Commit

Merge branch 'develop' of github.com:splunk/security-content into develop
josehelps committed Dec 11, 2019
2 parents 570fd7f + 54b0e8a commit 8148eef
Showing 11 changed files with 34 additions and 37 deletions.
9 changes: 4 additions & 5 deletions docs/splunk_docs_categories.wiki
@@ -244,7 +244,7 @@ The detection searches in this Analytic Story are designed to help you uncover A
====References====
* https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf
* https://blog.redlock.io/cryptojacking-tesla
* https://redlock.io/blog/cryptojacking-tesla
creation_date = 2018-03-12

@@ -1371,7 +1371,7 @@ The search in this story can help you to detect if attackers are abusing your co
====References====
* https://www.us-cert.gov/ncas/alerts/TA13-088A
* https://www.cloudflare.com/learning/ddos/dns-amplification-ddos-attack/
* https://www.imperva.com/learn/application-security/dns-amplification/
creation_date = 2016-08-24

@@ -2646,7 +2646,7 @@ If there is evidence of lateral movement, it is imperative for analysts to colle
* DE.CM
====References====
* https://www.binarydefense.com/bds/reliably-detecting-pass-the-hash-through-event-log-analysis/
* https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis
* https://www.fireeye.com/blog/executive-perspective/2015/08/malware_lateral_move.html
creation_date = 2016-09-13
@@ -2850,8 +2850,7 @@ If behavioral searches included in this story yield positive hits, iDefense reco
* DE.CM
====References====
* https://intelgraph.idefense.com/#/node/threat_group/view/29fbec10-8cc8-4662-8362-2c24c1eeb74c
* https://intelgraph.idefense.com/#/node/intelligence_alert/view/62bb3669-9386-4264-b51a-59876cf50ffe
* https://www.infosecurity-magazine.com/news/scope-of-mudcarp-attacks-highlight-1/
* http://blog.amossys.fr/badflick-is-not-so-bad.html
creation_date = 2018-07-24
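Review bot: the two intelgraph.idefense.com references removed here are replaced by a single infosecurity-magazine news item, so the story's threat-group attribution now rests on secondary reporting while the story is still maintained by iDefense; if the intent is only to avoid login-gated links, consider keeping one primary iDefense reference alongside the public article rather than dropping both.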
9 changes: 4 additions & 5 deletions docs/stories_categories.md
@@ -311,7 +311,7 @@ The detection searches in this Analytic Story are designed to help you uncover A

##### References
* https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf
* https://blog.redlock.io/cryptojacking-tesla
* https://redlock.io/blog/cryptojacking-tesla

### Cloud Cryptomining
* id = `3b96d13c-fdc7-45dd-b3ad-c132b31cdd2a`
@@ -1550,7 +1550,7 @@ Network_Resolution

##### References
* https://www.us-cert.gov/ncas/alerts/TA13-088A
* https://www.cloudflare.com/learning/ddos/dns-amplification-ddos-attack/
* https://www.imperva.com/learn/application-security/dns-amplification/

### Data Protection
* id = `91c676cf-0b23-438d-abee-f6335e1fce33`
@@ -3043,7 +3043,7 @@ Endpoint
* company = davidd@splunk.com

##### References
* https://www.binarydefense.com/bds/reliably-detecting-pass-the-hash-through-event-log-analysis/
* https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis
* https://www.fireeye.com/blog/executive-perspective/2015/08/malware_lateral_move.html

### Malicious PowerShell
@@ -3262,8 +3262,7 @@ Endpoint
* company = iDefense.IntelOps@accenture.com

##### References
* https://intelgraph.idefense.com/#/node/threat_group/view/29fbec10-8cc8-4662-8362-2c24c1eeb74c
* https://intelgraph.idefense.com/#/node/intelligence_alert/view/62bb3669-9386-4264-b51a-59876cf50ffe
* https://www.infosecurity-magazine.com/news/scope-of-mudcarp-attacks-highlight-1/
* http://blog.amossys.fr/badflick-is-not-so-bad.html

### SQL Injection
2 changes: 1 addition & 1 deletion package/app.manifest
@@ -5,7 +5,7 @@
"id": {
"group": null,
"name": "DA-ESS-ContentUpdate",
"version": "1.0.45"
"version": "1.0.46"
},
"author": [
{
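Review bot: the version string is bumped to 1.0.46 here and again in package/default/app.conf ([launcher] stanza) and package/default/content-version.conf within this same diff; all three agree, but since they are hand-kept in three places, confirm the release step derives them from one source so a future bump cannot leave the manifest and content-version.conf out of sync.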
10 changes: 5 additions & 5 deletions package/default/analytic_stories.conf
@@ -1,6 +1,6 @@
#############
# Automatically generated by generator.py in splunk/security-content
# On Date: 2019-11-26T19:56:51 UTC
# On Date: 2019-12-10T20:37:52 UTC
# Author: Splunk Security Research
# Contact: research@splunk.com
#############
@@ -83,7 +83,7 @@ creation_date = 2018-03-12
modification_date = 2018-03-12
id = 2e8948a5-5239-406b-b56b-6c50f1269af3
version = 1.0
reference = ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf", "https://blog.redlock.io/cryptojacking-tesla"]
reference = ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf", "https://redlock.io/blog/cryptojacking-tesla"]
detection_searches = ["ESCU - Detect API activity from users without MFA - Rule", "ESCU - Detect AWS API Activities From Unapproved Accounts - Rule", "ESCU - Detect Spike in AWS API Activity - Rule", "ESCU - Detect Spike in Security Group Activity - Rule", "ESCU - Detect new API calls from user roles - Rule"]
mappings = {"cis20": ["CIS 1", "CIS 16"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["Credential Access", "Execution"], "nist": ["DE.CM", "DE.DP", "ID.AM", "PR.AC"]}
investigative_searches = ["ESCU - Get Notable History", "ESCU - Get Notable Info", "ESCU - Investigate AWS User Activities by user field"]
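Review bot: this reference URL change is repeated verbatim in four generated artifacts in this diff (both docs files and both analyticstories conf files), yet none of the 11 changed files is a story definition under stories/; because the file header states it is "Automatically generated by generator.py", confirm the story source carries the new redlock.io URL too, otherwise the next generator run will revert these hunks.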
@@ -307,7 +307,7 @@ creation_date = 2016-08-24
modification_date = 2016-09-13
id = e8afd39e-3294-11e6-b39d-a45e60c6700
version = 1.0
reference = ["https://www.us-cert.gov/ncas/alerts/TA13-088A", "https://www.cloudflare.com/learning/ddos/dns-amplification-ddos-attack/"]
reference = ["https://www.us-cert.gov/ncas/alerts/TA13-088A", "https://www.imperva.com/learn/application-security/dns-amplification/"]
detection_searches = ["ESCU - Large Volume of DNS ANY Queries - Rule"]
mappings = {"cis20": ["CIS 11", "CIS 12"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": [], "nist": ["DE.AE", "PR.IP", "PR.PT"]}
investigative_searches = ["ESCU - Get Notable History", "ESCU - Get Notable Info", "ESCU - Get Risk Modifiers For Endpoint", "ESCU - Get Risk Modifiers For User"]
@@ -479,7 +479,7 @@ creation_date = 2016-09-13
modification_date = 2018-05-31
id = 399d65dc-1f08-499b-a259-aad9051f38ad
version = 1.0
reference = ["https://www.binarydefense.com/bds/reliably-detecting-pass-the-hash-through-event-log-analysis/", "https://www.fireeye.com/blog/executive-perspective/2015/08/malware_lateral_move.html"]
reference = ["https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis", "https://www.fireeye.com/blog/executive-perspective/2015/08/malware_lateral_move.html"]
detection_searches = ["ESCU - Detect Activity Related to Pass the Hash Attacks - Rule", "ESCU - Remote Desktop Network Traffic - Rule", "ESCU - Remote Desktop Process Running On System - Rule", "ESCU - Remote Registry Key modifications - Rule", "ESCU - Schtasks scheduling job on remote system - Rule"]
mappings = {"cis20": ["CIS 16", "CIS 3", "CIS 5", "CIS 8", "CIS 9"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["Commonly Used Port", "Defense Evasion", "Execution", "Lateral Movement", "Pass the Hash", "Persistence", "Remote Desktop Protocol", "Remote Services", "Scheduled Task"], "nist": ["DE.AE", "DE.CM", "PR.AC", "PR.AT", "PR.IP", "PR.PT"]}
investigative_searches = ["ESCU - Get Authentication Logs For Endpoint", "ESCU - Get Notable History", "ESCU - Get Notable Info", "ESCU - Get Parent Process Info", "ESCU - Get Process Info", "ESCU - Get Process Information For Port Activity", "ESCU - Get Registry Activities", "ESCU - Get Risk Modifiers For Endpoint", "ESCU - Get Risk Modifiers For User", "ESCU - Get User Information from Identity Table", "ESCU - Investigate Successful Remote Desktop Authentications"]
@@ -635,7 +635,7 @@ creation_date = 2018-07-24
modification_date = 2018-07-24
id = 988C59C5-0A1C-45B6-A555-0C62276E327E
version = 1.0
reference = ["https://intelgraph.idefense.com/#/node/threat_group/view/29fbec10-8cc8-4662-8362-2c24c1eeb74c", "https://intelgraph.idefense.com/#/node/intelligence_alert/view/62bb3669-9386-4264-b51a-59876cf50ffe", "http://blog.amossys.fr/badflick-is-not-so-bad.html"]
reference = ["https://www.infosecurity-magazine.com/news/scope-of-mudcarp-attacks-highlight-1/", "http://blog.amossys.fr/badflick-is-not-so-bad.html"]
detection_searches = ["ESCU - First time seen command line argument - Rule", "ESCU - Malicious PowerShell Process - Connect To Internet With Hidden Window - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Unusually Long Command Line - MLTK - Rule", "ESCU - Unusually Long Command Line - Rule"]
mappings = {"cis20": ["CIS 3", "CIS 7", "CIS 8"], "kill_chain_phases": ["Actions on Objectives", "Command and Control"], "mitre_attack": ["AppInit DLLs", "Authentication Package", "Command-Line Interface", "Execution", "Persistence", "PowerShell", "Registry Run Keys / Start Folder", "Scripting"], "nist": ["DE.AE", "DE.CM", "PR.IP", "PR.PT"]}
investigative_searches = ["ESCU - Get Authentication Logs For Endpoint", "ESCU - Get Notable History", "ESCU - Get Notable Info", "ESCU - Get Parent Process Info", "ESCU - Get Process Info", "ESCU - Get Registry Activities", "ESCU - Get Risk Modifiers For Endpoint", "ESCU - Get Risk Modifiers For User", "ESCU - Get User Information from Identity Table", "ESCU - Investigate Web Activity From Host"]
10 changes: 5 additions & 5 deletions package/default/analyticstories.conf
@@ -1,6 +1,6 @@
#############
# Automatically generated by generator.py in splunk/security-content
# On Date: 2019-11-26T19:32:14 UTC
# On Date: 2019-12-10T20:37:52 UTC
# Author: Splunk Security Research
# Contact: research@splunk.com
#############
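Review bot: the old generation stamp in this file (2019-11-26T19:32:14 UTC) differs from the 19:56:51 UTC stamp the other generated conf files carried, which means the previous release was assembled from two separate generator runs; this hunk brings all five generated files to the same 2019-12-10T20:37:52 UTC stamp, which is the right outcome, but it is worth checking in the release procedure that a single generator.py invocation always produces the full set.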
@@ -61,7 +61,7 @@ This Analytic Story was designed to provide you with flexibility in the precisio
category = Cloud Security
last_updated = 2018-03-12
version = 1.0
references = ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf", "https://blog.redlock.io/cryptojacking-tesla"]
references = ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf", "https://redlock.io/blog/cryptojacking-tesla"]
maintainers = [{"company": "Splunk", "email": "bpatel@splunk.com", "name": "Bhavin Patel"}]
spec_version = 2
searches = ["ESCU - Detect API activity from users without MFA - Rule", "ESCU - Detect AWS API Activities From Unapproved Accounts - Rule", "ESCU - Detect Spike in AWS API Activity - Rule", "ESCU - Detect Spike in Security Group Activity - Rule", "ESCU - Detect new API calls from user roles - Rule", "ESCU - Get Notable History", "ESCU - Get Notable Info", "ESCU - Investigate AWS User Activities by user field", "ESCU - Baseline of API Calls per User ARN", "ESCU - Baseline of Security Group Activity by ARN", "ESCU - Create a list of approved AWS service accounts", "ESCU - Previously seen API call per user roles in CloudTrail"]
@@ -225,7 +225,7 @@ Suspicious activities--spikes in SMB traffic, processes that launch netsh (to mo
category = Abuse
last_updated = 2016-09-13
version = 1.0
references = ["https://www.us-cert.gov/ncas/alerts/TA13-088A", "https://www.cloudflare.com/learning/ddos/dns-amplification-ddos-attack/"]
references = ["https://www.us-cert.gov/ncas/alerts/TA13-088A", "https://www.imperva.com/learn/application-security/dns-amplification/"]
maintainers = [{"company": "Splunk", "email": "bpatel@splunk.com", "name": "Bhavin Patel"}]
spec_version = 2
searches = ["ESCU - Large Volume of DNS ANY Queries - Rule", "ESCU - Get Notable History", "ESCU - Get Notable Info", "ESCU - Get Risk Modifiers For Endpoint", "ESCU - Get Risk Modifiers For User"]
@@ -352,7 +352,7 @@ It can also be helpful to examine various behaviors of and the parent of the pro
category = Adversary Tactics
last_updated = 2018-05-31
version = 1.0
references = ["https://www.binarydefense.com/bds/reliably-detecting-pass-the-hash-through-event-log-analysis/", "https://www.fireeye.com/blog/executive-perspective/2015/08/malware_lateral_move.html"]
references = ["https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis", "https://www.fireeye.com/blog/executive-perspective/2015/08/malware_lateral_move.html"]
maintainers = [{"company": "Splunk", "email": "davidd@splunk.com", "name": "David Dorsey"}]
spec_version = 2
searches = ["ESCU - Detect Activity Related to Pass the Hash Attacks - Rule", "ESCU - Remote Desktop Network Traffic - Rule", "ESCU - Remote Desktop Process Running On System - Rule", "ESCU - Remote Registry Key modifications - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Get Authentication Logs For Endpoint", "ESCU - Get Notable History", "ESCU - Get Notable Info", "ESCU - Get Parent Process Info", "ESCU - Get Process Info", "ESCU - Get Process Information For Port Activity", "ESCU - Get Registry Activities", "ESCU - Get Risk Modifiers For Endpoint", "ESCU - Get Risk Modifiers For User", "ESCU - Get User Information from Identity Table", "ESCU - Investigate Successful Remote Desktop Authentications", "ESCU - Identify Systems Creating Remote Desktop Traffic", "ESCU - Identify Systems Receiving Remote Desktop Traffic", "ESCU - Identify Systems Using Remote Desktop"]
@@ -468,7 +468,7 @@ This Analytic Story focuses on detecting signs that a malicious payload has been
category = Adversary Tactics
last_updated = 2018-07-24
version = 1.0
references = ["https://intelgraph.idefense.com/#/node/threat_group/view/29fbec10-8cc8-4662-8362-2c24c1eeb74c", "https://intelgraph.idefense.com/#/node/intelligence_alert/view/62bb3669-9386-4264-b51a-59876cf50ffe", "http://blog.amossys.fr/badflick-is-not-so-bad.html"]
references = ["https://www.infosecurity-magazine.com/news/scope-of-mudcarp-attacks-highlight-1/", "http://blog.amossys.fr/badflick-is-not-so-bad.html"]
maintainers = [{"company": "iDefense", "email": "iDefense.IntelOps@accenture.com", "name": "iDefense Cyber Espionage Team"}]
spec_version = 2
searches = ["ESCU - First time seen command line argument - Rule", "ESCU - Malicious PowerShell Process - Connect To Internet With Hidden Window - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Unusually Long Command Line - MLTK - Rule", "ESCU - Unusually Long Command Line - Rule", "ESCU - Get Authentication Logs For Endpoint", "ESCU - Get Notable History", "ESCU - Get Notable Info", "ESCU - Get Parent Process Info", "ESCU - Get Process Info", "ESCU - Get Registry Activities", "ESCU - Get Risk Modifiers For Endpoint", "ESCU - Get Risk Modifiers For User", "ESCU - Get User Information from Identity Table", "ESCU - Investigate Web Activity From Host", "ESCU - Baseline of Command Line Length - MLTK", "ESCU - Previously seen command line arguments"]
4 changes: 2 additions & 2 deletions package/default/app.conf
@@ -4,7 +4,7 @@
is_configured = false
state = enabled
state_change_requires_restart = false
build = 3109
build = 3213

[triggers]
reload.analytic_stories = simple
@@ -20,7 +20,7 @@ reload.content-version = simple

[launcher]
author = Splunk
version = 1.0.45
version = 1.0.46
description = Explore the Analytic Stories included with ES Content Updates.

[ui]
2 changes: 1 addition & 1 deletion package/default/content-version.conf
@@ -1,2 +1,2 @@
[content-version]
version = 1.0.45
version = 1.0.46
11 changes: 5 additions & 6 deletions package/default/macros.conf
@@ -1,6 +1,6 @@
#############
# Automatically generated by generator.py in splunk/security-content
# On Date: 2019-11-26T19:56:51 UTC
# On Date: 2019-12-10T20:37:52 UTC
# Author: Splunk Security Research
# Contact: research@splunk.com
#############
@@ -141,11 +141,10 @@ description = This macro limits the output to files that have been identified as
definition = eval domain=trim(domain,"*") | search NOT[| inputlookup domains] NOT[ |inputlookup cim_corporate_email_domain_lookup] NOT[inputlookup cim_corporate_web_domain_lookup] | eval domain="*"+domain+"*"
description = This macro removes valid domains from the output

# runstory functionality was moved to https://github.com/splunk/analytic_story_execution
# [runstory(1)]
# args = story_name
# definition = runstory story=$story_name$ | table name, num_search_results, description, kill_chain_phases, mitre_attack
# description = This macro takes an analytic story name and runs it
[runstory(1)]
args = story_name
definition = runstory story=$story_name$ | table name, num_search_results, description, kill_chain_phases, mitre_attack
description = This macro takes an analytic story name and runs it

[securityGroupAPIs]
definition = (eventName=AuthorizeSecurityGroupIngress OR eventName=CreateSecurityGroup OR eventName=DeleteSecurityGroup OR eventName=DescribeClusterSecurityGroups OR eventName=DescribeDBSecurityGroups OR eventName=DescribeSecurityGroupReferences OR eventName=DescribeSecurityGroups OR eventName=DescribeStaleSecurityGroups OR eventName=RevokeSecurityGroupIngress OR eventName=UpdateSecurityGroupRuleDescriptionsIngress)
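Review bot: this hunk re-enables the [runstory(1)] macro and deletes the comment stating that runstory functionality was moved to https://github.com/splunk/analytic_story_execution, which looks like a merge resolution that resurrected the older version of the stanza rather than a deliberate change; please confirm it is intended, because the macro's definition invokes the custom `runstory` search command, and on an installation without that separate app a search expanding this macro will fail at runtime. If the deprecation stands, keep the commented-out block and the pointer comment as they were.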
2 changes: 1 addition & 1 deletion package/default/savedsearches.conf
@@ -1,6 +1,6 @@
#############
# Automatically generated by generator.py in splunk/security-content
# On Date: 2019-11-26T19:56:51 UTC
# On Date: 2019-12-10T20:37:52 UTC
# Author: Splunk Security Research
# Contact: research@splunk.com
#############
2 changes: 1 addition & 1 deletion package/default/transforms.conf
@@ -1,6 +1,6 @@
#############
# Automatically generated by generator.py in splunk/security-content
# On Date: 2019-11-26T19:56:51 UTC
# On Date: 2019-12-10T20:37:52 UTC
# Author: Splunk Security Research
# Contact: research@splunk.com
#############