Updating Github with Content from ESCU - v4.30.0

contentctl.yml

@@ -6,7 +6,7 @@ build:
   path_root: dist
   prefix: ESCU
   build: 004210
-  version: 4.29.0
+  version: 4.30.0
   label: ES Content Updates
   author_name: Splunk Threat Research Team
   author_email: research@splunk.com

dist/DA-ESS-ContentUpdate/app.manifest

@@ -5,7 +5,7 @@
     "id": {
       "group": null, 
       "name": "DA-ESS-ContentUpdate", 
-      "version": "4.29.0"
+      "version": "4.30.0"
     }, 
     "author": [
       {

dist/DA-ESS-ContentUpdate/default/app.conf

@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2024-04-04T18:45:26 UTC
+# On Date: 2024-04-17T22:08:10 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############
@@ -10,7 +10,7 @@
 is_configured = false
 state = enabled
 state_change_requires_restart = false
-build = 20240404184345
+build = 20240417220604
 
 [triggers]
 reload.analytic_stories = simple
@@ -26,7 +26,7 @@ reload.es_investigations = simple
 
 [launcher]
 author = Splunk
-version = 4.29.0 
+version = 4.30.0 
 description = Explore the Analytic Stories included with ES Content Updates.
 
 [ui]

dist/DA-ESS-ContentUpdate/default/collections.conf

@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2024-04-04T18:45:26 UTC
+# On Date: 2024-04-17T22:08:10 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############

dist/DA-ESS-ContentUpdate/default/content-version.conf

@@ -1,8 +1,8 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2024-04-04T18:45:26 UTC
+# On Date: 2024-04-17T22:08:10 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############
 [content-version]
-version = 4.29.0 
+version = 4.30.0 

dist/DA-ESS-ContentUpdate/default/es_investigations.conf

@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2024-04-04T18:45:26 UTC
+# On Date: 2024-04-17T22:08:10 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############

dist/DA-ESS-ContentUpdate/default/macros.conf

@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2024-04-04T18:45:26 UTC
+# On Date: 2024-04-17T22:08:10 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############
@@ -1629,10 +1629,6 @@ description = Update this macro to limit the output results to filter out false
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
 
-[okta_user_logins_from_multiple_cities_filter]
-definition = search *
-description = Update this macro to limit the output results to filter out false positives.
-
 [open_redirect_in_splunk_web_filter]
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.

dist/DA-ESS-ContentUpdate/default/transforms.conf

@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2024-04-04T18:45:26 UTC
+# On Date: 2024-04-17T22:08:10 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############

dist/DA-ESS-ContentUpdate/default/workflow_actions.conf

@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2024-04-04T18:45:26 UTC
+# On Date: 2024-04-17T22:08:10 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############

dist/api/version.json

@@ -1 +1 @@
-{"version": {"name": "v4.29.0", "published_at": "2024-04-04T18:48:50Z"}}
+{"version": {"name": "v4.30.0", "published_at": "2024-04-17T22:11:55Z"}}

dist/ssa/srs/ssa___windows_rename_system_utilities_acccheckconsole_exe_lolbas_in_non_standard_path.yml

@@ -1,12 +1,13 @@
 name: Windows Rename System Utilities Acccheckconsole exe LOLBAS in Non Standard Path
 id: c842931e-661f-42bc-a4df-0460d93cfb69
-version: 4
+version: 5
 status: production
 detection_type: STREAMING
 description: The following analytic identifies AccCheckConsole.exe which is a native
   living off the land binary or script (LOLBAS) within the Windows operating system
   that may be abused by adversaries by moving it to a new directory. The list of binaries
-  was derived from the https://lolbas-project.github.io site.
+  was derived from the https://lolbas-project.github.io site. The specific default
+  filepath for AccCheckConsole.exe is within "C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\".
 search: ' $main = from source  | eval timestamp = time  | eval metadata_uid = metadata.uid  |
   eval process_pid = process.pid | eval process_file = process.file | eval process_file_path
   = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line
@@ -15,7 +16,7 @@ search: ' $main = from source  | eval timestamp = time  | eval metadata_uid = me
   | eval actor_process_file = actor_process.file | eval actor_process_file_path =
   actor_process_file.path | eval actor_process_file_name = actor_process_file.name
   | eval device_hostname = device.hostname | where process_file_name="acccheckconsole.exe"
-  AND (NOT match(process_file_path, /(?i)\\program files (x86)\\windows kits\\10\\bin\\10.0.22000.0\\arm64\\accchecker/)=true)
+  AND (NOT match(process_file_path, /(?i)\\program files \(x86\)\\windows kits\\10\\bin\\10.0.22000.0\\(x86|x64|arm|arm64)\\accchecker\\/)=true)
   
   | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}],
     time = timestamp,
@@ -55,7 +56,7 @@ known_false_positives: False positives may be present and filtering may be requi
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.yaml
 - https://attack.mitre.org/techniques/T1036/003/
-- https://lolbas-project.github.io/
+- https://lolbas-project.github.io/lolbas/OtherMSBinaries/AccCheckConsole/
 tags:
   required_fields:
   - process.pid

dist/ssa/srs/ssa___windows_rename_system_utilities_adplus_exe_lolbas_in_non_standard_path.yml

@@ -1,12 +1,13 @@
 name: Windows Rename System Utilities Adplus exe LOLBAS in Non Standard Path
 id: ecaaf956-c516-4980-b08e-8c01c19614ca
-version: 4
+version: 5
 status: production
 detection_type: STREAMING
 description: The following analytic identifies adplus.exe which is a native living
   off the land binary or script (LOLBAS) within the Windows operating system that
   may be abused by adversaries by moving it to a new directory. The list of binaries
-  was derived from the https://lolbas-project.github.io site.
+  was derived from the https://lolbas-project.github.io site. The specific default
+  filepath for adplus.exe is within "C:\Program Files (x86)\Windows Kits\10\Debuggers".
 search: ' $main = from source  | eval timestamp = time  | eval metadata_uid = metadata.uid  |
   eval process_pid = process.pid | eval process_file = process.file | eval process_file_path
   = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line
@@ -15,7 +16,7 @@ search: ' $main = from source  | eval timestamp = time  | eval metadata_uid = me
   | eval actor_process_file = actor_process.file | eval actor_process_file_path =
   actor_process_file.path | eval actor_process_file_name = actor_process_file.name
   | eval device_hostname = device.hostname | where process_file_name="adplus.exe"
-  AND (NOT match(process_file_path, /(?i)\\program files (x86)\\windows kits\\10\\debuggers\\x86/)=true)
+  AND (NOT match(process_file_path, /(?i)\\program files \(x86\)\\windows kits\\10\\debuggers\\(x86|x64|arm|arm64)\\/)=true)
   
   | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}],
     time = timestamp,
@@ -55,7 +56,7 @@ known_false_positives: False positives may be present and filtering may be requi
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.yaml
 - https://attack.mitre.org/techniques/T1036/003/
-- https://lolbas-project.github.io/
+- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/
 tags:
   required_fields:
   - process.pid

dist/ssa/srs/ssa___windows_rename_system_utilities_advpack_dll_lolbas_in_non_standard_path.yml

@@ -1,12 +1,13 @@
 name: Windows Rename System Utilities Advpack dll LOLBAS in Non Standard Path
 id: 3284e4f4-67f7-49b6-ad5e-a8fcead2eef8
-version: 4
+version: 5
 status: production
 detection_type: STREAMING
 description: The following analytic identifies Advpack.dll which is a native living
   off the land binary or script (LOLBAS) within the Windows operating system that
   may be abused by adversaries by moving it to a new directory. The list of binaries
-  was derived from the https://lolbas-project.github.io site.
+  was derived from the https://lolbas-project.github.io site. The specific default
+  filepath for advpack.dll is within either "C:\Windows\System32" or "C:\Windows\SysWOW64".
 search: ' $main = from source  | eval timestamp = time  | eval metadata_uid = metadata.uid  |
   eval process_pid = process.pid | eval process_file = process.file | eval process_file_path
   = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line
@@ -15,7 +16,8 @@ search: ' $main = from source  | eval timestamp = time  | eval metadata_uid = me
   | eval actor_process_file = actor_process.file | eval actor_process_file_path =
   actor_process_file.path | eval actor_process_file_name = actor_process_file.name
   | eval device_hostname = device.hostname | where process_file_name="advpack.dll"
-  AND (NOT match(process_file_path, /(?i)\\windows\\syswow64/)=true) 
+  AND (NOT match(process_file_path, /(?i)\\windows\\(syswow64|system32)\\/)=true)
+  
   | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}],
     time = timestamp,
     evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source},
@@ -54,7 +56,7 @@ known_false_positives: False positives may be present and filtering may be requi
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.yaml
 - https://attack.mitre.org/techniques/T1036/003/
-- https://lolbas-project.github.io/
+- https://lolbas-project.github.io/lolbas/Libraries/Advpack/
 tags:
   required_fields:
   - process.pid

