Branch was auto-updated.

.gitignore

@@ -1,8 +1,16 @@
 # Ignore example files from contentctl tool
-
+apps/
+test_results/
 detections/*/.yml.example
 stories/*.yml.example
 tests/*/*.yml.example
+artifacts/
+contentctl/*
+dist/DA-ESS-ContentUpdate-*.tar.gz
+dist/DA-ESS-ContentUpdate.tar.gz
+dist/ContentPack-*.appinspect_api_results.html
+dist/ContentPack-*.appinspect_api_results.json
+
 
 # IDE
 .vscode/

.gitlab-ci.yml

@@ -1,27 +1,20 @@
+default:
+  image: docker-hub.repo.splunkdev.net/python:3.9
+
 stages:
-  - publish_build_to_pre_qa
+  - validate
+  - generate
+  - app_inspect
+  - release
+
+include:
+  - local: "pipeline/.validate.yml"
+  - local: "pipeline/.generate.yml"
+  - local: "pipeline/.app_inspect.yml"
+  - local: "pipeline/.release.yml"
 
-publish_build_to_pre_qa:
-  stage: publish_build_to_pre_qa
-  artifacts:
-    when: always
-    paths:
-      - artifacts/*
-  image: python:3.8-alpine
-  before_script:
-    - apk add --update --no-cache make curl bash git
-    - curl -L https://github.com/screwdriver-cd/gitversion/releases/download/v1.1.1/gitversion_linux_amd64 -o /usr/local/bin/gitversion && chmod +x /usr/local/bin/gitversion
-    - eval $(ssh-agent -s)
-  script:
-    - mkdir -p artifacts
-    - pip install requests
-    - VERSION=$(git tag --sort=-creatordate | head -n 1)
-    - echo "Build Version - $VERSION"
-    - python security_content_automation/publish_build_to_pre_qa/publish_build_to_pre_qa.py --version $VERSION --builds DA-ESS-ContentUpdate SSA_Content
-  after_script:
-    - cp publish_build_to_pre_qa.log artifacts/publish_build_to_pre_qa.log
+workflow:
   rules:
-    - if: '$CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]$/'
-      when: always
-    - if: '$CI_PIPELINE_SOURCE == "schedule"'
-      when: always
+    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
+    - if: $CI_COMMIT_TAG
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH

.gitmodules

@@ -0,0 +1,4 @@
+[submodule "contentctl"]
+	path = contentctl
+	url = https://github.com/splunk/contentctl.git
+	ignore = all

bin/contentctl_project/contentctl_core/domain/entities/detection.py

@@ -193,14 +193,3 @@ def tests_validate(cls, v, values):
             )
         return v
 
-    @validator("experimental", always=True)
-    def experimental_validate(cls, v, values):
-        if DetectionStatus(values["status"]) == DetectionStatus.experimental:
-            return True
-        return False
-
-    @validator("deprecated", always=True)
-    def deprecated_validate(cls, v, values):
-        if DetectionStatus(values["status"]) == DetectionStatus.deprecated:
-            return True
-        return False

bin/contentctl_project/contentctl_infrastructure/adapter/templates/savedsearches_detections.j2

@@ -5,7 +5,7 @@
 [ESCU - {{ detection.name }} - Rule]
 action.escu = 0
 action.escu.enabled = 1
-{% if detection.deprecated %}
+{% if detection.status == "deprecated" %}
 description = WARNING, this detection has been marked deprecated by the Splunk Threat Research team, this means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. {{ detection.description }} 
 {% else %}
 description = {{ detection.description }}
@@ -52,7 +52,7 @@ cron_schedule = {{ detection.deployment.scheduling.cron_schedule }}
 dispatch.earliest_time = {{ detection.deployment.scheduling.earliest_time }}
 dispatch.latest_time = {{ detection.deployment.scheduling.latest_time }}
 action.correlationsearch.enabled = 1
-{% if detection.deprecated %}
+{% if detection.status == "deprecated" %}
 action.correlationsearch.label = ESCU - Deprecated - {{ detection.name }} - Rule
 {% elif detection.type | lower == "correlation" %}
 action.correlationsearch.label = ESCU - RIR - {{ detection.name }} - Rule

