report--' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. 
diff --git a/ssa_detections/endpoint/ssa___windows_powershell_disabled_kerberos_pre_authentication_discovery_with_powerview.yml b/ssa_detections/endpoint/ssa___windows_powershell_disabled_kerberos_pre_authentication_discovery_with_powerview.yml index 55afcb9a07..aac779b072 100644 --- a/ssa_detections/endpoint/ssa___windows_powershell_disabled_kerberos_pre_authentication_discovery_with_powerview.yml +++ b/ssa_detections/endpoint/ssa___windows_powershell_disabled_kerberos_pre_authentication_discovery_with_powerview.yml 
@@ -15,19 +15,12 @@ description: The following analytic utilizes PowerShell Script Block Logging (Ev and attempt to crack their passwords offline. data_source: - Powershell 4104 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), - "string", null) | eval process=ucast(map_get(input_event,"process"), "map", null) | eval process_file=ucast(map_get(process,"file"), "map", - null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", null) - | eval process_uid=ucast(map_get(process,"uid"), "string", null) | eval process_cmd_line=ucast(map_get(process,"cmd_line"), - "string", null) | eval actor=ucast(map_get(input_event,"actor"), "map", - null) | eval actor_user=ucast(map_get(actor,"user"), "map", null) | - eval actor_user_uid=ucast(map_get(actor_user,"uid"), "string", null) | where match_regex(process_cmd_line, - /(?i)preauthnotrequired/)=true AND match_regex(process_cmd_line, /(?i)get-domainuser/)=true - --finding_report--' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval device_hostname = device.hostname | eval process_file = process.file | eval + process_file_path = process_file.path | eval process_uid = process.uid | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_uid = actor_user.uid + | where match(process_cmd_line, /(?i)preauthnotrequired/)=true AND match(process_cmd_line, + /(?i)get-domainuser/)=true --finding_report--' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. 
Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. diff --git a/ssa_detections/endpoint/ssa___windows_powershell_downloadfile.yml b/ssa_detections/endpoint/ssa___windows_powershell_downloadfile.yml index 22cfaf36b6..4e7323720d 100644 --- a/ssa_detections/endpoint/ssa___windows_powershell_downloadfile.yml +++ b/ssa_detections/endpoint/ssa___windows_powershell_downloadfile.yml 
@@ -12,27 +12,17 @@ description: The following analytic identifies the use of PowerShell downloading transaction logs are available, review for further details of the implant. data_source: - Windows Security 4688 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where (process_file_name="powershell_ise.exe" OR process_file_name="powershell.exe" - OR process_file_name="sqltoolsps.exe" OR process_file_name="sqlps.exe" OR process_file_name="pwsh.exe" - OR process_file_name="pwsh.exe") AND match_regex(process_cmd_line, /(?i)downloadfile/)=true - --finding_report--' +search: ' $main = from source | eval timestamp = 
time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where (process_file_name="powershell_ise.exe" + OR process_file_name="powershell.exe" OR process_file_name="sqltoolsps.exe" OR process_file_name="sqlps.exe" + OR process_file_name="pwsh.exe" OR process_file_name="pwsh.exe") AND match(process_cmd_line, + /(?i)downloadfile/)=true --finding_report--' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, diff --git a/ssa_detections/endpoint/ssa___windows_powershell_export_certificate.yml b/ssa_detections/endpoint/ssa___windows_powershell_export_certificate.yml index 3e2c96fb12..45f2fd5c76 100644 --- a/ssa_detections/endpoint/ssa___windows_powershell_export_certificate.yml +++ b/ssa_detections/endpoint/ssa___windows_powershell_export_certificate.yml 
@@ -11,18 +11,11 @@ description: The following analytic identifies the PowerShell Cmdlet export-cert Store. data_source: - Powershell 4104 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), - "string", null) | eval process=ucast(map_get(input_event,"process"), "map", null) | eval process_file=ucast(map_get(process,"file"), "map", - null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", null) - | eval process_uid=ucast(map_get(process,"uid"), "string", null) | eval process_cmd_line=ucast(map_get(process,"cmd_line"), - "string", null) | eval actor=ucast(map_get(input_event,"actor"), "map", - null) | eval actor_user=ucast(map_get(actor,"user"), "map", null) | - eval actor_user_uid=ucast(map_get(actor_user,"uid"), "string", null) | where match_regex(process_cmd_line, - /(?i)export-certificate/)=true --finding_report--' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval device_hostname = device.hostname | eval process_file = process.file | eval + process_file_path = process_file.path | eval process_uid = process.uid | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_uid = actor_user.uid + | where match(process_cmd_line, /(?i)export-certificate/)=true --finding_report--' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. 
diff --git a/ssa_detections/endpoint/ssa___windows_powershell_export_pfxcertificate.yml b/ssa_detections/endpoint/ssa___windows_powershell_export_pfxcertificate.yml index c375c6604d..895cd59795 100644 --- a/ssa_detections/endpoint/ssa___windows_powershell_export_pfxcertificate.yml +++ b/ssa_detections/endpoint/ssa___windows_powershell_export_pfxcertificate.yml 
@@ -11,18 +11,11 @@ description: The following analytic identifies the PowerShell Cmdlet export-pfxc Store. data_source: - Powershell 4104 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), - "string", null) | eval process=ucast(map_get(input_event,"process"), "map", null) | eval process_file=ucast(map_get(process,"file"), "map", - null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", null) - | eval process_uid=ucast(map_get(process,"uid"), "string", null) | eval process_cmd_line=ucast(map_get(process,"cmd_line"), - "string", null) | eval actor=ucast(map_get(input_event,"actor"), "map", - null) | eval actor_user=ucast(map_get(actor,"user"), "map", null) | - eval actor_user_uid=ucast(map_get(actor_user,"uid"), "string", null) | where match_regex(process_cmd_line, - /(?i)export-pfxcertificate/)=true --finding_report--' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval device_hostname = device.hostname | eval process_file = process.file | eval + process_file_path = process_file.path | eval process_uid = process.uid | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_uid = actor_user.uid + | where match(process_cmd_line, /(?i)export-pfxcertificate/)=true --finding_report--' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. 
diff --git a/ssa_detections/endpoint/ssa___windows_powershell_start_bitstransfer.yml b/ssa_detections/endpoint/ssa___windows_powershell_start_bitstransfer.yml index bbd6c30d1f..d7c0e9641b 100644 --- a/ssa_detections/endpoint/ssa___windows_powershell_start_bitstransfer.yml +++ b/ssa_detections/endpoint/ssa___windows_powershell_start_bitstransfer.yml 
@@ -14,27 +14,17 @@ description: Start-BitsTransfer is the PowerShell "version" of BitsAdmin.exe. Si domain or IP, what is the reputation? data_source: - Windows Security 4688 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where (process_file_name="powershell_ise.exe" OR process_file_name="powershell.exe" - OR process_file_name="sqltoolsps.exe" OR process_file_name="sqlps.exe" OR process_file_name="pwsh.exe" - OR process_file_name="pwsh.exe") AND match_regex(process_cmd_line, /(?i)start-bitstransfer/)=true - --finding_report--' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = 
metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where (process_file_name="powershell_ise.exe" + OR process_file_name="powershell.exe" OR process_file_name="sqltoolsps.exe" OR process_file_name="sqlps.exe" + OR process_file_name="pwsh.exe" OR process_file_name="pwsh.exe") AND match(process_cmd_line, + /(?i)start-bitstransfer/)=true --finding_report--' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint_Processess` datamodel. diff --git a/ssa_detections/endpoint/ssa___windows_powersploit_gpp_discovery.yml b/ssa_detections/endpoint/ssa___windows_powersploit_gpp_discovery.yml index 7c904bfeaa..a6e373f9af 100644 --- a/ssa_detections/endpoint/ssa___windows_powersploit_gpp_discovery.yml +++ b/ssa_detections/endpoint/ssa___windows_powersploit_gpp_discovery.yml 
@@ -16,18 +16,11 @@ description: The following analytic identifies the use of the Get-GPPPassword Po are not removed from SYSVOL. data_source: - Powershell 4104 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), - "string", null) | eval process=ucast(map_get(input_event,"process"), "map", null) | eval process_file=ucast(map_get(process,"file"), "map", - null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", null) - | eval process_uid=ucast(map_get(process,"uid"), "string", null) | eval process_cmd_line=ucast(map_get(process,"cmd_line"), - "string", null) | eval actor=ucast(map_get(input_event,"actor"), "map", - null) | eval actor_user=ucast(map_get(actor,"user"), "map", null) | - eval actor_user_uid=ucast(map_get(actor_user,"uid"), "string", null) | where match_regex(process_cmd_line, - /(?i)get-gpppassword/)=true --finding_report--' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval device_hostname = device.hostname | eval process_file = process.file | eval + process_file_path = process_file.path | eval process_uid = process.uid | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_uid = actor_user.uid + | where match(process_cmd_line, /(?i)get-gpppassword/)=true --finding_report--' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. 
diff --git a/ssa_detections/endpoint/ssa___windows_rasautou_dll_execution.yml b/ssa_detections/endpoint/ssa___windows_rasautou_dll_execution.yml index a8765ced9b..5b06e7fe22 100644 --- a/ssa_detections/endpoint/ssa___windows_rasautou_dll_execution.yml +++ b/ssa_detections/endpoint/ssa___windows_rasautou_dll_execution.yml 
@@ -11,25 +11,16 @@ description: The following analytic identifies the Windows Windows Remote Auto D parent and child process behavior including file and image loads. data_source: - Windows Security 4688 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where process_file_name="rasautou.exe" AND match_regex(process_cmd_line, - /(?i)-p /)=true AND match_regex(process_cmd_line, /(?i)-d /)=true --finding_report--' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = 
process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where process_file_name="rasautou.exe" + AND match(process_cmd_line, /(?i)-p /)=true AND match(process_cmd_line, /(?i)-d + /)=true --finding_report--' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, diff --git a/ssa_detections/endpoint/ssa___windows_remote_create_service.yml b/ssa_detections/endpoint/ssa___windows_remote_create_service.yml index 2264865145..82a3000a0b 100644 --- a/ssa_detections/endpoint/ssa___windows_remote_create_service.yml +++ b/ssa_detections/endpoint/ssa___windows_remote_create_service.yml 
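Review bot: The last regex literal is split across a YAML fold: one continuation line ends at `/(?i)-d` and the next starts with `/)=true`, so the trailing space the pattern depends on exists only because YAML folds the line break into a single space. A re-wrap of the scalar that joins the two lines directly, or a reader who does not know the folding rule, ends up with `/(?i)-d/`, which is a different and broader test. Keep the literal on one line, as the `-p ` test just before it is: `AND match(process_cmd_line, /(?i)-p /)=true AND match(process_cmd_line, /(?i)-d /)=true --finding_report--'`.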
@@ -11,25 +11,15 @@ description: This analytic identifies an endpoint that remotely connects to anot with all the resulting service information. data_source: - Windows Security 4688 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where (match_regex(process_cmd_line, /(?i)create/)=true OR match_regex(process_cmd_line, - /(?i)\\/)=true) AND process_file_name="sc.exe" --finding_report--' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval 
process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where (match(process_cmd_line, /(?i)create/)=true + OR match(process_cmd_line, /(?i)\\/)=true) AND process_file_name="sc.exe" --finding_report--' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, diff --git a/ssa_detections/endpoint/ssa___windows_rename_system_utilities_acccheckconsole_exe_lolbas_in_non_standard_path.yml b/ssa_detections/endpoint/ssa___windows_rename_system_utilities_acccheckconsole_exe_lolbas_in_non_standard_path.yml index a7fb7fcc2f..8ddf0d7212 100644 --- a/ssa_detections/endpoint/ssa___windows_rename_system_utilities_acccheckconsole_exe_lolbas_in_non_standard_path.yml +++ b/ssa_detections/endpoint/ssa___windows_rename_system_utilities_acccheckconsole_exe_lolbas_in_non_standard_path.yml 
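Review bot: The retained condition `(match(process_cmd_line, /(?i)create/)=true OR match(process_cmd_line, /(?i)\\/)=true) AND process_file_name="sc.exe"` fires on any `sc.exe` invocation whose arguments contain a single backslash, such as a local `binPath=` with a drive path, while the description kept as context describes remote service creation. If that description is the intent, the two tests should be conjunctive and the path test should look for the UNC prefix (two backslashes) rather than one; as written the analytic's name and its logic disagree and local service management will produce noise. If the broad OR is deliberate, the description should say so.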
@@ -11,25 +11,15 @@ description: The following analytic identifies AccCheckConsole.exe which is a na was derived from the https://lolbas-project.github.io site. data_source: - Windows Security 4688 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where process_file_name="acccheckconsole.exe" AND (NOT match_regex(process_file_path, - /(?i)\\program files (x86)\\windows kits\\10\\bin\\10.0.22000.0\\arm64\\accchecker/)=true) +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = 
process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where process_file_name="acccheckconsole.exe" + AND (NOT match(process_file_path, /(?i)\\program files (x86)\\windows kits\\10\\bin\\10.0.22000.0\\arm64\\accchecker/)=true) --finding_report--' how_to_implement: To successfully implement this search, you must be ingesting logs with the process name, command-line arguments, and parent processes from your endpoints. diff --git a/ssa_detections/endpoint/ssa___windows_rename_system_utilities_adplus_exe_lolbas_in_non_standard_path.yml b/ssa_detections/endpoint/ssa___windows_rename_system_utilities_adplus_exe_lolbas_in_non_standard_path.yml index a25578275c..089394a343 100644 --- a/ssa_detections/endpoint/ssa___windows_rename_system_utilities_adplus_exe_lolbas_in_non_standard_path.yml +++ b/ssa_detections/endpoint/ssa___windows_rename_system_utilities_adplus_exe_lolbas_in_non_standard_path.yml 
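Review bot: The exclusion regex in the new `where` clause can never match a real install path: `(x86)` in `\\program files (x86)\\windows kits\\...` is a capturing group that matches the three characters `x86`, so the pattern requires `\program files x86\` and the literal `(x86)` directory segment fails it, meaning every AccCheckConsole.exe execution, including from the legitimate Windows Kits folder, produces a finding. Escape the parentheses, and since the pattern also pins one kit build (10.0.22000.0) and only the arm64 folder, consider `/(?i)^[a-z]:\\program files \(x86\)\\windows kits\\10\\bin\\[0-9.]+\\(arm64|x64|x86)\\accchecker\\/` (the other architecture folders are assumed from the kit layout; confirm against an install). The `^[a-z]:` anchor also stops an attacker-created directory that merely ends in the same suffix from being excluded by the substring match.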
@@ -11,25 +11,16 @@ description: The following analytic identifies adplus.exe which is a native livi was derived from the https://lolbas-project.github.io site. data_source: - Windows Security 4688 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where process_file_name="adplus.exe" AND (NOT match_regex(process_file_path, - /(?i)\\program files (x86)\\windows kits\\10\\debuggers\\x86/)=true) --finding_report--' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = 
process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where process_file_name="adplus.exe" + AND (NOT match(process_file_path, /(?i)\\program files (x86)\\windows kits\\10\\debuggers\\x86/)=true) + --finding_report--' how_to_implement: To successfully implement this search, you must be ingesting logs with the process name, command-line arguments, and parent processes from your endpoints. Collect endpoint data such as Sysmon or Windows Events 4688. diff --git a/ssa_detections/endpoint/ssa___windows_rename_system_utilities_advpack_dll_lolbas_in_non_standard_path.yml b/ssa_detections/endpoint/ssa___windows_rename_system_utilities_advpack_dll_lolbas_in_non_standard_path.yml index 4ece03abc5..396f7c09dd 100644 --- a/ssa_detections/endpoint/ssa___windows_rename_system_utilities_advpack_dll_lolbas_in_non_standard_path.yml +++ b/ssa_detections/endpoint/ssa___windows_rename_system_utilities_advpack_dll_lolbas_in_non_standard_path.yml 
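Review bot: The exclusion in the new `where` clause never matches the path it is meant to allow-list, because `(x86)` in `\\program files (x86)\\windows kits\\10\\debuggers\\x86` is a regex group matching `x86` rather than the literal `(x86)` segment, so legitimate adplus.exe runs from the Windows Kits debuggers folder will all be reported. Escape the parentheses and anchor the pattern, e.g. `/(?i)^[a-z]:\\program files \(x86\)\\windows kits\\10\\debuggers\\(x86|x64|arm64)\\adplus\.exe$/`; the x64/arm64 alternatives are inferred from the debugger package layout and should be confirmed. Without the anchor, a directory such as `C:\Users\Public\windows kits\10\debuggers\x86\` created by an attacker would also satisfy the exclusion.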
@@ -11,25 +11,15 @@ description: The following analytic identifies Advpack.dll which is a native liv was derived from the https://lolbas-project.github.io site. data_source: - Windows Security 4688 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where process_file_name="advpack.dll" AND (NOT match_regex(process_file_path, - /(?i)\\windows\\syswow64/)=true) --finding_report--' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = 
process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where process_file_name="advpack.dll" + AND (NOT match(process_file_path, /(?i)\\windows\\syswow64/)=true) --finding_report--' how_to_implement: To successfully implement this search, you must be ingesting logs with the process name, command-line arguments, and parent processes from your endpoints. Collect endpoint data such as Sysmon or Windows Events 4688. diff --git a/ssa_detections/endpoint/ssa___windows_rename_system_utilities_agentexecutor_exe_lolbas_in_non_standard_path.yml b/ssa_detections/endpoint/ssa___windows_rename_system_utilities_agentexecutor_exe_lolbas_in_non_standard_path.yml index e501a1e021..3643a3c25a 100644 --- a/ssa_detections/endpoint/ssa___windows_rename_system_utilities_agentexecutor_exe_lolbas_in_non_standard_path.yml +++ b/ssa_detections/endpoint/ssa___windows_rename_system_utilities_agentexecutor_exe_lolbas_in_non_standard_path.yml 
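Review bot: `process_file_name="advpack.dll"` in the new `where` clause cannot match the only listed data_source, Windows Security 4688: that event records the image of the created process, and a DLL such as advpack.dll is loaded by a host process (typically rundll32.exe), so the DLL name appears at most in process_cmd_line. As written the analytic is inert. If the goal is the LOLBAS abuse of advpack.dll from a non-standard directory, either match the DLL in the command line, e.g. `where process_file_name="rundll32.exe" AND match(process_cmd_line, /(?i)advpack\.dll/)=true`, and inspect the path there, or source the detection from image-load telemetry rather than 4688. The existing exclusion also covers only `\\windows\\syswow64`; a System32 copy, if present, would otherwise be treated as non-standard.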
@@ -11,25 +11,15 @@ description: The following analytic identifies AgentExecutor.exe which is a nati was derived from the https://lolbas-project.github.io site. data_source: - Windows Security 4688 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where process_file_name="agentexecutor.exe" AND (NOT match_regex(process_file_path, - /(?i)\\program files (x86)/)=true) --finding_report--' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval 
process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where process_file_name="agentexecutor.exe" + AND (NOT match(process_file_path, /(?i)\\program files (x86)/)=true) --finding_report--' how_to_implement: To successfully implement this search, you must be ingesting logs with the process name, command-line arguments, and parent processes from your endpoints. Collect endpoint data such as Sysmon or Windows Events 4688. diff --git a/ssa_detections/endpoint/ssa___windows_rename_system_utilities_appinstaller_exe_lolbas_in_non_standard_path.yml b/ssa_detections/endpoint/ssa___windows_rename_system_utilities_appinstaller_exe_lolbas_in_non_standard_path.yml index ae25453e47..0344c095dd 100644 --- a/ssa_detections/endpoint/ssa___windows_rename_system_utilities_appinstaller_exe_lolbas_in_non_standard_path.yml +++ b/ssa_detections/endpoint/ssa___windows_rename_system_utilities_appinstaller_exe_lolbas_in_non_standard_path.yml 
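Review bot: The exclusion `NOT match(process_file_path, /(?i)\\program files (x86)/)` in the new `where` clause is broken in both directions: as written, `(x86)` is a capturing group matching `x86`, so a real `\Program Files (x86)\` path never matches and every AgentExecutor.exe run is reported; once the parentheses are escaped, the unanchored pattern excludes the entire Program Files (x86) tree and any attacker-created directory containing that substring. Narrow it to the product directory the binary ships in and anchor it, e.g. `/(?i)^[a-z]:\\program files \(x86\)\\microsoft intune management extension\\agentexecutor\.exe$/` (presumably the Intune Management Extension folder; verify against an install).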
@@ -11,25 +11,15 @@ description: The following analytic identifies AppInstaller.exe which is a nativ was derived from the https://lolbas-project.github.io site. data_source: - Windows Security 4688 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where process_file_name="appinstaller.exe" AND (NOT match_regex(process_file_path, - /(?i)\\program files\\windowsapps\\microsoft.desktopappinstaller_1.11.2521.0_x64__8wekyb3d8bbwe/)=true) +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval 
process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where process_file_name="appinstaller.exe" + AND (NOT match(process_file_path, /(?i)\\program files\\windowsapps\\microsoft.desktopappinstaller_1.11.2521.0_x64__8wekyb3d8bbwe/)=true) --finding_report--' how_to_implement: To successfully implement this search, you must be ingesting logs with the process name, command-line arguments, and parent processes from your endpoints. diff --git a/ssa_detections/endpoint/ssa___windows_rename_system_utilities_appvlp_exe_lolbas_in_non_standard_path.yml b/ssa_detections/endpoint/ssa___windows_rename_system_utilities_appvlp_exe_lolbas_in_non_standard_path.yml index 6f8496d0b7..865e257a60 100644 --- a/ssa_detections/endpoint/ssa___windows_rename_system_utilities_appvlp_exe_lolbas_in_non_standard_path.yml +++ b/ssa_detections/endpoint/ssa___windows_rename_system_utilities_appvlp_exe_lolbas_in_non_standard_path.yml 
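Review bot: The exclusion in the new `where` clause pins a single App Installer package version, `microsoft.desktopappinstaller_1.11.2521.0_x64__8wekyb3d8bbwe`, so the first store update of App Installer moves the binary to a new versioned folder and every legitimate AppInstaller.exe execution starts producing findings. Match the version generically and anchor the path, e.g. `/(?i)^[a-z]:\\program files\\windowsapps\\microsoft\.desktopappinstaller_[0-9.]+_x64__8wekyb3d8bbwe\\appinstaller\.exe$/`; note the dots in the package name are currently unescaped and match any character. Anchoring also prevents an attacker-created directory ending in the same suffix from being excluded.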
@@ -11,25 +11,16 @@ description: The following analytic identifies Appvlp.exe which is a native livi was derived from the https://lolbas-project.github.io site. data_source: - Windows Security 4688 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where process_file_name="appvlp.exe" AND (NOT match_regex(process_file_path, - /(?i)\\program files (x86)\\microsoft office\\root\\client/)=true) --finding_report--' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = 
process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where process_file_name="appvlp.exe" + AND (NOT match(process_file_path, /(?i)\\program files (x86)\\microsoft office\\root\\client/)=true) + --finding_report--' how_to_implement: To successfully implement this search, you must be ingesting logs with the process name, command-line arguments, and parent processes from your endpoints. Collect endpoint data such as Sysmon or Windows Events 4688. diff --git a/ssa_detections/endpoint/ssa___windows_rename_system_utilities_aspnet_compiler_exe_lolbas_in_non_standard_path.yml b/ssa_detections/endpoint/ssa___windows_rename_system_utilities_aspnet_compiler_exe_lolbas_in_non_standard_path.yml index 518186bc0a..9d2b863ad1 100644 --- a/ssa_detections/endpoint/ssa___windows_rename_system_utilities_aspnet_compiler_exe_lolbas_in_non_standard_path.yml +++ b/ssa_detections/endpoint/ssa___windows_rename_system_utilities_aspnet_compiler_exe_lolbas_in_non_standard_path.yml 
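Review bot: The exclusion `/(?i)\\program files (x86)\\microsoft office\\root\\client/` in the new `where` clause never matches a real Office path, because `(x86)` is a regex group that matches `x86` and not the literal `(x86)` segment, so every legitimate appvlp.exe execution is reported. Escape the parentheses and anchor the pattern, e.g. `/(?i)^[a-z]:\\program files( \(x86\))?\\microsoft office\\root\\client\\appvlp\.exe$/`; the optional `(x86)` covers a 64-bit Office install under plain Program Files, which is assumed rather than visible here and should be confirmed.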
@@ -11,25 +11,16 @@ description: The following analytic identifies Aspnet_Compiler.exe which is a na was derived from the https://lolbas-project.github.io site. data_source: - Windows Security 4688 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where process_file_name="aspnet_compiler.exe" AND (NOT match_regex(process_file_path, - /(?i)\\windows\\microsoft.net\\framework64\\v4.0.30319/)=true) --finding_report--' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = 
process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where process_file_name="aspnet_compiler.exe" + AND (NOT match(process_file_path, /(?i)\\windows\\microsoft.net\\framework64\\v4.0.30319/)=true) + --finding_report--' how_to_implement: To successfully implement this search, you must be ingesting logs with the process name, command-line arguments, and parent processes from your endpoints. Collect endpoint data such as Sysmon or Windows Events 4688. diff --git a/ssa_detections/endpoint/ssa___windows_rename_system_utilities_at_exe_lolbas_in_non_standard_path.yml b/ssa_detections/endpoint/ssa___windows_rename_system_utilities_at_exe_lolbas_in_non_standard_path.yml index 065beffafe..c7972db282 100644 --- a/ssa_detections/endpoint/ssa___windows_rename_system_utilities_at_exe_lolbas_in_non_standard_path.yml +++ b/ssa_detections/endpoint/ssa___windows_rename_system_utilities_at_exe_lolbas_in_non_standard_path.yml 
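Review bot: The exclusion `/(?i)\\windows\\microsoft.net\\framework64\\v4.0.30319/` in the new `where` clause is an unanchored substring test with unescaped dots, so an attacker-created `C:\Users\Public\windows\microsoft.net\framework64\v4.0.30319\aspnet_compiler.exe` is excluded while the 32-bit copy under `\Framework\` (if present) is reported on every use. Anchor the path and escape the dots, e.g. `/(?i)^[a-z]:\\windows\\microsoft\.net\\framework(64)?\\v[0-9.]+\\aspnet_compiler\.exe$/`; the 32-bit Framework folder is inferred from the .NET layout and should be confirmed before adding it.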
@@ -11,25 +11,15 @@ description: The following analytic identifies At.exe which is a native living o derived from the https://lolbas-project.github.io site. data_source: - Windows Security 4688 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where process_file_name="at.exe" AND (NOT match_regex(process_file_path, - /(?i)\\windows\\syswow64/)=true) --finding_report--' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = 
process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where process_file_name="at.exe" AND + (NOT match(process_file_path, /(?i)\\windows\\syswow64/)=true) --finding_report--' how_to_implement: To successfully implement this search, you must be ingesting logs with the process name, command-line arguments, and parent processes from your endpoints. Collect endpoint data such as Sysmon or Windows Events 4688. diff --git a/ssa_detections/endpoint/ssa___windows_rename_system_utilities_atbroker_exe_lolbas_in_non_standard_path.yml b/ssa_detections/endpoint/ssa___windows_rename_system_utilities_atbroker_exe_lolbas_in_non_standard_path.yml index d8061c5c35..a6e598f94c 100644 --- a/ssa_detections/endpoint/ssa___windows_rename_system_utilities_atbroker_exe_lolbas_in_non_standard_path.yml +++ b/ssa_detections/endpoint/ssa___windows_rename_system_utilities_atbroker_exe_lolbas_in_non_standard_path.yml 
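Review bot: The exclusion `NOT match(process_file_path, /(?i)\\windows\\syswow64/)` in the new `where` clause is an unanchored substring test, so a copy of at.exe dropped into any directory whose path contains `\windows\syswow64` (for example under a user profile) is treated as standard. It also allow-lists only the SysWOW64 copy; LOLBAS documents At.exe under System32 as well, so if that copy exists every legitimate run from it is reported. Anchor the exclusion to the system root, e.g. `/(?i)^[a-z]:\\windows\\(system32|syswow64)\\at\.exe$/`.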
@@ -11,25 +11,15 @@ description: The following analytic identifies Atbroker.exe which is a native li was derived from the https://lolbas-project.github.io site. data_source: - Windows Security 4688 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where process_file_name="atbroker.exe" AND (NOT match_regex(process_file_path, - /(?i)\\windows\\syswow64/)=true) --finding_report--' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = 
process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where process_file_name="atbroker.exe" + AND (NOT match(process_file_path, /(?i)\\windows\\syswow64/)=true) --finding_report--' how_to_implement: To successfully implement this search, you must be ingesting logs with the process name, command-line arguments, and parent processes from your endpoints. Collect endpoint data such as Sysmon or Windows Events 4688. diff --git a/ssa_detections/endpoint/ssa___windows_rundll32_comsvcs_memory_dump.yml b/ssa_detections/endpoint/ssa___windows_rundll32_comsvcs_memory_dump.yml index 41d78ec4ab..bc39ea7fcf 100644 --- a/ssa_detections/endpoint/ssa___windows_rundll32_comsvcs_memory_dump.yml +++ b/ssa_detections/endpoint/ssa___windows_rundll32_comsvcs_memory_dump.yml 
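Review bot: The exclusion `/(?i)\\windows\\syswow64/` in the new `where` clause matches anywhere in process_file_path, so an attacker-created `...\windows\syswow64\atbroker.exe` under a writable directory is excluded, and the System32 copy of Atbroker.exe (documented by LOLBAS alongside SysWOW64) is reported on every use if present; anchor it, e.g. `/(?i)^[a-z]:\\windows\\(system32|syswow64)\\atbroker\.exe$/`. `process_file_name="atbroker.exe"` is also a case-sensitive equality while the path test is `(?i)`; unless the source normalizes process.file.name to lower case (not visible here), an event carrying `AtBroker.exe` is missed.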
@@ -10,25 +10,16 @@ description: The following analytic identifies memory dumping using comsvcs.dll who would like to dump the memory of lsass.exe. data_source: - Windows Security 4688 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where (match_regex(process_cmd_line, /(?i)minidump/)=true AND process_file_name="rundll32.exe") - AND match_regex(process_cmd_line, /(?i)comsvcs.dll/)=true --finding_report--' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path 
| eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where (match(process_cmd_line, /(?i)minidump/)=true + AND process_file_name="rundll32.exe") AND match(process_cmd_line, /(?i)comsvcs.dll/)=true + --finding_report--' how_to_implement: You must be ingesting endpoint data that tracks process activity, including Windows command line logging. You can see how we test this with [Event Code 4688](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4688a) diff --git a/ssa_detections/endpoint/ssa___windows_rundll32_inline_hta_execution.yml b/ssa_detections/endpoint/ssa___windows_rundll32_inline_hta_execution.yml index 2de0b7b3aa..2ed5d482c2 100644 --- a/ssa_detections/endpoint/ssa___windows_rundll32_inline_hta_execution.yml +++ b/ssa_detections/endpoint/ssa___windows_rundll32_inline_hta_execution.yml 
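Review bot: The new `where` clause requires the literal string `minidump` in the command line, but the comsvcs.dll MiniDump export can be invoked by ordinal instead of by name (rundll32 `comsvcs.dll, #24 <pid> <file> full`), which is a widely documented way to dump lsass.exe that leaves no `minidump` token and bypasses this check. Extend the first test, e.g. `where (match(process_cmd_line, /(?i)(minidump|#\s*24)/)=true AND process_file_name="rundll32.exe") AND match(process_cmd_line, /(?i)comsvcs\.dll/)=true`; the dot in `comsvcs.dll` is currently unescaped. `process_file_name="rundll32.exe"` is an exact comparison while the regexes are `(?i)`; confirm the source lowercases process.file.name or compare case-insensitively.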
@@ -14,25 +14,16 @@ description: The following analytic identifies "rundll32.exe" execution with inl "rundll32.exe" and its parent process. data_source: - Windows Security 4688 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where (like(process_cmd_line, "%about%") OR like(process_cmd_line, "%javascript%") - OR like(process_cmd_line, "%vbscript%")) AND process_file_name="rundll32.exe" --finding_report--' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | 
eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where (process_cmd_line LIKE "%about%" + OR process_cmd_line LIKE "%javascript%" OR process_cmd_line LIKE "%vbscript%") AND + process_file_name="rundll32.exe" --finding_report--' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, diff --git a/ssa_detections/endpoint/ssa___windows_script_host_spawn_msbuild.yml b/ssa_detections/endpoint/ssa___windows_script_host_spawn_msbuild.yml index b169c9e05b..b5e78fe232 100644 --- a/ssa_detections/endpoint/ssa___windows_script_host_spawn_msbuild.yml +++ b/ssa_detections/endpoint/ssa___windows_script_host_spawn_msbuild.yml 
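Review bot: The three `LIKE` patterns in the new `where` clause are bare substrings, and `"%about%"` in particular fires on any rundll32 command line whose DLL path or argument happens to contain that word, a false-positive source unrelated to the inline-HTA technique. The technique hinges on protocol handlers in the argument, so anchoring on the colon, `process_cmd_line LIKE "%about:%" OR process_cmd_line LIKE "%javascript:%" OR process_cmd_line LIKE "%vbscript:%"`, keeps coverage and narrows the noise. If this dialect's `LIKE` is case-sensitive (the replaced `like()` call gives no hint either way), `JavaScript:` also slips past; `match(process_cmd_line, /(?i)(about|javascript|vbscript):/)=true` is the safer form and matches the `match()` style the other converted searches use.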
@@ -13,26 +13,16 @@ description: This analytic is to detect a suspicious child process of MSBuild sp without having command-line arguments. data_source: - Windows Security 4688 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where process_file_name="MSBuild.exe" AND (match_regex(actor_process_file_name, - /(?i)cscript.exe/)=true OR match_regex(actor_process_file_name, /(?i)wscript.exe/)=true) - --finding_report--' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = 
process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where process_file_name="MSBuild.exe" + AND (match(actor_process_file_name, /(?i)cscript.exe/)=true OR match(actor_process_file_name, + /(?i)wscript.exe/)=true) --finding_report--' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, diff --git a/ssa_detections/endpoint/ssa___windows_service_create_with_tscon.yml b/ssa_detections/endpoint/ssa___windows_service_create_with_tscon.yml index 13e1db4005..b303b0ddb8 100644 --- a/ssa_detections/endpoint/ssa___windows_service_create_with_tscon.yml +++ b/ssa_detections/endpoint/ssa___windows_service_create_with_tscon.yml 
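Review bot: The description carried in the hunk context says this detects MSBuild spawned by a script host "without having command-line arguments", but the new `where` clause never inspects `process_cmd_line`; it fires on every `MSBuild.exe` whose parent is cscript/wscript, arguments or not. Either narrow the description to what the query does, or add the condition it describes, a check that `process_cmd_line` is empty or consists of the executable alone, whose exact shape depends on how this source records `cmd_line` and is not visible here. Separately, `process_file_name="MSBuild.exe"` is an exact, case-sensitive test while the parent checks are `(?i)` regexes; an image name recorded as `msbuild.exe` would be missed, so `match(process_file_name, /(?i)^msbuild\.exe$/)=true` keeps both halves consistent.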
@@ -16,25 +16,15 @@ description: The following analytic detects potential RDP Hijacking attempts by mitigating potential risks and impacts on targeted systems. data_source: - Windows Security 4688 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where match_regex(process_cmd_line, /(?i)/dest:rdp-tcp/)=true AND process_file_name="sc.exe" - --finding_report--' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | 
eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where match(process_cmd_line, /(?i)/dest:rdp-tcp/)=true + AND process_file_name="sc.exe" --finding_report--' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, diff --git a/ssa_detections/endpoint/ssa___windows_system_binary_proxy_execution_compiled_html_file_decompile.yml b/ssa_detections/endpoint/ssa___windows_system_binary_proxy_execution_compiled_html_file_decompile.yml index bcc100d5c2..7c104da311 100644 --- a/ssa_detections/endpoint/ssa___windows_system_binary_proxy_execution_compiled_html_file_decompile.yml +++ b/ssa_detections/endpoint/ssa___windows_system_binary_proxy_execution_compiled_html_file_decompile.yml 
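Review bot: The regex literal `/(?i)/dest:rdp-tcp/` in the new `where` clause contains an unescaped `/` immediately after the `(?i)` group; if the runtime parses `/…/` as a delimited regex literal, as the other `match()` calls in this diff assume, the pattern ends at `(?i)` and `dest:rdp-tcp/` is left as trailing text, so the search either fails to parse or matches nothing useful. The removed `match_regex` line carried the same text, so this is not introduced here, but the conversion is the moment to fix it: `match(process_cmd_line, /(?i)\/dest:rdp-tcp/)=true`, or drop the leading slash and match `dest:rdp-tcp`, which also covers the `-dest:` spelling. `process_file_name="sc.exe"` stays case-sensitive while the regex is not; `SC.EXE` would be missed if the source preserves casing.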
@@ -13,25 +13,15 @@ description: The following analytic identifies the decompile parameter with the the next stage. data_source: - Windows Security 4688 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where like(process_cmd_line, "%-decompile%") AND process_file_name="hh.exe" - --finding_report--' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = 
actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where process_cmd_line LIKE "%-decompile%" + AND process_file_name="hh.exe" --finding_report--' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the diff --git a/ssa_detections/endpoint/ssa___windows_system_binary_proxy_execution_compiled_html_file_url_in_command_line.yml b/ssa_detections/endpoint/ssa___windows_system_binary_proxy_execution_compiled_html_file_url_in_command_line.yml index 49ac3c20a6..8fe198cecf 100644 --- a/ssa_detections/endpoint/ssa___windows_system_binary_proxy_execution_compiled_html_file_url_in_command_line.yml +++ b/ssa_detections/endpoint/ssa___windows_system_binary_proxy_execution_compiled_html_file_url_in_command_line.yml 
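Review bot: `process_cmd_line LIKE "%-decompile%"` is a literal substring test, so if `LIKE` is case-sensitive in this dialect, `hh.exe -Decompile` is not caught (hh.exe's switch parsing is, to my knowledge, case-insensitive; confirm), and a slash-prefixed `/decompile`, if hh.exe accepts that form, is not caught either. The converted searches elsewhere in this diff use `match(..., /(?i)…/)` for exactly this reason; the equivalent here is `match(process_cmd_line, /(?i)[-\/]decompile/)=true`. The `process_file_name="hh.exe"` test would then be the only case-sensitive term in the clause; fold it the same way if the source preserves casing.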
@@ -18,25 +18,15 @@ description: The following analytic identifies hh.exe (HTML Help) execution of a original contents. hh.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. data_source: - Windows Security 4688 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where (like(process_cmd_line, "%https://%") OR like(process_cmd_line, "%http://%")) - AND process_file_name="hh.exe" --finding_report--' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = 
process_file.path | eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where (process_cmd_line LIKE "%https://%" + OR process_cmd_line LIKE "%http://%") AND process_file_name="hh.exe" --finding_report--' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the diff --git a/ssa_detections/endpoint/ssa___windows_system_binary_proxy_execution_compiled_html_file_using_infotech_storage_handlers.yml b/ssa_detections/endpoint/ssa___windows_system_binary_proxy_execution_compiled_html_file_using_infotech_storage_handlers.yml index abd8a1442d..5070b3336c 100644 --- a/ssa_detections/endpoint/ssa___windows_system_binary_proxy_execution_compiled_html_file_using_infotech_storage_handlers.yml +++ b/ssa_detections/endpoint/ssa___windows_system_binary_proxy_execution_compiled_html_file_using_infotech_storage_handlers.yml 
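Review bot: The two `LIKE` patterns `"%https://%"` and `"%http://%"` in the new `where` clause are literal, so a command line carrying `HTTP://` or `Https://` is not matched if this dialect's `LIKE` is case-sensitive, and URL schemes are case-insensitive on the client side. A single `match(process_cmd_line, /(?i)https?:\/\//)=true` covers both schemes in any casing; the slashes must be escaped inside the `/…/` literal. Whether `LIKE` folds case here is not visible in the diff, so confirm against the runtime before relying on it.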
@@ -21,25 +21,15 @@ description: The following analytic identifies hh.exe (HTML Help) execution of a C:\Windows\syswow64. data_source: - Windows Security 4688 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where (like(process_cmd_line, "%mk:@MSITStore:%") OR like(process_cmd_line, - "%its:%")) AND process_file_name="hh.exe" --finding_report--' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = process_file.name | eval 
process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where (process_cmd_line LIKE "%mk:@MSITStore:%" + OR process_cmd_line LIKE "%its:%") AND process_file_name="hh.exe" --finding_report--' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the diff --git a/ssa_detections/endpoint/ssa___windows_system_binary_proxy_execution_msiexec_dllregisterserver.yml b/ssa_detections/endpoint/ssa___windows_system_binary_proxy_execution_msiexec_dllregisterserver.yml index c314f2f25d..7b90b0f9f5 100644 --- a/ssa_detections/endpoint/ssa___windows_system_binary_proxy_execution_msiexec_dllregisterserver.yml +++ b/ssa_detections/endpoint/ssa___windows_system_binary_proxy_execution_msiexec_dllregisterserver.yml 
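Review bot: `"%mk:@MSITStore:%"` and `"%its:%"` are literal `LIKE` substrings, so if `LIKE` is case-sensitive here, `mk:@msitstore:` and `ITS:`, which Windows resolves case-insensitively as far as I can tell, slip through. `"%its:%"` does incidentally cover the `ms-its:` handler, which is fine, but it also matches any argument that merely ends a word in `its:`, so the pair is both too loose and too strict. A case-insensitive regex anchored on a word boundary, `match(process_cmd_line, /(?i)(mk:@msitstore:|\bits:)/)=true`, addresses both, assuming the engine supports `\b`; the `hh.exe` name test would then need the same case folding.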
@@ -10,25 +10,15 @@ description: The following analytic identifies the usage of msiexec.exe using th Upon triage, review parent process and capture any artifacts for further review. data_source: - Windows Security 4688 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where (like(process_cmd_line, "%-y %") OR like(process_cmd_line, "%/y %")) - AND process_file_name="msiexec.exe" --finding_report--' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval 
process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where (process_cmd_line LIKE "%-y %" + OR process_cmd_line LIKE "%/y %") AND process_file_name="msiexec.exe" --finding_report--' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the diff --git a/ssa_detections/endpoint/ssa___windows_system_binary_proxy_execution_msiexec_remote_download.yml b/ssa_detections/endpoint/ssa___windows_system_binary_proxy_execution_msiexec_remote_download.yml index a4494465de..60829a59b0 100644 --- a/ssa_detections/endpoint/ssa___windows_system_binary_proxy_execution_msiexec_remote_download.yml +++ b/ssa_detections/endpoint/ssa___windows_system_binary_proxy_execution_msiexec_remote_download.yml 
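Review bot: `"%-y %"` and `"%/y %"` require the switch to be lower-case and followed by a space, so `msiexec /Y C:\x.dll` (Windows Installer switches are case-insensitive, to my knowledge) or a switch glued to a quoted argument is not matched if `LIKE` is case-sensitive in this dialect. Both patterns also fire on a `-y ` appearing anywhere in the command line, including inside a property value. `match(process_cmd_line, /(?i)(^|\s)[-\/]y(\s|$)/)=true` keeps the intent of a standalone `/y` or `-y` switch and folds case; if the engine lacks `\s`, use `[ \t]`.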
@@ -10,25 +10,15 @@ description: The following analytic identifies msiexec.exe with http in the comm triage, review parallel processes and capture any artifacts on disk for review. data_source: - Windows Security 4688 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where (like(process_cmd_line, "%https://%") OR like(process_cmd_line, "%http://%")) - AND process_file_name="msiexec.exe" --finding_report--' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | 
eval process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where (process_cmd_line LIKE "%https://%" + OR process_cmd_line LIKE "%http://%") AND process_file_name="msiexec.exe" --finding_report--' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the diff --git a/ssa_detections/endpoint/ssa___windows_system_binary_proxy_execution_msiexec_unregister_dll.yml b/ssa_detections/endpoint/ssa___windows_system_binary_proxy_execution_msiexec_unregister_dll.yml index e13bc11735..d63f023d28 100644 --- a/ssa_detections/endpoint/ssa___windows_system_binary_proxy_execution_msiexec_unregister_dll.yml +++ b/ssa_detections/endpoint/ssa___windows_system_binary_proxy_execution_msiexec_unregister_dll.yml 
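Review bot: The `"%https://%"` and `"%http://%"` substring tests in the new `where` clause are literal, so `msiexec /i HTTP://…` or `Https://…` is missed if `LIKE` is case-sensitive here. `match(process_cmd_line, /(?i)https?:\/\//)=true` covers both forms in any casing, with the slashes escaped inside the `/…/` literal. As written the search also fires on every legitimate `msiexec /i https://` deployment, so the expected baseline belongs in `how_to_implement` or `known_false_positives`; those lines are outside this hunk.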
@@ -10,25 +10,15 @@ description: The following analytic identifies the usage of msiexec.exe using th Upon triage, review parent process and capture any artifacts for further review. data_source: - Windows Security 4688 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where (like(process_cmd_line, "%-z %") OR like(process_cmd_line, "%/z %")) - AND process_file_name="msiexec.exe" --finding_report--' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval 
process_file_name = process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where (process_cmd_line LIKE "%-z %" + OR process_cmd_line LIKE "%/z %") AND process_file_name="msiexec.exe" --finding_report--' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the diff --git a/ssa_detections/endpoint/ssa___windows_wmiprvse_spawn_msbuild.yml b/ssa_detections/endpoint/ssa___windows_wmiprvse_spawn_msbuild.yml index 7d6d33ddad..f8a462ae4c 100644 --- a/ssa_detections/endpoint/ssa___windows_wmiprvse_spawn_msbuild.yml +++ b/ssa_detections/endpoint/ssa___windows_wmiprvse_spawn_msbuild.yml 
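Review bot: `"%-z %"` and `"%/z %"` are literal substrings, so `/Z` or `-Z` (Windows Installer switches are case-insensitive, to my knowledge) is not matched if `LIKE` is case-sensitive, and the trailing-space requirement drops a switch directly followed by a quote. `match(process_cmd_line, /(?i)(^|\s)[-\/]z(\s|$)/)=true` matches a standalone switch in any case and rejects a stray `-z ` inside another token. `process_file_name="msiexec.exe"` would then be the only case-sensitive term in the clause; fold it too if the source preserves casing.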
@@ -14,25 +14,15 @@ description: The following analytic identifies wmiprvse.exe spawning msbuild.exe powershell.exe is far less common and should be investigated. data_source: - Windows Security 4688 -search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", - null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", - null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval - process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), - "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", - null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) - | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval - actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), - "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), - "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", - null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), - "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), - "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", - null) | where process_file_name="MSBuild.exe" AND match_regex(actor_process_file_name, - /(?i)wmiprvse.exe/)=true --finding_report--' +search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval process_pid = process.pid | eval process_file = process.file | eval process_file_path + = process_file.path | eval process_file_name = 
process_file.name | eval process_cmd_line + = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name + | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid + | eval actor_process_file = actor_process.file | eval actor_process_file_path = + actor_process_file.path | eval actor_process_file_name = actor_process_file.name + | eval device_hostname = device.hostname | where process_file_name="MSBuild.exe" + AND match(actor_process_file_name, /(?i)wmiprvse.exe/)=true --finding_report--' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, diff --git a/stories/njrat.yml b/stories/njrat.yml new file mode 100644 index 0000000000..8076793ff8 --- /dev/null +++ b/stories/njrat.yml 
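Review bot: The child test `process_file_name="MSBuild.exe"` is exact and case-sensitive while the parent test `match(actor_process_file_name, /(?i)wmiprvse.exe/)=true` folds case, so the two halves of the new `where` clause disagree on whether `msbuild.exe` as recorded by the source is in scope. Fold both the same way, `match(process_file_name, /(?i)^msbuild\.exe$/)=true`, and anchor and escape the parent regex as `/(?i)^wmiprvse\.exe$/` so it states the exact image name rather than an unanchored substring with a wildcard dot. Whether `process.file.name` preserves invocation casing is not visible here; confirm before deciding which side to change.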
@@ -0,0 +1,26 @@
+name: NjRat
+id: f6d52454-6cf3-4759-9627-5868a3e2b2b1
+version: 2
+date: '2023-09-07'
+author: Teoderick Contreras, Splunk
+description: NjRat is a notorious remote access trojan (RAT) predominantly wielded by malicious operators to infiltrate and wield remote control over compromised systems.
+ This analytical story harnesses targeted search methodologies to uncover and investigate activities that could be indicative of NjRAT's presence.
+ These activities include tracking file write operations for dropped files, scrutinizing registry modifications aimed at establishing persistence mechanisms,
+ monitoring suspicious processes, self-deletion behaviors, browser credential parsing, firewall configuration alterations, spread itself via removable drive and an array of other potentially
+ malicious actions.
+narrative: NjRat is also known as Bladabindi malware that was first discovered in the wild in 2012. Since then this malware remain active and uses different campaign to spred its malware.
+ While its primary infection vectors are phishing attacks and drive-by downloads, it also has "worm" capability to spread itself via infected removable drives. This RAT has various of capabilities including
+ keylogging, webcam access, browser credential parsing, file upload and downloads, file and process list, service list, shell command execution, registry modification, screen capture, view the desktop of the infected computer and many more.
+ NjRat does not target any industry in particular, but attacking a wide variety of individuals and organizations to gather sensitive information.
+references:
+ - https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-malware/what-is-njrat-malware/#:~:text=NJRat%20%E2%80%94%20also%20known%20as%20Bladabindi,malware%20variant%20in%20March%202023.
+ - https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat
+tags:
+ analytic_story: NjRAT
+ category:
+ - Malware
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ usecase: Advanced Threat Detection
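Review bot: The story's `tags.analytic_story` value `NjRAT` does not match its `name: NjRat`; detections are linked to a story by this string, so unless the build normalizes case, detections tagged with one spelling will not be attached to the story declared with the other — pick one spelling, e.g. `analytic_story: NjRat`, and use it in the description too (`NjRAT's presence`). A brand-new file (`--- /dev/null`) starting at `version: 2` looks like a carry-over from elsewhere; if no earlier version was ever published, `version: 1` is the honest value. The Check Point reference carries a browser `#:~:text=` text-fragment that should be trimmed to the plain page URL. Minor wording issues in the narrative (`spred`, `remain active`, `various of capabilities`, `but attacking`) are worth fixing in the same pass.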