dist/ssa/srs/ssa___windows_rename_system_utilities_agentexecutor_exe_lolbas_in_non_standard_path.yml

@@ -1,12 +1,14 @@
 name: Windows Rename System Utilities Agentexecutor exe LOLBAS in Non Standard Path
 id: e124f71f-11bc-47e4-9931-6046d256005d
-version: 4
+version: 5
 status: production
 detection_type: STREAMING
 description: The following analytic identifies AgentExecutor.exe which is a native
   living off the land binary or script (LOLBAS) within the Windows operating system
   that may be abused by adversaries by moving it to a new directory. The list of binaries
-  was derived from the https://lolbas-project.github.io site.
+  was derived from the https://lolbas-project.github.io site. The specific default
+  filepath for AgentExecutor.exe should be "C:\Program Files (x86)\Microsoft Intune
+  Management Extension".
 search: ' $main = from source  | eval timestamp = time  | eval metadata_uid = metadata.uid  |
   eval process_pid = process.pid | eval process_file = process.file | eval process_file_path
   = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line
@@ -15,7 +17,8 @@ search: ' $main = from source  | eval timestamp = time  | eval metadata_uid = me
   | eval actor_process_file = actor_process.file | eval actor_process_file_path =
   actor_process_file.path | eval actor_process_file_name = actor_process_file.name
   | eval device_hostname = device.hostname | where process_file_name="agentexecutor.exe"
-  AND (NOT match(process_file_path, /(?i)\\program files (x86)/)=true) 
+  AND (NOT match(process_file_path, /(?i)\\program files (x86)\\microsoft intune management
+  extension\\/)=true) 
   | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}],
     time = timestamp,
     evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source},
@@ -54,7 +57,7 @@ known_false_positives: False positives may be present and filtering may be requi
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.yaml
 - https://attack.mitre.org/techniques/T1036/003/
-- https://lolbas-project.github.io/
+- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/
 tags:
   required_fields:
   - process.pid

dist/ssa/srs/ssa___windows_rename_system_utilities_appinstaller_exe_lolbas_in_non_standard_path.yml

@@ -1,12 +1,13 @@
 name: Windows Rename System Utilities Appinstaller exe LOLBAS in Non Standard Path
 id: 057c06c7-ef31-4749-b5c9-199152e53a06
-version: 4
+version: 5
 status: production
 detection_type: STREAMING
 description: The following analytic identifies AppInstaller.exe which is a native
   living off the land binary or script (LOLBAS) within the Windows operating system
   that may be abused by adversaries by moving it to a new directory. The list of binaries
-  was derived from the https://lolbas-project.github.io site.
+  was derived from the https://lolbas-project.github.io site. The specific default
+  filepath for AppInstaller.exe should be in "C:\Program Files\WindowsApps\".
 search: ' $main = from source  | eval timestamp = time  | eval metadata_uid = metadata.uid  |
   eval process_pid = process.pid | eval process_file = process.file | eval process_file_path
   = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line
@@ -15,7 +16,7 @@ search: ' $main = from source  | eval timestamp = time  | eval metadata_uid = me
   | eval actor_process_file = actor_process.file | eval actor_process_file_path =
   actor_process_file.path | eval actor_process_file_name = actor_process_file.name
   | eval device_hostname = device.hostname | where process_file_name="appinstaller.exe"
-  AND (NOT match(process_file_path, /(?i)\\program files\\windowsapps\\microsoft.desktopappinstaller_1.11.2521.0_x64__8wekyb3d8bbwe/)=true)
+  AND (NOT match(process_file_path, /(?i)\\program files\\windowsapps\\microsoft.desktopappinstaller_/)=true)
   
   | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}],
     time = timestamp,
@@ -55,7 +56,7 @@ known_false_positives: False positives may be present and filtering may be requi
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.yaml
 - https://attack.mitre.org/techniques/T1036/003/
-- https://lolbas-project.github.io/
+- https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/
 tags:
   required_fields:
   - process.pid

dist/ssa/srs/ssa___windows_rename_system_utilities_appvlp_exe_lolbas_in_non_standard_path.yml

@@ -1,12 +1,13 @@
 name: Windows Rename System Utilities Appvlp exe LOLBAS in Non Standard Path
 id: 93862a89-abe0-4094-909a-08ec390aa5e3
-version: 4
+version: 5
 status: production
 detection_type: STREAMING
 description: The following analytic identifies Appvlp.exe which is a native living
   off the land binary or script (LOLBAS) within the Windows operating system that
   may be abused by adversaries by moving it to a new directory. The list of binaries
-  was derived from the https://lolbas-project.github.io site.
+  was derived from the https://lolbas-project.github.io site. The specific default
+  filepath for Appvlp.exe should be "C:\Program Files\Microsoft Office\root\client".
 search: ' $main = from source  | eval timestamp = time  | eval metadata_uid = metadata.uid  |
   eval process_pid = process.pid | eval process_file = process.file | eval process_file_path
   = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line
@@ -15,7 +16,7 @@ search: ' $main = from source  | eval timestamp = time  | eval metadata_uid = me
   | eval actor_process_file = actor_process.file | eval actor_process_file_path =
   actor_process_file.path | eval actor_process_file_name = actor_process_file.name
   | eval device_hostname = device.hostname | where process_file_name="appvlp.exe"
-  AND (NOT match(process_file_path, /(?i)\\program files (x86)\\microsoft office\\root\\client/)=true)
+  AND (NOT match(process_file_path, /(?i)\\program files(| \(x86\))\\microsoft office\\root\\client/)=true)
   
   | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}],
     time = timestamp,
@@ -55,7 +56,7 @@ known_false_positives: False positives may be present and filtering may be requi
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.yaml
 - https://attack.mitre.org/techniques/T1036/003/
-- https://lolbas-project.github.io/
+- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Appvlp/
 tags:
   required_fields:
   - process.pid

dist/ssa/srs/ssa___windows_rename_system_utilities_aspnet_compiler_exe_lolbas_in_non_standard_path.yml

@@ -1,12 +1,13 @@
 name: Windows Rename System Utilities Aspnet compiler exe LOLBAS in Non Standard Path
 id: d75cc561-3828-4d0a-92c4-0eb93bfe0929
-version: 4
+version: 5
 status: production
 detection_type: STREAMING
 description: The following analytic identifies Aspnet_Compiler.exe which is a native
   living off the land binary or script (LOLBAS) within the Windows operating system
   that may be abused by adversaries by moving it to a new directory. The list of binaries
-  was derived from the https://lolbas-project.github.io site.
+  was derived from the https://lolbas-project.github.io site. The specific default
+  filepath for the Aspnet_compiler.exe should be in "C:\Windows\Microsoft.NET\Framework\".
 search: ' $main = from source  | eval timestamp = time  | eval metadata_uid = metadata.uid  |
   eval process_pid = process.pid | eval process_file = process.file | eval process_file_path
   = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line
@@ -15,7 +16,7 @@ search: ' $main = from source  | eval timestamp = time  | eval metadata_uid = me
   | eval actor_process_file = actor_process.file | eval actor_process_file_path =
   actor_process_file.path | eval actor_process_file_name = actor_process_file.name
   | eval device_hostname = device.hostname | where process_file_name="aspnet_compiler.exe"
-  AND (NOT match(process_file_path, /(?i)\\windows\\microsoft.net\\framework64\\v4.0.30319/)=true)
+  AND (NOT match(process_file_path, /(?i)\\windows\\microsoft.net\\(framework|framework64)\\v[0-9]+\.[0-9]+\.[0-9]+\\/)=true)
   
   | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}],
     time = timestamp,
@@ -55,7 +56,7 @@ known_false_positives: False positives may be present and filtering may be requi
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.yaml
 - https://attack.mitre.org/techniques/T1036/003/
-- https://lolbas-project.github.io/
+- https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/
 tags:
   required_fields:
   - process.pid