contentctl.yml

@@ -0,0 +1,22 @@
+build:
+  name: DA-ESS-ContentUpdate
+  path_root: dist
+  prefix: ESCU
+  build: 004150
+  version: 4.14.1
+  label: ES Content Updates
+  author_name: Splunk Threat Research Team
+  author_email: research@splunk.com
+  author_company: Splunk
+  description: Explore the Analytic Stories included with ES Content Updates.
+  splunk_app: {}
+  json_objects: null
+  ba_objects: null
+build_ssa:
+  path_root: 'dist/ssa'
+build_api:
+  path_root: 'dist/api'
+enrichments:
+  attack_enrichment: false
+  cve_enrichment: false
+  splunk_app_enrichment: false

contentctl_test.yml

@@ -0,0 +1,70 @@
+version_control_config: null
+infrastructure_config:
+  infrastructure_type: container
+  full_image_path: registry.hub.docker.com/splunk/splunk:latest
+post_test_behavior: always_pause
+mode: all
+detections_list: null
+splunkbase_username: null
+splunkbase_password: null
+apps:
+- uid: 6176
+  appid: Splunk_TA_linux_sysmon
+  title: Add-on for Linux Sysmon
+  description: null
+  release: 1.0.4
+  local_path: null
+  http_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/add-on-for-linux-sysmon_104.tgz
+  splunkbase_path: null
+  environment_path: ENVIRONMENT_PATH_NOT_SET
+  force_local: false
+- uid: 742
+  appid: Splunk_TA_windows
+  title: Splunk Add-on for Microsoft Windows
+  description: null
+  release: 8.5.0
+  local_path: null
+  http_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-add-on-for-microsoft-windows_850_PATCHED.tgz
+  splunkbase_path: null
+  environment_path: ENVIRONMENT_PATH_NOT_SET
+  force_local: false
+- uid: 5709
+  appid: Splunk_TA_microsoft_sysmon
+  title: Splunk Add-on for Sysmon
+  description: null
+  release: 3.0.0
+  local_path: null
+  http_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-add-on-for-sysmon_300.tgz
+  splunkbase_path: null
+  environment_path: ENVIRONMENT_PATH_NOT_SET
+  force_local: false
+- uid: 833
+  appid: Splunk_TA_nix
+  title: Splunk Add-on for Unix and Linux
+  description: null
+  release: 8.7.0
+  local_path: null
+  http_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-add-on-for-unix-and-linux_860.tgz
+  splunkbase_path: null
+  environment_path: ENVIRONMENT_PATH_NOT_SET
+  force_local: false
+- uid: 2734
+  appid: utbox
+  title: URL Toolbox
+  description: null
+  release: 1.9.2
+  local_path: null
+  http_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/url-toolbox_192.tgz
+  splunkbase_path: null
+  environment_path: ENVIRONMENT_PATH_NOT_SET
+  force_local: false
+- uid: 1621
+  appid: Splunk_SA_CIM
+  title: Splunk Common Information Model (CIM)
+  description: null
+  release: 5.0.2
+  local_path: null
+  http_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-common-information-model-cim_501.tgz
+  splunkbase_path: null
+  environment_path: ENVIRONMENT_PATH_NOT_SET
+  force_local: false

detections/application/splunk_absolute_path_traversal_using_runshellscript.yml

@@ -7,7 +7,7 @@ status: production
 type: Hunting
 data_source: []
 description: In Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, an attacker can exploit an absolute path traversal to execute arbitrary code that is located on a separate disk.
-search: > 
+search: >- 
   `splunk_python` *runshellscript* 
   | eval log_split=split(_raw, "runshellscript: ")
   | eval array_raw = mvindex(log_split,1)

detections/endpoint/7zip_commandline_to_smb_share_path.yml

@@ -1,5 +1,5 @@
 name: 7zip CommandLine To SMB Share Path
-id: 01d29b48-ff6f-11eb-b81e-acde48001122
+id: 01d29b48-ff6f-11eb-b81e-acde48001123
 version: 1
 date: '2021-08-17'
 author: Teoderick Contreras, Splunk

detections/endpoint/icedid_exfiltrated_archived_file_creation.yml

@@ -27,7 +27,7 @@ tags:
   asset_type: Endpoint
   confidence: 90
   impact: 80
-  message: Process $process_name$ create a file $TargetImage$ on host $dest$
+  message: Process $process_name$ create a file $TargetFilename$ on host $dest$
   mitre_attack_id:
   - T1560.001
   - T1560

