From 56abb4064723f2a9a4d56b040b1096af5465ac0f Mon Sep 17 00:00:00 2001 From: pyth0n1c <87383215+pyth0n1c@users.noreply.github.com> Date: Fri, 29 Sep 2023 13:19:47 -0700 Subject: [PATCH] More observable fixes, including renaming fields in searchers. --- detections/endpoint/net_profiler_uac_bypass.yml | 2 +- .../network_share_discovery_via_dir_command.yml | 3 ++- detections/endpoint/powershell_4104_hunting.yml | 11 ++++++----- ...lgroup_discovery_with_script_block_logging.yml | 10 ++++++---- .../process_deleting_its_process_file_path.yml | 4 ++-- ...very_with_env_vars_powershell_script_block.yml | 15 +++++++++++---- ...n_layer_protocol_rms_radmin_tool_namedpipe.yml | 7 ++++--- ...ripting_interpreter_hunting_path_traversal.yml | 2 +- .../windows_identify_protocol_handlers.yml | 2 +- .../windows_linked_policies_in_adsi_discovery.yml | 10 ++++++---- detections/endpoint/windows_nirsoft_utilities.yml | 2 +- ...windows_non_system_account_targeting_lsass.yml | 7 ++++--- ...ows_raw_access_to_master_boot_record_drive.yml | 5 +++-- ...dows_root_domain_linked_policies_discovery.yml | 13 ++++++++----- .../endpoint/windows_service_stop_win_updates.yml | 5 +++-- ...of_invalid_users_failed_to_auth_using_ntlm.yml | 10 ++++++---- .../endpoint/windows_wmi_impersonate_token.yml | 4 ++-- 17 files changed, 67 insertions(+), 45 deletions(-) diff --git a/detections/endpoint/net_profiler_uac_bypass.yml b/detections/endpoint/net_profiler_uac_bypass.yml index 0416cdfd38..f732b50f99 100644 --- a/detections/endpoint/net_profiler_uac_bypass.yml +++ b/detections/endpoint/net_profiler_uac_bypass.yml @@ -39,7 +39,7 @@ tags: - T1548 observable: - name: dest - type: Hostname + type: Endpoint role: - Victim product: diff --git a/detections/endpoint/network_share_discovery_via_dir_command.yml b/detections/endpoint/network_share_discovery_via_dir_command.yml index 89b49c88d7..2eeefdcb1a 100644 --- a/detections/endpoint/network_share_discovery_via_dir_command.yml 
+++ b/detections/endpoint/network_share_discovery_via_dir_command.yml @@ -15,6 +15,7 @@ description: The following analytic identifies object access on Windows administ this behavior to try to infect other machines in the infected network. search: '`wineventlog_security` EventCode=5140 ShareName IN("\\\\*\\ADMIN$","\\\\*\\C$","*\\\\*\\IPC$") AccessMask= 0x1 | stats min(_time) as firstTime max(_time) as lastTime count by ShareName IpAddress ObjectType SubjectUserName SubjectDomainName IpPort AccessMask Computer + | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `network_share_discovery_via_dir_command_filter`' @@ -39,7 +40,7 @@ tags: mitre_attack_id: - T1135 observable: - - name: Computer + - name: dest type: Endpoint role: - Victim diff --git a/detections/endpoint/powershell_4104_hunting.yml b/detections/endpoint/powershell_4104_hunting.yml index 5bcfe78032..308bea7338 100644 --- a/detections/endpoint/powershell_4104_hunting.yml +++ b/detections/endpoint/powershell_4104_hunting.yml @@ -39,7 +39,8 @@ search: '`powershell` EventCode=4104 | eval DoIt = if(match(ScriptBlockText,"(?i mimikatz, iex, empire, rundll32, webclient, syswow64, httplocal, reflection, invokewmi, invokecmd, base64, get | stats values(Score) by UserID, Computer, DoIt, enccom, compressed, downgrade, iex, mimikatz, rundll32, empire, webclient, syswow64, httplocal, reflection, invokewmi, - invokecmd, base64, get, suspcmdlet, suspkeywrd | `powershell_4104_hunting_filter`' + invokecmd, base64, get, suspcmdlet, suspkeywrd | rename Computer as dest, UserID as user + | `powershell_4104_hunting_filter`' how_to_implement: The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. 
@@ -63,17 +64,17 @@ tags: asset_type: Endpoint confidence: 100 impact: 80 - message: Powershell was identified on endpoint $Computer$ by user $UserID$ executing suspicious commands. + message: Powershell was identified on endpoint $host$ by user $user$ executing suspicious commands. mitre_attack_id: - T1059 - T1059.001 observable: - - name: UserID + - name: user type: User role: - Victim - - name: Computer - type: Hostname + - name: dest + type: Endpoint role: - Victim product: diff --git a/detections/endpoint/powershell_get_localgroup_discovery_with_script_block_logging.yml b/detections/endpoint/powershell_get_localgroup_discovery_with_script_block_logging.yml index d6351797cf..4441d860a5 100644 --- a/detections/endpoint/powershell_get_localgroup_discovery_with_script_block_logging.yml +++ b/detections/endpoint/powershell_get_localgroup_discovery_with_script_block_logging.yml @@ -22,7 +22,9 @@ data_source: - Powershell 4104 search: '`powershell` EventCode=4104 ScriptBlockText = "*get-localgroup*" | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode - ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + ScriptBlockText | rename Computer as dest, UserID as user + | `security_content_ctime(firstTime)` + |`security_content_ctime(lastTime)` | `powershell_get_localgroup_discovery_with_script_block_logging_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here @@ -41,16 +43,16 @@ tags: asset_type: Endpoint confidence: 50 impact: 30 - message: Local group discovery on $Computer$ by $UserID$. + message: Local group discovery on endpoint $dest$ by user $user$. mitre_attack_id: - T1069 - T1069.001 observable: - - name: Computer + - name: dest type: Endpoint role: - Victim - - name: UserID + - name: user type: User role: - Victim 
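Review bot: The rewritten message line references `$host$`, but the search in the previous hunk now emits `dest` (via `rename Computer as dest`) and the observable renamed just below is also `dest`, so `$host$` is never substituted when the notable fires. Change it to `message: Powershell was identified on endpoint $dest$ by user $user$ executing suspicious commands.` so the message, the renamed fields and the observable agree. The powershell_get_localgroup hunks on the same line already use the `$dest$`/`$user$` pair consistently.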
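Review bot: Style: in the powershell_get_localgroup search the new segment that invokes the `security_content_ctime(lastTime)` macro is written as `|` immediately followed by the macro, without the space that every other pipe segment in these hunks carries; the same form appears in the windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm hunk on its `_filter` macro line. Both parse, but `| ` followed by the macro keeps the searches uniform and easier to grep.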
diff --git a/detections/endpoint/process_deleting_its_process_file_path.yml b/detections/endpoint/process_deleting_its_process_file_path.yml index 97f37ae181..10c7d047c7 100644 --- a/detections/endpoint/process_deleting_its_process_file_path.yml +++ b/detections/endpoint/process_deleting_its_process_file_path.yml @@ -42,12 +42,12 @@ tags: confidence: 100 impact: 60 message: A process $Image$ tries to delete its process path in commandline $CommandLine$ - as part of defense evasion in host $dest$ + as part of defense evasion in host $dest$ by user $user$ mitre_attack_id: - T1070 observable: - name: dest - type: Hostname + type: Endpoint role: - Victim - name: user diff --git a/detections/endpoint/user_discovery_with_env_vars_powershell_script_block.yml b/detections/endpoint/user_discovery_with_env_vars_powershell_script_block.yml index 245ee554b9..30329070ac 100644 --- a/detections/endpoint/user_discovery_with_env_vars_powershell_script_block.yml +++ b/detections/endpoint/user_discovery_with_env_vars_powershell_script_block.yml 
@@ -14,8 +14,11 @@ data_source: - Powershell 4104 search: '`powershell` EventCode=4104 (ScriptBlockText = "*$env:UserName*" OR ScriptBlockText = "*[System.Environment]::UserName*") | stats count min(_time) as firstTime max(_time) - as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `user_discovery_with_env_vars_powershell_script_block_filter`' + as lastTime by EventCode ScriptBlockText Computer user_id + | rename Computer as dest, user_id as user + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `user_discovery_with_env_vars_powershell_script_block_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. @@ -29,14 +32,18 @@ tags: asset_type: Endpoint confidence: 50 impact: 30 - message: System user discovery on $Computer$ + message: System user discovery on endpoint $dest$ by user $user$ mitre_attack_id: - T1033 observable: - - name: Computer + - name: dest type: Endpoint role: - Victim + - name: user + type: User + role: + - Victim product: - Splunk Enterprise - Splunk Enterprise Security diff --git a/detections/endpoint/windows_application_layer_protocol_rms_radmin_tool_namedpipe.yml b/detections/endpoint/windows_application_layer_protocol_rms_radmin_tool_namedpipe.yml index a56e648ad4..081d51ad6e 100644 --- a/detections/endpoint/windows_application_layer_protocol_rms_radmin_tool_namedpipe.yml +++ b/detections/endpoint/windows_application_layer_protocol_rms_radmin_tool_namedpipe.yml 
@@ -16,8 +16,9 @@ description: The following analytic identifies the use of default or publicly kn data_source: [] search: '`sysmon` EventCode IN (17, 18) EventType IN ( "CreatePipe", "ConnectPipe") PipeName IN ("\\RManFUSServerNotify32", "\\RManFUSCallbackNotify32", "\\RMSPrint*") - | stats min(_time) as firstTime max(_time) as lastTime count by Image EventType - ProcessId PipeName dest UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | stats min(_time) as firstTime max(_time) as lastTime count by Image EventType ProcessId PipeName dest UserID + | rename UserID as user + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_application_layer_protocol_rms_radmin_tool_namedpipe_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your @@ -34,7 +35,7 @@ tags: asset_type: Endpoint confidence: 90 impact: 90 - message: possible RMS admin tool named pipe was created in $Computer$ + message: possible RMS admin tool named pipe was created in endpoint $dest$ mitre_attack_id: - T1071 observable: diff --git a/detections/endpoint/windows_command_and_scripting_interpreter_hunting_path_traversal.yml b/detections/endpoint/windows_command_and_scripting_interpreter_hunting_path_traversal.yml index 7488e771d8..2d5a54ea7d 100644 --- a/detections/endpoint/windows_command_and_scripting_interpreter_hunting_path_traversal.yml +++ b/detections/endpoint/windows_command_and_scripting_interpreter_hunting_path_traversal.yml @@ -50,7 +50,7 @@ tags: - T1059 observable: - name: dest - type: Hostname + type: Endpoint role: - Victim product: diff --git a/detections/endpoint/windows_identify_protocol_handlers.yml b/detections/endpoint/windows_identify_protocol_handlers.yml index 544251cf40..b09b6d20c0 100644 --- a/detections/endpoint/windows_identify_protocol_handlers.yml 
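Review bot: The search now produces `user` (via the added `rename UserID as user`), yet the rewritten message names only `$dest$`, and the second hunk ends at `observable:` so it is not visible whether a matching `user` observable exists. If the rename is meant to expose the user, the message should read `message: possible RMS admin tool named pipe was created in endpoint $dest$ by user $user$` with a `- name: user` / `type: User` entry under `observable:`; if not, the rename is dead weight and can be dropped. The observable block continues outside the hunk, so this is inferred from what is shown.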
+++ b/detections/endpoint/windows_identify_protocol_handlers.yml @@ -57,7 +57,7 @@ tags: role: - Victim - name: dest - type: Hostname + type: Endpoint role: - Victim - name: parent_process_name diff --git a/detections/endpoint/windows_linked_policies_in_adsi_discovery.yml b/detections/endpoint/windows_linked_policies_in_adsi_discovery.yml index 29bee5ec15..1d870fb407 100644 --- a/detections/endpoint/windows_linked_policies_in_adsi_discovery.yml +++ b/detections/endpoint/windows_linked_policies_in_adsi_discovery.yml @@ -14,7 +14,9 @@ data_source: search: '`powershell` EventCode=4104 ScriptBlockText = "*[adsisearcher]*" ScriptBlockText = "*objectcategory=organizationalunit*" ScriptBlockText = "*findAll()*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText - Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + Computer user_id + | rename Computer as dest, user_id as user + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_linked_policies_in_adsi_discovery_filter`' how_to_implement: The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or @@ -31,13 +33,13 @@ tags: asset_type: Endpoint confidence: 50 impact: 50 - message: powershell process having commandline $ScriptBlockText$ for user enumeration on $Computer$ + message: Windows PowerShell [Adsisearcher] was used user enumeration on $user$ mitre_attack_id: - T1087.002 - T1087 observable: - - name: Computer - type: Hostname + - name: dest + type: Endpoint role: - Victim product: diff --git a/detections/endpoint/windows_nirsoft_utilities.yml b/detections/endpoint/windows_nirsoft_utilities.yml index 136a4d60cc..16da2d053d 100644 --- a/detections/endpoint/windows_nirsoft_utilities.yml +++ b/detections/endpoint/windows_nirsoft_utilities.yml 
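Review bot: In windows_linked_policies_in_adsi_discovery the new message references `$user$`, but the observable list in the second hunk declares only `dest`, so the account the message points at is never modeled as an observable, and the `$dest$` reference present in the old message was dropped. The text is also ungrammatical ("was used user enumeration"). Suggest `message: Windows PowerShell [Adsisearcher] was used for user enumeration on endpoint $dest$ by user $user$` and a `- name: user` / `type: User` / `role: - Victim` entry under `observable:`, mirroring the user_discovery_with_env_vars hunk.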
@@ -48,7 +48,7 @@ tags: role: - Victim - name: dest - type: Hostname + type: Endpoint role: - Victim - name: parent_process_name diff --git a/detections/endpoint/windows_non_system_account_targeting_lsass.yml b/detections/endpoint/windows_non_system_account_targeting_lsass.yml index 888d0fe315..17646c3e74 100644 --- a/detections/endpoint/windows_non_system_account_targeting_lsass.yml +++ b/detections/endpoint/windows_non_system_account_targeting_lsass.yml @@ -14,8 +14,9 @@ data_source: - Sysmon Event ID 1 search: '`sysmon` EventCode=10 TargetImage=*lsass.exe NOT (SourceUser="NT AUTHORITY\\*") | stats count min(_time) as firstTime max(_time) as lastTime by dest, parent_process_name, parent_process_path ,parent_process_id, TargetImage, - GrantedAccess, SourceUser, TargetUser | rename TargetUser - as user | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` + GrantedAccess, SourceUser, TargetUser + | rename TargetUser as user + | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_non_system_account_targeting_lsass_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your @@ -46,7 +47,7 @@ tags: role: - Victim - name: dest - type: Hostname + type: Endpoint role: - Victim - name: parent_process_path diff --git a/detections/endpoint/windows_raw_access_to_master_boot_record_drive.yml b/detections/endpoint/windows_raw_access_to_master_boot_record_drive.yml index 0eaf79518a..b39af95943 100644 --- a/detections/endpoint/windows_raw_access_to_master_boot_record_drive.yml +++ b/detections/endpoint/windows_raw_access_to_master_boot_record_drive.yml 
@@ -15,6 +15,7 @@ data_source: search: '`sysmon` EventCode=9 Device = \\Device\\Harddisk0\\DR0 NOT (Image IN("*\\Windows\\System32\\*", "*\\Windows\\SysWOW64\\*")) | stats count min(_time) as firstTime max(_time) as lastTime by dest Image Device ProcessGuid ProcessId EventDescription EventCode + | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_raw_access_to_master_boot_record_drive_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the raw access read event (like sysmon eventcode 9), process name and @@ -40,13 +41,13 @@ tags: asset_type: Endpoint confidence: 100 impact: 90 - message: process accessing MBR $device$ on $Computer$ + message: process accessing MBR $device$ on $dest$ mitre_attack_id: - T1561.002 - T1561 observable: - name: dest - type: Hostname + type: Endpoint role: - Victim product: diff --git a/detections/endpoint/windows_root_domain_linked_policies_discovery.yml b/detections/endpoint/windows_root_domain_linked_policies_discovery.yml index 3d17582330..a1126b491e 100644 --- a/detections/endpoint/windows_root_domain_linked_policies_discovery.yml +++ b/detections/endpoint/windows_root_domain_linked_policies_discovery.yml 
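Review bot: The added `| rename Computer as dest` is a no-op: the preceding `stats ... by dest Image Device ProcessGuid ...` already groups on `dest` and does not carry `Computer` through, so there is nothing to rename at that point. Either drop the line or place the rename before `stats` if the raw Sysmon events carry `Computer` rather than `dest`. Separately, the rewritten message still uses `$device$` while the field emitted by the stats is `Device`; Splunk field names are case-sensitive, so the token should be `$Device$` for substitution to work.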
@@ -13,8 +13,11 @@ data_source: - Powershell 4104 search: '`powershell` EventCode=4104 ScriptBlockText = "*[adsisearcher]*" ScriptBlockText = "*.SearchRooT*" ScriptBlockText = "*.gplink*" | stats count min(_time) as firstTime - max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `windows_root_domain_linked_policies_discovery_filter`' + max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | + | rename Computer as dest, user_id as user + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_root_domain_linked_policies_discovery_filter`' how_to_implement: The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. @@ -30,13 +33,13 @@ tags: asset_type: Endpoint confidence: 50 impact: 50 - message: powershell process having commandline $ScriptBlockText$ for user enumeration on $Computer$ + message: Windows PowerShell [Adsisearcher] was used user enumeration on endpoint $dest$ mitre_attack_id: - T1087.002 - T1087 observable: - - name: Computer - type: Hostname + - name: dest + type: Endpoint role: - Victim product: diff --git a/detections/endpoint/windows_service_stop_win_updates.yml b/detections/endpoint/windows_service_stop_win_updates.yml index 7782d42eac..52fac9b2c0 100644 --- a/detections/endpoint/windows_service_stop_win_updates.yml +++ b/detections/endpoint/windows_service_stop_win_updates.yml 
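Review bot: The rewritten search contains an empty pipeline segment: the line ending `... Computer user_id |` is followed by `| rename Computer as dest, user_id as user`, producing `| |`, which Splunk rejects as a parse error. Remove the trailing pipe from the `max(_time) as lastTime by EventCode ScriptBlockText Computer user_id` line. The new message is also ungrammatical and no longer mentions the user even though `user` is now produced; `message: Windows PowerShell [Adsisearcher] was used for user enumeration on endpoint $dest$ by user $user$` would match the renamed fields.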
@@ -15,6 +15,7 @@ search: '`wineventlog_system` EventCode=7040 (service_name IN ("Update Orchestrator Service for Windows Update", "WaaSMedicSvc", "Windows Update") OR param1 IN ("UsoSvc", "WaaSMedicSvc", "wuauserv")) AND (param3=disabled OR start_mode = disabled) | stats count min(_time) as firstTime max(_time) as lastTime by Computer Error_Code service_name start_mode param1 param2 param3 param4 + | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_stop_win_updates_filter`' @@ -30,11 +31,11 @@ tags: asset_type: Endpoint confidence: 70 impact: 70 - message: Windows update services $service_name$ was being disabled on $Computer$ + message: Windows update services $service_name$ was being disabled on $dest$ mitre_attack_id: - T1489 observable: - - name: Computer + - name: dest type: Endpoint role: - Victim diff --git a/detections/endpoint/windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm.yml b/detections/endpoint/windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm.yml index 89c7842f63..672f37230a 100644 --- a/detections/endpoint/windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm.yml +++ b/detections/endpoint/windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm.yml @@ -43,7 +43,9 @@ search: ' `wineventlog_security` EventCode=4776 TargetUserName!=*$ Status=0xc000 as tried_accounts by _time, Workstation | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by Workstation | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) - | search isOutlier=1 | `windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm_filter`' + | search isOutlier=1 + | rename Workstation as src + |`windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm_filter`' status: production tags: analytic_story: 
@@ -52,15 +54,15 @@ tags: asset_type: Endpoint confidence: 70 impact: 70 - message: Potential NTLM based password spraying attack from $Workstation$ + message: Potential NTLM based password spraying attack from $src$ mitre_attack_id: - T1110.003 - T1110 observable: - - name: Workstation + - name: src + type: Endpoint role: - Attacker - type: Endpoint product: - Splunk Enterprise - Splunk Enterprise Security diff --git a/detections/endpoint/windows_wmi_impersonate_token.yml b/detections/endpoint/windows_wmi_impersonate_token.yml index 04e952eebb..c550f23c1c 100644 --- a/detections/endpoint/windows_wmi_impersonate_token.yml +++ b/detections/endpoint/windows_wmi_impersonate_token.yml @@ -35,12 +35,12 @@ tags: confidence: 50 impact: 50 message: wmiprvse.exe process having a duplicate or full Granted Access $GrantedAccess$ - to $TargetImage$ process in $Computer$ + to $TargetImage$ process in $dest$ mitre_attack_id: - T1047 observable: - name: dest - type: Hostname + type: Endpoint role: - Victim product: