Merge pull request #2910 from splunk/gitlab_release_v4.15.0

Gitlab release v4.15.0
splunk · Nov 1, 2023 · dfd7454 · dfd7454
2 parents a907039 + 698d9b7
commit dfd7454
Show file tree

Hide file tree

Showing 159 changed files with 3,249 additions and 1,562 deletions.
diff --git a/contentctl b/contentctl
diff --git a/contentctl.yml b/contentctl.yml
@@ -0,0 +1,25 @@
+build:
+  #Temporary fix to support testing. The following
+  #line will be reverted soon
+  title: DA-ESS-ContentUpdate
+  name: DA-ESS-ContentUpdate
+  path_root: dist
+  prefix: ESCU
+  build: 004150
+  version: 4.15.0
+  label: ES Content Updates
+  author_name: Splunk Threat Research Team
+  author_email: research@splunk.com
+  author_company: Splunk
+  description: Explore the Analytic Stories included with ES Content Updates.
+  splunk_app: {}
+  json_objects: null
+  ba_objects: null
+build_ssa:
+  path_root: 'dist/ssa'
+build_api:
+  path_root: 'dist/api'
+enrichments:
+  attack_enrichment: true
+  cve_enrichment: true
+  splunk_app_enrichment: false
diff --git a/contentctl_test.yml b/contentctl_test.yml
@@ -0,0 +1,70 @@
+version_control_config: {}
+infrastructure_config:
+  infrastructure_type: container
+  full_image_path: registry.hub.docker.com/splunk/splunk:latest
+post_test_behavior: always_pause
+mode: all
+detections_list: null
+splunkbase_username: null
+splunkbase_password: null
+apps:
+- uid: 6176
+  appid: Splunk_TA_linux_sysmon
+  title: Add-on for Linux Sysmon
+  description: null
+  release: 1.0.4
+  local_path: null
+  http_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/add-on-for-linux-sysmon_104.tgz
+  splunkbase_path: null
+  environment_path: ENVIRONMENT_PATH_NOT_SET
+  force_local: false
+- uid: 742
+  appid: Splunk_TA_windows
+  title: Splunk Add-on for Microsoft Windows
+  description: null
+  release: 8.5.0
+  local_path: null
+  http_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-add-on-for-microsoft-windows_850_PATCHED.tgz
+  splunkbase_path: null
+  environment_path: ENVIRONMENT_PATH_NOT_SET
+  force_local: false
+- uid: 5709
+  appid: Splunk_TA_microsoft_sysmon
+  title: Splunk Add-on for Sysmon
+  description: null
+  release: 3.0.0
+  local_path: null
+  http_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-add-on-for-sysmon_300.tgz
+  splunkbase_path: null
+  environment_path: ENVIRONMENT_PATH_NOT_SET
+  force_local: false
+- uid: 833
+  appid: Splunk_TA_nix
+  title: Splunk Add-on for Unix and Linux
+  description: null
+  release: 8.7.0
+  local_path: null
+  http_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-add-on-for-unix-and-linux_860.tgz
+  splunkbase_path: null
+  environment_path: ENVIRONMENT_PATH_NOT_SET
+  force_local: false
+- uid: 2734
+  appid: utbox
+  title: URL Toolbox
+  description: null
+  release: 1.9.2
+  local_path: null
+  http_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/url-toolbox_192.tgz
+  splunkbase_path: null
+  environment_path: ENVIRONMENT_PATH_NOT_SET
+  force_local: false
+- uid: 1621
+  appid: Splunk_SA_CIM
+  title: Splunk Common Information Model (CIM)
+  description: null
+  release: 5.0.2
+  local_path: null
+  http_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-common-information-model-cim_501.tgz
+  splunkbase_path: null
+  environment_path: ENVIRONMENT_PATH_NOT_SET
+  force_local: false
diff --git a/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml b/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml
@@ -30,6 +30,7 @@ tags:
   - Windows Registry Abuse
   - Azorult
   - NjRAT
+  - PlugX
   asset_type: Endpoint
   confidence: 50
   impact: 50

diff --git a/detections/endpoint/cmd_carry_out_string_command_parameter.yml b/detections/endpoint/cmd_carry_out_string_command_parameter.yml
@@ -51,6 +51,7 @@ tags:
   - Data Destruction
   - Warzone RAT
   - NjRAT
+  - PlugX
   asset_type: Endpoint
   automated_detection_testing: passed
   confidence: 50

diff --git a/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml b/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml
@@ -63,6 +63,7 @@ tags:
   - BlackByte Ransomware
   - Warzone RAT
   - NjRAT
+  - PlugX
   asset_type: Endpoint
   confidence: 50
   impact: 40

diff --git a/detections/endpoint/firewall_allowed_program_enable.yml b/detections/endpoint/firewall_allowed_program_enable.yml
@@ -39,6 +39,7 @@ tags:
   - Azorult
   - BlackByte Ransomware
   - NjRAT
+  - PlugX
   asset_type: Endpoint
   confidence: 50
   impact: 50

diff --git a/detections/endpoint/network_connection_discovery_with_netstat.yml b/detections/endpoint/network_connection_discovery_with_netstat.yml
@@ -38,6 +38,7 @@ tags:
   - Windows Post-Exploitation
   - Prestige Ransomware
   - Volt Typhoon
+  - PlugX
   asset_type: Endpoint
   confidence: 50
   impact: 30

diff --git a/detections/endpoint/office_application_drop_executable.yml b/detections/endpoint/office_application_drop_executable.yml
@@ -40,6 +40,7 @@ tags:
   - AgentTesla
   - CVE-2023-21716 Word RTF Heap Corruption
   - Warzone RAT
+  - PlugX
   asset_type: Endpoint
   confidence: 80
   impact: 80

diff --git a/detections/endpoint/office_document_executing_macro_code.yml b/detections/endpoint/office_document_executing_macro_code.yml
@@ -41,6 +41,7 @@ tags:
   - Qakbot
   - Azorult
   - Remcos
+  - PlugX
   asset_type: Endpoint
   confidence: 50
   impact: 70

diff --git a/detections/endpoint/office_document_spawned_child_process_to_download.yml b/detections/endpoint/office_document_spawned_child_process_to_download.yml
@@ -37,6 +37,7 @@ tags:
   analytic_story:
   - Spearphishing Attachments
   - CVE-2023-36884 Office and Windows HTML RCE Vulnerability
+  - PlugX
   asset_type: Endpoint
   confidence: 50
   impact: 70

diff --git a/detections/endpoint/office_product_spawn_cmd_process.yml b/detections/endpoint/office_product_spawn_cmd_process.yml
@@ -49,6 +49,7 @@ tags:
   - CVE-2023-21716 Word RTF Heap Corruption
   - CVE-2023-36884 Office and Windows HTML RCE Vulnerability
   - Warzone RAT
+  - PlugX
   asset_type: Endpoint
   confidence: 80
   impact: 70

diff --git a/detections/endpoint/suspicious_process_file_path.yml b/detections/endpoint/suspicious_process_file_path.yml
@@ -71,6 +71,7 @@ tags:
   - Amadey
   - BlackByte Ransomware
   - Warzone RAT
+  - PlugX
   asset_type: Endpoint
   confidence: 50
   impact: 70

diff --git a/detections/endpoint/suspicious_writes_to_windows_recycle_bin.yml b/detections/endpoint/suspicious_writes_to_windows_recycle_bin.yml
@@ -28,6 +28,7 @@ references: []
 tags:
   analytic_story:
   - Collection and Staging
+  - PlugX
   asset_type: Windows
   confidence: 70
   impact: 40

diff --git a/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml b/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml
@@ -36,6 +36,7 @@ tags:
   analytic_story:
   - Brute Ratel C4
   - AsyncRAT
+  - PlugX
   asset_type: Endpoint
   confidence: 60
   impact: 60

diff --git a/detections/endpoint/windows_ad_serviceprincipalname_added_to_domain_account.yml b/detections/endpoint/windows_ad_serviceprincipalname_added_to_domain_account.yml
@@ -26,7 +26,7 @@ references:
 - https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting
 tags:
   analytic_story:
-  - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/service_principal_name_added/windows-security.log
+  - Sneaky Active Directory Persistence Tricks
   asset_type: endpoint
   confidence: 50
   impact: 60

diff --git a/detections/endpoint/windows_replication_through_removable_media.yml b/detections/endpoint/windows_replication_through_removable_media.yml
@@ -42,6 +42,7 @@ tags:
   analytic_story:
   - Chaos Ransomware
   - NjRAT
+  - PlugX
   asset_type: Endpoint
   confidence: 80
   impact: 80

diff --git a/detections/endpoint/windows_service_created_with_suspicious_service_path.yml b/detections/endpoint/windows_service_created_with_suspicious_service_path.yml
@@ -34,6 +34,7 @@ tags:
   - Qakbot
   - Snake Malware
   - Flax Typhoon
+  - PlugX
   asset_type: Endpoint
   confidence: 80
   impact: 70

diff --git a/detections/endpoint/windows_service_creation_using_registry_entry.yml b/detections/endpoint/windows_service_creation_using_registry_entry.yml
@@ -30,6 +30,7 @@ tags:
   - Windows Persistence Techniques
   - Windows Registry Abuse
   - Brute Ratel C4
+  - PlugX
   asset_type: Endpoint
   confidence: 80
   impact: 80

diff --git a/detections/endpoint/windows_service_deletion_in_registry.yml b/detections/endpoint/windows_service_deletion_in_registry.yml
@@ -29,6 +29,7 @@ references:
 tags:
   analytic_story:
   - Brute Ratel C4
+  - PlugX
   asset_type: Endpoint
   confidence: 30
   impact: 60

diff --git a/detections/web/confluence_data_center_and_server_privilege_escalation.yml b/detections/web/confluence_data_center_and_server_privilege_escalation.yml
@@ -58,8 +58,3 @@ tests:
   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/confluence/nginx_plus_kv_confluence.log
     source: nginx:plus:kv
     sourcetype: nginx:plus:kv
-- name: Suricata Positive Test
-  attack_data:
-  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/confluence/confluence_cve-2023-22515.log
-    source: suricata
-    sourcetype: suricata
diff --git a/dev_ssa/endpoint/ssa___detect_prohibited_applications_spawning_cmd_exe_browsers.yml b/dev_ssa/endpoint/ssa___detect_prohibited_applications_spawning_cmd_exe_browsers.yml
@@ -0,0 +1,57 @@
+name: Detect Prohibited Applications Spawning cmd exe browsers
+id: c10a18cb-fd70-4ffa-a844-25026e0a0c94
+version: 1
+date: '2023-10-26'
+author: Lou Stella, Splunk
+status: validation
+type: Anomaly
+description: The following analytic identifies parent processes that are browsers, spawning cmd.exe. By its very nature,
+  many applications spawn cmd.exe natively or built into macros. Much of this will
+  need to be tuned to further enhance the risk.
+data_source:
+- Windows Security 4688
+search:
+  selection1:
+    actor.process.file.name:
+    - iexplore.exe
+    - opera.exe
+    - firefox.exe
+  selection2:
+    actor.process.file.name: chrome.exe
+  selection3:
+    process.cmd_line: chrome-extension
+  selection4:
+    process.file.name: cmd.exe
+  condition: ((selection1) or (selection2 and not selection3)) and selection4
+how_to_implement: In order to successfully implement this analytic, you will need
+  endpoint process data from a EDR product or Sysmon. This search has been modified
+  to process raw sysmon data from attack_range's nxlogs on DSP.
+known_false_positives: There are circumstances where an application may legitimately
+  execute and interact with the Windows command-line interface.
+references:
+- https://attack.mitre.org/techniques/T1059/
+tags:
+  analytic_story:
+  - Suspicious Command-Line Executions
+  - Insider Threat
+  asset_type: Endpoint
+  confidence: 50
+  impact: 70
+  message: An instance of $parent_process_name$ spawning $process_name$ was identified
+    on endpoint $dest_device_id$ by user $dest_user_id$, producing a suspicious event
+    that warrants investigating.
+  mitre_attack_id:
+  - T1059
+  observable: []
+  product:
+  - Splunk Behavioral Analytics
+  required_fields: []
+  kill_chain_phases:
+  - Exploitation
+  risk_score: 35
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.003/ssa_validation/browsers/windows-security.log
+    source: WinEventLog:Security
diff --git a/dev_ssa/endpoint/ssa___detect_prohibited_applications_spawning_cmd_exe_office.yml b/dev_ssa/endpoint/ssa___detect_prohibited_applications_spawning_cmd_exe_office.yml
@@ -0,0 +1,55 @@
+name: Detect Prohibited Applications Spawning cmd exe office
+id: c10a18cb-fd70-4ffa-a844-25026e0b0c94
+version: 1
+date: '2023-10-26'
+author: Lou Stella, Splunk
+status: validation
+type: Anomaly
+description: The following analytic identifies parent processes that are office/productivity applications, spawning cmd.exe. By its very nature,
+  many applications spawn cmd.exe natively or built into macros. Much of this will
+  need to be tuned to further enhance the risk.
+data_source:
+- Windows Security 4688
+search:
+  selection1:
+    actor.process.file.name:
+    - winword.exe
+    - excel.exe
+    - outlook.exe
+    - acrobat.exe
+    - acrord32.exe
+  selection2:
+    process.file.name: cmd.exe
+  condition: selection1 and selection2
+how_to_implement: In order to successfully implement this analytic, you will need
+  endpoint process data from a EDR product or Sysmon. This search has been modified
+  to process raw sysmon data from attack_range's nxlogs on DSP.
+known_false_positives: There are circumstances where an application may legitimately
+  execute and interact with the Windows command-line interface.
+references:
+- https://attack.mitre.org/techniques/T1059/
+tags:
+  analytic_story:
+  - Suspicious Command-Line Executions
+  - Insider Threat
+  asset_type: Endpoint
+  confidence: 50
+  impact: 70
+  message: An instance of $parent_process_name$ spawning $process_name$ was identified
+    on endpoint $dest_device_id$ by user $dest_user_id$, producing a suspicious event
+    that warrants investigating.
+  mitre_attack_id:
+  - T1059
+  observable: []
+  product:
+  - Splunk Behavioral Analytics
+  required_fields: []
+  kill_chain_phases:
+  - Exploitation
+  risk_score: 35
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.003/ssa_validation/office/windows-security.log
+    source: WinEventLog:Security