detections/endpoint/kerberos_tgt_request_using_rc4_encryption.yml

@@ -17,8 +17,11 @@ description: The following analytic leverages Event 4768, A Kerberos authenticat
   ticket may be used to obtain unauthorized access to systems and other network resources.
 data_source:
 - Windows Security 4768
-search: ' `wineventlog_security` EventCode=4768 Ticket_Encryption_Type=0x17 Account_Name!=*$
-  | `kerberos_tgt_request_using_rc4_encryption_filter` '
+search: ' `wineventlog_security` EventCode=4768 Ticket_Encryption_Type=0x17 Account_Name!=*$ 
+  | stats count min(_time) as firstTime max(_time) as lastTime by Account_Name Client_Address dest
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)` 
+  | `kerberos_tgt_request_using_rc4_encryption_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting
   Domain Controller and Kerberos events. The Advanced Security Audit policy setting
   `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.

detections/endpoint/rundll32_dnsquery.yml

@@ -29,8 +29,7 @@ tags:
   asset_type: Endpoint
   confidence: 80
   impact: 70
-  message: rundll32 process $process_name$ having a dns query to $QueryName$ in host
-    $dest$
+  message: rundll32 process $process_name$ made a DNS query for $query$ from host $dest$
   mitre_attack_id:
   - T1218
   - T1218.011

detections/endpoint/windows_admin_permission_discovery.yml

@@ -16,7 +16,7 @@ description: This analytic is developed to identify suspicious file creation in
   similar techniques to assess the privileges of their running malware instances, without using token privilege API calls or PowerShell commandlets.
 search: '|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem 
   where Filesystem.file_name IN ("*.exe", "*.dll", "*.sys", "*.com", "*.vbs", "*.vbe", "*.js", "*.bat", "*.cmd", "*.pif", "*.lnk", "*.dat") 
-  by Filesystem.dest Filesystem.file_create_time Filesystem.process_id Filesystem.process_guiid Filesystem.file_name Filesystem.file_path Filesystem.user 
+  by Filesystem.dest Filesystem.file_create_time Filesystem.process_id Filesystem.process_guid Filesystem.file_name Filesystem.file_path Filesystem.user 
   | `drop_dm_object_name(Filesystem)` 
   | eval dropped_file_path = split(file_path, "\\") 
   | eval dropped_file_path_split_count = mvcount(dropped_file_path) 
@@ -26,7 +26,7 @@ search: '|tstats `security_content_summariesonly` count min(_time) as firstTime
   | `windows_admin_permission_discovery_filter`'
 how_to_implement: To successfully implement this search you need to be ingesting information on process that 
   include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.
-known_false_positives: administrator is capable of dropping files in root C drive.
+known_false_positives: False positives may occur if there are legitimate accounts with the privilege to drop files in the root of the C drive. It's recommended to verify the legitimacy of such actions and the accounts involved.
 references:
 - https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat
 tags:
@@ -64,6 +64,9 @@ tags:
   - Filesystem.process_id
   - Filesystem.file_name
   - Filesystem.user
+  - Filesystem.dest
+  - Filesystem.process_guid
+  - Filesystem.file_path
   security_domain: endpoint
 tests:
 - name: True Positive Test

detections/web/citrix_adc_and_gateway_unauthorized_data_disclosure.yml

@@ -0,0 +1,66 @@
+name: Citrix ADC and Gateway Unauthorized Data Disclosure
+id: b593cac5-dd20-4358-972a-d945fefdaf17
+version: 1
+date: '2023-10-24'
+author: Michael Haag, Splunk
+status: production
+type: TTP
+data_source: []
+description: The following analytic detects attempts to exploit the Citrix Bleed vulnerability, which can lead to the leaking of session tokens. The vulnerability, identified as CVE-2023-4966, pertains to sensitive information disclosure in NetScaler ADC and NetScaler Gateway when set up as various server configurations. The analytic specifically searches for HTTP requests with a 200 status code targeting the /oauth/idp/.well-known/openid-configuration URL endpoint. By parsing web traffic and filtering based on the aforementioned criteria along with specific user agent details, HTTP method, source and destination IPs, and the sourcetype, the analytic aims to identify potentially malicious requests that fit the profile of this exploit. \
+
+  This behavior is essential for a Security Operations Center (SOC) to identify because if successfully exploited, attackers can gain unauthorized access, leading to a potential breach or further malicious activities within the organization's network. As the Citrix Bleed vulnerability can disclose session tokens, a successful exploit can allow attackers to impersonate legitimate users, bypassing authentication mechanisms and accessing sensitive data or systems. \
+
+  If a true positive is confirmed, it implies that an attacker is actively exploiting the vulnerability within the organization's environment. This could lead to severe consequences, including unauthorized data access, further propagation within the network, and potential disruptions or exfiltration of critical information. \
+
+  Upon flagging such activity, it's crucial for analysts to swiftly validate the alert, assess the nature and extent of the exposure, and implement necessary measures to mitigate the threat. Reviewing the details such as user agent, source, and destination IP can help in understanding the context and intent of the attack. While it's imperative to patch vulnerable systems to prevent this exploitation, early detection through this analytic provides a valuable layer of defense, enabling timely response to thwart potential breaches.
+search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*/oauth/idp/.well-known/openid-configuration*")  Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype
+  | `drop_dm_object_name("Web")` 
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)` | `citrix_adc_and_gateway_unauthorized_data_disclosure_filter`'
+how_to_implement: This detection requires the Web datamodel to be populated from a
+  supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk
+  for Palo Alto. We recommend hunting in the environment first to understand the scope of the issue and then deploying this detection to monitor for future exploitation attempts. Limit or restrict to Citrix devices only if possible.
+known_false_positives: False positives may be present based on organization use of Citrix ADC and Gateway. Filter, or restrict the analytic to Citrix devices only.
+references:
+  - https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966
+  - https://github.com/assetnote/exploits/tree/main/citrix/CVE-2023-4966
+tags:
+  analytic_story:
+  - Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966
+  asset_type: Web server
+  atomic_guid: []
+  confidence: 90
+  impact: 100
+  message: Possible exploitation of Citrix Bleed vulnerability against $dest$ fron $src$.
+  mitre_attack_id:
+  - T1190
+  observable:
+  - name: dest
+    type: IP Address
+    role:
+    - Victim
+  - name: src
+    type: IP Address
+    role:
+    - Attacker
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  risk_score: 90
+  required_fields:
+  - Web.http_user_agent
+  - Web.status
+  - Web.http_method
+  - Web.url
+  - Web.url_length
+  - Web.src
+  - Web.dest
+  - sourcetype
+  security_domain: network
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/citrix/cve-2023-4966-citrix.log
+    source: suricata
+    sourcetype: suricata

detections/web/confluence_cve_2023_22515_trigger_vulnerability.yml

@@ -1,18 +1,18 @@
 name: Confluence CVE-2023-22515 Trigger Vulnerability
 id: 630ea8b2-2800-4f5d-9cbc-d65c567349b0
-version: 1
-date: '2023-10-12'
+version: 2
+date: '2023-10-23'
 author: Michael Haag, Splunk
 status: production
 type: TTP
 data_source: []
 description: The following analytic identifies potential exploitation attempts on a known vulnerability in Atlassian Confluence, targeting the /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false* and /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=0& URLs. By analyzing web logs within the Splunk 'Web' Data Model, it filters for successful accesses (HTTP status 200) to these vulnerable endpoints. Such behavior is crucial for a SOC to monitor, as it suggests attackers might be exploiting a privilege escalation flaw in Confluence. A true positive implies a possible unauthorized access or account creation with escalated privileges. Key details captured include user-agent, HTTP methods, URL length, and source and destination IPs. These insights aid SOCs in swiftly detecting and responding to threats, ensuring vulnerabilities are mitigated before substantial compromise.
-search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("/server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false*","/server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=0&*") Web.http_method=GET Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype
+search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*/server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false*","*/server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=0&*") Web.http_method=GET Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype
   | `drop_dm_object_name("Web")`
   | `security_content_ctime(firstTime)` 
   | `security_content_ctime(lastTime)` | `confluence_cve_2023_22515_trigger_vulnerability_filter`'
 how_to_implement: To successfully implement this search you need to be ingesting information
-  on Web traffic that include fields relavent for traffic into the `Web` datamodel.
+  on Web traffic that include fields relavent for traffic into the `Web` datamodel. Tested with Suricata and nginx:plus:kv. 
 known_false_positives: False positives may be present with legitimate applications.
   Attempt to filter by dest IP or use Asset groups to restrict to Confluence servers.
 references: