diff --git a/contentctl b/contentctl
new file mode 160000
index 0000000000..48c1c275e3
--- /dev/null
+++ b/contentctl
@@ -0,0 +1 @@
+Subproject commit 48c1c275e35b1191068465cc23dc3e3781982ef8
diff --git a/contentctl.yml b/contentctl.yml
new file mode 100644
index 0000000000..abcf6ae395
--- /dev/null
+++ b/contentctl.yml
@@ -0,0 +1,25 @@
+build:
+ #Temporary fix to support testing. The following
+ #line will be reverted soon
+ title: DA-ESS-ContentUpdate
+ name: DA-ESS-ContentUpdate
+ path_root: dist
+ prefix: ESCU
+ build: 004150
+ version: 4.15.0
+ label: ES Content Updates
+ author_name: Splunk Threat Research Team
+ author_email: research@splunk.com
+ author_company: Splunk
+ description: Explore the Analytic Stories included with ES Content Updates.
+ splunk_app: {}
+ json_objects: null
+ ba_objects: null
+build_ssa:
+ path_root: 'dist/ssa'
+build_api:
+ path_root: 'dist/api'
+enrichments:
+ attack_enrichment: true
+ cve_enrichment: true
+ splunk_app_enrichment: false
\ No newline at end of file
diff --git a/contentctl_test.yml b/contentctl_test.yml
new file mode 100644
index 0000000000..46b843fadc
--- /dev/null
+++ b/contentctl_test.yml
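Review bot: `build: 004150` in contentctl.yml is an unquoted scalar with leading zeros, so a YAML 1.1 loader reads it as octal (2152) and a 1.2 loader as decimal 4150; either way the zero padding is lost. If the build identifier is meant to be the string `004150`, quote it (`build: "004150"`); if it is meant to be an integer, drop the zeros so the octal ambiguity disappears. The `#Temporary fix ... will be reverted soon` comment above `title: DA-ESS-ContentUpdate` records a deliberate deviation but gives no tracking reference, and the same value lands in the generated app.manifest `"title"` further down this diff, so a `# TODO(<ticket-id>): restore title "ES Content Updates"` would make the revert hard to forget. The file also ends without a trailing newline.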
@@ -0,0 +1,70 @@
+version_control_config: {}
+infrastructure_config:
+ infrastructure_type: container
+ full_image_path: registry.hub.docker.com/splunk/splunk:latest
+post_test_behavior: always_pause
+mode: all
+detections_list: null
+splunkbase_username: null
+splunkbase_password: null
+apps:
+- uid: 6176
+ appid: Splunk_TA_linux_sysmon
+ title: Add-on for Linux Sysmon
+ description: null
+ release: 1.0.4
+ local_path: null
+ http_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/add-on-for-linux-sysmon_104.tgz
+ splunkbase_path: null
+ environment_path: ENVIRONMENT_PATH_NOT_SET
+ force_local: false
+- uid: 742
+ appid: Splunk_TA_windows
+ title: Splunk Add-on for Microsoft Windows
+ description: null
+ release: 8.5.0
+ local_path: null
+ http_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-add-on-for-microsoft-windows_850_PATCHED.tgz
+ splunkbase_path: null
+ environment_path: ENVIRONMENT_PATH_NOT_SET
+ force_local: false
+- uid: 5709
+ appid: Splunk_TA_microsoft_sysmon
+ title: Splunk Add-on for Sysmon
+ description: null
+ release: 3.0.0
+ local_path: null
+ http_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-add-on-for-sysmon_300.tgz
+ splunkbase_path: null
+ environment_path: ENVIRONMENT_PATH_NOT_SET
+ force_local: false
+- uid: 833
+ appid: Splunk_TA_nix
+ title: Splunk Add-on for Unix and Linux
+ description: null
+ release: 8.7.0
+ local_path: null
+ http_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-add-on-for-unix-and-linux_860.tgz
+ splunkbase_path: null
+ environment_path: ENVIRONMENT_PATH_NOT_SET
+ force_local: false
+- uid: 2734
+ appid: utbox
+ title: URL Toolbox
+ description: null
+ release: 1.9.2
+ local_path: null
+ http_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/url-toolbox_192.tgz
+ splunkbase_path: null
+ environment_path: ENVIRONMENT_PATH_NOT_SET
+ force_local: false
+- uid: 1621
+ appid: Splunk_SA_CIM
+ title: Splunk Common Information Model (CIM)
+ description: null
+ release: 5.0.2
+ local_path: null
+ http_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-common-information-model-cim_501.tgz
+ splunkbase_path: null
+ environment_path: ENVIRONMENT_PATH_NOT_SET
+ force_local: false
diff --git a/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml b/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml
index 978cd0ff78..24368ffca5 100644
--- a/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml
+++ b/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml
@@ -30,6 +30,7 @@ tags:
 - Windows Registry Abuse
 - Azorult
 - NjRAT
+ - PlugX
 asset_type: Endpoint
 confidence: 50
 impact: 50
diff --git a/detections/endpoint/cmd_carry_out_string_command_parameter.yml b/detections/endpoint/cmd_carry_out_string_command_parameter.yml
index 9630cb7627..fdc915b0db 100644
--- a/detections/endpoint/cmd_carry_out_string_command_parameter.yml
+++ b/detections/endpoint/cmd_carry_out_string_command_parameter.yml
@@ -51,6 +51,7 @@ tags:
 - Data Destruction
 - Warzone RAT
 - NjRAT
+ - PlugX
 asset_type: Endpoint
 automated_detection_testing: passed
 confidence: 50
diff --git a/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml b/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml
index 5f81c219c1..da5aa83f53 100644
--- a/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml
+++ b/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml
@@ -63,6 +63,7 @@ tags:
 - BlackByte Ransomware
 - Warzone RAT
 - NjRAT
+ - PlugX
 asset_type: Endpoint
 confidence: 50
 impact: 40
diff --git a/detections/endpoint/firewall_allowed_program_enable.yml b/detections/endpoint/firewall_allowed_program_enable.yml
index e8113eec50..93ab2bca51 100644
--- a/detections/endpoint/firewall_allowed_program_enable.yml
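Review bot: In contentctl_test.yml the `release` field and the downloaded artifact disagree for two apps: `Splunk_TA_nix` declares `release: 8.7.0` but fetches `splunk-add-on-for-unix-and-linux_860.tgz`, and `Splunk_SA_CIM` declares `release: 5.0.2` but fetches `splunk-common-information-model-cim_501.tgz`, so one side of each pair should be corrected to say what the test environment actually installs. Every `http_path` pulls a tarball from the `attack-range-appbinaries` bucket with no digest, and `full_image_path` uses the mutable `splunk/splunk:latest` tag, so a test run is not reproducible and a replaced artifact would be installed without notice; pinning the image to a version tag or digest and recording an expected hash next to each `http_path`, if the config schema supports one, would close that gap. The Windows add-on is a `_PATCHED` build of a vendor package, and a comment stating what was patched would help whoever refreshes these binaries later.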
+++ b/detections/endpoint/firewall_allowed_program_enable.yml
@@ -39,6 +39,7 @@ tags:
 - Azorult
 - BlackByte Ransomware
 - NjRAT
+ - PlugX
 asset_type: Endpoint
 confidence: 50
 impact: 50
diff --git a/detections/endpoint/network_connection_discovery_with_netstat.yml b/detections/endpoint/network_connection_discovery_with_netstat.yml
index 953f9d241a..dc6bb6292b 100644
--- a/detections/endpoint/network_connection_discovery_with_netstat.yml
+++ b/detections/endpoint/network_connection_discovery_with_netstat.yml
@@ -38,6 +38,7 @@ tags:
 - Windows Post-Exploitation
 - Prestige Ransomware
 - Volt Typhoon
+ - PlugX
 asset_type: Endpoint
 confidence: 50
 impact: 30
diff --git a/detections/endpoint/office_application_drop_executable.yml b/detections/endpoint/office_application_drop_executable.yml
index 25a7435abd..a01bb5a5cc 100644
--- a/detections/endpoint/office_application_drop_executable.yml
+++ b/detections/endpoint/office_application_drop_executable.yml
@@ -40,6 +40,7 @@ tags:
 - AgentTesla
 - CVE-2023-21716 Word RTF Heap Corruption
 - Warzone RAT
+ - PlugX
 asset_type: Endpoint
 confidence: 80
 impact: 80
diff --git a/detections/endpoint/office_document_executing_macro_code.yml b/detections/endpoint/office_document_executing_macro_code.yml
index f5ec5dec14..242cc9161e 100644
--- a/detections/endpoint/office_document_executing_macro_code.yml
+++ b/detections/endpoint/office_document_executing_macro_code.yml
@@ -41,6 +41,7 @@ tags:
 - Qakbot
 - Azorult
 - Remcos
+ - PlugX
 asset_type: Endpoint
 confidence: 50
 impact: 70
diff --git a/detections/endpoint/office_document_spawned_child_process_to_download.yml b/detections/endpoint/office_document_spawned_child_process_to_download.yml
index b013a5aa71..d56f3a5a2b 100644
--- a/detections/endpoint/office_document_spawned_child_process_to_download.yml
+++ b/detections/endpoint/office_document_spawned_child_process_to_download.yml
@@ -37,6 +37,7 @@ tags:
 analytic_story:
 - Spearphishing Attachments
 - CVE-2023-36884 Office and Windows HTML RCE Vulnerability
+ - PlugX
 asset_type: Endpoint
 confidence: 50
 impact: 70
diff --git a/detections/endpoint/office_product_spawn_cmd_process.yml b/detections/endpoint/office_product_spawn_cmd_process.yml
index 9e80c568bb..1c71a989a1 100644
--- a/detections/endpoint/office_product_spawn_cmd_process.yml
+++ b/detections/endpoint/office_product_spawn_cmd_process.yml
@@ -49,6 +49,7 @@ tags:
 - CVE-2023-21716 Word RTF Heap Corruption
 - CVE-2023-36884 Office and Windows HTML RCE Vulnerability
 - Warzone RAT
+ - PlugX
 asset_type: Endpoint
 confidence: 80
 impact: 70
diff --git a/detections/endpoint/suspicious_process_file_path.yml b/detections/endpoint/suspicious_process_file_path.yml
index d3748b72d3..1dadb429d4 100644
--- a/detections/endpoint/suspicious_process_file_path.yml
+++ b/detections/endpoint/suspicious_process_file_path.yml
@@ -71,6 +71,7 @@ tags:
 - Amadey
 - BlackByte Ransomware
 - Warzone RAT
+ - PlugX
 asset_type: Endpoint
 confidence: 50
 impact: 70
diff --git a/detections/endpoint/suspicious_writes_to_windows_recycle_bin.yml b/detections/endpoint/suspicious_writes_to_windows_recycle_bin.yml
index ad493f126c..deee52274e 100644
--- a/detections/endpoint/suspicious_writes_to_windows_recycle_bin.yml
+++ b/detections/endpoint/suspicious_writes_to_windows_recycle_bin.yml
@@ -28,6 +28,7 @@ references: []
 tags:
 analytic_story:
 - Collection and Staging
+ - PlugX
 asset_type: Windows
 confidence: 70
 impact: 40
diff --git a/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml b/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml
index 0b6335b6eb..a83a9a9621 100644
--- a/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml
+++ b/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml
@@ -36,6 +36,7 @@ tags:
 analytic_story:
 - Brute Ratel C4
 - AsyncRAT
+ - PlugX
 asset_type: Endpoint
 confidence: 60
 impact: 60
diff --git a/detections/endpoint/windows_ad_serviceprincipalname_added_to_domain_account.yml b/detections/endpoint/windows_ad_serviceprincipalname_added_to_domain_account.yml
index 2403723a8e..4847749dbd 100644
--- a/detections/endpoint/windows_ad_serviceprincipalname_added_to_domain_account.yml
+++ b/detections/endpoint/windows_ad_serviceprincipalname_added_to_domain_account.yml
@@ -26,7 +26,7 @@ references:
 - https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting
 tags:
 analytic_story:
- - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/service_principal_name_added/windows-security.log
+ - Sneaky Active Directory Persistence Tricks
 asset_type: endpoint
 confidence: 50
 impact: 60
diff --git a/detections/endpoint/windows_replication_through_removable_media.yml b/detections/endpoint/windows_replication_through_removable_media.yml
index e26f7bd54f..d3d9632a15 100644
--- a/detections/endpoint/windows_replication_through_removable_media.yml
+++ b/detections/endpoint/windows_replication_through_removable_media.yml
@@ -42,6 +42,7 @@ tags:
 analytic_story:
 - Chaos Ransomware
 - NjRAT
+ - PlugX
 asset_type: Endpoint
 confidence: 80
 impact: 80
diff --git a/detections/endpoint/windows_service_created_with_suspicious_service_path.yml b/detections/endpoint/windows_service_created_with_suspicious_service_path.yml
index 7831cd17b8..126b278491 100644
--- a/detections/endpoint/windows_service_created_with_suspicious_service_path.yml
+++ b/detections/endpoint/windows_service_created_with_suspicious_service_path.yml
@@ -34,6 +34,7 @@ tags:
 - Qakbot
 - Snake Malware
 - Flax Typhoon
+ - PlugX
 asset_type: Endpoint
 confidence: 80
 impact: 70
diff --git a/detections/endpoint/windows_service_creation_using_registry_entry.yml b/detections/endpoint/windows_service_creation_using_registry_entry.yml
index b760357b94..b787f8d8ad 100644
--- a/detections/endpoint/windows_service_creation_using_registry_entry.yml
+++ b/detections/endpoint/windows_service_creation_using_registry_entry.yml
@@ -30,6 +30,7 @@ tags:
 - Windows Persistence Techniques
 - Windows Registry Abuse
 - Brute Ratel C4
+ - PlugX
 asset_type: Endpoint
 confidence: 80
 impact: 80
diff --git a/detections/endpoint/windows_service_deletion_in_registry.yml b/detections/endpoint/windows_service_deletion_in_registry.yml
index a43d35cf9d..3701013fe3 100644
--- a/detections/endpoint/windows_service_deletion_in_registry.yml
+++ b/detections/endpoint/windows_service_deletion_in_registry.yml
@@ -29,6 +29,7 @@ references:
 tags:
 analytic_story:
 - Brute Ratel C4
+ - PlugX
 asset_type: Endpoint
 confidence: 30
 impact: 60
diff --git a/detections/web/confluence_data_center_and_server_privilege_escalation.yml b/detections/web/confluence_data_center_and_server_privilege_escalation.yml
index 2c8ffff181..f702d94a68 100644
--- a/detections/web/confluence_data_center_and_server_privilege_escalation.yml
+++ b/detections/web/confluence_data_center_and_server_privilege_escalation.yml
@@ -58,8 +58,3 @@ tests:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/confluence/nginx_plus_kv_confluence.log
 source: nginx:plus:kv
 sourcetype: nginx:plus:kv
-- name: Suricata Positive Test
- attack_data:
- - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/confluence/confluence_cve-2023-22515.log
- source: suricata
- sourcetype: suricata
diff --git a/dev_ssa/endpoint/ssa___detect_prohibited_applications_spawning_cmd_exe_browsers.yml b/dev_ssa/endpoint/ssa___detect_prohibited_applications_spawning_cmd_exe_browsers.yml
new file mode 100644
index 0000000000..af771a4597
--- /dev/null
+++ b/dev_ssa/endpoint/ssa___detect_prohibited_applications_spawning_cmd_exe_browsers.yml
@@ -0,0 +1,57 @@
+name: Detect Prohibited Applications Spawning cmd exe browsers
+id: c10a18cb-fd70-4ffa-a844-25026e0a0c94
+version: 1
+date: '2023-10-26'
+author: Lou Stella, Splunk
+status: validation
+type: Anomaly
+description: The following analytic identifies parent processes that are browsers, spawning cmd.exe. By its very nature,
+ many applications spawn cmd.exe natively or built into macros. Much of this will
+ need to be tuned to further enhance the risk.
+data_source:
+- Windows Security 4688
+search:
+ selection1:
+ actor.process.file.name:
+ - iexplore.exe
+ - opera.exe
+ - firefox.exe
+ selection2:
+ actor.process.file.name: chrome.exe
+ selection3:
+ process.cmd_line: chrome-extension
+ selection4:
+ process.file.name: cmd.exe
+ condition: ((selection1) or (selection2 and not selection3)) and selection4
+how_to_implement: In order to successfully implement this analytic, you will need
+ endpoint process data from a EDR product or Sysmon. This search has been modified
+ to process raw sysmon data from attack_range's nxlogs on DSP.
+known_false_positives: There are circumstances where an application may legitimately
+ execute and interact with the Windows command-line interface.
+references:
+- https://attack.mitre.org/techniques/T1059/
+tags:
+ analytic_story:
+ - Suspicious Command-Line Executions
+ - Insider Threat
+ asset_type: Endpoint
+ confidence: 50
+ impact: 70
+ message: An instance of $parent_process_name$ spawning $process_name$ was identified
+ on endpoint $dest_device_id$ by user $dest_user_id$, producing a suspicious event
+ that warrants investigating.
+ mitre_attack_id:
+ - T1059
+ observable: []
+ product:
+ - Splunk Behavioral Analytics
+ required_fields: []
+ kill_chain_phases:
+ - Exploitation
+ risk_score: 35
+ security_domain: endpoint
+tests:
+- name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.003/ssa_validation/browsers/windows-security.log
+ source: WinEventLog:Security
diff --git a/dev_ssa/endpoint/ssa___detect_prohibited_applications_spawning_cmd_exe_office.yml b/dev_ssa/endpoint/ssa___detect_prohibited_applications_spawning_cmd_exe_office.yml
new file mode 100644
index 0000000000..c0128218a6
--- /dev/null
+++ b/dev_ssa/endpoint/ssa___detect_prohibited_applications_spawning_cmd_exe_office.yml
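Review bot: `how_to_implement` in the browsers detection says the search was modified `to process raw sysmon data from attack_range's nxlogs on DSP`, but `data_source` is `Windows Security 4688` and the test fixture is `windows-security.log`, so the implementation guidance does not describe the data the analytic is built and tested against; the same paragraph is repeated in the office (`ssa___detect_prohibited_applications_spawning_cmd_exe_office.yml`) and powershell (`ssa___detect_prohibited_applications_spawning_cmd_exe_powershell.yml`) files added below. The test datasets live under `T1059.003` while `mitre_attack_id` carries the parent `T1059`; if the analytic is meant to cover the Windows Command Shell specifically, the sub-technique is presumably the more accurate tag, so confirm with the author. The three `id` values differ from one another by one or two hex digits (`...25026e0a0c94`, `...25026e0b0c94`, `...25126e0b0d94`), which looks like hand-edited copies rather than generated UUIDs; they are unique here, but freshly generated ids avoid a future collision. The `message` template references `$parent_process_name$`, `$process_name$`, `$dest_device_id$` and `$dest_user_id$` while the search fields are `actor.process.file.name` and `process.file.name`, so it is worth confirming that the SSA output resolves those tokens.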
@@ -0,0 +1,55 @@
+name: Detect Prohibited Applications Spawning cmd exe office
+id: c10a18cb-fd70-4ffa-a844-25026e0b0c94
+version: 1
+date: '2023-10-26'
+author: Lou Stella, Splunk
+status: validation
+type: Anomaly
+description: The following analytic identifies parent processes that are office/productivity applications, spawning cmd.exe. By its very nature,
+ many applications spawn cmd.exe natively or built into macros. Much of this will
+ need to be tuned to further enhance the risk.
+data_source:
+- Windows Security 4688
+search:
+ selection1:
+ actor.process.file.name:
+ - winword.exe
+ - excel.exe
+ - outlook.exe
+ - acrobat.exe
+ - acrord32.exe
+ selection2:
+ process.file.name: cmd.exe
+ condition: selection1 and selection2
+how_to_implement: In order to successfully implement this analytic, you will need
+ endpoint process data from a EDR product or Sysmon. This search has been modified
+ to process raw sysmon data from attack_range's nxlogs on DSP.
+known_false_positives: There are circumstances where an application may legitimately
+ execute and interact with the Windows command-line interface.
+references:
+- https://attack.mitre.org/techniques/T1059/
+tags:
+ analytic_story:
+ - Suspicious Command-Line Executions
+ - Insider Threat
+ asset_type: Endpoint
+ confidence: 50
+ impact: 70
+ message: An instance of $parent_process_name$ spawning $process_name$ was identified
+ on endpoint $dest_device_id$ by user $dest_user_id$, producing a suspicious event
+ that warrants investigating.
+ mitre_attack_id:
+ - T1059
+ observable: []
+ product:
+ - Splunk Behavioral Analytics
+ required_fields: []
+ kill_chain_phases:
+ - Exploitation
+ risk_score: 35
+ security_domain: endpoint
+tests:
+- name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.003/ssa_validation/office/windows-security.log
+ source: WinEventLog:Security
diff --git a/dev_ssa/endpoint/ssa___detect_prohibited_applications_spawning_cmd_exe_powershell.yml b/dev_ssa/endpoint/ssa___detect_prohibited_applications_spawning_cmd_exe_powershell.yml
new file mode 100644
index 0000000000..5761348467
--- /dev/null
+++ b/dev_ssa/endpoint/ssa___detect_prohibited_applications_spawning_cmd_exe_powershell.yml
@@ -0,0 +1,51 @@
+name: Detect Prohibited Applications Spawning cmd exe powershell
+id: c10a18cb-fd70-4ffa-a844-25126e0b0d94
+version: 1
+date: '2023-10-26'
+author: Lou Stella, Splunk
+status: validation
+type: Anomaly
+description: The following analytic identifies parent processes that are powershell, spawning cmd.exe. By its very nature,
+ many applications spawn cmd.exe natively or built into macros. Much of this will
+ need to be tuned to further enhance the risk.
+data_source:
+- Windows Security 4688
+search:
+ selection1:
+ actor.process.file.name:
+ - powershell.exe
+ selection2:
+ process.file.name: cmd.exe
+ condition: selection1 and selection2
+how_to_implement: In order to successfully implement this analytic, you will need
+ endpoint process data from a EDR product or Sysmon. This search has been modified
+ to process raw sysmon data from attack_range's nxlogs on DSP.
+known_false_positives: There are circumstances where an application may legitimately
+ execute and interact with the Windows command-line interface.
+references:
+- https://attack.mitre.org/techniques/T1059/
+tags:
+ analytic_story:
+ - Suspicious Command-Line Executions
+ - Insider Threat
+ asset_type: Endpoint
+ confidence: 50
+ impact: 70
+ message: An instance of $parent_process_name$ spawning $process_name$ was identified
+ on endpoint $dest_device_id$ by user $dest_user_id$, producing a suspicious event
+ that warrants investigating.
+ mitre_attack_id:
+ - T1059
+ observable: []
+ product:
+ - Splunk Behavioral Analytics
+ required_fields: []
+ kill_chain_phases:
+ - Exploitation
+ risk_score: 35
+ security_domain: endpoint
+tests:
+- name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.003/powershell_spawn_cmd/windows-security.log
+ source: WinEventLog:Security
\ No newline at end of file
diff --git a/dist/escu/README.md b/dist/DA-ESS-ContentUpdate/README.md
similarity index 100%
rename from dist/escu/README.md
rename to dist/DA-ESS-ContentUpdate/README.md
diff --git a/dist/escu/README/essoc_story_detail.txt b/dist/DA-ESS-ContentUpdate/README/essoc_story_detail.txt
similarity index 100%
rename from dist/escu/README/essoc_story_detail.txt
rename to dist/DA-ESS-ContentUpdate/README/essoc_story_detail.txt
diff --git a/dist/escu/README/essoc_summary.txt b/dist/DA-ESS-ContentUpdate/README/essoc_summary.txt
similarity index 100%
rename from dist/escu/README/essoc_summary.txt
rename to dist/DA-ESS-ContentUpdate/README/essoc_summary.txt
diff --git a/dist/escu/README/essoc_usage_dashboard.txt b/dist/DA-ESS-ContentUpdate/README/essoc_usage_dashboard.txt
similarity index 100%
rename from dist/escu/README/essoc_usage_dashboard.txt
rename to dist/DA-ESS-ContentUpdate/README/essoc_usage_dashboard.txt
diff --git a/dist/escu/app.manifest b/dist/DA-ESS-ContentUpdate/app.manifest
similarity index 89%
rename from dist/escu/app.manifest
rename to dist/DA-ESS-ContentUpdate/app.manifest
index 3469ab9868..656ea91f68 100644
--- a/dist/escu/app.manifest
+++ b/dist/DA-ESS-ContentUpdate/app.manifest
@@ -1,15 +1,15 @@
 {
 "schemaVersion": "1.0.0",
 "info": {
- "title": "ES Content Updates",
+ "title": "DA-ESS-ContentUpdate",
 "id": {
 "group": null,
 "name": "DA-ESS-ContentUpdate",
- "version": "4.13.0"
+ "version": "4.15.0"
 },
 "author": [
 {
- "name": "Splunk Security Research Team",
+ "name": "Splunk Threat Research Team",
 "email": "research@splunk.com",
 "company": "Splunk"
 }
diff --git a/dist/escu/default/analytic_stories.conf b/dist/DA-ESS-ContentUpdate/default/analytic_stories.conf
similarity index 100%
rename from dist/escu/default/analytic_stories.conf
rename to dist/DA-ESS-ContentUpdate/default/analytic_stories.conf
diff --git a/dist/escu/default/analyticstories.conf b/dist/DA-ESS-ContentUpdate/default/analyticstories.conf
similarity index 95%
rename from dist/escu/default/analyticstories.conf
rename to dist/DA-ESS-ContentUpdate/default/analyticstories.conf
index a10f73ee21..e72376a5b3 100644
--- a/dist/escu/default/analyticstories.conf
+++ b/dist/DA-ESS-ContentUpdate/default/analyticstories.conf
@@ -1,7 +1,7 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2023-10-04T22:36:05 UTC
-# Author: Splunk Security Research
+# On Date: 2023-11-01T20:44:08 UTC
+# Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############
@@ -689,7 +689,7 @@ providing_technologies = null
 type = detection
 asset_type = Endpoint
 confidence = medium
-explanation = This search looks for emails that have attachments with suspicious file extensions.
+explanation = The following analytic detects emails that contain attachments with suspicious file extensions. Detecting and responding to emails with suspicious attachments can mitigate the risks associated with phishing and malware attacks, thereby protecting the organization's data and systems from potential harm. The detection is made by using a Splunk query that searches for emails in the datamodel=Email where the filename of the attachment is not empty. The analytic uses the tstats command to summarize the count, first time, and last time of the emails that meet the criteria. It groups the results by the source user, file name, and message ID of the email. The detection is important because it indicates potential phishing or malware delivery attempts in which an attacker attempts to deliver malicious content through email attachments, which can lead to data breaches, malware infections, or unauthorized access to sensitive information. Next steps include reviewing the identified emails and attachments and analyzing the source user, file name, and message ID to determine if they are legitimate or malicious. Additionally, you must inspect any relevant on-disk artifacts associated with the attachments and investigate any concurrent processes to identify the source of the attack.
 how_to_implement = You need to ingest data from emails. Specifically, the sender's address and the file names of any attachments must be mapped to the Email data model. \
 **Splunk Phantom Playbook Integration**\
 If Splunk Phantom is also configured in your environment, a Playbook called "Suspicious Email Attachment Investigate and Delete" can be configured to run when any results are found by this detection search. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/`, and add the correct hostname to the "Phantom Instance" field in the Adaptive Response Actions when configuring this detection search. The notable event will be sent to Phantom and the playbook will gather further information about the file attachment and its network behaviors. If Phantom finds malicious behavior and an analyst approves of the results, the email will be deleted from the user's inbox.
@@ -711,7 +711,7 @@ providing_technologies = null
 type = detection
 asset_type = Web Server
 confidence = medium
-explanation = This search looks for suspicious processes on all systems labeled as web servers.
+explanation = The following analytic detects suspicious processes on systems labeled as web servers. This detection is made by a Splunk query that searches for specific process names that might indicate malicious activity. These suspicious processes include "whoami", "ping", "iptables", "wget", "service", and "curl". Uses the Splunk data model "Endpoint.Processes" and filters the results to only include systems categorized as web servers. This detection is important because it indicates unauthorized or malicious activity on web servers since these processes are commonly used by attackers to perform reconnaissance, establish persistence, or exfiltrate data from compromised systems. The impact of such an attack can be significant, ranging from data theft to the deployment of additional malicious payloads, potentially leading to ransomware or other damaging outcomes. False positives might occur since the legitimate use of these processes on web servers can trigger the analytic. Next steps include triaging and investigating to determine the legitimacy of the activity. Also, review the source and command of the suspicious process. You must also examine any relevant on-disk artifacts and look for concurrent processes to identify the source of the attack.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
 annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1082"], "nist": ["DE.CM"]}
 known_false_positives = Some of these processes may be used legitimately on web servers during maintenance or other administrative tasks.
@@ -771,7 +771,7 @@ providing_technologies = null
 type = detection
 asset_type = Amazon EKS Kubernetes cluster Pod
 confidence = medium
-explanation = This search provides detection information on unauthenticated requests against Kubernetes' Pods API
+explanation = The following analytic detects unauthenticated requests made against the Kubernetes' Pods API through proactive monitoring to protect the Kubernetes environment from unauthorized access and potential security breaches. The detection is made by using the Splunk query `aws_cloudwatchlogs_eks` with specific filters to identify these requests. Identifies events where the `user.username` is set to "system:anonymous", the `verb` is set to "list", and the `objectRef.resource` is set to "pods". Additionally, the search checks if the `requestURI` is equal to "/api/v1/pods". Analyzing these events helps you to identify any unauthorized access attempts to the Kubernetes' Pods API. Unauthenticated requests can indicate potential security breaches or unauthorized access to sensitive resources within the Kubernetes environment. The detection is important because unauthorized access to Kubernetes' Pods API can lead to the compromise of sensitive data, unauthorized execution of commands, or even the potential for lateral movement within the Kubernetes cluster. False positives might occur since there might be legitimate use cases for unauthenticated requests in certain scenarios. Therefore, you must review and validate any detected events before taking any action. Next steps include investigating the incident to mitigate any ongoing threats, and strengthening the security measures to prevent future unauthorized access attempts.
 how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on forAWS (version 4.4.0 or later), then configure your AWS CloudWatch EKS Logs.Please also customize the `kubernetes_pods_aws_scan_fingerprint_detection` macro to filter out the false positives.
 annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.AE"]}
 known_false_positives = Not all unauthenticated requests are malicious, but frequency, UA and source IPs and direct request to API provide context.
@@ -843,7 +843,7 @@ asset_type = AWS Account
 confidence = medium
 explanation = The following detection identifes when a policy is deleted on AWS. This does not identify whether successful or failed, but the error messages tell a story of suspicious attempts. There is a specific process to follow when deleting a policy. First, detach the policy from all users, groups, and roles that the policy is attached to, using DetachUserPolicy , DetachGroupPolicy , or DetachRolePolicy.
 how_to_implement = You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876) that includes includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs which are parsed in the Open Cybersecurity Schema Framework (OCSF)format.
-annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1098"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.AE"]}
 known_false_positives = This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete policies (least privilege). In addition, this may be saved seperately and tuned for failed or success attempts only.
 providing_technologies = null
@@ -1284,7 +1284,7 @@ asset_type = AWS Account
 confidence = medium
 explanation = The following detection identifes when a policy is deleted on AWS. This does not identify whether successful or failed, but the error messages tell a story of suspicious attempts. There is a specific process to follow when deleting a policy. First, detach the policy from all users, groups, and roles that the policy is attached to, using DetachUserPolicy , DetachGroupPolicy , or DetachRolePolicy.
 how_to_implement = The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS Cloudtrail logs.
-annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1098"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.AE"]}
 known_false_positives = This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete policies (least privilege). In addition, this may be saved seperately and tuned for failed or success attempts only.
 providing_technologies = ["Amazon Web Services - Cloudtrail"]
@@ -1294,7 +1294,7 @@ asset_type = AWS Account
 confidence = medium
 explanation = This detection identifies failure attempts to delete groups. We want to identify when a group is attempting to be deleted, but either access is denied, there is a conflict or there is no group. This is indicative of administrators performing an action, but also could be suspicious behavior occurring. Review parallel IAM events - recently added users, new groups and so forth.
 how_to_implement = The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS Cloudtrail logs.
-annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1098"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.AE"]}
 known_false_positives = This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete groups (least privilege).
 providing_technologies = ["Amazon Web Services - Cloudtrail"]
@@ -1484,7 +1484,7 @@ asset_type = Azure Active Directory
 confidence = medium
 explanation = The following analytic identifies the assignment of the Application Administrator role to an Azure AD user. Users in this role can create and manage all aspects of enterprise applications, application registrations, and application proxy settings. This role also grants the ability to manage application credentials. Users assigned this role can add credentials to an application, and use those credentials to impersonate the applications identity. If the applications identity has been granted access to a resource, such as the ability to create or update User or other objects, then a user assigned to this role could perform those actions while impersonating the application. This ability to impersonate the applications identity may be an elevation of privilege over what the user can do via their role assignments. Red teams and adversaries alike may abuse this role to escalate their privileges in an Azure AD tenant.
 how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. Specifically, this analytic leverages the AuditLogs log category.
-annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]}
 known_false_positives = Administrators may legitimately assign the Application Administrator role to a user. Filter as needed.
 providing_technologies = null
 
@@ -1524,7 +1524,7 @@ asset_type = Azure Active Directory
 confidence = medium
 explanation = The following analytic identifies the assignment of the Azure AD Global Administrator role to an Azure AD user. The Global Administrator role is the most powerful administrator role in Azure AD and provides almost unlimited access to data, resources and settings. It is equivalent to the Domain Administrator group in an Active Directory environment. While Azure AD roles do not grant access to Azure services and resources, it is possible for a Global Administrator account to gain control of Azure resources. Adversaries and red teams alike may assign this role to a compromised account to establish Persistence or escalate their privileges in an Azure AD environment.
 how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. Specifically, this analytic leverages the AuditLogs log category.
-annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1098.003"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098.003"], "nist": ["DE.CM"]}
 known_false_positives = Administrators may legitimately assign the Global Administrator role to a user. Filter as needed.
 providing_technologies = null
 
@@ -1615,7 +1615,7 @@ asset_type = Azure Active Directory
 confidence = medium
 explanation = The following analytic identifies the assignment of the Azure AD PIM role. Privileged Identity Management (PIM) is a service within Azure Azure AD that enables administrators to manage, control, and monitor access to sensitive resources. PIM provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources. Once a user has been made eligible for an administrative role, she must activate this role assignment to perform the privileged actions. When a role is activated, Azure AD PIM temporarily adds active assignment for the role. While PIM can be leveraged as a powerful security control, it may also abused by adversaries to obtain privileged access. Security teams should monitor for the assignment and activation of PIM roles and validate their legitimacy.
 how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. Specifically, this analytic leverages the AuditLogs log category.
-annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]}
 known_false_positives = As part of legitimate administrative behavior, users may be assigned PIM roles. Filter as needed
 providing_technologies = null
 
@@ -1625,7 +1625,7 @@ asset_type = Azure Active Directory
 confidence = medium
 explanation = The following analytic identifies the assignment of the Azure AD PIM role. Privileged Identity Management (PIM) is a service within Azure Azure AD that enables administrators to manage, control, and monitor access to sensitive resources. PIM provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources. Once a user has been made eligible for an administrative role, she must activate this role assignment to perform the privileged actions. When a role is activated, Azure AD PIM temporarily adds active assignment for the role. While PIM can be leveraged as a powerful security control, it may also abused by adversaries to obtain privileged access. Security teams should monitor for the assignment and activation of PIM roles and validate their legitimacy.
 how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. Specifically, this analytic leverages the AuditLogs log category.
-annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]}
 known_false_positives = As part of legitimate administrative behavior, users may activate PIM roles. Filter as needed
 providing_technologies = null
 
@@ -1645,7 +1645,7 @@ asset_type = Azure Active Directory
 confidence = medium
 explanation = The following analytic identifies the assignment of sensitive and privileged Azure Active Directory roles to an Azure AD user. Adversaries and red teams alike may assign these roles to a compromised account to establish Persistence in an Azure AD environment.
 how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. Specifically, this analytic leverages the AuditLogs log category.
-annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]}
 known_false_positives = Administrators will legitimately assign the privileged roles users as part of administrative tasks. Filter as needed.
 providing_technologies = null
 
@@ -1653,9 +1653,9 @@ providing_technologies = null
 type = detection
 asset_type = Azure Active Directory
 confidence = medium
-explanation = The following analytic is geared towards detecting potential privilege escalation threats in Azure Active Directory (AD). It identifies instances where privileged roles, which hold elevated permissions, are assigned to Service Principals. These non-human entities that can access Azure resources could be exploited in an attack scenario, leading to unauthorized access or malicious activities. The analytic runs a specific search within the ingested Azure AD events, specifically leveraging the AuditLogs log category. Keep in mind, however, that there could be false positives, as administrators may legitimately assign privileged roles to Service Principals.
+explanation = The following analytic detects potential privilege escalation threats in Azure Active Directory (AD). The detection is made by running a specific search within the ingested Azure Active Directory events to leverage the AuditLogs log category. This detection is important because it identifies instances where privileged roles that hold elevated permissions are assigned to service principals. This prevents unauthorized access or malicious activities, which occur when these non-human entities access Azure resources to exploit them. False positives might occur since administrators can legitimately assign privileged roles to service principals.
 how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. Specifically, this analytic leverages the AuditLogs log category.
-annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]}
 known_false_positives = Administrators may legitimately assign the privileged roles to Service Principals as part of administrative tasks. Filter as needed.
 providing_technologies = null
 
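Review bot: The rewritten explanation overstates what the search does: `This prevents unauthorized access or malicious activities` describes a preventive control, but the analytic only surfaces role assignments from AuditLogs after they happen. Suggest merging that sentence into the preceding one, e.g. `This detection is important because it identifies instances where privileged roles that hold elevated permissions are assigned to service principals, which an attacker can then use to access Azure resources without a human identity.` and dropping the `This prevents ...` sentence. The clause `to leverage the AuditLogs log category` also reads as if the log category were the purpose of the search; `which leverages the AuditLogs log category` matches the how_to_implement line in the same hunk.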
@@ -1675,7 +1675,7 @@ asset_type = Azure Active Directory
 confidence = medium
 explanation = The following analytic identifies the addition of new credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD. These credentials include both x509 certificates and passwords. With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules. Adversaries and red teams alike who have obtained privileged access to Azure AD may add credentials to Service Principals to maintain persistent access to victim accounts and other instances within the Azure environment. By compromising an account who is an Owner of an application with privileged access, attackers may also escalate their privileges in an Azure AD environment by adding new credentials and logging in as the service principal.
 how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. Specifically, this analytic leverages the SignInLogs log category.
-annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1098", "T1098.001"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.001"], "nist": ["DE.CM"]}
 known_false_positives = Service Principal client credential modifications may be part of legitimate administrative operations. Filter as needed.
 providing_technologies = null
 
@@ -1685,7 +1685,7 @@ asset_type = Azure Active Directory
 confidence = medium
 explanation = The following analytic identifies the addition of a new owner for a Service Principal within an Azure AD tenant. An Azure Service Principal is an identity designed to be used with applications, services, and automated tools to access resources. It is similar to a service account within an Active Directory environment. Service Principal authentication does not support multi-factor authentication nor conditional access policies. Adversaries and red teams alike who have obtained administrative access may add a new owner for an existing Service Principal to establish Persistence and obtain single-factor access to an Azure AD environment. Attackers who are looking to escalate their privileges by leveraging a Service Principals permissions may also add a new owner.
 how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. Specifically, this analytic leverages the AuditLogs log category.
-annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
 known_false_positives = Administrator may legitimately add new owners for Service Principals. Filter as needed.
 providing_technologies = null
 
@@ -1737,7 +1737,7 @@ asset_type = Azure Active Directory
 confidence = medium
 explanation = The following analytic identifies an Azure AD user enabling a previously disabled account and resetting its password within 2 minutes. This behavior could represent an adversary who has obtained administrative access and is trying to establish a backdoor identity within an Azure AD tenant.
 how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. Specifically, this analytic leverages the AuditLogs log category.
-annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
 known_false_positives = While not common, Administrators may enable accounts and reset their passwords for legitimate reasons. Filter as needed.
 providing_technologies = null
 
@@ -1747,7 +1747,7 @@ asset_type = Azure Active Directory
 confidence = medium
 explanation = The following analytic identifies the modification of the SourceAnchor (also called ImmutableId) attribute for an Azure Active Directory user. Updating this attribute is a step required to set up the Azure Active Directory identity federation backdoor technique discovered by security researcher Nestori Syynimaa. Similar to Active Directory, Azure AD uses the concept of domains to manage directories of identities. A new Azure AD tenant will initially contain a single domain that is commonly called the `cloud-only` onmicrosoft.com domain. Organizations can also add their registered custom domains to Azure AD for email addresses to match the organizations domain name. If the organization intends to use a third-party identity provider such as ADFS for authentication, the added custom domains can be configured as federated. An adversary who has obtained privileged access to an Azure AD tenant may leverage this technique to establish persistence and be able to authenticate to Azure AD impersonating any user and bypassing the requirement to have a valid password and/or perform MFA.
 how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. Specifically, this analytic leverages the AuditLogs log category.
-annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
 known_false_positives = The SourceAnchor (also called ImmutableId) Azure AD attribute has legitimate uses for directory synchronization. Investigate and filter as needed.
 providing_technologies = null
 
@@ -1785,7 +1785,7 @@ providing_technologies = null
 type = detection
 asset_type = CircleCI
 confidence = medium
-explanation = This search looks for disable security job in CircleCI pipeline.
+explanation = This analytic searches for a specific behavior in CircleCI pipelines such as the disabling of security jobs. The detection is made by using a Splunk query that renames certain fields and retrieves values for specified job names, workflow IDs and names, user information, commit messages, URLs, and branches. Then, the query identifies mandatory jobs for each workflow and searches for instances where they were run. The search also identifies the phase of the pipeline as "build" and extracts the repository name from the URL using regular expressions. The detection is important because it detects attempts to bypass security measures in CircleCI pipelines, which can potentially lead to malicious code being introduced into the pipeline, data breaches, system downtime, and reputational damage. False positives might occur since legitimate use cases can require the disabling of security jobs. However, you can proactively monitor and identify any suspicious activity in the pipeline using this analytic and mitigate potential threats through early detection.
 how_to_implement = You must index CircleCI logs.
 annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1554"], "nist": ["DE.AE"]}
 known_false_positives = unknown
 
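Review bot: The new explanation states `False positives might occur since legitimate use cases can require the disabling of security jobs`, but the unchanged `known_false_positives = unknown` two lines below now contradicts it; the two fields are read side by side by analysts and should agree, e.g. `known_false_positives = Legitimate pipeline changes may disable security jobs. Filter as needed.`. The same mismatch is introduced in the hunks at -1795, -1909, -1919 and -2179, where the rewritten explanation discusses false positives while `known_false_positives` stays `unknown`. The sentence `searches for instances where they were run` also appears to say the opposite of what the detection is for (jobs that were disabled, not run); if the search keys on mandatory jobs that did not run, say so.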
@@ -1795,7 +1795,7 @@ providing_technologies = null
 type = detection
 asset_type = CircleCI
 confidence = medium
-explanation = This search looks for disable security step in CircleCI pipeline.
+explanation = The following analytic detects the disablement of security steps in a CircleCI pipeline. Addressing instances of security step disablement in CircleCI pipelines can mitigate the risks associated with potential security vulnerabilities and unauthorized changes. A proactive approach helps protect the organization's infrastructure, data, and overall security posture. The detection is made by a Splunk query that searches for specific criteria within CircleCI logs through a combination of field renaming, joining, and statistical analysis to identify instances where security steps are disabled. It retrieves information such as job IDs, job names, commit details, and user information from the CircleCI logs. The detection is important because it indicates potential security vulnerabilities or unauthorized changes to the pipeline caused by someone within the organization intentionally or unintentionally disabling security steps in the CircleCI pipeline.Disabling security steps can leave the pipeline and the associated infrastructure exposed to potential attacks, data breaches, or the introduction of malicious code into the pipeline. Investigate by reviewing the job name, commit details, and user information associated with the disablement of security steps. You must also examine any relevant on-disk artifacts and identify concurrent processes that might indicate the source of the attack or unauthorized change.
 how_to_implement = You must index CircleCI logs.
 annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1554"], "nist": ["DE.AE"]}
 known_false_positives = unknown
 
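Review bot: The rewritten explanation has a missing space in `CircleCI pipeline.Disabling security steps`, which ships verbatim into the .conf value; change it to `CircleCI pipeline. Disabling security steps`. The closing advice to `examine any relevant on-disk artifacts and identify concurrent processes` is endpoint triage boilerplate that does not apply to a CircleCI log source; the fields named in the previous sentence (job name, commit details, user) are the actual triage path here. The same on-disk/concurrent-process boilerplate is pasted into the rewritten explanations at -1835, -2189 and -2379, all of which are cloud or SaaS log sources with no host artifacts for the analyst to examine.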
@@ -1805,7 +1805,7 @@ providing_technologies = null
 type = detection
 asset_type = AWS Instance
 confidence = medium
-explanation = This search looks for new commands from each user role.
+explanation = The following analytic detects when a new command is run by a user, who typically does not run those commands. The detection is made by a Splunk query to search for these commands in the Change data model. Identifies commands run by users with the user_type of AssumedRole and a status of success. The query retrieves the earliest and latest timestamps of each command run and groups the results by the user and command. Then, it drops the unnecessary data model object name and creates a lookup to verify if the command was seen before. The lookup table contains information about previously seen cloud API calls for each user role, including the first time the command was seen and whether enough data is available for analysis. If the firstTimeSeenUserApiCall field is null or greater than the relative time of 24 hours ago, it indicates that the command is new and was not seen before. The final result table includes the firstTime, user, object, and command fields of the new commands. It also applies the security_content_ctime function to format the timestamps and applies a filter to remove any cloud API calls from previously unseen user roles. The detection is important because it helps to identify new commands run by different user roles. New commands can indicate potential malicious activity or unauthorized actions within the environment. Detecting and investigating these new commands can help identify and mitigate potential security threats earlier, preventing data breaches, unauthorized access, or other damaging outcomes.
 how_to_implement = You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud API Calls Per User Role - Initial` to build the initial table of user roles, commands, and times. 
You must also enable the second baseline search `Previously Seen Cloud API Calls Per User Role - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `cloud_api_calls_from_previously_unseen_user_roles_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_api_calls_from_previously_unseen_user_roles_filter`
 annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]}
 known_false_positives = .
 
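Review bot: The sentence `applies a filter to remove any cloud API calls from previously unseen user roles` inverts the detection's intent: calls from previously unseen user roles are exactly what the search is meant to surface, and the `cloud_api_calls_from_previously_unseen_user_roles_filter` macro named in how_to_implement is the operator tuning hook, not a filter that drops those calls. Suggest `It also applies the cloud_api_calls_from_previously_unseen_user_roles_filter macro so operators can exclude known-good roles.`. The fragment `Identifies commands run by users with the user_type of AssumedRole and a status of success.` has no subject; prefix it with `The query`. The `24 hours ago` window is stated as fixed, but the how_to_implement line says it is set by the `cloud_api_calls_from_previously_unseen_user_roles_activity_window` macro, so the explanation should refer to that macro rather than a hard-coded value.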
@@ -1835,7 +1835,7 @@ providing_technologies = null
 type = detection
 asset_type = Cloud Compute Instance
 confidence = medium
-explanation = This search looks for cloud compute instances being created with previously unseen image IDs.
+explanation = The following analytic detects potential instances that are created in a cloud computing environment using new or unknown image IDs that have not been seen before. This detection is important because it helps to investigate and take appropriate action to prevent further damage or unauthorized access to the Cloud environment, which can include data breaches, unauthorized access to sensitive information, or the deployment of malicious payloads within the cloud environment. False positives might occur since legitimate instances can also have previously unseen image IDs. Next steps include conducting an extensive triage and investigation to determine the nature of the activity. During triage, review the details of the created instances, including the user responsible for the creation, the image ID used, and any associated metadata. Additionally, consider inspecting any relevant on-disk artifacts and analyzing concurrent processes to identify the source of the attack.
 how_to_implement = You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Compute Images - Initial` to build the initial table of images observed and times. You must also enable the second baseline search `Previously Seen Cloud Compute Images - Update` to keep this table up to date and to age out old data. You can also provide additional filtering for this search by customizing the `cloud_compute_instance_created_with_previously_unseen_image_filter` macro.
 annotations = {"cis20": ["CIS 10"], "nist": ["DE.AE"]}
 known_false_positives = After a new image is created, the first systems created with that image will cause this alert to fire. 
Verify that the image being used was created by a legitimate user.
 
@@ -1845,7 +1845,7 @@ providing_technologies = null
 type = detection
 asset_type = Cloud Compute Instance
 confidence = medium
-explanation = Find EC2 instances being created with previously unseen instance types.
+explanation = The following analytic detects the creation of EC2 instances with previously unseen instance types. The detection is made by using a Splunk query to identify the EC2 instances. First, the query searches for changes in the EC2 instance creation action and filters for instances with instance types that are not recognized or previously seen. Next, the query uses the Splunk tstats command to gather the necessary information from the Change data model. Then, it filters the instances with unknown instance types and reviews previously seen instance types to determine if they are new or not. The detection is important because it identifies attackers attempting to create instances with unknown or potentially compromised instance types, which can be an attempt to gain unauthorized access to sensitive data, compromise of systems, exfiltrate data, potential disruption of services, or launch other malicious activities within the environment. False positives might occur since there might be legitimate reasons for creating instances with previously unseen instance types. Therefore, you must carefully review and triage all alerts.
 how_to_implement = You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Compute Instance Types - Initial` to build the initial table of instance types observed and times. You must also enable the second baseline search `Previously Seen Cloud Compute Instance Types - Update` to keep this table up to date and to age out old data. You can also provide additional filtering for this search by customizing the `cloud_compute_instance_created_with_previously_unseen_instance_type_filter` macro. 
annotations = {"cis20": ["CIS 10"], "nist": ["DE.AE"]}
 known_false_positives = It is possible that an admin will create a new system using a new instance type that has never been used before. Verify with the creator that they intended to create the system with the new instance type.
 
@@ -1909,7 +1909,7 @@ providing_technologies = null
 type = detection
 asset_type = AWS Account
 confidence = medium
-explanation = This search correlations detections by repository and risk_score
+explanation = The following analytic detects by correlating repository and risk score to identify patterns and trends in the data based on the level of risk associated. The analytic adds any null values and calculates the sum of the risk scores for each detection. Then, the analytic captures the source and user information for each detection and sorts the results in ascending order based on the risk score. Finally, the analytic filters the detections with a risk score below 80 and focuses only on high-risk detections.This detection is important because it provides valuable insights into the distribution of high-risk activities across different repositories. It also identifies the most vulnerable repositories that are frequently targeted by potential threats. Additionally, it proactively detects and responds to potential threats, thereby minimizing the impact of attacks and safeguarding critical assets. Finally, it provides a comprehensive view of the risk landscape and helps to make informed decisions to protect the organization's data and infrastructure. False positives might occur so it is important to identify the impact of the attack and prioritize response and mitigation efforts.
 how_to_implement = For Dev Sec Ops POC
 annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]}
 known_false_positives = unknown
 
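Review bot: `unknown or potentially compromised instance types` in the rewritten explanation misdescribes the signal: an EC2 instance type is a size/hardware class and cannot itself be compromised; what a previously unseen type indicates is unusual provisioning, for example large or accelerator-class instances appearing for the first time after credential theft. Suggest `The detection is important because the first use of an instance type in an account can indicate an attacker provisioning unusual or expensive capacity with stolen credentials, or a change in workload that should be verified with the creator.`. The statements that the query uses `the Splunk tstats command` and the `Change data model` are not visible in this hunk; keep them only if they match the search text.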
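Review bot: The rewritten explanation is inconsistent with its sibling at -1919: here results are sorted `in ascending order` and the analytic `filters the detections with a risk score below 80`, while the -1919 text sorts `in descending order` and keeps records `greater than 80`, so it is unclear whether "filters" means keeps or drops and whether a score of exactly 80 is included. State the threshold and direction once, from the search text, e.g. `keeps only detections whose summed risk score is above 80`. `The analytic adds any null values` is presumably meant to be `fills null values`. There is also a missing space in `high-risk detections.This detection`, which ships into the .conf value as written.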
@@ -1919,7 +1919,7 @@ providing_technologies = null
 type = detection
 asset_type = AWS Account
 confidence = medium
-explanation = This search correlations detections by user and risk_score
+explanation = The following analytic detects the correlation between the user and risk score and identifies users with a high risk score that pose a significant security risk such as unauthorized access attempts, suspicious behavior, or potential insider threats. Next, the analytic calculates the sum of the risk scores and groups the results by user, the corresponding signals, and the repository. The results are sorted in descending order based on the risk score and filtered to include records with a risk score greater than 80. Finally, the results are passed through a correlation filter specific to the user and risk. This detection is important because it identifies users who have a high risk score and helps to prioritize investigations and allocate resources. False positives might occur but the impact of such an attack can vary depending on the specific scenario such as data exfiltration, system compromise, or the disruption of critical services. Please investigate this notable event.
 how_to_implement = For Dev Sec Ops POC
 annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]}
 known_false_positives = unknown
 
@@ -2179,7 +2179,7 @@ providing_technologies = null
 type = detection
 asset_type = GitHub
 confidence = medium
-explanation = This search looks for Dependabot Alerts in Github logs.
+explanation = The following analytic is made by first searching for logs that contain the action "create" and renames certain fields for easier analysis. Then, this analytic uses the "stats" command to calculate the first and last occurrence of the alert based on the timestamp. The fields included in the output are the action, affected package name, affected range, created date, external identifier, external reference, fixed version, severity, repository, repository URL, and user. The "phase" field is set to "code" to indicate that the alert pertains to code-related issues. The detection is important because dependabot Alerts can indicate vulnerabilities in the codebase that can be exploited by attackers. Detecting and investigating these alerts can help a SOC to proactively address security risks and prevent potential breaches or unauthorized access to sensitive information. False positives might occur since there are legitimate actions that trigger the "create" action or if other factors exist that can generate similar log entries. Next steps include reviewing the details of the alert, such as the affected package, severity, and fixed version to determine the appropriate response and mitigation steps.
 how_to_implement = You must index GitHub logs. You can follow the url in reference to onboard GitHub logs.
 annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1195.001", "T1195"], "nist": ["DE.AE"]}
 known_false_positives = unknown
 
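Review bot: The new explanation does not say what the analytic detects until its fifth sentence; the one-liner it replaces did (`Dependabot Alerts in Github logs`). Open with `The following analytic detects Dependabot alerts in GitHub audit logs.` and then describe the search, and write `dependabot Alerts` as `Dependabot alerts`. The claim that `"create"` can be triggered by `legitimate actions` is not a false positive for an alert-forwarding detection, since every Dependabot alert is a real finding; the known_false_positives field on the next lines is still `unknown`, and the two should be reconciled.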
@@ -2189,7 +2189,7 @@ providing_technologies = null
 type = detection
 asset_type = GitHub
 confidence = medium
-explanation = This search looks for Pull Request from unknown user.
+explanation = The following analytic detects pull requests from unknown users on GitHub. The detection is made by using a Splunk query to search for pull requests in the `check_suite.pull_requests` field where the `id` is not specified. Next, the analytic retrieves information such as the author's name, the repository's full name, the head reference of the pull request, and the commit message from the `check_suite.head_commit` field. The analytic also includes a step to exclude known users by using the `github_known_users` lookup table, which helps to filter out pull requests from known users and focus on the pull requests from unknown users. The detection is important because it locates potential malicious activity or unauthorized access since unknown users can introduce malicious code or gain unauthorized access to repositories leading to unauthorized code changes, data breaches, or other security incidents. Next steps include reviewing the author's name, the repository involved, the head reference of the pull request, and the commit message upon triage of a potential pull request from an unknown user. You must also analyze any relevant on-disk artifacts and investigate any concurrent processes to determine the source and intent of the pull request."
 how_to_implement = You must index GitHub logs. You can follow the url in reference to onboard GitHub logs.
 annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1195.001", "T1195"], "nist": ["DE.AE"]}
 known_false_positives = unknown
 
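Review bot: The rewritten explanation ends with a stray `"` after `intent of the pull request.`, which is written verbatim into the .conf value and will show up in the UI; drop it. The phrase `where the id is not specified` is ambiguous about what is being matched on `check_suite.pull_requests` (a missing field versus an empty one); if it is derived from the search text, quote the actual condition, otherwise drop it. The reference to `on-disk artifacts` and `concurrent processes` does not apply to GitHub audit events; the triage path here is the `github_known_users` lookup and the author, repository and head commit fields named in the same paragraph.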
@@ -2379,7 +2379,7 @@ providing_technologies = null
 type = detection
 asset_type = Office 365
 confidence = medium
-explanation = The following search detects the addition of a new Federated domain in O365 environments. If an attacker adds an unverified domain to Office 365, they may gain unauthorized access to the organization's email and other services, potentially leading to data breaches and information theft. It can be misused to set up adversary infrastruture for phishing, spoofing emails and malware distribution.
+explanation = The following analytic detects the addition of a new federated domain in an organization's Office 365 environment. Identifies instances where a new federated domain is added to the organization's Office 365 configuration and helps to take immediate action to mitigate the risks, prevent further unauthorized access, and protect the organization's data and systems. The detection is made by the Splunk query `o365_management_activity` with the parameters `Workload=Exchange` and `Operation="Add-FederatedDomain"`, which analyzes the management activity logs in Office 365 and filters for the specific operation to add a federated domain. The detection is important because identifying the addition of a new federated domain can indicate potential unauthorized access or compromise of the organization's Office 365 environment. A new Federated domain can be added by an attacker to gain unauthorized access, exfiltrate data, or carry out other malicious activity, which can lead to data breaches, unauthorized access to sensitive information, or compromise of the organization's systems and infrastructure. Next steps include viewing the details of the added federated domain, including the organization name, originating server, user ID, and user key. You must also capture and analyze any relevant on-disk artifacts. Additionally, you must identify the source of the attack by looking for concurrent processes or other indicators of compromise.
 how_to_implement = You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity.
 annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003", "T1136"], "nist": ["DE.CM"]}
 known_false_positives = The creation of a new Federated domain is not necessarily malicious, however these events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a similar or different cloud provider.
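Review bot: The second sentence of the new `+explanation` has no subject (`Identifies instances where a new federated domain is added ...`) and reads as a fragment; change it to `It identifies instances where ...` or fold it into the first sentence. The removed text's concrete consequence (an attacker-controlled domain being used for phishing, email spoofing and malware distribution) was more specific than the generic "exfiltrate data, or carry out other malicious activity" that replaces it; keep one sentence with that concrete risk, since it is what an analyst uses to prioritise the alert. Capitalisation of `federated`/`Federated` also varies within the same line.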
@@ -2419,7 +2419,7 @@ providing_technologies = null
 type = detection
 asset_type = Office 365
 confidence = medium
-explanation = This search detects when multiple user configured a forwarding rule to the same destination.
+explanation = The following analytic detects when multiple users have configured a forwarding rule to the same destination to proactively identify and investigate potential security risks related to email forwarding and take appropriate actions to protect the organization's data and prevent unauthorized access or data breaches. This detection is made by a Splunk query to O365 management activity logs with the operation `Set-Mailbox` to gather information about mailbox configurations. Then, the query uses the `spath` function to extract the parameters and rename the "Identity" field as "src_user" and searches for entries where the "ForwardingSmtpAddress" field is not empty, which indicates the presence of a forwarding rule. Next, the analytic uses the `stats` command to group the results by the forwarding email address and count the number of unique source users (`src_user`). Finally, it filters the results and only retains entries where the count of source users (`count_src_user`) is greater than 1, which indicates that multiple users have set up forwarding rules to the same destination. This detection is important because it suggests that multiple users are forwarding emails to the same destination without proper authorization, which can lead to the exposure of sensitive information, loss of data control, or unauthorized access to confidential emails. Investigating and addressing this issue promptly can help prevent data breaches and mitigate potential damage.indicates a potential security risk since multiple users forwarding emails to the same destination can be a sign of unauthorized access, data exfiltration, or a compromised account.
Additionally, it also helps to determine if the forwarding rules are legitimate or if they indicate a security incident. False positives can occur if there are legitimate reasons for multiple users to forward emails to the same destination, such as a shared mailbox or a team collaboration scenario. Next steps include further investigation and context analysis to determine the legitimacy of the forwarding rules.
 how_to_implement = You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity
 annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114.003", "T1114"], "nist": ["DE.AE"]}
 known_false_positives = unknown
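Review bot: The new `+explanation` contains a fused sentence, `... mitigate potential damage.indicates a potential security risk since multiple users ...`, which looks like two drafts merged without a join; rewrite it as `... mitigate potential damage. This activity indicates a potential security risk since multiple users forwarding emails to the same destination can be a sign of unauthorized access, data exfiltration, or a compromised account.`. The following sentence, `Additionally, it also helps`, is doubly redundant; `It also helps` is enough. The text now documents a concrete benign case (shared mailbox, team collaboration) while the unchanged `known_false_positives = unknown` line does not; if the source YAML is where this is generated from, the same false-positive note should be carried into that field.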
@@ -3315,7 +3315,7 @@ providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response"
 type = detection
 asset_type = Windows
 confidence = medium
-explanation = The following analytic is designed to detect potentially malicious activities involving the Local Security Authority Subsystem Service (LSASS) process. Specifically, it identifies when the LSASS process memory is being dumped, an action often associated with credential dumping attacks. This analytic leverages Sysmon logs, particularly those with EventCode 10 related to lsass.exe. It searches for indicators of LSASS memory dumping, such as specific call traces to dbgcore.dll and dbghelp.dll. While memory dumps can be legitimate administrative tasks, LSASS memory dumps are typically unusual and warrant investigation. To implement this analytic, ensure your Sysmon setup includes EventCode 10 logging for lsass.exe and customize the provided macros (sysmon and post-filter macro) to match your specific Splunk environment configuration.
+explanation = The following analytic detects the dumping of the LSASS process memory, which occurs during credential dumping attacks.The detection is made by using Sysmon logs, specifically EventCode 10, which is related to lsass.exe. This helps to search for indicators of LSASS memory dumping such as specific call traces to dbgcore.dll and dbghelp.dll. This detection is important because it prevents credential dumping attacks and the theft of sensitive information such as login credentials, which can be used to gain unauthorized access to systems and data. False positives might occur due to legitimate administrative tasks. Next steps include reviewing and investigating each case, given the high risk associated with potential credential dumping attacks.
 how_to_implement = This search requires Sysmon Logs and a Sysmon configuration, which includes EventCode 10 for lsass.exe. This search uses an input macro named `sysmon`.
We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.
 annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]}
 known_false_positives = Administrators can create memory dumps for debugging purposes, but memory dumps of the LSASS process would be unusual.
@@ -3405,7 +3405,7 @@ providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response"
 type = detection
 asset_type = Endpoint
 confidence = medium
-explanation = This analytic detects a potential suspicious modification of firewall rule registry allowing inbound traffic in specific port with public profile. This technique was identified when an adversary wants to grant remote access to a machine by allowing the traffic in a firewall rule.
+explanation = The following analytic detects a potential suspicious modification of firewall rule registry allowing inbound traffic in specific port with public profile. This technique was identified when an adversary wants to grant remote access to a machine by allowing the traffic in a firewall rule.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
 annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.001", "T1021"], "nist": ["DE.CM"]}
 known_false_positives = network admin may add/remove/modify public inbound firewall rule that may cause this rule to be triggered.
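Review bot: The new `+explanation` in the `-3315` hunk claims the detection `prevents credential dumping attacks`; a search only surfaces the activity after the fact, and overstating this misleads anyone reading the notable. Rewrite that sentence as `This detection is important because it surfaces attempts to dump LSASS memory, which attackers use to steal login credentials and gain unauthorized access to systems and data.`. The same line is also missing a space in `credential dumping attacks.The detection`. Nothing further to raise on the `-3405` hunk, which is a wording-only change.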
@@ -3475,7 +3475,7 @@ providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response"
 type = detection
 asset_type = Endpoint
 confidence = medium
-explanation = The following analytic aims to identify the use of tools commonly exploited by cybercriminals. The use of these tools often signals nefarious activities like unauthorized access, network scanning, or data exfiltration, representing a significant threat to an organization's security infrastructure. By examining process activity on the host, particularly those processes corresponding to known attacker tool names, this analytic serves as an early warning system for potential security incidents. However, its precision must be balanced with the understanding that some administrative activities might also trigger alerts, resulting in false positives. This underlines the importance of cyber analysts having a clear understanding of typical endpoint activities and behaviors within their organization, enabling them to accurately interpret and respond to these alerts.
+explanation = The following analytic detects the use of tools that are commonly exploited by cybercriminals since these tools are usually associated with malicious activities such as unauthorized access, network scanning, or data exfiltration and pose a significant threat to an organization's security infrastructure. It also provides enhanced visibility into potential security threats and helps to proactively detect and respond to mitigate the risks associated with cybercriminal activities. This detection is made by examining the process activity on the host, specifically focusing on processes that are known to be associated with attacker tool names. This detection is important because it acts as an early warning system for potential security incidents that allows you to respond to security incidents promptly. False positives might occur due to legitimate administrative activities that can resemble malicious actions.
You must develop a comprehensive understanding of typical endpoint activities and behaviors within the organization to accurately interpret and respond to the alerts generated by this analytic. This ensures a proper balance between precision and minimizing false positives.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
 annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Reconnaissance"], "mitre_attack": ["T1036.005", "T1036", "T1003", "T1595"], "nist": ["DE.CM"]}
 known_false_positives = Some administrator activity can be potentially triggered, please add those users to the filter macro.
@@ -3485,7 +3485,7 @@ providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response"
 type = detection
 asset_type = Endpoint
 confidence = medium
-explanation = The following analytic is designed to detect potential security threats involving the misuse of system trust. It works by detecting events where a process attempts to add a certificate to the untrusted certificate store, an action often associated with disabling security tools. The analytic uses Sysmon Event ID 1 data source, particularly focusing on process activities and command-line arguments related to 'certutil -addstore'. It's essential to ingest data that records process activity and logs containing process names and command lines for its effective operation. Be aware, sometimes administrators might legitimately perform this action. The analytic's value lies in detecting isolated or unexpected instances, indicative of potential malicious activities. Cybersecurity analysts should understand the importance of trust mechanisms and their subversion in system security.
+explanation = The following analytic detects whether a process is attempting to add a certificate to the untrusted certificate store, which might result in security tools being disabled. The detection is made by focusing on process activities and command-line arguments that are related to the 'certutil -addstore' command. This detection is important because it helps to identify attackers who might add a certificate to the untrusted certificate store to disable security tools and gain unauthorized access to a system. False positives might occur since legitimate reasons might exist for a process to add a certificate to the untrusted certificate store, such as system administration tasks. Next steps include conducting an extensive triage and investigation prior to taking any action. Additionally, you must understand the importance of trust and its subversion in system security.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
 annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1553.004", "T1553"], "nist": ["DE.CM"]}
 known_false_positives = There may be legitimate reasons for administrators to add a certificate to the untrusted certificate store. In such cases, this will typically be done on a large number of systems.
@@ -3495,7 +3495,7 @@ providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response"
 type = detection
 asset_type = Endpoint
 confidence = medium
-explanation = This search looks for attempts to stop security-related services on the endpoint.
+explanation = The following analytic detects attempts to stop security-related services on the endpoint and helps to mitigate potential threats earlier, thereby minimizing the impact on the organization's security. The detection is made by using a Splunk query that searches for processes that involve the "sc.exe" command and include the phrase "stop" in their command. The query collects information such as the process name, process ID, parent process, user, destination, and timestamps. The detection is important because attempts to stop security-related services can indicate malicious activity or an attacker's attempt to disable security measures. This can impact the organization's security posture and can lead to the compromise of the endpoint and potentially the entire network. Disabling security services can allow attackers to gain unauthorized access, exfiltrate sensitive data, or launch further attacks, such as malware installation or privilege escalation. False positives might occur since there might be legitimate reasons for stopping these services in certain situations. Therefore, you must exercise caution and consider the context of the activity before taking any action. Next steps include reviewing the identified process and its associated details. You must also investigate any on-disk artifacts related to the process and review concurrent processes to determine the source of the attack.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed.
To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
 annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 known_false_positives = None identified. Attempts to disable security-related services should be identified and understood.
@@ -3725,7 +3725,7 @@ providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response"
 type = detection
 asset_type = Endpoint
 confidence = medium
-explanation = This analytic detects a potential process using COM Object like CMLUA or CMSTPLUA to bypass UAC. This technique has been used by ransomware adversaries to gain administrative privileges to its running process.
+explanation = The following analytic detects a potential process using COM Object like CMLUA or CMSTPLUA to bypass UAC. This technique has been used by ransomware adversaries to gain administrative privileges to its running process.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
 annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.003"], "nist": ["DE.CM"]}
 known_false_positives = Legitimate windows application that are not on the list loading this dll. Filter as needed.
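Review bot: In the `-3495` hunk the new `+explanation` says false positives `might occur since there might be legitimate reasons for stopping these services`, while the unchanged `known_false_positives = None identified.` line directly below contradicts it. Pick one position; since the explanation already describes the legitimate case, the cleaner fix is to update the false-positive field at its source to `Legitimate administrative stops of security services are possible; verify the change was authorized.`. The `-3725` hunk on this line is wording-only and raises nothing.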
@@ -3746,7 +3746,7 @@ providing_technologies = null
 type = detection
 asset_type = Endpoint
 confidence = medium
-explanation = The search looks for file modifications with extensions commonly used by Ransomware
+explanation = The following analytic detects Searches for file modifications that commonly occur with Ransomware to detect modifications to files with extensions that are commonly used by Ransomware. The detection is made by searches for changes in the datamodel=Endpoint.Filesystem, specifically modifications to file extensions that match those commonly used by Ransomware. The detection is important because it suggests that an attacker is attempting to encrypt or otherwise modify files in the environment using malware, potentially leading to data loss that can cause significant damage to an organization's data and systems. False positives might occur so the SOC must investigate the affected system to determine the source of the modification and take appropriate action to contain and remediate the attack.
 how_to_implement = You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint Filesystem data model node. To see the additional metadata, add the following fields, if not already present, please review the detailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`
 annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.AE"]}
 known_false_positives = It is possible for a legitimate file with these extensions to be created. If this is a true ransomware attack, there will be a large number of files created with these extensions.
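Review bot: The first two sentences of the new `+explanation` are garbled (`detects Searches for file modifications ... to detect modifications ...` and `is made by searches for changes in the datamodel=Endpoint.Filesystem`), apparently a template fragment pasted over the old text. Replace them with `The following analytic detects modifications to files with extensions that are commonly used by ransomware. The detection is made by searching the Endpoint.Filesystem data model for file modification events whose extension matches a list of known ransomware extensions.`. The capitalised `Ransomware` should be lower-case throughout, matching the other explanations in this file.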
@@ -3786,7 +3786,7 @@ providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response"
 type = detection
 asset_type = Endpoint
 confidence = medium
-explanation = This search looks for the creation of local administrator accounts using net.exe .
+explanation = The following analytic detects the creation of local administrator accounts using the net.exe command to mitigate the risks associated with unauthorized access and prevent further damage to the environment by responding to potential threats earlier and taking appropriate actions to protect the organization's systems and data. This detection is made by a Splunk query to search for processes with the name net.exe or net1.exe that include the "/add" parameter and have specific keywords related to administrator accounts in their process name. This detection is important because the creation of unauthorized local administrator accounts might indicate that an attacker has successfully created a new administrator account and is trying to gain persistent access to a system or escalate their privileges for data theft, or other malicious activities. False positives might occur since there might be legitimate uses of the net.exe command and the creation of administrator accounts in certain circumstances. You must consider the context of the activity and other indicators of compromise before taking any action. For next steps, review the details of the identified process, including the user, parent process, and parent process name. Examine any relevant on-disk artifacts and look for concurrent processes to determine the source of the attack.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process.
Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
 annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.001", "T1136"], "nist": ["DE.CM"]}
 known_false_positives = Administrators often leverage net.exe to create admin accounts.
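Review bot: The new `+explanation` says the query looks for the `"/add"` parameter and administrator-account keywords `in their process name`; a `/add` switch and group keywords can only appear in the command line, not the image name, so if the SPL matches on `Processes.process` this should read `in their command line`. The SPL itself is not in this hunk, so please confirm against the search before changing the wording. The opening sentence also chains the detection, its goal and the recommended response into one 50-word clause; splitting it after `net.exe command.` would match the style of the other rewritten explanations.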
@@ -3796,7 +3796,7 @@ providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response"
 type = detection
 asset_type = Endpoint
 confidence = medium
-explanation = This search looks for the creation or deletion of hidden shares using net.exe.
+explanation = The following analytic detects the creation or deletion of hidden shares using the net.exe command for prompt response and mitigation to enhance the overall security posture of the organization and protect against potential data breaches, malware infections, and other damaging outcomes. This detection is made by searching for processes that involve the use of net.exe and filters for actions related to creation or deletion of shares. This detection is important because it suggests that an attacker is attempting to manipulate or exploit the network by creating or deleting hidden shares. The creation or deletion of hidden shares can indicate malicious activity since attackers might use hidden shares to exfiltrate data, distribute malware, or establish persistence within a network. The impact of such an attack can vary, but it often involves unauthorized access to sensitive information, disruption of services, or the introduction of malware. False positives might occur since legitimate actions can also involve the use of net.exe. An extensive triage and investigation is necessary to determine the intent and nature of the detected activity. Next steps include reviewing the details of the process involving the net.exe command, including the user, parent process, and timestamps during the triage. Additionally, capture and inspect any relevant on-disk artifacts and review concurrent processes to identify the source of the attack.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed.
To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
 annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070", "T1070.005"], "nist": ["DE.CM"]}
 known_false_positives = Administrators often leverage net.exe to create or delete network shares. You should verify that the activity was intentional and is legitimate.
@@ -3816,7 +3816,7 @@ providing_technologies = null
 type = detection
 asset_type = Windows
 confidence = medium
-explanation = The following analytic developed to detect potential credential dumping attacks where a remote thread is created in the Local Security Authority Subsystem Service (LSASS). Credential dumping, a common tactic used by adversaries to steal user authentication credentials, is a significant threat to network security. The analytic leverages Sysmon Event ID 8 logs and looks for processes creating remote threads in lsass.exe, an unusual activity generally linked to credential theft. The confidence level in this alert is high, but it's worth noting that there might be cases where legitimate tools can access LSASS, generating similar logs. As an analyst, it is critical to understand the broader context of such events and differentiate between legitimate activities and possible threats.
+explanation = The following analytic detects the creation of a remote thread in the Local Security Authority Subsystem Service (LSASS), which is a common tactic used by adversaries to steal user authentication credentials, known as credential dumping. The detection is made by leveraging Sysmon Event ID 8 logs and searches for processes that create remote threads in lsass.exe. This is an unusual activity that is generally linked to credential theft or credential dumping, which is a significant threat to network security. The detection is important because it helps to detect potential credential dumping attacks, which can result in significant damage to an organization's security. False positives might occur though the confidence level of this alert is high. There might be cases where legitimate tools can access LSASS and generate similar logs. Therefore, you must understand the broader context of such events and differentiate between legitimate activities and possible threats.
 how_to_implement = This search needs Sysmon Logs with a Sysmon configuration, which includes EventCode 8 with lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.
 annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]}
 known_false_positives = Other tools can access LSASS for legitimate reasons and generate an event. In these cases, tweaking the search may help eliminate noise.
@@ -3846,7 +3846,7 @@ providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response"
 type = detection
 asset_type = Endpoint
 confidence = medium
-explanation = This search detects the use of wmic and Powershell to create a shadow copy.
+explanation = The following analytic detects the use of two specific tools, wmic and Powershell, to create a shadow copy to identify potential threats earlier and take appropriate actions to mitigate the risks. This detection is made by a Splunk query that searches for processes in the Endpoint.Processes data model where either the process name contains "wmic" or "Powershell" and the process command contains "shadowcopy" and "create". This detection is important because it suggests that an attacker is attempting to manipulate or access data in an unauthorized manner, which can lead to data theft, data manipulation, or other malicious activities. Attackers might use shadow copies to backup and exfiltrate sensitive data or to hide their tracks by restoring files to a previous state after an attack. Next steps include reviewing the user associated with the process, the process name, the original file name, the process command, and the destination of the process. Additionally, examine any relevant on-disk artifacts and review other concurrent processes to determine the source of the attack.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model.
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
 annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"]}
 known_false_positives = Legtimate administrator usage of wmic to create a shadow copy.
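Review bot: The "why it matters" sentence in the new `+explanation` (`Attackers might use shadow copies to backup and exfiltrate sensitive data or to hide their tracks by restoring files to a previous state`) does not match the detection's own annotation `T1003.003` (OS Credential Dumping: NTDS) or the companion detection in the `-3856` hunk, which looks for copies of `sam`, `security`, `system` and `ntds.dit` out of a shadow copy. The reason an analyst should care is that an ad-hoc shadow copy gives read access to the locked NTDS.dit and SAM files, so this event is typically the first step of offline credential extraction; say that instead, e.g. `Attackers create a shadow copy to obtain a readable copy of locked files such as NTDS.dit or the SAM hive for offline credential extraction.`. The rewrite also dropped the false-positive sentence that every other rewritten explanation carries, while `known_false_positives` still names legitimate administrator use; add `False positives might occur from legitimate backup or administrative use of wmic or PowerShell to create shadow copies.`.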
@@ -3856,7 +3856,7 @@ providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response" type = detection asset_type = Endpoint confidence = medium -explanation = This search detects credential dumping using copy command from a shadow copy. +explanation = The following analytic detects the use of the copy command to dump credentials from a shadow copy so that you can detect potential threats earlier and mitigate the risks associated with credential dumping. The detection is made by using a Splunk query to search for specific processes that indicate credential dumping activity. The query looks for processes with command lines that include references to certain files, such as "sam", "security", "system", and "ntds.dit", located in system directories like "system32" or "windows". The detection is important because it suggests that an attacker is attempting to extract credentials from a shadow copy. Credential dumping is a common technique used by attackers to obtain sensitive login information and gain unauthorized access to systems to escalate privileges, move laterally within the network, or gain unauthorized access to sensitive data. False positives might occur since legitimate processes might also reference these files. During triage, it is crucial to review the process details, including the source and the command that is run. Additionally, you must capture and analyze any relevant on-disk artifacts and investigate concurrent processes to determine the source of the attack how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. 
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"]} known_false_positives = unknown 
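Review bot: The new explanation contradicts the stanza's `known_false_positives = unknown`: it states that "False positives might occur since legitimate processes might also reference these files", and whichever is correct should appear in both fields. It also never mentions the shadow copy itself, although the rule title is about copying from one: the query is described as matching command lines that reference sam, security, system or ntds.dit under system32 or windows, which as worded would also fire on ordinary reads of those paths. If the search keys on a `HarddiskVolumeShadowCopy` source path, say so, e.g. `The query looks for copy commands whose source is a HarddiskVolumeShadowCopy path and whose target is one of sam, security, system or ntds.dit.` The final sentence ("...to determine the source of the attack") is also missing its terminating period.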
@@ -3866,7 +3866,7 @@ providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response" type = detection asset_type = Endpoint confidence = medium -explanation = This search detects the creation of a symlink to a shadow copy. +explanation = The following analytic detects the creation of a symlink to a shadow copy to identify potential threats earlier and mitigate the risks associated with symlink creation to shadow copies. The detection is made by using a Splunk query that searches for processes with commands containing "mklink" and "HarddiskVolumeShadowCopy". This analytic retrieves information such as the destination, user, process name, process ID, parent process, original file name, and parent process ID from the Endpoint.Processes data model. The detection is important because it indicates potential malicious activity since attackers might use this technique to manipulate or delete shadow copies, which are used for system backup and recovery. This detection helps to determine if an attacker is attempting to cover their tracks or prevent data recovery in the event of an incident. The impact of such an attack can be significant since it can hinder incident response efforts, prevent data restoration, and potentially lead to data loss or compromise. Next steps include reviewing the details of the process, such as the destination and the user responsible for creating the symlink. Additionally, you must examine the parent process, any relevant on-disk artifacts, and concurrent processes to identify the source of the attack. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. 
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"]} known_false_positives = unknown 
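Review bot: The new explanation misstates the technique and contradicts the `mitre_attack` mapping of T1003.003 in the same hunk: `mklink` to a `HarddiskVolumeShadowCopy` path exposes the snapshot so locked files (NTDS.dit, SAM and SYSTEM hives) can be copied; it is not used to "manipulate or delete shadow copies" or to "prevent data recovery", which is a different behavior (shadow copy deletion, mapped under T1490). Suggest replacing the two sentences from "The detection is important because..." through "...data loss or compromise." with `The detection is important because a symlink to a shadow copy is a common precursor to credential dumping: once the snapshot is reachable through the link, an attacker can copy NTDS.dit or the SAM and SYSTEM hives without the operating system holding a lock on them.` The next-steps sentence can stay as written.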
@@ -3946,7 +3946,7 @@ providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response"
 type = detection
 asset_type = Endpoint
 confidence = medium
-explanation = This search detects the heap-based buffer overflow of sudoedit
+explanation = The following analytic detects a specific type of vulnerability known as a heap-based buffer overflow in the sudoedit command, commonly referred to as Baron Samedit CVE-2021-3156. The detection is made by a Splunk query that searches for instances of the sudoedit command with the "-s" flag followed by a double quote. This combination of parameters is indicative of the vulnerability being exploited. The detection is important because it suggests that an attacker is attempting to exploit the Baron Samedit vulnerability. The Baron Samedit vulnerability allows an attacker to gain elevated privileges on a Linux system and run arbitrary code with root privileges, potentially leading to complete control over the affected system. The impact of a successful attack can be severe since it allows the attacker to bypass security measures and gain unauthorized access to sensitive data or systems. This can result in data breaches, unauthorized modifications, or even complete system compromise. Next steps include being aware of this vulnerability and actively monitoring any attempts to exploit it. By detecting and responding to such attacks in a timely manner, you can prevent or minimize the potential damage caused by the heap-based buffer overflow of sudoedit.
 how_to_implement = Splunk Universal Forwarder running on Linux systems, capturing logs from the /var/log directory. The vulnerability is exposed when a non privledged user tries passing in a single \ character at the end of the command while using the shell and edit flags.
 annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.CM"]}
 known_false_positives = unknown
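Review bot: The new explanation says the query looks for `sudoedit` with the `-s` flag "followed by a double quote", while the `how_to_implement` line in the same hunk says the vulnerability is exposed by a single trailing backslash; CVE-2021-3156 is triggered by the trailing `\`, so the explanation text is most likely wrong and should be checked against the actual search string. Suggest `The detection is made by a Splunk query that searches for sudoedit invoked with the -s (shell) flag and an argument ending in a single backslash, which is the input that triggers the overflow.` The sentence "Next steps include being aware of this vulnerability and actively monitoring any attempts to exploit it" says nothing actionable; replace it with concrete triage such as `Next steps include confirming the host's sudo version is patched (the fix shipped in sudo 1.9.5p2), identifying the invoking user and parent shell, and checking for accompanying sudoedit segfaults on the same host.`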
@@ -3956,7 +3956,7 @@ providing_technologies = null
 type = detection
 asset_type = Endpoint
 confidence = medium
-explanation = This search detects the heap-based buffer overflow of sudoedit
+explanation = The following analytic detects the occurrence of a heap-based buffer overflow in sudoedit.The detection is made by using a Splunk query to identify Linux hosts where the terms "sudoedit" and "segfault" appear in the logs. The detection is important because the heap-based buffer overflow vulnerability in sudoedit can be exploited by attackers to gain elevated root privileges on a vulnerable system, which might lead to the compromise of sensitive data, unauthorized access, and other malicious activities. False positives might occur. Therefore, you must review the logs and investigate further before taking any action.
 how_to_implement = Splunk Universal Forwarder running on Linux systems (tested on Centos and Ubuntu), where segfaults are being logged. This also captures instances where the exploit has been compiled into a binary. The detection looks for greater than 5 instances of sudoedit combined with segfault over your search time period on a single host
 annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.CM"]}
 known_false_positives = If sudoedit is throwing segfaults for other reasons this will pick those up too.
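Review bot: The new explanation omits the one detail an analyst needs for tuning: per `how_to_implement` in the same hunk, the search only fires when more than 5 `sudoedit` segfaults occur on a single host within the search window, but the explanation reads as if any single event containing the two terms triggers it. Suggest `The detection is made by a Splunk query that counts log events containing both "sudoedit" and "segfault" per Linux host and alerts when more than 5 occur within the search time range.` Also, "sudoedit.The detection" is missing a space, and "False positives might occur" should point to the concrete case already given in known_false_positives (segfaults from other sudoedit crashes).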
@@ -3966,7 +3966,7 @@ providing_technologies = null type = detection asset_type = Endpoint confidence = medium -explanation = This search detects the heap-based buffer overflow of sudoedit +explanation = The following analytic detects the heap-based buffer overflow for the sudoedit command and identifies instances where the command "sudoedit -s *" is run using the osquery_process data source. This indicates that the sudoedit command is used with the "-s" flag, which is associated with the heap-based buffer overflow vulnerability. The detection is important because it indicates a potential security vulnerability, specifically Baron Samedit CVE-2021-3156, which helps to identify and respond to potential heap-based buffer overflow attacks to enhance the security posture of the organization. This vulnerability allows an attacker to escalate privileges and potentially gain unauthorized access to the system. If the attack is successful, the attacker can gain full control of the system, run arbitrary code, or access sensitive data. Such attacks can lead to data breaches, unauthorized access, and potential disruption of critical systems. False positives might occur since the legitimate use of the sudoedit command with the "-s" flag can also trigger this detection. You must carefully review and validate the findings before taking any action. Next steps include investigating all true positive detections promptly, reviewing the associated processes, gather relevant artifacts, identifying the source of the attack to contain the threat, mitigate the risks, and prevent further damage to the environment. how_to_implement = OSQuery installed and configured to pick up process events (info at https://osquery.io) as well as using the Splunk OSQuery Add-on https://splunkbase.splunk.com/app/4402. The vulnerability is exposed when a non privledged user tries passing in a single \ character at the end of the command while using the shell and edit flags. 
 annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.CM"]}
 known_false_positives = unknown
@@ -3992,6 +3992,16 @@ annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Insta
 known_false_positives = Unknown, partial script block matches.
 providing_technologies = ["Microsoft Windows"]
+[savedsearch://ESCU - Detect Certipy File Modifications - Rule]
+type = detection
+asset_type = Endpoint
+confidence = medium
+explanation = The following analytic identifies when the attacker tool Certipy is used to enumerate Active Directory Certificate Services (AD CS) environments. The default behavior of this toolkit drops a number of file uniquely named files or file extensions related to it's information gathering and exfiltration process.
+how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints as well as file creation or deletion events.
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1649", "T1560"], "nist": ["DE.CM"]}
+known_false_positives = Unknown
+providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
+
 [savedsearch://ESCU - Detect Computer Changed with Anonymous Account - Rule]
 type = detection
 asset_type = Windows
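Review bot: The new explanation for the osquery analytic presents the `-s` flag itself as the indicator ("which is associated with the heap-based buffer overflow vulnerability"), but `-s` is the ordinary shell-mode switch and the overflow needs the trailing backslash described in `how_to_implement`; as written the explanation overstates what a match means. Suggest `This analytic matches any osquery process event for "sudoedit -s *", which also covers legitimate shell-mode use; the exploit specifically requires an argument ending in a single backslash, so treat a match as a lead and corroborate it with the sudoedit segfault analytic.` The closing "Next steps" sentence also mixes verb forms ("investigating ... reviewing ... gather ... identifying") and should be made parallel.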
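Review bot: The new Certipy stanza's `how_to_implement` asks for process name, parent process and command-line logs, while the explanation and the rule title describe a file-modification detection that needs "file creation or deletion events"; if the search runs against a filesystem data model rather than Processes, the process-logging requirement is misleading and the required data-model node should be named, as the neighbouring stanzas do with `Processes`. The explanation also has two typos: "drops a number of file uniquely named files" and "it's information gathering" (should be "its"). Because the match is on Certipy's default output file names and extensions, an operator who renames the output evades it; `known_false_positives` or the explanation should state that limitation, e.g. `This analytic relies on Certipy's default output file names, which can be changed by the operator; treat it as an anomaly-level indicator and corroborate with AD CS enrollment or LDAP enumeration telemetry.`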
@@ -4018,7 +4028,7 @@ providing_technologies = ["Microsoft Windows"] type = detection asset_type = Windows confidence = medium -explanation = This search looks for reading lsass memory consistent with credential dumping. +explanation = The following analytic detects the reading of lsass memory, which is consistent with credential dumping. Reading lsass memory is a common technique used by attackers to steal credentials from the Windows operating system. The detection is made by monitoring the sysmon events and filtering for specific access permissions (0x1010 and 0x1410) on the lsass.exe process helps identify potential instances of credential dumping.The detection is important because it suggests that an attacker is attempting to extract credentials from the lsass memory, which can lead to unauthorized access, data breaches, and compromise of sensitive information. Credential dumping is often a precursor to further attacks, such as lateral movement, privilege escalation, or data exfiltration. False positives can occur due to legitimate actions that involve accessing lsass memory. Therefore, extensive triage and investigation are necessary to differentiate between malicious and benign activities. how_to_implement = This search needs Sysmon Logs and a sysmon configuration, which includes EventCode 10 with lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives. annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]} known_false_positives = The activity may be legitimate. Other tools can access lsass for legitimate reasons, and it's possible this event could be generated in those cases. 
In these cases, false positives should be fairly obvious and you may need to tweak the search to eliminate noise. 
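Review bot: The sentence "The detection is made by monitoring the sysmon events and filtering for specific access permissions (0x1010 and 0x1410) on the lsass.exe process helps identify potential instances of credential dumping" is ungrammatical (two predicates) and should name the event it relies on, e.g. `The detection is made by monitoring Sysmon EventCode 10 (ProcessAccess) events targeting lsass.exe and filtering on GrantedAccess values 0x1010 and 0x1410.` Decoding the masks would also make the coverage clear: 0x1010 is PROCESS_VM_READ plus PROCESS_QUERY_LIMITED_INFORMATION and 0x1410 adds PROCESS_QUERY_INFORMATION, so tools that open lsass with broader access masks are not matched by this analytic and need a separate rule. That coverage caveat belongs in the explanation so the rule is not assumed to catch every lsass read.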
@@ -4156,7 +4166,7 @@ providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response" type = detection asset_type = Windows confidence = medium -explanation = This search looks for newly created accounts that have been elevated to local administrators. +explanation = The following analytic detects the creation of new accounts that have been elevated to local administrators so that you can take immediate action to mitigate the risks and prevent further unauthorized access or malicious activities. This detection is made by using the Splunk query `wineventlog_security` EventCode=4720 OR (EventCode=4732 Group_Name=Administrators) to search for relevant security events in the Windows event log. When a new account is created or an existing account is added to the Administrators group, this analytic identifies this behavior by looking for EventCode 4720 (A user account was created) or EventCode 4732 (A member was added to a security-enabled global group). This analytic specifically focuses on events where the Group_Name is set to Administrators. This detection is important because it suggests that an attacker has gained elevated privileges and can perform malicious actions with administrative access. This can lead to significant impact, such as unauthorized access to sensitive data, unauthorized modifications to systems or configurations, and potential disruption of critical services. identifying this behavior is crucial for a Security Operations Center (SOC). Next steps include reviewing the details of the security event, including the user account that was created or added to the Administrators group. Also, examine the time span between the first and last occurrence of the event to determine if the behavior is ongoing. Additionally, consider any contextual information, such as the destination where the account was created or added to understand the scope and potential impact of the attack. 
 how_to_implement = You must be ingesting Windows event logs using the Splunk Windows TA and collecting event code 4720 and 4732
 annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.001", "T1136"], "nist": ["DE.CM"]}
 known_false_positives = The activity may be legitimate. For this reason, it's best to verify the account with an administrator and ask whether there was a valid service request for the account creation. If your local administrator group name is not "Administrators", this search may generate an excessive number of false positives
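Review bot: The new explanation gives the wrong description for EventCode 4732: 4732 is "A member was added to a security-enabled local group" (4728 is the global-group event), and since this rule is specifically about the local Administrators group the distinction matters for anyone using the text to validate the search. Change the parenthetical to `EventCode 4732 (A member was added to a security-enabled local group)`. Also, the text says the behavior is identified by 4720 OR 4732, which by itself would flag every account creation; if the search correlates both events for the same account (the "time span between the first and last occurrence" sentence suggests a per-user stats), state that correlation explicitly, and capitalize "identifying this behavior is crucial".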
@@ -4632,7 +4642,7 @@ providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response"
 type = detection
 asset_type = Endpoint
 confidence = medium
-explanation = This analytic detects a suspicious registry modification to disable Windows hotkey (shortcut keys) for native Windows applications. This technique is commonly used to disable certain or several Windows applications like `taskmgr.exe` and `cmd.exe`. This technique is used to impair the analyst in analyzing and removing the attacker implant in compromised systems.
+explanation = The following analytic detects a suspicious registry modification to disable Windows hotkey (shortcut keys) for native Windows applications. This technique is commonly used to disable certain or several Windows applications like `taskmgr.exe` and `cmd.exe`. This technique is used to impair the analyst in analyzing and removing the attacker implant in compromised systems.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
 annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562", "T1112"], "nist": ["DE.CM"]}
 known_false_positives = unknown
@@ -4937,7 +4947,7 @@ providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response" type = detection asset_type = Endpoint confidence = medium -explanation = The following analytic detects the behavior of dumping credentials from memory, a tactic commonly used by adversaries. Specifically, it targets the exploitation of the Local Security Authority Subsystem Service (LSASS) in Windows, which manages system-level authentication. Threat actors can use the comsvcs.dll to exploit this process and obtain valuable credentials. The analytic identifies instances where the rundll32 process is used in conjunction with the comsvcs.dll and MiniDump, indicating potential LSASS dumping attempts. This tactic is often part of more extensive attack campaigns and is associated with numerous threat groups. Identifying this behavior is crucial for security operations center (SOC) analysts, as credential theft can lead to broader system compromise, persistence, lateral movement, and escalated privileges. It is important to note that no legitimate use of this technique has been identified so far. The impact of the attack, if a true positive is found, can be severe. Attackers can use the stolen credentials to access sensitive information or systems, leading to data theft, ransomware attacks, or other damaging outcomes. To implement this analytic, ensure that logs with process information are ingested from your endpoints. However, be aware of potential false positives, as legitimate uses of the LSASS process may cause benign activities to be flagged. Upon triage, review the processes involved in the LSASS dumping attempt, capture and inspect any relevant on-disk artifacts, and look for concurrent processes to identify the attack source. By identifying and mitigating LSASS exploitation attempts early on, SOC analysts can better protect their organization's assets and prevent potential breaches. 
+explanation = The following analytic detects the behavior of dumping credentials from memory, a tactic commonly used by adversaries to exploit the Local Security Authority Subsystem Service (LSASS) in Windows, which manages system-level authentication. The detection is made by monitoring logs with process information from endpoints and identifying instances where the rundll32 process is used in conjunction with the comsvcs.dll and MiniDump. This indicates potential LSASS dumping attempts used by threat actors to obtain valuable credentials. The detection is important because credential theft can lead to broader system compromise, persistence, lateral movement, and escalated privileges. No legitimate use of this technique has been identified yet. This behavior is often part of more extensive attack campaigns and is associated with numerous threat groups that use the stolen credentials to access sensitive information or systems, leading to data theft, ransomware attacks, or other damaging outcomes. False positives can occur since legitimate uses of the LSASS process can cause benign activities to be flagged. Next steps include reviewing the processes involved in the LSASS dumping attempt after triage and inspecting any relevant on-disk artifacts and concurrent processes to identify the attack source. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]} known_false_positives = None identified. 
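Review bot: The new explanation contradicts itself and the stanza's `known_false_positives = None identified.`: it states "No legitimate use of this technique has been identified yet" and two sentences later "False positives can occur since legitimate uses of the LSASS process can cause benign activities to be flagged". Legitimate access to lsass is irrelevant here because the match is on `rundll32` loading `comsvcs.dll` with `MiniDump`, so suggest dropping the false-positive sentence or replacing it with `False positives are not expected; the rundll32 comsvcs.dll MiniDump pattern has no identified legitimate use, so any match should be treated as a true positive until proven otherwise.` The "Next steps" sentence also reads "after triage" where "during triage" is meant.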
@@ -5256,7 +5266,7 @@ providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response" type = detection asset_type = Endpoint confidence = medium -explanation = The search looks for file writes with extensions consistent with a SamSam ransomware attack. +explanation = The following analytic detects file writes with extensions that are consistent with a SamSam ransomware attack to proactively detect and respond to potential SamSam ransomware attacks, minimizing the impact and reducing the likelihood of successful ransomware infections. This detection is made by a Splunk query to search for specific file extensions that are commonly associated with SamSam ransomware, such as .stubbin, .berkshire, .satoshi, .sophos, and .keyxml. This identifies file extensions in the file names of the written files. If any file write events with these extensions are found, it suggests a potential SamSam ransomware attack. This detection is important because SamSam ransomware is a highly destructive and financially motivated attack and suggests that the organization is at risk of having its files encrypted and held for ransom, which can lead to significant financial losses, operational disruptions, and reputational damage. False positives might occur since legitimate files with these extensions can exist in the environment. Therefore, next steps include conducting a careful analysis and triage to confirm the presence of a SamSam ransomware attack. Next steps include taking immediate action to contain the attack, mitigate the impact, and prevent further spread of the ransomware. This might involve isolating affected systems, restoring encrypted files from backups, and conducting a thorough investigation to identify the attack source and prevent future incidents. how_to_implement = You must be ingesting data that records file-system activity from your hosts to populate the Endpoint file-system data-model node. 
If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data. annotations = {"cis20": ["CIS 10"], "nist": ["DE.CM"]} known_false_positives = Because these extensions are not typically used in normal operations, you should investigate all results. 
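Review bot: The new explanation says "False positives might occur since legitimate files with these extensions can exist in the environment", which is the opposite of the stanza's `known_false_positives` ("these extensions are not typically used in normal operations, you should investigate all results"); the two fields should agree, and the known_false_positives statement is the more defensible one for extensions such as .stubbin or .berkshire. The explanation also starts two consecutive sentences with "Next steps include"; merge them, e.g. `Next steps include confirming the write is not a renamed benign file, then isolating the affected host, identifying the process and user performing the writes, and restoring from backups once the source is contained.` The opening clause "to proactively detect and respond to potential SamSam ransomware attacks, minimizing the impact..." is circular and can be cut.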
@@ -5266,7 +5276,7 @@ providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response"
 type = detection
 asset_type = Endpoint
 confidence = medium
-explanation = This analytic detects a potential suspicious modification of firewall rule allowing to execute specific application. This technique was identified when an adversary and red teams to bypassed firewall file execution restriction in a targetted host. Take note that this event or command can run by administrator during testing or allowing legitimate tool or application.
+explanation = The following analytic detects a potential suspicious modification of firewall rule allowing to execute specific application. This technique was identified when an adversary and red teams to bypassed firewall file execution restriction in a targetted host. Take note that this event or command can run by administrator during testing or allowing legitimate tool or application.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
 annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.004", "T1562"], "nist": ["DE.AE"]}
 known_false_positives = A network operator or systems administrator may utilize an automated or manual execution of this firewall rule that may generate false positives. Filter as needed.
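Review bot: The rewritten explanation line keeps a sentence that does not parse: "This technique was identified when an adversary and red teams to bypassed firewall file execution restriction in a targetted host." Since the commit already touches this line, suggest `This technique has been observed when adversaries and red teams add a Windows Firewall rule allowing a specific executable, bypassing execution restrictions enforced by the firewall on the targeted host.` followed by `Note that administrators may run the same command legitimately when testing or allowing an approved tool.` The rule is mapped to T1562.004, so naming the command the search actually matches (presumably a firewall rule addition via netsh or PowerShell) would make the explanation concrete.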
@@ -6189,7 +6199,7 @@ providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response" type = detection asset_type = Endpoint confidence = medium -explanation = The following analytic identifies base64 being decoded and passed to a Linux shell. +explanation = The following analytic detects the behavior of decoding base64-encoded data and passing it to a Linux shell. Additionally, it mitigates the potential damage and protects the organization's systems and data.The detection is made by searching for specific commands in the Splunk query, namely "base64 -d" and "base64 --decode", within the Endpoint.Processes data model. The analytic also includes a filter for Linux shells. The detection is important because it indicates the presence of malicious activity since Base64 encoding is commonly used to obfuscate malicious commands or payloads, and decoding it can be a step in running those commands. It suggests that an attacker is attempting to run malicious commands on a Linux system to gain unauthorized access, for data exfiltration, or perform other malicious actions. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1027", "T1059.004"], "nist": ["DE.CM"]} known_false_positives = False positives may be present based on legitimate software being utilized. Filter as needed. 
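Review bot: The sentence "Additionally, it mitigates the potential damage and protects the organization's systems and data." in the new explanation is not true of a detection and should be removed; the analytic only surfaces events. The explanation should also be precise about coverage: only `base64 -d` and `base64 --decode` are matched, so decoding through other tools (python, perl, openssl) is out of scope, e.g. `Only the coreutils base64 decode switches are matched; other decoders are not covered by this search.` Finally, "The analytic also includes a filter for Linux shells" is vague; if the search constrains the process or parent process to a shell name, say which, and if the filter is meant to exclude known-good software, point at the filter macro referenced in known_false_positives.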
@@ -6634,7 +6644,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic is to look for suspicious process command-line that might be accessing or modifying sshd_config. This file is the ssh configuration file that might be modify by threat actors or adversaries to redirect port connection, allow user using authorized key generated during attack. This anomaly detection might catch noise from administrator auditing or modifying ssh configuration file. In this scenario filter is needed
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1098.004", "T1098"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098.004", "T1098"], "nist": ["DE.AE"]}
 known_false_positives = Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -6710,7 +6720,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic is to look for possible ssh key file creation on ~/.ssh/ folder. This technique is commonly abused by threat actors and adversaries to gain persistence and privilege escalation to the targeted host. by creating ssh private and public key and passing the public key to the attacker server. threat actor can access remotely the machine using openssh daemon service.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.
-annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1098.004", "T1098"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098.004", "T1098"], "nist": ["DE.AE"]}
 known_false_positives = Administrator or network operator can create file in ~/.ssh folders for automation purposes. Please update the filter macros to remove false positives.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -6843,7 +6853,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies based on process execution the modification of SSH Authorized Keys. Adversaries perform this behavior to persist on endpoints. During triage, review parallel processes and capture any additional file modifications for review.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1098.004"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098.004"], "nist": ["DE.AE"]}
 known_false_positives = Filtering will be required as system administrators will add and remove. One way to filter query is to add "echo".
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -7795,7 +7805,7 @@ providing_technologies = ["Microsoft Windows"]
 type = detection
 asset_type = Endpoint
 confidence = medium
-explanation = This analytic detects the usage of the Invoke-WMIExec utility within PowerShell Script Block Logging (EventCode 4104). The utility is used for executing WMI commands on targets using NTLMv2 pass-the-hash authentication.
+explanation = The following analytic detects the usage of the Invoke-WMIExec utility within PowerShell Script Block Logging (EventCode 4104). The utility is used for executing WMI commands on targets using NTLMv2 pass-the-hash authentication.
 how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
 annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]}
 known_false_positives = False positives should be limited as this analytic is designed to detect a specific utility. It is recommended to apply appropriate filters as needed to minimize the number of false positives.
@@ -8154,7 +8164,7 @@ providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response"
 type = detection
 asset_type = Endpoint
 confidence = medium
-explanation = This search detects registry key license at host where Remcos RAT agent is installed.
+explanation = The following analytic detects the presence of a registry key related to the Remcos RAT agent on a host. This detection is made by a Splunk query to search for instances where the registry key "license" is found in the "Software\Remcos" path. This analytic combines information from two data models: Endpoint.Processes and Endpoint.Registry and retrieves process information such as user, process ID, process name, process path, destination, parent process name, parent process, and process GUID. This analytic also retrieves registry information such as registry path, registry key name, registry value name, registry value data, and process GUID. By joining the process GUID from the Endpoint.Processes data model with the process GUID from the Endpoint.Registry data model, the analytic identifies instances where the "license" registry key is found in the "Software\Remcos" path. This detection is important because it suggests that the host has been compromised by the Remcos RAT agent. Remcos is a well-known remote access Trojan that can be used by attackers to gain unauthorized access to systems and exfiltrate sensitive data. Identifying this behavior allows the SOC to take immediate action to remove the RAT agent and prevent further compromise. The impact of this attack can be severe, as the attacker can gain unauthorized access to the system, steal sensitive information, or use the compromised system as a launching point for further attacks. Next steps include using this analytic in conjunction with other security measures and threat intelligence to ensure accurate detection and response.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
 annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]}
 known_false_positives = unknown
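Review bot: The rewritten explanation says the search joins Endpoint.Processes with Endpoint.Registry on process GUID, but how_to_implement on the following line still only asks for logs mapped to the `Processes` node, so a reader who follows it will have an empty Registry node and the join can never match. I would extend that sentence to `The logs must also be mapped to the \`Processes\` and \`Registry\` nodes of the \`Endpoint\` data model, including registry path, key name and value data.` The new text also asserts the host "has been compromised" and that the SOC can "remove the RAT agent", which is stronger than a single registry-key match supports while known_false_positives is still `unknown`; "is likely to have been compromised" and "investigate" are the defensible verbs. The "license" key in "Software\Remcos" is described twice in the same paragraph; once is enough.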
@@ -8581,7 +8591,7 @@ providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response"
 type = detection
 asset_type = Endpoint
 confidence = medium
-explanation = This analytic detects instances of 'schtasks.exe' being used to start a Scheduled Task on a remote endpoint. Adversaries often abuse the Task Scheduler for lateral movement and remote code execution. The search parameters include process details such as the process name, parent process, and command-line executions. Although legitimate administrators may start scheduled tasks on remote systems, this activity is usually limited to a small set of hosts or users. The findings from this analytic provide valuable insight into potentially malicious activities on an endpoint.
+explanation = The following analytic detects instances of 'schtasks.exe' being used to start a Scheduled Task on a remote endpoint. Adversaries often abuse the Task Scheduler for lateral movement and remote code execution. The search parameters include process details such as the process name, parent process, and command-line executions. Although legitimate administrators may start scheduled tasks on remote systems, this activity is usually limited to a small set of hosts or users. The findings from this analytic provide valuable insight into potentially malicious activities on an endpoint.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
 annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053", "T1053.005"], "nist": ["DE.CM"]}
 known_false_positives = Administrators may start scheduled tasks on remote systems, but this activity is usually limited to a small set of hosts or users.
@@ -8631,7 +8641,7 @@ providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response"
 type = detection
 asset_type = Endpoint
 confidence = medium
-explanation = The following analytic is designed to detect the potential misuse of Windows Management Instrumentation (WMI) for malicious purposes. WMI can be utilized by adversaries to execute scripts, a method often employed for maintaining stealth while carrying out malicious activities. The process 'scrcons.exe', integral to executing WMI scripts, is primarily monitored by this analytic. The underlying threat lies in the fact that successful execution of a malicious script can lead to numerous negative outcomes, including system compromise, data exfiltration, or the establishment of persistence. It's essential for cybersecurity analysts to remain vigilant towards unexpected or isolated script executions via WMI, as such instances often signal suspicious activities or potential security breaches. Although uncommon, administrators may occasionally use WMI to launch scripts for legitimate purposes. Therefore, discerning malicious activities from benign ones is crucial in this context.
+explanation = The following analytic detects any potential misuse of Windows Management Instrumentation (WMI) for malicious purposes since adversaries often use WMI to run scripts which allows them to carry out malicious activities without raising suspicion. The detection is made by monitoring the process 'scrcons.exe', which is essential to run WMI scripts. The detection is important because it proactively identifies and responds to potential threats that leverage WMI for malicious purposes that can lead to system compromise, data exfiltration, or the establishment of persistence within the environment. False positives might occur since administrators might occasionally use WMI to launch scripts for legitimate purposes. Therefore, you must distinguish between malicious and benign activities.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
 annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]}
 known_false_positives = Although unlikely, administrators may use wmi to launch scripts for legitimate purposes. Filter as needed.
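Review bot: The new explanation claims the detection "proactively identifies and responds to potential threats", but a stanza in this file only produces findings; nothing here responds, and the sentence replaces the one piece of triage guidance the old text had (that unexpected or isolated scrcons.exe executions are the signal). I would rewrite that sentence as `The detection monitors execution of 'scrcons.exe', the process used to run WMI scripts; unexpected or isolated executions are the signal worth triaging, since a malicious script can lead to system compromise, data exfiltration or persistence.` The closing "Therefore, you must distinguish between malicious and benign activities" restates known_false_positives and can be dropped.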
@@ -8671,7 +8681,7 @@ providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response"
 type = detection
 asset_type = Endpoint
 confidence = medium
-explanation = This analytic detects a potential usage of secretsdump.py tool for dumping credentials (ntlm hash) from a copy of ntds.dit and SAM.Security,SYSTEM registrry hive. This technique was seen in some attacker that dump ntlm hashes offline after having a copy of ntds.dit and SAM/SYSTEM/SECURITY registry hive.
+explanation = The following analytic detects a potential usage of secretsdump.py tool for dumping credentials (ntlm hash) from a copy of ntds.dit and SAM.Security,SYSTEM registrry hive. This technique was seen in some attacker that dump ntlm hashes offline after having a copy of ntds.dit and SAM/SYSTEM/SECURITY registry hive.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
 annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"]}
 known_false_positives = unknown
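Review bot: The added explanation line carries over the typo "registrry" and the inconsistent hive list "SAM.Security,SYSTEM" next to "SAM/SYSTEM/SECURITY" two sentences later; since this line is being rewritten anyway, fix both. Proposed: `The following analytic detects potential usage of the secretsdump.py tool to dump credentials (NTLM hashes) from a copy of ntds.dit and the SAM, SECURITY and SYSTEM registry hives. Attackers have been observed dumping NTLM hashes offline after obtaining copies of these files.` known_false_positives is still `unknown` while the annotation maps T1003.003; a sentence noting that legitimate offline forensic use of impacket tooling would also match would help triage.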
@@ -8775,7 +8785,7 @@ providing_technologies = ["Microsoft Windows"]
 type = detection
 asset_type = Windows
 confidence = medium
-explanation = This search detects accounts that were created and deleted in a short time period.
+explanation = The following analytic detects the creation and deletion of accounts in a short time period to identify potential threats earlier and take appropriate actions to mitigate the risks. Helps prevent or minimize the potential damage caused by unauthorized access or malicious activities within the environment. This detection is made by a Splunk query that searches for events with the result IDs 4720 and 4726 in the "Change" data model. The query then groups the results by time, user, and destination. The result is filtered to only include events with the specified result IDs. The "transaction" command is used to group events that occur within a specified time span and have the same user but are not connected. Finally, the relevant information such as the first and last time of the event, the count, user, destination, and result ID are displayed in a table. This detection is important because it suggests that an attacker is attempting to create and delete accounts rapidly, potentially to cover their tracks or gain unauthorized access. The impact of such an attack can include unauthorized access to sensitive data, privilege escalation, or the ability to carry out further malicious activities within the environment. Next steps include investigating the events flagged by the analytic, review the account creation and deletion activities, and analyze any associated logs or artifacts to determine the intent and impact of the attack.
 how_to_implement = This search requires you to have enabled your Group Management Audit Logs in your Local Windows Security Policy and be ingesting those logs. More information on how to enable them can be found here: http://whatevernetworks.com/auditing-group-membership-changes-in-active-directory/
 annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.001", "T1136"], "nist": ["DE.CM"]}
 known_false_positives = It is possible that an administrator created and deleted an account in a short time period. Verifying activity with an administrator is advised.
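Review bot: The new explanation now names result IDs 4720 and 4726 (user account created / deleted), which are user-account-management events, yet how_to_implement still tells the reader to enable "Group Management Audit Logs" and links a third-party page about group membership changes; following it will not yield 4720/4726. The DSRM password-reset stanza later in this same patch phrases the right setting as `Audit User Account Management` within `Account Management`, so I would align this line with it: `Ensure you are ingesting EventCodes 4720 and 4726 from your Windows hosts; the Advanced Security Audit policy \`Audit User Account Management\` within \`Account Management\` must be enabled.` Two wording defects in the new text: "Helps prevent or minimize ..." is a fragment with no subject, and "have the same user but are not connected" does not describe what the transaction does — the events are grouped precisely because they share the user within the time span.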
@@ -8795,7 +8805,7 @@ providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response"
 type = detection
 asset_type = Endpoint
 confidence = medium
-explanation = This search looks for process names that consist only of a single letter.
+explanation = The following analytic detects a behavior where a process name consists only of a single letter that helps to detect potential threats earlier and mitigate the risks. This detection is important because it indicates the presence of malware or an attacker attempting to evade detection by using a process name that is difficult to identify or track so that he can carry out malicious activities such as data theft or ransomware attacks. False positives might occur since there might be legitimate uses of single-letter process names in your environment. Next steps include reviewing the process details and investigating any suspicious activity upon triage.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
 annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204", "T1204.002"], "nist": ["DE.CM"]}
 known_false_positives = Single-letter executables are not always malicious. Investigate this activity with your normal incident-response process.
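Review bot: The new explanation states that a single-letter process name "indicates the presence of malware or an attacker", which contradicts known_false_positives in the same stanza ("Single-letter executables are not always malicious") and the explanation's own later sentence admitting legitimate uses. `may indicate` is the accurate verb; "so that he can carry out malicious activities" should read "so that they can", or be dropped. The clause "that helps to detect potential threats earlier and mitigate the risks" is filler attached to the wrong noun and can be removed.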
@@ -9130,7 +9140,7 @@ providing_technologies = null
 type = detection
 asset_type = Endpoint
 confidence = medium
-explanation = This analytic detects a suspicious process making a DNS query via known, abused text-paste web services, VoIP, instant messaging, and digital distribution platforms used to download external files. This technique is abused by adversaries, malware actors, and red teams to download a malicious file on the target host. This is a good TTP indicator for possible initial access techniques. A user will experience false positives if the following instant messaging is allowed or common applications like telegram or discord are allowed in the corporate network.
+explanation = The following analytic detects a suspicious process making a DNS query via known, abused text-paste web services, VoIP, instant messaging, and digital distribution platforms used to download external files. This technique is abused by adversaries, malware actors, and red teams to download a malicious file on the target host. This is a good TTP indicator for possible initial access techniques. A user will experience false positives if the following instant messaging is allowed or common applications like telegram or discord are allowed in the corporate network.
 how_to_implement = This detection relies on sysmon logs with the Event ID 22, DNS Query. We suggest you run this detection at least once a day over the last 14 days.
 annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.005", "T1059"], "nist": ["DE.CM"]}
 known_false_positives = Noise and false positive can be seen if the following instant messaging is allowed to use within corporate network. In this case, a filter is needed.
@@ -9291,7 +9301,7 @@ providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response"
 type = detection
 asset_type = Windows
 confidence = medium
-explanation = This search detects writes to the recycle bin by a process other than explorer.exe.
+explanation = The following analytic detects when a process other than explorer.exe writes to the Windows Recycle Bin to detect potential threats earlier and mitigate the risks. This detection is made by a Splunk query that utilizes the Endpoint.Filesystem data model and the Endpoint.Processes data model. The query looks for any process writing to the "*$Recycle.Bin*" file path, excluding explorer.exe. This detection is important because it suggests that an attacker is attempting to hide their activities by using the Recycle Bin, which can lead to data theft, ransomware, or other damaging outcomes. Detecting writes to the Recycle Bin by a process other than explorer.exe can help to investigate and determine if the activity is malicious or benign. False positives might occur since there might be legitimate uses of the Recycle Bin by processes other than explorer.exe. Next steps include reviewing the process writing to the Recycle Bin and any relevant on-disk artifacts upon triage.
 how_to_implement = To successfully implement this search you need to be ingesting information on filesystem and process logs responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` nodes.
 annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036"], "nist": ["DE.CM"]}
 known_false_positives = Because the Recycle Bin is a hidden folder in modern versions of Windows, it would be unusual for a process other than explorer.exe to write to it. Incidents should be investigated as appropriate.
@@ -9478,7 +9488,7 @@ providing_technologies = ["Microsoft Windows"]
 type = detection
 asset_type = Endpoint
 confidence = medium
-explanation = Command lines that are extremely long may be indicative of malicious activity on your hosts.
+explanation = The following analytic detects command lines that are extremely long, which might be indicative of malicious activity on your hosts because attackers often use obfuscated or complex command lines to hide their actions and evade detection. This helps to mitigate the risks associated with long command lines to enhance your overall security posture and reduce the impact of attacks. This detection is important because it suggests that an attacker might be attempting to execute a malicious command or payload on the host, which can lead to various damaging outcomes such as data theft, ransomware, or further compromise of the system. False positives might occur since legitimate processes or commands can sometimes result in long command lines. Next steps include conducting extensive triage and investigation to differentiate between legitimate and malicious activities. Review the source of the command line and the command itself during the triage. Additionally, capture and inspect any relevant on-disk artifacts and review concurrent processes to identify the source of the attack.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
 annotations = {"cis20": ["CIS 10"], "nist": ["DE.AE"]}
 known_false_positives = Some legitimate applications start with long command lines.
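Review bot: The rewritten explanation now frames long command lines as obfuscation used to "hide their actions and evade detection", but the annotations line below still carries neither a mitre_attack technique nor kill_chain_phases, unlike every other stanza in this patch, so the risk-based alerting layer cannot use the claim the text makes. Either add the matching technique (T1027 would be the natural candidate, to be confirmed against the actual search) or keep the explanation to what is annotated — an anomaly indicator for unusually long command lines. The sentence "This helps to mitigate the risks associated with long command lines to enhance your overall security posture and reduce the impact of attacks" says nothing about the detection and can be removed. how_to_implement also still asks for `Processes`-node data only, which is sufficient here, so no change needed there.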
@@ -9618,7 +9628,7 @@ providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response"
 type = detection
 asset_type = Endpoint
 confidence = medium
-explanation = This analytic detects a suspicious process making a DNS query via known, abused text-paste web services, VoIP, internet via secure tunneling,instant messaging, and digital distribution platforms used to download external files. This technique is abused by adversaries, malware actors, and red teams to download a malicious file on the target host. This is a good TTP indicator for possible initial access techniques. A user will experience false positives if the following instant messaging is allowed or common applications like telegram or discord are allowed in the corporate network.
+explanation = The following analytic detects a suspicious process making a DNS query via known, abused text-paste web services, VoIP, internet via secure tunneling,instant messaging, and digital distribution platforms used to download external files. This technique is abused by adversaries, malware actors, and red teams to download a malicious file on the target host. This is a good TTP indicator for possible initial access techniques. A user will experience false positives if the following instant messaging is allowed or common applications like telegram or discord are allowed in the corporate network.
 how_to_implement = This detection relies on sysmon logs with the Event ID 22, DNS Query. We suggest you run this detection at least once a day over the last 14 days.
 annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command And Control"], "mitre_attack": ["T1102"], "nist": ["DE.CM"]}
 known_false_positives = Noise and false positive can be seen if the following instant messaging is allowed to use within corporate network. In this case, a filter is needed.
@@ -9688,7 +9698,7 @@ providing_technologies = ["Microsoft Windows"]
 type = detection
 asset_type = Endpoint
 confidence = medium
-explanation = This analytic looks for audit policies being disabled on a domain controller.
+explanation = The following analytic detects the disabling of audit policies on a domain controller. The detection is made by identifying changes made to audit policies and checks for the removal of success or failure auditing, which are common indicators of policy tampering. The detection is important because it indicates that an attacker has gained access to the domain controller and is attempting to evade detection and cover up malicious activity. The impact of such an attack can be severe, including data theft, privilege escalation, and compromise of the entire network. False positives might occur since legitimate changes to audit policies might also trigger the analytic. Upon triage, review the audit policy change event and investigate the source of the change. Additionally, you must capture and inspect any relevant on-disk artifacts and review concurrent processes to identify the attack source."
 how_to_implement = Ensure you are ingesting EventCode `4719` from your domain controllers, the category domain_controller exists in assets and identities, and that assets and identities is enabled. If A&I is not configured, you will need to manually filter the results within the base search.
 annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001"], "nist": ["DE.CM"]}
 known_false_positives = Unknown
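Review bot: The new explanation value ends with a stray double quote (`... to identify the attack source."`); in a .conf value that character is part of the text and will be shown in the analytic story, so drop the trailing `"`. The text also asserts the event "indicates that an attacker has gained access to the domain controller" while known_false_positives in the same stanza is still `Unknown` and the explanation itself concedes legitimate policy changes trigger it; `may indicate` is the defensible wording. The claim that the detection "checks for the removal of success or failure auditing" is more specific than how_to_implement (EventCode 4719 plus the domain_controller asset category) supports — either describe the actual filter the search applies or remove the claim.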
@@ -9708,7 +9718,7 @@ providing_technologies = ["Microsoft Windows"]
 type = detection
 asset_type = Endpoint
 confidence = medium
-explanation = This analytic detects the addition of the permissions necessary to perform a DCSync attack. In order to replicate AD objects, the initiating user or computer must have the following permissions on the domain. - DS-Replication-Get-Changes - DS-Replication-Get-Changes-All Certain Sync operations may require the additional permission of DS-Replication-Get-Changes-In-Filtered-Set. By default, adding DCSync permissions via the Powerview Add-ObjectACL operation adds all 3. This alert identifies where this trifecta has been met, and also where just the base level requirements have been met.
+explanation = The following analytic detects the addition of the permissions necessary to perform a DCSync attack. In order to replicate AD objects, the initiating user or computer must have the following permissions on the domain. - DS-Replication-Get-Changes - DS-Replication-Get-Changes-All Certain Sync operations may require the additional permission of DS-Replication-Get-Changes-In-Filtered-Set. By default, adding DCSync permissions via the Powerview Add-ObjectACL operation adds all 3. This alert identifies where this trifecta has been met, and also where just the base level requirements have been met.
 how_to_implement = To successfully implement this search, you need to be ingesting the eventcode 5136. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled, alongside a SACL for `everybody` to `Write All Properties` applied to the domain root and all descendant objects. Once the necessary logging has been enabled, enumerate the domain policy to verify if existing accounts with access need to be whitelisted, or revoked. Assets and Identities is also leveraged to automatically translate the objectSid into username. Ensure your identities lookup is configured with the sAMAccountName and objectSid of all AD user and computer objects.
 annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1484"], "nist": ["DE.CM"]}
 known_false_positives = When there is a change to nTSecurityDescriptor, Windows logs the entire ACL with the newly added components. If existing accounts are present with this permission, they will raise an alert each time the nTSecurityDescriptor is updated unless whitelisted.
@@ -9720,7 +9730,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = Aside from being used to promote genuine domain controllers, the DSRM (Directory Services Restore Mode) account can be used to persist within a Domain. A DC can be configured to allow the DSRM account to logon & be used in the same way as a local administrator account. This detection is looking for alterations to the behaviour of the account via registry.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
 known_false_positives = Disaster recovery events.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -9730,7 +9740,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = Aside from being used to promote genuine domain controllers, the DSRM (Directory Services Restore Mode) account can be used to persist within a Domain. A DC can be configured to allow the DSRM account to logon & be used in the same way as a local administrator account. This detection is looking for any password reset attempts against that account.
 how_to_implement = To successfully implement this search, you need to be ingesting eventcode `4794` and have the Advanced Security Audit policy `Audit User Account Management` within `Account Management` enabled.
-annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
 known_false_positives = Resetting the DSRM password for legitamate reasons, i.e. forgot the password. Disaster recovery. Deploying AD backdoor deliberately.
 providing_technologies = null
@@ -9790,7 +9800,7 @@ asset_type = endpoint
 confidence = medium
 explanation = The following analytic identifies the addition of a Service Principal Name to a domain account. While this event may be part of a legitimate action part of certain administrative operations, it may also be evidence of a persistence attack. Domain accounts with Servce Principal Names are vulnerable to a technique called Kerberoasting that enables attackers to potentially obtain the cleartext password of the account by performing offline cracking. An adversary who has obtained privileged access to a domain environment may add an SPN to a privileged account to then leverage the Kerberoasting technique and attempt to obtain its clertext password.
 how_to_implement = To successfully implement this search, you ned to be ingesting eventcode `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled. Additionally, a SACL needs to be created for AD objects in order to ingest attribute modifications.
-annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
 known_false_positives = A Service Principal Name should only be added to an account when an application requires it. While infrequent, this detection may trigger on legitimate actions. Filter as needed.
 providing_technologies = ["Microsoft Windows"]
@@ -9800,7 +9810,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies the addition of a Service Principal Name to a domain account that is quickly deleted within 5 minutes or less. While this event may be part of a legitimate action part of certain administrative operations, it may also be evidence of a persistence attack. Domain accounts with Service Principal Names are vulnerable to a technique called Kerberoasting that enables attackers to potentially obtain the cleartext password of the account by performing offline cracking. An adversary who has obtained privileged access to a domain environment may add an SPN to a privileged account to then leverage the Kerberoasting technique and attempt to obtain its clertext password. To clean things up, the adversary may delete the SPN which will trigger this detection.
 how_to_implement = To successfully implement this search, you ned to be ingesting eventcode `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled. Additionally, a SACL needs to be created for AD objects in order to ingest attribute modifications.
-annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
 known_false_positives = A Service Principal Name should only be added to an account when an application requires it. Adding an SPN and quickly deleting it is less common but may be part of legitimate action. Filter as needed.
 providing_technologies = ["Microsoft Windows"]
@@ -9851,7 +9861,7 @@ confidence = medium
 explanation = This analytic is developed to identify suspicious file creation in the root drive (C:\). This tactic was observed in NjRAT as a means to ascertain whether its malware instance running on the compromised host possesses administrative privileges. The methodology involves an attempt to create a 'win.dat' file in the C:\ directory. If this file is successfully created, it serves as an indicator that the process indeed holds administrative privileges. This anomaly detection mechanism serves as a valuable pivot point for detecting NjRAT and other malware strains employing similar techniques to assess the privileges of their running malware instances, without using token privilege API calls or PowerShell commandlets.
 how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.
 annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069.001"], "nist": ["DE.AE"]}
-known_false_positives = administrator is capable of dropping files in root C drive.
+known_false_positives = False positives may occur if there are legitimate accounts with the privilege to drop files in the root of the C drive. It's recommended to verify the legitimacy of such actions and the accounts involved.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
 [savedsearch://ESCU - Windows Administrative Shares Accessed On Multiple Hosts - Rule]
@@ -10038,7 +10048,7 @@ providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response"
 type = detection
 asset_type = Endpoint
 confidence = medium
-explanation = The following analytic identifies DCRat "forkbomb" payload feature. This technique was seen in dark crystal RAT backdoor capabilities where it will execute several cmd child process executing "notepad.exe & pause". This analytic detects the multiple cmd.exe and child process notepad.exe execution using batch script in the targeted host within 30s timeframe. this TTP can be a good pivot to check DCRat infection.
+explanation = The following analytic identifies DCRat "forkbomb" payload feature. This technique was seen in dark crystal RAT backdoor capabilities where it will execute several cmd child process executing "notepad.exe & pause". The following analytic detects the multiple cmd.exe and child process notepad.exe execution using batch script in the targeted host within 30s timeframe. this TTP can be a good pivot to check DCRat infection.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
 annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.003", "T1059"], "nist": ["DE.CM"]}
 known_false_positives = unknown
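Review bot: The rewritten explanation keeps a lowercase sentence start, "this TTP can be a good pivot to check DCRat infection." — suggest `This TTP can be a good pivot to check for DCRat infection.` The phrase "several cmd child process executing" should read "several cmd child processes executing". The only substantive change in this line is "This analytic" to "The following analytic", so the remaining grammar is worth fixing in the same pass.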
@@ -10456,10 +10466,20 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic leverages Event ID 4732 to identify the addition of a new member to the DnsAdmins group within Active Directory. . Members of the DnsAdmin group can manage the DNS service which most of the times runs on the Domain Controller. By abusing legitimate DNS management functionality, a member of the DnsAdmins group can escalate privileges by executing malicious code on a Domain Controller as SYSTEM. Security teams should monitor the modification of the DnsAdmins group and validate the changes are legitimate.
 how_to_implement = To successfully implement this search, Domain Controller events need to be ingested. The Advanced Security Audit policy setting `Audit Security Group Management` within `Account Management` needs to be enabled.
-annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
 known_false_positives = New members can be added to the DnsAdmins group as part of legitimate administrative tasks. Filter as needed.
 providing_technologies = ["Microsoft Windows"]
 
+[savedsearch://ESCU - Windows Domain Admin Impersonation Indicator - Rule]
+type = detection
+asset_type = Endpoint
+confidence = medium
+explanation = The following analytic identifies potential Kerberos ticket forging attacks, specifically the Diamond Ticket attack. This is detected when a user logs into a host and the GroupMembership field in event 4627 indicates a privileged group (e.g., Domain Admins), but the user does not actually belong to that group in the directory service. The detection leverages Windows Security Event Log 4627, which logs account logon events. The analytic cross-references the GroupMembership field from the event against a pre-populated lookup of actual group memberships.
Its crucial to note that the accuracy and effectiveness of this detection heavily rely on the users diligence in populating and regularly updating this lookup table. Any discrepancies between the events GroupMembership and the lookup indicate potential ticket forging. Kerberos ticket forging, especially the Diamond Ticket attack, allows attackers to impersonate any user and potentially gain unauthorized access to resources. By forging a ticket that indicates membership in a privileged group, an attacker can bypass security controls and gain elevated privileges. Detecting such discrepancies in group memberships during logon events can be a strong indicator of this attack in progress, making it crucial for security teams to monitor and investigate. If validated as a true positive, this indicates that an attacker has successfully forged a Kerberos ticket and may have gained unauthorized access to critical resources, potentially with elevated privileges.
+how_to_implement = To successfully implement this search, you need to be ingesting Authentication events across all endpoints and ingest Event Id 4627. Specifically, the Audit Group Membership subcategory within the Logon Logooff category needs to be enabled. Its crucial to note that the accuracy and effectiveness of this detection heavily rely on the users diligence in populating and regularly updating this lookup table.
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558"], "nist": ["DE.CM"]}
+known_false_positives = False positives may trigger the detections certain scenarios like directory service delays or out of date lookups. Filter as needed.
+providing_technologies = ["Microsoft Windows"]
+
 [savedsearch://ESCU - Windows DotNet Binary in Non Standard Path - Rule]
 type = detection
 asset_type = Endpoint
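Review bot: The new `how_to_implement` line refers to "this lookup table" without ever naming it — the only description is the explanation's "pre-populated lookup of actual group memberships", so an implementer cannot tell which lookup to populate or with which fields. Name it in the line itself, e.g. `... needs to be enabled. This analytic depends on the <LOOKUP_NAME> lookup being populated with current privileged-group memberships (<FIELD_LIST>); keep it up to date.` with the placeholders filled from the search definition. The same line reads "Logon Logooff" and "Its crucial ... the users diligence", which should be "Logon/Logoff" and "It's crucial ... the user's diligence"; that sentence is also repeated verbatim in the explanation, so it only needs to live in one of the two. The explanation line itself starts on the previous physical line of this hunk.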
@@ -11472,7 +11492,7 @@ providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response"
 type = detection
 asset_type = Endpoint
 confidence = medium
-explanation = This analytic detects the creation of new ASPX files in the MOVEit Transfer application's "wwwroot" directory. This activity is indicative of the recent critical vulnerability found in MOVEit Transfer, where threat actors have been observed exploiting a zero-day vulnerability to install a malicious ASPX file (e.g., "human2.aspx") in the wwwroot directory. The injected file could then be used to exfiltrate sensitive data, including user credentials and file metadata. The vulnerability affects the MOVEit Transfer managed file transfer software developed by Progress, a subsidiary of US-based Progress Software Corporation. This analytic requires endpoint data reflecting process and filesystem activity. The identified process must be responsible for the creation of new ASPX or ASHX files in the specified directory.
+explanation = The following analytic detects the creation of new ASPX files in the MOVEit Transfer application's "wwwroot" directory. This activity is indicative of the recent critical vulnerability found in MOVEit Transfer, where threat actors have been observed exploiting a zero-day vulnerability to install a malicious ASPX file (e.g., "human2.aspx") in the wwwroot directory. The injected file could then be used to exfiltrate sensitive data, including user credentials and file metadata. The vulnerability affects the MOVEit Transfer managed file transfer software developed by Progress, a subsidiary of US-based Progress Software Corporation. This analytic requires endpoint data reflecting process and filesystem activity. The identified process must be responsible for the creation of new ASPX or ASHX files in the specified directory.
 how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` node.
 annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]}
 known_false_positives = The query is structured in a way that `action` (read, create) is not defined. Review the results of this query, filter, and tune as necessary. It may be necessary to generate this query specific to your endpoint product.
@@ -12218,6 +12238,16 @@ annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitr
 known_false_positives = Unknown, possible custom scripting.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
+[savedsearch://ESCU - Windows Registry SIP Provider Modification - Rule]
+type = detection
+asset_type = endpoint
+confidence = medium
+explanation = The following analytic detects modifications to the Windows Registry SIP Provider. It identifies this behavior by monitoring Sysmon Event ID 7, which logs registry modification events. The analytic specifically looks for changes in registry paths and values associated with Cryptography Providers and OID Encoding Types. This behavior is worth identifying as it may indicate an attempt to subvert trust controls, a technique often used by adversaries to bypass security measures and maintain persistence in an environment. If a true positive is found, it suggests an attacker is trying to manipulate the system's cryptographic functions, potentially leading to unauthorized access, data theft, or other damaging outcomes. Upon triage, review the registry paths and values modified, and look for concurrent processes to identify the attack source. Review the path of the SIP being added. This approach helps analysts detect potential threats earlier and mitigate the risks.
+how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1553.003"], "nist": ["DE.CM"]}
+known_false_positives = Be aware of potential false positives - legitimate applications may cause benign activities to be flagged.
+providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
+
 [savedsearch://ESCU - Windows Regsvr32 Renamed Binary - Rule]
 type = detection
 asset_type = Endpoint
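Review bot: The new explanation states that Sysmon Event ID 7 "logs registry modification events", but Event ID 7 is the image-load event; Sysmon's registry events are IDs 12 (key create/delete), 13 (value set) and 14 (rename). Since how_to_implement points at the `Registry` node of the `Endpoint` data model, the sentence should read `It identifies this behavior by monitoring Sysmon Event IDs 12, 13 and 14, which log registry modification events.` — confirm against the search definition before changing it. `asset_type = endpoint` is lowercase here while the surrounding stanzas use `Endpoint`; the two new SIP stanzas added later in this diff have the same inconsistency. The `known_false_positives` text is generic; naming the legitimate writers of these keys (installers of cryptographic providers, for example) would make tuning easier, if the search author can confirm them.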
@@ -12514,7 +12544,7 @@ providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response"
 type = detection
 asset_type = Endpoint
 confidence = medium
-explanation = This analytic is to look for suspicious modification or creation of registry to have service entry. This technique is abused by adversaries or threat actor to persist, gain privileges in the machine or even lateral movement. This technique can be executed using reg.exe application or using windows API like for example the CrashOveride malware. This detection is a good indicator that a process is trying to create a service entry using registry ImagePath.
+explanation = The following analytic detects when reg.exe modify registry keys that define Windows services and their configurations in Windows to detect potential threats earlier and mitigate the risks. This detection is made by a Splunk query that searches for specific keywords in the process name, parent process name, user, and process ID. This detection is important because it suggests that an attacker has modified the registry keys that define Windows services and their configurations, which can allow them to maintain access to the system and potentially move laterally within the network. It is a common technique used by attackers to gain persistence on a compromised system and its impact can lead to data theft, ransomware, or other damaging outcomes. False positives can occur since legitimate uses of reg.exe to modify registry keys for Windows services can also trigger this alert. Next steps include reviewing the process and user context of the reg.exe activity and identify any other concurrent processes that might be associated with the attack upon triage.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA.
https://splunkbase.splunk.com/app/5709
 annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.011"], "nist": ["DE.CM"]}
 known_false_positives = Third party tools may used this technique to create services but not so common.
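Review bot: The new explanation says the detection "searches for specific keywords in the process name, parent process name, user, and process ID", but the unchanged how_to_implement in this hunk requires registry value name, path and data, and the removed text identified the trigger as a service `ImagePath` written either by reg.exe or directly through the Windows API. The two lines now disagree on what the search reads, and the API path was dropped from the description without any indication that the search changed; confirm against the search and keep the ImagePath detail, e.g. `The following analytic detects the creation or modification of a service entry (ImagePath) under the registry Services key, whether written via reg.exe or directly through the Windows API.` "when reg.exe modify" should also be "when reg.exe modifies". The how_to_implement line continues onto the following physical line of this hunk.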
@@ -12570,6 +12600,26 @@ annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives
 known_false_positives = Network administrator may disable this services as part of its audit process within the network. Filter is needed.
 providing_technologies = null
 
+[savedsearch://ESCU - Windows SIP Provider Inventory - Rule]
+type = detection
+asset_type = endpoint
+confidence = medium
+explanation = The following inventory analytic is used with a PowerShell scripted inputs to capture all SIP providers on a Windows system. This analytic is used to identify potential malicious SIP providers that may be used to subvert trust controls. Upon review, look for new and non-standard paths for SIP providers.
+how_to_implement = To implement this analytic, one must first perform inventory using a scripted inputs. Review the following Gist - https://gist.github.com/MHaggis/75dd5db546c143ea67703d0e86cdbbd1
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1553.003"], "nist": ["DE.AE"]}
+known_false_positives = False positives are limited as this is a hunting query for inventory.
+providing_technologies = null
+
+[savedsearch://ESCU - Windows SIP WinVerifyTrust Failed Trust Validation - Rule]
+type = detection
+asset_type = endpoint
+confidence = medium
+explanation = The following analytic utilizes a Windows Event Log - CAPI2 - or CryptoAPI 2, to identify failed trust validation. Typically, this event log is meant for diagnosing PKI issues, however is a great source to identify failed trust validation. Note that this event log is noisy as it captures common PKI requests from many different processes. EventID 81 is generated anytime a trust validation fails. The description for EventID 81 is "The digital signature of the object did not verify." STRT tested this analytic using Mimikatz binary.
+how_to_implement = To implement this analytic, one will need to enable the Microsoft-Windows-CAPI2/Operational log within the Windows Event Log. Note this is a debug log for many purposes, and the analytic only focuses in on EventID 81. Review the following gist for additional enabling information.
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1553.003"], "nist": ["DE.AE"]}
+known_false_positives = False positives may be present in some instances of legitimate binaries with invalid signatures. Filter as needed.
+providing_technologies = null
+
 [savedsearch://ESCU - Windows Snake Malware File Modification Crmlog - Rule]
 type = detection
 asset_type = Endpoint
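Review bot: The new `how_to_implement` for the WinVerifyTrust stanza ends with "Review the following gist for additional enabling information." but no link follows; the SIP Provider Inventory stanza just above carries its gist URL inline, so this one was most likely dropped. Either add the URL (`Review the following gist for additional enabling information - <GIST_URL>`) or remove the sentence. In the Inventory stanza, "used with a PowerShell scripted inputs" and "perform inventory using a scripted inputs" should be "a PowerShell scripted input" and "using a scripted input". Both new stanzas use `asset_type = endpoint` where the rest of the file writes `Endpoint`.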
@@ -12710,6 +12760,16 @@ annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitr
 known_false_positives = False positives will be generated based on normal certificate store backups. Leave enabled to generate Risk, as this is meant to be an anomaly analytic. If CS backups are not normal, enable as TTP.
 providing_technologies = ["Microsoft Windows"]
 
+[savedsearch://ESCU - Windows Steal Authentication Certificates - ESC1 Abuse - Rule]
+type = detection
+asset_type = Endpoint
+confidence = medium
+explanation = The following analytic identifies when a new certificate is requested and/or granted against the Active Directory Certificate Services (AD CS) using a Subject Alternative Name (SAN). This action by its self is not malicious, however improperly configured certificate templates can be abused to permit privilege escalation and environment compromise due to over permissive settings (AD CS ESC1)
+how_to_implement = To implement this analytic, enhanced Audit Logging must be enabled on AD CS and within Group Policy Management for CS server. See Page 115 of first reference. Recommend throttle correlation by RequestId/ssl_serial at minimum.
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1649"], "nist": ["DE.CM"]}
+known_false_positives = False positives may be generated in environments where administrative users or processes are allowed to generate certificates with Subject Alternative Names. Sources or templates used in these processes may need to be tuned out for accurate function.
+providing_technologies = ["Microsoft Windows"]
+
 [savedsearch://ESCU - Windows Steal Authentication Certificates Export Certificate - Rule]
 type = detection
 asset_type = Endpoint
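Review bot: The new `how_to_implement` says "See Page 115 of first reference", but this conf file carries no reference list, so the pointer cannot be resolved by anyone reading the stanza; name the document in the line itself (`See page 115 of <REFERENCE_TITLE>.`). The explanation's last sentence has no terminating period and "by its self" should be "by itself". "enhanced Audit Logging" is vague — presumably this means the CA's audit filter in the Certification Authority properties together with the `Audit Certification Services` subcategory of Advanced Audit Policy; the other stanzas in this file name the exact subcategory, so this one should too once confirmed.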
@@ -13190,7 +13250,7 @@ providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response"
 type = detection
 asset_type = Endpoint
 confidence = medium
-explanation = The following analytic seeks to detect the creation of Windows Management Instrumentation (WMI) permanent event subscriptions, a technique often used by adversaries for persistence. Such a subscription allows for the execution of specified scripts or binaries in response to defined system events, potentially enabling malicious activities to persist unnoticed. The analytic uses Sysmon Event ID 5 data, specifically focusing on instances where consumers of these events are not the expected "NTEventLogEventConsumer." Although WMI event subscriptions can be used legitimately by administrators, unusual or unexpected subscription creation should be treated as suspicious. Analysts need to be cognizant of the potential for false positives in legitimate administrative activities and should understand WMI activity within the context of the monitored environment.
+explanation = The following analytic detects the creation of permanent event subscriptions using Windows Management Instrumentation (WMI), which is used by attackers to achieve persistence in a compromised system. By creating a permanent event subscription, an attacker can run malicious scripts or binaries in response to specific system events that enables them to maintain access to the system undetected. The detection is made by using Sysmon Event ID 5 data to detect instances where the consumers of these events are not the expected "NTEventLogEventConsumer." The detection is important because it identifies unusual or unexpected subscription creation, which suggests that an attacker is attempting to achieve persistence within the environment and might be executing malicious scripts or binaries in response to specific system events.
The impact of such an attack can be severe, potentially leading to data theft, ransomware, or other damaging outcomes. False positives might occur since False positives might occur since WMI event subscriptions can be used for legitimate purposes by system administrators. You must have a thorough understanding of WMI activity within the context of the monitored environment to effectively differentiate between legitimate and malicious activity.Next steps include investigating the associated scripts or binaries and identifying the source of the attack.
 how_to_implement = To successfully implement this search, you must be ingesting the Windows WMI activity logs. This can be done by adding a stanza to inputs.conf on the system generating logs with a title of [WinEventLog://Microsoft-Windows-WMI-Activity/Operational].
 annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]}
 known_false_positives = Although unlikely, administrators may use event subscriptions for legitimate purposes.
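Review bot: The new explanation contains a duplicated clause, "False positives might occur since False positives might occur since WMI event subscriptions ...", and a missing space in "malicious activity.Next steps"; fix to `False positives might occur since WMI event subscriptions can be used for legitimate purposes by system administrators.` and `... malicious activity. Next steps ...`. The line also carries over "Sysmon Event ID 5 data" from the old text, yet how_to_implement points at the Microsoft-Windows-WMI-Activity/Operational log, where permanent-subscription creation is EventCode 5861 (the next stanza in this file uses 5860 for temporary subscriptions); Sysmon Event ID 5 is process termination, so the source named here looks wrong and should be checked against the search. The explanation line starts on the previous physical line of this hunk.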
@@ -13225,7 +13285,7 @@ providing_technologies = ["Microsoft Windows"]
 type = detection
 asset_type = Endpoint
 confidence = medium
-explanation = This search looks for the creation of WMI temporary event subscriptions.
+explanation = The following analytic detects the creation of WMI temporary event subscriptions. WMI (Windows Management Instrumentation) is a management technology that allows administrators to perform various tasks on Windows-based systems. Temporary event subscriptions are created to monitor specific events or changes on a system that help to detect potential threats early and take proactive measures to protect the organization's systems and data. The detection is made by using the Splunk query `wmi` EventCode=5860 Temporary to search for events with EventCode 5860, which indicates the creation of a temporary WMI event subscription. To further refine the search results, the query uses regular expressions (rex) to extract the query used in the event subscription. Then, it filters known benign queries related to system processes such as 'wsmprovhost.exe' and 'AntiVirusProduct', 'FirewallProduct', 'AntiSpywareProduct', which helps to focus on potentially malicious or suspicious queries. The detection is important because it indicates malicious activity since attackers use WMI to run commands, gather information, or maintain persistence within a compromised system. False positives might occur since legitimate uses of WMI event subscriptions in the environment might trigger benign activities to be flagged. Therefore, an extensive triage is necessary to review the specific query and assess its intent. Additionally, capturing and inspecting relevant on-disk artifacts and analyzing concurrent processes can help to identify the source of the attack. Detecting the creation of these event subscriptions to identify potential threats early and take appropriate actions to mitigate the risks.
 how_to_implement = To successfully implement this search, you must be ingesting the Windows WMI activity logs. This can be done by adding a stanza to inputs.conf on the system generating logs with a title of [WinEventLog://Microsoft-Windows-WMI-Activity/Operational].
 annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]}
 known_false_positives = Some software may create WMI temporary event subscriptions for various purposes. The included search contains an exception for two of these that occur by default on Windows 10 systems. You may need to modify the search to create exceptions for other legitimate events.
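Review bot: The new explanation's final sentence is a fragment, "Detecting the creation of these event subscriptions to identify potential threats early and take appropriate actions to mitigate the risks.", and an earlier sentence attributes the threat-detection purpose to the temporary subscriptions themselves ("Temporary event subscriptions are created to monitor specific events or changes on a system that help to detect potential threats early ..."). Suggest `Temporary event subscriptions are created to monitor specific events or changes on a system.` for the latter and `Detecting the creation of these event subscriptions helps identify potential threats early and take appropriate action to mitigate the risks.` for the close. The inline SPL fragment (`wmi` EventCode=5860 Temporary) quotes only part of the search, so a reader may take it for the whole query; either describe the filter in words or make clear it is an excerpt.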
@@ -13508,7 +13568,7 @@ providing_technologies = null
 type = detection
 asset_type = Endpoint
 confidence = medium
-explanation = The following analytic is an experimental search designed to identify SIGRed exploitation attempts. SIGRed is a severe, wormable, remote code execution vulnerability in Windows DNS servers, identified as CVE-2020-1350. This analytic specifically looks for DNS SIG and KEY records, and TCP payloads larger than 65KB - potential indicators of the SIGRed exploit. It requires ingestion of both Splunk Stream DNS and TCP data. The search does rely on macro definitions for 'stream:dns' and 'stream:tcp', which should be replaced with appropriate configurations tailored to your Splunk environment.
+explanation = Ensure that the following prerequisites are met: (i) Both Splunk Stream DNS and TCP data are ingested. (ii) The macros 'stream:dns' and 'stream:tcp' are replaced with the appropriate configurations that are specific to your Splunk environment. The following analytic detects SIGRed exploitation attempts. SIGRed is a critical wormable vulnerability found in Windows DNS servers, known as CVE-2020-1350, which allows remote code execution. The detection is made by using an experimental search that focuses on identifying specific indicators that might suggest the presence of the SIGRed exploit such as DNS SIG records, KEY records, and TCP payloads greater than 65KB. This detection is important because it detects and responds to potential SIGRed exploitation attempts and minimizes the risk of a successful attack and its impact on the organization's infrastructure and data. False positives might occur due to the experimental nature of this analytic. Next steps include reviewing and investigating each case thoroughly given the potential for unauthorized Windows DNS server access, data breaches, and service disruptions. Additionally, you must stay updated with Microsoft's guidance on the SIGRed vulnerability.
 how_to_implement = You must be ingesting Splunk Stream DNS and Splunk Stream TCP. We are detecting SIG and KEY records via stream:dns and TCP payload over 65KB in size via stream:tcp. Replace the macro definitions ('stream:dns' and 'stream:tcp') with configurations for your Splunk environment.
 annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1203"], "nist": ["DE.CM"]}
 known_false_positives = unknown
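Review bot: The new explanation opens with a numbered prerequisites list ("Ensure that the following prerequisites are met: (i) ... (ii) ...") that restates the unchanged how_to_implement line in this hunk almost word for word; prerequisites belong in how_to_implement only, so the explanation should begin at `The following analytic detects SIGRed exploitation attempts.` The sentence "This detection is important because it detects and responds to potential SIGRed exploitation attempts" overstates what a search does — it detects, it does not respond; suggest `This detection is important because successful SIGRed exploitation gives an attacker remote code execution on a Windows DNS server.` The explanation line starts on the previous physical line of this hunk.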
@@ -13518,7 +13578,7 @@ providing_technologies = null
 type = detection
 asset_type = Endpoint
 confidence = medium
-explanation = This search detects SIGRed via Zeek DNS and Zeek Conn data.
+explanation = The following analytic detects the presence of SIGRed, a critical DNS vulnerability, using Zeek DNS and Zeek Conn data. SIGRed vulnerability allows attackers to run remote code on Windows DNS servers. By detecting SIGRed early, you can prevent further damage and protect the organization's network infrastructure. The detection is made by identifying specific DNS query types (SIG and KEY) in the Zeek DNS data and checks for high data transfer in the Zeek Conn data. If multiple instances of these indicators are found within a flow, it suggests the presence of SIGRed. The detection is important because it indicates a potential compromise of Windows DNS servers that suggests that an attacker might have gained unauthorized access to the DNS server and can run arbitrary code. The impact of this attack can be severe, leading to data exfiltration, unauthorized access, or disruption of critical services. Next steps include investigating the affected flow and taking immediate action to mitigate the vulnerability. This can involve patching the affected DNS server, isolating the server from the network, or conducting a forensic analysis to determine the extent of the compromise.
 how_to_implement = You must be ingesting Zeek DNS and Zeek Conn data into Splunk. Zeek data should also be getting ingested in JSON format. We are detecting SIG and KEY records via bro:dns:json and TCP payload over 65KB in size via bro:conn:json. The Network Resolution and Network Traffic datamodels are in use for this search.
 annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1203"], "nist": ["DE.CM"]}
 known_false_positives = unknown
@@ -13528,7 +13588,7 @@ providing_technologies = null
 type = detection
 asset_type = Network
 confidence = medium
-explanation = This search detects attempts to run exploits for the Zerologon CVE-2020-1472 vulnerability via Zeek RPC
+explanation = The following analytic detects attempts to exploit the Zerologon CVE-2020-1472 vulnerability through Zeek RPC. By detecting attempts to exploit the Zerologon vulnerability through Zeek RPC, SOC analysts can identify potential threats earlier and take appropriate action to mitigate the risks. This detection is made by a Splunk query that looks for specific Zeek RPC operations, including NetrServerPasswordSet2, NetrServerReqChallenge, and NetrServerAuthenticate3, which are aggregated by source and destination IP address and time. This detection is important because it suggests that an attacker is attempting to exploit the Zerologon vulnerability to gain unauthorized access to the domain controller. Zerologon vulnerability is a critical vulnerability that allows attackers to take over domain controllers without authentication, leading to a complete takeover of an organization's IT infrastructure. The impact of such an attack can be severe, potentially leading to data theft, ransomware, or other devastating outcomes. False positives might occur since legitimate Zeek RPC activity can trigger the analytic. Next steps include reviewing the identified source and destination IP addresses and the specific RPC operations used. Capture and inspect any relevant on-disk artifacts, and review concurrent processes to identify the attack source upon triage .
 how_to_implement = You must be ingesting Zeek DCE-RPC data into Splunk. Zeek data should also be getting ingested in JSON format. We are detecting when all three RPC operations (NetrServerReqChallenge, NetrServerAuthenticate3, NetrServerPasswordSet2) are splunk_security_essentials_app via bro:rpc:json. These three operations are then correlated on the Zeek UID field.
 annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]}
 known_false_positives = unknown
@@ -13684,7 +13744,7 @@ providing_technologies = null
 type = detection
 asset_type = Endpoint
 confidence = medium
-explanation = This search looks for spikes in the number of Server Message Block (SMB) traffic connections.
+explanation = The following analytic detects spikes in the number of Server Message Block (SMB) traffic connections. SMB is a network protocol used for sharing files, printers, and other resources between computers. This detection is made by a Splunk query that looks for SMB traffic connections on ports 139 and 445, as well as connections using the SMB application. The query calculates the average and standard deviation of the number of SMB connections over the past 70 minutes, and identifies any sources that exceed two standard deviations from the average. This helps to filter out false positives caused by normal fluctuations in SMB traffic. This detection is important because it identifies potential SMB-based attacks, such as ransomware or data theft, which often involve a large number of SMB connections. This suggests that an attacker is attempting to exfiltrate data or spread malware within the network. Next steps include investigating the source of the traffic and determining if it is malicious. This can involve reviewing network logs, capturing and analyzing any relevant network packets, and correlating with other security events to identify the attack source and mitigate the risk.
 how_to_implement = This search requires you to be ingesting your network traffic logs and populating the `Network_Traffic` data model.
 annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.002", "T1021"], "nist": ["DE.AE"]}
 known_false_positives = A file server may experience high-demand loads that could cause this analytic to trigger.
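Review bot: The new Zerologon explanation ends with "to identify the attack source upon triage ." — a stray space before the period; `... to identify the attack source upon triage.` The phrase "Capture and inspect any relevant on-disk artifacts, and review concurrent processes" does not fit a network-only (Zeek RPC) analytic whose asset_type is Network; consider dropping it or pointing at the domain controller's own logs instead. Separately, the unchanged how_to_implement in the same hunk reads "are splunk_security_essentials_app via bro:rpc:json", which looks like a search-and-replace artifact for a word such as "detected" and is worth repairing while this stanza is open. The explanation line starts on the previous physical line of this hunk.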
@@ -13795,6 +13855,29 @@ annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_at
known_false_positives = In the wild, we have observed three different types of attempts that could potentially trigger false positives if the HTTP status code is not in the query. Please check this github gist for the specific URIs : https://gist.github.com/patel-bhavin/d10830f3f375a2397233f6a4fe38d5c9 . These could be legitimate requests depending on the context of your organization. Therefore, it is recommended to modify the analytic as needed to suit your specific environment.
providing_technologies = null
+[savedsearch://ESCU - Cisco IOS XE Implant Access - Rule]
+type = detection
+asset_type = Network
+confidence = medium
+explanation = The following analytic identifies potential exploitation of a previously unknown vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software (CVE-2023-20198). Successful exploitation allows an attacker to create an account on the affected device with privilege level 15 access, granting them full control of the compromised device. The detection is based on the observation of suspicious account creation and subsequent actions, including the deployment of an implant consisting of a configuration file. The implant is saved under the file path //usr//binos//conf//nginx-conf//cisco_service.conf and is not persistent, meaning a device reboot will remove it, but the newly created local user accounts remain active even after system reboots. The new user accounts have level 15 privileges, meaning they have full administrator access to the device. This privileged access to the devices and subsequent creation of new users is tracked as CVE-2023-20198.
+how_to_implement = This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto.
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]}
+known_false_positives = False positives may be present, restrict to Cisco IOS XE devices or perimeter appliances. Modify the analytic as needed based on hunting for successful exploitation of CVE-2023-20198.
+providing_technologies = null
+
+[savedsearch://ESCU - Citrix ADC and Gateway Unauthorized Data Disclosure - Rule]
+type = detection
+asset_type = Web server
+confidence = medium
+explanation = The following analytic detects attempts to exploit the Citrix Bleed vulnerability, which can lead to the leaking of session tokens. The vulnerability, identified as CVE-2023-4966, pertains to sensitive information disclosure in NetScaler ADC and NetScaler Gateway when set up as various server configurations. The analytic specifically searches for HTTP requests with a 200 status code targeting the /oauth/idp/.well-known/openid-configuration URL endpoint. By parsing web traffic and filtering based on the aforementioned criteria along with specific user agent details, HTTP method, source and destination IPs, and the sourcetype, the analytic aims to identify potentially malicious requests that fit the profile of this exploit. \
+This behavior is essential for a Security Operations Center (SOC) to identify because if successfully exploited, attackers can gain unauthorized access, leading to a potential breach or further malicious activities within the organization's network. As the Citrix Bleed vulnerability can disclose session tokens, a successful exploit can allow attackers to impersonate legitimate users, bypassing authentication mechanisms and accessing sensitive data or systems. \
+If a true positive is confirmed, it implies that an attacker is actively exploiting the vulnerability within the organization's environment.
This could lead to severe consequences, including unauthorized data access, further propagation within the network, and potential disruptions or exfiltration of critical information. \
+Upon flagging such activity, it's crucial for analysts to swiftly validate the alert, assess the nature and extent of the exposure, and implement necessary measures to mitigate the threat. Reviewing the details such as user agent, source, and destination IP can help in understanding the context and intent of the attack. While it's imperative to patch vulnerable systems to prevent this exploitation, early detection through this analytic provides a valuable layer of defense, enabling timely response to thwart potential breaches.
+how_to_implement = This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. We recommend hunting in the environment first to understand the scope of the issue and then deploying this detection to monitor for future exploitation attempts. Limit or restrict to Citrix devices only if possible.
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]}
+known_false_positives = False positives may be present based on organization use of Citrix ADC and Gateway. Filter, or restrict the analytic to Citrix devices only.
+providing_technologies = null
+
[savedsearch://ESCU - Citrix ADC Exploitation CVE-2023-3519 - Rule]
type = detection
asset_type = Network
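Review bot: The how_to_implement line of the new Cisco IOS XE Implant Access stanza names Splunk for Apache, Splunk for Nginx and Splunk for Palo Alto as the add-ons feeding the Web datamodel, which is the same sentence the Citrix stanza below uses and does not say where Web UI traffic to an IOS XE device is expected to be logged from; it should name the source that was actually validated (the device's own HTTP logs, or a proxy or firewall in front of it). In the same explanation the path "//usr//binos//conf//nginx-conf//cisco_service.conf" has doubled slashes, which reads like an escaping artifact of the conf generation rather than the intended path — confirm which form is meant before release. The closing sentence "This privileged access to the devices and subsequent creation of new users is tracked as CVE-2023-20198" repeats the CVE already given in the first sentence and can be dropped.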
@@ -13821,6 +13904,26 @@ annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_at
known_false_positives = False positives may be present, filtering may be needed. Also, restricting to known web servers running IIS or ShareFile will change this from Hunting to TTP.
providing_technologies = null
+[savedsearch://ESCU - Confluence CVE-2023-22515 Trigger Vulnerability - Rule]
+type = detection
+asset_type = Web server
+confidence = medium
+explanation = The following analytic identifies potential exploitation attempts on a known vulnerability in Atlassian Confluence, targeting the /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false* and /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=0& URLs. By analyzing web logs within the Splunk 'Web' Data Model, it filters for successful accesses (HTTP status 200) to these vulnerable endpoints. Such behavior is crucial for a SOC to monitor, as it suggests attackers might be exploiting a privilege escalation flaw in Confluence. A true positive implies a possible unauthorized access or account creation with escalated privileges. Key details captured include user-agent, HTTP methods, URL length, and source and destination IPs. These insights aid SOCs in swiftly detecting and responding to threats, ensuring vulnerabilities are mitigated before substantial compromise.
+how_to_implement = To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel. Tested with Suricata and nginx:plus:kv.
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]}
+known_false_positives = False positives may be present with legitimate applications. Attempt to filter by dest IP or use Asset groups to restrict to Confluence servers.
+providing_technologies = null
+
+[savedsearch://ESCU - Confluence Data Center and Server Privilege Escalation - Rule]
+type = detection
+asset_type = Web server
+confidence = medium
+explanation = The following analytic identifies potential exploitation attempts on a known vulnerability in Atlassian Confluence, targeting the /setup/*.action* URL pattern. By analyzing web logs within the Splunk 'Web' Data Model, it filters for successful accesses (HTTP status 200) to these vulnerable endpoints. Such behavior is crucial for a SOC to monitor, as it suggests attackers might be exploiting a privilege escalation flaw in Confluence. A true positive implies a possible unauthorized access or account creation with escalated privileges. Key details captured include user-agent, HTTP methods, URL length, and source and destination IPs. These insights aid SOCs in swiftly detecting and responding to threats, ensuring vulnerabilities are mitigated before substantial compromise.
+how_to_implement = To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel.
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]}
+known_false_positives = False positives may be present with legitimate applications. Attempt to filter by dest IP or use Asset groups to restrict to confluence servers.
+providing_technologies = null
+
[savedsearch://ESCU - Confluence Unauthenticated Remote Code Execution CVE-2022-26134 - Rule]
type = detection
asset_type = Web Server
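Review bot: Neither new Confluence explanation names the vulnerability in its text: the first stanza carries CVE-2023-22515 only in the stanza name, and the second ("Confluence Data Center and Server Privilege Escalation") identifies no CVE anywhere, while both describe "a known vulnerability" with an otherwise near-identical paragraph. Stating the CVE in each explanation (and, for the second stanza, whichever advisory it covers, if any) lets analysts tell the two analytics apart in ES and cross-reference patch status. Both how_to_implement lines also spell "relavent" for "relevant", and the second stanza's known_false_positives writes "confluence servers" where the first has "Confluence servers".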
@@ -13881,6 +13984,16 @@ annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installat
known_false_positives = False positives may be present. Modify the query as needed to POST, or add additional filtering (based on log source).
providing_technologies = null
+[savedsearch://ESCU - F5 TMUI Authentication Bypass - Rule]
+type = detection
+asset_type = Network
+confidence = medium
+explanation = The following analytic is designed to detect attempts to exploit the CVE-2023-46747 vulnerability, a critical authentication bypass flaw in F5 BIG-IP that can lead to unauthenticated remote code execution (RCE). This vulnerability specifically affects the BIG-IP Configuration utility (TMUI) and has been assigned a high severity CVSSv3 score of 9.8. The analytic identifies this behavior by monitoring for a specific URI path - "*/mgmt/tm/auth/user/*", with the PATCH method and 200 status. Additional URI's will occur around the same time include "*/mgmt/shared/authn/login*" and "*/tmui/login.jsp*", which are associated with the exploitation of this vulnerability. This behavior is significant for a Security Operations Center (SOC) as it indicates an attempt to bypass authentication mechanisms, potentially leading to unauthorized access and control over the system. If a true positive is identified, it suggests that an attacker is attempting to exploit a known vulnerability to gain unauthorized access and execute arbitrary code, which could lead to data theft, system disruption, or further malicious activities within the network.
+how_to_implement = To successfully implement this search you need to be ingesting information on Web traffic that include fields relevant for traffic into the `Web` datamodel.
+annotations = {"cis20": ["CIS 10"], "nist": ["DE.CM"]}
+known_false_positives = False positives should be limited to as this is strict to active exploitation. Reduce noise by filtering to F5 devices with TMUI enabled or filter data as needed.
+providing_technologies = null
+
[savedsearch://ESCU - Fortinet Appliance Auth bypass - Rule]
type = detection
asset_type = Network
@@ -13985,6 +14098,16 @@ annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installat
known_false_positives = If there is a vulnerablility scannner looking for log4shells this will trigger, otherwise likely to have low false positives.
providing_technologies = null
+[savedsearch://ESCU - Microsoft SharePoint Server Elevation of Privilege - Rule]
+type = detection
+asset_type = Web Server
+confidence = medium
+explanation = The following analytic detects potential exploitation attempts against Microsoft SharePoint Server vulnerability CVE-2023-29357. This vulnerability pertains to an elevation of privilege due to improper handling of authentication tokens. By monitoring for suspicious activities related to SharePoint Server, the analytic identifies attempts to exploit this vulnerability. If a true positive is detected, it indicates a serious security breach where an attacker might have gained privileged access to the SharePoint environment, potentially leading to data theft or other malicious activities.
+how_to_implement = This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Microsoft SharePoint.
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.CM"]}
+known_false_positives = False positives may occur if there are legitimate activities that mimic the exploitation pattern. It's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment.
+providing_technologies = null
+
[savedsearch://ESCU - Monitor Web Traffic For Brand Abuse - Rule]
type = detection
asset_type = Endpoint
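Review bot: The new F5 TMUI Authentication Bypass stanza's annotations line, `+annotations = {"cis20": ["CIS 10"], "nist": ["DE.CM"]}`, is the only exploit-of-public-facing-application stanza added in this diff without "kill_chain_phases" and "mitre_attack"; the Cisco IOS XE, Citrix and Confluence stanzas all carry `"kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"]`, and ES views that filter by technique will silently omit this one. Two grammar slips in the new text as well: "Additional URI's will occur around the same time include ..." (drop the apostrophe and keep either "will occur" or "include") and "False positives should be limited to as this is strict to active exploitation" in known_false_positives.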
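Review bot: The new Microsoft SharePoint Server Elevation of Privilege explanation never says what the search matches on — "monitoring for suspicious activities related to SharePoint Server" — whereas every other stanza in this diff names the URI, method and status it keys on; without that an analyst cannot judge a hit or tune the analytic. State the concrete Web datamodel fields and values the query filters on, keeping the CVE-2023-29357 reference. The how_to_implement line is also the only one in the diff naming "Splunk for Microsoft SharePoint" as the Web datamodel source; confirm that is the add-on the search was validated against.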
@@ -14029,7 +14152,7 @@ providing_technologies = null
type = detection
asset_type = Database Server
confidence = medium
-explanation = This search looks for long URLs that have several SQL commands visible within them.
+explanation = The following analytic detects long URLs that contain multiple SQL commands. A proactive approach helps to detect and respond to potential threats earlier, mitigating the risks associated with SQL injection attacks. This detection is made by a Splunk query that searches for web traffic data where the destination category is a web server and the URL length is greater than 1024 characters or the HTTP user agent length is greater than 200 characters. This detection is important because it suggests that an attacker is attempting to exploit a web application through SQL injection. SQL injection is a common technique used by attackers to exploit vulnerabilities in web applications and gain unauthorized access to databases. Attackers can insert malicious SQL commands into a URL to manipulate the application's database and retrieve sensitive information or modify data. The impact of a successful SQL injection attack can be severe, potentially leading to data breaches, unauthorized access, and even complete compromise of the affected system. False positives might occur since the legitimate use of web applications or specific URLs in your environment can trigger the detection. Therefore, you must review and validate any alerts generated by this analytic before taking any action. Next steps include reviewing the source and destination of the web traffic, as well as the specific URL and HTTP user agent. Additionally, capture and analyze any relevant on-disk artifacts and review concurrent processes to determine the source of the attack.
how_to_implement = To successfully implement this search, you need to be monitoring network communications to your web servers or ingesting your HTTP logs and populating the Web data model.
You must also identify your web servers in the Enterprise Security assets table.
annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]}
known_false_positives = It's possible that legitimate traffic will have long URLs or long user agent strings and that common SQL commands may be found within the URL. Please investigate as appropriate.
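Review bot: The new explanation opens with "detects long URLs that contain multiple SQL commands" but the query it then describes filters only on URL length greater than 1024 or user-agent length greater than 200 against web-server destinations; no SQL keyword matching is mentioned, so either the description of the query is incomplete or the first sentence over-claims. Confirm which and make the two agree — the unchanged known_false_positives line still speaks of "common SQL commands" found within the URL, so a reader currently gets three different accounts of what the search keys on.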
@@ -14039,7 +14162,7 @@ providing_technologies = null
type = detection
asset_type = Web Server
confidence = medium
-explanation = This search aims to detect the Supernova webshell used in the SUNBURST attack.
+explanation = The following analytic detects the presence of the Supernova webshell, which was used in the SUNBURST attack. This webshell can be used by attackers to gain unauthorized access to a compromised system and run arbitrary code. This detection is made by a Splunk query that searches for specific patterns in web URLs, including "*logoimagehandler.ashx*codes*", "*logoimagehandler.ashx*clazz*", "*logoimagehandler.ashx*method*", and "*logoimagehandler.ashx*args*". These patterns are commonly used by the Supernova webshell to communicate with its command and control server. This detection is important because it indicates a potential compromise and unauthorized access to the system to run arbitrary code, which can lead to data theft, ransomware, or other damaging outcomes. False positives might occur since the patterns used by the webshell can also be present in legitimate web traffic. In such cases, tune the search to the specific environment and monitor it closely for any suspicious activity. Next steps include reviewing the web URLs and inspecting any relevant on-disk artifacts. Additionally, review concurrent processes and network connections to identify the source of the attack.
how_to_implement = To successfully implement this search, you need to be monitoring web traffic to your Solarwinds Orion. The logs should be ingested into splunk and populating/mapped to the Web data model.
annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1505.003", "T1133"], "nist": ["DE.CM"]}
known_false_positives = There might be false positives associted with this detection since items like args as a web argument is pretty generic.
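Review bot: The new explanation says the logoimagehandler.ashx patterns "are commonly used by the Supernova webshell to communicate with its command and control server", which inverts the direction of the traffic: the codes/clazz/method/args parameters are carried in inbound HTTP requests from the operator to the webshell on the Orion host, not in outbound traffic from the webshell, which matches the how_to_implement line's "monitoring web traffic to your Solarwinds Orion". Suggest "These parameters are what an operator sends to the Supernova webshell in requests to logoimagehandler.ashx" so analysts triage inbound web requests rather than egress connections. The unchanged known_false_positives line still has the typo "associted".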
@@ -14125,7 +14248,7 @@ confidence = medium
explanation = The following analytic is designed to detect a Remote Code Execution (RCE) vulnerability (CVE-2023-40044) in WS_FTP, a managed file transfer software by Progress. The search specifically looks for HTTP requests to the "/AHT/AhtApiService.asmx/AuthUser" URL with a status of 200, which could indicate an exploitation attempt.
how_to_implement = The following analytic requires the Web datamodel. Ensure data source is mapped correctly or modify and tune for your data source.
annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]}
-known_false_positives = If WS_FTP Server is not in use, this analytic will not return results. Monitor and tune for your environment.
+known_false_positives = If WS_FTP Server is not in use, this analytic will not return results. Monitor and tune for your environment. Note the MetaSploit module is focused on only hitting /AHT/ and not the full /AHT/AhtApiService.asmx/AuthUser URL.
providing_technologies = null
### END DETECTIONS ###
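Review bot: The sentence added to known_false_positives ("Note the MetaSploit module is focused on only hitting /AHT/ and not the full /AHT/AhtApiService.asmx/AuthUser URL") describes a coverage gap of the search, not a source of false positives, so it is misfiled; it belongs in how_to_implement or the explanation, where it tells the operator that the full-URL match will miss that tooling and that they may want to broaden it for their environment. Also, the product is spelled "Metasploit".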
@@ -14184,7 +14307,7 @@ version = 1
references = ["https://en.wikipedia.org/wiki/Kerberos_(protocol)", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/2a32282e-dd48-4ad9-a542-609804b02cc9", "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", "https://stealthbits.com/blog/cracking-active-directory-passwords-with-as-rep-roasting/", "https://attack.mitre.org/techniques/T1558/003/", "https://attack.mitre.org/techniques/T1550/003/", "https://attack.mitre.org/techniques/T1558/004/"]
maintainers = [{"company": "Splunk", "email": "-", "name": "Mauricio Velazco"}]
spec_version = 3
-searches = ["ESCU - Disabled Kerberos Pre-Authentication Discovery With Get-ADUser - Rule", "ESCU - Disabled Kerberos Pre-Authentication Discovery With PowerView - Rule", "ESCU - Kerberoasting spn request with RC4 encryption - Rule", "ESCU - Kerberos Pre-Authentication Flag Disabled in UserAccountControl - Rule", "ESCU - Kerberos Pre-Authentication Flag Disabled with PowerShell - Rule", "ESCU - Kerberos Service Ticket Request Using RC4 Encryption - Rule", "ESCU - Kerberos TGT Request Using RC4 Encryption - Rule", "ESCU - Kerberos User Enumeration - Rule", "ESCU - Mimikatz PassTheTicket CommandLine Parameters - Rule", "ESCU - PetitPotam Suspicious Kerberos TGT Request - Rule", "ESCU - Rubeus Command Line Parameters - Rule", "ESCU - Rubeus Kerberos Ticket Exports Through Winlogon Access - Rule", "ESCU - ServicePrincipalNames Discovery with PowerShell - Rule", "ESCU - ServicePrincipalNames Discovery with SetSPN - Rule", "ESCU - Suspicious Kerberos Service Ticket Request - Rule", "ESCU - Suspicious Ticket Granting Ticket Request - Rule", "ESCU - Unknown Process Using The Kerberos Protocol - Rule", "ESCU - Unusual Number of Computer Service Tickets Requested - Rule", "ESCU - Unusual Number of Kerberos Service Tickets Requested - Rule", "ESCU - Windows Computer Account Created by Computer Account - Rule", "ESCU - Windows Computer Account Requesting Kerberos
Ticket - Rule", "ESCU - Windows Computer Account With SPN - Rule", "ESCU - Windows Get-AdComputer Unconstrained Delegation Discovery - Rule", "ESCU - Windows Kerberos Local Successful Logon - Rule", "ESCU - Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos - Rule", "ESCU - Windows Multiple Invalid Users Fail To Authenticate Using Kerberos - Rule", "ESCU - Windows Multiple Users Failed To Authenticate Using Kerberos - Rule", "ESCU - Windows PowerView Constrained Delegation Discovery - Rule", "ESCU - Windows PowerView Kerberos Service Ticket Request - Rule", "ESCU - Windows PowerView SPN Discovery - Rule", "ESCU - Windows PowerView Unconstrained Delegation Discovery - Rule", "ESCU - Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Users Failed To Auth Using Kerberos - Rule"]
+searches = ["ESCU - Disabled Kerberos Pre-Authentication Discovery With Get-ADUser - Rule", "ESCU - Disabled Kerberos Pre-Authentication Discovery With PowerView - Rule", "ESCU - Kerberoasting spn request with RC4 encryption - Rule", "ESCU - Kerberos Pre-Authentication Flag Disabled in UserAccountControl - Rule", "ESCU - Kerberos Pre-Authentication Flag Disabled with PowerShell - Rule", "ESCU - Kerberos Service Ticket Request Using RC4 Encryption - Rule", "ESCU - Kerberos TGT Request Using RC4 Encryption - Rule", "ESCU - Kerberos User Enumeration - Rule", "ESCU - Mimikatz PassTheTicket CommandLine Parameters - Rule", "ESCU - PetitPotam Suspicious Kerberos TGT Request - Rule", "ESCU - Rubeus Command Line Parameters - Rule", "ESCU - Rubeus Kerberos Ticket Exports Through Winlogon Access - Rule", "ESCU - ServicePrincipalNames Discovery with PowerShell - Rule", "ESCU - ServicePrincipalNames Discovery with SetSPN - Rule", "ESCU - Suspicious Kerberos Service Ticket Request - Rule", "ESCU - Suspicious Ticket Granting Ticket Request - Rule",
"ESCU - Unknown Process Using The Kerberos Protocol - Rule", "ESCU - Unusual Number of Computer Service Tickets Requested - Rule", "ESCU - Unusual Number of Kerberos Service Tickets Requested - Rule", "ESCU - Windows Computer Account Created by Computer Account - Rule", "ESCU - Windows Computer Account Requesting Kerberos Ticket - Rule", "ESCU - Windows Computer Account With SPN - Rule", "ESCU - Windows Domain Admin Impersonation Indicator - Rule", "ESCU - Windows Get-AdComputer Unconstrained Delegation Discovery - Rule", "ESCU - Windows Kerberos Local Successful Logon - Rule", "ESCU - Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos - Rule", "ESCU - Windows Multiple Invalid Users Fail To Authenticate Using Kerberos - Rule", "ESCU - Windows Multiple Users Failed To Authenticate Using Kerberos - Rule", "ESCU - Windows PowerView Constrained Delegation Discovery - Rule", "ESCU - Windows PowerView Kerberos Service Ticket Request - Rule", "ESCU - Windows PowerView SPN Discovery - Rule", "ESCU - Windows PowerView Unconstrained Delegation Discovery - Rule", "ESCU - Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Users Failed To Auth Using Kerberos - Rule"] description = Monitor for activities and techniques associated with Kerberos based attacks within with Active Directory environments. narrative = Kerberos, initially named after Cerberus, the three-headed dog in Greek mythology, is a network authentication protocol that allows computers and users to prove their identity through a trusted third-party. This trusted third-party issues Kerberos tickets using symmetric encryption to allow users access to services and network resources based on their privilege level. Kerberos is the default authentication protocol used on Windows Active Directory networks since the introduction of Windows Server 2003. 
With Kerberos being the backbone of Windows authentication, it is commonly abused by adversaries across the different phases of a breach including initial access, privilege escalation, defense evasion, credential access, lateral movement, etc.\
This Analytic Story groups detection use cases in which the Kerberos protocol is abused. Defenders can leverage these analytics to detect and hunt for adversaries engaging in Kerberos based attacks.
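Review bot: The added entry "ESCU - Windows Domain Admin Impersonation Indicator - Rule" (placed in alphabetical order, which is fine) refers to a savedsearch stanza that does not appear in any of the detection hunks of this diff; confirm the stanza is defined elsewhere in this commit, since an analytic story that points at a missing search degrades silently in ES rather than failing at load. The same entry is added to the Active Directory Privilege Escalation story's searches list in the next hunk, which has the same dependency.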
@@ -14223,7 +14346,7 @@ version = 1
references = ["https://attack.mitre.org/tactics/TA0004/", "https://adsecurity.org/?p=3658", "https://adsecurity.org/?p=2362"]
maintainers = [{"company": "Splunk", "email": "-", "name": "Mauricio Velazco"}]
spec_version = 3
-searches = ["ESCU - Active Directory Privilege Escalation Identified - Rule", "ESCU - Kerberos Service Ticket Request Using RC4 Encryption - Rule", "ESCU - Rubeus Command Line Parameters - Rule", "ESCU - ServicePrincipalNames Discovery with PowerShell - Rule", "ESCU - ServicePrincipalNames Discovery with SetSPN - Rule", "ESCU - Suspicious Computer Account Name Change - Rule", "ESCU - Suspicious Kerberos Service Ticket Request - Rule", "ESCU - Suspicious Ticket Granting Ticket Request - Rule", "ESCU - Unusual Number of Computer Service Tickets Requested - Rule", "ESCU - Unusual Number of Remote Endpoint Authentication Events - Rule", "ESCU - Windows Administrative Shares Accessed On Multiple Hosts - Rule", "ESCU - Windows Admon Default Group Policy Object Modified - Rule", "ESCU - Windows Admon Group Policy Object Created - Rule", "ESCU - Windows Default Group Policy Object Modified - Rule", "ESCU - Windows Default Group Policy Object Modified with GPME - Rule", "ESCU - Windows DnsAdmins New Member Added - Rule", "ESCU - Windows File Share Discovery With Powerview - Rule", "ESCU - Windows Findstr GPP Discovery - Rule", "ESCU - Windows Group Policy Object Created - Rule", "ESCU - Windows Large Number of Computer Service Tickets Requested - Rule", "ESCU - Windows Local Administrator Credential Stuffing - Rule", "ESCU - Windows PowerSploit GPP Discovery - Rule", "ESCU - Windows PowerView AD Access Control List Enumeration - Rule", "ESCU - Windows Rapid Authentication On Multiple Hosts - Rule", "ESCU - Windows Special Privileged Logon On Multiple Hosts - Rule"]
+searches = ["ESCU - Active Directory Privilege Escalation Identified - Rule", "ESCU - Kerberos Service Ticket Request Using RC4 Encryption - Rule", "ESCU -
Rubeus Command Line Parameters - Rule", "ESCU - ServicePrincipalNames Discovery with PowerShell - Rule", "ESCU - ServicePrincipalNames Discovery with SetSPN - Rule", "ESCU - Suspicious Computer Account Name Change - Rule", "ESCU - Suspicious Kerberos Service Ticket Request - Rule", "ESCU - Suspicious Ticket Granting Ticket Request - Rule", "ESCU - Unusual Number of Computer Service Tickets Requested - Rule", "ESCU - Unusual Number of Remote Endpoint Authentication Events - Rule", "ESCU - Windows Administrative Shares Accessed On Multiple Hosts - Rule", "ESCU - Windows Admon Default Group Policy Object Modified - Rule", "ESCU - Windows Admon Group Policy Object Created - Rule", "ESCU - Windows Default Group Policy Object Modified - Rule", "ESCU - Windows Default Group Policy Object Modified with GPME - Rule", "ESCU - Windows DnsAdmins New Member Added - Rule", "ESCU - Windows Domain Admin Impersonation Indicator - Rule", "ESCU - Windows File Share Discovery With Powerview - Rule", "ESCU - Windows Findstr GPP Discovery - Rule", "ESCU - Windows Group Policy Object Created - Rule", "ESCU - Windows Large Number of Computer Service Tickets Requested - Rule", "ESCU - Windows Local Administrator Credential Stuffing - Rule", "ESCU - Windows PowerSploit GPP Discovery - Rule", "ESCU - Windows PowerView AD Access Control List Enumeration - Rule", "ESCU - Windows Rapid Authentication On Multiple Hosts - Rule", "ESCU - Windows Special Privileged Logon On Multiple Hosts - Rule"]
description = Monitor for activities and techniques associated with Privilege Escalation attacks within Active Directory environments.
narrative = Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives.
Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities.\
Active Directory is a central component of most enterprise networks, providing authentication and authorization services for users, computers, and other resources. It stores sensitive information such as passwords, user accounts, and security policies, and is therefore a high-value target for attackers. Privilege escalation attacks in Active Directory typically involve exploiting vulnerabilities or misconfigurations across the network to gain elevated privileges, such as Domain Administrator access. Once an attacker has escalated their privileges and taken full control of a domain, they can easily move laterally throughout the network, access sensitive data, and carry out further attacks. Security teams should monitor for privilege escalation attacks in Active Directory to identify a breach before attackers achieve operational success.\
@@ -14595,6 +14718,28 @@ searches = ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Suspici description = CISA and the FBI have identified an APT activity where the adversary gained initial access via Log4Shell via a unpatched VMware Horizon server. From there the adversary moved laterally and continued to its objective. narrative = From mid-June through mid-July 2022, CISA conducted an incident response engagement at a Federal Civilian Executive Branch (FCEB) organization where CISA observed suspected advanced persistent threat (APT) activity. In the course of incident response activities, CISA determined that cyber threat actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server, installed XMRig crypto mining software, moved laterally to the domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence. CISA and the Federal Bureau of Investigation (FBI) assess that the FCEB network was compromised by Iranian government-sponsored APT actors. +[analytic_story://Cisco IOS XE Software Web Management User Interface vulnerability] +category = Adversary Tactics +last_updated = 2023-10-17 +version = 1 +references = ["https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/"] +maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] +spec_version = 3 +searches = ["ESCU - Cisco IOS XE Implant Access - Rule"] +description = Cisco has identified active exploitation of a previously unknown vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software (CVE-2023-20198) when exposed to the internet or untrusted networks. Successful exploitation of this vulnerability allows an attacker to create an account on the affected device with privilege level 15 access, effectively granting them full control of the compromised device and allowing possible subsequent unauthorized activity. 
+narrative = Cisco discovered early evidence of potentially malicious activity on September 28, 2023, when a case was opened with Cisco's Technical Assistance Center (TAC) that identified unusual behavior on a customer device. Upon further investigation, they observed what they have determined to be related activity as early as September 18. The activity included an authorized user creating a local user account under the username cisco_tac_admin from a suspicious IP address. On October 12, Cisco Talos Incident Response (Talos IR) and TAC detected what they later determined to be an additional cluster of related activity that began on that same day. In this cluster, an unauthorized user was observed creating a local user account under the name cisco_support from a second suspicious IP address. Unlike the September case, this October activity included several subsequent actions, including the deployment of an implant consisting of a configuration file (cisco_service.conf). The configuration file defines the new web server endpoint (URI path) used to interact with the implant. That endpoint receives certain parameters, described in more detail below, that allows the actor to execute arbitrary commands at the system level or IOS level. For the implant to become active, the web server must be restarted; in at least one observed case the server was not restarted so the implant never became active despite being installed. 
+ +[analytic_story://Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966] +category = Adversary Tactics +last_updated = 2023-10-24 +version = 1 +references = ["https://www.netscaler.com/blog/news/cve-2023-4966-critical-security-update-now-available-for-netscaler-adc-and-netscaler-gateway/", "https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967", "https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966", "https://github.com/assetnote/exploits/tree/main/citrix/CVE-2023-4966", "https://github.com/projectdiscovery/nuclei-templates/blob/b815d23b908de52996060163091395d1c89fbeea/http/cves/2023/CVE-2023-4966.yaml"] +maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] +spec_version = 3 +searches = ["ESCU - Citrix ADC and Gateway Unauthorized Data Disclosure - Rule"] +description = A critical security update, CVE-2023-4966, has been released for NetScaler ADC and NetScaler Gateway. This vulnerability, discovered by our internal team, can result in unauthorized data disclosure if exploited. Reports of incidents consistent with session hijacking have been received. The Cybersecurity and Infrastructure Security Agency (CISA) has added an entry for CVE-2023-4966 to its Known Exploited and Vulnerabilities Catalog. No workarounds are available for this vulnerability, and immediate installation of the recommended builds is strongly advised. +narrative = On October 10, 2023, Cloud Software Group released builds to fix CVE-2023-4966, a vulnerability affecting NetScaler ADC and NetScaler Gateway. This vulnerability, if exploited, can lead to unauthorized data disclosure and possibly session hijacking. Although there were no known exploits at the time of disclosure, we have since received credible reports of targeted attacks exploiting this vulnerability. 
The Cybersecurity and Infrastructure Security Agency (CISA) has added an entry for CVE-2023-4966 to its Known Exploited and Vulnerabilities Catalog, which contains detection and mitigation guidance for observed exploitations of CVE-2023-4966 by threat actors against NetScaler ADC and NetScaler Gateway. We strongly recommend that users of affected builds immediately install the recommended builds, as this vulnerability has been identified as critical. No workarounds are available for this vulnerability. + [analytic_story://Citrix Netscaler ADC CVE-2023-3519] category = Adversary Tactics last_updated = 2023-07-20 
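Review bot: The Cisco IOS XE narrative says the implant endpoint receives parameters "described in more detail below", but nothing follows in this stanza — the sentence was lifted from the Talos post and the pointer dangles here; drop it or change it to `That endpoint receives parameters that allow the actor to execute arbitrary commands at the system or IOS level (see the Talos reference).` The Citrix stanza has the same copy-paste problem in the other direction: "discovered by our internal team", "we have since received credible reports" and "We strongly recommend" are Cloud Software Group speaking, which in this file reads as Splunk speaking; rewrite in third person or attribute the quotation the way the file already does for BleepingComputer, e.g. append `(Cloud Software Group, 2023)`. The Citrix stanza also repeats the CISA KEV sentence verbatim in both description and narrative. If these stanzas are rendered by contentctl from the story YAML, the edits belong in the source YAML rather than in this file.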
@@ -14752,6 +14897,20 @@ searches = ["ESCU - Office Application Drop Executable - Rule", "ESCU - Office P description = A proof-of-concept for CVE-2023-21716, a critical vulnerability in Microsoft Word that allows remote code execution utilizing a heap corruption in rich text files. narrative = This analytic story covers content that will assist organizations in identifying potential RTF RCE abuse on endpoints. The vulnerability was assigned a 9.8 out of 10 severity score, with Microsoft addressing it in the February Patch Tuesday security updates along with a couple of workarounds. Security researcher Joshua Drake last year discovered the vulnerability in Microsoft Office''s "wwlib.dll" and sent Microsoft a technical advisory containing proof-of-concept (PoC) code showing the issue is exploitable. A remote attacker could potentially take advantage of the issue to execute code with the same privileges as the victim that opens a malicious .RTF document. Delivering the malicious file to a victim can be as easy as an attachment to an email, although plenty of other methods exist. Microsoft warns that users don''t have to open a malicious RTF document and simply loading the file in the Preview Pane is enough for the compromise to start. 
(BleepingComputer, 2023) +[analytic_story://CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server] +category = Adversary Tactics +last_updated = 2023-10-04 +version = 1 +references = ["https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html", "https://www.rapid7.com/blog/post/2023/10/04/etr-cve-2023-22515-zero-day-privilege-escalation-in-confluence-server-and-data-center/"] +maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] +spec_version = 3 +searches = ["ESCU - Confluence CVE-2023-22515 Trigger Vulnerability - Rule", "ESCU - Confluence Data Center and Server Privilege Escalation - Rule"] +description = On October 4, 2023, Atlassian disclosed a critical privilege escalation vulnerability, CVE-2023-22515, affecting on-premises instances of Confluence Server and Confluence Data Center. This flaw might allow external attackers to exploit accessible Confluence instances, creating unauthorized Confluence administrator accounts. Indicators suggest the vulnerability is remotely exploitable. The affected versions range from 8.0.0 to 8.5.1, but versions prior to 8.0.0 and Atlassian Cloud sites are unaffected. Atlassian advises customers to update to a fixed version or implement mitigation strategies. Indicators of compromise (IoCs) and mitigation steps, such as blocking access to /setup/* endpoints, are provided. +narrative = Upon Atlassian's disclosure of CVE-2023-22515, there's an immediate need to assess the threat landscape of on-premises Confluence installations. As the vulnerability affects privilege escalation and may be exploited remotely, SIEM solutions should be poised to detect potential threats.\ +By monitoring for specific indicators of compromise, security teams can get ahead of any potential breaches. 
Key indicators include unexpected members in the 'confluence-administrator' group, newly created user accounts, and specific HTTP requests to /setup/*.action endpoints. Any unusual spikes or patterns associated with these indicators might signify an ongoing or attempted exploitation. \ +Furthermore, an audit trail of past logs is essential. Analyzing older logs might uncover any unnoticed exploitation, allowing for a post-incident analysis and ensuring affected systems are patched or isolated. An alert mechanism should be established for any access or changes related to /setup/* endpoints. \ +In parallel, updating the affected Confluence Server and Data Center versions to the fixed releases is paramount. If immediate updates aren't feasible, interim mitigation measures, such as blocking external network access to /setup/*, should be implemented, and logs around this activity should be monitored. + [analytic_story://CVE-2023-23397 Outlook Elevation of Privilege] category = Adversary Tactics last_updated = 2023-03-15 
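Review bot: The Confluence description ends with "Indicators of compromise (IoCs) and mitigation steps, such as blocking access to /setup/* endpoints, are provided.", which in the Atlassian advisory refers to the advisory itself but in this stanza refers to nothing — the story supplies two searches and no IoC list. Change it to `Indicators of compromise (IoCs) and mitigation steps, such as blocking access to /setup/* endpoints, are provided in the Atlassian advisory linked in the references.` or drop the sentence. The narrative's guidance (watch the 'confluence-administrator' group, newly created accounts and /setup/*.action requests) matches what the two listed rules are named for, so the rest reads correctly.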
@@ -14819,7 +14978,7 @@ version = 2 references = ["https://attack.mitre.org/tactics/TA0010/", "https://bleemb.medium.com/data-exfiltration-with-native-aws-s3-features-c94ae4d13436", "https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-277a"] maintainers = [{"company": "Shannon Davis, Splunk", "email": "-", "name": "Bhavin Patel"}] spec_version = 3 -searches = ["ESCU - AWS AMI Atttribute Modification for Exfiltration - Rule", "ESCU - AWS Disable Bucket Versioning - Rule", "ESCU - AWS EC2 Snapshot Shared Externally - Rule", "ESCU - AWS Exfiltration via Anomalous GetObject API Activity - Rule", "ESCU - AWS Exfiltration via Batch Service - Rule", "ESCU - AWS Exfiltration via Bucket Replication - Rule", "ESCU - AWS Exfiltration via DataSync Task - Rule", "ESCU - AWS Exfiltration via EC2 Snapshot - Rule", "ESCU - AWS S3 Exfiltration Behavior Identified - Rule", "ESCU - Gdrive suspicious file sharing - Rule", "ESCU - O365 PST export alert - Rule", "ESCU - O365 Suspicious Admin Email Forwarding - Rule", "ESCU - O365 Suspicious User Email Forwarding - Rule", "ESCU - DNS Exfiltration Using Nslookup App - Rule", "ESCU - Excessive Usage of NSLOOKUP App - Rule", "ESCU - Linux Curl Upload File - Rule", "ESCU - Mailsniper Invoke functions - Rule", "ESCU - Detect DGA domains using pretrained model in DSDL - Rule", "ESCU - Detect SNICat SNI Exfiltration - Rule", "ESCU - Multiple Archive Files Http Post Traffic - Rule", "ESCU - Plain HTTP POST Exfiltrated Data - Rule", "ESCU - Get Notable History - Response Task"] +searches = ["ESCU - AWS AMI Atttribute Modification for Exfiltration - Rule", "ESCU - AWS Disable Bucket Versioning - Rule", "ESCU - AWS EC2 Snapshot Shared Externally - Rule", "ESCU - AWS Exfiltration via Anomalous GetObject API Activity - Rule", "ESCU - AWS Exfiltration via Batch Service - Rule", "ESCU - AWS Exfiltration via Bucket Replication - Rule", "ESCU - AWS Exfiltration via DataSync 
Task - Rule", "ESCU - AWS Exfiltration via EC2 Snapshot - Rule", "ESCU - AWS S3 Exfiltration Behavior Identified - Rule", "ESCU - Gdrive suspicious file sharing - Rule", "ESCU - O365 PST export alert - Rule", "ESCU - O365 Suspicious Admin Email Forwarding - Rule", "ESCU - O365 Suspicious User Email Forwarding - Rule", "ESCU - Detect Certipy File Modifications - Rule", "ESCU - DNS Exfiltration Using Nslookup App - Rule", "ESCU - Excessive Usage of NSLOOKUP App - Rule", "ESCU - Linux Curl Upload File - Rule", "ESCU - Mailsniper Invoke functions - Rule", "ESCU - Detect DGA domains using pretrained model in DSDL - Rule", "ESCU - Detect SNICat SNI Exfiltration - Rule", "ESCU - Multiple Archive Files Http Post Traffic - Rule", "ESCU - Plain HTTP POST Exfiltrated Data - Rule", "ESCU - Get Notable History - Response Task"] description = Data exfiltration refers to the unauthorized transfer or extraction of sensitive or valuable data from a compromised system or network during a cyber attack. It is a critical phase in many targeted attacks, where adversaries aim to steal confidential information, such as intellectual property, financial records, personal data, or trade secrets. narrative = This Analytic Story supports you to detect Tactics, Techniques and Procedures (TTPs) leveraged by adversaries to exfiltrate data from your environments. Exfiltration comes in many flavors and its done differently on every environment. Adversaries can collect data over encrypted or non-encrypted channels. They can utilise Command And Control channels that are already in place to exfiltrate data. They can use both standard data transfer protocols such as FTP, SCP, etc to exfiltrate data. 
Or they can use non-standard protocols such as DNS, ICMP, etc with specially crafted fields to try and circumvent security technologies in place.\ Techniques for getting data out of a target network typically include transferring it over their command and control channel or an alternate channel and may also include putting size limits on the transmission. In context of the cloud, this refers to the unauthorized transfer or extraction of sensitive data from cloud-based systems or services. It involves the compromise of cloud infrastructure or accounts to gain access to valuable information stored in the cloud environment. Attackers may employ various techniques, such as exploiting vulnerabilities, stealing login credentials, or using malicious code to exfiltrate data from cloud repositories or services without detection. 
@@ -15136,6 +15295,19 @@ narrative = The trojan downloader known as Emotet first surfaced in 2014, when i According to the TA, the the malware continues to be among the most costly and destructive malware affecting the private and public sectors. Researchers have linked it to the threat group Mealybug, which has also been on the security communitys radar since 2014.\ The searches in this Analytic Story will help you find executables that are rarely used in your environment, specific registry paths that malware often uses to ensure survivability and persistence, instances where cmd.exe is used to launch script interpreters, and other indicators that Emotet or other malware has compromised your environment. +[analytic_story://F5 Authentication Bypass with TMUI] +category = Adversary Tactics +last_updated = 2023-10-30 +version = 1 +references = ["https://www.praetorian.com/blog/refresh-compromising-f5-big-ip-with-request-smuggling-cve-2023-46747/", "https://github.com/projectdiscovery/nuclei-templates/blob/3b0bb71bd627c6c3139e1d06c866f8402aa228ae/http/cves/2023/CVE-2023-46747.yaml"] +maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] +spec_version = 3 +searches = ["ESCU - F5 TMUI Authentication Bypass - Rule"] +description = Research into leading software revealed vulnerabilities in both Apache Tomcat and the F5 BIG-IP suite. Apache's AJP protocol vulnerability, designated CVE-2022-26377, relates to AJP request smuggling. Successful exploitation enables unauthorized system activities. F5 BIG-IP Virtual Edition exhibited a distinct vulnerability, an authentication bypass in the Traffic Management User Interface (TMUI), resulting in system compromise. Assigned CVE-2023-46747, this vulnerability also arose from request smuggling, bearing similarity to CVE-2022-26377. Given the wide adoption of both Apache Tomcat and F5 products, these vulnerabilities present grave risks to organizations. 
Remediation and vulnerability detection mechanisms are essential to address these threats effectively. +narrative = Both Apache Tomcat's AJP protocol and F5's BIG-IP Virtual Edition have been exposed to critical vulnerabilities. Apache's CVE-2022-26377 pertains to request smuggling by manipulating the "Transfer-Encoding" header. If successfully exploited, this allows attackers to bypass security controls and undertake unauthorized actions. \ +Similarly, F5 BIG-IP unveiled an authentication bypass vulnerability, CVE-2023-46747. Originating from the TMUI, this vulnerability leads to full system compromise. While distinct, it shares characteristics with Apache's vulnerability, primarily rooted in request smuggling. This vulnerability drew from past F5 CVEs, particularly CVE-2020-5902 and CVE-2022-1388, both previously exploited in real-world scenarios. These highlighted vulnerabilities in Apache HTTP and Apache Tomcat services, as well as authentication flaws in the F5 BIG-IP API.\ +Nuclei detection templates offer a proactive solution for identifying and mitigating these vulnerabilities. Integrated into vulnerability management frameworks, these templates notify organizations of potential risks, forming a base for further detection strategies. For detection engineers, understanding these vulnerabilities is crucial. Recognizing the mechanisms and effects of request smuggling, especially in Apache's and F5's context, provides a roadmap to effective detection and response. Prompt detection is a linchpin, potentially stymieing further, more destructive attacks. + [analytic_story://F5 BIG-IP Vulnerability CVE-2022-1388] category = Adversary Tactics last_updated = 2022-05-10 
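Review bot: The F5 stanza's description and narrative spend most of their text on Apache CVE-2022-26377 and on Nuclei templates, but the only search in the story is `ESCU - F5 TMUI Authentication Bypass - Rule`, so the reader is told about things the story cannot detect; trim to the TMUI bypass and keep the Apache issue to one sentence on how CVE-2023-46747 was derived from it. The text also attributes CVE-2022-26377 to Apache Tomcat, whereas I recall it being an Apache HTTP Server mod_proxy_ajp request-smuggling issue — verify against the Praetorian write-up in the references before naming the product. "Nuclei detection templates offer a proactive solution for identifying and mitigating these vulnerabilities" overstates what a scanner template does; it identifies exposed instances, it does not mitigate anything.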
@@ -15317,7 +15489,7 @@ version = 1 references = ["https://attack.mitre.org/techniques/T1105/"] maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] spec_version = 3 -searches = ["ESCU - Any Powershell DownloadFile - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - BITSAdmin Download File - Rule", "ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - CertUtil Download With VerifyCtl and Split Arguments - Rule", "ESCU - Curl Download and Bash Execution - Rule", "ESCU - Detect Certify Command Line Arguments - Rule", "ESCU - Linux Curl Upload File - Rule", "ESCU - Linux Ingress Tool Transfer Hunting - Rule", "ESCU - Linux Ingress Tool Transfer with Curl - Rule", "ESCU - Linux Proxy Socks Curl - Rule", "ESCU - Suspicious Curl Network Connection - Rule", "ESCU - Wget Download and Bash Execution - Rule", "ESCU - Windows Curl Download to Suspicious Path - Rule", "ESCU - Windows Curl Upload to Remote Destination - Rule"] +searches = ["ESCU - Any Powershell DownloadFile - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - BITSAdmin Download File - Rule", "ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - CertUtil Download With VerifyCtl and Split Arguments - Rule", "ESCU - Curl Download and Bash Execution - Rule", "ESCU - Detect Certify Command Line Arguments - Rule", "ESCU - Detect Certipy File Modifications - Rule", "ESCU - Linux Curl Upload File - Rule", "ESCU - Linux Ingress Tool Transfer Hunting - Rule", "ESCU - Linux Ingress Tool Transfer with Curl - Rule", "ESCU - Linux Proxy Socks Curl - Rule", "ESCU - Suspicious Curl Network Connection - Rule", "ESCU - Wget Download and Bash Execution - Rule", "ESCU - Windows Curl Download to Suspicious Path - Rule", "ESCU - Windows Curl Upload to Remote Destination - Rule"] description = Adversaries may transfer tools or other files from an external system into a compromised environment. 
Files may be copied from an external adversary controlled system through the Command And Control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. narrative = Ingress tool transfer is a Technique under tactic Command And Control. Behaviors will include the use of living off the land binaries to download implants or binaries over alternate communication ports. It is imperative to baseline applications on endpoints to understand what generates network activity, to where, and what is its native behavior. These utilities, when abused, will write files to disk in world writeable paths.\ During triage, review the reputation of the remote public destination IP or domain. Capture any files written to disk and perform analysis. Review other parrallel processes for additional behaviors. 
@@ -15592,6 +15764,17 @@ description = CVE-2021-40444 is a remote code execution vulnerability in MSHTML, narrative = Microsoft is aware of targeted attacks that attempt to exploit this vulnerability, CVE-2021-40444 by using specially-crafted Microsoft Office documents. MSHTML is a software component used to render web pages on Windows. Although it is 2019s most commonly associated with Internet Explorer, it is also used in other software. CVE-2021-40444 received a CVSS score of 8.8 out of 10. MSHTML is the beating heart of Internet Explorer, the vulnerability also exists in that browser. Although given its limited use, there is little risk of infection by that vector. Microsoft Office applications use the MSHTML component to display web content in Office documents. The attack depends on MSHTML loading a specially crafted ActiveX control when the target opens a malicious Office document. The loaded ActiveX control can then run arbitrary code to infect the system with more malware. At the moment all supported Windows versions are vulnerable. Since there is no patch available yet, Microsoft proposes a few methods to block these attacks. \ 1. Disable the installation of all ActiveX controls in Internet Explorer via the registry. Previously-installed ActiveX controls will still run, but no new ones will be added, including malicious ones. Open documents from the Internet in Protected View or Application Guard for Office, both of which prevent the current attack. This is a default setting but it may have been changed. 
+[analytic_story://Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357] +category = Vulnerability +last_updated = 2023-09-27 +version = 1 +references = ["https://socradar.io/microsoft-sharepoint-server-elevation-of-privilege-vulnerability-exploit-cve-2023-29357/", "https://github.com/Chocapikk/CVE-2023-29357"] +maintainers = [{"company": "Gowthamaraj Rajendran, Splunk", "email": "-", "name": "Michael Haag"}] +spec_version = 3 +searches = ["ESCU - Microsoft SharePoint Server Elevation of Privilege - Rule"] +description = This analytic story focuses on the Microsoft SharePoint Server vulnerability CVE-2023-29357, which allows for an elevation of privilege due to improper handling of authentication tokens. Exploitation of this vulnerability could lead to a serious security breach where an attacker might gain privileged access to the SharePoint environment, potentially leading to data theft or other malicious activities. This story is associated with the detection `Microsoft SharePoint Server Elevation of Privilege` which identifies attempts to exploit this vulnerability. +narrative = Microsoft SharePoint Server is a widely used web-based collaborative platform. The vulnerability CVE-2023-29357 exposes a flaw in the handling of authentication tokens, allowing an attacker to escalate privileges and gain unauthorized access to the SharePoint environment. This could potentially lead to data theft, unauthorized system modifications, or other malicious activities. Organizations are urged to apply immediate patches and conduct regular system assessments to ensure security. + [analytic_story://Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190] category = Adversary Tactics last_updated = 2022-05-31 
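Review bot: `category = Vulnerability` here is inconsistent with the other CVE-specific stories added in this same change (Cisco IOS XE, Citrix CVE-2023-4966, Confluence CVE-2023-22515, F5 TMUI), all of which use `category = Adversary Tactics`; pick one category for single-CVE stories so anything that groups on this field does not split them. The maintainers entry `{"company": "Gowthamaraj Rajendran, Splunk", "email": "-", "name": "Michael Haag"}` puts a second author's name in the company field; the same shape appears in the existing Data Exfiltration and AD Persistence stanzas, so it may be how the generator renders multiple authors, but if so that deserves a note in the source schema rather than a person's name under company.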
@@ -15749,6 +15932,17 @@ searches = ["ESCU - PetitPotam Network Share Access Request - Rule", "ESCU - Pet description = PetitPotam (CVE-2021-36942,) is a vulnerablity identified in Microsofts EFSRPC Protocol that can allow an unauthenticated account to escalate privileges to domain administrator given the right circumstances. narrative = In June 2021, security researchers at SpecterOps released a blog post and white paper detailing several potential attack vectors against Active Directory Certificated Services (ADCS). ADCS is a Microsoft product that implements Public Key Infrastrucutre (PKI) functionality and can be used by organizations to provide and manage digital certiticates within Active Directory.\ In July 2021, a security researcher released PetitPotam, a tool that allows attackers to coerce Windows systems into authenticating to arbitrary endpoints.\ Combining PetitPotam with the identified ADCS attack vectors allows attackers to escalate privileges from an unauthenticated anonymous user to full domain admin privileges. 
+[analytic_story://PlugX] +category = Malware +last_updated = 2023-10-12 +version = 2 +references = ["https://malpedia.caad.fkie.fraunhofer.de/details/win.plugx", "https://blog.sekoia.io/my-teas-not-cold-an-overview-of-china-cyber-threat/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/carderbee-software-supply-chain-certificate-abuse", "https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf", "https://www.mandiant.com/resources/blog/infected-usb-steal-secrets", "https://attack.mitre.org/software/S0013/"] +maintainers = [{"company": "Splunk", "email": "-", "name": "Teoderick Contreras"}] +spec_version = 3 +searches = ["ESCU - Allow Inbound Traffic By Firewall Rule Registry - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Firewall Allowed Program Enable - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Office Application Drop Executable - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Document Spawned Child Process To Download - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious writes to windows Recycle Bin - Rule", "ESCU - Windows Access Token Manipulation SeDebugPrivilege - Rule", "ESCU - Windows Replication Through Removable Media - Rule", "ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule", "ESCU - Windows Service Deletion In Registry - Rule"] +description = PlugX, also referred to as "PlugX RAT" or "Kaba," is a highly sophisticated remote access Trojan (RAT) discovered in 2012. This malware is notorious for its involvement in targeted cyberattacks, primarily driven by cyber espionage objectives. 
PlugX provides attackers with comprehensive remote control capabilities over compromised systems, granting them the ability to execute commands, collect sensitive data, and manipulate the infected host. +narrative = PlugX, known as the "silent infiltrator of the digital realm, is a shadowy figure in the world of cyber threats. This remote access Trojan (RAT), first unveiled in 2012, is not your run-of-the-mill malware. It's the go-to tool for sophisticated hackers with one goal in mind, espionage. PlugX's repertoire of capabilities reads like a spy thriller. It doesn't just breach your defenses; it goes a step further, slipping quietly into your systems, much like a ghost. Once inside, it opens the door to a world of possibilities for cybercriminals. With a few keystrokes, they can access your data, capture your screen, and silently watch your every move. In the hands of skilled hackers, it's a versatile instrument for cyber espionage. This malware thrives on persistence. It's not a one-time hit; it's in it for the long haul. Even if you reboot your system, PlugX remains, ensuring that its grip on your infrastructure doesn't waver. + [analytic_story://Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns] category = Adversary Tactics last_updated = 2020-01-22 
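Review bot: `version = 2` on a stanza that is entirely new in this file looks wrong — every other story added by this change starts at `version = 1`; if the PlugX story was renamed or moved, the removal of the old stanza should appear in the diff, otherwise reset it to 1. The narrative has an unbalanced quotation mark in `known as the "silent infiltrator of the digital realm, is a shadowy figure`. More importantly, the narrative is marketing prose ("reads like a spy thriller", "much like a ghost") that tells an analyst nothing about what the sixteen listed searches look for; replace it with the behaviours they actually cover — service creation via registry, firewall rule changes, Office-spawned downloads, replication through removable media, SeDebugPrivilege token manipulation — so a reader can judge coverage. If this file is generated from the story YAML, make the change there.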
@@ -16092,7 +16286,7 @@ version = 1 references = ["https://adsecurity.org/?p=1929", "https://www.youtube.com/watch?v=Lz6haohGAMc\u0026feature=youtu.be", "https://adsecurity.org/wp-content/uploads/2015/09/DEFCON23-2015-Metcalf-RedvsBlue-ADAttackAndDefense-Final.pdf", "https://attack.mitre.org/tactics/TA0003/", "https://www.dcshadow.com", "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2", "https://www.linkedin.com/pulse/mimikatz-dcsync-event-log-detections-john-dwyer"] maintainers = [{"company": "Mauricio Velazco, Splunk", "email": "-", "name": "Dean Luxton"}] spec_version = 3 -searches = ["ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Windows AD AdminSDHolder ACL Modified - Rule", "ESCU - Windows AD Cross Domain SID History Addition - Rule", "ESCU - Windows AD Domain Controller Audit Policy Disabled - Rule", "ESCU - Windows AD Domain Controller Promotion - Rule", "ESCU - Windows AD Domain Replication ACL Addition - Rule", "ESCU - Windows AD DSRM Account Changes - Rule", "ESCU - Windows AD DSRM Password Reset - Rule", "ESCU - Windows AD Privileged Account SID History Addition - Rule", "ESCU - Windows AD Replication Request Initiated by User Account - Rule", "ESCU - Windows AD Replication Request Initiated from Unsanctioned Location - Rule", "ESCU - Windows AD Same Domain SID History Addition - Rule", "ESCU - Windows AD Short Lived Domain Account ServicePrincipalName - Rule", "ESCU - Windows AD Short Lived Domain Controller SPN Attribute - Rule", "ESCU - Windows AD Short Lived Server Object - Rule", "ESCU - Windows AD SID History Attribute Modified - Rule", "ESCU - Windows Admon Default Group Policy Object Modified - Rule", "ESCU - Windows Admon Group Policy Object Created - Rule", "ESCU - Windows Default Group Policy Object Modified - Rule", "ESCU - Windows Default Group Policy Object Modified with GPME - Rule", "ESCU - Windows Group Policy Object Created - Rule", "ESCU - Windows Security Support Provider Reg Query - Rule", "ESCU - 
Windows AD Replication Service Traffic - Rule", "ESCU - Windows AD Rogue Domain Controller Network Activity - Rule"] +searches = ["ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Windows AD AdminSDHolder ACL Modified - Rule", "ESCU - Windows AD Cross Domain SID History Addition - Rule", "ESCU - Windows AD Domain Controller Audit Policy Disabled - Rule", "ESCU - Windows AD Domain Controller Promotion - Rule", "ESCU - Windows AD Domain Replication ACL Addition - Rule", "ESCU - Windows AD DSRM Account Changes - Rule", "ESCU - Windows AD DSRM Password Reset - Rule", "ESCU - Windows AD Privileged Account SID History Addition - Rule", "ESCU - Windows AD Replication Request Initiated by User Account - Rule", "ESCU - Windows AD Replication Request Initiated from Unsanctioned Location - Rule", "ESCU - Windows AD Same Domain SID History Addition - Rule", "ESCU - Windows AD ServicePrincipalName Added To Domain Account - Rule", "ESCU - Windows AD Short Lived Domain Account ServicePrincipalName - Rule", "ESCU - Windows AD Short Lived Domain Controller SPN Attribute - Rule", "ESCU - Windows AD Short Lived Server Object - Rule", "ESCU - Windows AD SID History Attribute Modified - Rule", "ESCU - Windows Admon Default Group Policy Object Modified - Rule", "ESCU - Windows Admon Group Policy Object Created - Rule", "ESCU - Windows Default Group Policy Object Modified - Rule", "ESCU - Windows Default Group Policy Object Modified with GPME - Rule", "ESCU - Windows Group Policy Object Created - Rule", "ESCU - Windows Security Support Provider Reg Query - Rule", "ESCU - Windows AD Replication Service Traffic - Rule", "ESCU - Windows AD Rogue Domain Controller Network Activity - Rule"] description = Monitor for activities and techniques associated with Windows Active Directory persistence techniques. 
narrative = Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Active Directory is a centralized and hierarchical database that stores information about users, computers, and other resources on a network. It provides secure and efficient management of these resources and enables administrators to enforce security policies and delegate administrative tasks.\ In 2015 Active Directory security researcher Sean Metcalf published a blog post titled `Sneaky Active Directory Persistence Tricks`. In this blog post, Sean described several methods through which an attacker could persist administrative access on an Active Directory network after having Domain Admin level rights for a short period of time. At the time of writing, 8 years after the initial blog post, most of these techniques are still possible since they abuse legitimate administrative functionality and not software vulnerabilities. Security engineers defending Active Directory networks should be aware of these technique available to adversaries post exploitation and deploy both preventive and detective security controls for them.\ 
@@ -16156,6 +16350,17 @@ description = Use the searches in this Analytic Story to help you detect structu narrative = It is very common for attackers to inject SQL parameters into vulnerable web applications, which then interpret the malicious SQL statements.\ This Analytic Story contains a search designed to identify attempts by attackers to leverage this technique to compromise a host and gain a foothold in the target environment. +[analytic_story://Subvert Trust Controls SIP and Trust Provider Hijacking] +category = Adversary Tactics +last_updated = 2023-10-10 +version = 1 +references = ["https://attack.mitre.org/techniques/T1553/003/", "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_sip_persistence.yml", "https://specterops.io/wp-content/uploads/sites/3/2022/06/SpecterOps_Subverting_Trust_in_Windows.pdf", "https://github.com/gtworek/PSBits/tree/master/SIP", "https://github.com/mattifestation/PoCSubjectInterfacePackage", "https://pentestlab.blog/2017/11/06/hijacking-digital-signatures/"] +maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] +spec_version = 3 +searches = ["ESCU - Windows Registry SIP Provider Modification - Rule", "ESCU - Windows SIP Provider Inventory - Rule", "ESCU - Windows SIP WinVerifyTrust Failed Trust Validation - Rule"] +description = Adversaries may tamper with SIP and trust provider components to mislead the operating system and application control tools when conducting signature validation checks. This technique involves modifying the Dll and FuncName Registry values that point to the dynamic link library (DLL) providing a SIP's function, which retrieves an encoded digital certificate from a signed file. By pointing to a maliciously-crafted DLL with an exported function that always returns a known good signature value, an adversary can apply an acceptable signature value to all files using that SIP. 
This can also enable persistent code execution, since these malicious components may be invoked by any application that performs code signing or signature validation. +narrative = In user mode, Windows Authenticode digital signatures are used to verify a file's origin and integrity, variables that may be used to establish trust in signed code. The signature validation process is handled via the WinVerifyTrust application programming interface (API) function, which accepts an inquiry and coordinates with the appropriate trust provider, which is responsible for validating parameters of a signature. Because of the varying executable file types and corresponding signature formats, Microsoft created software components called Subject Interface Packages (SIPs) to provide a layer of abstraction between API functions and files. SIPs are responsible for enabling API functions to create, retrieve, calculate, and verify signatures. Unique SIPs exist for most file formats and are identified by globally unique identifiers (GUIDs). Adversaries may hijack SIP and trust provider components to mislead operating system and application control tools to classify malicious (or any) code as signed. + [analytic_story://Suspicious AWS Login Activities] category = Cloud Security last_updated = 2019-05-01 
@@ -16578,7 +16783,7 @@ version = 1 references = ["https://attack.mitre.org/techniques/T1649/"] maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] spec_version = 3 -searches = ["ESCU - Certutil exe certificate extraction - Rule", "ESCU - Detect Certify Command Line Arguments - Rule", "ESCU - Detect Certify With PowerShell Script Block Logging - Rule", "ESCU - Steal or Forge Authentication Certificates Behavior Identified - Rule", "ESCU - Windows Export Certificate - Rule", "ESCU - Windows Mimikatz Crypto Export File Extensions - Rule", "ESCU - Windows PowerShell Export Certificate - Rule", "ESCU - Windows PowerShell Export PfxCertificate - Rule", "ESCU - Windows Steal Authentication Certificates - ESC1 Authentication - Rule", "ESCU - Windows Steal Authentication Certificates Certificate Issued - Rule", "ESCU - Windows Steal Authentication Certificates Certificate Request - Rule", "ESCU - Windows Steal Authentication Certificates CertUtil Backup - Rule", "ESCU - Windows Steal Authentication Certificates CryptoAPI - Rule", "ESCU - Windows Steal Authentication Certificates CS Backup - Rule", "ESCU - Windows Steal Authentication Certificates Export Certificate - Rule", "ESCU - Windows Steal Authentication Certificates Export PfxCertificate - Rule"] +searches = ["ESCU - Certutil exe certificate extraction - Rule", "ESCU - Detect Certify Command Line Arguments - Rule", "ESCU - Detect Certify With PowerShell Script Block Logging - Rule", "ESCU - Detect Certipy File Modifications - Rule", "ESCU - Steal or Forge Authentication Certificates Behavior Identified - Rule", "ESCU - Windows Export Certificate - Rule", "ESCU - Windows Mimikatz Crypto Export File Extensions - Rule", "ESCU - Windows PowerShell Export Certificate - Rule", "ESCU - Windows PowerShell Export PfxCertificate - Rule", "ESCU - Windows Steal Authentication Certificates - ESC1 Authentication - Rule", "ESCU - Windows Steal Authentication Certificates Certificate Issued - Rule", "ESCU - 
Windows Steal Authentication Certificates Certificate Request - Rule", "ESCU - Windows Steal Authentication Certificates CertUtil Backup - Rule", "ESCU - Windows Steal Authentication Certificates CryptoAPI - Rule", "ESCU - Windows Steal Authentication Certificates CS Backup - Rule", "ESCU - Windows Steal Authentication Certificates - ESC1 Abuse - Rule", "ESCU - Windows Steal Authentication Certificates Export Certificate - Rule", "ESCU - Windows Steal Authentication Certificates Export PfxCertificate - Rule"] description = Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. narrative = The following analytic story focuses on remote and local endpoint certificate theft and abuse. Authentication certificates can be both stolen and forged. For example, AD CS certificates can be stolen from encrypted storage (in the Registry or files), misplaced certificate files (i.e. Unsecured Credentials), or directly from the Windows certificate store via various crypto APIs.With appropriate enrollment rights, users and/or machines within a domain can also request and/or manually renew certificates from enterprise certificate authorities (CA). This enrollment process defines various settings and permissions associated with the certificate. Abusing certificates for authentication credentials may enable other behaviors such as Lateral Movement. Certificate-related misconfigurations may also enable opportunities for Privilege Escalation, by way of allowing users to impersonate or assume privileged accounts or permissions via the identities (SANs) associated with a certificate. These abuses may also enable Persistence via stealing or forging certificates that can be used as Valid Accounts for the duration of the certificate's validity, despite user password resets. 
Authentication certificates can also be stolen and forged for machine accounts. (MITRE ATT&CK) diff --git a/dist/escu/default/app.conf b/dist/DA-ESS-ContentUpdate/default/app.conf similarity index 68% rename from dist/escu/default/app.conf rename to dist/DA-ESS-ContentUpdate/default/app.conf index 21287ea692..a435627981 100644 --- a/dist/escu/default/app.conf +++ b/dist/DA-ESS-ContentUpdate/default/app.conf @@ -1,10 +1,16 @@ +############# +# Automatically generated by generator.py in splunk/security_content +# On Date: 2023-11-01T20:44:08 UTC +# Author: Splunk Threat Research Team - Splunk +# Contact: research@splunk.com +############# ## Splunk app configuration file [install] is_configured = false state = enabled state_change_requires_restart = false -build = 17306 +build = 20231101204321 [triggers] reload.analytic_stories = simple @@ -20,12 +26,15 @@ reload.es_investigations = simple [launcher] author = Splunk -version = 4.13.0 +version = 4.15.0 description = Explore the Analytic Stories included with ES Content Updates. [ui] is_visible = true -label = ES Content Updates +label = DA-ESS-ContentUpdate [package] id = DA-ESS-ContentUpdate + + + diff --git a/dist/escu/default/collections.conf b/dist/DA-ESS-ContentUpdate/default/collections.conf similarity index 95% rename from dist/escu/default/collections.conf rename to dist/DA-ESS-ContentUpdate/default/collections.conf index a93daabb2a..f643b22523 100644 --- a/dist/escu/default/collections.conf +++ b/dist/DA-ESS-ContentUpdate/default/collections.conf @@ -1,7 +1,7 @@ ############# # Automatically generated by generator.py in splunk/security_content -# On Date: 2023-10-04T22:36:05 UTC -# Author: Splunk Security Research +# On Date: 2023-11-01T20:44:08 UTC +# Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# 
diff --git a/dist/escu/default/commands.conf b/dist/DA-ESS-ContentUpdate/default/commands.conf similarity index 100% rename from dist/escu/default/commands.conf rename to dist/DA-ESS-ContentUpdate/default/commands.conf diff --git a/dist/DA-ESS-ContentUpdate/default/content-version.conf b/dist/DA-ESS-ContentUpdate/default/content-version.conf new file mode 100644 index 0000000000..7855eac906 --- /dev/null +++ b/dist/DA-ESS-ContentUpdate/default/content-version.conf @@ -0,0 +1,8 @@ +############# +# Automatically generated by generator.py in splunk/security_content +# On Date: 2023-11-01T20:44:08 UTC +# Author: Splunk Threat Research Team - Splunk +# Contact: research@splunk.com +############# +[content-version] +version = 4.15.0 \ No newline at end of file diff --git a/dist/escu/default/data/ui/nav/default.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/nav/default.xml similarity index 100% rename from dist/escu/default/data/ui/nav/default.xml rename to dist/DA-ESS-ContentUpdate/default/data/ui/nav/default.xml diff --git a/dist/escu/default/data/ui/panels/workbench_panel_all_backup_logs_for_host___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_all_backup_logs_for_host___response_task.xml similarity index 100% rename from dist/escu/default/data/ui/panels/workbench_panel_all_backup_logs_for_host___response_task.xml rename to dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_all_backup_logs_for_host___response_task.xml 
diff --git a/dist/escu/default/data/ui/panels/workbench_panel_amazon_eks_kubernetes_activity_by_src_ip___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_amazon_eks_kubernetes_activity_by_src_ip___response_task.xml
similarity index 100%
rename from dist/escu/default/data/ui/panels/workbench_panel_amazon_eks_kubernetes_activity_by_src_ip___response_task.xml
rename to dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_amazon_eks_kubernetes_activity_by_src_ip___response_task.xml
diff --git a/dist/escu/default/data/ui/panels/workbench_panel_aws_investigate_security_hub_alerts_by_dest___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_aws_investigate_security_hub_alerts_by_dest___response_task.xml
similarity index 100%
rename from dist/escu/default/data/ui/panels/workbench_panel_aws_investigate_security_hub_alerts_by_dest___response_task.xml
rename to dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_aws_investigate_security_hub_alerts_by_dest___response_task.xml
diff --git a/dist/escu/default/data/ui/panels/workbench_panel_aws_investigate_user_activities_by_accesskeyid___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_aws_investigate_user_activities_by_accesskeyid___response_task.xml
similarity index 100%
rename from dist/escu/default/data/ui/panels/workbench_panel_aws_investigate_user_activities_by_accesskeyid___response_task.xml
rename to dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_aws_investigate_user_activities_by_accesskeyid___response_task.xml
diff --git a/dist/escu/default/data/ui/panels/workbench_panel_aws_investigate_user_activities_by_arn___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_aws_investigate_user_activities_by_arn___response_task.xml
similarity index 100%
rename from dist/escu/default/data/ui/panels/workbench_panel_aws_investigate_user_activities_by_arn___response_task.xml
rename to dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_aws_investigate_user_activities_by_arn___response_task.xml
diff --git a/dist/escu/default/data/ui/panels/workbench_panel_aws_network_acl_details_from_id___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_aws_network_acl_details_from_id___response_task.xml
similarity index 100%
rename from dist/escu/default/data/ui/panels/workbench_panel_aws_network_acl_details_from_id___response_task.xml
rename to dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_aws_network_acl_details_from_id___response_task.xml
diff --git a/dist/escu/default/data/ui/panels/workbench_panel_aws_network_interface_details_via_resourceid___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_aws_network_interface_details_via_resourceid___response_task.xml
similarity index 100%
rename from dist/escu/default/data/ui/panels/workbench_panel_aws_network_interface_details_via_resourceid___response_task.xml
rename to dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_aws_network_interface_details_via_resourceid___response_task.xml
diff --git a/dist/escu/default/data/ui/panels/workbench_panel_aws_s3_bucket_details_via_bucketname___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_aws_s3_bucket_details_via_bucketname___response_task.xml
similarity index 100%
rename from dist/escu/default/data/ui/panels/workbench_panel_aws_s3_bucket_details_via_bucketname___response_task.xml
rename to dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_aws_s3_bucket_details_via_bucketname___response_task.xml
diff --git a/dist/escu/default/data/ui/panels/workbench_panel_gcp_kubernetes_activity_by_src_ip___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_gcp_kubernetes_activity_by_src_ip___response_task.xml
similarity index 100%
rename from dist/escu/default/data/ui/panels/workbench_panel_gcp_kubernetes_activity_by_src_ip___response_task.xml
rename to dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_gcp_kubernetes_activity_by_src_ip___response_task.xml
diff --git a/dist/escu/default/data/ui/panels/workbench_panel_get_all_aws_activity_from_city___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_all_aws_activity_from_city___response_task.xml
similarity index 100%
rename from dist/escu/default/data/ui/panels/workbench_panel_get_all_aws_activity_from_city___response_task.xml
rename to dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_all_aws_activity_from_city___response_task.xml
diff --git a/dist/escu/default/data/ui/panels/workbench_panel_get_all_aws_activity_from_country___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_all_aws_activity_from_country___response_task.xml
similarity index 100%
rename from dist/escu/default/data/ui/panels/workbench_panel_get_all_aws_activity_from_country___response_task.xml
rename to dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_all_aws_activity_from_country___response_task.xml
diff --git a/dist/escu/default/data/ui/panels/workbench_panel_get_all_aws_activity_from_ip_address___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_all_aws_activity_from_ip_address___response_task.xml
similarity index 100%
rename from dist/escu/default/data/ui/panels/workbench_panel_get_all_aws_activity_from_ip_address___response_task.xml
rename to dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_all_aws_activity_from_ip_address___response_task.xml
diff --git a/dist/escu/default/data/ui/panels/workbench_panel_get_all_aws_activity_from_region___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_all_aws_activity_from_region___response_task.xml
similarity index 100%
rename from dist/escu/default/data/ui/panels/workbench_panel_get_all_aws_activity_from_region___response_task.xml
rename to dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_all_aws_activity_from_region___response_task.xml
diff --git a/dist/escu/default/data/ui/panels/workbench_panel_get_backup_logs_for_endpoint___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_backup_logs_for_endpoint___response_task.xml
similarity index 100%
rename from dist/escu/default/data/ui/panels/workbench_panel_get_backup_logs_for_endpoint___response_task.xml
rename to dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_backup_logs_for_endpoint___response_task.xml
diff --git a/dist/escu/default/data/ui/panels/workbench_panel_get_certificate_logs_for_a_domain___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_certificate_logs_for_a_domain___response_task.xml
similarity index 100%
rename from dist/escu/default/data/ui/panels/workbench_panel_get_certificate_logs_for_a_domain___response_task.xml
rename to dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_certificate_logs_for_a_domain___response_task.xml
diff --git a/dist/escu/default/data/ui/panels/workbench_panel_get_dns_server_history_for_a_host___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_dns_server_history_for_a_host___response_task.xml
similarity index 100%
rename from dist/escu/default/data/ui/panels/workbench_panel_get_dns_server_history_for_a_host___response_task.xml
rename to dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_dns_server_history_for_a_host___response_task.xml
diff --git a/dist/escu/default/data/ui/panels/workbench_panel_get_dns_traffic_ratio___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_dns_traffic_ratio___response_task.xml
similarity index 100%
rename from dist/escu/default/data/ui/panels/workbench_panel_get_dns_traffic_ratio___response_task.xml
rename to dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_dns_traffic_ratio___response_task.xml
diff --git a/dist/escu/default/data/ui/panels/workbench_panel_get_ec2_instance_details_by_instanceid___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_ec2_instance_details_by_instanceid___response_task.xml
similarity index 100%
rename from dist/escu/default/data/ui/panels/workbench_panel_get_ec2_instance_details_by_instanceid___response_task.xml
rename to dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_ec2_instance_details_by_instanceid___response_task.xml
diff --git a/dist/escu/default/data/ui/panels/workbench_panel_get_ec2_launch_details___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_ec2_launch_details___response_task.xml
similarity index 100%
rename from dist/escu/default/data/ui/panels/workbench_panel_get_ec2_launch_details___response_task.xml
rename to dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_ec2_launch_details___response_task.xml
diff --git a/dist/escu/default/data/ui/panels/workbench_panel_get_email_info___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_email_info___response_task.xml
similarity index 100%
rename from dist/escu/default/data/ui/panels/workbench_panel_get_email_info___response_task.xml
rename to dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_email_info___response_task.xml
diff --git a/dist/escu/default/data/ui/panels/workbench_panel_get_emails_from_specific_sender___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_emails_from_specific_sender___response_task.xml
similarity index 100%
rename from dist/escu/default/data/ui/panels/workbench_panel_get_emails_from_specific_sender___response_task.xml
rename to dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_emails_from_specific_sender___response_task.xml
diff --git a/dist/escu/default/data/ui/panels/workbench_panel_get_first_occurrence_and_last_occurrence_of_a_mac_address___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_first_occurrence_and_last_occurrence_of_a_mac_address___response_task.xml
similarity index 100%
rename from dist/escu/default/data/ui/panels/workbench_panel_get_first_occurrence_and_last_occurrence_of_a_mac_address___response_task.xml
rename to dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_first_occurrence_and_last_occurrence_of_a_mac_address___response_task.xml
diff --git a/dist/escu/default/data/ui/panels/workbench_panel_get_history_of_email_sources___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_history_of_email_sources___response_task.xml
similarity index 100%
rename from dist/escu/default/data/ui/panels/workbench_panel_get_history_of_email_sources___response_task.xml
rename to dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_history_of_email_sources___response_task.xml
diff --git a/dist/escu/default/data/ui/panels/workbench_panel_get_logon_rights_modifications_for_endpoint___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_logon_rights_modifications_for_endpoint___response_task.xml
similarity index 100%
rename from dist/escu/default/data/ui/panels/workbench_panel_get_logon_rights_modifications_for_endpoint___response_task.xml
rename to dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_logon_rights_modifications_for_endpoint___response_task.xml
diff --git a/dist/escu/default/data/ui/panels/workbench_panel_get_logon_rights_modifications_for_user___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_logon_rights_modifications_for_user___response_task.xml
similarity index 100%
rename from dist/escu/default/data/ui/panels/workbench_panel_get_logon_rights_modifications_for_user___response_task.xml
rename to dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_logon_rights_modifications_for_user___response_task.xml
diff --git a/dist/escu/default/data/ui/panels/workbench_panel_get_notable_history___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_notable_history___response_task.xml
similarity index 100%
rename from dist/escu/default/data/ui/panels/workbench_panel_get_notable_history___response_task.xml
rename to dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_notable_history___response_task.xml
diff --git a/dist/escu/default/data/ui/panels/workbench_panel_get_parent_process_info___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_parent_process_info___response_task.xml
similarity index 100%
rename from dist/escu/default/data/ui/panels/workbench_panel_get_parent_process_info___response_task.xml
rename to dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_parent_process_info___response_task.xml
diff --git a/dist/escu/default/data/ui/panels/workbench_panel_get_process_file_activity___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_process_file_activity___response_task.xml
similarity index 100%
rename from dist/escu/default/data/ui/panels/workbench_panel_get_process_file_activity___response_task.xml
rename to dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_process_file_activity___response_task.xml
diff --git a/dist/escu/default/data/ui/panels/workbench_panel_get_process_info___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_process_info___response_task.xml
similarity index 100%
rename from dist/escu/default/data/ui/panels/workbench_panel_get_process_info___response_task.xml
rename to dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_process_info___response_task.xml
diff --git a/dist/escu/default/data/ui/panels/workbench_panel_get_process_information_for_port_activity___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_process_information_for_port_activity___response_task.xml
similarity index 100%
rename from dist/escu/default/data/ui/panels/workbench_panel_get_process_information_for_port_activity___response_task.xml
rename to dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_process_information_for_port_activity___response_task.xml
diff --git a/dist/escu/default/data/ui/panels/workbench_panel_get_process_responsible_for_the_dns_traffic___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_process_responsible_for_the_dns_traffic___response_task.xml
similarity index 100%
rename from dist/escu/default/data/ui/panels/workbench_panel_get_process_responsible_for_the_dns_traffic___response_task.xml
rename to dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_process_responsible_for_the_dns_traffic___response_task.xml
diff --git a/dist/escu/default/data/ui/panels/workbench_panel_get_sysmon_wmi_activity_for_host___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_sysmon_wmi_activity_for_host___response_task.xml
similarity index 100%
rename from dist/escu/default/data/ui/panels/workbench_panel_get_sysmon_wmi_activity_for_host___response_task.xml
rename to dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_sysmon_wmi_activity_for_host___response_task.xml
diff --git a/dist/escu/default/data/ui/panels/workbench_panel_get_web_session_information_via_session_id___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_web_session_information_via_session_id___response_task.xml
similarity index 100%
rename from dist/escu/default/data/ui/panels/workbench_panel_get_web_session_information_via_session_id___response_task.xml
rename to dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_web_session_information_via_session_id___response_task.xml
diff --git a/dist/escu/default/data/ui/panels/workbench_panel_investigate_aws_activities_via_region_name___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_aws_activities_via_region_name___response_task.xml
similarity index 100%
rename from dist/escu/default/data/ui/panels/workbench_panel_investigate_aws_activities_via_region_name___response_task.xml
rename to dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_aws_activities_via_region_name___response_task.xml
diff --git a/dist/escu/default/data/ui/panels/workbench_panel_investigate_aws_user_activities_by_user_field___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_aws_user_activities_by_user_field___response_task.xml
similarity index 100%
rename from dist/escu/default/data/ui/panels/workbench_panel_investigate_aws_user_activities_by_user_field___response_task.xml
rename to dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_aws_user_activities_by_user_field___response_task.xml
diff --git a/dist/escu/default/data/ui/panels/workbench_panel_investigate_failed_logins_for_multiple_destinations___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_failed_logins_for_multiple_destinations___response_task.xml
similarity index 100%
rename from dist/escu/default/data/ui/panels/workbench_panel_investigate_failed_logins_for_multiple_destinations___response_task.xml
rename to dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_failed_logins_for_multiple_destinations___response_task.xml
diff --git a/dist/escu/default/data/ui/panels/workbench_panel_investigate_network_traffic_from_src_ip___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_network_traffic_from_src_ip___response_task.xml
similarity index 100%
rename from dist/escu/default/data/ui/panels/workbench_panel_investigate_network_traffic_from_src_ip___response_task.xml
rename to dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_network_traffic_from_src_ip___response_task.xml
diff --git a/dist/escu/default/data/ui/panels/workbench_panel_investigate_okta_activity_by_app___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_okta_activity_by_app___response_task.xml
similarity index 100%
rename from dist/escu/default/data/ui/panels/workbench_panel_investigate_okta_activity_by_app___response_task.xml
rename to dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_okta_activity_by_app___response_task.xml
diff --git a/dist/escu/default/data/ui/panels/workbench_panel_investigate_pass_the_hash_attempts___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_pass_the_hash_attempts___response_task.xml
similarity index 100%
rename from dist/escu/default/data/ui/panels/workbench_panel_investigate_pass_the_hash_attempts___response_task.xml
rename to dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_pass_the_hash_attempts___response_task.xml
diff --git a/dist/escu/default/data/ui/panels/workbench_panel_investigate_pass_the_ticket_attempts___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_pass_the_ticket_attempts___response_task.xml
similarity index 100%
rename from dist/escu/default/data/ui/panels/workbench_panel_investigate_pass_the_ticket_attempts___response_task.xml
rename to dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_pass_the_ticket_attempts___response_task.xml
diff --git a/dist/escu/default/data/ui/panels/workbench_panel_investigate_previous_unseen_user___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_previous_unseen_user___response_task.xml
similarity index 100%
rename from dist/escu/default/data/ui/panels/workbench_panel_investigate_previous_unseen_user___response_task.xml
rename to dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_previous_unseen_user___response_task.xml
diff --git a/dist/escu/default/data/ui/panels/workbench_panel_investigate_successful_remote_desktop_authentications___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_successful_remote_desktop_authentications___response_task.xml
similarity index 100%
rename from dist/escu/default/data/ui/panels/workbench_panel_investigate_successful_remote_desktop_authentications___response_task.xml
rename to dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_successful_remote_desktop_authentications___response_task.xml
diff --git a/dist/escu/default/data/ui/panels/workbench_panel_investigate_suspicious_strings_in_http_header___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_suspicious_strings_in_http_header___response_task.xml
similarity index 100%
rename from dist/escu/default/data/ui/panels/workbench_panel_investigate_suspicious_strings_in_http_header___response_task.xml
rename to dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_suspicious_strings_in_http_header___response_task.xml
diff --git a/dist/escu/default/data/ui/panels/workbench_panel_investigate_user_activities_in_okta___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_user_activities_in_okta___response_task.xml
similarity index 100%
rename from dist/escu/default/data/ui/panels/workbench_panel_investigate_user_activities_in_okta___response_task.xml
rename to dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_user_activities_in_okta___response_task.xml
diff --git a/dist/escu/default/data/ui/panels/workbench_panel_investigate_web_posts_from_src___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_web_posts_from_src___response_task.xml
similarity index 100%
rename from dist/escu/default/data/ui/panels/workbench_panel_investigate_web_posts_from_src___response_task.xml
rename to dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_web_posts_from_src___response_task.xml
diff --git a/dist/escu/default/data/ui/views/escu_summary.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/views/escu_summary.xml
similarity index 100%
rename from dist/escu/default/data/ui/views/escu_summary.xml
rename to dist/DA-ESS-ContentUpdate/default/data/ui/views/escu_summary.xml
diff --git a/dist/escu/default/data/ui/views/feedback.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/views/feedback.xml similarity index 100% rename from dist/escu/default/data/ui/views/feedback.xml rename to dist/DA-ESS-ContentUpdate/default/data/ui/views/feedback.xml diff --git a/dist/escu/default/distsearch.conf b/dist/DA-ESS-ContentUpdate/default/distsearch.conf similarity index 100% rename from dist/escu/default/distsearch.conf rename to dist/DA-ESS-ContentUpdate/default/distsearch.conf diff --git a/dist/escu/default/es_investigations.conf b/dist/DA-ESS-ContentUpdate/default/es_investigations.conf similarity index 99% rename from dist/escu/default/es_investigations.conf rename to dist/DA-ESS-ContentUpdate/default/es_investigations.conf index 6683819331..2476520d12 100644 --- a/dist/escu/default/es_investigations.conf +++ b/dist/DA-ESS-ContentUpdate/default/es_investigations.conf @@ -1,7 +1,7 @@ ############# # Automatically generated by generator.py in splunk/security_content -# On Date: 2023-10-04T22:36:05 UTC -# Author: Splunk Security Research +# On Date: 2023-11-01T20:44:08 UTC +# Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# diff --git a/dist/escu/default/macros.conf b/dist/DA-ESS-ContentUpdate/default/macros.conf similarity index 99% rename from dist/escu/default/macros.conf rename to dist/DA-ESS-ContentUpdate/default/macros.conf index 4bd8b84b7d..16bf1bc767 100644 --- a/dist/escu/default/macros.conf +++ b/dist/DA-ESS-ContentUpdate/default/macros.conf @@ -1,7 +1,7 @@ ############# # Automatically generated by generator.py in splunk/security_content -# On Date: 2023-10-04T22:36:05 UTC -# Author: Splunk Security Research +# On Date: 2023-11-01T20:44:08 UTC +# Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# 
@@ -1573,6 +1573,10 @@ description = Update this macro to limit the output results to filter out false definition = search * description = Update this macro to limit the output results to filter out false positives. +[detect_certipy_file_modifications_filter] +definition = search * +description = Update this macro to limit the output results to filter out false positives. + [detect_computer_changed_with_anonymous_account_filter] definition = search * description = Update this macro to limit the output results to filter out false positives. @@ -4105,6 +4109,10 @@ description = Update this macro to limit the output results to filter out false definition = search * description = Update this macro to limit the output results to filter out false positives. +[windows_domain_admin_impersonation_indicator_filter] +definition = search * +description = Update this macro to limit the output results to filter out false positives. + [windows_dotnet_binary_in_non_standard_path_filter] definition = search * description = Update this macro to limit the output results to filter out false positives. @@ -4793,6 +4801,10 @@ description = Update this macro to limit the output results to filter out false definition = search * description = Update this macro to limit the output results to filter out false positives. +[windows_registry_sip_provider_modification_filter] +definition = search * +description = Update this macro to limit the output results to filter out false positives. + [windows_regsvr32_renamed_binary_filter] definition = search * description = Update this macro to limit the output results to filter out false positives. 
@@ -4933,6 +4945,14 @@ description = Update this macro to limit the output results to filter out false definition = search * description = Update this macro to limit the output results to filter out false positives. +[windows_sip_provider_inventory_filter] +definition = search * +description = Update this macro to limit the output results to filter out false positives. + +[windows_sip_winverifytrust_failed_trust_validation_filter] +definition = search * +description = Update this macro to limit the output results to filter out false positives. + [windows_snake_malware_file_modification_crmlog_filter] definition = search * description = Update this macro to limit the output results to filter out false positives. @@ -4989,6 +5009,10 @@ description = Update this macro to limit the output results to filter out false definition = search * description = Update this macro to limit the output results to filter out false positives. +[windows_steal_authentication_certificates___esc1_abuse_filter] +definition = search * +description = Update this macro to limit the output results to filter out false positives. + [windows_steal_authentication_certificates_export_certificate_filter] definition = search * description = Update this macro to limit the output results to filter out false positives. 
@@ -5389,6 +5413,14 @@ description = Update this macro to limit the output results to filter out false definition = search * description = Update this macro to limit the output results to filter out false positives. +[cisco_ios_xe_implant_access_filter] +definition = search * +description = Update this macro to limit the output results to filter out false positives. + +[citrix_adc_and_gateway_unauthorized_data_disclosure_filter] +definition = search * +description = Update this macro to limit the output results to filter out false positives. + [citrix_adc_exploitation_cve_2023_3519_filter] definition = search * description = Update this macro to limit the output results to filter out false positives. @@ -5397,6 +5429,14 @@ description = Update this macro to limit the output results to filter out false definition = search * description = Update this macro to limit the output results to filter out false positives. +[confluence_cve_2023_22515_trigger_vulnerability_filter] +definition = search * +description = Update this macro to limit the output results to filter out false positives. + +[confluence_data_center_and_server_privilege_escalation_filter] +definition = search * +description = Update this macro to limit the output results to filter out false positives. + [confluence_unauthenticated_remote_code_execution_cve_2022_26134_filter] definition = search * description = Update this macro to limit the output results to filter out false positives. @@ -5421,6 +5461,10 @@ description = Update this macro to limit the output results to filter out false definition = search * description = Update this macro to limit the output results to filter out false positives. +[f5_tmui_authentication_bypass_filter] +definition = search * +description = Update this macro to limit the output results to filter out false positives. + [fortinet_appliance_auth_bypass_filter] definition = search * description = Update this macro to limit the output results to filter out false positives. 
@@ -5457,6 +5501,10 @@ description = Update this macro to limit the output results to filter out false definition = search * description = Update this macro to limit the output results to filter out false positives. +[microsoft_sharepoint_server_elevation_of_privilege_filter] +definition = search * +description = Update this macro to limit the output results to filter out false positives. + [monitor_web_traffic_for_brand_abuse_filter] definition = search * description = Update this macro to limit the output results to filter out false positives. @@ -6131,6 +6179,10 @@ description = customer specific splunk configurations(eg- index, source, sourcet definition = sourcetype=stream:tcp description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. +[subjectinterfacepackage] +definition = sourcetype="PwSh:SubjectInterfacePackage" +description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. + [suspicious_email_attachments] definition = lookup update=true is_suspicious_file_extension_lookup file_name OUTPUT suspicious | search suspicious=true description = This macro limits the output to email attachments that have suspicious extensions diff --git a/dist/escu/default/savedsearches.conf b/dist/DA-ESS-ContentUpdate/default/savedsearches.conf similarity index 95% rename from dist/escu/default/savedsearches.conf rename to dist/DA-ESS-ContentUpdate/default/savedsearches.conf index 4df80c626f..c38f49a257 100644 --- a/dist/escu/default/savedsearches.conf +++ b/dist/DA-ESS-ContentUpdate/default/savedsearches.conf 
@@ -1,7 +1,7 @@ ############# # Automatically generated by generator.py in splunk/security_content -# On Date: 2023-10-04T22:36:05 UTC -# Author: Splunk Security Research +# On Date: 2023-11-01T20:44:08 UTC +# Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# ### ESCU DETECTIONS ### @@ -1166,7 +1166,6 @@ realtime_schedule = 0 is_visible = false search = `splunk_python` *runshellscript* | eval log_split=split(_raw, "runshellscript: ") | eval array_raw = mvindex(log_split,1) | eval data_cleaned=replace(replace(replace(array_raw,"\[",""),"\]",""),"'","") | eval array_indices=split(data_cleaned,",") | eval runshellscript_args_count=mvcount(array_indices) | where runshellscript_args_count = 10 | eval interpreter=mvindex(array_indices,0) | eval targetScript=mvindex(array_indices,1) | eval targetScript != "*C:*" | stats count min(_time) as firstTime max(_time) as lastTime by splunk_server interpreter targetScript | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `splunk_absolute_path_traversal_using_runshellscript_filter` - [ESCU - Splunk Account Discovery Drilldown Dashboard Disclosure - Rule] action.escu = 0 action.escu.enabled = 1 
@@ -2649,10 +2648,10 @@ search = index = _internal sourcetype IN ("splunk_web_service", "splunk_python") [ESCU - Suspicious Email Attachment Extensions - Rule] action.escu = 0 action.escu.enabled = 1 -description = This search looks for emails that have attachments with suspicious file extensions. +description = The following analytic detects emails that contain attachments with suspicious file extensions. Detecting and responding to emails with suspicious attachments can mitigate the risks associated with phishing and malware attacks, thereby protecting the organization's data and systems from potential harm. The detection is made by using a Splunk query that searches for emails in the datamodel=Email where the filename of the attachment is not empty. The analytic uses the tstats command to summarize the count, first time, and last time of the emails that meet the criteria. It groups the results by the source user, file name, and message ID of the email. The detection is important because it indicates potential phishing or malware delivery attempts in which an attacker attempts to deliver malicious content through email attachments, which can lead to data breaches, malware infections, or unauthorized access to sensitive information. Next steps include reviewing the identified emails and attachments and analyzing the source user, file name, and message ID to determine if they are legitimate or malicious. Additionally, you must inspect any relevant on-disk artifacts associated with the attachments and investigate any concurrent processes to identify the source of the attack. action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.AE"]} action.escu.data_models = ["Email"] -action.escu.eli5 = This search looks for emails that have attachments with suspicious file extensions. +action.escu.eli5 = The following analytic detects emails that contain attachments with suspicious file extensions. 
Detecting and responding to emails with suspicious attachments can mitigate the risks associated with phishing and malware attacks, thereby protecting the organization's data and systems from potential harm. The detection is made by using a Splunk query that searches for emails in the datamodel=Email where the filename of the attachment is not empty. The analytic uses the tstats command to summarize the count, first time, and last time of the emails that meet the criteria. It groups the results by the source user, file name, and message ID of the email. The detection is important because it indicates potential phishing or malware delivery attempts in which an attacker attempts to deliver malicious content through email attachments, which can lead to data breaches, malware infections, or unauthorized access to sensitive information. Next steps include reviewing the identified emails and attachments and analyzing the source user, file name, and message ID to determine if they are legitimate or malicious. Additionally, you must inspect any relevant on-disk artifacts associated with the attachments and investigate any concurrent processes to identify the source of the attack. action.escu.how_to_implement = You need to ingest data from emails. Specifically, the sender's address and the file names of any attachments must be mapped to the Email data model. \ **Splunk Phantom Playbook Integration**\ If Splunk Phantom is also configured in your environment, a Playbook called "Suspicious Email Attachment Investigate and Delete" can be configured to run when any results are found by this detection search. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/`, and add the correct hostname to the "Phantom Instance" field in the Adaptive Response Actions when configuring this detection search. 
The notable event will be sent to Phantom and the playbook will gather further information about the file attachment and its network behaviors. If Phantom finds malicious behavior and an analyst approves of the results, the email will be deleted from the user's inbox. 
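Review bot: The new description states the detection fires "where the filename of the attachment is not empty", which contradicts both the analytic's title and the `suspicious_email_attachments` macro added to macros.conf earlier in this diff (`lookup update=true is_suspicious_file_extension_lookup file_name OUTPUT suspicious | search suspicious=true`), which is presumably what this search invokes (the search line is outside this hunk — confirm). An analyst reading the notable would never learn that matching is driven by the `is_suspicious_file_extension_lookup` table, which is the only tuning point for this rule. Since savedsearches.conf is generator output, the wording should be fixed in the detection's source YAML and regenerated, replacing that sentence with something like `The search pulls attachments from the Email data model and flags those whose extension is marked suspicious in the is_suspicious_file_extension_lookup lookup; maintain that lookup to tune coverage.` The same text is copied into action.escu.eli5 here (and likely rule_description in a later hunk), so regenerating fixes all copies at once.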
@@ -2731,10 +2730,10 @@ search = `stream_http` http_method=POST http_content_length>1 | regex form_data= [ESCU - Web Servers Executing Suspicious Processes - Rule] action.escu = 0 action.escu.enabled = 1 -description = This search looks for suspicious processes on all systems labeled as web servers. +description = The following analytic detects suspicious processes on systems labeled as web servers. This detection is made by a Splunk query that searches for specific process names that might indicate malicious activity. These suspicious processes include "whoami", "ping", "iptables", "wget", "service", and "curl". Uses the Splunk data model "Endpoint.Processes" and filters the results to only include systems categorized as web servers. This detection is important because it indicates unauthorized or malicious activity on web servers since these processes are commonly used by attackers to perform reconnaissance, establish persistence, or exfiltrate data from compromised systems. The impact of such an attack can be significant, ranging from data theft to the deployment of additional malicious payloads, potentially leading to ransomware or other damaging outcomes. False positives might occur since the legitimate use of these processes on web servers can trigger the analytic. Next steps include triaging and investigating to determine the legitimacy of the activity. Also, review the source and command of the suspicious process. You must also examine any relevant on-disk artifacts and look for concurrent processes to identify the source of the attack. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1082"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This search looks for suspicious processes on all systems labeled as web servers. +action.escu.eli5 = The following analytic detects suspicious processes on systems labeled as web servers. 
This detection is made by a Splunk query that searches for specific process names that might indicate malicious activity. These suspicious processes include "whoami", "ping", "iptables", "wget", "service", and "curl". Uses the Splunk data model "Endpoint.Processes" and filters the results to only include systems categorized as web servers. This detection is important because it indicates unauthorized or malicious activity on web servers since these processes are commonly used by attackers to perform reconnaissance, establish persistence, or exfiltrate data from compromised systems. The impact of such an attack can be significant, ranging from data theft to the deployment of additional malicious payloads, potentially leading to ransomware or other damaging outcomes. False positives might occur since the legitimate use of these processes on web servers can trigger the analytic. Next steps include triaging and investigating to determine the legitimacy of the activity. Also, review the source and command of the suspicious process. You must also examine any relevant on-disk artifacts and look for concurrent processes to identify the source of the attack. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
action.escu.known_false_positives = Some of these processes may be used legitimately on web servers during maintenance or other administrative tasks. action.escu.creation_date = 2019-04-01 @@ -2759,7 +2758,7 @@ action.correlationsearch.annotations = {"analytic_story": ["Apache Struts Vulner schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search looks for suspicious processes on all systems labeled as web servers. +action.notable.param.rule_description = The following analytic detects suspicious processes on systems labeled as web servers. This detection is made by a Splunk query that searches for specific process names that might indicate malicious activity. These suspicious processes include "whoami", "ping", "iptables", "wget", "service", and "curl". Uses the Splunk data model "Endpoint.Processes" and filters the results to only include systems categorized as web servers. This detection is important because it indicates unauthorized or malicious activity on web servers since these processes are commonly used by attackers to perform reconnaissance, establish persistence, or exfiltrate data from compromised systems. The impact of such an attack can be significant, ranging from data theft to the deployment of additional malicious payloads, potentially leading to ransomware or other damaging outcomes. False positives might occur since the legitimate use of these processes on web servers can trigger the analytic. Next steps include triaging and investigating to determine the legitimacy of the activity. Also, review the source and command of the suspicious process. You must also examine any relevant on-disk artifacts and look for concurrent processes to identify the source of the attack. action.notable.param.rule_title = Web Servers Executing Suspicious Processes action.notable.param.security_domain = endpoint action.notable.param.severity = high 
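Review bot: The rewritten description asserts the detection "indicates unauthorized or malicious activity on web servers", which is contradicted by action.escu.known_false_positives two lines later (these binaries run legitimately during maintenance) and by the description's own later admission that false positives occur; a notable's rule text should not overstate confidence. In the source YAML, suggest `This detection is important because these utilities are commonly used by attackers for reconnaissance, persistence, or exfiltration after a web server compromise; they are also run by administrators, so treat a hit as a lead to triage rather than a confirmed intrusion.` The fragment `Uses the Splunk data model "Endpoint.Processes" ...` has no subject and should read `The search uses the Endpoint.Processes data model ...`; it would also help to state how a host is "labeled as web servers" (presumably an asset category lookup — confirm against the search, which is outside this hunk), since that label is the main scoping control. Because this file is generated, patch the YAML and regenerate rather than editing dist/.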
@@ -2972,10 +2971,10 @@ search = `aws_cloudwatchlogs_eks` "user.username"="system:anonymous" userAgent!= [ESCU - Amazon EKS Kubernetes Pod scan detection - Rule] action.escu = 0 action.escu.enabled = 1 -description = This search provides detection information on unauthenticated requests against Kubernetes' Pods API +description = The following analytic detects unauthenticated requests made against the Kubernetes' Pods API through proactive monitoring to protect the Kubernetes environment from unauthorized access and potential security breaches. The detection is made by using the Splunk query `aws_cloudwatchlogs_eks` with specific filters to identify these requests. Identifies events where the `user.username` is set to "system:anonymous", the `verb` is set to "list", and the `objectRef.resource` is set to "pods". Additionally, the search checks if the `requestURI` is equal to "/api/v1/pods". Analyzing these events helps you to identify any unauthorized access attempts to the Kubernetes' Pods API. Unauthenticated requests can indicate potential security breaches or unauthorized access to sensitive resources within the Kubernetes environment. The detection is important because unauthorized access to Kubernetes' Pods API can lead to the compromise of sensitive data, unauthorized execution of commands, or even the potential for lateral movement within the Kubernetes cluster. False positives might occur since there might be legitimate use cases for unauthenticated requests in certain scenarios. Therefore, you must review and validate any detected events before taking any action. Next steps include investigating the incident to mitigate any ongoing threats, and strengthening the security measures to prevent future unauthorized access attempts. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.AE"]} action.escu.data_models = [] -action.escu.eli5 = This search provides detection information on unauthenticated requests against Kubernetes' Pods API +action.escu.eli5 = The following analytic detects unauthenticated requests made against the Kubernetes' Pods API through proactive monitoring to protect the Kubernetes environment from unauthorized access and potential security breaches. The detection is made by using the Splunk query `aws_cloudwatchlogs_eks` with specific filters to identify these requests. Identifies events where the `user.username` is set to "system:anonymous", the `verb` is set to "list", and the `objectRef.resource` is set to "pods". Additionally, the search checks if the `requestURI` is equal to "/api/v1/pods". Analyzing these events helps you to identify any unauthorized access attempts to the Kubernetes' Pods API. Unauthenticated requests can indicate potential security breaches or unauthorized access to sensitive resources within the Kubernetes environment. The detection is important because unauthorized access to Kubernetes' Pods API can lead to the compromise of sensitive data, unauthorized execution of commands, or even the potential for lateral movement within the Kubernetes cluster. False positives might occur since there might be legitimate use cases for unauthenticated requests in certain scenarios. Therefore, you must review and validate any detected events before taking any action. Next steps include investigating the incident to mitigate any ongoing threats, and strengthening the security measures to prevent future unauthorized access attempts. 
action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on forAWS (version 4.4.0 or later), then configure your AWS CloudWatch EKS Logs.Please also customize the `kubernetes_pods_aws_scan_fingerprint_detection` macro to filter out the false positives. action.escu.known_false_positives = Not all unauthenticated requests are malicious, but frequency, UA and source IPs and direct request to API provide context. action.escu.creation_date = 2020-04-15 
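Review bot: The new description never says whether the detection distinguishes anonymous `list pods` calls that the API server denied from those that succeeded, yet that is the single most important triage fact: a 403 for system:anonymous is reconnaissance noise to attribute by source IP and user agent, while a 2xx means an RBAC binding grants system:anonymous (or system:unauthenticated) pod listing and must be remediated immediately. If the EKS audit record's response status field is available in this data (it normally is for audit events — confirm against the search, which lies outside this hunk), replace the vague "Next steps include investigating the incident..." sentence with `Check the response status of the request: a successful anonymous list indicates a ClusterRoleBinding exposing pods to unauthenticated callers and must be fixed; a denied request should be attributed by source IP and user agent.` Also, `aws_cloudwatchlogs_eks` is a data-source macro, not a query, so `The detection is made by using the Splunk query ...` should read `The search runs over the data selected by the \`aws_cloudwatchlogs_eks\` macro with ...`. The unchanged how_to_implement line still directs users to the `kubernetes_pods_aws_scan_fingerprint_detection` macro for tuning, whereas every filter macro added in this diff follows the `<detection_name>_filter` convention; worth verifying that macro still exists before regenerating.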
@@ -3250,7 +3249,7 @@ search = `amazon_security_lake` api.operation=Describe* OR api.operation=List* O action.escu = 0 action.escu.enabled = 1 description = The following detection identifes when a policy is deleted on AWS. This does not identify whether successful or failed, but the error messages tell a story of suspicious attempts. There is a specific process to follow when deleting a policy. First, detach the policy from all users, groups, and roles that the policy is attached to, using DetachUserPolicy , DetachGroupPolicy , or DetachRolePolicy. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1098"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following detection identifes when a policy is deleted on AWS. This does not identify whether successful or failed, but the error messages tell a story of suspicious attempts. There is a specific process to follow when deleting a policy. First, detach the policy from all users, groups, and roles that the policy is attached to, using DetachUserPolicy , DetachGroupPolicy , or DetachRolePolicy. action.escu.how_to_implement = You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876) that includes includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs which are parsed in the Open Cybersecurity Schema Framework (OCSF)format. 
@@ -3268,7 +3267,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - ASL AWS IAM Delete Policy - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS IAM Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1098"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["AWS IAM Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -5090,7 +5089,7 @@ search = `cloudtrail` (errorCode=MalformedPolicyDocumentException) status=failur action.escu = 0 action.escu.enabled = 1 description = The following detection identifes when a policy is deleted on AWS. This does not identify whether successful or failed, but the error messages tell a story of suspicious attempts. There is a specific process to follow when deleting a policy. First, detach the policy from all users, groups, and roles that the policy is attached to, using DetachUserPolicy , DetachGroupPolicy , or DetachRolePolicy. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1098"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following detection identifes when a policy is deleted on AWS. This does not identify whether successful or failed, but the error messages tell a story of suspicious attempts. There is a specific process to follow when deleting a policy. First, detach the policy from all users, groups, and roles that the policy is attached to, using DetachUserPolicy , DetachGroupPolicy , or DetachRolePolicy. action.escu.how_to_implement = The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS Cloudtrail logs. 
@@ -5108,7 +5107,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - AWS IAM Delete Policy - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS IAM Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1098"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["AWS IAM Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -5125,7 +5124,7 @@ search = `cloudtrail` eventName=DeletePolicy (userAgent!=*.amazonaws.com) | stat action.escu = 0 action.escu.enabled = 1 description = This detection identifies failure attempts to delete groups. We want to identify when a group is attempting to be deleted, but either access is denied, there is a conflict or there is no group. This is indicative of administrators performing an action, but also could be suspicious behavior occurring. Review parallel IAM events - recently added users, new groups and so forth. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1098"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This detection identifies failure attempts to delete groups. We want to identify when a group is attempting to be deleted, but either access is denied, there is a conflict or there is no group. This is indicative of administrators performing an action, but also could be suspicious behavior occurring. Review parallel IAM events - recently added users, new groups and so forth. action.escu.how_to_implement = The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS Cloudtrail logs. 
@@ -5148,7 +5147,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - AWS IAM Failure Group Deletion - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS IAM Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 10, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1098"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["AWS IAM Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 10, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -5919,7 +5918,7 @@ search = `azuread` category=UserRiskEvents properties.riskLevel=high | rename p action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies the assignment of the Application Administrator role to an Azure AD user. Users in this role can create and manage all aspects of enterprise applications, application registrations, and application proxy settings. This role also grants the ability to manage application credentials. Users assigned this role can add credentials to an application, and use those credentials to impersonate the applications identity. If the applications identity has been granted access to a resource, such as the ability to create or update User or other objects, then a user assigned to this role could perform those actions while impersonating the application. This ability to impersonate the applications identity may be an elevation of privilege over what the user can do via their role assignments. Red teams and adversaries alike may abuse this role to escalate their privileges in an Azure AD tenant. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies the assignment of the Application Administrator role to an Azure AD user. Users in this role can create and manage all aspects of enterprise applications, application registrations, and application proxy settings. This role also grants the ability to manage application credentials. Users assigned this role can add credentials to an application, and use those credentials to impersonate the applications identity. 
If the applications identity has been granted access to a resource, such as the ability to create or update User or other objects, then a user assigned to this role could perform those actions while impersonating the application. This ability to impersonate the applications identity may be an elevation of privilege over what the user can do via their role assignments. Red teams and adversaries alike may abuse this role to escalate their privileges in an Azure AD tenant. action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. Specifically, this analytic leverages the AuditLogs log category. @@ -5942,7 +5941,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Azure AD Application Administrator Role Assigned - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -6103,7 +6102,7 @@ search = `azuread` "operationName"="Invite external user" | rename properties.*
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies the assignment of the Azure AD Global Administrator role to an Azure AD user. The Global Administrator role is the most powerful administrator role in Azure AD and provides almost unlimited access to data, resources and settings. It is equivalent to the Domain Administrator group in an Active Directory environment. While Azure AD roles do not grant access to Azure services and resources, it is possible for a Global Administrator account to gain control of Azure resources. Adversaries and red teams alike may assign this role to a compromised account to establish Persistence or escalate their privileges in an Azure AD environment.
-action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1098.003"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098.003"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic identifies the assignment of the Azure AD Global Administrator role to an Azure AD user. The Global Administrator role is the most powerful administrator role in Azure AD and provides almost unlimited access to data, resources and settings. It is equivalent to the Domain Administrator group in an Active Directory environment. While Azure AD roles do not grant access to Azure services and resources, it is possible for a Global Administrator account to gain control of Azure resources. Adversaries and red teams alike may assign this role to a compromised account to establish Persistence or escalate their privileges in an Azure AD environment.
 action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. Specifically, this analytic leverages the AuditLogs log category.
@@ -6126,7 +6125,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Azure AD Global Administrator Role Assigned - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence", "Azure Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1098.003"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence", "Azure Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098.003"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -6513,7 +6512,7 @@ search = `azuread` category=AuditLogs operationName="User registered security i
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies the assignment of the Azure AD PIM role. Privileged Identity Management (PIM) is a service within Azure Azure AD that enables administrators to manage, control, and monitor access to sensitive resources. PIM provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources. Once a user has been made eligible for an administrative role, she must activate this role assignment to perform the privileged actions. When a role is activated, Azure AD PIM temporarily adds active assignment for the role. While PIM can be leveraged as a powerful security control, it may also abused by adversaries to obtain privileged access. Security teams should monitor for the assignment and activation of PIM roles and validate their legitimacy.
-action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic identifies the assignment of the Azure AD PIM role. Privileged Identity Management (PIM) is a service within Azure Azure AD that enables administrators to manage, control, and monitor access to sensitive resources. PIM provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources. Once a user has been made eligible for an administrative role, she must activate this role assignment to perform the privileged actions. When a role is activated, Azure AD PIM temporarily adds active assignment for the role. While PIM can be leveraged as a powerful security control, it may also abused by adversaries to obtain privileged access. Security teams should monitor for the assignment and activation of PIM roles and validate their legitimacy.
 action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. Specifically, this analytic leverages the AuditLogs log category.
@@ -6536,7 +6535,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Azure AD PIM Role Assigned - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Privilege Escalation", "Azure Active Directory Persistence"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Privilege Escalation", "Azure Active Directory Persistence"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -6559,7 +6558,7 @@ search = `azuread` operationName="Add eligible member to role in PIM completed*
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies the assignment of the Azure AD PIM role. Privileged Identity Management (PIM) is a service within Azure Azure AD that enables administrators to manage, control, and monitor access to sensitive resources. PIM provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources. Once a user has been made eligible for an administrative role, she must activate this role assignment to perform the privileged actions. When a role is activated, Azure AD PIM temporarily adds active assignment for the role. While PIM can be leveraged as a powerful security control, it may also abused by adversaries to obtain privileged access. Security teams should monitor for the assignment and activation of PIM roles and validate their legitimacy.
-action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic identifies the assignment of the Azure AD PIM role. Privileged Identity Management (PIM) is a service within Azure Azure AD that enables administrators to manage, control, and monitor access to sensitive resources. PIM provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources. Once a user has been made eligible for an administrative role, she must activate this role assignment to perform the privileged actions. When a role is activated, Azure AD PIM temporarily adds active assignment for the role. While PIM can be leveraged as a powerful security control, it may also abused by adversaries to obtain privileged access. Security teams should monitor for the assignment and activation of PIM roles and validate their legitimacy.
 action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. Specifically, this analytic leverages the AuditLogs log category.
@@ -6582,7 +6581,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Azure AD PIM Role Assignment Activated - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Privilege Escalation", "Azure Active Directory Persistence"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Privilege Escalation", "Azure Active Directory Persistence"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -6651,7 +6650,7 @@ search = `azuread` "operationName"="Add member to role" "properties.targetReso
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies the assignment of sensitive and privileged Azure Active Directory roles to an Azure AD user. Adversaries and red teams alike may assign these roles to a compromised account to establish Persistence in an Azure AD environment.
-action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic identifies the assignment of sensitive and privileged Azure Active Directory roles to an Azure AD user. Adversaries and red teams alike may assign these roles to a compromised account to establish Persistence in an Azure AD environment.
 action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. Specifically, this analytic leverages the AuditLogs log category.
@@ -6674,7 +6673,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Azure AD Privileged Role Assigned - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -6696,10 +6695,10 @@ search = `azuread` "operationName"="Add member to role" | rename properties.*
 [ESCU - Azure AD Privileged Role Assigned to Service Principal - Rule]
 action.escu = 0
 action.escu.enabled = 1
-description = The following analytic is geared towards detecting potential privilege escalation threats in Azure Active Directory (AD). It identifies instances where privileged roles, which hold elevated permissions, are assigned to Service Principals. These non-human entities that can access Azure resources could be exploited in an attack scenario, leading to unauthorized access or malicious activities. The analytic runs a specific search within the ingested Azure AD events, specifically leveraging the AuditLogs log category. Keep in mind, however, that there could be false positives, as administrators may legitimately assign privileged roles to Service Principals.
-action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]}
+description = The following analytic detects potential privilege escalation threats in Azure Active Directory (AD). The detection is made by running a specific search within the ingested Azure Active Directory events to leverage the AuditLogs log category. This detection is important because it identifies instances where privileged roles that hold elevated permissions are assigned to service principals. This prevents unauthorized access or malicious activities, which occur when these non-human entities access Azure resources to exploit them. False positives might occur since administrators can legitimately assign privileged roles to service principals.
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]}
 action.escu.data_models = []
-action.escu.eli5 = The following analytic is geared towards detecting potential privilege escalation threats in Azure Active Directory (AD). It identifies instances where privileged roles, which hold elevated permissions, are assigned to Service Principals. These non-human entities that can access Azure resources could be exploited in an attack scenario, leading to unauthorized access or malicious activities. The analytic runs a specific search within the ingested Azure AD events, specifically leveraging the AuditLogs log category. Keep in mind, however, that there could be false positives, as administrators may legitimately assign privileged roles to Service Principals.
+action.escu.eli5 = The following analytic detects potential privilege escalation threats in Azure Active Directory (AD). The detection is made by running a specific search within the ingested Azure Active Directory events to leverage the AuditLogs log category. This detection is important because it identifies instances where privileged roles that hold elevated permissions are assigned to service principals. This prevents unauthorized access or malicious activities, which occur when these non-human entities access Azure resources to exploit them. False positives might occur since administrators can legitimately assign privileged roles to service principals.
 action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. Specifically, this analytic leverages the AuditLogs log category.
 action.escu.known_false_positives = Administrators may legitimately assign the privileged roles to Service Principals as part of administrative tasks. Filter as needed.
 action.escu.creation_date = 2023-04-28
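Review bot: The rewritten description (and the identical eli5 in this hunk, plus rule_description in the next hunk) claims the analytic "prevents unauthorized access or malicious activities"; a correlation search only raises a notable, it blocks nothing, so the sentence overstates the control and will mislead an analyst reading the notable. The same sentence also inverts cause and effect — "which occur when these non-human entities access Azure resources to exploit them" — where the old text correctly said the service principal could be abused to reach resources. Suggest `This matters because a service principal holding a privileged role can be abused to reach Azure resources, so the assignment should be reviewed before it leads to unauthorized access.` If this conf is generated from a detection YAML, the wording fix belongs in the source so all three copies stay in sync.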
@@ -6720,11 +6719,11 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Azure AD Privileged Role Assigned to Service Principal - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
-action.notable.param.rule_description = The following analytic is geared towards detecting potential privilege escalation threats in Azure Active Directory (AD). It identifies instances where privileged roles, which hold elevated permissions, are assigned to Service Principals. These non-human entities that can access Azure resources could be exploited in an attack scenario, leading to unauthorized access or malicious activities. The analytic runs a specific search within the ingested Azure AD events, specifically leveraging the AuditLogs log category. Keep in mind, however, that there could be false positives, as administrators may legitimately assign privileged roles to Service Principals.
+action.notable.param.rule_description = The following analytic detects potential privilege escalation threats in Azure Active Directory (AD). The detection is made by running a specific search within the ingested Azure Active Directory events to leverage the AuditLogs log category. This detection is important because it identifies instances where privileged roles that hold elevated permissions are assigned to service principals. This prevents unauthorized access or malicious activities, which occur when these non-human entities access Azure resources to exploit them. False positives might occur since administrators can legitimately assign privileged roles to service principals.
 action.notable.param.rule_title = Azure AD Privileged Role Assigned to Service Principal
 action.notable.param.security_domain = identity
 action.notable.param.severity = high
@@ -6789,7 +6788,7 @@ search = `azuread` operationName="Add service principal" properties.initiatedBy.
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies the addition of new credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD. These credentials include both x509 certificates and passwords. With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules. Adversaries and red teams alike who have obtained privileged access to Azure AD may add credentials to Service Principals to maintain persistent access to victim accounts and other instances within the Azure environment. By compromising an account who is an Owner of an application with privileged access, attackers may also escalate their privileges in an Azure AD environment by adding new credentials and logging in as the service principal.
-action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1098", "T1098.001"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.001"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic identifies the addition of new credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD. These credentials include both x509 certificates and passwords. With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules. Adversaries and red teams alike who have obtained privileged access to Azure AD may add credentials to Service Principals to maintain persistent access to victim accounts and other instances within the Azure environment. By compromising an account who is an Owner of an application with privileged access, attackers may also escalate their privileges in an Azure AD environment by adding new credentials and logging in as the service principal.
 action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. Specifically, this analytic leverages the SignInLogs log category.
@@ -6812,7 +6811,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Azure AD Service Principal New Client Credentials - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence", "Azure Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1098", "T1098.001"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence", "Azure Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.001"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -6835,7 +6834,7 @@ search = `azuread` category=AuditLogs operationName="Update application*Certifi
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies the addition of a new owner for a Service Principal within an Azure AD tenant. An Azure Service Principal is an identity designed to be used with applications, services, and automated tools to access resources. It is similar to a service account within an Active Directory environment. Service Principal authentication does not support multi-factor authentication nor conditional access policies. Adversaries and red teams alike who have obtained administrative access may add a new owner for an existing Service Principal to establish Persistence and obtain single-factor access to an Azure AD environment. Attackers who are looking to escalate their privileges by leveraging a Service Principals permissions may also add a new owner.
-action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic identifies the addition of a new owner for a Service Principal within an Azure AD tenant. An Azure Service Principal is an identity designed to be used with applications, services, and automated tools to access resources. It is similar to a service account within an Active Directory environment. Service Principal authentication does not support multi-factor authentication nor conditional access policies. Adversaries and red teams alike who have obtained administrative access may add a new owner for an existing Service Principal to establish Persistence and obtain single-factor access to an Azure AD environment. Attackers who are looking to escalate their privileges by leveraging a Service Principals permissions may also add a new owner.
 action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. Specifically, this analytic leverages the AuditLogs log category.
@@ -6858,7 +6857,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Azure AD Service Principal Owner Added - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence", "Azure Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence", "Azure Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -7063,7 +7062,7 @@ search = `azuread` category=SignInLogs properties.status.errorCode=50126 proper
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies an Azure AD user enabling a previously disabled account and resetting its password within 2 minutes. This behavior could represent an adversary who has obtained administrative access and is trying to establish a backdoor identity within an Azure AD tenant.
-action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic identifies an Azure AD user enabling a previously disabled account and resetting its password within 2 minutes. This behavior could represent an adversary who has obtained administrative access and is trying to establish a backdoor identity within an Azure AD tenant.
 action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. Specifically, this analytic leverages the AuditLogs log category.
@@ -7086,7 +7085,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Azure AD User Enabled And Password Reset - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence"], "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence"], "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -7109,7 +7108,7 @@ search = `azuread` (operationName="Enable account" OR operationName="Reset pass
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies the modification of the SourceAnchor (also called ImmutableId) attribute for an Azure Active Directory user. Updating this attribute is a step required to set up the Azure Active Directory identity federation backdoor technique discovered by security researcher Nestori Syynimaa. Similar to Active Directory, Azure AD uses the concept of domains to manage directories of identities. A new Azure AD tenant will initially contain a single domain that is commonly called the `cloud-only` onmicrosoft.com domain. Organizations can also add their registered custom domains to Azure AD for email addresses to match the organizations domain name. If the organization intends to use a third-party identity provider such as ADFS for authentication, the added custom domains can be configured as federated. An adversary who has obtained privileged access to an Azure AD tenant may leverage this technique to establish persistence and be able to authenticate to Azure AD impersonating any user and bypassing the requirement to have a valid password and/or perform MFA.
-action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic identifies the modification of the SourceAnchor (also called ImmutableId) attribute for an Azure Active Directory user. Updating this attribute is a step required to set up the Azure Active Directory identity federation backdoor technique discovered by security researcher Nestori Syynimaa. Similar to Active Directory, Azure AD uses the concept of domains to manage directories of identities. A new Azure AD tenant will initially contain a single domain that is commonly called the `cloud-only` onmicrosoft.com domain. Organizations can also add their registered custom domains to Azure AD for email addresses to match the organizations domain name. If the organization intends to use a third-party identity provider such as ADFS for authentication, the added custom domains can be configured as federated. An adversary who has obtained privileged access to an Azure AD tenant may leverage this technique to establish persistence and be able to authenticate to Azure AD impersonating any user and bypassing the requirement to have a valid password and/or perform MFA.
 action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. Specifically, this analytic leverages the AuditLogs log category.
@@ -7132,7 +7131,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Azure AD User ImmutableId Attribute Updated - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence"], "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence"], "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -7292,10 +7291,10 @@ search = `azure_audit` operationName.localizedValue="Create or Update an Azure [ESCU - Circle CI Disable Security Job - Rule] action.escu = 0 action.escu.enabled = 1 -description = This search looks for disable security job in CircleCI pipeline. +description = This analytic searches for a specific behavior in CircleCI pipelines such as the disabling of security jobs. The detection is made by using a Splunk query that renames certain fields and retrieves values for specified job names, workflow IDs and names, user information, commit messages, URLs, and branches. Then, the query identifies mandatory jobs for each workflow and searches for instances where they were run. The search also identifies the phase of the pipeline as "build" and extracts the repository name from the URL using regular expressions. The detection is important because it detects attempts to bypass security measures in CircleCI pipelines, which can potentially lead to malicious code being introduced into the pipeline, data breaches, system downtime, and reputational damage. False positives might occur since legitimate use cases can require the disabling of security jobs. However, you can proactively monitor and identify any suspicious activity in the pipeline using this analytic and mitigate potential threats through early detection. action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1554"], "nist": ["DE.AE"]} action.escu.data_models = [] -action.escu.eli5 = This search looks for disable security job in CircleCI pipeline. +action.escu.eli5 = This analytic searches for a specific behavior in CircleCI pipelines such as the disabling of security jobs. The detection is made by using a Splunk query that renames certain fields and retrieves values for specified job names, workflow IDs and names, user information, commit messages, URLs, and branches. 
Then, the query identifies mandatory jobs for each workflow and searches for instances where they were run. The search also identifies the phase of the pipeline as "build" and extracts the repository name from the URL using regular expressions. The detection is important because it detects attempts to bypass security measures in CircleCI pipelines, which can potentially lead to malicious code being introduced into the pipeline, data breaches, system downtime, and reputational damage. False positives might occur since legitimate use cases can require the disabling of security jobs. However, you can proactively monitor and identify any suspicious activity in the pipeline using this analytic and mitigate potential threats through early detection. action.escu.how_to_implement = You must index CircleCI logs. action.escu.known_false_positives = unknown action.escu.creation_date = 2021-09-02 
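Review bot: The rewritten description now states `False positives might occur since legitimate use cases can require the disabling of security jobs`, yet the context line `action.escu.known_false_positives = unknown` in the same hunk still says nothing, so the two fields contradict each other. The known_false_positives field is the one analysts tune against; give it the same statement, e.g. `action.escu.known_false_positives = Legitimate use cases can require the disabling of security jobs; validate the change against the pipeline configuration history.` The description's claims about which fields the query renames and joins cannot be checked here because the search line is outside the hunk.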
@@ -7332,10 +7331,10 @@ search = `circleci` | rename vcs.committer_name as user vcs.subject as commit_me [ESCU - Circle CI Disable Security Step - Rule] action.escu = 0 action.escu.enabled = 1 -description = This search looks for disable security step in CircleCI pipeline. +description = The following analytic detects the disablement of security steps in a CircleCI pipeline. Addressing instances of security step disablement in CircleCI pipelines can mitigate the risks associated with potential security vulnerabilities and unauthorized changes. A proactive approach helps protect the organization's infrastructure, data, and overall security posture. The detection is made by a Splunk query that searches for specific criteria within CircleCI logs through a combination of field renaming, joining, and statistical analysis to identify instances where security steps are disabled. It retrieves information such as job IDs, job names, commit details, and user information from the CircleCI logs. The detection is important because it indicates potential security vulnerabilities or unauthorized changes to the pipeline caused by someone within the organization intentionally or unintentionally disabling security steps in the CircleCI pipeline.Disabling security steps can leave the pipeline and the associated infrastructure exposed to potential attacks, data breaches, or the introduction of malicious code into the pipeline. Investigate by reviewing the job name, commit details, and user information associated with the disablement of security steps. You must also examine any relevant on-disk artifacts and identify concurrent processes that might indicate the source of the attack or unauthorized change. action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1554"], "nist": ["DE.AE"]} action.escu.data_models = [] -action.escu.eli5 = This search looks for disable security step in CircleCI pipeline. 
+action.escu.eli5 = The following analytic detects the disablement of security steps in a CircleCI pipeline. Addressing instances of security step disablement in CircleCI pipelines can mitigate the risks associated with potential security vulnerabilities and unauthorized changes. A proactive approach helps protect the organization's infrastructure, data, and overall security posture. The detection is made by a Splunk query that searches for specific criteria within CircleCI logs through a combination of field renaming, joining, and statistical analysis to identify instances where security steps are disabled. It retrieves information such as job IDs, job names, commit details, and user information from the CircleCI logs. The detection is important because it indicates potential security vulnerabilities or unauthorized changes to the pipeline caused by someone within the organization intentionally or unintentionally disabling security steps in the CircleCI pipeline.Disabling security steps can leave the pipeline and the associated infrastructure exposed to potential attacks, data breaches, or the introduction of malicious code into the pipeline. Investigate by reviewing the job name, commit details, and user information associated with the disablement of security steps. You must also examine any relevant on-disk artifacts and identify concurrent processes that might indicate the source of the attack or unauthorized change. action.escu.how_to_implement = You must index CircleCI logs. action.escu.known_false_positives = unknown action.escu.creation_date = 2021-09-01 
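Review bot: Both the new description line and the new eli5 line run two sentences together at `CircleCI pipeline.Disabling security steps`; change to `CircleCI pipeline. Disabling security steps` in both. The triage advice to `examine any relevant on-disk artifacts and identify concurrent processes` does not fit a detection whose only data source, per the unchanged `action.escu.how_to_implement = You must index CircleCI logs.` line, is CircleCI log events; drop it or direct the analyst to the pipeline configuration change and the associated commit instead. `action.escu.known_false_positives = unknown` also remains in this hunk although a security step being disabled for a legitimate reason is an obvious benign cause worth naming there.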
@@ -7372,10 +7371,10 @@ search = `circleci` | rename workflows.job_id AS job_id | join job_id [ | search [ESCU - Cloud API Calls From Previously Unseen User Roles - Rule] action.escu = 0 action.escu.enabled = 1 -description = This search looks for new commands from each user role. +description = The following analytic detects when a new command is run by a user, who typically does not run those commands. The detection is made by a Splunk query to search for these commands in the Change data model. Identifies commands run by users with the user_type of AssumedRole and a status of success. The query retrieves the earliest and latest timestamps of each command run and groups the results by the user and command. Then, it drops the unnecessary data model object name and creates a lookup to verify if the command was seen before. The lookup table contains information about previously seen cloud API calls for each user role, including the first time the command was seen and whether enough data is available for analysis. If the firstTimeSeenUserApiCall field is null or greater than the relative time of 24 hours ago, it indicates that the command is new and was not seen before. The final result table includes the firstTime, user, object, and command fields of the new commands. It also applies the security_content_ctime function to format the timestamps and applies a filter to remove any cloud API calls from previously unseen user roles. The detection is important because it helps to identify new commands run by different user roles. New commands can indicate potential malicious activity or unauthorized actions within the environment. Detecting and investigating these new commands can help identify and mitigate potential security threats earlier, preventing data breaches, unauthorized access, or other damaging outcomes. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} action.escu.data_models = ["Change"] -action.escu.eli5 = This search looks for new commands from each user role. +action.escu.eli5 = The following analytic detects when a new command is run by a user, who typically does not run those commands. The detection is made by a Splunk query to search for these commands in the Change data model. Identifies commands run by users with the user_type of AssumedRole and a status of success. The query retrieves the earliest and latest timestamps of each command run and groups the results by the user and command. Then, it drops the unnecessary data model object name and creates a lookup to verify if the command was seen before. The lookup table contains information about previously seen cloud API calls for each user role, including the first time the command was seen and whether enough data is available for analysis. If the firstTimeSeenUserApiCall field is null or greater than the relative time of 24 hours ago, it indicates that the command is new and was not seen before. The final result table includes the firstTime, user, object, and command fields of the new commands. It also applies the security_content_ctime function to format the timestamps and applies a filter to remove any cloud API calls from previously unseen user roles. The detection is important because it helps to identify new commands run by different user roles. New commands can indicate potential malicious activity or unauthorized actions within the environment. Detecting and investigating these new commands can help identify and mitigate potential security threats earlier, preventing data breaches, unauthorized access, or other damaging outcomes. action.escu.how_to_implement = You must be ingesting your cloud infrastructure logs from your cloud provider. 
You should run the baseline search `Previously Seen Cloud API Calls Per User Role - Initial` to build the initial table of user roles, commands, and times. You must also enable the second baseline search `Previously Seen Cloud API Calls Per User Role - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `cloud_api_calls_from_previously_unseen_user_roles_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_api_calls_from_previously_unseen_user_roles_filter` action.escu.known_false_positives = . action.escu.creation_date = 2020-09-04 
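Review bot: The new description says the search `applies a filter to remove any cloud API calls from previously unseen user roles`, which is the opposite of what the detection produces; the unchanged how_to_implement line in the same hunk describes `cloud_api_calls_from_previously_unseen_user_roles_filter` as a macro for additional, site-specific filtering of the results. Rephrase that sentence to `It then applies the cloud_api_calls_from_previously_unseen_user_roles_filter macro so that site-specific exclusions can be added.` The context line `action.escu.known_false_positives = .` is a placeholder that survives this rewrite; given how the other stanzas in this diff are structured, something like `A user role legitimately issuing an API call for the first time will trigger this search; verify the call with the role owner.` would fit. The statement that `firstTimeSeenUserApiCall` being null or newer than 24 hours marks a command as new cannot be verified against the search line, which is outside the hunk.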
@@ -7492,10 +7491,10 @@ search = | tstats earliest(_time) as firstTime latest(_time) as lastTime values( [ESCU - Cloud Compute Instance Created With Previously Unseen Image - Rule] action.escu = 0 action.escu.enabled = 1 -description = This search looks for cloud compute instances being created with previously unseen image IDs. +description = The following analytic detects potential instances that are created in a cloud computing environment using new or unknown image IDs that have not been seen before. This detection is important because it helps to investigate and take appropriate action to prevent further damage or unauthorized access to the Cloud environment, which can include data breaches, unauthorized access to sensitive information, or the deployment of malicious payloads within the cloud environment. False positives might occur since legitimate instances can also have previously unseen image IDs. Next steps include conducting an extensive triage and investigation to determine the nature of the activity. During triage, review the details of the created instances, including the user responsible for the creation, the image ID used, and any associated metadata. Additionally, consider inspecting any relevant on-disk artifacts and analyzing concurrent processes to identify the source of the attack. action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} action.escu.data_models = ["Change"] -action.escu.eli5 = This search looks for cloud compute instances being created with previously unseen image IDs. +action.escu.eli5 = The following analytic detects potential instances that are created in a cloud computing environment using new or unknown image IDs that have not been seen before. 
This detection is important because it helps to investigate and take appropriate action to prevent further damage or unauthorized access to the Cloud environment, which can include data breaches, unauthorized access to sensitive information, or the deployment of malicious payloads within the cloud environment. False positives might occur since legitimate instances can also have previously unseen image IDs. Next steps include conducting an extensive triage and investigation to determine the nature of the activity. During triage, review the details of the created instances, including the user responsible for the creation, the image ID used, and any associated metadata. Additionally, consider inspecting any relevant on-disk artifacts and analyzing concurrent processes to identify the source of the attack. action.escu.how_to_implement = You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Compute Images - Initial` to build the initial table of images observed and times. You must also enable the second baseline search `Previously Seen Cloud Compute Images - Update` to keep this table up to date and to age out old data. You can also provide additional filtering for this search by customizing the `cloud_compute_instance_created_with_previously_unseen_image_filter` macro. action.escu.known_false_positives = After a new image is created, the first systems created with that image will cause this alert to fire. Verify that the image being used was created by a legitimate user. action.escu.creation_date = 2018-10-12 
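Review bot: The new description's triage advice to inspect `any relevant on-disk artifacts and analyzing concurrent processes` does not apply to this detection, whose data source is cloud-provider control-plane logs (`You must be ingesting your cloud infrastructure logs from your cloud provider`) and whose known_false_positives line in the same hunk already gives the right next step: verify that the image was created by a legitimate user. Replace that sentence with something tied to the data, e.g. `Review the image ID's origin and creator, and check whether the instance was launched by a principal that normally creates instances.` The phrase `detects potential instances that are created` should read `detects instances that are created`, since the instances are real; it is the image ID that is new.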
@@ -7532,10 +7531,10 @@ search = | tstats count earliest(_time) as firstTime, latest(_time) as lastTime [ESCU - Cloud Compute Instance Created With Previously Unseen Instance Type - Rule] action.escu = 0 action.escu.enabled = 1 -description = Find EC2 instances being created with previously unseen instance types. +description = The following analytic detects the creation of EC2 instances with previously unseen instance types. The detection is made by using a Splunk query to identify the EC2 instances. First, the query searches for changes in the EC2 instance creation action and filters for instances with instance types that are not recognized or previously seen. Next, the query uses the Splunk tstats command to gather the necessary information from the Change data model. Then, it filters the instances with unknown instance types and reviews previously seen instance types to determine if they are new or not. The detection is important because it identifies attackers attempting to create instances with unknown or potentially compromised instance types, which can be an attempt to gain unauthorized access to sensitive data, compromise of systems, exfiltrate data, potential disruption of services, or launch other malicious activities within the environment. False positives might occur since there might be legitimate reasons for creating instances with previously unseen instance types. Therefore, you must carefully review and triage all alerts. action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} action.escu.data_models = ["Change"] -action.escu.eli5 = Find EC2 instances being created with previously unseen instance types. +action.escu.eli5 = The following analytic detects the creation of EC2 instances with previously unseen instance types. The detection is made by using a Splunk query to identify the EC2 instances. 
First, the query searches for changes in the EC2 instance creation action and filters for instances with instance types that are not recognized or previously seen. Next, the query uses the Splunk tstats command to gather the necessary information from the Change data model. Then, it filters the instances with unknown instance types and reviews previously seen instance types to determine if they are new or not. The detection is important because it identifies attackers attempting to create instances with unknown or potentially compromised instance types, which can be an attempt to gain unauthorized access to sensitive data, compromise of systems, exfiltrate data, potential disruption of services, or launch other malicious activities within the environment. False positives might occur since there might be legitimate reasons for creating instances with previously unseen instance types. Therefore, you must carefully review and triage all alerts. action.escu.how_to_implement = You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Compute Instance Types - Initial` to build the initial table of instance types observed and times. You must also enable the second baseline search `Previously Seen Cloud Compute Instance Types - Update` to keep this table up to date and to age out old data. You can also provide additional filtering for this search by customizing the `cloud_compute_instance_created_with_previously_unseen_instance_type_filter` macro. action.escu.known_false_positives = It is possible that an admin will create a new system using a new instance type that has never been used before. Verify with the creator that they intended to create the system with the new instance type. action.escu.creation_date = 2020-09-12 
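Review bot: The new description claims the search `identifies attackers attempting to create instances with unknown or potentially compromised instance types`; an EC2 instance type is a size and hardware class, not something that can be compromised, and the rule's own known_false_positives line in the hunk frames the signal correctly as an instance type never used before. Rephrase to `identifies instances launched with an instance type never seen before in this environment, which can indicate resources being provisioned that differ from the organization's normal workloads.` The sentence `filters the instances with unknown instance types and reviews previously seen instance types` also repeats the first step, so one of the two can go. The tstats search itself is outside the hunk, so the step order described here is unverified.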
@@ -7776,10 +7775,10 @@ search = | tstats earliest(_time) as firstTime, latest(_time) as lastTime from d [ESCU - Correlation by Repository and Risk - Rule] action.escu = 0 action.escu.enabled = 1 -description = This search correlations detections by repository and risk_score +description = The following analytic detects by correlating repository and risk score to identify patterns and trends in the data based on the level of risk associated. The analytic adds any null values and calculates the sum of the risk scores for each detection. Then, the analytic captures the source and user information for each detection and sorts the results in ascending order based on the risk score. Finally, the analytic filters the detections with a risk score below 80 and focuses only on high-risk detections.This detection is important because it provides valuable insights into the distribution of high-risk activities across different repositories. It also identifies the most vulnerable repositories that are frequently targeted by potential threats. Additionally, it proactively detects and responds to potential threats, thereby minimizing the impact of attacks and safeguarding critical assets. Finally, it provides a comprehensive view of the risk landscape and helps to make informed decisions to protect the organization's data and infrastructure. False positives might occur so it is important to identify the impact of the attack and prioritize response and mitigation efforts. action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]} action.escu.data_models = [] -action.escu.eli5 = This search correlations detections by repository and risk_score +action.escu.eli5 = The following analytic detects by correlating repository and risk score to identify patterns and trends in the data based on the level of risk associated. 
The analytic adds any null values and calculates the sum of the risk scores for each detection. Then, the analytic captures the source and user information for each detection and sorts the results in ascending order based on the risk score. Finally, the analytic filters the detections with a risk score below 80 and focuses only on high-risk detections.This detection is important because it provides valuable insights into the distribution of high-risk activities across different repositories. It also identifies the most vulnerable repositories that are frequently targeted by potential threats. Additionally, it proactively detects and responds to potential threats, thereby minimizing the impact of attacks and safeguarding critical assets. Finally, it provides a comprehensive view of the risk landscape and helps to make informed decisions to protect the organization's data and infrastructure. False positives might occur so it is important to identify the impact of the attack and prioritize response and mitigation efforts. action.escu.how_to_implement = For Dev Sec Ops POC action.escu.known_false_positives = unknown action.escu.creation_date = 2021-09-06 
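Review bot: The new description says the analytic `adds any null values`, but the next hunk's header shows this rule's search as `risk_index | fillnull | stats sum(risk_score)`, and `fillnull` replaces null field values with a default rather than adding anything; write `fills null values with a default`. The same line runs two sentences together at `high-risk detections.This detection`, and its opening `The following analytic detects by correlating` has no object; `The following analytic correlates detections by repository and risk score` says what the removed line said. The identical text is repeated in the eli5 line of this hunk and in the `action.notable.param.rule_description` hunk at @@ -7799, so all three copies need the same corrections.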
@@ -7799,7 +7798,7 @@ action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis2 schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search correlations detections by repository and risk_score +action.notable.param.rule_description = The following analytic detects by correlating repository and risk score to identify patterns and trends in the data based on the level of risk associated. The analytic adds any null values and calculates the sum of the risk scores for each detection. Then, the analytic captures the source and user information for each detection and sorts the results in ascending order based on the risk score. Finally, the analytic filters the detections with a risk score below 80 and focuses only on high-risk detections.This detection is important because it provides valuable insights into the distribution of high-risk activities across different repositories. It also identifies the most vulnerable repositories that are frequently targeted by potential threats. Additionally, it proactively detects and responds to potential threats, thereby minimizing the impact of attacks and safeguarding critical assets. Finally, it provides a comprehensive view of the risk landscape and helps to make informed decisions to protect the organization's data and infrastructure. False positives might occur so it is important to identify the impact of the attack and prioritize response and mitigation efforts. action.notable.param.rule_title = RBA: Correlation by Repository and Risk action.notable.param.security_domain = network action.notable.param.severity = high 
@@ -7817,10 +7816,10 @@ search = `risk_index` | fillnull | stats sum(risk_score) as risk_score values(so [ESCU - Correlation by User and Risk - Rule] action.escu = 0 action.escu.enabled = 1 -description = This search correlations detections by user and risk_score +description = The following analytic detects the correlation between the user and risk score and identifies users with a high risk score that pose a significant security risk such as unauthorized access attempts, suspicious behavior, or potential insider threats. Next, the analytic calculates the sum of the risk scores and groups the results by user, the corresponding signals, and the repository. The results are sorted in descending order based on the risk score and filtered to include records with a risk score greater than 80. Finally, the results are passed through a correlation filter specific to the user and risk. This detection is important because it identifies users who have a high risk score and helps to prioritize investigations and allocate resources. False positives might occur but the impact of such an attack can vary depending on the specific scenario such as data exfiltration, system compromise, or the disruption of critical services. Please investigate this notable event. action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]} action.escu.data_models = [] -action.escu.eli5 = This search correlations detections by user and risk_score +action.escu.eli5 = The following analytic detects the correlation between the user and risk score and identifies users with a high risk score that pose a significant security risk such as unauthorized access attempts, suspicious behavior, or potential insider threats. Next, the analytic calculates the sum of the risk scores and groups the results by user, the corresponding signals, and the repository. 
The results are sorted in descending order based on the risk score and filtered to include records with a risk score greater than 80. Finally, the results are passed through a correlation filter specific to the user and risk. This detection is important because it identifies users who have a high risk score and helps to prioritize investigations and allocate resources. False positives might occur but the impact of such an attack can vary depending on the specific scenario such as data exfiltration, system compromise, or the disruption of critical services. Please investigate this notable event. action.escu.how_to_implement = For Dev Sec Ops POC action.escu.known_false_positives = unknown action.escu.creation_date = 2021-09-06 
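Review bot: This description says results are `sorted in descending order` and `filtered to include records with a risk score greater than 80`, while the sibling Correlation by Repository stanza earlier in this diff says `ascending order` and `filters the detections with a risk score below 80` for what appears to be a parallel search; at least one of the two is likely misdescribed, and neither search line is inside its hunk, so please confirm both against the SPL. The closing `Please investigate this notable event.` adds nothing to a description and is better dropped. The same text recurs in the `action.notable.param.rule_description` hunk at @@ -7840, so apply the same fix there.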
@@ -7840,7 +7839,7 @@ action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis2 schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search correlations detections by user and risk_score +action.notable.param.rule_description = The following analytic detects the correlation between the user and risk score and identifies users with a high risk score that pose a significant security risk such as unauthorized access attempts, suspicious behavior, or potential insider threats. Next, the analytic calculates the sum of the risk scores and groups the results by user, the corresponding signals, and the repository. The results are sorted in descending order based on the risk score and filtered to include records with a risk score greater than 80. Finally, the results are passed through a correlation filter specific to the user and risk. This detection is important because it identifies users who have a high risk score and helps to prioritize investigations and allocate resources. False positives might occur but the impact of such an attack can vary depending on the specific scenario such as data exfiltration, system compromise, or the disruption of critical services. Please investigate this notable event. action.notable.param.rule_title = RBA: Correlation by User and Risk action.notable.param.security_domain = network action.notable.param.severity = high 
@@ -8876,10 +8875,10 @@ search = `github` branches{}.name = main OR branches{}.name = develop | stats c [ESCU - GitHub Dependabot Alert - Rule] action.escu = 0 action.escu.enabled = 1 -description = This search looks for Dependabot Alerts in Github logs. +description = The following analytic is made by first searching for logs that contain the action "create" and renames certain fields for easier analysis. Then, this analytic uses the "stats" command to calculate the first and last occurrence of the alert based on the timestamp. The fields included in the output are the action, affected package name, affected range, created date, external identifier, external reference, fixed version, severity, repository, repository URL, and user. The "phase" field is set to "code" to indicate that the alert pertains to code-related issues. The detection is important because dependabot Alerts can indicate vulnerabilities in the codebase that can be exploited by attackers. Detecting and investigating these alerts can help a SOC to proactively address security risks and prevent potential breaches or unauthorized access to sensitive information. False positives might occur since there are legitimate actions that trigger the "create" action or if other factors exist that can generate similar log entries. Next steps include reviewing the details of the alert, such as the affected package, severity, and fixed version to determine the appropriate response and mitigation steps. action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1195.001", "T1195"], "nist": ["DE.AE"]} action.escu.data_models = [] -action.escu.eli5 = This search looks for Dependabot Alerts in Github logs. +action.escu.eli5 = The following analytic is made by first searching for logs that contain the action "create" and renames certain fields for easier analysis. 
Then, this analytic uses the "stats" command to calculate the first and last occurrence of the alert based on the timestamp. The fields included in the output are the action, affected package name, affected range, created date, external identifier, external reference, fixed version, severity, repository, repository URL, and user. The "phase" field is set to "code" to indicate that the alert pertains to code-related issues. The detection is important because dependabot Alerts can indicate vulnerabilities in the codebase that can be exploited by attackers. Detecting and investigating these alerts can help a SOC to proactively address security risks and prevent potential breaches or unauthorized access to sensitive information. False positives might occur since there are legitimate actions that trigger the "create" action or if other factors exist that can generate similar log entries. Next steps include reviewing the details of the alert, such as the affected package, severity, and fixed version to determine the appropriate response and mitigation steps. action.escu.how_to_implement = You must index GitHub logs. You can follow the url in reference to onboard GitHub logs. action.escu.known_false_positives = unknown action.escu.creation_date = 2021-09-01 
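Review bot: The new description no longer states what the rule detects; its first sentence starts with the mechanics (`The following analytic is made by first searching for logs that contain the action "create"`), whereas the removed line said it looks for Dependabot alerts in GitHub logs. Open with `The following analytic detects new GitHub Dependabot alerts (action "create") and ...`, and capitalise `dependabot Alerts` consistently as `Dependabot alerts`. The search line is outside the hunk, so the output field list given in the description is unverified here.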
@@ -8916,10 +8915,10 @@ search = `github` alert.id=* action=create | rename repository.full_name as repo [ESCU - GitHub Pull Request from Unknown User - Rule] action.escu = 0 action.escu.enabled = 1 -description = This search looks for Pull Request from unknown user. +description = The following analytic detects pull requests from unknown users on GitHub. The detection is made by using a Splunk query to search for pull requests in the `check_suite.pull_requests` field where the `id` is not specified. Next, the analytic retrieves information such as the author's name, the repository's full name, the head reference of the pull request, and the commit message from the `check_suite.head_commit` field. The analytic also includes a step to exclude known users by using the `github_known_users` lookup table, which helps to filter out pull requests from known users and focus on the pull requests from unknown users. The detection is important because it locates potential malicious activity or unauthorized access since unknown users can introduce malicious code or gain unauthorized access to repositories leading to unauthorized code changes, data breaches, or other security incidents. Next steps include reviewing the author's name, the repository involved, the head reference of the pull request, and the commit message upon triage of a potential pull request from an unknown user. You must also analyze any relevant on-disk artifacts and investigate any concurrent processes to determine the source and intent of the pull request." action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1195.001", "T1195"], "nist": ["DE.AE"]} action.escu.data_models = [] -action.escu.eli5 = This search looks for Pull Request from unknown user. +action.escu.eli5 = The following analytic detects pull requests from unknown users on GitHub. 
The detection is made by using a Splunk query to search for pull requests in the `check_suite.pull_requests` field where the `id` is not specified. Next, the analytic retrieves information such as the author's name, the repository's full name, the head reference of the pull request, and the commit message from the `check_suite.head_commit` field. The analytic also includes a step to exclude known users by using the `github_known_users` lookup table, which helps to filter out pull requests from known users and focus on the pull requests from unknown users. The detection is important because it locates potential malicious activity or unauthorized access since unknown users can introduce malicious code or gain unauthorized access to repositories leading to unauthorized code changes, data breaches, or other security incidents. Next steps include reviewing the author's name, the repository involved, the head reference of the pull request, and the commit message upon triage of a potential pull request from an unknown user. You must also analyze any relevant on-disk artifacts and investigate any concurrent processes to determine the source and intent of the pull request." action.escu.how_to_implement = You must index GitHub logs. You can follow the url in reference to onboard GitHub logs. action.escu.known_false_positives = unknown action.escu.creation_date = 2021-09-01 
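Review bot: Both the new description and the new eli5 end with a stray double quote, `intent of the pull request."`; conf values are read verbatim, so that quote will surface in the rendered description. Remove it from both lines. The advice to `analyze any relevant on-disk artifacts and investigate any concurrent processes` does not fit a GitHub log source (`You must index GitHub logs.` in the same hunk); direct the analyst to the pull request diff and the author's account history instead. The `github_known_users` lookup is referenced in the description but the unchanged how_to_implement line does not mention that it must be populated; one sentence there would close that gap.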
@@ -9708,10 +9707,10 @@ search = `o365_management_activity` Workload=AzureActiveDirectory LogonError=*Ss [ESCU - O365 New Federated Domain Added - Rule] action.escu = 0 action.escu.enabled = 1 -description = The following search detects the addition of a new Federated domain in O365 environments. If an attacker adds an unverified domain to Office 365, they may gain unauthorized access to the organization's email and other services, potentially leading to data breaches and information theft. It can be misused to set up adversary infrastruture for phishing, spoofing emails and malware distribution. +description = The following analytic detects the addition of a new federated domain in an organization's Office 365 environment. Identifies instances where a new federated domain is added to the organization's Office 365 configuration and helps to take immediate action to mitigate the risks, prevent further unauthorized access, and protect the organization's data and systems. The detection is made by the Splunk query `o365_management_activity` with the parameters `Workload=Exchange` and `Operation="Add-FederatedDomain"`, which analyzes the management activity logs in Office 365 and filters for the specific operation to add a federated domain. The detection is important because identifying the addition of a new federated domain can indicate potential unauthorized access or compromise of the organization's Office 365 environment. A new Federated domain can be added by an attacker to gain unauthorized access, exfiltrate data, or carry out other malicious activity, which can lead to data breaches, unauthorized access to sensitive information, or compromise of the organization's systems and infrastructure. Next steps include viewing the details of the added federated domain, including the organization name, originating server, user ID, and user key. You must also capture and analyze any relevant on-disk artifacts. 
Additionally, you must identify the source of the attack by looking for concurrent processes or other indicators of compromise. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003", "T1136"], "nist": ["DE.CM"]} action.escu.data_models = [] -action.escu.eli5 = The following search detects the addition of a new Federated domain in O365 environments. If an attacker adds an unverified domain to Office 365, they may gain unauthorized access to the organization's email and other services, potentially leading to data breaches and information theft. It can be misused to set up adversary infrastruture for phishing, spoofing emails and malware distribution. +action.escu.eli5 = The following analytic detects the addition of a new federated domain in an organization's Office 365 environment. Identifies instances where a new federated domain is added to the organization's Office 365 configuration and helps to take immediate action to mitigate the risks, prevent further unauthorized access, and protect the organization's data and systems. The detection is made by the Splunk query `o365_management_activity` with the parameters `Workload=Exchange` and `Operation="Add-FederatedDomain"`, which analyzes the management activity logs in Office 365 and filters for the specific operation to add a federated domain. The detection is important because identifying the addition of a new federated domain can indicate potential unauthorized access or compromise of the organization's Office 365 environment. A new Federated domain can be added by an attacker to gain unauthorized access, exfiltrate data, or carry out other malicious activity, which can lead to data breaches, unauthorized access to sensitive information, or compromise of the organization's systems and infrastructure. Next steps include viewing the details of the added federated domain, including the organization name, originating server, user ID, and user key. 
You must also capture and analyze any relevant on-disk artifacts. Additionally, you must identify the source of the attack by looking for concurrent processes or other indicators of compromise. action.escu.how_to_implement = You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity. action.escu.known_false_positives = The creation of a new Federated domain is not necessarily malicious, however these events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a similar or different cloud provider. action.escu.creation_date = 2023-08-02 
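Review bot: `Identifies instances where a new federated domain is added ...` in the new `description` is a sentence without a subject; prefix it with `This detection` or fold it into the preceding sentence. The next-steps guidance to `capture and analyze any relevant on-disk artifacts` and to look for `concurrent processes` does not apply to an `o365:management:activity` event; point the analyst at the organization name, originating server, user ID and user key the description already lists, and at confirming the domain with the tenant owner, instead. The same text is repeated in `action.escu.eli5` here and in `action.notable.param.rule_description` in the following hunk, so all three copies need the edit.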
@@ -9736,7 +9735,7 @@ action.correlationsearch.annotations = {"analytic_story": ["Office 365 Detection schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following search detects the addition of a new Federated domain in O365 environments. If an attacker adds an unverified domain to Office 365, they may gain unauthorized access to the organization's email and other services, potentially leading to data breaches and information theft. It can be misused to set up adversary infrastruture for phishing, spoofing emails and malware distribution. +action.notable.param.rule_description = The following analytic detects the addition of a new federated domain in an organization's Office 365 environment. Identifies instances where a new federated domain is added to the organization's Office 365 configuration and helps to take immediate action to mitigate the risks, prevent further unauthorized access, and protect the organization's data and systems. The detection is made by the Splunk query `o365_management_activity` with the parameters `Workload=Exchange` and `Operation="Add-FederatedDomain"`, which analyzes the management activity logs in Office 365 and filters for the specific operation to add a federated domain. The detection is important because identifying the addition of a new federated domain can indicate potential unauthorized access or compromise of the organization's Office 365 environment. A new Federated domain can be added by an attacker to gain unauthorized access, exfiltrate data, or carry out other malicious activity, which can lead to data breaches, unauthorized access to sensitive information, or compromise of the organization's systems and infrastructure. Next steps include viewing the details of the added federated domain, including the organization name, originating server, user ID, and user key. You must also capture and analyze any relevant on-disk artifacts. 
Additionally, you must identify the source of the attack by looking for concurrent processes or other indicators of compromise.
 action.notable.param.rule_title = O365 New Federated Domain Added
 action.notable.param.security_domain = threat
 action.notable.param.severity = high
@@ -9886,10 +9885,10 @@ search = `o365_management_activity` Operation=Add-MailboxPermission | spath inpu [ESCU - O365 Suspicious User Email Forwarding - Rule] action.escu = 0 action.escu.enabled = 1 -description = This search detects when multiple user configured a forwarding rule to the same destination. +description = The following analytic detects when multiple users have configured a forwarding rule to the same destination to proactively identify and investigate potential security risks related to email forwarding and take appropriate actions to protect the organization's data and prevent unauthorized access or data breaches. This detection is made by a Splunk query to O365 management activity logs with the operation `Set-Mailbox` to gather information about mailbox configurations. Then, the query uses the `spath` function to extract the parameters and rename the "Identity" field as "src_user" and searches for entries where the "ForwardingSmtpAddress" field is not empty, which indicates the presence of a forwarding rule. Next, the analytic uses the `stats` command to group the results by the forwarding email address and count the number of unique source users (`src_user`). Finally, it filters the results and only retains entries where the count of source users (`count_src_user`) is greater than 1, which indicates that multiple users have set up forwarding rules to the same destination. This detection is important because it suggests that multiple users are forwarding emails to the same destination without proper authorization, which can lead to the exposure of sensitive information, loss of data control, or unauthorized access to confidential emails. Investigating and addressing this issue promptly can help prevent data breaches and mitigate potential damage.indicates a potential security risk since multiple users forwarding emails to the same destination can be a sign of unauthorized access, data exfiltration, or a compromised account. 
Additionally, it also helps to determine if the forwarding rules are legitimate or if they indicate a security incident. False positives can occur if there are legitimate reasons for multiple users to forward emails to the same destination, such as a shared mailbox or a team collaboration scenario. Next steps include further investigation and context analysis to determine the legitimacy of the forwarding rules. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114.003", "T1114"], "nist": ["DE.AE"]} action.escu.data_models = [] -action.escu.eli5 = This search detects when multiple user configured a forwarding rule to the same destination. +action.escu.eli5 = The following analytic detects when multiple users have configured a forwarding rule to the same destination to proactively identify and investigate potential security risks related to email forwarding and take appropriate actions to protect the organization's data and prevent unauthorized access or data breaches. This detection is made by a Splunk query to O365 management activity logs with the operation `Set-Mailbox` to gather information about mailbox configurations. Then, the query uses the `spath` function to extract the parameters and rename the "Identity" field as "src_user" and searches for entries where the "ForwardingSmtpAddress" field is not empty, which indicates the presence of a forwarding rule. Next, the analytic uses the `stats` command to group the results by the forwarding email address and count the number of unique source users (`src_user`). Finally, it filters the results and only retains entries where the count of source users (`count_src_user`) is greater than 1, which indicates that multiple users have set up forwarding rules to the same destination. 
This detection is important because it suggests that multiple users are forwarding emails to the same destination without proper authorization, which can lead to the exposure of sensitive information, loss of data control, or unauthorized access to confidential emails. Investigating and addressing this issue promptly can help prevent data breaches and mitigate potential damage.indicates a potential security risk since multiple users forwarding emails to the same destination can be a sign of unauthorized access, data exfiltration, or a compromised account. Additionally, it also helps to determine if the forwarding rules are legitimate or if they indicate a security incident. False positives can occur if there are legitimate reasons for multiple users to forward emails to the same destination, such as a shared mailbox or a team collaboration scenario. Next steps include further investigation and context analysis to determine the legitimacy of the forwarding rules. action.escu.how_to_implement = You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity action.escu.known_false_positives = unknown action.escu.creation_date = 2020-12-16 
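Review bot: The new `description` has a paste seam at `mitigate potential damage.indicates a potential security risk since ...`: a missing space and a clause with no subject. Either delete the fragment or turn it into a sentence, e.g. `This activity indicates a potential security risk, since multiple users forwarding to the same destination can be a sign of unauthorized access, data exfiltration or a compromised account.`; the same seam is present in `action.escu.eli5`. The description now states that shared mailboxes and team-collaboration setups produce false positives, yet `action.escu.known_false_positives = unknown` is left unchanged in this hunk; update it to match, e.g. `action.escu.known_false_positives = Shared mailboxes or team collaboration scenarios can legitimately cause multiple users to forward to the same destination.`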
@@ -13353,10 +13352,10 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime [ESCU - Access LSASS Memory for Dump Creation - Rule] action.escu = 0 action.escu.enabled = 1 -description = The following analytic is designed to detect potentially malicious activities involving the Local Security Authority Subsystem Service (LSASS) process. Specifically, it identifies when the LSASS process memory is being dumped, an action often associated with credential dumping attacks. This analytic leverages Sysmon logs, particularly those with EventCode 10 related to lsass.exe. It searches for indicators of LSASS memory dumping, such as specific call traces to dbgcore.dll and dbghelp.dll. While memory dumps can be legitimate administrative tasks, LSASS memory dumps are typically unusual and warrant investigation. To implement this analytic, ensure your Sysmon setup includes EventCode 10 logging for lsass.exe and customize the provided macros (sysmon and post-filter macro) to match your specific Splunk environment configuration. +description = The following analytic detects the dumping of the LSASS process memory, which occurs during credential dumping attacks.The detection is made by using Sysmon logs, specifically EventCode 10, which is related to lsass.exe. This helps to search for indicators of LSASS memory dumping such as specific call traces to dbgcore.dll and dbghelp.dll. This detection is important because it prevents credential dumping attacks and the theft of sensitive information such as login credentials, which can be used to gain unauthorized access to systems and data. False positives might occur due to legitimate administrative tasks. Next steps include reviewing and investigating each case, given the high risk associated with potential credential dumping attacks. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]} action.escu.data_models = [] -action.escu.eli5 = The following analytic is designed to detect potentially malicious activities involving the Local Security Authority Subsystem Service (LSASS) process. Specifically, it identifies when the LSASS process memory is being dumped, an action often associated with credential dumping attacks. This analytic leverages Sysmon logs, particularly those with EventCode 10 related to lsass.exe. It searches for indicators of LSASS memory dumping, such as specific call traces to dbgcore.dll and dbghelp.dll. While memory dumps can be legitimate administrative tasks, LSASS memory dumps are typically unusual and warrant investigation. To implement this analytic, ensure your Sysmon setup includes EventCode 10 logging for lsass.exe and customize the provided macros (sysmon and post-filter macro) to match your specific Splunk environment configuration. +action.escu.eli5 = The following analytic detects the dumping of the LSASS process memory, which occurs during credential dumping attacks.The detection is made by using Sysmon logs, specifically EventCode 10, which is related to lsass.exe. This helps to search for indicators of LSASS memory dumping such as specific call traces to dbgcore.dll and dbghelp.dll. This detection is important because it prevents credential dumping attacks and the theft of sensitive information such as login credentials, which can be used to gain unauthorized access to systems and data. False positives might occur due to legitimate administrative tasks. Next steps include reviewing and investigating each case, given the high risk associated with potential credential dumping attacks. action.escu.how_to_implement = This search requires Sysmon Logs and a Sysmon configuration, which includes EventCode 10 for lsass.exe. This search uses an input macro named `sysmon`. 
We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives. action.escu.known_false_positives = Administrators can create memory dumps for debugging purposes, but memory dumps of the LSASS process would be unusual. action.escu.creation_date = 2019-12-06 
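Review bot: `credential dumping attacks.The detection` in the new `description` is missing a space after the period; the same defect is in `action.escu.eli5` here and in `action.notable.param.rule_description` in the following hunk. `This detection is important because it prevents credential dumping attacks` overstates what a scheduled search does: it surfaces LSASS memory access so an analyst can respond, it does not prevent the dump; `This detection is important because it surfaces access to LSASS memory that precedes credential theft, ...` is accurate. The removed sentence about customising the `sysmon` and post-filter macros is still covered by `action.escu.how_to_implement` in this hunk, so dropping it from the description loses nothing.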
@@ -13381,7 +13380,7 @@ action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping"] schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic is designed to detect potentially malicious activities involving the Local Security Authority Subsystem Service (LSASS) process. Specifically, it identifies when the LSASS process memory is being dumped, an action often associated with credential dumping attacks. This analytic leverages Sysmon logs, particularly those with EventCode 10 related to lsass.exe. It searches for indicators of LSASS memory dumping, such as specific call traces to dbgcore.dll and dbghelp.dll. While memory dumps can be legitimate administrative tasks, LSASS memory dumps are typically unusual and warrant investigation. To implement this analytic, ensure your Sysmon setup includes EventCode 10 logging for lsass.exe and customize the provided macros (sysmon and post-filter macro) to match your specific Splunk environment configuration. +action.notable.param.rule_description = The following analytic detects the dumping of the LSASS process memory, which occurs during credential dumping attacks.The detection is made by using Sysmon logs, specifically EventCode 10, which is related to lsass.exe. This helps to search for indicators of LSASS memory dumping such as specific call traces to dbgcore.dll and dbghelp.dll. This detection is important because it prevents credential dumping attacks and the theft of sensitive information such as login credentials, which can be used to gain unauthorized access to systems and data. False positives might occur due to legitimate administrative tasks. Next steps include reviewing and investigating each case, given the high risk associated with potential credential dumping attacks. 
action.notable.param.rule_title = Access LSASS Memory for Dump Creation
 action.notable.param.security_domain = endpoint
 action.notable.param.severity = high
@@ -13751,10 +13750,10 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime [ESCU - Allow Inbound Traffic By Firewall Rule Registry - Rule] action.escu = 0 action.escu.enabled = 1 -description = This analytic detects a potential suspicious modification of firewall rule registry allowing inbound traffic in specific port with public profile. This technique was identified when an adversary wants to grant remote access to a machine by allowing the traffic in a firewall rule. +description = The following analytic detects a potential suspicious modification of firewall rule registry allowing inbound traffic in specific port with public profile. This technique was identified when an adversary wants to grant remote access to a machine by allowing the traffic in a firewall rule. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.001", "T1021"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic detects a potential suspicious modification of firewall rule registry allowing inbound traffic in specific port with public profile. This technique was identified when an adversary wants to grant remote access to a machine by allowing the traffic in a firewall rule. +action.escu.eli5 = The following analytic detects a potential suspicious modification of firewall rule registry allowing inbound traffic in specific port with public profile. This technique was identified when an adversary wants to grant remote access to a machine by allowing the traffic in a firewall rule. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. 
https://splunkbase.splunk.com/app/5709
 action.escu.known_false_positives = network admin may add/remove/modify public inbound firewall rule that may cause this rule to be triggered.
 action.escu.creation_date = 2023-03-29
@@ -13764,7 +13763,7 @@ action.escu.full_search_name = ESCU - Allow Inbound Traffic By Firewall Rule Reg
 action.escu.search_type = detection
 action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
 action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
-action.escu.analytic_story = ["Prohibited Traffic Allowed or Protocol Mismatch", "Windows Registry Abuse", "Azorult", "NjRAT"]
+action.escu.analytic_story = ["Prohibited Traffic Allowed or Protocol Mismatch", "Windows Registry Abuse", "Azorult", "NjRAT", "PlugX"]
 action.risk = 1
 action.risk.param._risk_message = Suspicious firewall allow rule modifications were detected via the registry on endpoint $dest$ by user $user$.
 action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}]
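Review bot: `allowing inbound traffic in specific port with public profile` in the new `description` (and in `action.escu.eli5` here and `action.notable.param.rule_description` in the following hunk) carries over the original's grammar; since the line is being rewritten anyway, `allowing inbound traffic on a specific port under the Public profile` reads correctly. `This technique was identified when an adversary wants to grant remote access to a machine` mixes tenses; `Adversaries use this technique to grant themselves remote access to a machine by allowing the traffic in a firewall rule.` is clearer. The `"PlugX"` addition to `action.escu.analytic_story` is mirrored in the `action.correlationsearch.annotations` JSON in the next hunk, so the two stay consistent.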
@@ -13775,11 +13774,11 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Allow Inbound Traffic By Firewall Rule Registry - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Prohibited Traffic Allowed or Protocol Mismatch", "Windows Registry Abuse", "Azorult", "NjRAT"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.001", "T1021"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Prohibited Traffic Allowed or Protocol Mismatch", "Windows Registry Abuse", "Azorult", "NjRAT", "PlugX"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.001", "T1021"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
-action.notable.param.rule_description = This analytic detects a potential suspicious modification of firewall rule registry allowing inbound traffic in specific port with public profile. This technique was identified when an adversary wants to grant remote access to a machine by allowing the traffic in a firewall rule.
+action.notable.param.rule_description = The following analytic detects a potential suspicious modification of firewall rule registry allowing inbound traffic in specific port with public profile. This technique was identified when an adversary wants to grant remote access to a machine by allowing the traffic in a firewall rule.
 action.notable.param.rule_title = Allow Inbound Traffic By Firewall Rule Registry
 action.notable.param.security_domain = endpoint
 action.notable.param.severity = high
@@ -14067,10 +14066,10 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime [ESCU - Attacker Tools On Endpoint - Rule] action.escu = 0 action.escu.enabled = 1 -description = The following analytic aims to identify the use of tools commonly exploited by cybercriminals. The use of these tools often signals nefarious activities like unauthorized access, network scanning, or data exfiltration, representing a significant threat to an organization's security infrastructure. By examining process activity on the host, particularly those processes corresponding to known attacker tool names, this analytic serves as an early warning system for potential security incidents. However, its precision must be balanced with the understanding that some administrative activities might also trigger alerts, resulting in false positives. This underlines the importance of cyber analysts having a clear understanding of typical endpoint activities and behaviors within their organization, enabling them to accurately interpret and respond to these alerts. +description = The following analytic detects the use of tools that are commonly exploited by cybercriminals since these tools are usually associated with malicious activities such as unauthorized access, network scanning, or data exfiltration and pose a significant threat to an organization's security infrastructure. It also provides enhanced visibility into potential security threats and helps to proactively detect and respond to mitigate the risks associated with cybercriminal activities. This detection is made by examining the process activity on the host, specifically focusing on processes that are known to be associated with attacker tool names. This detection is important because it acts as an early warning system for potential security incidents that allows you to respond to security incidents promptly. 
False positives might occur due to legitimate administrative activities that can resemble malicious actions. You must develop a comprehensive understanding of typical endpoint activities and behaviors within the organization to accurately interpret and respond to the alerts generated by this analytic. This ensures a proper balance between precision and minimizing false positives. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Reconnaissance"], "mitre_attack": ["T1036.005", "T1036", "T1003", "T1595"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic aims to identify the use of tools commonly exploited by cybercriminals. The use of these tools often signals nefarious activities like unauthorized access, network scanning, or data exfiltration, representing a significant threat to an organization's security infrastructure. By examining process activity on the host, particularly those processes corresponding to known attacker tool names, this analytic serves as an early warning system for potential security incidents. However, its precision must be balanced with the understanding that some administrative activities might also trigger alerts, resulting in false positives. This underlines the importance of cyber analysts having a clear understanding of typical endpoint activities and behaviors within their organization, enabling them to accurately interpret and respond to these alerts. +action.escu.eli5 = The following analytic detects the use of tools that are commonly exploited by cybercriminals since these tools are usually associated with malicious activities such as unauthorized access, network scanning, or data exfiltration and pose a significant threat to an organization's security infrastructure. It also provides enhanced visibility into potential security threats and helps to proactively detect and respond to mitigate the risks associated with cybercriminal activities. 
This detection is made by examining the process activity on the host, specifically focusing on processes that are known to be associated with attacker tool names. This detection is important because it acts as an early warning system for potential security incidents that allows you to respond to security incidents promptly. False positives might occur due to legitimate administrative activities that can resemble malicious actions. You must develop a comprehensive understanding of typical endpoint activities and behaviors within the organization to accurately interpret and respond to the alerts generated by this analytic. This ensures a proper balance between precision and minimizing false positives. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = Some administrator activity can be potentially triggered, please add those users to the filter macro. action.escu.creation_date = 2021-11-04 
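Review bot: `tools that are commonly exploited by cybercriminals` in the new `description` misuses `exploited`; the tools are used by attackers, not exploited, so `tools commonly used by attackers` is the accurate wording (the rest of the sentence already explains what those tools are used for). `helps to proactively detect and respond to mitigate the risks` and `acts as an early warning system for potential security incidents that allows you to respond to security incidents promptly` each say the same thing twice; one clause apiece suffices. The identical text is duplicated in `action.escu.eli5` here and in `action.notable.param.rule_description` in the hunk after the next, so apply the wording change to all three copies.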
@@ -14095,7 +14094,7 @@ action.correlationsearch.annotations = {"analytic_story": ["Monitor for Unauthor schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic aims to identify the use of tools commonly exploited by cybercriminals. The use of these tools often signals nefarious activities like unauthorized access, network scanning, or data exfiltration, representing a significant threat to an organization's security infrastructure. By examining process activity on the host, particularly those processes corresponding to known attacker tool names, this analytic serves as an early warning system for potential security incidents. However, its precision must be balanced with the understanding that some administrative activities might also trigger alerts, resulting in false positives. This underlines the importance of cyber analysts having a clear understanding of typical endpoint activities and behaviors within their organization, enabling them to accurately interpret and respond to these alerts. +action.notable.param.rule_description = The following analytic detects the use of tools that are commonly exploited by cybercriminals since these tools are usually associated with malicious activities such as unauthorized access, network scanning, or data exfiltration and pose a significant threat to an organization's security infrastructure. It also provides enhanced visibility into potential security threats and helps to proactively detect and respond to mitigate the risks associated with cybercriminal activities. This detection is made by examining the process activity on the host, specifically focusing on processes that are known to be associated with attacker tool names. This detection is important because it acts as an early warning system for potential security incidents that allows you to respond to security incidents promptly. 
False positives might occur due to legitimate administrative activities that can resemble malicious actions. You must develop a comprehensive understanding of typical endpoint activities and behaviors within the organization to accurately interpret and respond to the alerts generated by this analytic. This ensures a proper balance between precision and minimizing false positives.
 action.notable.param.rule_title = Attacker Tools On Endpoint
 action.notable.param.security_domain = endpoint
 action.notable.param.severity = high
@@ -14113,10 +14112,10 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 [ESCU - Attempt To Add Certificate To Untrusted Store - Rule]
 action.escu = 0
 action.escu.enabled = 1
-description = The following analytic is designed to detect potential security threats involving the misuse of system trust. It works by detecting events where a process attempts to add a certificate to the untrusted certificate store, an action often associated with disabling security tools. The analytic uses Sysmon Event ID 1 data source, particularly focusing on process activities and command-line arguments related to 'certutil -addstore'. It's essential to ingest data that records process activity and logs containing process names and command lines for its effective operation. Be aware, sometimes administrators might legitimately perform this action. The analytic's value lies in detecting isolated or unexpected instances, indicative of potential malicious activities. Cybersecurity analysts should understand the importance of trust mechanisms and their subversion in system security.
+description = The following analytic detects whether a process is attempting to add a certificate to the untrusted certificate store, which might result in security tools being disabled. The detection is made by focusing on process activities and command-line arguments that are related to the 'certutil -addstore' command. This detection is important because it helps to identify attackers who might add a certificate to the untrusted certificate store to disable security tools and gain unauthorized access to a system. False positives might occur since legitimate reasons might exist for a process to add a certificate to the untrusted certificate store, such as system administration tasks. Next steps include conducting an extensive triage and investigation prior to taking any action. Additionally, you must understand the importance of trust and its subversion in system security.
 action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1553.004", "T1553"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
-action.escu.eli5 = The following analytic is designed to detect potential security threats involving the misuse of system trust. It works by detecting events where a process attempts to add a certificate to the untrusted certificate store, an action often associated with disabling security tools. The analytic uses Sysmon Event ID 1 data source, particularly focusing on process activities and command-line arguments related to 'certutil -addstore'. It's essential to ingest data that records process activity and logs containing process names and command lines for its effective operation. Be aware, sometimes administrators might legitimately perform this action. The analytic's value lies in detecting isolated or unexpected instances, indicative of potential malicious activities. Cybersecurity analysts should understand the importance of trust mechanisms and their subversion in system security.
+action.escu.eli5 = The following analytic detects whether a process is attempting to add a certificate to the untrusted certificate store, which might result in security tools being disabled. The detection is made by focusing on process activities and command-line arguments that are related to the 'certutil -addstore' command. This detection is important because it helps to identify attackers who might add a certificate to the untrusted certificate store to disable security tools and gain unauthorized access to a system. False positives might occur since legitimate reasons might exist for a process to add a certificate to the untrusted certificate store, such as system administration tasks. Next steps include conducting an extensive triage and investigation prior to taking any action. Additionally, you must understand the importance of trust and its subversion in system security.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
 action.escu.known_false_positives = There may be legitimate reasons for administrators to add a certificate to the untrusted certificate store. In such cases, this will typically be done on a large number of systems.
 action.escu.creation_date = 2021-09-16
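Review bot: The rewritten `description` (and the identical `action.escu.eli5`) drops the one triage cue the old text carried and that `action.escu.known_false_positives` in this hunk still states: a legitimate administrative addition to the untrusted store is typically done on a large number of systems at once, so an isolated or unexpected instance is the case that deserves attention. As written, the false-positive sentence only says administration tasks may trigger the alert, which leaves the analyst with no stated way to separate the two. Suggest replacing the next-steps sentence with `Next steps include checking whether the same addition occurred on many hosts in the same window; an isolated or unexpected instance warrants an extensive triage and investigation prior to taking any action.` in both fields. The same wording is repeated in the `rule_description` hunk below (`@@ -14141`).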
@@ -14141,7 +14140,7 @@ action.correlationsearch.annotations = {"analytic_story": ["Disabling Security T
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
-action.notable.param.rule_description = The following analytic is designed to detect potential security threats involving the misuse of system trust. It works by detecting events where a process attempts to add a certificate to the untrusted certificate store, an action often associated with disabling security tools. The analytic uses Sysmon Event ID 1 data source, particularly focusing on process activities and command-line arguments related to 'certutil -addstore'. It's essential to ingest data that records process activity and logs containing process names and command lines for its effective operation. Be aware, sometimes administrators might legitimately perform this action. The analytic's value lies in detecting isolated or unexpected instances, indicative of potential malicious activities. Cybersecurity analysts should understand the importance of trust mechanisms and their subversion in system security.
+action.notable.param.rule_description = The following analytic detects whether a process is attempting to add a certificate to the untrusted certificate store, which might result in security tools being disabled. The detection is made by focusing on process activities and command-line arguments that are related to the 'certutil -addstore' command. This detection is important because it helps to identify attackers who might add a certificate to the untrusted certificate store to disable security tools and gain unauthorized access to a system. False positives might occur since legitimate reasons might exist for a process to add a certificate to the untrusted certificate store, such as system administration tasks. Next steps include conducting an extensive triage and investigation prior to taking any action. Additionally, you must understand the importance of trust and its subversion in system security.
 action.notable.param.rule_title = Attempt To Add Certificate To Untrusted Store
 action.notable.param.security_domain = endpoint
 action.notable.param.severity = high
@@ -14159,10 +14158,10 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 [ESCU - Attempt To Stop Security Service - Rule]
 action.escu = 0
 action.escu.enabled = 1
-description = This search looks for attempts to stop security-related services on the endpoint.
+description = The following analytic detects attempts to stop security-related services on the endpoint and helps to mitigate potential threats earlier, thereby minimizing the impact on the organization's security. The detection is made by using a Splunk query that searches for processes that involve the "sc.exe" command and include the phrase "stop" in their command. The query collects information such as the process name, process ID, parent process, user, destination, and timestamps. The detection is important because attempts to stop security-related services can indicate malicious activity or an attacker's attempt to disable security measures. This can impact the organization's security posture and can lead to the compromise of the endpoint and potentially the entire network. Disabling security services can allow attackers to gain unauthorized access, exfiltrate sensitive data, or launch further attacks, such as malware installation or privilege escalation. False positives might occur since there might be legitimate reasons for stopping these services in certain situations. Therefore, you must exercise caution and consider the context of the activity before taking any action. Next steps include reviewing the identified process and its associated details. You must also investigate any on-disk artifacts related to the process and review concurrent processes to determine the source of the attack.
 action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
-action.escu.eli5 = This search looks for attempts to stop security-related services on the endpoint.
+action.escu.eli5 = The following analytic detects attempts to stop security-related services on the endpoint and helps to mitigate potential threats earlier, thereby minimizing the impact on the organization's security. The detection is made by using a Splunk query that searches for processes that involve the "sc.exe" command and include the phrase "stop" in their command. The query collects information such as the process name, process ID, parent process, user, destination, and timestamps. The detection is important because attempts to stop security-related services can indicate malicious activity or an attacker's attempt to disable security measures. This can impact the organization's security posture and can lead to the compromise of the endpoint and potentially the entire network. Disabling security services can allow attackers to gain unauthorized access, exfiltrate sensitive data, or launch further attacks, such as malware installation or privilege escalation. False positives might occur since there might be legitimate reasons for stopping these services in certain situations. Therefore, you must exercise caution and consider the context of the activity before taking any action. Next steps include reviewing the identified process and its associated details. You must also investigate any on-disk artifacts related to the process and review concurrent processes to determine the source of the attack.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
 action.escu.known_false_positives = None identified. Attempts to disable security-related services should be identified and understood.
 action.escu.creation_date = 2023-06-13
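Review bot: The new `description` (and `action.escu.eli5`) says false positives might occur because there might be legitimate reasons for stopping these services, but `action.escu.known_false_positives` in the same hunk still says `None identified.`, so the two fields of the same rule now contradict each other. Either align the second field, e.g. `action.escu.known_false_positives = Administrators may stop security-related services during maintenance or upgrades. Attempts to disable security-related services should be identified and understood.`, or drop the false-positive sentence from the description. The claim that the query collects `process ID` and `destination` cannot be checked here because the `search` line is outside the hunk. The same description text is repeated in the `rule_description` hunk at `@@ -14187`.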
@@ -14187,7 +14186,7 @@ action.correlationsearch.annotations = {"analytic_story": ["WhisperGate", "Grace
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
-action.notable.param.rule_description = This search looks for attempts to stop security-related services on the endpoint.
+action.notable.param.rule_description = The following analytic detects attempts to stop security-related services on the endpoint and helps to mitigate potential threats earlier, thereby minimizing the impact on the organization's security. The detection is made by using a Splunk query that searches for processes that involve the "sc.exe" command and include the phrase "stop" in their command. The query collects information such as the process name, process ID, parent process, user, destination, and timestamps. The detection is important because attempts to stop security-related services can indicate malicious activity or an attacker's attempt to disable security measures. This can impact the organization's security posture and can lead to the compromise of the endpoint and potentially the entire network. Disabling security services can allow attackers to gain unauthorized access, exfiltrate sensitive data, or launch further attacks, such as malware installation or privilege escalation. False positives might occur since there might be legitimate reasons for stopping these services in certain situations. Therefore, you must exercise caution and consider the context of the activity before taking any action. Next steps include reviewing the identified process and its associated details. You must also investigate any on-disk artifacts related to the process and review concurrent processes to determine the source of the attack.
 action.notable.param.rule_title = Attempt To Stop Security Service
 action.notable.param.security_domain = endpoint
 action.notable.param.severity = high
@@ -15092,13 +15091,13 @@ action.escu.full_search_name = ESCU - CMD Carry Out String Command Parameter - R
 action.escu.search_type = detection
 action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
 action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
-action.escu.analytic_story = ["ProxyNotShell", "Qakbot", "Winter Vivern", "DarkCrystal RAT", "AsyncRAT", "Log4Shell CVE-2021-44228", "Hermetic Wiper", "Chaos Ransomware", "IcedID", "WhisperGate", "Data Destruction", "Living Off The Land", "Azorult", "Data Destruction", "Warzone RAT", "NjRAT"]
+action.escu.analytic_story = ["ProxyNotShell", "Qakbot", "Winter Vivern", "DarkCrystal RAT", "AsyncRAT", "Log4Shell CVE-2021-44228", "Hermetic Wiper", "Chaos Ransomware", "IcedID", "WhisperGate", "Data Destruction", "Living Off The Land", "Azorult", "Data Destruction", "Warzone RAT", "NjRAT", "PlugX"]
 cron_schedule = 0 * * * *
 dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - CMD Carry Out String Command Parameter - Rule
-action.correlationsearch.annotations = {"analytic_story": ["ProxyNotShell", "Qakbot", "Winter Vivern", "DarkCrystal RAT", "AsyncRAT", "Log4Shell CVE-2021-44228", "Hermetic Wiper", "Chaos Ransomware", "IcedID", "WhisperGate", "Data Destruction", "Living Off The Land", "Azorult", "Data Destruction", "Warzone RAT", "NjRAT"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2021-44228"], "impact": 60, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.003", "T1059"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["ProxyNotShell", "Qakbot", "Winter Vivern", "DarkCrystal RAT", "AsyncRAT", "Log4Shell CVE-2021-44228", "Hermetic Wiper", "Chaos Ransomware", "IcedID", "WhisperGate", "Data Destruction", "Living Off The Land", "Azorult", "Data Destruction", "Warzone RAT", "NjRAT", "PlugX"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2021-44228"], "impact": 60, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.003", "T1059"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -15206,10 +15205,10 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 [ESCU - CMLUA Or CMSTPLUA UAC Bypass - Rule]
 action.escu = 0
 action.escu.enabled = 1
-description = This analytic detects a potential process using COM Object like CMLUA or CMSTPLUA to bypass UAC. This technique has been used by ransomware adversaries to gain administrative privileges to its running process.
+description = The following analytic detects a potential process using COM Object like CMLUA or CMSTPLUA to bypass UAC. This technique has been used by ransomware adversaries to gain administrative privileges to its running process.
 action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.003"], "nist": ["DE.CM"]}
 action.escu.data_models = []
-action.escu.eli5 = This analytic detects a potential process using COM Object like CMLUA or CMSTPLUA to bypass UAC. This technique has been used by ransomware adversaries to gain administrative privileges to its running process.
+action.escu.eli5 = The following analytic detects a potential process using COM Object like CMLUA or CMSTPLUA to bypass UAC. This technique has been used by ransomware adversaries to gain administrative privileges to its running process.
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
 action.escu.known_false_positives = Legitimate windows application that are not on the list loading this dll. Filter as needed.
 action.escu.creation_date = 2021-05-13
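Review bot: `"Data Destruction"` appears twice in the rewritten `action.escu.analytic_story` list and twice again in the `analytic_story` array inside `action.correlationsearch.annotations`; the commit appends `"PlugX"` to both lists but leaves the duplicate in place, so any consumer that does not deduplicate the list counts that story twice. Suggest dropping the second occurrence on both lines so each list ends `"Living Off The Land", "Azorult", "Warzone RAT", "NjRAT", "PlugX"]`. If this `.conf` is build output generated from the detection's source definition, the duplicate should be removed there as well so it does not return on the next build.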
@@ -15234,7 +15233,7 @@ action.correlationsearch.annotations = {"analytic_story": ["DarkSide Ransomware"
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
-action.notable.param.rule_description = This analytic detects a potential process using COM Object like CMLUA or CMSTPLUA to bypass UAC. This technique has been used by ransomware adversaries to gain administrative privileges to its running process.
+action.notable.param.rule_description = The following analytic detects a potential process using COM Object like CMLUA or CMSTPLUA to bypass UAC. This technique has been used by ransomware adversaries to gain administrative privileges to its running process.
 action.notable.param.rule_title = CMLUA Or CMSTPLUA UAC Bypass
 action.notable.param.security_domain = endpoint
 action.notable.param.severity = high
@@ -15301,10 +15300,10 @@ search = `sysmon` EventID=17 OR EventID=18 PipeName IN (\\msagent_*, \\DserNameP
 [ESCU - Common Ransomware Extensions - Rule]
 action.escu = 0
 action.escu.enabled = 1
-description = The search looks for file modifications with extensions commonly used by Ransomware
+description = The following analytic detects Searches for file modifications that commonly occur with Ransomware to detect modifications to files with extensions that are commonly used by Ransomware. The detection is made by searches for changes in the datamodel=Endpoint.Filesystem, specifically modifications to file extensions that match those commonly used by Ransomware. The detection is important because it suggests that an attacker is attempting to encrypt or otherwise modify files in the environment using malware, potentially leading to data loss that can cause significant damage to an organization's data and systems. False positives might occur so the SOC must investigate the affected system to determine the source of the modification and take appropriate action to contain and remediate the attack.
 action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
-action.escu.eli5 = The search looks for file modifications with extensions commonly used by Ransomware
+action.escu.eli5 = The following analytic detects Searches for file modifications that commonly occur with Ransomware to detect modifications to files with extensions that are commonly used by Ransomware. The detection is made by searches for changes in the datamodel=Endpoint.Filesystem, specifically modifications to file extensions that match those commonly used by Ransomware. The detection is important because it suggests that an attacker is attempting to encrypt or otherwise modify files in the environment using malware, potentially leading to data loss that can cause significant damage to an organization's data and systems. False positives might occur so the SOC must investigate the affected system to determine the source of the modification and take appropriate action to contain and remediate the attack.
 action.escu.how_to_implement = You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint Filesystem data model node. To see the additional metadata, add the following fields, if not already present, please review the detailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`
 action.escu.known_false_positives = It is possible for a legitimate file with these extensions to be created. If this is a true ransomware attack, there will be a large number of files created with these extensions.
 action.escu.creation_date = 2022-11-10
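Review bot: The rewritten `description` (and the identical `action.escu.eli5`) is ungrammatical in its first two sentences — `detects Searches for file modifications that commonly occur with Ransomware to detect modifications` and `The detection is made by searches for changes in the datamodel=Endpoint.Filesystem` — which reads like a template fragment merged with the old one-line text. Suggest `description = The following analytic detects modifications to files whose extensions are commonly used by ransomware. The detection is made by searching the Endpoint.Filesystem data model for file modifications with extensions that match those commonly used by ransomware.` followed by the existing importance and false-positive sentences, and the same for `action.escu.eli5`. The `known_false_positives` line already gives the useful volume cue (a true ransomware event creates a large number of such files); the description's generic `the SOC must investigate` sentence could carry that cue instead. The `rule_description` hunk for this rule is not in view.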
@@ -15463,10 +15462,10 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 [ESCU - Create local admin accounts using net exe - Rule]
 action.escu = 0
 action.escu.enabled = 1
-description = This search looks for the creation of local administrator accounts using net.exe .
+description = The following analytic detects the creation of local administrator accounts using the net.exe command to mitigate the risks associated with unauthorized access and prevent further damage to the environment by responding to potential threats earlier and taking appropriate actions to protect the organization's systems and data. This detection is made by a Splunk query to search for processes with the name net.exe or net1.exe that include the "/add" parameter and have specific keywords related to administrator accounts in their process name. This detection is important because the creation of unauthorized local administrator accounts might indicate that an attacker has successfully created a new administrator account and is trying to gain persistent access to a system or escalate their privileges for data theft, or other malicious activities. False positives might occur since there might be legitimate uses of the net.exe command and the creation of administrator accounts in certain circumstances. You must consider the context of the activity and other indicators of compromise before taking any action. For next steps, review the details of the identified process, including the user, parent process, and parent process name. Examine any relevant on-disk artifacts and look for concurrent processes to determine the source of the attack.
 action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.001", "T1136"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
-action.escu.eli5 = This search looks for the creation of local administrator accounts using net.exe .
+action.escu.eli5 = The following analytic detects the creation of local administrator accounts using the net.exe command to mitigate the risks associated with unauthorized access and prevent further damage to the environment by responding to potential threats earlier and taking appropriate actions to protect the organization's systems and data. This detection is made by a Splunk query to search for processes with the name net.exe or net1.exe that include the "/add" parameter and have specific keywords related to administrator accounts in their process name. This detection is important because the creation of unauthorized local administrator accounts might indicate that an attacker has successfully created a new administrator account and is trying to gain persistent access to a system or escalate their privileges for data theft, or other malicious activities. False positives might occur since there might be legitimate uses of the net.exe command and the creation of administrator accounts in certain circumstances. You must consider the context of the activity and other indicators of compromise before taking any action. For next steps, review the details of the identified process, including the user, parent process, and parent process name. Examine any relevant on-disk artifacts and look for concurrent processes to determine the source of the attack.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
 action.escu.known_false_positives = Administrators often leverage net.exe to create admin accounts.
 action.escu.creation_date = 2021-09-08
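Review bot: The rewritten `description` and `action.escu.eli5` say the query matches processes that `include the "/add" parameter and have specific keywords related to administrator accounts in their process name`; `/add` is an argument to `net.exe`, so the keywords presumably apply to the command line rather than the process name — the `search` line is outside the hunk, so this cannot be confirmed here. If that is the case, change both lines to `...that include the "/add" parameter and have keywords related to administrator accounts in their command line.` The same text is repeated in the `rule_description` hunk at `@@ -15491`.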
@@ -15491,7 +15490,7 @@ action.correlationsearch.annotations = {"analytic_story": ["DHS Report TA18-074A
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
-action.notable.param.rule_description = This search looks for the creation of local administrator accounts using net.exe .
+action.notable.param.rule_description = The following analytic detects the creation of local administrator accounts using the net.exe command to mitigate the risks associated with unauthorized access and prevent further damage to the environment by responding to potential threats earlier and taking appropriate actions to protect the organization's systems and data. This detection is made by a Splunk query to search for processes with the name net.exe or net1.exe that include the "/add" parameter and have specific keywords related to administrator accounts in their process name. This detection is important because the creation of unauthorized local administrator accounts might indicate that an attacker has successfully created a new administrator account and is trying to gain persistent access to a system or escalate their privileges for data theft, or other malicious activities. False positives might occur since there might be legitimate uses of the net.exe command and the creation of administrator accounts in certain circumstances. You must consider the context of the activity and other indicators of compromise before taking any action. For next steps, review the details of the identified process, including the user, parent process, and parent process name. Examine any relevant on-disk artifacts and look for concurrent processes to determine the source of the attack.
 action.notable.param.rule_title = Create local admin accounts using net exe
 action.notable.param.security_domain = endpoint
 action.notable.param.severity = high
@@ -15509,10 +15508,10 @@ search = | tstats `security_content_summariesonly` count values(Processes.user)
 [ESCU - Create or delete windows shares using net exe - Rule]
 action.escu = 0
 action.escu.enabled = 1
-description = This search looks for the creation or deletion of hidden shares using net.exe.
+description = The following analytic detects the creation or deletion of hidden shares using the net.exe command for prompt response and mitigation to enhance the overall security posture of the organization and protect against potential data breaches, malware infections, and other damaging outcomes. This detection is made by searching for processes that involve the use of net.exe and filters for actions related to creation or deletion of shares. This detection is important because it suggests that an attacker is attempting to manipulate or exploit the network by creating or deleting hidden shares. The creation or deletion of hidden shares can indicate malicious activity since attackers might use hidden shares to exfiltrate data, distribute malware, or establish persistence within a network. The impact of such an attack can vary, but it often involves unauthorized access to sensitive information, disruption of services, or the introduction of malware. False positives might occur since legitimate actions can also involve the use of net.exe. An extensive triage and investigation is necessary to determine the intent and nature of the detected activity. Next steps include reviewing the details of the process involving the net.exe command, including the user, parent process, and timestamps during the triage. Additionally, capture and inspect any relevant on-disk artifacts and review concurrent processes to identify the source of the attack.
 action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070", "T1070.005"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
-action.escu.eli5 = This search looks for the creation or deletion of hidden shares using net.exe.
+action.escu.eli5 = The following analytic detects the creation or deletion of hidden shares using the net.exe command for prompt response and mitigation to enhance the overall security posture of the organization and protect against potential data breaches, malware infections, and other damaging outcomes. This detection is made by searching for processes that involve the use of net.exe and filters for actions related to creation or deletion of shares. This detection is important because it suggests that an attacker is attempting to manipulate or exploit the network by creating or deleting hidden shares. The creation or deletion of hidden shares can indicate malicious activity since attackers might use hidden shares to exfiltrate data, distribute malware, or establish persistence within a network. The impact of such an attack can vary, but it often involves unauthorized access to sensitive information, disruption of services, or the introduction of malware. False positives might occur since legitimate actions can also involve the use of net.exe. An extensive triage and investigation is necessary to determine the intent and nature of the detected activity. Next steps include reviewing the details of the process involving the net.exe command, including the user, parent process, and timestamps during the triage. Additionally, capture and inspect any relevant on-disk artifacts and review concurrent processes to identify the source of the attack.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
 action.escu.known_false_positives = Administrators often leverage net.exe to create or delete network shares. You should verify that the activity was intentional and is legitimate.
 action.escu.creation_date = 2020-09-16
@@ -15537,7 +15536,7 @@ action.correlationsearch.annotations = {"analytic_story": ["Hidden Cobra Malware
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
-action.notable.param.rule_description = This search looks for the creation or deletion of hidden shares using net.exe.
+action.notable.param.rule_description = The following analytic detects the creation or deletion of hidden shares using the net.exe command for prompt response and mitigation to enhance the overall security posture of the organization and protect against potential data breaches, malware infections, and other damaging outcomes. This detection is made by searching for processes that involve the use of net.exe and filters for actions related to creation or deletion of shares. This detection is important because it suggests that an attacker is attempting to manipulate or exploit the network by creating or deleting hidden shares. The creation or deletion of hidden shares can indicate malicious activity since attackers might use hidden shares to exfiltrate data, distribute malware, or establish persistence within a network. The impact of such an attack can vary, but it often involves unauthorized access to sensitive information, disruption of services, or the introduction of malware. False positives might occur since legitimate actions can also involve the use of net.exe. An extensive triage and investigation is necessary to determine the intent and nature of the detected activity. Next steps include reviewing the details of the process involving the net.exe command, including the user, parent process, and timestamps during the triage. Additionally, capture and inspect any relevant on-disk artifacts and review concurrent processes to identify the source of the attack.
 action.notable.param.rule_title = Create or delete windows shares using net exe
 action.notable.param.security_domain = endpoint
 action.notable.param.severity = high
@@ -15601,10 +15600,10 @@ search = `sysmon` EventCode=8 TargetImage IN ("*\\cmd.exe", "*\\powershell*") |
 [ESCU - Create Remote Thread into LSASS - Rule]
 action.escu = 0
 action.escu.enabled = 1
-description = The following analytic developed to detect potential credential dumping attacks where a remote thread is created in the Local Security Authority Subsystem Service (LSASS). Credential dumping, a common tactic used by adversaries to steal user authentication credentials, is a significant threat to network security. The analytic leverages Sysmon Event ID 8 logs and looks for processes creating remote threads in lsass.exe, an unusual activity generally linked to credential theft. The confidence level in this alert is high, but it's worth noting that there might be cases where legitimate tools can access LSASS, generating similar logs. As an analyst, it is critical to understand the broader context of such events and differentiate between legitimate activities and possible threats.
+description = The following analytic detects the creation of a remote thread in the Local Security Authority Subsystem Service (LSASS), which is a common tactic used by adversaries to steal user authentication credentials, known as credential dumping. The detection is made by leveraging Sysmon Event ID 8 logs and searches for processes that create remote threads in lsass.exe. This is an unusual activity that is generally linked to credential theft or credential dumping, which is a significant threat to network security. The detection is important because it helps to detect potential credential dumping attacks, which can result in significant damage to an organization's security. False positives might occur though the confidence level of this alert is high. There might be cases where legitimate tools can access LSASS and generate similar logs. Therefore, you must understand the broader context of such events and differentiate between legitimate activities and possible threats.
 action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]}
 action.escu.data_models = []
-action.escu.eli5 = The following analytic developed to detect potential credential dumping attacks where a remote thread is created in the Local Security Authority Subsystem Service (LSASS). Credential dumping, a common tactic used by adversaries to steal user authentication credentials, is a significant threat to network security. The analytic leverages Sysmon Event ID 8 logs and looks for processes creating remote threads in lsass.exe, an unusual activity generally linked to credential theft. The confidence level in this alert is high, but it's worth noting that there might be cases where legitimate tools can access LSASS, generating similar logs. As an analyst, it is critical to understand the broader context of such events and differentiate between legitimate activities and possible threats.
+action.escu.eli5 = The following analytic detects the creation of a remote thread in the Local Security Authority Subsystem Service (LSASS), which is a common tactic used by adversaries to steal user authentication credentials, known as credential dumping. The detection is made by leveraging Sysmon Event ID 8 logs and searches for processes that create remote threads in lsass.exe. This is an unusual activity that is generally linked to credential theft or credential dumping, which is a significant threat to network security. The detection is important because it helps to detect potential credential dumping attacks, which can result in significant damage to an organization's security. False positives might occur though the confidence level of this alert is high. There might be cases where legitimate tools can access LSASS and generate similar logs. Therefore, you must understand the broader context of such events and differentiate between legitimate activities and possible threats.
 action.escu.how_to_implement = This search needs Sysmon Logs with a Sysmon configuration, which includes EventCode 8 with lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.
 action.escu.known_false_positives = Other tools can access LSASS for legitimate reasons and generate an event. In these cases, tweaking the search may help eliminate noise.
 action.escu.creation_date = 2019-12-06
@@ -15629,7 +15628,7 @@ action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping"]
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
-action.notable.param.rule_description = The following analytic developed to detect potential credential dumping attacks where a remote thread is created in the Local Security Authority Subsystem Service (LSASS). Credential dumping, a common tactic used by adversaries to steal user authentication credentials, is a significant threat to network security. The analytic leverages Sysmon Event ID 8 logs and looks for processes creating remote threads in lsass.exe, an unusual activity generally linked to credential theft. The confidence level in this alert is high, but it's worth noting that there might be cases where legitimate tools can access LSASS, generating similar logs. As an analyst, it is critical to understand the broader context of such events and differentiate between legitimate activities and possible threats.
+action.notable.param.rule_description = The following analytic detects the creation of a remote thread in the Local Security Authority Subsystem Service (LSASS), which is a common tactic used by adversaries to steal user authentication credentials, known as credential dumping. The detection is made by leveraging Sysmon Event ID 8 logs and searches for processes that create remote threads in lsass.exe. This is an unusual activity that is generally linked to credential theft or credential dumping, which is a significant threat to network security. The detection is important because it helps to detect potential credential dumping attacks, which can result in significant damage to an organization's security. False positives might occur though the confidence level of this alert is high. There might be cases where legitimate tools can access LSASS and generate similar logs. Therefore, you must understand the broader context of such events and differentiate between legitimate activities and possible threats.
 action.notable.param.rule_title = Create Remote Thread into LSASS
 action.notable.param.security_domain = endpoint
 action.notable.param.severity = high
@@ -15739,10 +15738,10 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 [ESCU - Creation of Shadow Copy with wmic and powershell - Rule]
 action.escu = 0
 action.escu.enabled = 1
-description = This search detects the use of wmic and Powershell to create a shadow copy.
+description = The following analytic detects the use of two specific tools, wmic and Powershell, to create a shadow copy to identify potential threats earlier and take appropriate actions to mitigate the risks. This detection is made by a Splunk query that searches for processes in the Endpoint.Processes data model where either the process name contains "wmic" or "Powershell" and the process command contains "shadowcopy" and "create". This detection is important because it suggests that an attacker is attempting to manipulate or access data in an unauthorized manner, which can lead to data theft, data manipulation, or other malicious activities. Attackers might use shadow copies to backup and exfiltrate sensitive data or to hide their tracks by restoring files to a previous state after an attack. Next steps include reviewing the user associated with the process, the process name, the original file name, the process command, and the destination of the process. Additionally, examine any relevant on-disk artifacts and review other concurrent processes to determine the source of the attack.
 action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
-action.escu.eli5 = This search detects the use of wmic and Powershell to create a shadow copy.
+action.escu.eli5 = The following analytic detects the use of two specific tools, wmic and Powershell, to create a shadow copy to identify potential threats earlier and take appropriate actions to mitigate the risks. This detection is made by a Splunk query that searches for processes in the Endpoint.Processes data model where either the process name contains "wmic" or "Powershell" and the process command contains "shadowcopy" and "create". This detection is important because it suggests that an attacker is attempting to manipulate or access data in an unauthorized manner, which can lead to data theft, data manipulation, or other malicious activities. Attackers might use shadow copies to backup and exfiltrate sensitive data or to hide their tracks by restoring files to a previous state after an attack. Next steps include reviewing the user associated with the process, the process name, the original file name, the process command, and the destination of the process. Additionally, examine any relevant on-disk artifacts and review other concurrent processes to determine the source of the attack.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
 action.escu.known_false_positives = Legtimate administrator usage of wmic to create a shadow copy.
 action.escu.creation_date = 2021-09-16
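Review bot: The first sentence of the new `description` (and of `action.escu.eli5`, which continues onto the next line) attaches the purpose clause to the attacker's action, so it reads as if the shadow copy is created "to identify potential threats earlier". The second sentence already says the query matches either process name, so the opener could be `The following analytic detects the use of wmic or Powershell to create a shadow copy, so that potential threats can be identified earlier and mitigated.` The same sentence recurs in the `action.notable.param.rule_description` hunk that follows, so all three copies need the rewording.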
@@ -15767,7 +15766,7 @@ action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping",
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
-action.notable.param.rule_description = This search detects the use of wmic and Powershell to create a shadow copy.
+action.notable.param.rule_description = The following analytic detects the use of two specific tools, wmic and Powershell, to create a shadow copy to identify potential threats earlier and take appropriate actions to mitigate the risks. This detection is made by a Splunk query that searches for processes in the Endpoint.Processes data model where either the process name contains "wmic" or "Powershell" and the process command contains "shadowcopy" and "create". This detection is important because it suggests that an attacker is attempting to manipulate or access data in an unauthorized manner, which can lead to data theft, data manipulation, or other malicious activities. Attackers might use shadow copies to backup and exfiltrate sensitive data or to hide their tracks by restoring files to a previous state after an attack. Next steps include reviewing the user associated with the process, the process name, the original file name, the process command, and the destination of the process. Additionally, examine any relevant on-disk artifacts and review other concurrent processes to determine the source of the attack.
 action.notable.param.rule_title = Creation of Shadow Copy with wmic and powershell
 action.notable.param.security_domain = endpoint
 action.notable.param.severity = high
@@ -15785,10 +15784,10 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 [ESCU - Credential Dumping via Copy Command from Shadow Copy - Rule]
 action.escu = 0
 action.escu.enabled = 1
-description = This search detects credential dumping using copy command from a shadow copy.
+description = The following analytic detects the use of the copy command to dump credentials from a shadow copy so that you can detect potential threats earlier and mitigate the risks associated with credential dumping. The detection is made by using a Splunk query to search for specific processes that indicate credential dumping activity. The query looks for processes with command lines that include references to certain files, such as "sam", "security", "system", and "ntds.dit", located in system directories like "system32" or "windows". The detection is important because it suggests that an attacker is attempting to extract credentials from a shadow copy. Credential dumping is a common technique used by attackers to obtain sensitive login information and gain unauthorized access to systems to escalate privileges, move laterally within the network, or gain unauthorized access to sensitive data. False positives might occur since legitimate processes might also reference these files. During triage, it is crucial to review the process details, including the source and the command that is run. Additionally, you must capture and analyze any relevant on-disk artifacts and investigate concurrent processes to determine the source of the attack
 action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
-action.escu.eli5 = This search detects credential dumping using copy command from a shadow copy.
+action.escu.eli5 = The following analytic detects the use of the copy command to dump credentials from a shadow copy so that you can detect potential threats earlier and mitigate the risks associated with credential dumping. The detection is made by using a Splunk query to search for specific processes that indicate credential dumping activity. The query looks for processes with command lines that include references to certain files, such as "sam", "security", "system", and "ntds.dit", located in system directories like "system32" or "windows". The detection is important because it suggests that an attacker is attempting to extract credentials from a shadow copy. Credential dumping is a common technique used by attackers to obtain sensitive login information and gain unauthorized access to systems to escalate privileges, move laterally within the network, or gain unauthorized access to sensitive data. False positives might occur since legitimate processes might also reference these files. During triage, it is crucial to review the process details, including the source and the command that is run. Additionally, you must capture and analyze any relevant on-disk artifacts and investigate concurrent processes to determine the source of the attack
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
 action.escu.known_false_positives = unknown
 action.escu.creation_date = 2021-09-16
@@ -15813,7 +15812,7 @@ action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping"]
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
-action.notable.param.rule_description = This search detects credential dumping using copy command from a shadow copy.
+action.notable.param.rule_description = The following analytic detects the use of the copy command to dump credentials from a shadow copy so that you can detect potential threats earlier and mitigate the risks associated with credential dumping. The detection is made by using a Splunk query to search for specific processes that indicate credential dumping activity. The query looks for processes with command lines that include references to certain files, such as "sam", "security", "system", and "ntds.dit", located in system directories like "system32" or "windows". The detection is important because it suggests that an attacker is attempting to extract credentials from a shadow copy. Credential dumping is a common technique used by attackers to obtain sensitive login information and gain unauthorized access to systems to escalate privileges, move laterally within the network, or gain unauthorized access to sensitive data. False positives might occur since legitimate processes might also reference these files. During triage, it is crucial to review the process details, including the source and the command that is run. Additionally, you must capture and analyze any relevant on-disk artifacts and investigate concurrent processes to determine the source of the attack
 action.notable.param.rule_title = Credential Dumping via Copy Command from Shadow Copy
 action.notable.param.security_domain = endpoint
 action.notable.param.severity = high
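Review bot: The new `description` and `action.escu.eli5` values in this hunk, and the `action.notable.param.rule_description` value in the next one, all stop mid-sentence: `...investigate concurrent processes to determine the source of the attack` has no terminating period, unlike every other rewritten description in this change. Since the three fields carry identical text, the fix presumably belongs in whatever single source these copies are generated from, so they stay in sync.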
@@ -15831,10 +15830,10 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 [ESCU - Credential Dumping via Symlink to Shadow Copy - Rule]
 action.escu = 0
 action.escu.enabled = 1
-description = This search detects the creation of a symlink to a shadow copy.
+description = The following analytic detects the creation of a symlink to a shadow copy to identify potential threats earlier and mitigate the risks associated with symlink creation to shadow copies. The detection is made by using a Splunk query that searches for processes with commands containing "mklink" and "HarddiskVolumeShadowCopy". This analytic retrieves information such as the destination, user, process name, process ID, parent process, original file name, and parent process ID from the Endpoint.Processes data model. The detection is important because it indicates potential malicious activity since attackers might use this technique to manipulate or delete shadow copies, which are used for system backup and recovery. This detection helps to determine if an attacker is attempting to cover their tracks or prevent data recovery in the event of an incident. The impact of such an attack can be significant since it can hinder incident response efforts, prevent data restoration, and potentially lead to data loss or compromise. Next steps include reviewing the details of the process, such as the destination and the user responsible for creating the symlink. Additionally, you must examine the parent process, any relevant on-disk artifacts, and concurrent processes to identify the source of the attack.
 action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
-action.escu.eli5 = This search detects the creation of a symlink to a shadow copy.
+action.escu.eli5 = The following analytic detects the creation of a symlink to a shadow copy to identify potential threats earlier and mitigate the risks associated with symlink creation to shadow copies. The detection is made by using a Splunk query that searches for processes with commands containing "mklink" and "HarddiskVolumeShadowCopy". This analytic retrieves information such as the destination, user, process name, process ID, parent process, original file name, and parent process ID from the Endpoint.Processes data model. The detection is important because it indicates potential malicious activity since attackers might use this technique to manipulate or delete shadow copies, which are used for system backup and recovery. This detection helps to determine if an attacker is attempting to cover their tracks or prevent data recovery in the event of an incident. The impact of such an attack can be significant since it can hinder incident response efforts, prevent data restoration, and potentially lead to data loss or compromise. Next steps include reviewing the details of the process, such as the destination and the user responsible for creating the symlink. Additionally, you must examine the parent process, any relevant on-disk artifacts, and concurrent processes to identify the source of the attack.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
 action.escu.known_false_positives = unknown
 action.escu.creation_date = 2021-09-16
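Review bot: The rationale in the new `description` does not match what this analytic covers: it says attackers "might use this technique to manipulate or delete shadow copies" and frames the impact as hindering recovery, yet the stanza is `[ESCU - Credential Dumping via Symlink to Shadow Copy - Rule]` and is mapped to `"mitre_attack": ["T1003.003", "T1003"]` in the same hunk. A symlink to a `HarddiskVolumeShadowCopy` path is a way to read the snapshot's copies of credential stores that are locked on the live system (the same sam/security/system/ntds.dit files the preceding copy-command stanza names), not a way to delete the snapshot, so the "important because" and "impact" sentences describe a different technique. Suggest replacing those two sentences with `The detection is important because a symlink to a shadow copy lets an attacker read the snapshot's copies of credential stores that are locked on the live system, which is a common credential dumping step that precedes privilege escalation and lateral movement.` The same text is duplicated in `action.escu.eli5` here and in `action.notable.param.rule_description` in the following hunk, so all three copies need the correction.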
@@ -15859,7 +15858,7 @@ action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping"]
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
-action.notable.param.rule_description = This search detects the creation of a symlink to a shadow copy.
+action.notable.param.rule_description = The following analytic detects the creation of a symlink to a shadow copy to identify potential threats earlier and mitigate the risks associated with symlink creation to shadow copies. The detection is made by using a Splunk query that searches for processes with commands containing "mklink" and "HarddiskVolumeShadowCopy". This analytic retrieves information such as the destination, user, process name, process ID, parent process, original file name, and parent process ID from the Endpoint.Processes data model. The detection is important because it indicates potential malicious activity since attackers might use this technique to manipulate or delete shadow copies, which are used for system backup and recovery. This detection helps to determine if an attacker is attempting to cover their tracks or prevent data recovery in the event of an incident. The impact of such an attack can be significant since it can hinder incident response efforts, prevent data restoration, and potentially lead to data loss or compromise. Next steps include reviewing the details of the process, such as the destination and the user responsible for creating the symlink. Additionally, you must examine the parent process, any relevant on-disk artifacts, and concurrent processes to identify the source of the attack.
 action.notable.param.rule_title = Credential Dumping via Symlink to Shadow Copy
 action.notable.param.security_domain = endpoint
 action.notable.param.severity = high
@@ -16188,10 +16187,10 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 [ESCU - Detect Baron Samedit CVE-2021-3156 - Rule]
 action.escu = 0
 action.escu.enabled = 1
-description = This search detects the heap-based buffer overflow of sudoedit
+description = The following analytic detects a specific type of vulnerability known as a heap-based buffer overflow in the sudoedit command, commonly referred to as Baron Samedit CVE-2021-3156. The detection is made by a Splunk query that searches for instances of the sudoedit command with the "-s" flag followed by a double quote. This combination of parameters is indicative of the vulnerability being exploited. The detection is important because it suggests that an attacker is attempting to exploit the Baron Samedit vulnerability. The Baron Samedit vulnerability allows an attacker to gain elevated privileges on a Linux system and run arbitrary code with root privileges, potentially leading to complete control over the affected system. The impact of a successful attack can be severe since it allows the attacker to bypass security measures and gain unauthorized access to sensitive data or systems. This can result in data breaches, unauthorized modifications, or even complete system compromise. Next steps include being aware of this vulnerability and actively monitoring any attempts to exploit it. By detecting and responding to such attacks in a timely manner, you can prevent or minimize the potential damage caused by the heap-based buffer overflow of sudoedit.
 action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.CM"]}
 action.escu.data_models = []
-action.escu.eli5 = This search detects the heap-based buffer overflow of sudoedit
+action.escu.eli5 = The following analytic detects a specific type of vulnerability known as a heap-based buffer overflow in the sudoedit command, commonly referred to as Baron Samedit CVE-2021-3156. The detection is made by a Splunk query that searches for instances of the sudoedit command with the "-s" flag followed by a double quote. This combination of parameters is indicative of the vulnerability being exploited. The detection is important because it suggests that an attacker is attempting to exploit the Baron Samedit vulnerability. The Baron Samedit vulnerability allows an attacker to gain elevated privileges on a Linux system and run arbitrary code with root privileges, potentially leading to complete control over the affected system. The impact of a successful attack can be severe since it allows the attacker to bypass security measures and gain unauthorized access to sensitive data or systems. This can result in data breaches, unauthorized modifications, or even complete system compromise. Next steps include being aware of this vulnerability and actively monitoring any attempts to exploit it. By detecting and responding to such attacks in a timely manner, you can prevent or minimize the potential damage caused by the heap-based buffer overflow of sudoedit.
 action.escu.how_to_implement = Splunk Universal Forwarder running on Linux systems, capturing logs from the /var/log directory. The vulnerability is exposed when a non privledged user tries passing in a single \ character at the end of the command while using the shell and edit flags.
 action.escu.known_false_positives = unknown
 action.escu.creation_date = 2021-01-27
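Review bot: The new `description` and `action.escu.eli5` say the query looks for the sudoedit command "with the "-s" flag followed by a double quote", which appears to misread the search: the term quoted in the next hunk's header, `"sudoedit -s \\"`, is a double-quoted search string whose content is `sudoedit -s \`, and the unchanged `action.escu.how_to_implement` line in this hunk likewise describes "a single \ character at the end of the command". The double quotes delimit the term; they are not part of what is matched. Suggest `The detection is made by a Splunk query that searches for instances of the sudoedit command run with the "-s" flag and a trailing backslash.` The same sentence recurs in `action.notable.param.rule_description` in the following hunk.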
@@ -16216,7 +16215,7 @@ action.correlationsearch.annotations = {"analytic_story": ["Baron Samedit CVE-20
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
-action.notable.param.rule_description = This search detects the heap-based buffer overflow of sudoedit
+action.notable.param.rule_description = The following analytic detects a specific type of vulnerability known as a heap-based buffer overflow in the sudoedit command, commonly referred to as Baron Samedit CVE-2021-3156. The detection is made by a Splunk query that searches for instances of the sudoedit command with the "-s" flag followed by a double quote. This combination of parameters is indicative of the vulnerability being exploited. The detection is important because it suggests that an attacker is attempting to exploit the Baron Samedit vulnerability. The Baron Samedit vulnerability allows an attacker to gain elevated privileges on a Linux system and run arbitrary code with root privileges, potentially leading to complete control over the affected system. The impact of a successful attack can be severe since it allows the attacker to bypass security measures and gain unauthorized access to sensitive data or systems. This can result in data breaches, unauthorized modifications, or even complete system compromise. Next steps include being aware of this vulnerability and actively monitoring any attempts to exploit it. By detecting and responding to such attacks in a timely manner, you can prevent or minimize the potential damage caused by the heap-based buffer overflow of sudoedit.
 action.notable.param.rule_title = Detect Baron Samedit CVE-2021-3156
 action.notable.param.security_domain = endpoint
 action.notable.param.severity = high
@@ -16234,10 +16233,10 @@ search = `linux_hosts` "sudoedit -s \\" | `detect_baron_samedit_cve_2021_3156_fi
 [ESCU - Detect Baron Samedit CVE-2021-3156 Segfault - Rule]
 action.escu = 0
 action.escu.enabled = 1
-description = This search detects the heap-based buffer overflow of sudoedit
+description = The following analytic detects the occurrence of a heap-based buffer overflow in sudoedit.The detection is made by using a Splunk query to identify Linux hosts where the terms "sudoedit" and "segfault" appear in the logs. The detection is important because the heap-based buffer overflow vulnerability in sudoedit can be exploited by attackers to gain elevated root privileges on a vulnerable system, which might lead to the compromise of sensitive data, unauthorized access, and other malicious activities. False positives might occur. Therefore, you must review the logs and investigate further before taking any action.
 action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.CM"]}
 action.escu.data_models = []
-action.escu.eli5 = This search detects the heap-based buffer overflow of sudoedit
+action.escu.eli5 = The following analytic detects the occurrence of a heap-based buffer overflow in sudoedit.The detection is made by using a Splunk query to identify Linux hosts where the terms "sudoedit" and "segfault" appear in the logs. The detection is important because the heap-based buffer overflow vulnerability in sudoedit can be exploited by attackers to gain elevated root privileges on a vulnerable system, which might lead to the compromise of sensitive data, unauthorized access, and other malicious activities. False positives might occur. Therefore, you must review the logs and investigate further before taking any action.
 action.escu.how_to_implement = Splunk Universal Forwarder running on Linux systems (tested on Centos and Ubuntu), where segfaults are being logged. This also captures instances where the exploit has been compiled into a binary. The detection looks for greater than 5 instances of sudoedit combined with segfault over your search time period on a single host
 action.escu.known_false_positives = If sudoedit is throwing segfaults for other reasons this will pick those up too.
 action.escu.creation_date = 2021-01-29
@@ -16262,7 +16261,7 @@ action.correlationsearch.annotations = {"analytic_story": ["Baron Samedit CVE-20
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
-action.notable.param.rule_description = This search detects the heap-based buffer overflow of sudoedit
+action.notable.param.rule_description = The following analytic detects the occurrence of a heap-based buffer overflow in sudoedit.The detection is made by using a Splunk query to identify Linux hosts where the terms "sudoedit" and "segfault" appear in the logs. The detection is important because the heap-based buffer overflow vulnerability in sudoedit can be exploited by attackers to gain elevated root privileges on a vulnerable system, which might lead to the compromise of sensitive data, unauthorized access, and other malicious activities. False positives might occur. Therefore, you must review the logs and investigate further before taking any action.
 action.notable.param.rule_title = Detect Baron Samedit CVE-2021-3156 Segfault
 action.notable.param.security_domain = endpoint
 action.notable.param.severity = high
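Review bot: `in sudoedit.The detection is made` in the new `description` is missing the space after the period; the same typo is carried into `action.escu.eli5` in this hunk and into `action.notable.param.rule_description` in the following hunk. Separately, the new text says the analytic detects "the occurrence of a heap-based buffer overflow", while the unchanged `action.escu.how_to_implement` line in the same hunk says the detection looks for greater than 5 instances of sudoedit combined with segfault on a single host, so the first sentence overstates what is observed. `The following analytic detects repeated sudoedit segfaults on a single Linux host, a symptom of attempts to trigger the heap-based buffer overflow in sudoedit.` would describe the logic and the false-positive note more accurately.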
@@ -16280,10 +16279,10 @@ search = `linux_hosts` TERM(sudoedit) TERM(segfault) | stats count min(_time) as
 [ESCU - Detect Baron Samedit CVE-2021-3156 via OSQuery - Rule]
 action.escu = 0
 action.escu.enabled = 1
-description = This search detects the heap-based buffer overflow of sudoedit
+description = The following analytic detects the heap-based buffer overflow for the sudoedit command and identifies instances where the command "sudoedit -s *" is run using the osquery_process data source. This indicates that the sudoedit command is used with the "-s" flag, which is associated with the heap-based buffer overflow vulnerability. The detection is important because it indicates a potential security vulnerability, specifically Baron Samedit CVE-2021-3156, which helps to identify and respond to potential heap-based buffer overflow attacks to enhance the security posture of the organization. This vulnerability allows an attacker to escalate privileges and potentially gain unauthorized access to the system. If the attack is successful, the attacker can gain full control of the system, run arbitrary code, or access sensitive data. Such attacks can lead to data breaches, unauthorized access, and potential disruption of critical systems. False positives might occur since the legitimate use of the sudoedit command with the "-s" flag can also trigger this detection. You must carefully review and validate the findings before taking any action. Next steps include investigating all true positive detections promptly, reviewing the associated processes, gather relevant artifacts, identifying the source of the attack to contain the threat, mitigate the risks, and prevent further damage to the environment.
 action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.CM"]}
 action.escu.data_models = []
-action.escu.eli5 = This search detects the heap-based buffer overflow of sudoedit
+action.escu.eli5 = The following analytic detects the heap-based buffer overflow for the sudoedit command and identifies instances where the command "sudoedit -s *" is run using the osquery_process data source. This indicates that the sudoedit command is used with the "-s" flag, which is associated with the heap-based buffer overflow vulnerability. The detection is important because it indicates a potential security vulnerability, specifically Baron Samedit CVE-2021-3156, which helps to identify and respond to potential heap-based buffer overflow attacks to enhance the security posture of the organization. This vulnerability allows an attacker to escalate privileges and potentially gain unauthorized access to the system. If the attack is successful, the attacker can gain full control of the system, run arbitrary code, or access sensitive data. Such attacks can lead to data breaches, unauthorized access, and potential disruption of critical systems. False positives might occur since the legitimate use of the sudoedit command with the "-s" flag can also trigger this detection. You must carefully review and validate the findings before taking any action. Next steps include investigating all true positive detections promptly, reviewing the associated processes, gather relevant artifacts, identifying the source of the attack to contain the threat, mitigate the risks, and prevent further damage to the environment.
 action.escu.how_to_implement = OSQuery installed and configured to pick up process events (info at https://osquery.io) as well as using the Splunk OSQuery Add-on https://splunkbase.splunk.com/app/4402.
The vulnerability is exposed when a non privledged user tries passing in a single \ character at the end of the command while using the shell and edit flags.
 action.escu.known_false_positives = unknown
 action.escu.creation_date = 2021-01-28
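Review bot: `gather relevant artifacts` in the last sentence of the new description breaks the parallel list (`investigating ..., reviewing ..., gather ..., identifying ...`); `gathering relevant artifacts` fixes it, and the same text recurs in eli5 here and in rule_description in the next hunk (@@ -16308). The new text also names legitimate `sudoedit -s` use as a false-positive source, but the unchanged `action.escu.known_false_positives = unknown` line in this stanza now contradicts it; aligning that line, e.g. `action.escu.known_false_positives = Legitimate use of sudoedit with the -s flag will also trigger this detection.`, keeps the two fields consistent for analysts. The stanza's search line is outside the hunk.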
@@ -16308,7 +16307,7 @@ action.correlationsearch.annotations = {"analytic_story": ["Baron Samedit CVE-20
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
-action.notable.param.rule_description = This search detects the heap-based buffer overflow of sudoedit
+action.notable.param.rule_description = The following analytic detects the heap-based buffer overflow for the sudoedit command and identifies instances where the command "sudoedit -s *" is run using the osquery_process data source. This indicates that the sudoedit command is used with the "-s" flag, which is associated with the heap-based buffer overflow vulnerability. The detection is important because it indicates a potential security vulnerability, specifically Baron Samedit CVE-2021-3156, which helps to identify and respond to potential heap-based buffer overflow attacks to enhance the security posture of the organization. This vulnerability allows an attacker to escalate privileges and potentially gain unauthorized access to the system. If the attack is successful, the attacker can gain full control of the system, run arbitrary code, or access sensitive data. Such attacks can lead to data breaches, unauthorized access, and potential disruption of critical systems. False positives might occur since the legitimate use of the sudoedit command with the "-s" flag can also trigger this detection. You must carefully review and validate the findings before taking any action. Next steps include investigating all true positive detections promptly, reviewing the associated processes, gather relevant artifacts, identifying the source of the attack to contain the threat, mitigate the risks, and prevent further damage to the environment.
 action.notable.param.rule_title = Detect Baron Samedit CVE-2021-3156 via OSQuery
 action.notable.param.security_domain = endpoint
 action.notable.param.severity = high
@@ -16415,6 +16414,52 @@ realtime_schedule = 0
 is_visible = false
 search = `powershell` EventCode=4104 (ScriptBlockText IN ("*find *") AND ScriptBlockText IN ("* /vulnerable*","* -vulnerable*","* /enrolleeSuppliesSubject *","* /json /outfile*")) OR (ScriptBlockText IN (,"*auth *","*req *",) AND ScriptBlockText IN ("* -ca *","* -username *","* -u *")) OR (ScriptBlockText IN ("*request *","*download *") AND ScriptBlockText IN ("* /ca:*")) | stats count min(_time) as firstTime max(_time) as lastTime list(ScriptBlockText) as command Values(OpCode) as reason values(Path) as file_name values(UserID) as user by _time Computer EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval file_name = case(isnotnull(file_name),file_name,true(),"unknown") | eval signature = substr(command,0,256) | rename Computer as dest,EventCode as signature_id | `detect_certify_with_powershell_script_block_logging_filter`
 
+[ESCU - Detect Certipy File Modifications - Rule]
+action.escu = 0
+action.escu.enabled = 1
+description = The following analytic identifies when the attacker tool Certipy is used to enumerate Active Directory Certificate Services (AD CS) environments. The default behavior of this toolkit drops a number of file uniquely named files or file extensions related to it's information gathering and exfiltration process.
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1649", "T1560"], "nist": ["DE.CM"]}
+action.escu.data_models = ["Endpoint"]
+action.escu.eli5 = The following analytic identifies when the attacker tool Certipy is used to enumerate Active Directory Certificate Services (AD CS) environments. The default behavior of this toolkit drops a number of file uniquely named files or file extensions related to it's information gathering and exfiltration process.
+action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints as well as file creation or deletion events.
+action.escu.known_false_positives = Unknown
+action.escu.creation_date = 2023-06-25
+action.escu.modification_date = 2023-06-25
+action.escu.confidence = high
+action.escu.full_search_name = ESCU - Detect Certipy File Modifications - Rule
+action.escu.search_type = detection
+action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
+action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
+action.escu.analytic_story = ["Windows Certificate Services", "Data Exfiltration", "Ingress Tool Transfer"]
+action.risk = 1
+action.risk.param._risk_message = Suspicious files $file_name$ related to Certipy detected on $dest$
+action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 45}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 45}, {"threat_object_field": "file_name", "threat_object_type": "file name"}, {"threat_object_field": "process_name", "threat_object_type": "process name"}]
+action.risk.param._risk_score = 0
+action.risk.param.verbose = 0
+cron_schedule = 0 * * * *
+dispatch.earliest_time = -70m@m
+dispatch.latest_time = -10m@m
+action.correlationsearch.enabled = 1
+action.correlationsearch.label = ESCU - Detect Certipy File Modifications - Rule
+action.correlationsearch.annotations = {"analytic_story": ["Windows Certificate Services", "Data Exfiltration", "Ingress Tool Transfer"], "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1649", "T1560"], "nist": ["DE.CM"]}
+schedule_window = auto
+action.notable = 1
+action.notable.param.nes_fields = user,dest
+action.notable.param.rule_description = The following analytic identifies when the attacker tool Certipy is used to enumerate Active Directory Certificate Services (AD CS) environments. The default behavior of this toolkit drops a number of file uniquely named files or file extensions related to it's information gathering and exfiltration process.
+action.notable.param.rule_title = Detect Certipy File Modifications
+action.notable.param.security_domain = endpoint
+action.notable.param.severity = high
+alert.digest_mode = 1
+disabled = true
+enableSched = 1
+allow_skew = 100%
+counttype = number of events
+relation = greater than
+quantity = 0
+realtime_schedule = 0
+is_visible = false
+search = | tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime values(Processes.process_current_directory) as process_current_directory FROM datamodel=Endpoint.Processes where Processes.action="allowed" BY _time span=1h Processes.user Processes.dest Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.parent_process_name Processes.parent_process Processes.process_guid Processes.action |`drop_dm_object_name(Processes)` | join max=0 dest process_guid [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("*_certipy.zip", "*_certipy.txt", "*_certipy.json", "*.ccache") by Filesystem.file_create_time Filesystem.process_id Filesystem.process_guid Filesystem.file_name Filesystem.file_path Filesystem.dest | `drop_dm_object_name(Filesystem)` ] | fields firstTime lastTime user dest file_create_time file_name file_path parent_process_name parent_process process_name process_path process_current_directory process process_guid process_id | where isnotnull(file_name) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_certipy_file_modifications_filter`
+
 [ESCU - Detect Computer
Changed with Anonymous Account - Rule]
 action.escu = 0
 action.escu.enabled = 1
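Review bot: The description, eli5 and rule_description of the new Certipy stanza carry a garbled phrase, `drops a number of file uniquely named files or file extensions related to it's information gathering`; suggest `drops a number of uniquely named files or file extensions related to its information gathering` in all three places. On the new search line, `where Processes.action="allowed"` only matches events whose source add-on populates `Processes.action`; if one of the listed providing technologies leaves that field empty the search silently returns nothing, so this dependency is worth confirming per data source or stating in how_to_implement. The `"*.ccache"` pattern in the Filesystem subsearch is a generic Kerberos credential-cache extension rather than a Certipy-specific artifact, so `action.escu.known_false_positives = Unknown` understates the noise to expect from other Kerberos tooling; a line such as `action.escu.known_false_positives = Other Kerberos tooling also writes .ccache files; tune the file_name filter per environment.` would set expectations for tuning.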
@@ -16505,10 +16550,10 @@ search = `powershell` EventCode=4104 Message IN ("*copy*","*[System.IO.File]::Co
 [ESCU - Detect Credential Dumping through LSASS access - Rule]
 action.escu = 0
 action.escu.enabled = 1
-description = This search looks for reading lsass memory consistent with credential dumping.
+description = The following analytic detects the reading of lsass memory, which is consistent with credential dumping. Reading lsass memory is a common technique used by attackers to steal credentials from the Windows operating system. The detection is made by monitoring the sysmon events and filtering for specific access permissions (0x1010 and 0x1410) on the lsass.exe process helps identify potential instances of credential dumping.The detection is important because it suggests that an attacker is attempting to extract credentials from the lsass memory, which can lead to unauthorized access, data breaches, and compromise of sensitive information. Credential dumping is often a precursor to further attacks, such as lateral movement, privilege escalation, or data exfiltration. False positives can occur due to legitimate actions that involve accessing lsass memory. Therefore, extensive triage and investigation are necessary to differentiate between malicious and benign activities.
 action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]}
 action.escu.data_models = []
-action.escu.eli5 = This search looks for reading lsass memory consistent with credential dumping.
+action.escu.eli5 = The following analytic detects the reading of lsass memory, which is consistent with credential dumping. Reading lsass memory is a common technique used by attackers to steal credentials from the Windows operating system.
The detection is made by monitoring the sysmon events and filtering for specific access permissions (0x1010 and 0x1410) on the lsass.exe process helps identify potential instances of credential dumping.The detection is important because it suggests that an attacker is attempting to extract credentials from the lsass memory, which can lead to unauthorized access, data breaches, and compromise of sensitive information. Credential dumping is often a precursor to further attacks, such as lateral movement, privilege escalation, or data exfiltration. False positives can occur due to legitimate actions that involve accessing lsass memory. Therefore, extensive triage and investigation are necessary to differentiate between malicious and benign activities.
 action.escu.how_to_implement = This search needs Sysmon Logs and a sysmon configuration, which includes EventCode 10 with lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.
 action.escu.known_false_positives = The activity may be legitimate. Other tools can access lsass for legitimate reasons, and it's possible this event could be generated in those cases. In these cases, false positives should be fairly obvious and you may need to tweak the search to eliminate noise.
 action.escu.creation_date = 2019-12-03
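Review bot: The second sentence of the new description is ungrammatical: `The detection is made by monitoring the sysmon events and filtering for specific access permissions (0x1010 and 0x1410) on the lsass.exe process helps identify potential instances of credential dumping.` reads as two clauses fused; `The detection is made by monitoring Sysmon events and filtering for specific access permissions (0x1010 and 0x1410) on the lsass.exe process.` fixes it. A space is also missing at `credential dumping.The detection is important`. Both occur in eli5 here and in rule_description in the next hunk (@@ -16533). The stanza's search line is outside the hunk, so the access-mask values quoted in the text are not checked against the search here.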
@@ -16533,7 +16578,7 @@ action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping",
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
-action.notable.param.rule_description = This search looks for reading lsass memory consistent with credential dumping.
+action.notable.param.rule_description = The following analytic detects the reading of lsass memory, which is consistent with credential dumping. Reading lsass memory is a common technique used by attackers to steal credentials from the Windows operating system. The detection is made by monitoring the sysmon events and filtering for specific access permissions (0x1010 and 0x1410) on the lsass.exe process helps identify potential instances of credential dumping.The detection is important because it suggests that an attacker is attempting to extract credentials from the lsass memory, which can lead to unauthorized access, data breaches, and compromise of sensitive information. Credential dumping is often a precursor to further attacks, such as lateral movement, privilege escalation, or data exfiltration. False positives can occur due to legitimate actions that involve accessing lsass memory. Therefore, extensive triage and investigation are necessary to differentiate between malicious and benign activities.
 action.notable.param.rule_title = Detect Credential Dumping through LSASS access
 action.notable.param.security_domain = endpoint
 action.notable.param.severity = high
@@ -17085,10 +17130,10 @@ search = | tstats `security_content_summariesonly` count values(Processes.proces
 [ESCU - Detect New Local Admin account - Rule]
 action.escu = 0
 action.escu.enabled = 1
-description = This search looks for newly created accounts that have been elevated to local administrators.
+description = The following analytic detects the creation of new accounts that have been elevated to local administrators so that you can take immediate action to mitigate the risks and prevent further unauthorized access or malicious activities. This detection is made by using the Splunk query `wineventlog_security` EventCode=4720 OR (EventCode=4732 Group_Name=Administrators) to search for relevant security events in the Windows event log. When a new account is created or an existing account is added to the Administrators group, this analytic identifies this behavior by looking for EventCode 4720 (A user account was created) or EventCode 4732 (A member was added to a security-enabled global group). This analytic specifically focuses on events where the Group_Name is set to Administrators. This detection is important because it suggests that an attacker has gained elevated privileges and can perform malicious actions with administrative access. This can lead to significant impact, such as unauthorized access to sensitive data, unauthorized modifications to systems or configurations, and potential disruption of critical services. identifying this behavior is crucial for a Security Operations Center (SOC). Next steps include reviewing the details of the security event, including the user account that was created or added to the Administrators group. Also, examine the time span between the first and last occurrence of the event to determine if the behavior is ongoing. Additionally, consider any contextual information, such as the destination where the account was created or added to understand the scope and potential impact of the attack.
 action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.001", "T1136"], "nist": ["DE.CM"]}
 action.escu.data_models = []
-action.escu.eli5 = This search looks for newly created accounts that have been elevated to local administrators.
+action.escu.eli5 = The following analytic detects the creation of new accounts that have been elevated to local administrators so that you can take immediate action to mitigate the risks and prevent further unauthorized access or malicious activities. This detection is made by using the Splunk query `wineventlog_security` EventCode=4720 OR (EventCode=4732 Group_Name=Administrators) to search for relevant security events in the Windows event log. When a new account is created or an existing account is added to the Administrators group, this analytic identifies this behavior by looking for EventCode 4720 (A user account was created) or EventCode 4732 (A member was added to a security-enabled global group). This analytic specifically focuses on events where the Group_Name is set to Administrators. This detection is important because it suggests that an attacker has gained elevated privileges and can perform malicious actions with administrative access. This can lead to significant impact, such as unauthorized access to sensitive data, unauthorized modifications to systems or configurations, and potential disruption of critical services. identifying this behavior is crucial for a Security Operations Center (SOC). Next steps include reviewing the details of the security event, including the user account that was created or added to the Administrators group. Also, examine the time span between the first and last occurrence of the event to determine if the behavior is ongoing. Additionally, consider any contextual information, such as the destination where the account was created or added to understand the scope and potential impact of the attack.
action.escu.how_to_implement = You must be ingesting Windows event logs using the Splunk Windows TA and collecting event code 4720 and 4732
 action.escu.known_false_positives = The activity may be legitimate. For this reason, it's best to verify the account with an administrator and ask whether there was a valid service request for the account creation. If your local administrator group name is not "Administrators", this search may generate an excessive number of false positives
 action.escu.creation_date = 2020-07-08
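Review bot: The new description glosses EventCode 4732 as `A member was added to a security-enabled global group`, but 4732 is the local-group event (`A member was added to a security-enabled local group`; the global-group event is 4728), and the distinction matters for a rule about local Administrators membership; the same wording recurs in eli5 here and in rule_description in the next hunk (@@ -17113). The sentence `identifying this behavior is crucial for a Security Operations Center (SOC).` also starts in lowercase. The stanza's search line is outside the hunk.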
@@ -17113,7 +17158,7 @@ action.correlationsearch.annotations = {"analytic_story": ["DHS Report TA18-074A
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
-action.notable.param.rule_description = This search looks for newly created accounts that have been elevated to local administrators.
+action.notable.param.rule_description = The following analytic detects the creation of new accounts that have been elevated to local administrators so that you can take immediate action to mitigate the risks and prevent further unauthorized access or malicious activities. This detection is made by using the Splunk query `wineventlog_security` EventCode=4720 OR (EventCode=4732 Group_Name=Administrators) to search for relevant security events in the Windows event log. When a new account is created or an existing account is added to the Administrators group, this analytic identifies this behavior by looking for EventCode 4720 (A user account was created) or EventCode 4732 (A member was added to a security-enabled global group). This analytic specifically focuses on events where the Group_Name is set to Administrators. This detection is important because it suggests that an attacker has gained elevated privileges and can perform malicious actions with administrative access. This can lead to significant impact, such as unauthorized access to sensitive data, unauthorized modifications to systems or configurations, and potential disruption of critical services. identifying this behavior is crucial for a Security Operations Center (SOC). Next steps include reviewing the details of the security event, including the user account that was created or added to the Administrators group. Also, examine the time span between the first and last occurrence of the event to determine if the behavior is ongoing.
Additionally, consider any contextual information, such as the destination where the account was created or added to understand the scope and potential impact of the attack.
 action.notable.param.rule_title = Detect New Local Admin account
 action.notable.param.security_domain = access
 action.notable.param.severity = high
@@ -19192,10 +19237,10 @@ search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint
 [ESCU - Disable Windows App Hotkeys - Rule]
 action.escu = 0
 action.escu.enabled = 1
-description = This analytic detects a suspicious registry modification to disable Windows hotkey (shortcut keys) for native Windows applications. This technique is commonly used to disable certain or several Windows applications like `taskmgr.exe` and `cmd.exe`. This technique is used to impair the analyst in analyzing and removing the attacker implant in compromised systems.
+description = The following analytic detects a suspicious registry modification to disable Windows hotkey (shortcut keys) for native Windows applications. This technique is commonly used to disable certain or several Windows applications like `taskmgr.exe` and `cmd.exe`. This technique is used to impair the analyst in analyzing and removing the attacker implant in compromised systems.
 action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562", "T1112"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
-action.escu.eli5 = This analytic detects a suspicious registry modification to disable Windows hotkey (shortcut keys) for native Windows applications. This technique is commonly used to disable certain or several Windows applications like `taskmgr.exe` and `cmd.exe`. This technique is used to impair the analyst in analyzing and removing the attacker implant in compromised systems.
+action.escu.eli5 = The following analytic detects a suspicious registry modification to disable Windows hotkey (shortcut keys) for native Windows applications. This technique is commonly used to disable certain or several Windows applications like `taskmgr.exe` and `cmd.exe`. This technique is used to impair the analyst in analyzing and removing the attacker implant in compromised systems.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
 action.escu.known_false_positives = unknown
 action.escu.creation_date = 2023-04-27
@@ -19220,7 +19265,7 @@ action.correlationsearch.annotations = {"analytic_story": ["XMRig", "Windows Reg
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
-action.notable.param.rule_description = This analytic detects a suspicious registry modification to disable Windows hotkey (shortcut keys) for native Windows applications. This technique is commonly used to disable certain or several Windows applications like `taskmgr.exe` and `cmd.exe`. This technique is used to impair the analyst in analyzing and removing the attacker implant in compromised systems.
+action.notable.param.rule_description = The following analytic detects a suspicious registry modification to disable Windows hotkey (shortcut keys) for native Windows applications. This technique is commonly used to disable certain or several Windows applications like `taskmgr.exe` and `cmd.exe`. This technique is used to impair the analyst in analyzing and removing the attacker implant in compromised systems.
 action.notable.param.rule_title = Disable Windows App Hotkeys
 action.notable.param.security_domain = endpoint
 action.notable.param.severity = high
@@ -20515,10 +20560,10 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 [ESCU - Dump LSASS via comsvcs DLL - Rule]
 action.escu = 0
 action.escu.enabled = 1
-description = The following analytic detects the behavior of dumping credentials from memory, a tactic commonly used by adversaries. Specifically, it targets the exploitation of the Local Security Authority Subsystem Service (LSASS) in Windows, which manages system-level authentication. Threat actors can use the comsvcs.dll to exploit this process and obtain valuable credentials. The analytic identifies instances where the rundll32 process is used in conjunction with the comsvcs.dll and MiniDump, indicating potential LSASS dumping attempts. This tactic is often part of more extensive attack campaigns and is associated with numerous threat groups. Identifying this behavior is crucial for security operations center (SOC) analysts, as credential theft can lead to broader system compromise, persistence, lateral movement, and escalated privileges. It is important to note that no legitimate use of this technique has been identified so far. The impact of the attack, if a true positive is found, can be severe. Attackers can use the stolen credentials to access sensitive information or systems, leading to data theft, ransomware attacks, or other damaging outcomes. To implement this analytic, ensure that logs with process information are ingested from your endpoints. However, be aware of potential false positives, as legitimate uses of the LSASS process may cause benign activities to be flagged. Upon triage, review the processes involved in the LSASS dumping attempt, capture and inspect any relevant on-disk artifacts, and look for concurrent processes to identify the attack source. By identifying and mitigating LSASS exploitation attempts early on, SOC analysts can better protect their organization's assets and prevent potential breaches.
+description = The following analytic detects the behavior of dumping credentials from memory, a tactic commonly used by adversaries to exploit the Local Security Authority Subsystem Service (LSASS) in Windows, which manages system-level authentication. The detection is made by monitoring logs with process information from endpoints and identifying instances where the rundll32 process is used in conjunction with the comsvcs.dll and MiniDump. This indicates potential LSASS dumping attempts used by threat actors to obtain valuable credentials. The detection is important because credential theft can lead to broader system compromise, persistence, lateral movement, and escalated privileges. No legitimate use of this technique has been identified yet. This behavior is often part of more extensive attack campaigns and is associated with numerous threat groups that use the stolen credentials to access sensitive information or systems, leading to data theft, ransomware attacks, or other damaging outcomes. False positives can occur since legitimate uses of the LSASS process can cause benign activities to be flagged. Next steps include reviewing the processes involved in the LSASS dumping attempt after triage and inspecting any relevant on-disk artifacts and concurrent processes to identify the attack source.
 action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
-action.escu.eli5 = The following analytic detects the behavior of dumping credentials from memory, a tactic commonly used by adversaries. Specifically, it targets the exploitation of the Local Security Authority Subsystem Service (LSASS) in Windows, which manages system-level authentication. Threat actors can use the comsvcs.dll to exploit this process and obtain valuable credentials.
The analytic identifies instances where the rundll32 process is used in conjunction with the comsvcs.dll and MiniDump, indicating potential LSASS dumping attempts. This tactic is often part of more extensive attack campaigns and is associated with numerous threat groups. Identifying this behavior is crucial for security operations center (SOC) analysts, as credential theft can lead to broader system compromise, persistence, lateral movement, and escalated privileges. It is important to note that no legitimate use of this technique has been identified so far. The impact of the attack, if a true positive is found, can be severe. Attackers can use the stolen credentials to access sensitive information or systems, leading to data theft, ransomware attacks, or other damaging outcomes. To implement this analytic, ensure that logs with process information are ingested from your endpoints. However, be aware of potential false positives, as legitimate uses of the LSASS process may cause benign activities to be flagged. Upon triage, review the processes involved in the LSASS dumping attempt, capture and inspect any relevant on-disk artifacts, and look for concurrent processes to identify the attack source. By identifying and mitigating LSASS exploitation attempts early on, SOC analysts can better protect their organization's assets and prevent potential breaches.
+action.escu.eli5 = The following analytic detects the behavior of dumping credentials from memory, a tactic commonly used by adversaries to exploit the Local Security Authority Subsystem Service (LSASS) in Windows, which manages system-level authentication. The detection is made by monitoring logs with process information from endpoints and identifying instances where the rundll32 process is used in conjunction with the comsvcs.dll and MiniDump. This indicates potential LSASS dumping attempts used by threat actors to obtain valuable credentials.
The detection is important because credential theft can lead to broader system compromise, persistence, lateral movement, and escalated privileges. No legitimate use of this technique has been identified yet. This behavior is often part of more extensive attack campaigns and is associated with numerous threat groups that use the stolen credentials to access sensitive information or systems, leading to data theft, ransomware attacks, or other damaging outcomes. False positives can occur since legitimate uses of the LSASS process can cause benign activities to be flagged. Next steps include reviewing the processes involved in the LSASS dumping attempt after triage and inspecting any relevant on-disk artifacts and concurrent processes to identify the attack source.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
 action.escu.known_false_positives = None identified.
 action.escu.creation_date = 2023-04-14
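Review bot: The rewritten description states both `No legitimate use of this technique has been identified yet` and `False positives can occur since legitimate uses of the LSASS process can cause benign activities to be flagged`, and the stanza's unchanged `action.escu.known_false_positives = None identified.` agrees only with the first; the analyst-facing text should take one position, e.g. drop the false-positive sentence or replace it with `No false positives have been identified; treat a match as a likely true positive and triage it promptly.` The same text recurs in eli5 here and in rule_description in the next hunk (@@ -20543). The stanza's search line is outside the hunk.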
@@ -20543,7 +20588,7 @@ action.correlationsearch.annotations = {"analytic_story": ["Industroyer2", "HAFN
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
-action.notable.param.rule_description = The following analytic detects the behavior of dumping credentials from memory, a tactic commonly used by adversaries. Specifically, it targets the exploitation of the Local Security Authority Subsystem Service (LSASS) in Windows, which manages system-level authentication. Threat actors can use the comsvcs.dll to exploit this process and obtain valuable credentials. The analytic identifies instances where the rundll32 process is used in conjunction with the comsvcs.dll and MiniDump, indicating potential LSASS dumping attempts. This tactic is often part of more extensive attack campaigns and is associated with numerous threat groups. Identifying this behavior is crucial for security operations center (SOC) analysts, as credential theft can lead to broader system compromise, persistence, lateral movement, and escalated privileges. It is important to note that no legitimate use of this technique has been identified so far. The impact of the attack, if a true positive is found, can be severe. Attackers can use the stolen credentials to access sensitive information or systems, leading to data theft, ransomware attacks, or other damaging outcomes. To implement this analytic, ensure that logs with process information are ingested from your endpoints. However, be aware of potential false positives, as legitimate uses of the LSASS process may cause benign activities to be flagged. Upon triage, review the processes involved in the LSASS dumping attempt, capture and inspect any relevant on-disk artifacts, and look for concurrent processes to identify the attack source. By identifying and mitigating LSASS exploitation attempts early on, SOC analysts can better protect their organization's assets and prevent potential breaches. 
+action.notable.param.rule_description = The following analytic detects the behavior of dumping credentials from memory, a tactic commonly used by adversaries to exploit the Local Security Authority Subsystem Service (LSASS) in Windows, which manages system-level authentication. The detection is made by monitoring logs with process information from endpoints and identifying instances where the rundll32 process is used in conjunction with the comsvcs.dll and MiniDump. This indicates potential LSASS dumping attempts used by threat actors to obtain valuable credentials. The detection is important because credential theft can lead to broader system compromise, persistence, lateral movement, and escalated privileges. No legitimate use of this technique has been identified yet. This behavior is often part of more extensive attack campaigns and is associated with numerous threat groups that use the stolen credentials to access sensitive information or systems, leading to data theft, ransomware attacks, or other damaging outcomes. False positives can occur since legitimate uses of the LSASS process can cause benign activities to be flagged. Next steps include reviewing the processes involved in the LSASS dumping attempt after triage and inspecting any relevant on-disk artifacts and concurrent processes to identify the attack source.
 action.notable.param.rule_title = Dump LSASS via comsvcs DLL
 action.notable.param.security_domain = endpoint
 action.notable.param.severity = high 
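Review bot: The rewritten rule_description contradicts itself and the stanza's own known_false_positives: it states `No legitimate use of this technique has been identified yet.` and then `False positives can occur since legitimate uses of the LSASS process can cause benign activities to be flagged.`, while the preceding hunk sets `action.escu.known_false_positives = None identified.`. What the search keys on is rundll32 loading comsvcs.dll with MiniDump, not use of the LSASS process as such, so the false-positive sentence describes the wrong thing. Suggest replacing it with `False positives are not expected; treat any hit as a credential-dumping attempt until triage proves otherwise.` and applying the same change to the identical text in action.escu.eli5 in the hunk above, whose start is outside this view.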
@@ -21715,7 +21760,7 @@ action.escu.full_search_name = ESCU - Executables Or Script Creation In Suspicio
 action.escu.search_type = detection
 action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
 action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
-action.escu.analytic_story = ["WhisperGate", "XMRig", "Industroyer2", "Remcos", "Data Destruction", "Hermetic Wiper", "Azorult", "DarkCrystal RAT", "Graceful Wipe Out Attack", "IcedID", "Swift Slicer", "Qakbot", "RedLine Stealer", "Brute Ratel C4", "AsyncRAT", "LockBit Ransomware", "AgentTesla", "Double Zero Destructor", "Volt Typhoon", "Chaos Ransomware", "Trickbot", "Amadey", "BlackByte Ransomware", "Warzone RAT", "NjRAT"]
+action.escu.analytic_story = ["WhisperGate", "XMRig", "Industroyer2", "Remcos", "Data Destruction", "Hermetic Wiper", "Azorult", "DarkCrystal RAT", "Graceful Wipe Out Attack", "IcedID", "Swift Slicer", "Qakbot", "RedLine Stealer", "Brute Ratel C4", "AsyncRAT", "LockBit Ransomware", "AgentTesla", "Double Zero Destructor", "Volt Typhoon", "Chaos Ransomware", "Trickbot", "Amadey", "BlackByte Ransomware", "Warzone RAT", "NjRAT", "PlugX"]
 action.risk = 1
 action.risk.param._risk_message = Suspicious executable or scripts with file name $file_name$, $file_path$ and process_id $process_id$ executed in suspicious file path in Windows by $user$
 action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 20}, {"threat_object_field": "process_id", "threat_object_type": "process"}, {"threat_object_field": "file_name", "threat_object_type": "file name"}] 
@@ -21726,7 +21771,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Executables Or Script Creation In Suspicious Path - Rule
-action.correlationsearch.annotations = {"analytic_story": ["WhisperGate", "XMRig", "Industroyer2", "Remcos", "Data Destruction", "Hermetic Wiper", "Azorult", "DarkCrystal RAT", "Graceful Wipe Out Attack", "IcedID", "Swift Slicer", "Qakbot", "RedLine Stealer", "Brute Ratel C4", "AsyncRAT", "LockBit Ransomware", "AgentTesla", "Double Zero Destructor", "Volt Typhoon", "Chaos Ransomware", "Trickbot", "Amadey", "BlackByte Ransomware", "Warzone RAT", "NjRAT"], "cis20": ["CIS 10"], "confidence": 50, "impact": 40, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["WhisperGate", "XMRig", "Industroyer2", "Remcos", "Data Destruction", "Hermetic Wiper", "Azorult", "DarkCrystal RAT", "Graceful Wipe Out Attack", "IcedID", "Swift Slicer", "Qakbot", "RedLine Stealer", "Brute Ratel C4", "AsyncRAT", "LockBit Ransomware", "AgentTesla", "Double Zero Destructor", "Volt Typhoon", "Chaos Ransomware", "Trickbot", "Amadey", "BlackByte Ransomware", "Warzone RAT", "NjRAT", "PlugX"], "cis20": ["CIS 10"], "confidence": 50, "impact": 40, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true 
@@ -21880,10 +21925,10 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 [ESCU - File with Samsam Extension - Rule]
 action.escu = 0
 action.escu.enabled = 1
-description = The search looks for file writes with extensions consistent with a SamSam ransomware attack.
+description = The following analytic detects file writes with extensions that are consistent with a SamSam ransomware attack to proactively detect and respond to potential SamSam ransomware attacks, minimizing the impact and reducing the likelihood of successful ransomware infections. This detection is made by a Splunk query to search for specific file extensions that are commonly associated with SamSam ransomware, such as .stubbin, .berkshire, .satoshi, .sophos, and .keyxml. This identifies file extensions in the file names of the written files. If any file write events with these extensions are found, it suggests a potential SamSam ransomware attack. This detection is important because SamSam ransomware is a highly destructive and financially motivated attack and suggests that the organization is at risk of having its files encrypted and held for ransom, which can lead to significant financial losses, operational disruptions, and reputational damage. False positives might occur since legitimate files with these extensions can exist in the environment. Therefore, next steps include conducting a careful analysis and triage to confirm the presence of a SamSam ransomware attack. Next steps include taking immediate action to contain the attack, mitigate the impact, and prevent further spread of the ransomware. This might involve isolating affected systems, restoring encrypted files from backups, and conducting a thorough investigation to identify the attack source and prevent future incidents. 
 action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
-action.escu.eli5 = The search looks for file writes with extensions consistent with a SamSam ransomware attack.
+action.escu.eli5 = The following analytic detects file writes with extensions that are consistent with a SamSam ransomware attack to proactively detect and respond to potential SamSam ransomware attacks, minimizing the impact and reducing the likelihood of successful ransomware infections. This detection is made by a Splunk query to search for specific file extensions that are commonly associated with SamSam ransomware, such as .stubbin, .berkshire, .satoshi, .sophos, and .keyxml. This identifies file extensions in the file names of the written files. If any file write events with these extensions are found, it suggests a potential SamSam ransomware attack. This detection is important because SamSam ransomware is a highly destructive and financially motivated attack and suggests that the organization is at risk of having its files encrypted and held for ransom, which can lead to significant financial losses, operational disruptions, and reputational damage. False positives might occur since legitimate files with these extensions can exist in the environment. Therefore, next steps include conducting a careful analysis and triage to confirm the presence of a SamSam ransomware attack. Next steps include taking immediate action to contain the attack, mitigate the impact, and prevent further spread of the ransomware. This might involve isolating affected systems, restoring encrypted files from backups, and conducting a thorough investigation to identify the attack source and prevent future incidents.
 action.escu.how_to_implement = You must be ingesting data that records file-system activity from your hosts to populate the Endpoint file-system data-model node. 
If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.
 action.escu.known_false_positives = Because these extensions are not typically used in normal operations, you should investigate all results.
 action.escu.creation_date = 2018-12-14 
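Review bot: The new description repeats `Next steps include` in two consecutive sentences, the first also opening with `Therefore,` although nothing it follows motivates it; the same text is copied into action.escu.eli5 in this hunk and into action.notable.param.rule_description in the hunk below. Suggest merging the two sentences: `False positives might occur since legitimate files with these extensions can exist in the environment, so triage each result to confirm SamSam activity before acting. Confirmed hits call for immediate containment: isolate affected systems, restore encrypted files from backups, and investigate to identify the attack source.` The description also commits to a specific extension list, `.stubbin, .berkshire, .satoshi, .sophos, and .keyxml`; the search line is outside this hunk, so confirm that list matches the actual query before documenting it, since the two drift easily.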
@@ -21908,7 +21953,7 @@ action.correlationsearch.annotations = {"analytic_story": ["SamSam Ransomware"],
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
-action.notable.param.rule_description = The search looks for file writes with extensions consistent with a SamSam ransomware attack.
+action.notable.param.rule_description = The following analytic detects file writes with extensions that are consistent with a SamSam ransomware attack to proactively detect and respond to potential SamSam ransomware attacks, minimizing the impact and reducing the likelihood of successful ransomware infections. This detection is made by a Splunk query to search for specific file extensions that are commonly associated with SamSam ransomware, such as .stubbin, .berkshire, .satoshi, .sophos, and .keyxml. This identifies file extensions in the file names of the written files. If any file write events with these extensions are found, it suggests a potential SamSam ransomware attack. This detection is important because SamSam ransomware is a highly destructive and financially motivated attack and suggests that the organization is at risk of having its files encrypted and held for ransom, which can lead to significant financial losses, operational disruptions, and reputational damage. False positives might occur since legitimate files with these extensions can exist in the environment. Therefore, next steps include conducting a careful analysis and triage to confirm the presence of a SamSam ransomware attack. Next steps include taking immediate action to contain the attack, mitigate the impact, and prevent further spread of the ransomware. This might involve isolating affected systems, restoring encrypted files from backups, and conducting a thorough investigation to identify the attack source and prevent future incidents. 
 action.notable.param.rule_title = File with Samsam Extension
 action.notable.param.security_domain = endpoint
 action.notable.param.severity = high 
@@ -21926,10 +21971,10 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 [ESCU - Firewall Allowed Program Enable - Rule]
 action.escu = 0
 action.escu.enabled = 1
-description = This analytic detects a potential suspicious modification of firewall rule allowing to execute specific application. This technique was identified when an adversary and red teams to bypassed firewall file execution restriction in a targetted host. Take note that this event or command can run by administrator during testing or allowing legitimate tool or application.
+description = The following analytic detects a potential suspicious modification of firewall rule allowing to execute specific application. This technique was identified when an adversary and red teams to bypassed firewall file execution restriction in a targetted host. Take note that this event or command can run by administrator during testing or allowing legitimate tool or application.
 action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.004", "T1562"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
-action.escu.eli5 = This analytic detects a potential suspicious modification of firewall rule allowing to execute specific application. This technique was identified when an adversary and red teams to bypassed firewall file execution restriction in a targetted host. Take note that this event or command can run by administrator during testing or allowing legitimate tool or application.
+action.escu.eli5 = The following analytic detects a potential suspicious modification of firewall rule allowing to execute specific application. This technique was identified when an adversary and red teams to bypassed firewall file execution restriction in a targetted host. Take note that this event or command can run by administrator during testing or allowing legitimate tool or application. 
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
 action.escu.known_false_positives = A network operator or systems administrator may utilize an automated or manual execution of this firewall rule that may generate false positives. Filter as needed.
 action.escu.creation_date = 2021-11-12
@@ -21939,7 +21984,7 @@ action.escu.full_search_name = ESCU - Firewall Allowed Program Enable - Rule
 action.escu.search_type = detection
 action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
 action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
-action.escu.analytic_story = ["Windows Defense Evasion Tactics", "Azorult", "BlackByte Ransomware", "NjRAT"]
+action.escu.analytic_story = ["Windows Defense Evasion Tactics", "Azorult", "BlackByte Ransomware", "NjRAT", "PlugX"]
 action.risk = 1
 action.risk.param._risk_message = firewall allowed program commandline $process$ of $process_name$ on $dest$ by $user$
 action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] 
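Review bot: The description and eli5 in the hunk starting at the `[ESCU - Firewall Allowed Program Enable - Rule]` stanza changed only their first two words and keep the broken sentence `This technique was identified when an adversary and red teams to bypassed firewall file execution restriction in a targetted host.`; since the commit is already rewording these fields, the grammar should be fixed in the same pass. Suggest `This technique has been observed when adversaries and red teams bypass firewall file-execution restrictions on a targeted host.` and, for the last sentence, `Note that an administrator can run this command legitimately during testing or when allow-listing a tool or application.` The known_false_positives line in the same hunk already covers the administrator case, so the description could also simply defer to it.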
@@ -21950,7 +21995,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Firewall Allowed Program Enable - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Azorult", "BlackByte Ransomware", "NjRAT"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.004", "T1562"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Azorult", "BlackByte Ransomware", "NjRAT", "PlugX"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.004", "T1562"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -24805,7 +24850,7 @@ relation = greater than
 quantity = 0
 realtime_schedule = 0
 is_visible = false
-search = `wineventlog_security` EventCode=4768 Ticket_Encryption_Type=0x17 Account_Name!=*$ | `kerberos_tgt_request_using_rc4_encryption_filter`
+search = `wineventlog_security` EventCode=4768 Ticket_Encryption_Type=0x17 Account_Name!=*$ | stats count min(_time) as firstTime max(_time) as lastTime by Account_Name Client_Address dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `kerberos_tgt_request_using_rc4_encryption_filter`

 [ESCU - Kerberos User Enumeration - Rule]
 action.escu = 0 
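Review bot: The new `stats ... by Account_Name Client_Address dest` in the Kerberos RC4 search keeps only those three fields plus count, firstTime and lastTime, so every other event field (EventCode, Ticket_Encryption_Type, the per-event _time) is gone before `kerberos_tgt_request_using_rc4_encryption_filter` runs; the stanza's risk and notable settings are outside this hunk, so confirm that any `$field$` tokens they interpolate, and the filter macro itself, reference only fields that survive the by-clause. Consider normalizing names before the macro, e.g. `| rename Account_Name as user, Client_Address as src`, so that downstream risk objects can use CIM field names rather than the raw Windows event names. The `Account_Name!=*$` exclusion of machine accounts is applied before aggregation, which is the right order; a short comment in the detection's source (presumably the YAML contentctl builds this conf from) explaining why RC4 (0x17) TGT requests are aggregated per account and client would help the next maintainer.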
@@ -25745,10 +25790,10 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 [ESCU - Linux Decode Base64 to Shell - Rule]
 action.escu = 0
 action.escu.enabled = 1
-description = The following analytic identifies base64 being decoded and passed to a Linux shell.
+description = The following analytic detects the behavior of decoding base64-encoded data and passing it to a Linux shell. Additionally, it mitigates the potential damage and protects the organization's systems and data.The detection is made by searching for specific commands in the Splunk query, namely "base64 -d" and "base64 --decode", within the Endpoint.Processes data model. The analytic also includes a filter for Linux shells. The detection is important because it indicates the presence of malicious activity since Base64 encoding is commonly used to obfuscate malicious commands or payloads, and decoding it can be a step in running those commands. It suggests that an attacker is attempting to run malicious commands on a Linux system to gain unauthorized access, for data exfiltration, or perform other malicious actions.
 action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1027", "T1059.004"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
-action.escu.eli5 = The following analytic identifies base64 being decoded and passed to a Linux shell.
+action.escu.eli5 = The following analytic detects the behavior of decoding base64-encoded data and passing it to a Linux shell. Additionally, it mitigates the potential damage and protects the organization's systems and data.The detection is made by searching for specific commands in the Splunk query, namely "base64 -d" and "base64 --decode", within the Endpoint.Processes data model. The analytic also includes a filter for Linux shells. 
The detection is important because it indicates the presence of malicious activity since Base64 encoding is commonly used to obfuscate malicious commands or payloads, and decoding it can be a step in running those commands. It suggests that an attacker is attempting to run malicious commands on a Linux system to gain unauthorized access, for data exfiltration, or perform other malicious actions.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
 action.escu.known_false_positives = False positives may be present based on legitimate software being utilized. Filter as needed.
 action.escu.creation_date = 2022-07-27 
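Review bot: The new description is missing a space in `data.The detection`, and the sentence `Additionally, it mitigates the potential damage and protects the organization's systems and data.` claims something a saved search cannot do; the same text is repeated in action.escu.eli5 in this hunk and in action.notable.param.rule_description in the hunk below. Suggest dropping that sentence and tightening the opening to `The following analytic detects base64-encoded data being decoded and passed to a Linux shell. The detection is made by searching for "base64 -d" and "base64 --decode" within the Endpoint.Processes data model, restricted to Linux shells.` The closing sentence asserts that a hit `indicates the presence of malicious activity`, which conflicts with the stanza's own known_false_positives (`legitimate software being utilized`); `may indicate` would match it.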
@@ -25773,7 +25818,7 @@ action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
-action.notable.param.rule_description = The following analytic identifies base64 being decoded and passed to a Linux shell.
+action.notable.param.rule_description = The following analytic detects the behavior of decoding base64-encoded data and passing it to a Linux shell. Additionally, it mitigates the potential damage and protects the organization's systems and data.The detection is made by searching for specific commands in the Splunk query, namely "base64 -d" and "base64 --decode", within the Endpoint.Processes data model. The analytic also includes a filter for Linux shells. The detection is important because it indicates the presence of malicious activity since Base64 encoding is commonly used to obfuscate malicious commands or payloads, and decoding it can be a step in running those commands. It suggests that an attacker is attempting to run malicious commands on a Linux system to gain unauthorized access, for data exfiltration, or perform other malicious actions.
 action.notable.param.rule_title = Linux Decode Base64 to Shell
 action.notable.param.security_domain = endpoint
 action.notable.param.severity = high 
@@ -27547,7 +27592,7 @@ search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic is to look for suspicious process command-line that might be accessing or modifying sshd_config. This file is the ssh configuration file that might be modify by threat actors or adversaries to redirect port connection, allow user using authorized key generated during attack. This anomaly detection might catch noise from administrator auditing or modifying ssh configuration file. In this scenario filter is needed
-action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1098.004", "T1098"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098.004", "T1098"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic is to look for suspicious process command-line that might be accessing or modifying sshd_config. This file is the ssh configuration file that might be modify by threat actors or adversaries to redirect port connection, allow user using authorized key generated during attack. This anomaly detection might catch noise from administrator auditing or modifying ssh configuration file. In this scenario filter is needed
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -27570,7 +27615,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Linux Possible Access Or Modification Of sshd Config File - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1098.004", "T1098"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098.004", "T1098"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true 
@@ -27829,7 +27874,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic is to look for possible ssh key file creation on ~/.ssh/ folder. This technique is commonly abused by threat actors and adversaries to gain persistence and privilege escalation to the targeted host. by creating ssh private and public key and passing the public key to the attacker server. threat actor can access remotely the machine using openssh daemon service.
-action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1098.004", "T1098"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098.004", "T1098"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic is to look for possible ssh key file creation on ~/.ssh/ folder. This technique is commonly abused by threat actors and adversaries to gain persistence and privilege escalation to the targeted host. by creating ssh private and public key and passing the public key to the attacker server. threat actor can access remotely the machine using openssh daemon service.
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. 
@@ -27852,7 +27897,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Linux Possible Ssh Key File Creation - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1098.004", "T1098"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098.004", "T1098"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true 
@@ -28373,7 +28418,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies based on process execution the modification of SSH Authorized Keys. Adversaries perform this behavior to persist on endpoints. During triage, review parallel processes and capture any additional file modifications for review.
-action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1098.004"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098.004"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following analytic identifies based on process execution the modification of SSH Authorized Keys. Adversaries perform this behavior to persist on endpoints. During triage, review parallel processes and capture any additional file modifications for review.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -28396,7 +28441,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Linux SSH Authorized Keys Modification - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1098.004"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098.004"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true 
@@ -30227,13 +30272,13 @@ action.escu.full_search_name = ESCU - Network Connection Discovery With Netstat
 action.escu.search_type = detection
 action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
 action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
-action.escu.analytic_story = ["Active Directory Discovery", "Qakbot", "CISA AA22-277A", "Windows Post-Exploitation", "Prestige Ransomware", "Volt Typhoon"]
+action.escu.analytic_story = ["Active Directory Discovery", "Qakbot", "CISA AA22-277A", "Windows Post-Exploitation", "Prestige Ransomware", "Volt Typhoon", "PlugX"]
 cron_schedule = 0 * * * *
 dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Network Connection Discovery With Netstat - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "Qakbot", "CISA AA22-277A", "Windows Post-Exploitation", "Prestige Ransomware", "Volt Typhoon"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1049"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "Qakbot", "CISA AA22-277A", "Windows Post-Exploitation", "Prestige Ransomware", "Volt Typhoon", "PlugX"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1049"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true 
@@ -30602,7 +30647,7 @@ action.escu.full_search_name = ESCU - Office Application Drop Executable - Rule
 action.escu.search_type = detection
 action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
 action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
-action.escu.analytic_story = ["FIN7", "AgentTesla", "CVE-2023-21716 Word RTF Heap Corruption", "Warzone RAT"]
+action.escu.analytic_story = ["FIN7", "AgentTesla", "CVE-2023-21716 Word RTF Heap Corruption", "Warzone RAT", "PlugX"]
 action.risk = 1
 action.risk.param._risk_message = process $process_name$ drops a file $file_name$ in host $dest$
 action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}, {"threat_object_field": "process_name", "threat_object_type": "process"}]
@@ -30613,7 +30658,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Office Application Drop Executable - Rule
-action.correlationsearch.annotations = {"analytic_story": ["FIN7", "AgentTesla", "CVE-2023-21716 Word RTF Heap Corruption", "Warzone RAT"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["FIN7", "AgentTesla", "CVE-2023-21716 Word RTF Heap Corruption", "Warzone RAT", "PlugX"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -30786,7 +30831,7 @@ action.escu.full_search_name = ESCU - Office Document Executing Macro Code - Rul
 action.escu.search_type = detection
 action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
 action.escu.providing_technologies = null
-action.escu.analytic_story = ["Spearphishing Attachments", "Trickbot", "IcedID", "DarkCrystal RAT", "AgentTesla", "Qakbot", "Azorult", "Remcos"]
+action.escu.analytic_story = ["Spearphishing Attachments", "Trickbot", "IcedID", "DarkCrystal RAT", "AgentTesla", "Qakbot", "Azorult", "Remcos", "PlugX"]
 action.risk = 1
 action.risk.param._risk_message = Office document executing a macro on $dest$
 action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 35}]
@@ -30797,7 +30842,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Office Document Executing Macro Code - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments", "Trickbot", "IcedID", "DarkCrystal RAT", "AgentTesla", "Qakbot", "Azorult", "Remcos"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments", "Trickbot", "IcedID", "DarkCrystal RAT", "AgentTesla", "Qakbot", "Azorult", "Remcos", "PlugX"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -30832,7 +30877,7 @@ action.escu.full_search_name = ESCU - Office Document Spawned Child Process To D
 action.escu.search_type = detection
 action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
 action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
-action.escu.analytic_story = ["Spearphishing Attachments", "CVE-2023-36884 Office and Windows HTML RCE Vulnerability"]
+action.escu.analytic_story = ["Spearphishing Attachments", "CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "PlugX"]
 action.risk = 1
 action.risk.param._risk_message = Office document spawning suspicious child process on $dest$
 action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 35}]
@@ -30843,7 +30888,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Office Document Spawned Child Process To Download - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments", "CVE-2023-36884 Office and Windows HTML RCE Vulnerability"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments", "CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "PlugX"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -30878,7 +30923,7 @@ action.escu.full_search_name = ESCU - Office Product Spawn CMD Process - Rule
 action.escu.search_type = detection
 action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
 action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
-action.escu.analytic_story = ["Trickbot", "DarkCrystal RAT", "Azorult", "Remcos", "Qakbot", "AgentTesla", "CVE-2023-21716 Word RTF Heap Corruption", "CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "Warzone RAT"]
+action.escu.analytic_story = ["Trickbot", "DarkCrystal RAT", "Azorult", "Remcos", "Qakbot", "AgentTesla", "CVE-2023-21716 Word RTF Heap Corruption", "CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "Warzone RAT", "PlugX"]
 action.risk = 1
 action.risk.param._risk_message = an office product parent process $parent_process_name$ spawn child process $process_name$ in host $dest$
 action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 56}]
@@ -30889,7 +30934,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Office Product Spawn CMD Process - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Trickbot", "DarkCrystal RAT", "Azorult", "Remcos", "Qakbot", "AgentTesla", "CVE-2023-21716 Word RTF Heap Corruption", "CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "Warzone RAT"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Trickbot", "DarkCrystal RAT", "Azorult", "Remcos", "Qakbot", "AgentTesla", "CVE-2023-21716 Word RTF Heap Corruption", "CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "Warzone RAT", "PlugX"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -32403,10 +32448,10 @@ search = `powershell` EventCode=4104 ScriptBlockText IN ("*invoke-CIMMethod*", "
 [ESCU - PowerShell Invoke WmiExec Usage - Rule]
 action.escu = 0
 action.escu.enabled = 1
-description = This analytic detects the usage of the Invoke-WMIExec utility within PowerShell Script Block Logging (EventCode 4104). The utility is used for executing WMI commands on targets using NTLMv2 pass-the-hash authentication.
+description = The following analytic detects the usage of the Invoke-WMIExec utility within PowerShell Script Block Logging (EventCode 4104). The utility is used for executing WMI commands on targets using NTLMv2 pass-the-hash authentication.
 action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]}
 action.escu.data_models = []
-action.escu.eli5 = This analytic detects the usage of the Invoke-WMIExec utility within PowerShell Script Block Logging (EventCode 4104). The utility is used for executing WMI commands on targets using NTLMv2 pass-the-hash authentication.
+action.escu.eli5 = The following analytic detects the usage of the Invoke-WMIExec utility within PowerShell Script Block Logging (EventCode 4104). The utility is used for executing WMI commands on targets using NTLMv2 pass-the-hash authentication.
 action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
 action.escu.known_false_positives = False positives should be limited as this analytic is designed to detect a specific utility. It is recommended to apply appropriate filters as needed to minimize the number of false positives.
 action.escu.creation_date = 2023-03-22
@@ -32431,7 +32476,7 @@ action.correlationsearch.annotations = {"analytic_story": ["Suspicious WMI Use"]
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
-action.notable.param.rule_description = This analytic detects the usage of the Invoke-WMIExec utility within PowerShell Script Block Logging (EventCode 4104). The utility is used for executing WMI commands on targets using NTLMv2 pass-the-hash authentication.
+action.notable.param.rule_description = The following analytic detects the usage of the Invoke-WMIExec utility within PowerShell Script Block Logging (EventCode 4104). The utility is used for executing WMI commands on targets using NTLMv2 pass-the-hash authentication.
 action.notable.param.rule_title = PowerShell Invoke WmiExec Usage
 action.notable.param.security_domain = endpoint
 action.notable.param.severity = high
@@ -33971,10 +34016,10 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 [ESCU - Remcos client registry install entry - Rule]
 action.escu = 0
 action.escu.enabled = 1
-description = This search detects registry key license at host where Remcos RAT agent is installed.
+description = The following analytic detects the presence of a registry key related to the Remcos RAT agent on a host. This detection is made by a Splunk query to search for instances where the registry key "license" is found in the "Software\Remcos" path. This analytic combines information from two data models: Endpoint.Processes and Endpoint.Registry and retrieves process information such as user, process ID, process name, process path, destination, parent process name, parent process, and process GUID. This analytic also retrieves registry information such as registry path, registry key name, registry value name, registry value data, and process GUID. By joining the process GUID from the Endpoint.Processes data model with the process GUID from the Endpoint.Registry data model, the analytic identifies instances where the "license" registry key is found in the "Software\Remcos" path. This detection is important because it suggests that the host has been compromised by the Remcos RAT agent. Remcos is a well-known remote access Trojan that can be used by attackers to gain unauthorized access to systems and exfiltrate sensitive data. Identifying this behavior allows the SOC to take immediate action to remove the RAT agent and prevent further compromise. The impact of this attack can be severe, as the attacker can gain unauthorized access to the system, steal sensitive information, or use the compromised system as a launching point for further attacks. Next steps include using this analytic in conjunction with other security measures and threat intelligence to ensure accurate detection and response.
 action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
-action.escu.eli5 = This search detects registry key license at host where Remcos RAT agent is installed.
+action.escu.eli5 = The following analytic detects the presence of a registry key related to the Remcos RAT agent on a host. This detection is made by a Splunk query to search for instances where the registry key "license" is found in the "Software\Remcos" path. This analytic combines information from two data models: Endpoint.Processes and Endpoint.Registry and retrieves process information such as user, process ID, process name, process path, destination, parent process name, parent process, and process GUID. This analytic also retrieves registry information such as registry path, registry key name, registry value name, registry value data, and process GUID. By joining the process GUID from the Endpoint.Processes data model with the process GUID from the Endpoint.Registry data model, the analytic identifies instances where the "license" registry key is found in the "Software\Remcos" path. This detection is important because it suggests that the host has been compromised by the Remcos RAT agent. Remcos is a well-known remote access Trojan that can be used by attackers to gain unauthorized access to systems and exfiltrate sensitive data. Identifying this behavior allows the SOC to take immediate action to remove the RAT agent and prevent further compromise. The impact of this attack can be severe, as the attacker can gain unauthorized access to the system, steal sensitive information, or use the compromised system as a launching point for further attacks. Next steps include using this analytic in conjunction with other security measures and threat intelligence to ensure accurate detection and response.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
 action.escu.known_false_positives = unknown
 action.escu.creation_date = 2022-11-14
@@ -33999,7 +34044,7 @@ action.correlationsearch.annotations = {"analytic_story": ["Remcos", "Windows Re
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
-action.notable.param.rule_description = This search detects registry key license at host where Remcos RAT agent is installed.
+action.notable.param.rule_description = The following analytic detects the presence of a registry key related to the Remcos RAT agent on a host. This detection is made by a Splunk query to search for instances where the registry key "license" is found in the "Software\Remcos" path. This analytic combines information from two data models: Endpoint.Processes and Endpoint.Registry and retrieves process information such as user, process ID, process name, process path, destination, parent process name, parent process, and process GUID. This analytic also retrieves registry information such as registry path, registry key name, registry value name, registry value data, and process GUID. By joining the process GUID from the Endpoint.Processes data model with the process GUID from the Endpoint.Registry data model, the analytic identifies instances where the "license" registry key is found in the "Software\Remcos" path. This detection is important because it suggests that the host has been compromised by the Remcos RAT agent. Remcos is a well-known remote access Trojan that can be used by attackers to gain unauthorized access to systems and exfiltrate sensitive data. Identifying this behavior allows the SOC to take immediate action to remove the RAT agent and prevent further compromise. The impact of this attack can be severe, as the attacker can gain unauthorized access to the system, steal sensitive information, or use the compromised system as a launching point for further attacks. Next steps include using this analytic in conjunction with other security measures and threat intelligence to ensure accurate detection and response.
 action.notable.param.rule_title = Remcos client registry install entry
 action.notable.param.security_domain = endpoint
 action.notable.param.severity = high
@@ -35127,7 +35172,7 @@ action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splun
 action.escu.providing_technologies = null
 action.escu.analytic_story = ["IcedID", "Living Off The Land"]
 action.risk = 1
-action.risk.param._risk_message = rundll32 process $process_name$ having a dns query to $QueryName$ in host $dest$
+action.risk.param._risk_message = rundll32 process $process_name$ made a DNS query for $query$ from host $dest$
 action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}, {"threat_object_field": "process_name", "threat_object_type": "process"}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
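Review bot: The rewritten risk message in the hunk at @@ -35127 references `$query$` where the old text referenced `$QueryName$`; Splunk substitutes such a token only when the search results carry a field with exactly that name, otherwise the placeholder is shown verbatim in the risk event. The stanza's search line is outside this hunk, so I cannot confirm the search was changed to output `query` in the same commit; it would be consistent with normalising to the CIM field name, but please verify by running the search and checking the field list. If the search still produces `QueryName`, either rename the field in the search or keep `$QueryName$` in the message.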
@@ -35846,10 +35891,10 @@ search = | tstats `security_content_summariesonly` count values(Processes.proces
 [ESCU - Scheduled Task Initiation on Remote Endpoint - Rule]
 action.escu = 0
 action.escu.enabled = 1
-description = This analytic detects instances of 'schtasks.exe' being used to start a Scheduled Task on a remote endpoint. Adversaries often abuse the Task Scheduler for lateral movement and remote code execution. The search parameters include process details such as the process name, parent process, and command-line executions. Although legitimate administrators may start scheduled tasks on remote systems, this activity is usually limited to a small set of hosts or users. The findings from this analytic provide valuable insight into potentially malicious activities on an endpoint.
+description = The following analytic detects instances of 'schtasks.exe' being used to start a Scheduled Task on a remote endpoint. Adversaries often abuse the Task Scheduler for lateral movement and remote code execution. The search parameters include process details such as the process name, parent process, and command-line executions. Although legitimate administrators may start scheduled tasks on remote systems, this activity is usually limited to a small set of hosts or users. The findings from this analytic provide valuable insight into potentially malicious activities on an endpoint.
 action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053", "T1053.005"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
-action.escu.eli5 = This analytic detects instances of 'schtasks.exe' being used to start a Scheduled Task on a remote endpoint. Adversaries often abuse the Task Scheduler for lateral movement and remote code execution. The search parameters include process details such as the process name, parent process, and command-line executions. Although legitimate administrators may start scheduled tasks on remote systems, this activity is usually limited to a small set of hosts or users. The findings from this analytic provide valuable insight into potentially malicious activities on an endpoint.
+action.escu.eli5 = The following analytic detects instances of 'schtasks.exe' being used to start a Scheduled Task on a remote endpoint. Adversaries often abuse the Task Scheduler for lateral movement and remote code execution. The search parameters include process details such as the process name, parent process, and command-line executions. Although legitimate administrators may start scheduled tasks on remote systems, this activity is usually limited to a small set of hosts or users. The findings from this analytic provide valuable insight into potentially malicious activities on an endpoint.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
 action.escu.known_false_positives = Administrators may start scheduled tasks on remote systems, but this activity is usually limited to a small set of hosts or users.
 action.escu.creation_date = 2021-11-11
@@ -35874,7 +35919,7 @@ action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lat
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
-action.notable.param.rule_description = This analytic detects instances of 'schtasks.exe' being used to start a Scheduled Task on a remote endpoint. Adversaries often abuse the Task Scheduler for lateral movement and remote code execution. The search parameters include process details such as the process name, parent process, and command-line executions. Although legitimate administrators may start scheduled tasks on remote systems, this activity is usually limited to a small set of hosts or users. The findings from this analytic provide valuable insight into potentially malicious activities on an endpoint.
+action.notable.param.rule_description = The following analytic detects instances of 'schtasks.exe' being used to start a Scheduled Task on a remote endpoint. Adversaries often abuse the Task Scheduler for lateral movement and remote code execution. The search parameters include process details such as the process name, parent process, and command-line executions. Although legitimate administrators may start scheduled tasks on remote systems, this activity is usually limited to a small set of hosts or users. The findings from this analytic provide valuable insight into potentially malicious activities on an endpoint.
 action.notable.param.rule_title = Scheduled Task Initiation on Remote Endpoint
 action.notable.param.security_domain = endpoint
 action.notable.param.severity = high
@@ -36076,10 +36121,10 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTim
 [ESCU - Script Execution via WMI - Rule]
 action.escu = 0
 action.escu.enabled = 1
-description = The following analytic is designed to detect the potential misuse of Windows Management Instrumentation (WMI) for malicious purposes. WMI can be utilized by adversaries to execute scripts, a method often employed for maintaining stealth while carrying out malicious activities. The process 'scrcons.exe', integral to executing WMI scripts, is primarily monitored by this analytic. The underlying threat lies in the fact that successful execution of a malicious script can lead to numerous negative outcomes, including system compromise, data exfiltration, or the establishment of persistence. It's essential for cybersecurity analysts to remain vigilant towards unexpected or isolated script executions via WMI, as such instances often signal suspicious activities or potential security breaches. Although uncommon, administrators may occasionally use WMI to launch scripts for legitimate purposes. Therefore, discerning malicious activities from benign ones is crucial in this context.
+description = The following analytic detects any potential misuse of Windows Management Instrumentation (WMI) for malicious purposes since adversaries often use WMI to run scripts which allows them to carry out malicious activities without raising suspicion. The detection is made by monitoring the process 'scrcons.exe', which is essential to run WMI scripts. The detection is important because it proactively identifies and responds to potential threats that leverage WMI for malicious purposes that can lead to system compromise, data exfiltration, or the establishment of persistence within the environment. False positives might occur since administrators might occasionally use WMI to launch scripts for legitimate purposes. Therefore, you must distinguish between malicious and benign activities.
 action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
-action.escu.eli5 = The following analytic is designed to detect the potential misuse of Windows Management Instrumentation (WMI) for malicious purposes. WMI can be utilized by adversaries to execute scripts, a method often employed for maintaining stealth while carrying out malicious activities. The process 'scrcons.exe', integral to executing WMI scripts, is primarily monitored by this analytic. The underlying threat lies in the fact that successful execution of a malicious script can lead to numerous negative outcomes, including system compromise, data exfiltration, or the establishment of persistence. It's essential for cybersecurity analysts to remain vigilant towards unexpected or isolated script executions via WMI, as such instances often signal suspicious activities or potential security breaches. Although uncommon, administrators may occasionally use WMI to launch scripts for legitimate purposes. Therefore, discerning malicious activities from benign ones is crucial in this context.
+action.escu.eli5 = The following analytic detects any potential misuse of Windows Management Instrumentation (WMI) for malicious purposes since adversaries often use WMI to run scripts which allows them to carry out malicious activities without raising suspicion. The detection is made by monitoring the process 'scrcons.exe', which is essential to run WMI scripts. The detection is important because it proactively identifies and responds to potential threats that leverage WMI for malicious purposes that can lead to system compromise, data exfiltration, or the establishment of persistence within the environment. False positives might occur since administrators might occasionally use WMI to launch scripts for legitimate purposes. Therefore, you must distinguish between malicious and benign activities.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
 action.escu.known_false_positives = Although unlikely, administrators may use wmi to launch scripts for legitimate purposes. Filter as needed.
 action.escu.creation_date = 2020-03-16
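Review bot: The rewritten description in this hunk (and its copy in action.notable.param.rule_description in the hunk at @@ -36104 below) states that the detection "proactively identifies and responds to potential threats"; a scheduled correlation search only detects, and any response comes from the notable or risk workflow downstream, so the sentence overstates what the rule does to the analyst reading the notable. "detects any potential misuse" likewise overclaims for a search keyed on a single process name. Suggest replacing that sentence with `The detection is important because abuse of WMI script execution can lead to system compromise, data exfiltration, or persistence within the environment.` in all three copies (description, action.escu.eli5, rule_description), or in the detection YAML if this file is generated from it.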
@@ -36104,7 +36149,7 @@ action.correlationsearch.annotations = {"analytic_story": ["Suspicious WMI Use"]
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
-action.notable.param.rule_description = The following analytic is designed to detect the potential misuse of Windows Management Instrumentation (WMI) for malicious purposes. WMI can be utilized by adversaries to execute scripts, a method often employed for maintaining stealth while carrying out malicious activities. The process 'scrcons.exe', integral to executing WMI scripts, is primarily monitored by this analytic. The underlying threat lies in the fact that successful execution of a malicious script can lead to numerous negative outcomes, including system compromise, data exfiltration, or the establishment of persistence. It's essential for cybersecurity analysts to remain vigilant towards unexpected or isolated script executions via WMI, as such instances often signal suspicious activities or potential security breaches. Although uncommon, administrators may occasionally use WMI to launch scripts for legitimate purposes. Therefore, discerning malicious activities from benign ones is crucial in this context.
+action.notable.param.rule_description = The following analytic detects any potential misuse of Windows Management Instrumentation (WMI) for malicious purposes since adversaries often use WMI to run scripts which allows them to carry out malicious activities without raising suspicion. The detection is made by monitoring the process 'scrcons.exe', which is essential to run WMI scripts. The detection is important because it proactively identifies and responds to potential threats that leverage WMI for malicious purposes that can lead to system compromise, data exfiltration, or the establishment of persistence within the environment. False positives might occur since administrators might occasionally use WMI to launch scripts for legitimate purposes. Therefore, you must distinguish between malicious and benign activities.
 action.notable.param.rule_title = Script Execution via WMI
 action.notable.param.security_domain = endpoint
 action.notable.param.severity = high
@@ -36260,10 +36305,10 @@ search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint
 [ESCU - SecretDumps Offline NTDS Dumping Tool - Rule]
 action.escu = 0
 action.escu.enabled = 1
-description = This analytic detects a potential usage of secretsdump.py tool for dumping credentials (ntlm hash) from a copy of ntds.dit and SAM.Security,SYSTEM registrry hive. This technique was seen in some attacker that dump ntlm hashes offline after having a copy of ntds.dit and SAM/SYSTEM/SECURITY registry hive.
+description = The following analytic detects a potential usage of secretsdump.py tool for dumping credentials (ntlm hash) from a copy of ntds.dit and SAM.Security,SYSTEM registrry hive. This technique was seen in some attacker that dump ntlm hashes offline after having a copy of ntds.dit and SAM/SYSTEM/SECURITY registry hive.
 action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
-action.escu.eli5 = This analytic detects a potential usage of secretsdump.py tool for dumping credentials (ntlm hash) from a copy of ntds.dit and SAM.Security,SYSTEM registrry hive. This technique was seen in some attacker that dump ntlm hashes offline after having a copy of ntds.dit and SAM/SYSTEM/SECURITY registry hive.
+action.escu.eli5 = The following analytic detects a potential usage of secretsdump.py tool for dumping credentials (ntlm hash) from a copy of ntds.dit and SAM.Security,SYSTEM registrry hive. This technique was seen in some attacker that dump ntlm hashes offline after having a copy of ntds.dit and SAM/SYSTEM/SECURITY registry hive.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. 
To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
 action.escu.known_false_positives = unknown
 action.escu.creation_date = 2023-06-13
@@ -36288,7 +36333,7 @@ action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping",
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
-action.notable.param.rule_description = This analytic detects a potential usage of secretsdump.py tool for dumping credentials (ntlm hash) from a copy of ntds.dit and SAM.Security,SYSTEM registrry hive. This technique was seen in some attacker that dump ntlm hashes offline after having a copy of ntds.dit and SAM/SYSTEM/SECURITY registry hive.
+action.notable.param.rule_description = The following analytic detects a potential usage of secretsdump.py tool for dumping credentials (ntlm hash) from a copy of ntds.dit and SAM.Security,SYSTEM registrry hive. This technique was seen in some attacker that dump ntlm hashes offline after having a copy of ntds.dit and SAM/SYSTEM/SECURITY registry hive.
 action.notable.param.rule_title = SecretDumps Offline NTDS Dumping Tool
 action.notable.param.security_domain = endpoint
 action.notable.param.severity = high
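Review bot: The rewritten description, eli5 and rule_description lines carry over the typo "registrry", the garbled "SAM.Security,SYSTEM registrry hive", and the ungrammatical "was seen in some attacker that dump"; since all three lines are being edited anyway, fix the wording now. Suggest `... from a copy of ntds.dit and the SAM, SECURITY and SYSTEM registry hives. This technique has been observed when attackers dump NTLM hashes offline after obtaining a copy of ntds.dit and the SAM/SYSTEM/SECURITY registry hives.` and apply it identically to `description`, `action.escu.eli5` and `action.notable.param.rule_description`. The untouched `action.escu.known_false_positives = unknown` is also worth a sentence: authorized red-team or pentest use of impacket's secretsdump is the obvious benign source, presumably, and naming it gives analysts a starting point.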
@@ -36716,10 +36761,10 @@ search = `wineventlog_security` EventCode=4698 OR EventCode=4699 | xmlkv Messag
 [ESCU - Short Lived Windows Accounts - Rule]
 action.escu = 0
 action.escu.enabled = 1
-description = This search detects accounts that were created and deleted in a short time period.
+description = The following analytic detects the creation and deletion of accounts in a short time period to identify potential threats earlier and take appropriate actions to mitigate the risks. Helps prevent or minimize the potential damage caused by unauthorized access or malicious activities within the environment. This detection is made by a Splunk query that searches for events with the result IDs 4720 and 4726 in the "Change" data model. The query then groups the results by time, user, and destination. The result is filtered to only include events with the specified result IDs. The "transaction" command is used to group events that occur within a specified time span and have the same user but are not connected. Finally, the relevant information such as the first and last time of the event, the count, user, destination, and result ID are displayed in a table. This detection is important because it suggests that an attacker is attempting to create and delete accounts rapidly, potentially to cover their tracks or gain unauthorized access. The impact of such an attack can include unauthorized access to sensitive data, privilege escalation, or the ability to carry out further malicious activities within the environment. Next steps include investigating the events flagged by the analytic, review the account creation and deletion activities, and analyze any associated logs or artifacts to determine the intent and impact of the attack. 
 action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.001", "T1136"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Change"]
-action.escu.eli5 = This search detects accounts that were created and deleted in a short time period.
+action.escu.eli5 = The following analytic detects the creation and deletion of accounts in a short time period to identify potential threats earlier and take appropriate actions to mitigate the risks. Helps prevent or minimize the potential damage caused by unauthorized access or malicious activities within the environment. This detection is made by a Splunk query that searches for events with the result IDs 4720 and 4726 in the "Change" data model. The query then groups the results by time, user, and destination. The result is filtered to only include events with the specified result IDs. The "transaction" command is used to group events that occur within a specified time span and have the same user but are not connected. Finally, the relevant information such as the first and last time of the event, the count, user, destination, and result ID are displayed in a table. This detection is important because it suggests that an attacker is attempting to create and delete accounts rapidly, potentially to cover their tracks or gain unauthorized access. The impact of such an attack can include unauthorized access to sensitive data, privilege escalation, or the ability to carry out further malicious activities within the environment. Next steps include investigating the events flagged by the analytic, review the account creation and deletion activities, and analyze any associated logs or artifacts to determine the intent and impact of the attack.
 action.escu.how_to_implement = This search requires you to have enabled your Group Management Audit Logs in your Local Windows Security Policy and be ingesting those logs. 
More information on how to enable them can be found here: http://whatevernetworks.com/auditing-group-membership-changes-in-active-directory/
 action.escu.known_false_positives = It is possible that an administrator created and deleted an account in a short time period. Verifying activity with an administrator is advised.
 action.escu.creation_date = 2020-07-06
@@ -36744,7 +36789,7 @@ action.correlationsearch.annotations = {"analytic_story": ["Account Monitoring a
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
-action.notable.param.rule_description = This search detects accounts that were created and deleted in a short time period.
+action.notable.param.rule_description = The following analytic detects the creation and deletion of accounts in a short time period to identify potential threats earlier and take appropriate actions to mitigate the risks. Helps prevent or minimize the potential damage caused by unauthorized access or malicious activities within the environment. This detection is made by a Splunk query that searches for events with the result IDs 4720 and 4726 in the "Change" data model. The query then groups the results by time, user, and destination. The result is filtered to only include events with the specified result IDs. The "transaction" command is used to group events that occur within a specified time span and have the same user but are not connected. Finally, the relevant information such as the first and last time of the event, the count, user, destination, and result ID are displayed in a table. This detection is important because it suggests that an attacker is attempting to create and delete accounts rapidly, potentially to cover their tracks or gain unauthorized access. The impact of such an attack can include unauthorized access to sensitive data, privilege escalation, or the ability to carry out further malicious activities within the environment. Next steps include investigating the events flagged by the analytic, review the account creation and deletion activities, and analyze any associated logs or artifacts to determine the intent and impact of the attack.
 action.notable.param.rule_title = Short Lived Windows Accounts
 action.notable.param.security_domain = access
 action.notable.param.severity = high
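Review bot: The new description's account of the transaction step is self-contradictory ("events that occur within a specified time span and have the same user but are not connected"), and "4720 and 4726" are introduced only as "result IDs" without saying they are the Windows Security event codes for account created and account deleted, which is what an analyst needs to map the rule onto their data. Suggest `The query looks for Change events whose result_id is 4720 (user account created) or 4726 (user account deleted), then uses transaction to pair a create and a delete for the same user that occur within the configured time span.` The search itself is outside this hunk, so confirm the field name and the transaction maxspan against it before wording it that precisely. The same paragraph is duplicated in `description`, `action.escu.eli5` and `action.notable.param.rule_description`; apply the fix to all three.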
@@ -36808,10 +36853,10 @@ search = | tstats `security_content_summariesonly` count min(_time) AS firstTime
 [ESCU - Single Letter Process On Endpoint - Rule]
 action.escu = 0
 action.escu.enabled = 1
-description = This search looks for process names that consist only of a single letter.
+description = The following analytic detects a behavior where a process name consists only of a single letter that helps to detect potential threats earlier and mitigate the risks. This detection is important because it indicates the presence of malware or an attacker attempting to evade detection by using a process name that is difficult to identify or track so that he can carry out malicious activities such as data theft or ransomware attacks. False positives might occur since there might be legitimate uses of single-letter process names in your environment. Next steps include reviewing the process details and investigating any suspicious activity upon triage.
 action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204", "T1204.002"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
-action.escu.eli5 = This search looks for process names that consist only of a single letter.
+action.escu.eli5 = The following analytic detects a behavior where a process name consists only of a single letter that helps to detect potential threats earlier and mitigate the risks. This detection is important because it indicates the presence of malware or an attacker attempting to evade detection by using a process name that is difficult to identify or track so that he can carry out malicious activities such as data theft or ransomware attacks. False positives might occur since there might be legitimate uses of single-letter process names in your environment. Next steps include reviewing the process details and investigating any suspicious activity upon triage. 
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
 action.escu.known_false_positives = Single-letter executables are not always malicious. Investigate this activity with your normal incident-response process.
 action.escu.creation_date = 2020-12-08
@@ -36836,7 +36881,7 @@ action.correlationsearch.annotations = {"analytic_story": ["DHS Report TA18-074A
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
-action.notable.param.rule_description = This search looks for process names that consist only of a single letter.
+action.notable.param.rule_description = The following analytic detects a behavior where a process name consists only of a single letter that helps to detect potential threats earlier and mitigate the risks. This detection is important because it indicates the presence of malware or an attacker attempting to evade detection by using a process name that is difficult to identify or track so that he can carry out malicious activities such as data theft or ransomware attacks. False positives might occur since there might be legitimate uses of single-letter process names in your environment. Next steps include reviewing the process details and investigating any suspicious activity upon triage.
 action.notable.param.rule_title = Single Letter Process On Endpoint
 action.notable.param.security_domain = endpoint
 action.notable.param.severity = high
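Review bot: The new description asserts that a hit "indicates the presence of malware or an attacker", which contradicts the rule's own `action.escu.known_false_positives` ("Single-letter executables are not always malicious") a few lines below and will push analysts toward over-escalating a severity-high notable. Soften it to `This detection is important because it may indicate malware or an attacker attempting to evade detection by using a process name that is difficult to identify or track so that they can carry out malicious activities such as data theft or ransomware attacks.` (this also drops the gendered "he"). The paragraph is repeated verbatim in `description`, `action.escu.eli5` and `action.notable.param.rule_description`, so change all three together.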
@@ -38292,10 +38337,10 @@ search = `osquery_process` "columns.cmdline"="*LaunchAgents*" OR "columns.cmdlin
 [ESCU - Suspicious Process DNS Query Known Abuse Web Services - Rule]
 action.escu = 0
 action.escu.enabled = 1
-description = This analytic detects a suspicious process making a DNS query via known, abused text-paste web services, VoIP, instant messaging, and digital distribution platforms used to download external files. This technique is abused by adversaries, malware actors, and red teams to download a malicious file on the target host. This is a good TTP indicator for possible initial access techniques. A user will experience false positives if the following instant messaging is allowed or common applications like telegram or discord are allowed in the corporate network.
+description = The following analytic detects a suspicious process making a DNS query via known, abused text-paste web services, VoIP, instant messaging, and digital distribution platforms used to download external files. This technique is abused by adversaries, malware actors, and red teams to download a malicious file on the target host. This is a good TTP indicator for possible initial access techniques. A user will experience false positives if the following instant messaging is allowed or common applications like telegram or discord are allowed in the corporate network.
 action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.005", "T1059"], "nist": ["DE.CM"]}
 action.escu.data_models = []
-action.escu.eli5 = This analytic detects a suspicious process making a DNS query via known, abused text-paste web services, VoIP, instant messaging, and digital distribution platforms used to download external files. This technique is abused by adversaries, malware actors, and red teams to download a malicious file on the target host. This is a good TTP indicator for possible initial access techniques. 
A user will experience false positives if the following instant messaging is allowed or common applications like telegram or discord are allowed in the corporate network.
+action.escu.eli5 = The following analytic detects a suspicious process making a DNS query via known, abused text-paste web services, VoIP, instant messaging, and digital distribution platforms used to download external files. This technique is abused by adversaries, malware actors, and red teams to download a malicious file on the target host. This is a good TTP indicator for possible initial access techniques. A user will experience false positives if the following instant messaging is allowed or common applications like telegram or discord are allowed in the corporate network.
 action.escu.how_to_implement = This detection relies on sysmon logs with the Event ID 22, DNS Query. We suggest you run this detection at least once a day over the last 14 days.
 action.escu.known_false_positives = Noise and false positive can be seen if the following instant messaging is allowed to use within corporate network. In this case, a filter is needed.
 action.escu.creation_date = 2023-04-14
@@ -38320,7 +38365,7 @@ action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
-action.notable.param.rule_description = This analytic detects a suspicious process making a DNS query via known, abused text-paste web services, VoIP, instant messaging, and digital distribution platforms used to download external files. This technique is abused by adversaries, malware actors, and red teams to download a malicious file on the target host. This is a good TTP indicator for possible initial access techniques. A user will experience false positives if the following instant messaging is allowed or common applications like telegram or discord are allowed in the corporate network.
+action.notable.param.rule_description = The following analytic detects a suspicious process making a DNS query via known, abused text-paste web services, VoIP, instant messaging, and digital distribution platforms used to download external files. This technique is abused by adversaries, malware actors, and red teams to download a malicious file on the target host. This is a good TTP indicator for possible initial access techniques. A user will experience false positives if the following instant messaging is allowed or common applications like telegram or discord are allowed in the corporate network.
 action.notable.param.rule_title = Suspicious Process DNS Query Known Abuse Web Services
 action.notable.param.security_domain = endpoint
 action.notable.param.severity = high
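Review bot: The description kept by this hunk calls the behaviour "a good TTP indicator for possible initial access techniques", yet the mapping on the same hunk is `"kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.005", "T1059"]` (Visual Basic scripting), while the sibling rule Windows Abused Web Services, whose description is word-for-word the same behaviour, maps it to `T1102` under Command And Control. One of the two is presumably wrong, and a process resolving paste/IM/VoIP service domains is closer to T1102 Web Service than to a scripting-language sub-technique; since these annotations feed ES correlation and MITRE coverage reporting, reconcile them rather than leaving two rules disagreeing about the same telemetry. The phrase "if the following instant messaging is allowed" also refers to a list that never appears in the text; either name the services or write `if instant-messaging or common applications like Telegram or Discord are allowed in the corporate network`.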
@@ -38397,7 +38442,7 @@ action.escu.full_search_name = ESCU - Suspicious Process File Path - Rule
 action.escu.search_type = detection
 action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
 action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
-action.escu.analytic_story = ["WhisperGate", "XMRig", "Industroyer2", "Remcos", "Data Destruction", "Hermetic Wiper", "Azorult", "DarkCrystal RAT", "Graceful Wipe Out Attack", "IcedID", "Swift Slicer", "Qakbot", "RedLine Stealer", "Brute Ratel C4", "Prestige Ransomware", "AsyncRAT", "LockBit Ransomware", "AgentTesla", "Double Zero Destructor", "Volt Typhoon", "Chaos Ransomware", "Trickbot", "Amadey", "BlackByte Ransomware", "Warzone RAT"]
+action.escu.analytic_story = ["WhisperGate", "XMRig", "Industroyer2", "Remcos", "Data Destruction", "Hermetic Wiper", "Azorult", "DarkCrystal RAT", "Graceful Wipe Out Attack", "IcedID", "Swift Slicer", "Qakbot", "RedLine Stealer", "Brute Ratel C4", "Prestige Ransomware", "AsyncRAT", "LockBit Ransomware", "AgentTesla", "Double Zero Destructor", "Volt Typhoon", "Chaos Ransomware", "Trickbot", "Amadey", "BlackByte Ransomware", "Warzone RAT", "PlugX"]
 action.risk = 1
 action.risk.param._risk_message = Suspicious process $process_name$ running from a suspicious process path- $process_path$ on host- $dest$
 action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 35}, {"threat_object_field": "process_path", "threat_object_type": "process name"}]
@@ -38408,7 +38453,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Suspicious Process File Path - Rule
-action.correlationsearch.annotations = {"analytic_story": ["WhisperGate", "XMRig", "Industroyer2", "Remcos", "Data Destruction", "Hermetic Wiper", "Azorult", "DarkCrystal RAT", "Graceful Wipe Out Attack", "IcedID", "Swift Slicer", "Qakbot", "RedLine Stealer", "Brute Ratel C4", "Prestige Ransomware", "AsyncRAT", "LockBit Ransomware", "AgentTesla", "Double Zero Destructor", "Volt Typhoon", "Chaos Ransomware", "Trickbot", "Amadey", "BlackByte Ransomware", "Warzone RAT"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1543"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["WhisperGate", "XMRig", "Industroyer2", "Remcos", "Data Destruction", "Hermetic Wiper", "Azorult", "DarkCrystal RAT", "Graceful Wipe Out Attack", "IcedID", "Swift Slicer", "Qakbot", "RedLine Stealer", "Brute Ratel C4", "Prestige Ransomware", "AsyncRAT", "LockBit Ransomware", "AgentTesla", "Double Zero Destructor", "Volt Typhoon", "Chaos Ransomware", "Trickbot", "Amadey", "BlackByte Ransomware", "Warzone RAT", "PlugX"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1543"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -39001,10 +39046,10 @@ search = | tstats `security_content_summariesonly` values(Processes.process) as
 [ESCU - Suspicious writes to windows Recycle Bin - Rule]
 action.escu = 0
 action.escu.enabled = 1
-description = This search detects writes to the recycle bin by a process other than explorer.exe.
+description = The following analytic detects when a process other than explorer.exe writes to the Windows Recycle Bin to detect potential threats earlier and mitigate the risks. This detection is made by a Splunk query that utilizes the Endpoint.Filesystem data model and the Endpoint.Processes data model. The query looks for any process writing to the "*$Recycle.Bin*" file path, excluding explorer.exe. This detection is important because it suggests that an attacker is attempting to hide their activities by using the Recycle Bin, which can lead to data theft, ransomware, or other damaging outcomes. Detecting writes to the Recycle Bin by a process other than explorer.exe can help to investigate and determine if the activity is malicious or benign. False positives might occur since there might be legitimate uses of the Recycle Bin by processes other than explorer.exe. Next steps include reviewing the process writing to the Recycle Bin and any relevant on-disk artifacts upon triage.
 action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
-action.escu.eli5 = This search detects writes to the recycle bin by a process other than explorer.exe.
+action.escu.eli5 = The following analytic detects when a process other than explorer.exe writes to the Windows Recycle Bin to detect potential threats earlier and mitigate the risks. This detection is made by a Splunk query that utilizes the Endpoint.Filesystem data model and the Endpoint.Processes data model. The query looks for any process writing to the "*$Recycle.Bin*" file path, excluding explorer.exe. 
This detection is important because it suggests that an attacker is attempting to hide their activities by using the Recycle Bin, which can lead to data theft, ransomware, or other damaging outcomes. Detecting writes to the Recycle Bin by a process other than explorer.exe can help to investigate and determine if the activity is malicious or benign. False positives might occur since there might be legitimate uses of the Recycle Bin by processes other than explorer.exe. Next steps include reviewing the process writing to the Recycle Bin and any relevant on-disk artifacts upon triage.
 action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on filesystem and process logs responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` nodes.
 action.escu.known_false_positives = Because the Recycle Bin is a hidden folder in modern versions of Windows, it would be unusual for a process other than explorer.exe to write to it. Incidents should be investigated as appropriate.
 action.escu.creation_date = 2020-07-22
@@ -39014,7 +39059,7 @@ action.escu.full_search_name = ESCU - Suspicious writes to windows Recycle Bin -
 action.escu.search_type = detection
 action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
 action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
-action.escu.analytic_story = ["Collection and Staging"]
+action.escu.analytic_story = ["Collection and Staging", "PlugX"]
 action.risk = 1
 action.risk.param._risk_message = Suspicious writes to windows Recycle Bin process $Processes.process_name$
 action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 28}, {"threat_object_field": "Processes.process_name", "threat_object_type": "process"}]
@@ -39025,11 +39070,11 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Suspicious writes to windows Recycle Bin - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Collection and Staging"], "cis20": ["CIS 10"], "confidence": 70, "impact": 40, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Collection and Staging", "PlugX"], "cis20": ["CIS 10"], "confidence": 70, "impact": 40, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
-action.notable.param.rule_description = This search detects writes to the recycle bin by a process other than explorer.exe.
+action.notable.param.rule_description = The following analytic detects when a process other than explorer.exe writes to the Windows Recycle Bin to detect potential threats earlier and mitigate the risks. This detection is made by a Splunk query that utilizes the Endpoint.Filesystem data model and the Endpoint.Processes data model. The query looks for any process writing to the "*$Recycle.Bin*" file path, excluding explorer.exe. This detection is important because it suggests that an attacker is attempting to hide their activities by using the Recycle Bin, which can lead to data theft, ransomware, or other damaging outcomes. Detecting writes to the Recycle Bin by a process other than explorer.exe can help to investigate and determine if the activity is malicious or benign. False positives might occur since there might be legitimate uses of the Recycle Bin by processes other than explorer.exe. Next steps include reviewing the process writing to the Recycle Bin and any relevant on-disk artifacts upon triage. 
 action.notable.param.rule_title = Suspicious writes to windows Recycle Bin
 action.notable.param.security_domain = endpoint
 action.notable.param.severity = high
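Review bot: The new rule_description's false-positive sentence ("there might be legitimate uses of the Recycle Bin by processes other than explorer.exe") is at odds with the rule's own `action.escu.known_false_positives`, which says such writes would be unusual; the two should agree, and whichever is right, the text should name the benign writers to expect (disk-cleanup or backup agents, presumably — confirm from tuning data) rather than leave the analyst guessing. This same commit adds `"PlugX"` to `action.escu.analytic_story` and to the correlationsearch annotations, which is the concrete rationale the generic "attacker is attempting to hide their activities" sentence lacks; suggest `This detection is important because malware families such as PlugX have been observed staging or hiding files under $Recycle.Bin, a hidden folder users rarely inspect.` Be aware that ES substitutes `$field$` tokens in notable text (the `_risk_message` on this rule uses `$Processes.process_name$`), so keep any `$Recycle.Bin` mention to a single `$` per value or escape it, to my knowledge, to avoid a partial substitution.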
@@ -39778,10 +39823,10 @@ search = `wineventlog_security` EventCode=4624 Logon_Type=3 Account_Name!="*$"
 [ESCU - Unusually Long Command Line - Rule]
 action.escu = 0
 action.escu.enabled = 1
-description = Command lines that are extremely long may be indicative of malicious activity on your hosts.
+description = The following analytic detects command lines that are extremely long, which might be indicative of malicious activity on your hosts because attackers often use obfuscated or complex command lines to hide their actions and evade detection. This helps to mitigate the risks associated with long command lines to enhance your overall security posture and reduce the impact of attacks. This detection is important because it suggests that an attacker might be attempting to execute a malicious command or payload on the host, which can lead to various damaging outcomes such as data theft, ransomware, or further compromise of the system. False positives might occur since legitimate processes or commands can sometimes result in long command lines. Next steps include conducting extensive triage and investigation to differentiate between legitimate and malicious activities. Review the source of the command line and the command itself during the triage. Additionally, capture and inspect any relevant on-disk artifacts and review concurrent processes to identify the source of the attack.
 action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
-action.escu.eli5 = Command lines that are extremely long may be indicative of malicious activity on your hosts.
+action.escu.eli5 = The following analytic detects command lines that are extremely long, which might be indicative of malicious activity on your hosts because attackers often use obfuscated or complex command lines to hide their actions and evade detection. 
This helps to mitigate the risks associated with long command lines to enhance your overall security posture and reduce the impact of attacks. This detection is important because it suggests that an attacker might be attempting to execute a malicious command or payload on the host, which can lead to various damaging outcomes such as data theft, ransomware, or further compromise of the system. False positives might occur since legitimate processes or commands can sometimes result in long command lines. Next steps include conducting extensive triage and investigation to differentiate between legitimate and malicious activities. Review the source of the command line and the command itself during the triage. Additionally, capture and inspect any relevant on-disk artifacts and review concurrent processes to identify the source of the attack.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
 action.escu.known_false_positives = Some legitimate applications start with long command lines.
 action.escu.creation_date = 2020-12-08
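Review bot: The rewritten description never says what "extremely long" means; the length threshold the search applies (the search line is outside this hunk) is the single most useful tuning fact for an analyst and belongs in the text, e.g. `The analytic flags processes whose command line exceeds N characters`, with N taken from the search. The text also frames the behaviour as attackers using "obfuscated or complex command lines", but `action.escu.mappings` on this rule carries only cis20 and nist with no `mitre_attack` entry, so if obfuscation is the intent the annotation should say so (T1027 is the obvious candidate — confirm against the team's mapping convention). As with the other rewrites in this commit, the same paragraph is copied into both `description` and `action.escu.eli5`; keep them in sync.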
@@ -40377,10 +40422,10 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 [ESCU - Windows Abused Web Services - Rule]
 action.escu = 0
 action.escu.enabled = 1
-description = This analytic detects a suspicious process making a DNS query via known, abused text-paste web services, VoIP, internet via secure tunneling,instant messaging, and digital distribution platforms used to download external files. This technique is abused by adversaries, malware actors, and red teams to download a malicious file on the target host. This is a good TTP indicator for possible initial access techniques. A user will experience false positives if the following instant messaging is allowed or common applications like telegram or discord are allowed in the corporate network.
+description = The following analytic detects a suspicious process making a DNS query via known, abused text-paste web services, VoIP, internet via secure tunneling,instant messaging, and digital distribution platforms used to download external files. This technique is abused by adversaries, malware actors, and red teams to download a malicious file on the target host. This is a good TTP indicator for possible initial access techniques. A user will experience false positives if the following instant messaging is allowed or common applications like telegram or discord are allowed in the corporate network.
 action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command And Control"], "mitre_attack": ["T1102"], "nist": ["DE.CM"]}
 action.escu.data_models = []
-action.escu.eli5 = This analytic detects a suspicious process making a DNS query via known, abused text-paste web services, VoIP, internet via secure tunneling,instant messaging, and digital distribution platforms used to download external files. This technique is abused by adversaries, malware actors, and red teams to download a malicious file on the target host. This is a good TTP indicator for possible initial access techniques. A user will experience false positives if the following instant messaging is allowed or common applications like telegram or discord are allowed in the corporate network.
+action.escu.eli5 = The following analytic detects a suspicious process making a DNS query via known, abused text-paste web services, VoIP, internet via secure tunneling,instant messaging, and digital distribution platforms used to download external files. This technique is abused by adversaries, malware actors, and red teams to download a malicious file on the target host. This is a good TTP indicator for possible initial access techniques. A user will experience false positives if the following instant messaging is allowed or common applications like telegram or discord are allowed in the corporate network.
 action.escu.how_to_implement = This detection relies on sysmon logs with the Event ID 22, DNS Query. We suggest you run this detection at least once a day over the last 14 days.
 action.escu.known_false_positives = Noise and false positive can be seen if the following instant messaging is allowed to use within corporate network. In this case, a filter is needed.
 action.escu.creation_date = 2023-09-20
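Review bot: The rewritten description and eli5 on the new side carry over the missing space in `secure tunneling,instant messaging` and the unclear phrase "if the following instant messaging is allowed", and the same wording is repeated in the rule_description hunk at `@@ -40405,7 +40450,7 @@` directly below. Since these strings are the only thing this hunk changes, this is the natural place to fix them: `internet via secure tunneling, instant messaging, and digital distribution platforms` and `A user will experience false positives if any of the listed instant-messaging or distribution services, such as Telegram or Discord, are allowed in the corporate network.` known_false_positives in the same hunk has the same "if the following instant messaging is allowed" construction and could be aligned at the same time.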
@@ -40405,7 +40450,7 @@ action.correlationsearch.annotations = {"analytic_story": ["NjRAT"], "cis20": ["
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
-action.notable.param.rule_description = This analytic detects a suspicious process making a DNS query via known, abused text-paste web services, VoIP, internet via secure tunneling,instant messaging, and digital distribution platforms used to download external files. This technique is abused by adversaries, malware actors, and red teams to download a malicious file on the target host. This is a good TTP indicator for possible initial access techniques. A user will experience false positives if the following instant messaging is allowed or common applications like telegram or discord are allowed in the corporate network.
+action.notable.param.rule_description = The following analytic detects a suspicious process making a DNS query via known, abused text-paste web services, VoIP, internet via secure tunneling,instant messaging, and digital distribution platforms used to download external files. This technique is abused by adversaries, malware actors, and red teams to download a malicious file on the target host. This is a good TTP indicator for possible initial access techniques. A user will experience false positives if the following instant messaging is allowed or common applications like telegram or discord are allowed in the corporate network.
 action.notable.param.rule_title = Windows Abused Web Services
 action.notable.param.security_domain = endpoint
 action.notable.param.severity = high
@@ -40436,7 +40481,7 @@ action.escu.full_search_name = ESCU - Windows Access Token Manipulation SeDebugP
 action.escu.search_type = detection
 action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
 action.escu.providing_technologies = ["Microsoft Windows"]
-action.escu.analytic_story = ["Brute Ratel C4", "AsyncRAT"]
+action.escu.analytic_story = ["Brute Ratel C4", "AsyncRAT", "PlugX"]
 action.risk = 1
 action.risk.param._risk_message = A process $ProcessName$ adjust its privileges with SeDebugPrivilege on $Computer$.
 action.risk.param._risk = [{"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 36}]
@@ -40447,7 +40492,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Windows Access Token Manipulation SeDebugPrivilege - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Brute Ratel C4", "AsyncRAT"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134.002", "T1134"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Brute Ratel C4", "AsyncRAT", "PlugX"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134.002", "T1134"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -40670,10 +40715,10 @@ search = `wineventlog_security` (EventCode=4742 OR EventCode=4738) NOT SidHistor
 [ESCU - Windows AD Domain Controller Audit Policy Disabled - Rule]
 action.escu = 0
 action.escu.enabled = 1
-description = This analytic looks for audit policies being disabled on a domain controller.
+description = The following analytic detects the disabling of audit policies on a domain controller. The detection is made by identifying changes made to audit policies and checks for the removal of success or failure auditing, which are common indicators of policy tampering. The detection is important because it indicates that an attacker has gained access to the domain controller and is attempting to evade detection and cover up malicious activity. The impact of such an attack can be severe, including data theft, privilege escalation, and compromise of the entire network. False positives might occur since legitimate changes to audit policies might also trigger the analytic. Upon triage, review the audit policy change event and investigate the source of the change. Additionally, you must capture and inspect any relevant on-disk artifacts and review concurrent processes to identify the attack source."
 action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Change"]
-action.escu.eli5 = This analytic looks for audit policies being disabled on a domain controller.
+action.escu.eli5 = The following analytic detects the disabling of audit policies on a domain controller. The detection is made by identifying changes made to audit policies and checks for the removal of success or failure auditing, which are common indicators of policy tampering. The detection is important because it indicates that an attacker has gained access to the domain controller and is attempting to evade detection and cover up malicious activity. The impact of such an attack can be severe, including data theft, privilege escalation, and compromise of the entire network. False positives might occur since legitimate changes to audit policies might also trigger the analytic. Upon triage, review the audit policy change event and investigate the source of the change. Additionally, you must capture and inspect any relevant on-disk artifacts and review concurrent processes to identify the attack source."
 action.escu.how_to_implement = Ensure you are ingesting EventCode `4719` from your domain controllers, the category domain_controller exists in assets and identities, and that assets and identities is enabled. If A&I is not configured, you will need to manually filter the results within the base search.
 action.escu.known_false_positives = Unknown
 action.escu.creation_date = 2023-01-26
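Review bot: The new description and eli5 values both end with a stray unmatched double quote (`...to identify the attack source."`), which will be rendered verbatim in ES since conf values are not quoted; the same stray quote is in the rule_description hunk at `@@ -40698,7 +40743,7 @@` below. Drop the trailing `"` in all three places. The sentence "indicates that an attacker has gained access to the domain controller" is also stronger than the known_false_positives line in the same hunk supports; `may indicate that an attacker has gained access` matches the hedged wording used for false positives. The claim that the detection "checks for the removal of success or failure auditing" is not something how_to_implement (only EventCode `4719`) lets a reader verify, so it would be worth confirming against the search, which is outside this hunk.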
@@ -40698,7 +40743,7 @@ action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Direct
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
-action.notable.param.rule_description = This analytic looks for audit policies being disabled on a domain controller.
+action.notable.param.rule_description = The following analytic detects the disabling of audit policies on a domain controller. The detection is made by identifying changes made to audit policies and checks for the removal of success or failure auditing, which are common indicators of policy tampering. The detection is important because it indicates that an attacker has gained access to the domain controller and is attempting to evade detection and cover up malicious activity. The impact of such an attack can be severe, including data theft, privilege escalation, and compromise of the entire network. False positives might occur since legitimate changes to audit policies might also trigger the analytic. Upon triage, review the audit policy change event and investigate the source of the change. Additionally, you must capture and inspect any relevant on-disk artifacts and review concurrent processes to identify the attack source."
 action.notable.param.rule_title = Windows AD Domain Controller Audit Policy Disabled
 action.notable.param.security_domain = endpoint
 action.notable.param.severity = high
@@ -40762,10 +40807,10 @@ search = `wineventlog_security` EventCode=4742 ServicePrincipalNames IN ("*E3514
 [ESCU - Windows AD Domain Replication ACL Addition - Rule]
 action.escu = 0
 action.escu.enabled = 1
-description = This analytic detects the addition of the permissions necessary to perform a DCSync attack. In order to replicate AD objects, the initiating user or computer must have the following permissions on the domain. - DS-Replication-Get-Changes - DS-Replication-Get-Changes-All Certain Sync operations may require the additional permission of DS-Replication-Get-Changes-In-Filtered-Set. By default, adding DCSync permissions via the Powerview Add-ObjectACL operation adds all 3. This alert identifies where this trifecta has been met, and also where just the base level requirements have been met.
+description = The following analytic detects the addition of the permissions necessary to perform a DCSync attack. In order to replicate AD objects, the initiating user or computer must have the following permissions on the domain. - DS-Replication-Get-Changes - DS-Replication-Get-Changes-All Certain Sync operations may require the additional permission of DS-Replication-Get-Changes-In-Filtered-Set. By default, adding DCSync permissions via the Powerview Add-ObjectACL operation adds all 3. This alert identifies where this trifecta has been met, and also where just the base level requirements have been met.
 action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1484"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Change"]
-action.escu.eli5 = This analytic detects the addition of the permissions necessary to perform a DCSync attack. In order to replicate AD objects, the initiating user or computer must have the following permissions on the domain. - DS-Replication-Get-Changes - DS-Replication-Get-Changes-All Certain Sync operations may require the additional permission of DS-Replication-Get-Changes-In-Filtered-Set. By default, adding DCSync permissions via the Powerview Add-ObjectACL operation adds all 3. This alert identifies where this trifecta has been met, and also where just the base level requirements have been met.
+action.escu.eli5 = The following analytic detects the addition of the permissions necessary to perform a DCSync attack. In order to replicate AD objects, the initiating user or computer must have the following permissions on the domain. - DS-Replication-Get-Changes - DS-Replication-Get-Changes-All Certain Sync operations may require the additional permission of DS-Replication-Get-Changes-In-Filtered-Set. By default, adding DCSync permissions via the Powerview Add-ObjectACL operation adds all 3. This alert identifies where this trifecta has been met, and also where just the base level requirements have been met.
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting the eventcode 5136. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled, alongside a SACL for `everybody` to `Write All Properties` applied to the domain root and all descendant objects. Once the necessary logging has been enabled, enumerate the domain policy to verify if existing accounts with access need to be whitelisted, or revoked. Assets and Identities is also leveraged to automatically translate the objectSid into username. Ensure your identities lookup is configured with the sAMAccountName and objectSid of all AD user and computer objects.
 action.escu.known_false_positives = When there is a change to nTSecurityDescriptor, Windows logs the entire ACL with the newly added components. If existing accounts are present with this permission, they will raise an alert each time the nTSecurityDescriptor is updated unless whitelisted.
 action.escu.creation_date = 2022-11-18
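Review bot: The rewritten description and eli5 still contain a bulleted list that was flattened into one conf line, so the new side reads `...permissions on the domain. - DS-Replication-Get-Changes - DS-Replication-Get-Changes-All Certain Sync operations...`, with the third sentence fused onto the second bullet; the rule_description hunk at `@@ -40790,7 +40835,7 @@` below has the same run-on. Since the hunk only touches these strings anyway, rewording the list as prose would fix it: `the initiating user or computer must hold the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All permissions on the domain. Certain sync operations may additionally require DS-Replication-Get-Changes-In-Filtered-Set.` The remaining sentences of the description can stay as they are.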
@@ -40790,7 +40835,7 @@ action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Direct
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
-action.notable.param.rule_description = This analytic detects the addition of the permissions necessary to perform a DCSync attack. In order to replicate AD objects, the initiating user or computer must have the following permissions on the domain. - DS-Replication-Get-Changes - DS-Replication-Get-Changes-All Certain Sync operations may require the additional permission of DS-Replication-Get-Changes-In-Filtered-Set. By default, adding DCSync permissions via the Powerview Add-ObjectACL operation adds all 3. This alert identifies where this trifecta has been met, and also where just the base level requirements have been met.
+action.notable.param.rule_description = The following analytic detects the addition of the permissions necessary to perform a DCSync attack. In order to replicate AD objects, the initiating user or computer must have the following permissions on the domain. - DS-Replication-Get-Changes - DS-Replication-Get-Changes-All Certain Sync operations may require the additional permission of DS-Replication-Get-Changes-In-Filtered-Set. By default, adding DCSync permissions via the Powerview Add-ObjectACL operation adds all 3. This alert identifies where this trifecta has been met, and also where just the base level requirements have been met.
 action.notable.param.rule_title = Windows AD Domain Replication ACL Addition
 action.notable.param.security_domain = endpoint
 action.notable.param.severity = high
@@ -40809,7 +40854,7 @@ search = `wineventlog_security` | rex field=AttributeValue max_match=10000 \"OA
 action.escu = 0
 action.escu.enabled = 1
 description = Aside from being used to promote genuine domain controllers, the DSRM (Directory Services Restore Mode) account can be used to persist within a Domain. A DC can be configured to allow the DSRM account to logon & be used in the same way as a local administrator account. This detection is looking for alterations to the behaviour of the account via registry.
-action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = Aside from being used to promote genuine domain controllers, the DSRM (Directory Services Restore Mode) account can be used to persist within a Domain. A DC can be configured to allow the DSRM account to logon & be used in the same way as a local administrator account. This detection is looking for alterations to the behaviour of the account via registry.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
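Review bot: The how_to_implement line on the new side of this hunk appears to be the generic process-telemetry template (process GUID, parent process, command line, `Processes` node), while the description two lines above says the detection looks for "alterations to the behaviour of the account via registry". If the search reads registry events, as the description suggests, the implementation guidance should say which registry telemetry is required and which node of the `Endpoint` data model it must be mapped to, otherwise operators will onboard the wrong data and the rule stays silent. The search itself is outside this hunk, so this is inferred from the description only; the analogous hunks for DSRM Password Reset and the SPN rules below name the specific EventCodes they need and would be the model to follow.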
@@ -40832,7 +40877,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Windows AD DSRM Account Changes - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Directory Persistence Tricks", "Windows Registry Abuse", "Windows Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Directory Persistence Tricks", "Windows Registry Abuse", "Windows Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -40855,7 +40900,7 @@ search = | tstats `security_content_summariesonly` min(_time) as _time from data
 action.escu = 0
 action.escu.enabled = 1
 description = Aside from being used to promote genuine domain controllers, the DSRM (Directory Services Restore Mode) account can be used to persist within a Domain. A DC can be configured to allow the DSRM account to logon & be used in the same way as a local administrator account. This detection is looking for any password reset attempts against that account.
-action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Change"]
 action.escu.eli5 = Aside from being used to promote genuine domain controllers, the DSRM (Directory Services Restore Mode) account can be used to persist within a Domain. A DC can be configured to allow the DSRM account to logon & be used in the same way as a local administrator account. This detection is looking for any password reset attempts against that account.
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting eventcode `4794` and have the Advanced Security Audit policy `Audit User Account Management` within `Account Management` enabled.
@@ -40878,7 +40923,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Windows AD DSRM Password Reset - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -41131,7 +41176,7 @@ search = `wineventlog_security` (EventCode=4742 OR EventCode=4738) NOT SidHistor
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies the addition of a Service Principal Name to a domain account. While this event may be part of a legitimate action part of certain administrative operations, it may also be evidence of a persistence attack. Domain accounts with Servce Principal Names are vulnerable to a technique called Kerberoasting that enables attackers to potentially obtain the cleartext password of the account by performing offline cracking. An adversary who has obtained privileged access to a domain environment may add an SPN to a privileged account to then leverage the Kerberoasting technique and attempt to obtain its clertext password.
-action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic identifies the addition of a Service Principal Name to a domain account. While this event may be part of a legitimate action part of certain administrative operations, it may also be evidence of a persistence attack. Domain accounts with Servce Principal Names are vulnerable to a technique called Kerberoasting that enables attackers to potentially obtain the cleartext password of the account by performing offline cracking. An adversary who has obtained privileged access to a domain environment may add an SPN to a privileged account to then leverage the Kerberoasting technique and attempt to obtain its clertext password.
 action.escu.how_to_implement = To successfully implement this search, you ned to be ingesting eventcode `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled. Additionally, a SACL needs to be created for AD objects in order to ingest attribute modifications.
@@ -41143,7 +41188,7 @@ action.escu.full_search_name = ESCU - Windows AD ServicePrincipalName Added To D
 action.escu.search_type = detection
 action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
 action.escu.providing_technologies = ["Microsoft Windows"]
-action.escu.analytic_story = ["https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/service_principal_name_added/windows-security.log"]
+action.escu.analytic_story = ["Sneaky Active Directory Persistence Tricks"]
 action.risk = 1
 action.risk.param._risk_message = A Servince Principal Name for $ObjectDN$ was set by $SubjectUserName$
 action.risk.param._risk = [{"risk_object_field": "SubjectUserName", "risk_object_type": "user", "risk_score": 30}, {"risk_object_field": "ObjectDN", "risk_object_type": "user", "risk_score": 30}]
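Review bot: The new side of this rule's hunk keeps several typos that a commit rewriting ESCU descriptions could have picked up: `Servce Principal Names` and `clertext password` in both description and eli5, and `you ned to be ingesting` in how_to_implement; the risk message in the following hunk (`@@ -41143,7 +41188,7 @@`) reads `A Servince Principal Name for $ObjectDN$`, which is what analysts will see in the risk index. The Short Lived Domain Account ServicePrincipalName hunk at `@@ -41177,7 +41222,7 @@` has the same `clertext` and `ned` text. Corrections are one word each: `Service Principal Names`, `cleartext password`, `you need to be ingesting`, `A Service Principal Name for $ObjectDN$ was set by $SubjectUserName$`. Replacing the dataset URL in analytic_story with the real story name is a good fix and the annotations hunk below is updated consistently.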
@@ -41154,7 +41199,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Windows AD ServicePrincipalName Added To Domain Account - Rule
-action.correlationsearch.annotations = {"analytic_story": ["https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/service_principal_name_added/windows-security.log"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -41177,7 +41222,7 @@ search = `wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=service
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies the addition of a Service Principal Name to a domain account that is quickly deleted within 5 minutes or less. While this event may be part of a legitimate action part of certain administrative operations, it may also be evidence of a persistence attack. Domain accounts with Service Principal Names are vulnerable to a technique called Kerberoasting that enables attackers to potentially obtain the cleartext password of the account by performing offline cracking. An adversary who has obtained privileged access to a domain environment may add an SPN to a privileged account to then leverage the Kerberoasting technique and attempt to obtain its clertext password. To clean things up, the adversary may delete the SPN which will trigger this detection.
-action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic identifies the addition of a Service Principal Name to a domain account that is quickly deleted within 5 minutes or less. While this event may be part of a legitimate action part of certain administrative operations, it may also be evidence of a persistence attack. Domain accounts with Service Principal Names are vulnerable to a technique called Kerberoasting that enables attackers to potentially obtain the cleartext password of the account by performing offline cracking. An adversary who has obtained privileged access to a domain environment may add an SPN to a privileged account to then leverage the Kerberoasting technique and attempt to obtain its clertext password. To clean things up, the adversary may delete the SPN which will trigger this detection.
 action.escu.how_to_implement = To successfully implement this search, you ned to be ingesting eventcode `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled. Additionally, a SACL needs to be created for AD objects in order to ingest attribute modifications.
@@ -41200,7 +41245,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Windows AD Short Lived Domain Account ServicePrincipalName - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -41411,7 +41456,7 @@ action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic is developed to identify suspicious file creation in the root drive (C:\). This tactic was observed in NjRAT as a means to ascertain whether its malware instance running on the compromised host possesses administrative privileges. The methodology involves an attempt to create a 'win.dat' file in the C:\ directory. If this file is successfully created, it serves as an indicator that the process indeed holds administrative privileges. This anomaly detection mechanism serves as a valuable pivot point for detecting NjRAT and other malware strains employing similar techniques to assess the privileges of their running malware instances, without using token privilege API calls or PowerShell commandlets.
 action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.
-action.escu.known_false_positives = administrator is capable of dropping files in root C drive.
+action.escu.known_false_positives = False positives may occur if there are legitimate accounts with the privilege to drop files in the root of the C drive. It's recommended to verify the legitimacy of such actions and the accounts involved.
 action.escu.creation_date = 2023-09-19
 action.escu.modification_date = 2023-09-19
 action.escu.confidence = high
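Review bot: The new known_false_positives text tells the operator to "verify the legitimacy of such actions" but not where to suppress the legitimate ones, even though the search in the next hunk ends with the `windows_admin_permission_discovery_filter` macro that exists for exactly that. A closing sentence such as `Known-good installers or management agents that write to the root of C: should be excluded via the windows_admin_permission_discovery_filter macro.` would make the tuning path explicit. The wording "accounts with the privilege to drop files" also reads as if only the account matters, whereas the eli5 above frames the signal as the process holding administrative rights; "processes or accounts" would match the detection's own framing.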
@@ -41441,7 +41486,7 @@ relation = greater than
 quantity = 0
 realtime_schedule = 0
 is_visible = false
-search = |tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("*.exe", "*.dll", "*.sys", "*.com", "*.vbs", "*.vbe", "*.js", "*.bat", "*.cmd", "*.pif", "*.lnk", "*.dat") by Filesystem.dest Filesystem.file_create_time Filesystem.process_id Filesystem.process_guiid Filesystem.file_name Filesystem.file_path Filesystem.user | `drop_dm_object_name(Filesystem)` | eval dropped_file_path = split(file_path, "\\") | eval dropped_file_path_split_count = mvcount(dropped_file_path) | eval root_drive = mvindex(dropped_file_path,0) | where LIKE(root_drive, "C:") AND dropped_file_path_split_count = 2 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_admin_permission_discovery_filter`
+search = |tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("*.exe", "*.dll", "*.sys", "*.com", "*.vbs", "*.vbe", "*.js", "*.bat", "*.cmd", "*.pif", "*.lnk", "*.dat") by Filesystem.dest Filesystem.file_create_time Filesystem.process_id Filesystem.process_guid Filesystem.file_name Filesystem.file_path Filesystem.user | `drop_dm_object_name(Filesystem)` | eval dropped_file_path = split(file_path, "\\") | eval dropped_file_path_split_count = mvcount(dropped_file_path) | eval root_drive = mvindex(dropped_file_path,0) | where LIKE(root_drive, "C:") AND dropped_file_path_split_count = 2 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_admin_permission_discovery_filter`
 [ESCU - Windows Administrative Shares Accessed On Multiple Hosts - Rule]
 action.escu = 0
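Review bot: The `process_guiid` → `process_guid` fix is correct and explains why the split-by clause was dropping the field, but the same search still compares the drive with `where LIKE(root_drive, "C:")`, which has no wildcard and, as far as I know, is a case-sensitive comparison in a `where` clause, so events whose file_path arrives as `c:\...` from a source that lower-cases paths would be missed while the title and description promise coverage of the root drive. If that is a concern for the data sources feeding `Endpoint.Filesystem`, `where lower(root_drive)="c:" AND dropped_file_path_split_count = 2` keeps the intent and removes the case dependency. Since this is an exact match rather than a pattern, plain equality also reads more honestly than `LIKE`.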
@@ -42210,10 +42255,10 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime [ESCU - Windows Command Shell DCRat ForkBomb Payload - Rule] action.escu = 0 action.escu.enabled = 1 -description = The following analytic identifies DCRat "forkbomb" payload feature. This technique was seen in dark crystal RAT backdoor capabilities where it will execute several cmd child process executing "notepad.exe & pause". This analytic detects the multiple cmd.exe and child process notepad.exe execution using batch script in the targeted host within 30s timeframe. this TTP can be a good pivot to check DCRat infection. +description = The following analytic identifies DCRat "forkbomb" payload feature. This technique was seen in dark crystal RAT backdoor capabilities where it will execute several cmd child process executing "notepad.exe & pause". The following analytic detects the multiple cmd.exe and child process notepad.exe execution using batch script in the targeted host within 30s timeframe. this TTP can be a good pivot to check DCRat infection. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.003", "T1059"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies DCRat "forkbomb" payload feature. This technique was seen in dark crystal RAT backdoor capabilities where it will execute several cmd child process executing "notepad.exe & pause". This analytic detects the multiple cmd.exe and child process notepad.exe execution using batch script in the targeted host within 30s timeframe. this TTP can be a good pivot to check DCRat infection. +action.escu.eli5 = The following analytic identifies DCRat "forkbomb" payload feature. This technique was seen in dark crystal RAT backdoor capabilities where it will execute several cmd child process executing "notepad.exe & pause". 
The following analytic detects the multiple cmd.exe and child process notepad.exe execution using batch script in the targeted host within 30s timeframe. this TTP can be a good pivot to check DCRat infection. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. action.escu.known_false_positives = unknown action.escu.creation_date = 2022-07-28 
@@ -42238,7 +42283,7 @@ action.correlationsearch.annotations = {"analytic_story": ["DarkCrystal RAT"], " schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies DCRat "forkbomb" payload feature. This technique was seen in dark crystal RAT backdoor capabilities where it will execute several cmd child process executing "notepad.exe & pause". This analytic detects the multiple cmd.exe and child process notepad.exe execution using batch script in the targeted host within 30s timeframe. this TTP can be a good pivot to check DCRat infection. +action.notable.param.rule_description = The following analytic identifies DCRat "forkbomb" payload feature. This technique was seen in dark crystal RAT backdoor capabilities where it will execute several cmd child process executing "notepad.exe & pause". The following analytic detects the multiple cmd.exe and child process notepad.exe execution using batch script in the targeted host within 30s timeframe. this TTP can be a good pivot to check DCRat infection. action.notable.param.rule_title = Windows Command Shell DCRat ForkBomb Payload action.notable.param.security_domain = endpoint action.notable.param.severity = high 
@@ -43969,7 +44014,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic leverages Event ID 4732 to identify the addition of a new member to the DnsAdmins group within Active Directory. . Members of the DnsAdmin group can manage the DNS service which most of the times runs on the Domain Controller. By abusing legitimate DNS management functionality, a member of the DnsAdmins group can escalate privileges by executing malicious code on a Domain Controller as SYSTEM. Security teams should monitor the modification of the DnsAdmins group and validate the changes are legitimate. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic leverages Event ID 4732 to identify the addition of a new member to the DnsAdmins group within Active Directory. . Members of the DnsAdmin group can manage the DNS service which most of the times runs on the Domain Controller. By abusing legitimate DNS management functionality, a member of the DnsAdmins group can escalate privileges by executing malicious code on a Domain Controller as SYSTEM. Security teams should monitor the modification of the DnsAdmins group and validate the changes are legitimate. action.escu.how_to_implement = To successfully implement this search, Domain Controller events need to be ingested. The Advanced Security Audit policy setting `Audit Security Group Management` within `Account Management` needs to be enabled. 
@@ -43992,7 +44037,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows DnsAdmins New Member Added - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 80, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -44011,6 +44056,52 @@ realtime_schedule = 0 is_visible = false search = `wineventlog_security` EventCode=4732 TargetUserName=DnsAdmins | stats min(_time) as firstTime max(_time) as lastTime values(SubjectUserName) values(Computer) by MemberSid, TargetUserName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_dnsadmins_new_member_added_filter` +[ESCU - Windows Domain Admin Impersonation Indicator - Rule] +action.escu = 0 +action.escu.enabled = 1 +description = The following analytic identifies potential Kerberos ticket forging attacks, specifically the Diamond Ticket attack. This is detected when a user logs into a host and the GroupMembership field in event 4627 indicates a privileged group (e.g., Domain Admins), but the user does not actually belong to that group in the directory service. The detection leverages Windows Security Event Log 4627, which logs account logon events. The analytic cross-references the GroupMembership field from the event against a pre-populated lookup of actual group memberships. Its crucial to note that the accuracy and effectiveness of this detection heavily rely on the users diligence in populating and regularly updating this lookup table. Any discrepancies between the events GroupMembership and the lookup indicate potential ticket forging. Kerberos ticket forging, especially the Diamond Ticket attack, allows attackers to impersonate any user and potentially gain unauthorized access to resources. By forging a ticket that indicates membership in a privileged group, an attacker can bypass security controls and gain elevated privileges. Detecting such discrepancies in group memberships during logon events can be a strong indicator of this attack in progress, making it crucial for security teams to monitor and investigate. 
If validated as a true positive, this indicates that an attacker has successfully forged a Kerberos ticket and may have gained unauthorized access to critical resources, potentially with elevated privileges. +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558"], "nist": ["DE.CM"]} +action.escu.data_models = [] +action.escu.eli5 = The following analytic identifies potential Kerberos ticket forging attacks, specifically the Diamond Ticket attack. This is detected when a user logs into a host and the GroupMembership field in event 4627 indicates a privileged group (e.g., Domain Admins), but the user does not actually belong to that group in the directory service. The detection leverages Windows Security Event Log 4627, which logs account logon events. The analytic cross-references the GroupMembership field from the event against a pre-populated lookup of actual group memberships. Its crucial to note that the accuracy and effectiveness of this detection heavily rely on the users diligence in populating and regularly updating this lookup table. Any discrepancies between the events GroupMembership and the lookup indicate potential ticket forging. Kerberos ticket forging, especially the Diamond Ticket attack, allows attackers to impersonate any user and potentially gain unauthorized access to resources. By forging a ticket that indicates membership in a privileged group, an attacker can bypass security controls and gain elevated privileges. Detecting such discrepancies in group memberships during logon events can be a strong indicator of this attack in progress, making it crucial for security teams to monitor and investigate. If validated as a true positive, this indicates that an attacker has successfully forged a Kerberos ticket and may have gained unauthorized access to critical resources, potentially with elevated privileges. 
+action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Authentication events across all endpoints and ingest Event Id 4627. Specifically, the Audit Group Membership subcategory within the Logon Logooff category needs to be enabled. Its crucial to note that the accuracy and effectiveness of this detection heavily rely on the users diligence in populating and regularly updating this lookup table. +action.escu.known_false_positives = False positives may trigger the detections certain scenarios like directory service delays or out of date lookups. Filter as needed. +action.escu.creation_date = 2023-10-06 +action.escu.modification_date = 2023-10-06 +action.escu.confidence = high +action.escu.full_search_name = ESCU - Windows Domain Admin Impersonation Indicator - Rule +action.escu.search_type = detection +action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] +action.escu.providing_technologies = ["Microsoft Windows"] +action.escu.analytic_story = ["Active Directory Kerberos Attacks", "Active Directory Privilege Escalation"] +action.risk = 1 +action.risk.param._risk_message = $TargetUserName$ may be impersonating a Domain Administrator through a forged Kerberos ticket. 
+action.risk.param._risk = [{"risk_object_field": "TargetUserName", "risk_object_type": "user", "risk_score": 80}] +action.risk.param._risk_score = 0 +action.risk.param.verbose = 0 +cron_schedule = 0 * * * * +dispatch.earliest_time = -70m@m +dispatch.latest_time = -10m@m +action.correlationsearch.enabled = 1 +action.correlationsearch.label = ESCU - Windows Domain Admin Impersonation Indicator - Rule +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Kerberos Attacks", "Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558"], "nist": ["DE.CM"]} +schedule_window = auto +action.notable = 1 +action.notable.param.nes_fields = user,dest +action.notable.param.rule_description = The following analytic identifies potential Kerberos ticket forging attacks, specifically the Diamond Ticket attack. This is detected when a user logs into a host and the GroupMembership field in event 4627 indicates a privileged group (e.g., Domain Admins), but the user does not actually belong to that group in the directory service. The detection leverages Windows Security Event Log 4627, which logs account logon events. The analytic cross-references the GroupMembership field from the event against a pre-populated lookup of actual group memberships. Its crucial to note that the accuracy and effectiveness of this detection heavily rely on the users diligence in populating and regularly updating this lookup table. Any discrepancies between the events GroupMembership and the lookup indicate potential ticket forging. Kerberos ticket forging, especially the Diamond Ticket attack, allows attackers to impersonate any user and potentially gain unauthorized access to resources. By forging a ticket that indicates membership in a privileged group, an attacker can bypass security controls and gain elevated privileges. 
Detecting such discrepancies in group memberships during logon events can be a strong indicator of this attack in progress, making it crucial for security teams to monitor and investigate. If validated as a true positive, this indicates that an attacker has successfully forged a Kerberos ticket and may have gained unauthorized access to critical resources, potentially with elevated privileges. +action.notable.param.rule_title = Windows Domain Admin Impersonation Indicator +action.notable.param.security_domain = endpoint +action.notable.param.severity = high +alert.digest_mode = 1 +disabled = true +enableSched = 1 +allow_skew = 100% +counttype = number of events +relation = greater than +quantity = 0 +realtime_schedule = 0 +is_visible = false +search = `wineventlog_security` EventCode=4627 LogonType=3 NOT TargetUserName IN ("*$", "SYSTEM", "DWM-*","LOCAL SERVICE","NETWORK SERVICE", "ANONYMOUS LOGON", "UMFD-*") | where match(GroupMembership, "Domain Admins") | lookup domain_admins username as TargetUserName OUTPUT username | fillnull value=NotDA username | search username = "NotDA" | stats count by _time, TargetUserName, GroupMembership, host | `windows_domain_admin_impersonation_indicator_filter` + [ESCU - Windows DotNet Binary in Non Standard Path - Rule] action.escu = 0 action.escu.enabled = 1 
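Review bot: The lookup that decides whether a logon belongs to a real Domain Admin, `| lookup domain_admins username as TargetUserName OUTPUT username`, keys on the bare account name only: CSV lookups match case-sensitively unless the lookup definition says otherwise, so a `TargetUserName` whose case differs from the lookup entry falls through to `NotDA` and raises a confidence-100 notable for every legitimate DA logon, while an account in another domain (or a local account) that happens to share a DA's sAMAccountName is silently accepted. Normalising before the lookup — `| eval TargetUserName=lower(TargetUserName) | lookup domain_admins username as TargetUserName OUTPUT username` — and stating in how_to_implement that the lookup must be populated in lower case (ideally keyed on `domain\user`) would address both. `where match(GroupMembership, "Domain Admins")` is an unanchored regex, so any group whose name merely contains that string also passes; anchor it, or match the Domain Admins RID (`-512`) if the field carries SIDs. `action.notable.param.nes_fields = user,dest` names fields the search never produces — the stats output has `TargetUserName` and `host` — so either add `| rename host as dest, TargetUserName as user` before the filter macro or change nes_fields accordingly. how_to_implement also misspells the audit category (`Logon Logooff` → `Logon/Logoff`).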
@@ -48226,10 +48317,10 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime [ESCU - Windows MOVEit Transfer Writing ASPX - Rule] action.escu = 0 action.escu.enabled = 1 -description = This analytic detects the creation of new ASPX files in the MOVEit Transfer application's "wwwroot" directory. This activity is indicative of the recent critical vulnerability found in MOVEit Transfer, where threat actors have been observed exploiting a zero-day vulnerability to install a malicious ASPX file (e.g., "human2.aspx") in the wwwroot directory. The injected file could then be used to exfiltrate sensitive data, including user credentials and file metadata. The vulnerability affects the MOVEit Transfer managed file transfer software developed by Progress, a subsidiary of US-based Progress Software Corporation. This analytic requires endpoint data reflecting process and filesystem activity. The identified process must be responsible for the creation of new ASPX or ASHX files in the specified directory. +description = The following analytic detects the creation of new ASPX files in the MOVEit Transfer application's "wwwroot" directory. This activity is indicative of the recent critical vulnerability found in MOVEit Transfer, where threat actors have been observed exploiting a zero-day vulnerability to install a malicious ASPX file (e.g., "human2.aspx") in the wwwroot directory. The injected file could then be used to exfiltrate sensitive data, including user credentials and file metadata. The vulnerability affects the MOVEit Transfer managed file transfer software developed by Progress, a subsidiary of US-based Progress Software Corporation. This analytic requires endpoint data reflecting process and filesystem activity. The identified process must be responsible for the creation of new ASPX or ASHX files in the specified directory. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic detects the creation of new ASPX files in the MOVEit Transfer application's "wwwroot" directory. This activity is indicative of the recent critical vulnerability found in MOVEit Transfer, where threat actors have been observed exploiting a zero-day vulnerability to install a malicious ASPX file (e.g., "human2.aspx") in the wwwroot directory. The injected file could then be used to exfiltrate sensitive data, including user credentials and file metadata. The vulnerability affects the MOVEit Transfer managed file transfer software developed by Progress, a subsidiary of US-based Progress Software Corporation. This analytic requires endpoint data reflecting process and filesystem activity. The identified process must be responsible for the creation of new ASPX or ASHX files in the specified directory. +action.escu.eli5 = The following analytic detects the creation of new ASPX files in the MOVEit Transfer application's "wwwroot" directory. This activity is indicative of the recent critical vulnerability found in MOVEit Transfer, where threat actors have been observed exploiting a zero-day vulnerability to install a malicious ASPX file (e.g., "human2.aspx") in the wwwroot directory. The injected file could then be used to exfiltrate sensitive data, including user credentials and file metadata. The vulnerability affects the MOVEit Transfer managed file transfer software developed by Progress, a subsidiary of US-based Progress Software Corporation. This analytic requires endpoint data reflecting process and filesystem activity. The identified process must be responsible for the creation of new ASPX or ASHX files in the specified directory. 
action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` node. action.escu.known_false_positives = The query is structured in a way that `action` (read, create) is not defined. Review the results of this query, filter, and tune as necessary. It may be necessary to generate this query specific to your endpoint product. action.escu.creation_date = 2023-06-01 
@@ -48254,7 +48345,7 @@ action.correlationsearch.annotations = {"analytic_story": ["MOVEit Transfer Crit schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic detects the creation of new ASPX files in the MOVEit Transfer application's "wwwroot" directory. This activity is indicative of the recent critical vulnerability found in MOVEit Transfer, where threat actors have been observed exploiting a zero-day vulnerability to install a malicious ASPX file (e.g., "human2.aspx") in the wwwroot directory. The injected file could then be used to exfiltrate sensitive data, including user credentials and file metadata. The vulnerability affects the MOVEit Transfer managed file transfer software developed by Progress, a subsidiary of US-based Progress Software Corporation. This analytic requires endpoint data reflecting process and filesystem activity. The identified process must be responsible for the creation of new ASPX or ASHX files in the specified directory. +action.notable.param.rule_description = The following analytic detects the creation of new ASPX files in the MOVEit Transfer application's "wwwroot" directory. This activity is indicative of the recent critical vulnerability found in MOVEit Transfer, where threat actors have been observed exploiting a zero-day vulnerability to install a malicious ASPX file (e.g., "human2.aspx") in the wwwroot directory. The injected file could then be used to exfiltrate sensitive data, including user credentials and file metadata. The vulnerability affects the MOVEit Transfer managed file transfer software developed by Progress, a subsidiary of US-based Progress Software Corporation. This analytic requires endpoint data reflecting process and filesystem activity. The identified process must be responsible for the creation of new ASPX or ASHX files in the specified directory. 
action.notable.param.rule_title = Windows MOVEit Transfer Writing ASPX action.notable.param.security_domain = endpoint action.notable.param.severity = high 
@@ -51426,6 +51517,52 @@ realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid| `drop_dm_object_name(Processes)` | join max=0 dest process_guid [| tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry where Registry.registry_value_data=* by _time span=1h Registry.dest Registry.registry_path Registry.registry_value_name Registry.process_guid Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | eval reg_data_len = len(registry_value_data) | where reg_data_len > 512] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data)| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_registry_payload_injection_filter` +[ESCU - Windows Registry SIP Provider Modification - Rule] +action.escu = 0 +action.escu.enabled = 1 +description = The following analytic detects modifications to the Windows Registry SIP Provider. It identifies this behavior by monitoring Sysmon Event ID 7, which logs registry modification events. The analytic specifically looks for changes in registry paths and values associated with Cryptography Providers and OID Encoding Types. This behavior is worth identifying as it may indicate an attempt to subvert trust controls, a technique often used by adversaries to bypass security measures and maintain persistence in an environment. 
If a true positive is found, it suggests an attacker is trying to manipulate the system's cryptographic functions, potentially leading to unauthorized access, data theft, or other damaging outcomes. Upon triage, review the registry paths and values modified, and look for concurrent processes to identify the attack source. Review the path of the SIP being added. This approach helps analysts detect potential threats earlier and mitigate the risks. +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1553.003"], "nist": ["DE.CM"]} +action.escu.data_models = ["Endpoint"] +action.escu.eli5 = The following analytic detects modifications to the Windows Registry SIP Provider. It identifies this behavior by monitoring Sysmon Event ID 7, which logs registry modification events. The analytic specifically looks for changes in registry paths and values associated with Cryptography Providers and OID Encoding Types. This behavior is worth identifying as it may indicate an attempt to subvert trust controls, a technique often used by adversaries to bypass security measures and maintain persistence in an environment. If a true positive is found, it suggests an attacker is trying to manipulate the system's cryptographic functions, potentially leading to unauthorized access, data theft, or other damaging outcomes. Upon triage, review the registry paths and values modified, and look for concurrent processes to identify the attack source. Review the path of the SIP being added. This approach helps analysts detect potential threats earlier and mitigate the risks. +action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. 
+action.escu.known_false_positives = Be aware of potential false positives - legitimate applications may cause benign activities to be flagged. +action.escu.creation_date = 2023-10-10 +action.escu.modification_date = 2023-10-10 +action.escu.confidence = high +action.escu.full_search_name = ESCU - Windows Registry SIP Provider Modification - Rule +action.escu.search_type = detection +action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] +action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] +action.escu.analytic_story = ["Subvert Trust Controls SIP and Trust Provider Hijacking"] +action.risk = 1 +action.risk.param._risk_message = Windows Registry SIP Provider Modification detected on $dest$. +action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}] +action.risk.param._risk_score = 0 +action.risk.param.verbose = 0 +cron_schedule = 0 * * * * +dispatch.earliest_time = -70m@m +dispatch.latest_time = -10m@m +action.correlationsearch.enabled = 1 +action.correlationsearch.label = ESCU - Windows Registry SIP Provider Modification - Rule +action.correlationsearch.annotations = {"analytic_story": ["Subvert Trust Controls SIP and Trust Provider Hijacking"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1553.003"], "nist": ["DE.CM"]} +schedule_window = auto +action.notable = 1 +action.notable.param.nes_fields = user,dest +action.notable.param.rule_description = The following analytic detects modifications to the Windows Registry SIP Provider. It identifies this behavior by monitoring Sysmon Event ID 7, which logs registry modification events. The analytic specifically looks for changes in registry paths and values associated with Cryptography Providers and OID Encoding Types. 
This behavior is worth identifying as it may indicate an attempt to subvert trust controls, a technique often used by adversaries to bypass security measures and maintain persistence in an environment. If a true positive is found, it suggests an attacker is trying to manipulate the system's cryptographic functions, potentially leading to unauthorized access, data theft, or other damaging outcomes. Upon triage, review the registry paths and values modified, and look for concurrent processes to identify the attack source. Review the path of the SIP being added. This approach helps analysts detect potential threats earlier and mitigate the risks. +action.notable.param.rule_title = Windows Registry SIP Provider Modification +action.notable.param.security_domain = endpoint +action.notable.param.severity = high +alert.digest_mode = 1 +disabled = true +enableSched = 1 +allow_skew = 100% +counttype = number of events +relation = greater than +quantity = 0 +realtime_schedule = 0 +is_visible = false +search = | tstats `security_content_summariesonly` count values(Registry.registry_key_name) as registry_key_name values(Registry.registry_path) as registry_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path IN ("*\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\*", "*\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType*", "*\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\Providers\\*", "*\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\\EncodingType*") Registry.registry_value_name IN ("Dll","$DLL") by Registry.dest , Registry.user Registry.registry_value_name, Registry.registry_value_data | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)`| `windows_registry_sip_provider_modification_filter` + [ESCU - Windows Regsvr32 Renamed Binary - Rule] action.escu = 0 action.escu.enabled = 1 
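Review bot: The description, eli5 and rule_description all state that the analytic works by "monitoring Sysmon Event ID 7, which logs registry modification events", but Sysmon EID 7 is the image-load event; registry value writes are EID 13 (12 for key create/delete, 14 for renames), and the search itself reads the CIM `Endpoint.Registry` datamodel rather than raw Sysmon, as how_to_implement correctly says. Suggest rewording all three to something like `It identifies this behavior through registry value-set events (for example Sysmon Event ID 13) normalised into the Endpoint.Registry datamodel.` so analysts do not go tuning the wrong Sysmon event. The filter `Registry.registry_value_name IN ("Dll","$DLL")` watches the SIP `Dll` value and the trust-provider `$DLL` value, but the paired `FuncName` / `$Function` values documented for this technique (T1553.003) can be altered independently of the DLL path and are not covered; consider adding them to the IN list or naming the gap in how_to_implement. Legitimate installers and Windows servicing also write under these keys routinely, so the generic known_false_positives text would be more useful if it named that source and pointed at `registry_value_data` (the DLL path) as the triage pivot the description already suggests.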
@@ -51867,7 +52004,7 @@ action.escu.full_search_name = ESCU - Windows Replication Through Removable Medi action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Chaos Ransomware", "NjRAT"] +action.escu.analytic_story = ["Chaos Ransomware", "NjRAT", "PlugX"] action.risk = 1 action.risk.param._risk_message = executable or script $file_path$ was dropped in root drive $root_drive$ in $dest$ action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}, {"threat_object_field": "process_id", "threat_object_type": "process"}, {"threat_object_field": "file_name", "threat_object_type": "file name"}] @@ -51878,7 +52015,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows Replication Through Removable Media - Rule -action.correlationsearch.annotations = {"analytic_story": ["Chaos Ransomware", "NjRAT"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Delivery", "Exploitation"], "mitre_attack": ["T1091"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Chaos Ransomware", "NjRAT", "PlugX"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Delivery", "Exploitation"], "mitre_attack": ["T1091"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -52591,7 +52728,7 @@ action.escu.full_search_name = ESCU - Windows Service Created with Suspicious Se action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = null -action.escu.analytic_story = ["Clop Ransomware", "Active Directory Lateral Movement", "Brute Ratel C4", "Qakbot", "Snake Malware", "Flax Typhoon"] +action.escu.analytic_story = ["Clop Ransomware", "Active Directory Lateral Movement", "Brute Ratel C4", "Qakbot", "Snake Malware", "Flax Typhoon", "PlugX"] action.risk = 1 action.risk.param._risk_message = A service $Service_File_Name$ was created from a non-standard path using $Service_Name$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}, {"risk_object_field": "Service_File_Name", "risk_object_type": "other", "risk_score": 56}, {"risk_object_field": "Service_Name", "risk_object_type": "other", "risk_score": 56}] @@ -52602,7 +52739,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows Service Created with Suspicious Service Path - Rule -action.correlationsearch.annotations = {"analytic_story": ["Clop Ransomware", "Active Directory Lateral Movement", "Brute Ratel C4", "Qakbot", "Snake Malware", "Flax Typhoon"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1569", "T1569.002"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Clop Ransomware", "Active Directory Lateral Movement", "Brute Ratel C4", "Qakbot", "Snake Malware", "Flax Typhoon", "PlugX"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1569", "T1569.002"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -52716,10 +52853,10 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime [ESCU - Windows Service Creation Using Registry Entry - Rule] action.escu = 0 action.escu.enabled = 1 -description = This analytic is to look for suspicious modification or creation of registry to have service entry. This technique is abused by adversaries or threat actor to persist, gain privileges in the machine or even lateral movement. This technique can be executed using reg.exe application or using windows API like for example the CrashOveride malware. This detection is a good indicator that a process is trying to create a service entry using registry ImagePath. +description = The following analytic detects when reg.exe modify registry keys that define Windows services and their configurations in Windows to detect potential threats earlier and mitigate the risks. This detection is made by a Splunk query that searches for specific keywords in the process name, parent process name, user, and process ID. This detection is important because it suggests that an attacker has modified the registry keys that define Windows services and their configurations, which can allow them to maintain access to the system and potentially move laterally within the network. It is a common technique used by attackers to gain persistence on a compromised system and its impact can lead to data theft, ransomware, or other damaging outcomes. False positives can occur since legitimate uses of reg.exe to modify registry keys for Windows services can also trigger this alert. Next steps include reviewing the process and user context of the reg.exe activity and identify any other concurrent processes that might be associated with the attack upon triage. 
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.011"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic is to look for suspicious modification or creation of registry to have service entry. This technique is abused by adversaries or threat actor to persist, gain privileges in the machine or even lateral movement. This technique can be executed using reg.exe application or using windows API like for example the CrashOveride malware. This detection is a good indicator that a process is trying to create a service entry using registry ImagePath. +action.escu.eli5 = The following analytic detects when reg.exe modify registry keys that define Windows services and their configurations in Windows to detect potential threats earlier and mitigate the risks. This detection is made by a Splunk query that searches for specific keywords in the process name, parent process name, user, and process ID. This detection is important because it suggests that an attacker has modified the registry keys that define Windows services and their configurations, which can allow them to maintain access to the system and potentially move laterally within the network. It is a common technique used by attackers to gain persistence on a compromised system and its impact can lead to data theft, ransomware, or other damaging outcomes. False positives can occur since legitimate uses of reg.exe to modify registry keys for Windows services can also trigger this alert. Next steps include reviewing the process and user context of the reg.exe activity and identify any other concurrent processes that might be associated with the attack upon triage. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. 
If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 action.escu.known_false_positives = Third party tools may used this technique to create services but not so common. action.escu.creation_date = 2023-04-27 @@ -52729,7 +52866,7 @@ action.escu.full_search_name = ESCU - Windows Service Creation Using Registry En action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Lateral Movement", "Suspicious Windows Registry Activities", "Windows Persistence Techniques", "Windows Registry Abuse", "Brute Ratel C4"] +action.escu.analytic_story = ["Active Directory Lateral Movement", "Suspicious Windows Registry Activities", "Windows Persistence Techniques", "Windows Registry Abuse", "Brute Ratel C4", "PlugX"] action.risk = 1 action.risk.param._risk_message = A Windows Service was created on a endpoint from $dest$ using a registry entry action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}] 
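Review bot: The rewritten `+description` line says the detection is "made by a Splunk query that searches for specific keywords in the process name, parent process name, user, and process ID", but the unchanged `action.escu.how_to_implement` line in this same hunk requires registry value name, path and data, and the mapping on the `action.escu.mappings` line is T1574.011 (service registry permissions), so the new text no longer describes registry-based logic; the stanza's `search` is outside this hunk, so confirm against it. The old text's point that the ImagePath value can be written by reg.exe or directly through the Windows API was dropped, which matters for triage because an analyst reading "detects when reg.exe modify registry keys" may discard hits that have no reg.exe process behind them. Suggest opening with `The following analytic detects the creation or modification of a service ImagePath registry value, whether written by reg.exe or directly via Windows API, a technique adversaries use for persistence, privilege escalation and lateral movement.` and making `action.escu.eli5` say the same; at minimum `reg.exe modify` should read `reg.exe modifies`.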
@@ -52740,11 +52877,11 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows Service Creation Using Registry Entry - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "Suspicious Windows Registry Activities", "Windows Persistence Techniques", "Windows Registry Abuse", "Brute Ratel C4"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.011"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "Suspicious Windows Registry Activities", "Windows Persistence Techniques", "Windows Registry Abuse", "Brute Ratel C4", "PlugX"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.011"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic is to look for suspicious modification or creation of registry to have service entry. This technique is abused by adversaries or threat actor to persist, gain privileges in the machine or even lateral movement. This technique can be executed using reg.exe application or using windows API like for example the CrashOveride malware. This detection is a good indicator that a process is trying to create a service entry using registry ImagePath. +action.notable.param.rule_description = The following analytic detects when reg.exe modify registry keys that define Windows services and their configurations in Windows to detect potential threats earlier and mitigate the risks. This detection is made by a Splunk query that searches for specific keywords in the process name, parent process name, user, and process ID. 
This detection is important because it suggests that an attacker has modified the registry keys that define Windows services and their configurations, which can allow them to maintain access to the system and potentially move laterally within the network. It is a common technique used by attackers to gain persistence on a compromised system and its impact can lead to data theft, ransomware, or other damaging outcomes. False positives can occur since legitimate uses of reg.exe to modify registry keys for Windows services can also trigger this alert. Next steps include reviewing the process and user context of the reg.exe activity and identify any other concurrent processes that might be associated with the attack upon triage. action.notable.param.rule_title = Windows Service Creation Using Registry Entry action.notable.param.security_domain = endpoint action.notable.param.severity = high @@ -52775,7 +52912,7 @@ action.escu.full_search_name = ESCU - Windows Service Deletion In Registry - Rul action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Brute Ratel C4"] +action.escu.analytic_story = ["Brute Ratel C4", "PlugX"] action.risk = 1 action.risk.param._risk_message = A service was deleted on $dest$ within the Windows registry. action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 18}] 
@@ -52786,7 +52923,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Windows Service Deletion In Registry - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Brute Ratel C4"], "cis20": ["CIS 10"], "confidence": 30, "impact": 60, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1489"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Brute Ratel C4", "PlugX"], "cis20": ["CIS 10"], "confidence": 30, "impact": 60, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1489"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -52971,6 +53108,81 @@ realtime_schedule = 0 is_visible = false search = `wineventlog_system` EventCode=7040 (service_name IN ("Update Orchestrator Service for Windows Update", "WaaSMedicSvc", "Windows Update") OR param1 IN ("UsoSvc", "WaaSMedicSvc", "wuauserv")) AND (param3=disabled OR start_mode = disabled) | stats count min(_time) as firstTime max(_time) as lastTime by Computer Error_Code service_name start_mode param1 param2 param3 param4 | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_stop_win_updates_filter` +[ESCU - Windows SIP Provider Inventory - Rule] +action.escu = 0 +action.escu.enabled = 1 +description = The following inventory analytic is used with a PowerShell scripted inputs to capture all SIP providers on a Windows system. This analytic is used to identify potential malicious SIP providers that may be used to subvert trust controls. Upon review, look for new and non-standard paths for SIP providers. +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1553.003"], "nist": ["DE.AE"]} +action.escu.data_models = [] +action.escu.eli5 = The following inventory analytic is used with a PowerShell scripted inputs to capture all SIP providers on a Windows system. This analytic is used to identify potential malicious SIP providers that may be used to subvert trust controls. Upon review, look for new and non-standard paths for SIP providers. +action.escu.how_to_implement = To implement this analytic, one must first perform inventory using a scripted inputs. Review the following Gist - https://gist.github.com/MHaggis/75dd5db546c143ea67703d0e86cdbbd1 +action.escu.known_false_positives = False positives are limited as this is a hunting query for inventory. 
+action.escu.creation_date = 2023-10-10 +action.escu.modification_date = 2023-10-10 +action.escu.confidence = high +action.escu.full_search_name = ESCU - Windows SIP Provider Inventory - Rule +action.escu.search_type = detection +action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] +action.escu.providing_technologies = null +action.escu.analytic_story = ["Subvert Trust Controls SIP and Trust Provider Hijacking"] +cron_schedule = 0 * * * * +dispatch.earliest_time = -70m@m +dispatch.latest_time = -10m@m +action.correlationsearch.enabled = 1 +action.correlationsearch.label = ESCU - Windows SIP Provider Inventory - Rule +action.correlationsearch.annotations = {"analytic_story": ["Subvert Trust Controls SIP and Trust Provider Hijacking"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1553.003"], "nist": ["DE.AE"]} +schedule_window = auto +alert.digest_mode = 1 +disabled = true +enableSched = 1 +allow_skew = 100% +counttype = number of events +relation = greater than +quantity = 0 +realtime_schedule = 0 +is_visible = false +search = `subjectinterfacepackage` Dll=*\\*.dll | stats count min(_time) as firstTime max(_time) as lastTime values(Dll) by Path host| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_sip_provider_inventory_filter` + +[ESCU - Windows SIP WinVerifyTrust Failed Trust Validation - Rule] +action.escu = 0 +action.escu.enabled = 1 +description = The following analytic utilizes a Windows Event Log - CAPI2 - or CryptoAPI 2, to identify failed trust validation. Typically, this event log is meant for diagnosing PKI issues, however is a great source to identify failed trust validation. Note that this event log is noisy as it captures common PKI requests from many different processes. EventID 81 is generated anytime a trust validation fails. The description for EventID 81 is "The digital signature of the object did not verify." 
STRT tested this analytic using Mimikatz binary. +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1553.003"], "nist": ["DE.AE"]} +action.escu.data_models = [] +action.escu.eli5 = The following analytic utilizes a Windows Event Log - CAPI2 - or CryptoAPI 2, to identify failed trust validation. Typically, this event log is meant for diagnosing PKI issues, however is a great source to identify failed trust validation. Note that this event log is noisy as it captures common PKI requests from many different processes. EventID 81 is generated anytime a trust validation fails. The description for EventID 81 is "The digital signature of the object did not verify." STRT tested this analytic using Mimikatz binary. +action.escu.how_to_implement = To implement this analytic, one will need to enable the Microsoft-Windows-CAPI2/Operational log within the Windows Event Log. Note this is a debug log for many purposes, and the analytic only focuses in on EventID 81. Review the following gist for additional enabling information. +action.escu.known_false_positives = False positives may be present in some instances of legitimate binaries with invalid signatures. Filter as needed. +action.escu.creation_date = 2023-10-10 +action.escu.modification_date = 2023-10-10 +action.escu.confidence = high +action.escu.full_search_name = ESCU - Windows SIP WinVerifyTrust Failed Trust Validation - Rule +action.escu.search_type = detection +action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] +action.escu.providing_technologies = null +action.escu.analytic_story = ["Subvert Trust Controls SIP and Trust Provider Hijacking"] +action.risk = 1 +action.risk.param._risk_message = Failed trust validation via the CryptoAPI 2 on $dest$ for a binary. 
+action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}] +action.risk.param._risk_score = 0 +action.risk.param.verbose = 0 +cron_schedule = 0 * * * * +dispatch.earliest_time = -70m@m +dispatch.latest_time = -10m@m +action.correlationsearch.enabled = 1 +action.correlationsearch.label = ESCU - Windows SIP WinVerifyTrust Failed Trust Validation - Rule +action.correlationsearch.annotations = {"analytic_story": ["Subvert Trust Controls SIP and Trust Provider Hijacking"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1553.003"], "nist": ["DE.AE"]} +schedule_window = auto +alert.digest_mode = 1 +disabled = true +enableSched = 1 +allow_skew = 100% +counttype = number of events +relation = greater than +quantity = 0 +realtime_schedule = 0 +is_visible = false +search = `capi2_operational` EventID=81 "The digital signature of the object did not verify." | xmlkv UserData_Xml | stats count min(_time) as firstTime max(_time) as lastTime by Computer, UserData_Xml | rename Computer as dest | `windows_sip_winverifytrust_failed_trust_validation_filter` + [ESCU - Windows Snake Malware File Modification Crmlog - Rule] action.escu = 0 action.escu.enabled = 1 
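Review bot: `action.escu.how_to_implement` of the new "Windows SIP WinVerifyTrust Failed Trust Validation" stanza ends with "Review the following gist for additional enabling information." but no link follows, whereas the "Windows SIP Provider Inventory" stanza above it does cite its gist URL; an engineer who has to enable Microsoft-Windows-CAPI2/Operational has nothing to follow, so either add the URL or drop that sentence. The WinVerifyTrust `search` runs `xmlkv UserData_Xml` and then groups `by Computer, UserData_Xml`, so the raw XML blob rather than the extracted fields drives the stats, and `action.risk.param._risk_message` only says "for a binary" with no object path; if `xmlkv` yields a field naming the validated object (presumably a file path in the CAPI2 event — confirm), grouping by that field and adding it to the risk message would make the notable actionable and reduce the noise the description itself warns about. Minor wording in the inventory stanza: "used with a PowerShell scripted inputs" should read `used with a PowerShell scripted input`.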
@@ -53574,6 +53786,52 @@ realtime_schedule = 0 is_visible = false search = `wineventlog_security` EventCode=4876| stats count min(_time) as firstTime max(_time) as lastTime by dest, name, action, Caller_Domain ,Caller_User_Name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_steal_authentication_certificates_cs_backup_filter` +[ESCU - Windows Steal Authentication Certificates - ESC1 Abuse - Rule] +action.escu = 0 +action.escu.enabled = 1 +description = The following analytic identifies when a new certificate is requested and/or granted against the Active Directory Certificate Services (AD CS) using a Subject Alternative Name (SAN). This action by its self is not malicious, however improperly configured certificate templates can be abused to permit privilege escalation and environment compromise due to over permissive settings (AD CS ESC1) +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1649"], "nist": ["DE.CM"]} +action.escu.data_models = [] +action.escu.eli5 = The following analytic identifies when a new certificate is requested and/or granted against the Active Directory Certificate Services (AD CS) using a Subject Alternative Name (SAN). This action by its self is not malicious, however improperly configured certificate templates can be abused to permit privilege escalation and environment compromise due to over permissive settings (AD CS ESC1) +action.escu.how_to_implement = To implement this analytic, enhanced Audit Logging must be enabled on AD CS and within Group Policy Management for CS server. See Page 115 of first reference. Recommend throttle correlation by RequestId/ssl_serial at minimum. +action.escu.known_false_positives = False positives may be generated in environments where administrative users or processes are allowed to generate certificates with Subject Alternative Names. 
Sources or templates used in these processes may need to be tuned out for accurate function. +action.escu.creation_date = 2023-05-25 +action.escu.modification_date = 2023-05-25 +action.escu.confidence = high +action.escu.full_search_name = ESCU - Windows Steal Authentication Certificates - ESC1 Abuse - Rule +action.escu.search_type = detection +action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] +action.escu.providing_technologies = ["Microsoft Windows"] +action.escu.analytic_story = ["Windows Certificate Services"] +action.risk = 1 +action.risk.param._risk_message = Possible AD CS ESC1 activity by $src_user$ - $flavor_text$ +action.risk.param._risk = [{"risk_object_field": "src", "risk_object_type": "system", "risk_score": 60}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 60}, {"risk_object_field": "src_user", "risk_object_type": "user", "risk_score": 60}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 60}, {"threat_object_field": "ssl_hash", "threat_object_type": "other"}, {"threat_object_field": "ssl_serial", "threat_object_type": "other"}] +action.risk.param._risk_score = 0 +action.risk.param.verbose = 0 +cron_schedule = 0 * * * * +dispatch.earliest_time = -70m@m +dispatch.latest_time = -10m@m +action.correlationsearch.enabled = 1 +action.correlationsearch.label = ESCU - Windows Steal Authentication Certificates - ESC1 Abuse - Rule +action.correlationsearch.annotations = {"analytic_story": ["Windows Certificate Services"], "cis20": ["CIS 10"], "confidence": 60, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1649"], "nist": ["DE.CM"]} +schedule_window = auto +action.notable = 1 +action.notable.param.nes_fields = user,dest +action.notable.param.rule_description = The following analytic identifies when a new certificate is requested and/or granted against the Active Directory Certificate Services (AD CS) using a Subject Alternative Name (SAN). 
This action by its self is not malicious, however improperly configured certificate templates can be abused to permit privilege escalation and environment compromise due to over permissive settings (AD CS ESC1) +action.notable.param.rule_title = Windows Steal Authentication Certificates - ESC1 Abuse +action.notable.param.security_domain = endpoint +action.notable.param.severity = high +alert.digest_mode = 1 +disabled = true +enableSched = 1 +allow_skew = 100% +counttype = number of events +relation = greater than +quantity = 0 +realtime_schedule = 0 +is_visible = false +search = `wineventlog_security` EventCode IN (4886,4887) Attributes="*SAN:*upn*" Attributes="*CertificateTemplate:*" | stats count min(_time) as firstTime max(_time) as lastTime values(name) as name values(status) as status values(Subject) as ssl_subject values(SubjectKeyIdentifier) as ssl_hash by Computer, EventCode, Requester, Attributes, RequestId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rex field=Attributes "(?i)CertificateTemplate:(?[^\r\n]+)" | rex field=Attributes "(?i)ccm:(?[^\r\n]+)" | rex max_match=10 field=Attributes "(?i)(upn=(?[^\r\n&]+))" | rex max_match=10 field=Attributes "(?i)(dns=(?[^\r\n&]+))" | rex field=Requester "(.+\\\\)?(?[^\r\n]+)" | eval flavor_text = case(EventCode=="4886","A suspicious certificate was requested using request ID: ".'RequestId',EventCode=="4887", "A suspicious certificate was issued using request ID: ".'RequestId'.". 
To revoke this certifacte use this request ID or the SSL fingerprint [".'ssl_hash'."]"), dest = upper(coalesce(req_dest_1,req_dest_2)), src = upper(coalesce(req_src,Computer)) | fields - req_* | rename Attributes as object_attrs, EventCode as signature_id, name as signature, RequestId as ssl_serial, Requester as ssl_subject_common_name| `windows_steal_authentication_certificates___esc1_abuse_filter` + [ESCU - Windows Steal Authentication Certificates Export Certificate - Rule] action.escu = 0 action.escu.enabled = 1 
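Review bot: The `search` line only admits events with `Attributes="*SAN:*upn*"`, yet it then extracts `dns=` SAN values (`rex max_match=10 field=Attributes "(?i)(dns=...)"`) and folds them into `dest = upper(coalesce(req_dest_1,req_dest_2))`, so a request whose SAN carries only a DNS name is filtered out before that extraction ever runs; if DNS-based ESC1 requests are meant to be covered, widen the filter to `(Attributes="*SAN:*upn*" OR Attributes="*SAN:*dns*")`, otherwise the dns extraction is dead code and should go. As rendered here every `rex` group appears as `(?[^\r\n]+)` with no group name, which would leave `req_dest_1`, `req_dest_2` and `req_src` undefined and break the `coalesce`; most likely the `<name>` tokens were stripped on display, but it is worth confirming in the committed file. Two analyst-facing text fixes in the same hunk: `certifacte` in the `flavor_text` string should be `certificate`, and "by its self" in `description`, `eli5` and `rule_description` should be `by itself`; the `how_to_implement` pointer "See Page 115 of first reference" names no reference in this file, so spell out which document is meant.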
@@ -55459,10 +55717,10 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime [ESCU - WMI Permanent Event Subscription - Rule] action.escu = 0 action.escu.enabled = 1 -description = The following analytic seeks to detect the creation of Windows Management Instrumentation (WMI) permanent event subscriptions, a technique often used by adversaries for persistence. Such a subscription allows for the execution of specified scripts or binaries in response to defined system events, potentially enabling malicious activities to persist unnoticed. The analytic uses Sysmon Event ID 5 data, specifically focusing on instances where consumers of these events are not the expected "NTEventLogEventConsumer." Although WMI event subscriptions can be used legitimately by administrators, unusual or unexpected subscription creation should be treated as suspicious. Analysts need to be cognizant of the potential for false positives in legitimate administrative activities and should understand WMI activity within the context of the monitored environment. +description = The following analytic detects the creation of permanent event subscriptions using Windows Management Instrumentation (WMI), which is used by attackers to achieve persistence in a compromised system. By creating a permanent event subscription, an attacker can run malicious scripts or binaries in response to specific system events that enables them to maintain access to the system undetected. The detection is made by using Sysmon Event ID 5 data to detect instances where the consumers of these events are not the expected "NTEventLogEventConsumer." The detection is important because it identifies unusual or unexpected subscription creation, which suggests that an attacker is attempting to achieve persistence within the environment and might be executing malicious scripts or binaries in response to specific system events. 
The impact of such an attack can be severe, potentially leading to data theft, ransomware, or other damaging outcomes. False positives might occur since False positives might occur since WMI event subscriptions can be used for legitimate purposes by system administrators. You must have a thorough understanding of WMI activity within the context of the monitored environment to effectively differentiate between legitimate and malicious activity.Next steps include investigating the associated scripts or binaries and identifying the source of the attack. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]} action.escu.data_models = [] -action.escu.eli5 = The following analytic seeks to detect the creation of Windows Management Instrumentation (WMI) permanent event subscriptions, a technique often used by adversaries for persistence. Such a subscription allows for the execution of specified scripts or binaries in response to defined system events, potentially enabling malicious activities to persist unnoticed. The analytic uses Sysmon Event ID 5 data, specifically focusing on instances where consumers of these events are not the expected "NTEventLogEventConsumer." Although WMI event subscriptions can be used legitimately by administrators, unusual or unexpected subscription creation should be treated as suspicious. Analysts need to be cognizant of the potential for false positives in legitimate administrative activities and should understand WMI activity within the context of the monitored environment. +action.escu.eli5 = The following analytic detects the creation of permanent event subscriptions using Windows Management Instrumentation (WMI), which is used by attackers to achieve persistence in a compromised system. 
By creating a permanent event subscription, an attacker can run malicious scripts or binaries in response to specific system events that enables them to maintain access to the system undetected. The detection is made by using Sysmon Event ID 5 data to detect instances where the consumers of these events are not the expected "NTEventLogEventConsumer." The detection is important because it identifies unusual or unexpected subscription creation, which suggests that an attacker is attempting to achieve persistence within the environment and might be executing malicious scripts or binaries in response to specific system events. The impact of such an attack can be severe, potentially leading to data theft, ransomware, or other damaging outcomes. False positives might occur since False positives might occur since WMI event subscriptions can be used for legitimate purposes by system administrators. You must have a thorough understanding of WMI activity within the context of the monitored environment to effectively differentiate between legitimate and malicious activity.Next steps include investigating the associated scripts or binaries and identifying the source of the attack. action.escu.how_to_implement = To successfully implement this search, you must be ingesting the Windows WMI activity logs. This can be done by adding a stanza to inputs.conf on the system generating logs with a title of [WinEventLog://Microsoft-Windows-WMI-Activity/Operational]. action.escu.known_false_positives = Although unlikely, administrators may use event subscriptions for legitimate purposes. action.escu.creation_date = 2018-10-23 
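Review bot: The new `description` and `eli5` text repeats itself — "False positives might occur since False positives might occur since WMI event subscriptions…" — and runs "activity.Next steps" together without a space; both are analyst-facing strings and should read `False positives might occur since WMI event subscriptions can be used for legitimate purposes by system administrators.` and `…malicious activity. Next steps…`. The rewrite also carries over the claim that the detection "is made by using Sysmon Event ID 5 data", while the unchanged `action.escu.how_to_implement` line in this hunk says to ingest `Microsoft-Windows-WMI-Activity/Operational`; Sysmon EID 5 is a process-termination event rather than a WMI one, so the description very likely inherited the wrong source from the old text — verify against the stanza's `search` (outside this hunk) and cite the EventCode it actually matches.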
@@ -55487,7 +55745,7 @@ action.correlationsearch.annotations = {"analytic_story": ["Suspicious WMI Use"] schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic seeks to detect the creation of Windows Management Instrumentation (WMI) permanent event subscriptions, a technique often used by adversaries for persistence. Such a subscription allows for the execution of specified scripts or binaries in response to defined system events, potentially enabling malicious activities to persist unnoticed. The analytic uses Sysmon Event ID 5 data, specifically focusing on instances where consumers of these events are not the expected "NTEventLogEventConsumer." Although WMI event subscriptions can be used legitimately by administrators, unusual or unexpected subscription creation should be treated as suspicious. Analysts need to be cognizant of the potential for false positives in legitimate administrative activities and should understand WMI activity within the context of the monitored environment. +action.notable.param.rule_description = The following analytic detects the creation of permanent event subscriptions using Windows Management Instrumentation (WMI), which is used by attackers to achieve persistence in a compromised system. By creating a permanent event subscription, an attacker can run malicious scripts or binaries in response to specific system events that enables them to maintain access to the system undetected. The detection is made by using Sysmon Event ID 5 data to detect instances where the consumers of these events are not the expected "NTEventLogEventConsumer." The detection is important because it identifies unusual or unexpected subscription creation, which suggests that an attacker is attempting to achieve persistence within the environment and might be executing malicious scripts or binaries in response to specific system events. 
The impact of such an attack can be severe, potentially leading to data theft, ransomware, or other damaging outcomes. False positives might occur since False positives might occur since WMI event subscriptions can be used for legitimate purposes by system administrators. You must have a thorough understanding of WMI activity within the context of the monitored environment to effectively differentiate between legitimate and malicious activity.Next steps include investigating the associated scripts or binaries and identifying the source of the attack. action.notable.param.rule_title = WMI Permanent Event Subscription action.notable.param.security_domain = endpoint action.notable.param.severity = high 
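Review bot: `action.notable.param.rule_description` on the `+` line carries the same duplicated phrase "False positives might occur since False positives might occur since" and the missing space in "activity.Next steps"; this is the text rendered in the ES notable itself, so it needs the same correction as `description`, i.e. `False positives might occur since WMI event subscriptions can be used for legitimate purposes by system administrators.` and `…malicious activity. Next steps…`. It also restates "Sysmon Event ID 5 data" as the source, which should be reconciled with the `Microsoft-Windows-WMI-Activity/Operational` input named in this stanza's `how_to_implement`.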
@@ -55606,10 +55864,10 @@ search = `powershell` EventCode=4104 ScriptBlockText= "*SELECT*" AND (ScriptBloc
 [ESCU - WMI Temporary Event Subscription - Rule]
 action.escu = 0
 action.escu.enabled = 1
-description = This search looks for the creation of WMI temporary event subscriptions.
+description = The following analytic detects the creation of WMI temporary event subscriptions. WMI (Windows Management Instrumentation) is a management technology that allows administrators to perform various tasks on Windows-based systems. Temporary event subscriptions are created to monitor specific events or changes on a system that help to detect potential threats early and take proactive measures to protect the organization's systems and data. The detection is made by using the Splunk query `wmi` EventCode=5860 Temporary to search for events with EventCode 5860, which indicates the creation of a temporary WMI event subscription. To further refine the search results, the query uses regular expressions (rex) to extract the query used in the event subscription. Then, it filters known benign queries related to system processes such as 'wsmprovhost.exe' and 'AntiVirusProduct', 'FirewallProduct', 'AntiSpywareProduct', which helps to focus on potentially malicious or suspicious queries. The detection is important because it indicates malicious activity since attackers use WMI to run commands, gather information, or maintain persistence within a compromised system. False positives might occur since legitimate uses of WMI event subscriptions in the environment might trigger benign activities to be flagged. Therefore, an extensive triage is necessary to review the specific query and assess its intent. Additionally, capturing and inspecting relevant on-disk artifacts and analyzing concurrent processes can help to identify the source of the attack. Detecting the creation of these event subscriptions to identify potential threats early and take appropriate actions to mitigate the risks.
 action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]}
 action.escu.data_models = []
-action.escu.eli5 = This search looks for the creation of WMI temporary event subscriptions.
+action.escu.eli5 = The following analytic detects the creation of WMI temporary event subscriptions. WMI (Windows Management Instrumentation) is a management technology that allows administrators to perform various tasks on Windows-based systems. Temporary event subscriptions are created to monitor specific events or changes on a system that help to detect potential threats early and take proactive measures to protect the organization's systems and data. The detection is made by using the Splunk query `wmi` EventCode=5860 Temporary to search for events with EventCode 5860, which indicates the creation of a temporary WMI event subscription. To further refine the search results, the query uses regular expressions (rex) to extract the query used in the event subscription. Then, it filters known benign queries related to system processes such as 'wsmprovhost.exe' and 'AntiVirusProduct', 'FirewallProduct', 'AntiSpywareProduct', which helps to focus on potentially malicious or suspicious queries. The detection is important because it indicates malicious activity since attackers use WMI to run commands, gather information, or maintain persistence within a compromised system. False positives might occur since legitimate uses of WMI event subscriptions in the environment might trigger benign activities to be flagged. Therefore, an extensive triage is necessary to review the specific query and assess its intent. Additionally, capturing and inspecting relevant on-disk artifacts and analyzing concurrent processes can help to identify the source of the attack. Detecting the creation of these event subscriptions to identify potential threats early and take appropriate actions to mitigate the risks.
 action.escu.how_to_implement = To successfully implement this search, you must be ingesting the Windows WMI activity logs. This can be done by adding a stanza to inputs.conf on the system generating logs with a title of [WinEventLog://Microsoft-Windows-WMI-Activity/Operational].
 action.escu.known_false_positives = Some software may create WMI temporary event subscriptions for various purposes. The included search contains an exception for two of these that occur by default on Windows 10 systems. You may need to modify the search to create exceptions for other legitimate events.
 action.escu.creation_date = 2018-10-23
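Review bot: The new description closes with a sentence fragment, `Detecting the creation of these event subscriptions to identify potential threats early and take appropriate actions to mitigate the risks.`, which has no main verb; `Detecting the creation of these event subscriptions helps to identify potential threats early and take appropriate actions to mitigate the risks.` reads correctly. The same fragment ends the eli5 line in this hunk and the rule_description in the next hunk (@@ -55634). The description also lists four filtered patterns ('wsmprovhost.exe', 'AntiVirusProduct', 'FirewallProduct', 'AntiSpywareProduct') while the unchanged known_false_positives line still says the search excepts two defaults; one of the two should be aligned with the actual search, which is outside this hunk.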
@@ -55634,7 +55892,7 @@ action.correlationsearch.annotations = {"analytic_story": ["Suspicious WMI Use"]
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
-action.notable.param.rule_description = This search looks for the creation of WMI temporary event subscriptions.
+action.notable.param.rule_description = The following analytic detects the creation of WMI temporary event subscriptions. WMI (Windows Management Instrumentation) is a management technology that allows administrators to perform various tasks on Windows-based systems. Temporary event subscriptions are created to monitor specific events or changes on a system that help to detect potential threats early and take proactive measures to protect the organization's systems and data. The detection is made by using the Splunk query `wmi` EventCode=5860 Temporary to search for events with EventCode 5860, which indicates the creation of a temporary WMI event subscription. To further refine the search results, the query uses regular expressions (rex) to extract the query used in the event subscription. Then, it filters known benign queries related to system processes such as 'wsmprovhost.exe' and 'AntiVirusProduct', 'FirewallProduct', 'AntiSpywareProduct', which helps to focus on potentially malicious or suspicious queries. The detection is important because it indicates malicious activity since attackers use WMI to run commands, gather information, or maintain persistence within a compromised system. False positives might occur since legitimate uses of WMI event subscriptions in the environment might trigger benign activities to be flagged. Therefore, an extensive triage is necessary to review the specific query and assess its intent. Additionally, capturing and inspecting relevant on-disk artifacts and analyzing concurrent processes can help to identify the source of the attack. Detecting the creation of these event subscriptions to identify potential threats early and take appropriate actions to mitigate the risks.
 action.notable.param.rule_title = WMI Temporary Event Subscription
 action.notable.param.security_domain = endpoint
 action.notable.param.severity = high
@@ -56740,10 +56998,10 @@ search = | tstats `security_content_summariesonly` count from datamodel=Network_
 [ESCU - Detect Windows DNS SIGRed via Splunk Stream - Rule]
 action.escu = 0
 action.escu.enabled = 1
-description = The following analytic is an experimental search designed to identify SIGRed exploitation attempts. SIGRed is a severe, wormable, remote code execution vulnerability in Windows DNS servers, identified as CVE-2020-1350. This analytic specifically looks for DNS SIG and KEY records, and TCP payloads larger than 65KB - potential indicators of the SIGRed exploit. It requires ingestion of both Splunk Stream DNS and TCP data. The search does rely on macro definitions for 'stream:dns' and 'stream:tcp', which should be replaced with appropriate configurations tailored to your Splunk environment.
+description = Ensure that the following prerequisites are met: (i) Both Splunk Stream DNS and TCP data are ingested. (ii) The macros 'stream:dns' and 'stream:tcp' are replaced with the appropriate configurations that are specific to your Splunk environment. The following analytic detects SIGRed exploitation attempts. SIGRed is a critical wormable vulnerability found in Windows DNS servers, known as CVE-2020-1350, which allows remote code execution. The detection is made by using an experimental search that focuses on identifying specific indicators that might suggest the presence of the SIGRed exploit such as DNS SIG records, KEY records, and TCP payloads greater than 65KB. This detection is important because it detects and responds to potential SIGRed exploitation attempts and minimizes the risk of a successful attack and its impact on the organization's infrastructure and data. False positives might occur due to the experimental nature of this analytic. Next steps include reviewing and investigating each case thoroughly given the potential for unauthorized Windows DNS server access, data breaches, and service disruptions. Additionally, you must stay updated with Microsoft's guidance on the SIGRed vulnerability.
 action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1203"], "nist": ["DE.CM"]}
 action.escu.data_models = []
-action.escu.eli5 = The following analytic is an experimental search designed to identify SIGRed exploitation attempts. SIGRed is a severe, wormable, remote code execution vulnerability in Windows DNS servers, identified as CVE-2020-1350. This analytic specifically looks for DNS SIG and KEY records, and TCP payloads larger than 65KB - potential indicators of the SIGRed exploit. It requires ingestion of both Splunk Stream DNS and TCP data. The search does rely on macro definitions for 'stream:dns' and 'stream:tcp', which should be replaced with appropriate configurations tailored to your Splunk environment.
+action.escu.eli5 = Ensure that the following prerequisites are met: (i) Both Splunk Stream DNS and TCP data are ingested. (ii) The macros 'stream:dns' and 'stream:tcp' are replaced with the appropriate configurations that are specific to your Splunk environment. The following analytic detects SIGRed exploitation attempts. SIGRed is a critical wormable vulnerability found in Windows DNS servers, known as CVE-2020-1350, which allows remote code execution. The detection is made by using an experimental search that focuses on identifying specific indicators that might suggest the presence of the SIGRed exploit such as DNS SIG records, KEY records, and TCP payloads greater than 65KB. This detection is important because it detects and responds to potential SIGRed exploitation attempts and minimizes the risk of a successful attack and its impact on the organization's infrastructure and data. False positives might occur due to the experimental nature of this analytic. Next steps include reviewing and investigating each case thoroughly given the potential for unauthorized Windows DNS server access, data breaches, and service disruptions. Additionally, you must stay updated with Microsoft's guidance on the SIGRed vulnerability.
 action.escu.how_to_implement = You must be ingesting Splunk Stream DNS and Splunk Stream TCP. We are detecting SIG and KEY records via stream:dns and TCP payload over 65KB in size via stream:tcp. Replace the macro definitions ('stream:dns' and 'stream:tcp') with configurations for your Splunk environment.
 action.escu.known_false_positives = unknown
 action.escu.creation_date = 2020-07-28
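Review bot: The new description opens with two prerequisites, `Ensure that the following prerequisites are met: (i) ... (ii) ...`, before saying what the analytic detects; those sentences duplicate the unchanged action.escu.how_to_implement line in this hunk and break from the `The following analytic detects ...` opening used by every other rewritten description in this commit. Moving the prerequisite sentences to the end of the description, or dropping them in favour of how_to_implement, keeps the summary readable where it is displayed. The description also now states `False positives might occur due to the experimental nature of this analytic.` while known_false_positives still reads `unknown`; that field should be updated to match. The rule_description hunk at @@ -56768 carries the same text.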
@@ -56768,7 +57026,7 @@ action.correlationsearch.annotations = {"analytic_story": ["Windows DNS SIGRed C
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
-action.notable.param.rule_description = The following analytic is an experimental search designed to identify SIGRed exploitation attempts. SIGRed is a severe, wormable, remote code execution vulnerability in Windows DNS servers, identified as CVE-2020-1350. This analytic specifically looks for DNS SIG and KEY records, and TCP payloads larger than 65KB - potential indicators of the SIGRed exploit. It requires ingestion of both Splunk Stream DNS and TCP data. The search does rely on macro definitions for 'stream:dns' and 'stream:tcp', which should be replaced with appropriate configurations tailored to your Splunk environment.
+action.notable.param.rule_description = Ensure that the following prerequisites are met: (i) Both Splunk Stream DNS and TCP data are ingested. (ii) The macros 'stream:dns' and 'stream:tcp' are replaced with the appropriate configurations that are specific to your Splunk environment. The following analytic detects SIGRed exploitation attempts. SIGRed is a critical wormable vulnerability found in Windows DNS servers, known as CVE-2020-1350, which allows remote code execution. The detection is made by using an experimental search that focuses on identifying specific indicators that might suggest the presence of the SIGRed exploit such as DNS SIG records, KEY records, and TCP payloads greater than 65KB. This detection is important because it detects and responds to potential SIGRed exploitation attempts and minimizes the risk of a successful attack and its impact on the organization's infrastructure and data. False positives might occur due to the experimental nature of this analytic. Next steps include reviewing and investigating each case thoroughly given the potential for unauthorized Windows DNS server access, data breaches, and service disruptions. Additionally, you must stay updated with Microsoft's guidance on the SIGRed vulnerability.
 action.notable.param.rule_title = Detect Windows DNS SIGRed via Splunk Stream
 action.notable.param.security_domain = network
 action.notable.param.severity = high
@@ -56786,10 +57044,10 @@ search = `stream_dns` | spath "query_type{}" | search "query_type{}" IN (SIG,KEY
 [ESCU - Detect Windows DNS SIGRed via Zeek - Rule]
 action.escu = 0
 action.escu.enabled = 1
-description = This search detects SIGRed via Zeek DNS and Zeek Conn data.
+description = The following analytic detects the presence of SIGRed, a critical DNS vulnerability, using Zeek DNS and Zeek Conn data. SIGRed vulnerability allows attackers to run remote code on Windows DNS servers. By detecting SIGRed early, you can prevent further damage and protect the organization's network infrastructure. The detection is made by identifying specific DNS query types (SIG and KEY) in the Zeek DNS data and checks for high data transfer in the Zeek Conn data. If multiple instances of these indicators are found within a flow, it suggests the presence of SIGRed. The detection is important because it indicates a potential compromise of Windows DNS servers that suggests that an attacker might have gained unauthorized access to the DNS server and can run arbitrary code. The impact of this attack can be severe, leading to data exfiltration, unauthorized access, or disruption of critical services. Next steps include investigating the affected flow and taking immediate action to mitigate the vulnerability. This can involve patching the affected DNS server, isolating the server from the network, or conducting a forensic analysis to determine the extent of the compromise.
 action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1203"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Network_Resolution", "Network_Traffic"]
-action.escu.eli5 = This search detects SIGRed via Zeek DNS and Zeek Conn data.
+action.escu.eli5 = The following analytic detects the presence of SIGRed, a critical DNS vulnerability, using Zeek DNS and Zeek Conn data. SIGRed vulnerability allows attackers to run remote code on Windows DNS servers. By detecting SIGRed early, you can prevent further damage and protect the organization's network infrastructure. The detection is made by identifying specific DNS query types (SIG and KEY) in the Zeek DNS data and checks for high data transfer in the Zeek Conn data. If multiple instances of these indicators are found within a flow, it suggests the presence of SIGRed. The detection is important because it indicates a potential compromise of Windows DNS servers that suggests that an attacker might have gained unauthorized access to the DNS server and can run arbitrary code. The impact of this attack can be severe, leading to data exfiltration, unauthorized access, or disruption of critical services. Next steps include investigating the affected flow and taking immediate action to mitigate the vulnerability. This can involve patching the affected DNS server, isolating the server from the network, or conducting a forensic analysis to determine the extent of the compromise.
 action.escu.how_to_implement = You must be ingesting Zeek DNS and Zeek Conn data into Splunk. Zeek data should also be getting ingested in JSON format. We are detecting SIG and KEY records via bro:dns:json and TCP payload over 65KB in size via bro:conn:json. The Network Resolution and Network Traffic datamodels are in use for this search.
 action.escu.known_false_positives = unknown
 action.escu.creation_date = 2020-07-28
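Review bot: The method sentence in the new description, `The detection is made by identifying specific DNS query types (SIG and KEY) in the Zeek DNS data and checks for high data transfer in the Zeek Conn data.`, mixes verb forms and is vaguer than the unchanged how_to_implement line in this hunk, which names the threshold as TCP payload over 65KB. Suggested wording: `The detection is made by identifying SIG and KEY query types in the Zeek DNS data and TCP payloads larger than 65KB in the Zeek Conn data.` The same sentence appears in the eli5 line here and in the rule_description hunk at @@ -56814.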
@@ -56814,7 +57072,7 @@ action.correlationsearch.annotations = {"analytic_story": ["Windows DNS SIGRed C
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
-action.notable.param.rule_description = This search detects SIGRed via Zeek DNS and Zeek Conn data.
+action.notable.param.rule_description = The following analytic detects the presence of SIGRed, a critical DNS vulnerability, using Zeek DNS and Zeek Conn data. SIGRed vulnerability allows attackers to run remote code on Windows DNS servers. By detecting SIGRed early, you can prevent further damage and protect the organization's network infrastructure. The detection is made by identifying specific DNS query types (SIG and KEY) in the Zeek DNS data and checks for high data transfer in the Zeek Conn data. If multiple instances of these indicators are found within a flow, it suggests the presence of SIGRed. The detection is important because it indicates a potential compromise of Windows DNS servers that suggests that an attacker might have gained unauthorized access to the DNS server and can run arbitrary code. The impact of this attack can be severe, leading to data exfiltration, unauthorized access, or disruption of critical services. Next steps include investigating the affected flow and taking immediate action to mitigate the vulnerability. This can involve patching the affected DNS server, isolating the server from the network, or conducting a forensic analysis to determine the extent of the compromise.
 action.notable.param.rule_title = Detect Windows DNS SIGRed via Zeek
 action.notable.param.security_domain = endpoint
 action.notable.param.severity = high
@@ -56832,10 +57090,10 @@ search = | tstats `security_content_summariesonly` count from datamodel=Network_
 [ESCU - Detect Zerologon via Zeek - Rule]
 action.escu = 0
 action.escu.enabled = 1
-description = This search detects attempts to run exploits for the Zerologon CVE-2020-1472 vulnerability via Zeek RPC
+description = The following analytic detects attempts to exploit the Zerologon CVE-2020-1472 vulnerability through Zeek RPC. By detecting attempts to exploit the Zerologon vulnerability through Zeek RPC, SOC analysts can identify potential threats earlier and take appropriate action to mitigate the risks. This detection is made by a Splunk query that looks for specific Zeek RPC operations, including NetrServerPasswordSet2, NetrServerReqChallenge, and NetrServerAuthenticate3, which are aggregated by source and destination IP address and time. This detection is important because it suggests that an attacker is attempting to exploit the Zerologon vulnerability to gain unauthorized access to the domain controller. Zerologon vulnerability is a critical vulnerability that allows attackers to take over domain controllers without authentication, leading to a complete takeover of an organization's IT infrastructure. The impact of such an attack can be severe, potentially leading to data theft, ransomware, or other devastating outcomes. False positives might occur since legitimate Zeek RPC activity can trigger the analytic. Next steps include reviewing the identified source and destination IP addresses and the specific RPC operations used. Capture and inspect any relevant on-disk artifacts, and review concurrent processes to identify the attack source upon triage .
 action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]}
 action.escu.data_models = []
-action.escu.eli5 = This search detects attempts to run exploits for the Zerologon CVE-2020-1472 vulnerability via Zeek RPC
+action.escu.eli5 = The following analytic detects attempts to exploit the Zerologon CVE-2020-1472 vulnerability through Zeek RPC. By detecting attempts to exploit the Zerologon vulnerability through Zeek RPC, SOC analysts can identify potential threats earlier and take appropriate action to mitigate the risks. This detection is made by a Splunk query that looks for specific Zeek RPC operations, including NetrServerPasswordSet2, NetrServerReqChallenge, and NetrServerAuthenticate3, which are aggregated by source and destination IP address and time. This detection is important because it suggests that an attacker is attempting to exploit the Zerologon vulnerability to gain unauthorized access to the domain controller. Zerologon vulnerability is a critical vulnerability that allows attackers to take over domain controllers without authentication, leading to a complete takeover of an organization's IT infrastructure. The impact of such an attack can be severe, potentially leading to data theft, ransomware, or other devastating outcomes. False positives might occur since legitimate Zeek RPC activity can trigger the analytic. Next steps include reviewing the identified source and destination IP addresses and the specific RPC operations used. Capture and inspect any relevant on-disk artifacts, and review concurrent processes to identify the attack source upon triage .
 action.escu.how_to_implement = You must be ingesting Zeek DCE-RPC data into Splunk. Zeek data should also be getting ingested in JSON format. We are detecting when all three RPC operations (NetrServerReqChallenge, NetrServerAuthenticate3, NetrServerPasswordSet2) are splunk_security_essentials_app via bro:rpc:json. These three operations are then correlated on the Zeek UID field.
 action.escu.known_false_positives = unknown
 action.escu.creation_date = 2020-09-15
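Review bot: The new description says the three RPC operations are `aggregated by source and destination IP address and time`, while the unchanged how_to_implement line in this hunk says they are `correlated on the Zeek UID field`; the two statements of the correlation key cannot both be right and should be aligned with the search, which is outside this hunk. The new text also ends with a stray space before the period, `upon triage .`. The same text is used in the eli5 line here and in the rule_description hunk at @@ -56860. Separately, the unchanged how_to_implement reads `are splunk_security_essentials_app via bro:rpc:json`, which looks like a search-and-replace artifact for `detected` and may be worth fixing in the same pass.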
@@ -56860,7 +57118,7 @@ action.correlationsearch.annotations = {"analytic_story": ["Detect Zerologon Att
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
-action.notable.param.rule_description = This search detects attempts to run exploits for the Zerologon CVE-2020-1472 vulnerability via Zeek RPC
+action.notable.param.rule_description = The following analytic detects attempts to exploit the Zerologon CVE-2020-1472 vulnerability through Zeek RPC. By detecting attempts to exploit the Zerologon vulnerability through Zeek RPC, SOC analysts can identify potential threats earlier and take appropriate action to mitigate the risks. This detection is made by a Splunk query that looks for specific Zeek RPC operations, including NetrServerPasswordSet2, NetrServerReqChallenge, and NetrServerAuthenticate3, which are aggregated by source and destination IP address and time. This detection is important because it suggests that an attacker is attempting to exploit the Zerologon vulnerability to gain unauthorized access to the domain controller. Zerologon vulnerability is a critical vulnerability that allows attackers to take over domain controllers without authentication, leading to a complete takeover of an organization's IT infrastructure. The impact of such an attack can be severe, potentially leading to data theft, ransomware, or other devastating outcomes. False positives might occur since legitimate Zeek RPC activity can trigger the analytic. Next steps include reviewing the identified source and destination IP addresses and the specific RPC operations used. Capture and inspect any relevant on-disk artifacts, and review concurrent processes to identify the attack source upon triage .
 action.notable.param.rule_title = Detect Zerologon via Zeek
 action.notable.param.security_domain = network
 action.notable.param.severity = high
@@ -57480,10 +57738,10 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 [ESCU - SMB Traffic Spike - Rule]
 action.escu = 0
 action.escu.enabled = 1
-description = This search looks for spikes in the number of Server Message Block (SMB) traffic connections.
+description = The following analytic detects spikes in the number of Server Message Block (SMB) traffic connections. SMB is a network protocol used for sharing files, printers, and other resources between computers. This detection is made by a Splunk query that looks for SMB traffic connections on ports 139 and 445, as well as connections using the SMB application. The query calculates the average and standard deviation of the number of SMB connections over the past 70 minutes, and identifies any sources that exceed two standard deviations from the average. This helps to filter out false positives caused by normal fluctuations in SMB traffic. This detection is important because it identifies potential SMB-based attacks, such as ransomware or data theft, which often involve a large number of SMB connections. This suggests that an attacker is attempting to exfiltrate data or spread malware within the network. Next steps include investigating the source of the traffic and determining if it is malicious. This can involve reviewing network logs, capturing and analyzing any relevant network packets, and correlating with other security events to identify the attack source and mitigate the risk.
 action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.002", "T1021"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Network_Traffic"]
-action.escu.eli5 = This search looks for spikes in the number of Server Message Block (SMB) traffic connections.
+action.escu.eli5 = The following analytic detects spikes in the number of Server Message Block (SMB) traffic connections. SMB is a network protocol used for sharing files, printers, and other resources between computers. This detection is made by a Splunk query that looks for SMB traffic connections on ports 139 and 445, as well as connections using the SMB application. The query calculates the average and standard deviation of the number of SMB connections over the past 70 minutes, and identifies any sources that exceed two standard deviations from the average. This helps to filter out false positives caused by normal fluctuations in SMB traffic. This detection is important because it identifies potential SMB-based attacks, such as ransomware or data theft, which often involve a large number of SMB connections. This suggests that an attacker is attempting to exfiltrate data or spread malware within the network. Next steps include investigating the source of the traffic and determining if it is malicious. This can involve reviewing network logs, capturing and analyzing any relevant network packets, and correlating with other security events to identify the attack source and mitigate the risk.
 action.escu.how_to_implement = This search requires you to be ingesting your network traffic logs and populating the `Network_Traffic` data model.
 action.escu.known_false_positives = A file server may experience high-demand loads that could cause this analytic to trigger.
 action.escu.creation_date = 2020-07-22
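Review bot: The new SMB Traffic Spike description has no false-positive sentence, unlike the other descriptions rewritten in this commit, even though the unchanged known_false_positives line in this hunk already names file servers under high-demand load. Adding `False positives might occur since a file server experiencing high-demand loads can produce a legitimate spike in SMB connections.` before the next-steps sentence keeps the two fields consistent. The search parameters the description now quotes (ports 139 and 445, a 70-minute window, two standard deviations) describe the search itself, which is outside this hunk, so they should be checked against it before merge.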
@@ -57941,6 +58199,107 @@ realtime_schedule = 0
 is_visible = false
 search = | tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("/cf_scripts/scripts/ajax/ckeditor/*") Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `adobe_coldfusion_unauthenticated_arbitrary_file_read_filter`
+[ESCU - Cisco IOS XE Implant Access - Rule]
+action.escu = 0
+action.escu.enabled = 1
+description = The following analytic identifies potential exploitation of a previously unknown vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software (CVE-2023-20198). Successful exploitation allows an attacker to create an account on the affected device with privilege level 15 access, granting them full control of the compromised device. The detection is based on the observation of suspicious account creation and subsequent actions, including the deployment of an implant consisting of a configuration file. The implant is saved under the file path //usr//binos//conf//nginx-conf//cisco_service.conf and is not persistent, meaning a device reboot will remove it, but the newly created local user accounts remain active even after system reboots. The new user accounts have level 15 privileges, meaning they have full administrator access to the device. This privileged access to the devices and subsequent creation of new users is tracked as CVE-2023-20198.
+action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]}
+action.escu.data_models = ["Web"]
+action.escu.eli5 = The following analytic identifies potential exploitation of a previously unknown vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software (CVE-2023-20198). 
Successful exploitation allows an attacker to create an account on the affected device with privilege level 15 access, granting them full control of the compromised device. The detection is based on the observation of suspicious account creation and subsequent actions, including the deployment of an implant consisting of a configuration file. The implant is saved under the file path //usr//binos//conf//nginx-conf//cisco_service.conf and is not persistent, meaning a device reboot will remove it, but the newly created local user accounts remain active even after system reboots. The new user accounts have level 15 privileges, meaning they have full administrator access to the device. This privileged access to the devices and subsequent creation of new users is tracked as CVE-2023-20198.
+action.escu.how_to_implement = This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto.
+action.escu.known_false_positives = False positives may be present, restrict to Cisco IOS XE devices or perimeter appliances. Modify the analytic as needed based on hunting for successful exploitation of CVE-2023-20198.
+action.escu.creation_date = 2023-10-17
+action.escu.modification_date = 2023-10-17
+action.escu.confidence = high
+action.escu.full_search_name = ESCU - Cisco IOS XE Implant Access - Rule
+action.escu.search_type = detection
+action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
+action.escu.providing_technologies = null
+action.escu.analytic_story = ["Cisco IOS XE Software Web Management User Interface vulnerability"]
+action.risk = 1
+action.risk.param._risk_message = Possible exploitation of CVE-2023-20198 against $dest$ by $src$.
+action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 81}, {"risk_object_field": "src", "risk_object_type": "system", "risk_score": 81}]
+action.risk.param._risk_score = 0
+action.risk.param.verbose = 0
+cron_schedule = 0 * * * *
+dispatch.earliest_time = -70m@m
+dispatch.latest_time = -10m@m
+action.correlationsearch.enabled = 1
+action.correlationsearch.label = ESCU - Cisco IOS XE Implant Access - Rule
+action.correlationsearch.annotations = {"analytic_story": ["Cisco IOS XE Software Web Management User Interface vulnerability"], "cis20": ["CIS 13"], "confidence": 90, "cve": ["CVE-2023-20198"], "impact": 90, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]}
+schedule_window = auto
+action.notable = 1
+action.notable.param.nes_fields = user,dest
+action.notable.param.rule_description = The following analytic identifies potential exploitation of a previously unknown vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software (CVE-2023-20198). Successful exploitation allows an attacker to create an account on the affected device with privilege level 15 access, granting them full control of the compromised device. The detection is based on the observation of suspicious account creation and subsequent actions, including the deployment of an implant consisting of a configuration file. The implant is saved under the file path //usr//binos//conf//nginx-conf//cisco_service.conf and is not persistent, meaning a device reboot will remove it, but the newly created local user accounts remain active even after system reboots. The new user accounts have level 15 privileges, meaning they have full administrator access to the device. This privileged access to the devices and subsequent creation of new users is tracked as CVE-2023-20198.
+action.notable.param.rule_title = Cisco IOS XE Implant Access
+action.notable.param.security_domain = network
+action.notable.param.severity = high
+alert.digest_mode = 1
+disabled = true
+enableSched = 1
+allow_skew = 100%
+counttype = number of events
+relation = greater than
+quantity = 0
+realtime_schedule = 0
+is_visible = false
+search = | tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("/webui/logoutconfirm.html?logon_hash=*") Web.http_method=POST Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `cisco_ios_xe_implant_access_filter`
+
+[ESCU - Citrix ADC and Gateway Unauthorized Data Disclosure - Rule]
+action.escu = 0
+action.escu.enabled = 1
+description = The following analytic detects attempts to exploit the Citrix Bleed vulnerability, which can lead to the leaking of session tokens. The vulnerability, identified as CVE-2023-4966, pertains to sensitive information disclosure in NetScaler ADC and NetScaler Gateway when set up as various server configurations. The analytic specifically searches for HTTP requests with a 200 status code targeting the /oauth/idp/.well-known/openid-configuration URL endpoint. By parsing web traffic and filtering based on the aforementioned criteria along with specific user agent details, HTTP method, source and destination IPs, and the sourcetype, the analytic aims to identify potentially malicious requests that fit the profile of this exploit. \
+This behavior is essential for a Security Operations Center (SOC) to identify because if successfully exploited, attackers can gain unauthorized access, leading to a potential breach or further malicious activities within the organization's network. 
As the Citrix Bleed vulnerability can disclose session tokens, a successful exploit can allow attackers to impersonate legitimate users, bypassing authentication mechanisms and accessing sensitive data or systems. \
+If a true positive is confirmed, it implies that an attacker is actively exploiting the vulnerability within the organization's environment. This could lead to severe consequences, including unauthorized data access, further propagation within the network, and potential disruptions or exfiltration of critical information. \
+Upon flagging such activity, it's crucial for analysts to swiftly validate the alert, assess the nature and extent of the exposure, and implement necessary measures to mitigate the threat. Reviewing the details such as user agent, source, and destination IP can help in understanding the context and intent of the attack. While it's imperative to patch vulnerable systems to prevent this exploitation, early detection through this analytic provides a valuable layer of defense, enabling timely response to thwart potential breaches.
+action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]}
+action.escu.data_models = ["Web"]
+action.escu.eli5 = The following analytic detects attempts to exploit the Citrix Bleed vulnerability, which can lead to the leaking of session tokens. The vulnerability, identified as CVE-2023-4966, pertains to sensitive information disclosure in NetScaler ADC and NetScaler Gateway when set up as various server configurations. The analytic specifically searches for HTTP requests with a 200 status code targeting the /oauth/idp/.well-known/openid-configuration URL endpoint. By parsing web traffic and filtering based on the aforementioned criteria along with specific user agent details, HTTP method, source and destination IPs, and the sourcetype, the analytic aims to identify potentially malicious requests that fit the profile of this exploit. 
\
+This behavior is essential for a Security Operations Center (SOC) to identify because if successfully exploited, attackers can gain unauthorized access, leading to a potential breach or further malicious activities within the organization's network. As the Citrix Bleed vulnerability can disclose session tokens, a successful exploit can allow attackers to impersonate legitimate users, bypassing authentication mechanisms and accessing sensitive data or systems. \
+If a true positive is confirmed, it implies that an attacker is actively exploiting the vulnerability within the organization's environment. This could lead to severe consequences, including unauthorized data access, further propagation within the network, and potential disruptions or exfiltration of critical information. \
+Upon flagging such activity, it's crucial for analysts to swiftly validate the alert, assess the nature and extent of the exposure, and implement necessary measures to mitigate the threat. Reviewing the details such as user agent, source, and destination IP can help in understanding the context and intent of the attack. While it's imperative to patch vulnerable systems to prevent this exploitation, early detection through this analytic provides a valuable layer of defense, enabling timely response to thwart potential breaches.
+action.escu.how_to_implement = This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. We recommend hunting in the environment first to understand the scope of the issue and then deploying this detection to monitor for future exploitation attempts. Limit or restrict to Citrix devices only if possible.
+action.escu.known_false_positives = False positives may be present based on organization use of Citrix ADC and Gateway. Filter, or restrict the analytic to Citrix devices only.
+action.escu.creation_date = 2023-10-24
+action.escu.modification_date = 2023-10-24
+action.escu.confidence = high
+action.escu.full_search_name = ESCU - Citrix ADC and Gateway Unauthorized Data Disclosure - Rule
+action.escu.search_type = detection
+action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
+action.escu.providing_technologies = null
+action.escu.analytic_story = ["Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966"]
+action.risk = 1
+action.risk.param._risk_message = Possible exploitation of Citrix Bleed vulnerability against $dest$ fron $src$.
+action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 90}, {"risk_object_field": "src", "risk_object_type": "system", "risk_score": 90}]
+action.risk.param._risk_score = 0
+action.risk.param.verbose = 0
+cron_schedule = 0 * * * *
+dispatch.earliest_time = -70m@m
+dispatch.latest_time = -10m@m
+action.correlationsearch.enabled = 1
+action.correlationsearch.label = ESCU - Citrix ADC and Gateway Unauthorized Data Disclosure - Rule
+action.correlationsearch.annotations = {"analytic_story": ["Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966"], "cis20": ["CIS 13"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]}
+schedule_window = auto
+action.notable = 1
+action.notable.param.nes_fields = user,dest
+action.notable.param.rule_description = The following analytic detects attempts to exploit the Citrix Bleed vulnerability, which can lead to the leaking of session tokens. The vulnerability, identified as CVE-2023-4966, pertains to sensitive information disclosure in NetScaler ADC and NetScaler Gateway when set up as various server configurations. The analytic specifically searches for HTTP requests with a 200 status code targeting the /oauth/idp/.well-known/openid-configuration URL endpoint. 
By parsing web traffic and filtering based on the aforementioned criteria along with specific user agent details, HTTP method, source and destination IPs, and the sourcetype, the analytic aims to identify potentially malicious requests that fit the profile of this exploit. \
+This behavior is essential for a Security Operations Center (SOC) to identify because if successfully exploited, attackers can gain unauthorized access, leading to a potential breach or further malicious activities within the organization's network. As the Citrix Bleed vulnerability can disclose session tokens, a successful exploit can allow attackers to impersonate legitimate users, bypassing authentication mechanisms and accessing sensitive data or systems. \
+If a true positive is confirmed, it implies that an attacker is actively exploiting the vulnerability within the organization's environment. This could lead to severe consequences, including unauthorized data access, further propagation within the network, and potential disruptions or exfiltration of critical information. \
+Upon flagging such activity, it's crucial for analysts to swiftly validate the alert, assess the nature and extent of the exposure, and implement necessary measures to mitigate the threat. Reviewing the details such as user agent, source, and destination IP can help in understanding the context and intent of the attack. While it's imperative to patch vulnerable systems to prevent this exploitation, early detection through this analytic provides a valuable layer of defense, enabling timely response to thwart potential breaches.
+action.notable.param.rule_title = Citrix ADC and Gateway Unauthorized Data Disclosure
+action.notable.param.security_domain = network
+action.notable.param.severity = high
+alert.digest_mode = 1
+disabled = true
+enableSched = 1
+allow_skew = 100%
+counttype = number of events
+relation = greater than
+quantity = 0
+realtime_schedule = 0
+is_visible = false
+search = | tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*/oauth/idp/.well-known/openid-configuration*") Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `citrix_adc_and_gateway_unauthorized_data_disclosure_filter`
+
 [ESCU - Citrix ADC Exploitation CVE-2023-3519 - Rule]
 action.escu = 0
 action.escu.enabled = 1
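Review bot: The Citrix rule's risk message reads `Possible exploitation of Citrix Bleed vulnerability against $dest$ fron $src$.` — `fron` should be `from`, and this string is what analysts see on the resulting risk event. The same rule's `action.correlationsearch.annotations` carries no `cve` entry although its analytic story is named for CVE-2023-4966, whereas the Cisco rule in this hunk includes `"cve": ["CVE-2023-20198"]`; adding `"cve": ["CVE-2023-4966"]` keeps the annotations consistent, and the two Confluence rules in the next hunk have the same gap for CVE-2023-22515. Both rules also set `action.notable.param.nes_fields = user,dest`, yet neither `tstats ... by` clause emits a `user` field, so notable suppression appears to key on an empty value; `src,dest` would match the fields the risk objects already use, if that is the intent. Separately, the Cisco description states the detection is based on observed account creation and implant deployment, while the search only matches POSTs to `/webui/logoutconfirm.html?logon_hash=*` with status 200, so the wording may overstate what this rule actually observes.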
@@ -57980,7 +58339,7 @@ relation = greater than
 quantity = 0
 realtime_schedule = 0
 is_visible = false
-search = | tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*/saml/login","/cgi/samlauth","*/saml/activelogin","/cgi/samlart?samlart=*","*/cgi/logout") Web.http_method=POST by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `citrix_adc_exploitation_cve_2023_3519_filter`
+search = | tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*/saml/login","/cgi/samlauth","*/saml/activelogin","/cgi/samlart?samlart=*","*/cgi/logout","/gwtest/formssso?event=start&target=*","/netscaler/ns_gui/vpn/*") Web.http_method=POST by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `citrix_adc_exploitation_cve_2023_3519_filter`
 [ESCU - Citrix ShareFile Exploitation CVE-2023-24489 - Rule]
 action.escu = 0
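Review bot: The two entries added to the `Web.url IN (...)` list, `"/gwtest/formssso?event=start&target=*"` and `"/netscaler/ns_gui/vpn/*"`, are anchored at the path start, while entries such as `"*/saml/login"` in the same list use a leading `*`; if some sources populate `Web.url` with a host or context prefix (which the existing `*`-prefixed entries suggest was anticipated), the new entries would silently miss those events, so `"*/gwtest/formssso?event=start&target=*"` and `"*/netscaler/ns_gui/vpn/*"` may be the intended form. `/netscaler/ns_gui/vpn/*` is also a broad prefix constrained only by `Web.http_method=POST`, which could raise the false-positive rate on legitimate gateway traffic; the rule's `action.escu.known_false_positives` and description, which lie outside this hunk, should be checked so they reflect the wider match. The enclosing `[ESCU - Citrix ADC Exploitation CVE-2023-3519 - Rule]` stanza starts before this hunk.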
@@ -58023,6 +58382,98 @@ realtime_schedule = 0
 is_visible = false
 search = | tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url="/documentum/upload.aspx?*" AND Web.url IN ("*parentid=*","*filename=*","*uploadId=*") AND Web.url IN ("*unzip=*", "*raw=*") Web.http_method=POST by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `citrix_sharefile_exploitation_cve_2023_24489_filter`
+[ESCU - Confluence CVE-2023-22515 Trigger Vulnerability - Rule]
+action.escu = 0
+action.escu.enabled = 1
+description = The following analytic identifies potential exploitation attempts on a known vulnerability in Atlassian Confluence, targeting the /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false* and /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=0& URLs. By analyzing web logs within the Splunk 'Web' Data Model, it filters for successful accesses (HTTP status 200) to these vulnerable endpoints. Such behavior is crucial for a SOC to monitor, as it suggests attackers might be exploiting a privilege escalation flaw in Confluence. A true positive implies a possible unauthorized access or account creation with escalated privileges. Key details captured include user-agent, HTTP methods, URL length, and source and destination IPs. These insights aid SOCs in swiftly detecting and responding to threats, ensuring vulnerabilities are mitigated before substantial compromise.
+action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]}
+action.escu.data_models = ["Web"]
+action.escu.eli5 = The following analytic identifies potential exploitation attempts on a known vulnerability in Atlassian Confluence, targeting the /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false* and /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=0& URLs. By analyzing web logs within the Splunk 'Web' Data Model, it filters for successful accesses (HTTP status 200) to these vulnerable endpoints. Such behavior is crucial for a SOC to monitor, as it suggests attackers might be exploiting a privilege escalation flaw in Confluence. A true positive implies a possible unauthorized access or account creation with escalated privileges. Key details captured include user-agent, HTTP methods, URL length, and source and destination IPs. These insights aid SOCs in swiftly detecting and responding to threats, ensuring vulnerabilities are mitigated before substantial compromise.
+action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel. Tested with Suricata and nginx:plus:kv.
+action.escu.known_false_positives = False positives may be present with legitimate applications. Attempt to filter by dest IP or use Asset groups to restrict to Confluence servers.
+action.escu.creation_date = 2023-10-23
+action.escu.modification_date = 2023-10-23
+action.escu.confidence = high
+action.escu.full_search_name = ESCU - Confluence CVE-2023-22515 Trigger Vulnerability - Rule
+action.escu.search_type = detection
+action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
+action.escu.providing_technologies = null
+action.escu.analytic_story = ["CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server"]
+action.risk = 1
+action.risk.param._risk_message = Potential exploitation attempts on a known vulnerability in Atlassian Confluence detected. The source IP is $src$ and the destination hostname is $dest$.
+action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 72}, {"risk_object_field": "src", "risk_object_type": "system", "risk_score": 72}]
+action.risk.param._risk_score = 0
+action.risk.param.verbose = 0
+cron_schedule = 0 * * * *
+dispatch.earliest_time = -70m@m
+dispatch.latest_time = -10m@m
+action.correlationsearch.enabled = 1
+action.correlationsearch.label = ESCU - Confluence CVE-2023-22515 Trigger Vulnerability - Rule
+action.correlationsearch.annotations = {"analytic_story": ["CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server"], "cis20": ["CIS 13"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]}
+schedule_window = auto
+action.notable = 1
+action.notable.param.nes_fields = user,dest
+action.notable.param.rule_description = The following analytic identifies potential exploitation attempts on a known vulnerability in Atlassian Confluence, targeting the /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false* and /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=0& URLs. 
By analyzing web logs within the Splunk 'Web' Data Model, it filters for successful accesses (HTTP status 200) to these vulnerable endpoints. Such behavior is crucial for a SOC to monitor, as it suggests attackers might be exploiting a privilege escalation flaw in Confluence. A true positive implies a possible unauthorized access or account creation with escalated privileges. Key details captured include user-agent, HTTP methods, URL length, and source and destination IPs. These insights aid SOCs in swiftly detecting and responding to threats, ensuring vulnerabilities are mitigated before substantial compromise.
+action.notable.param.rule_title = Confluence CVE-2023-22515 Trigger Vulnerability
+action.notable.param.security_domain = network
+action.notable.param.severity = high
+alert.digest_mode = 1
+disabled = true
+enableSched = 1
+allow_skew = 100%
+counttype = number of events
+relation = greater than
+quantity = 0
+realtime_schedule = 0
+is_visible = false
+search = | tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*/server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false*","*/server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=0&*") Web.http_method=GET Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `confluence_cve_2023_22515_trigger_vulnerability_filter`
+
+[ESCU - Confluence Data Center and Server Privilege Escalation - Rule]
+action.escu = 0
+action.escu.enabled = 1
+description = The following analytic identifies potential exploitation attempts on a known vulnerability in Atlassian Confluence, targeting the /setup/*.action* URL pattern. By analyzing web logs within the Splunk 'Web' Data Model, it filters for successful accesses (HTTP status 200) to these vulnerable endpoints. 
Such behavior is crucial for a SOC to monitor, as it suggests attackers might be exploiting a privilege escalation flaw in Confluence. A true positive implies a possible unauthorized access or account creation with escalated privileges. Key details captured include user-agent, HTTP methods, URL length, and source and destination IPs. These insights aid SOCs in swiftly detecting and responding to threats, ensuring vulnerabilities are mitigated before substantial compromise.
+action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]}
+action.escu.data_models = ["Web"]
+action.escu.eli5 = The following analytic identifies potential exploitation attempts on a known vulnerability in Atlassian Confluence, targeting the /setup/*.action* URL pattern. By analyzing web logs within the Splunk 'Web' Data Model, it filters for successful accesses (HTTP status 200) to these vulnerable endpoints. Such behavior is crucial for a SOC to monitor, as it suggests attackers might be exploiting a privilege escalation flaw in Confluence. A true positive implies a possible unauthorized access or account creation with escalated privileges. Key details captured include user-agent, HTTP methods, URL length, and source and destination IPs. These insights aid SOCs in swiftly detecting and responding to threats, ensuring vulnerabilities are mitigated before substantial compromise.
+action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel.
+action.escu.known_false_positives = False positives may be present with legitimate applications. Attempt to filter by dest IP or use Asset groups to restrict to confluence servers.
+action.escu.creation_date = 2023-10-18
+action.escu.modification_date = 2023-10-18
+action.escu.confidence = high
+action.escu.full_search_name = ESCU - Confluence Data Center and Server Privilege Escalation - Rule
+action.escu.search_type = detection
+action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
+action.escu.providing_technologies = null
+action.escu.analytic_story = ["CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server"]
+action.risk = 1
+action.risk.param._risk_message = Potential exploitation attempts on a known vulnerability in Atlassian Confluence detected. The source IP is $src$ and the destination hostname is $dest$.
+action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 72}, {"risk_object_field": "src", "risk_object_type": "system", "risk_score": 72}]
+action.risk.param._risk_score = 0
+action.risk.param.verbose = 0
+cron_schedule = 0 * * * *
+dispatch.earliest_time = -70m@m
+dispatch.latest_time = -10m@m
+action.correlationsearch.enabled = 1
+action.correlationsearch.label = ESCU - Confluence Data Center and Server Privilege Escalation - Rule
+action.correlationsearch.annotations = {"analytic_story": ["CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server"], "cis20": ["CIS 13"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]}
+schedule_window = auto
+action.notable = 1
+action.notable.param.nes_fields = user,dest
+action.notable.param.rule_description = The following analytic identifies potential exploitation attempts on a known vulnerability in Atlassian Confluence, targeting the /setup/*.action* URL pattern. By analyzing web logs within the Splunk 'Web' Data Model, it filters for successful accesses (HTTP status 200) to these vulnerable endpoints. 
Such behavior is crucial for a SOC to monitor, as it suggests attackers might be exploiting a privilege escalation flaw in Confluence. A true positive implies a possible unauthorized access or account creation with escalated privileges. Key details captured include user-agent, HTTP methods, URL length, and source and destination IPs. These insights aid SOCs in swiftly detecting and responding to threats, ensuring vulnerabilities are mitigated before substantial compromise.
+action.notable.param.rule_title = Confluence Data Center and Server Privilege Escalation
+action.notable.param.security_domain = network
+action.notable.param.severity = high
+alert.digest_mode = 1
+disabled = true
+enableSched = 1
+allow_skew = 100%
+counttype = number of events
+relation = greater than
+quantity = 0
+realtime_schedule = 0
+is_visible = false
+search = | tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*/setup/setupadministrator.action*", "*/setup/finishsetup.action*") Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `confluence_data_center_and_server_privilege_escalation_filter`
+
 [ESCU - Confluence Unauthenticated Remote Code Execution CVE-2022-26134 - Rule]
 action.escu = 0
 action.escu.enabled = 1
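Review bot: `action.escu.how_to_implement` in both Confluence rules contains the typo `relavent` in `...that include fields relavent for traffic into the `Web` datamodel.`; it should read `relevant`, and this text is rendered to users in the app. The second rule's `description`, `eli5` and `rule_description` say it targets the `/setup/*.action*` URL pattern, whereas its search only matches `"*/setup/setupadministrator.action*"` and `"*/setup/finishsetup.action*"`; either widen the search or narrow the wording so analysts know exactly which endpoints fire. The first rule's search additionally requires `Web.http_method=GET`, which none of its description fields mention; a short note there would make the difference from the second rule, which accepts any method, explicit.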
@@ -58293,6 +58744,52 @@ realtime_schedule = 0 is_visible = false search = | tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*configWizard/keyUpload.jsp*") by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `exploit_public_facing_fortinet_fortinac_cve_2022_39952_filter` +[ESCU - F5 TMUI Authentication Bypass - Rule] +action.escu = 0 +action.escu.enabled = 1 +description = The following analytic is designed to detect attempts to exploit the CVE-2023-46747 vulnerability, a critical authentication bypass flaw in F5 BIG-IP that can lead to unauthenticated remote code execution (RCE). This vulnerability specifically affects the BIG-IP Configuration utility (TMUI) and has been assigned a high severity CVSSv3 score of 9.8. The analytic identifies this behavior by monitoring for a specific URI path - "*/mgmt/tm/auth/user/*", with the PATCH method and 200 status. Additional URI's will occur around the same time include "*/mgmt/shared/authn/login*" and "*/tmui/login.jsp*", which are associated with the exploitation of this vulnerability. This behavior is significant for a Security Operations Center (SOC) as it indicates an attempt to bypass authentication mechanisms, potentially leading to unauthorized access and control over the system. If a true positive is identified, it suggests that an attacker is attempting to exploit a known vulnerability to gain unauthorized access and execute arbitrary code, which could lead to data theft, system disruption, or further malicious activities within the network. 
+action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.CM"]} +action.escu.data_models = ["Web"] +action.escu.eli5 = The following analytic is designed to detect attempts to exploit the CVE-2023-46747 vulnerability, a critical authentication bypass flaw in F5 BIG-IP that can lead to unauthenticated remote code execution (RCE). This vulnerability specifically affects the BIG-IP Configuration utility (TMUI) and has been assigned a high severity CVSSv3 score of 9.8. The analytic identifies this behavior by monitoring for a specific URI path - "*/mgmt/tm/auth/user/*", with the PATCH method and 200 status. Additional URI's will occur around the same time include "*/mgmt/shared/authn/login*" and "*/tmui/login.jsp*", which are associated with the exploitation of this vulnerability. This behavior is significant for a Security Operations Center (SOC) as it indicates an attempt to bypass authentication mechanisms, potentially leading to unauthorized access and control over the system. If a true positive is identified, it suggests that an attacker is attempting to exploit a known vulnerability to gain unauthorized access and execute arbitrary code, which could lead to data theft, system disruption, or further malicious activities within the network. +action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on Web traffic that include fields relevant for traffic into the `Web` datamodel. +action.escu.known_false_positives = False positives should be limited to as this is strict to active exploitation. Reduce noise by filtering to F5 devices with TMUI enabled or filter data as needed. 
+action.escu.creation_date = 2023-10-30 +action.escu.modification_date = 2023-10-30 +action.escu.confidence = high +action.escu.full_search_name = ESCU - F5 TMUI Authentication Bypass - Rule +action.escu.search_type = detection +action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] +action.escu.providing_technologies = null +action.escu.analytic_story = ["F5 Authentication Bypass with TMUI"] +action.risk = 1 +action.risk.param._risk_message = Potential CVE-2023-46747 F5 TMUI Authentication Bypass may be occurring against $dest$ from $src$. +action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 90}, {"risk_object_field": "src", "risk_object_type": "system", "risk_score": 90}] +action.risk.param._risk_score = 0 +action.risk.param.verbose = 0 +cron_schedule = 0 * * * * +dispatch.earliest_time = -70m@m +dispatch.latest_time = -10m@m +action.correlationsearch.enabled = 1 +action.correlationsearch.label = ESCU - F5 TMUI Authentication Bypass - Rule +action.correlationsearch.annotations = {"analytic_story": ["F5 Authentication Bypass with TMUI"], "cis20": ["CIS 10"], "confidence": 90, "cve": ["CVE-2023-46747"], "impact": 100, "nist": ["DE.CM"]} +schedule_window = auto +action.notable = 1 +action.notable.param.nes_fields = user,dest +action.notable.param.rule_description = The following analytic is designed to detect attempts to exploit the CVE-2023-46747 vulnerability, a critical authentication bypass flaw in F5 BIG-IP that can lead to unauthenticated remote code execution (RCE). This vulnerability specifically affects the BIG-IP Configuration utility (TMUI) and has been assigned a high severity CVSSv3 score of 9.8. The analytic identifies this behavior by monitoring for a specific URI path - "*/mgmt/tm/auth/user/*", with the PATCH method and 200 status. 
Additional URI's will occur around the same time include "*/mgmt/shared/authn/login*" and "*/tmui/login.jsp*", which are associated with the exploitation of this vulnerability. This behavior is significant for a Security Operations Center (SOC) as it indicates an attempt to bypass authentication mechanisms, potentially leading to unauthorized access and control over the system. If a true positive is identified, it suggests that an attacker is attempting to exploit a known vulnerability to gain unauthorized access and execute arbitrary code, which could lead to data theft, system disruption, or further malicious activities within the network. +action.notable.param.rule_title = F5 TMUI Authentication Bypass +action.notable.param.security_domain = endpoint +action.notable.param.severity = high +alert.digest_mode = 1 +disabled = true +enableSched = 1 +allow_skew = 100% +counttype = number of events +relation = greater than +quantity = 0 +realtime_schedule = 0 +is_visible = false +search = | tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*/mgmt/tm/auth/user/*") Web.http_method=PATCH Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `f5_tmui_authentication_bypass_filter` + [ESCU - Fortinet Appliance Auth bypass - Rule] action.escu = 0 action.escu.enabled = 1 
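Review bot: `action.notable.param.nes_fields = user,dest` names `user`, but the added search's `by` clause carries `Web.src` and `Web.dest` and never `Web.user`, so the notable's user field will be empty; either drop `user` from `nes_fields` or add `Web.user` to the `by` list. `action.notable.param.security_domain = endpoint` also differs from the other Web-datamodel rules added in this diff (Confluence above, SharePoint below both use `network`), which looks unintentional for a detection built purely on web-request fields. The annotations carry a `cve` entry but no `mitre_attack`/`kill_chain_phases`, unlike the sibling rules that map to T1190/Delivery; if that omission is deliberate it deserves a word in the description. The same `user` mismatch in `nes_fields` applies to the Confluence hunk above (which starts before this chunk) and the SharePoint hunk below.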
@@ -58404,7 +58901,7 @@ relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false -search = | from datamodel Web.Web | eval jndi=if(match(_raw, "(\{|%7B)[jJnNdDiI]{4}:"),4,0) | eval jndi_fastmatch=if(match(_raw, "[jJnNdDiI]{4}"),2,0) | eval jndi_proto=if(match(_raw,"(?i)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http|https):"),5,0) | eval all_match = if(match(_raw, "(?i)(%(25){0,}20|\s)*(%(25){0,}24|\$)(%(25){0,}20|\s)*(%(25){0,}7B|{)(%(25){0,}20|\s)*(%(25){0,}(6A|4A)|J)(%(25){0,}(6E|4E)|N)(%(25){0,}(64|44)|D)(%(25){0,}(69|49)|I)(%(25){0,}20|\s)*(%(25){0,}3A|:)[\w\%]+(%(25){1,}3A|:)(%(25){1,}2F|\/)[^\n]+"),5,0) | eval env_var = if(match(_raw, "env:") OR match(_raw, "env:AWS_ACCESS_KEY_ID") OR match(_raw, "env:AWS_SECRET_ACCESS_KEY"),5,0) | eval uridetect = if(match(_raw, "(?i)Basic\/Command\/Base64|Basic\/ReverseShell|Basic\/TomcatMemshell|Basic\/JBossMemshell|Basic\/WebsphereMemshell|Basic\/SpringMemshell|Basic\/Command|Deserialization\/CommonsCollectionsK|Deserialization\/CommonsBeanutils|Deserialization\/Jre8u20\/TomcatMemshell|Deserialization\/CVE_2020_2555\/WeblogicMemshell|TomcatBypass|GroovyBypass|WebsphereBypass"),4,0) | eval keywords = 
if(match(_raw,"(?i)\$\{ctx\:loginId\}|\$\{map\:type\}|\$\{filename\}|\$\{date\:MM-dd-yyyy\}|\$\{docker\:containerId\}|\$\{docker\:containerName\}|\$\{docker\:imageName\}|\$\{env\:USER\}|\$\{event\:Marker\}|\$\{mdc\:UserId\}|\$\{java\:runtime\}|\$\{java\:vm\}|\$\{java\:os\}|\$\{jndi\:logging/context-name\}|\$\{hostName\}|\$\{docker\:containerId\}|\$\{k8s\:accountName\}|\$\{k8s\:clusterName\}|\$\{k8s\:containerId\}|\$\{k8s\:containerName\}|\$\{k8s\:host\}|\$\{k8s\:labels.app\}|\$\{k8s\:labels.podTemplateHash\}|\$\{k8s\:masterUrl\}|\$\{k8s\:namespaceId\}|\$\{k8s\:namespaceName\}|\$\{k8s\:podId\}|\$\{k8s\:podIp\}|\$\{k8s\:podName\}|\$\{k8s\:imageId\}|\$\{k8s\:imageName\}|\$\{log4j\:configLocation\}|\$\{log4j\:configParentLocation\}|\$\{spring\:spring.application.name\}|\$\{main\:myString\}|\$\{main\:0\}|\$\{main\:1\}|\$\{main\:2\}|\$\{main\:3\}|\$\{main\:4\}|\$\{main\:bar\}|\$\{name\}|\$\{marker\}|\$\{marker\:name\}|\$\{spring\:profiles.active[0]|\$\{sys\:logPath\}|\$\{web\:rootDir\}|\$\{sys\:user.name\}"),4,0) | eval obf = if(match(_raw, "(\$|%24)[^ /]*({|%7b)[^ /]*(j|%6a)[^ /]*(n|%6e)[^ /]*(d|%64)[^ /]*(i|%69)[^ /]*(:|%3a)[^ /]*(:|%3a)[^ /]*(/|%2f)"),5,0) | eval lookups = if(match(_raw, "(?i)({|%7b)(main|sys|k8s|spring|lower|upper|env|date|sd)"),4,0) | addtotals fieldname=Score, jndi, jndi_proto, env_var, uridetect, all_match, jndi_fastmatch, keywords, obf, lookups | where Score > 2 | stats values(Score) by jndi, jndi_proto, env_var, uridetect, all_match, jndi_fastmatch, keywords, lookups, obf, _raw | `hunting_for_log4shell_filter` +search = | from datamodel Web.Web | eval jndi=if(match(_raw, "(\{|%7B)[jJnNdDiI]{4}:"),4,0) | eval jndi_fastmatch=if(match(_raw, "[jJnNdDiI]{4}"),2,0) | eval jndi_proto=if(match(_raw,"(?i)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http|https):"),5,0) | eval all_match = if(match(_raw, 
"(?i)(%(25){0,}20|\s)*(%(25){0,}24|\$)(%(25){0,}20|\s)*(%(25){0,}7B|{)(%(25){0,}20|\s)*(%(25){0,}(6A|4A)|J)(%(25){0,}(6E|4E)|N)(%(25){0,}(64|44)|D)(%(25){0,}(69|49)|I)(%(25){0,}20|\s)*(%(25){0,}3A|:)[\w\%]+(%(25){1,}3A|:)(%(25){1,}2F|\/)[^\n]+"),5,0) | eval env_var = if(match(_raw, "env:") OR match(_raw, "env:AWS_ACCESS_KEY_ID") OR match(_raw, "env:AWS_SECRET_ACCESS_KEY"),5,0) | eval uridetect = if(match(_raw, "(?i)Basic\/Command\/Base64|Basic\/ReverseShell|Basic\/TomcatMemshell|Basic\/JBossMemshell|Basic\/WebsphereMemshell|Basic\/SpringMemshell|Basic\/Command|Deserialization\/CommonsCollectionsK|Deserialization\/CommonsBeanutils|Deserialization\/Jre8u20\/TomcatMemshell|Deserialization\/CVE_2020_2555\/WeblogicMemshell|TomcatBypass|GroovyBypass|WebsphereBypass"),4,0) | eval keywords = if(match(_raw,"(?i)\$\{ctx\:loginId\}|\$\{map\:type\}|\$\{filename\}|\$\{date\:MM-dd-yyyy\}|\$\{docker\:containerId\}|\$\{docker\:containerName\}|\$\{docker\:imageName\}|\$\{env\:USER\}|\$\{event\:Marker\}|\$\{mdc\:UserId\}|\$\{java\:runtime\}|\$\{java\:vm\}|\$\{java\:os\}|\$\{jndi\:logging/context-name\}|\$\{hostName\}|\$\{docker\:containerId\}|\$\{k8s\:accountName\}|\$\{k8s\:clusterName\}|\$\{k8s\:containerId\}|\$\{k8s\:containerName\}|\$\{k8s\:host\}|\$\{k8s\:labels.app\}|\$\{k8s\:labels.podTemplateHash\}|\$\{k8s\:masterUrl\}|\$\{k8s\:namespaceId\}|\$\{k8s\:namespaceName\}|\$\{k8s\:podId\}|\$\{k8s\:podIp\}|\$\{k8s\:podName\}|\$\{k8s\:imageId\}|\$\{k8s\:imageName\}|\$\{log4j\:configLocation\}|\$\{log4j\:configParentLocation\}|\$\{spring\:spring.application.name\}|\$\{main\:myString\}|\$\{main\:0\}|\$\{main\:1\}|\$\{main\:2\}|\$\{main\:3\}|\$\{main\:4\}|\$\{main\:bar\}|\$\{name\}|\$\{marker\}|\$\{marker\:name\}|\$\{spring\:profiles.active[0]|\$\{sys\:logPath\}|\$\{web\:rootDir\}|\$\{sys\:user.name\}"),4,0) | eval obf = if(match(_raw, "(\$|%24)[^ /]*({|%7b)[^ /]*(j|%6a)[^ /]*(n|%6e)[^ /]*(d|%64)[^ /]*(i|%69)[^ /]*(:|%3a)[^ /]*(:|%3a)[^ /]*(/|%2f)"),5,0) | eval lookups = if(match(_raw, 
"(?i)({|%7b)(main|sys|k8s|spring|lower|upper|env|date|sd)"),4,0) | addtotals fieldname=Score, jndi, jndi_proto, env_var, uridetect, all_match, jndi_fastmatch, keywords, obf, lookups | where Score > 2 | stats values(Score) by jndi, jndi_proto, env_var, uridetect, all_match, jndi_fastmatch, keywords, lookups, obf, dest, src, http_method, _raw | `hunting_for_log4shell_filter` [ESCU - Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078 - Rule] action.escu = 0 
@@ -58716,6 +59213,52 @@ realtime_schedule = 0 is_visible = false search = | from datamodel Web.Web | rex field=_raw max_match=0 "[jJnNdDiI]{4}(\:|\%3A|\/|\%2F)(?\w+)(\:\/\/|\%3A\%2F\%2F)(\$\{.*?\}(\.)?)?(?[a-zA-Z0-9\.\-\_\$]+)" | join affected_host type=inner [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic.All_Traffic by All_Traffic.dest | `drop_dm_object_name(All_Traffic)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename dest AS affected_host] | fillnull | stats count by action, category, dest, dest_port, http_content_type, http_method, http_referrer, http_user_agent, site, src, url, url_domain, user | `log4shell_jndi_payload_injection_with_outbound_connection_filter` +[ESCU - Microsoft SharePoint Server Elevation of Privilege - Rule] +action.escu = 0 +action.escu.enabled = 1 +description = The following analytic detects potential exploitation attempts against Microsoft SharePoint Server vulnerability CVE-2023-29357. This vulnerability pertains to an elevation of privilege due to improper handling of authentication tokens. By monitoring for suspicious activities related to SharePoint Server, the analytic identifies attempts to exploit this vulnerability. If a true positive is detected, it indicates a serious security breach where an attacker might have gained privileged access to the SharePoint environment, potentially leading to data theft or other malicious activities. +action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.CM"]} +action.escu.data_models = ["Web"] +action.escu.eli5 = The following analytic detects potential exploitation attempts against Microsoft SharePoint Server vulnerability CVE-2023-29357. This vulnerability pertains to an elevation of privilege due to improper handling of authentication tokens. 
By monitoring for suspicious activities related to SharePoint Server, the analytic identifies attempts to exploit this vulnerability. If a true positive is detected, it indicates a serious security breach where an attacker might have gained privileged access to the SharePoint environment, potentially leading to data theft or other malicious activities. +action.escu.how_to_implement = This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Microsoft SharePoint. +action.escu.known_false_positives = False positives may occur if there are legitimate activities that mimic the exploitation pattern. It's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment. +action.escu.creation_date = 2023-09-27 +action.escu.modification_date = 2023-09-27 +action.escu.confidence = high +action.escu.full_search_name = ESCU - Microsoft SharePoint Server Elevation of Privilege - Rule +action.escu.search_type = detection +action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] +action.escu.providing_technologies = null +action.escu.analytic_story = ["Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357"] +action.risk = 1 +action.risk.param._risk_message = Possible exploitation of CVE-2023-29357 against $dest$ from $src$. 
+action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 45}, {"risk_object_field": "src", "risk_object_type": "system", "risk_score": 45}] +action.risk.param._risk_score = 0 +action.risk.param.verbose = 0 +cron_schedule = 0 * * * * +dispatch.earliest_time = -70m@m +dispatch.latest_time = -10m@m +action.correlationsearch.enabled = 1 +action.correlationsearch.label = ESCU - Microsoft SharePoint Server Elevation of Privilege - Rule +action.correlationsearch.annotations = {"analytic_story": ["Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357"], "cis20": ["CIS 13"], "confidence": 50, "cve": ["CVE-2023-29357"], "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.CM"]} +schedule_window = auto +action.notable = 1 +action.notable.param.nes_fields = user,dest +action.notable.param.rule_description = The following analytic detects potential exploitation attempts against Microsoft SharePoint Server vulnerability CVE-2023-29357. This vulnerability pertains to an elevation of privilege due to improper handling of authentication tokens. By monitoring for suspicious activities related to SharePoint Server, the analytic identifies attempts to exploit this vulnerability. If a true positive is detected, it indicates a serious security breach where an attacker might have gained privileged access to the SharePoint environment, potentially leading to data theft or other malicious activities. 
+action.notable.param.rule_title = Microsoft SharePoint Server Elevation of Privilege +action.notable.param.security_domain = network +action.notable.param.severity = high +alert.digest_mode = 1 +disabled = true +enableSched = 1 +allow_skew = 100% +counttype = number of events +relation = greater than +quantity = 0 +realtime_schedule = 0 +is_visible = false +search = | tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("/_api/web/siteusers*","/_api/web/currentuser*") Web.status=200 Web.http_method=GET by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `microsoft_sharepoint_server_elevation_of_privilege_filter` + [ESCU - Monitor Web Traffic For Brand Abuse - Rule] action.escu = 0 action.escu.enabled = 1 
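Review bot: The added search filters on `Web.url IN ("/_api/web/siteusers*","/_api/web/currentuser*")` with no leading wildcard, whereas every other Web-datamodel rule in this diff anchors its patterns as `"*/...*"`; if `Web.url` holds the full URL (scheme and host) rather than only the path, these patterns never match and the rule is dead on arrival. `Web.url IN ("*/_api/web/siteusers*","*/_api/web/currentuser*")` keeps the intent and matches either form. `action.notable.param.nes_fields = user,dest` also names `user` while the `by` clause has no `Web.user`, so the notable's user field will be empty. The description's "monitoring for suspicious activities related to SharePoint Server" could state what is actually matched — successful `GET` requests to the two REST endpoints — so analysts know the real coverage.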
@@ -58898,10 +59441,10 @@ search = | tstats count from datamodel=Web where Web.http_method IN ("GET") Web. [ESCU - SQL Injection with Long URLs - Rule] action.escu = 0 action.escu.enabled = 1 -description = This search looks for long URLs that have several SQL commands visible within them. +description = The following analytic detects long URLs that contain multiple SQL commands. A proactive approach helps to detect and respond to potential threats earlier, mitigating the risks associated with SQL injection attacks. This detection is made by a Splunk query that searches for web traffic data where the destination category is a web server and the URL length is greater than 1024 characters or the HTTP user agent length is greater than 200 characters. This detection is important because it suggests that an attacker is attempting to exploit a web application through SQL injection. SQL injection is a common technique used by attackers to exploit vulnerabilities in web applications and gain unauthorized access to databases. Attackers can insert malicious SQL commands into a URL to manipulate the application's database and retrieve sensitive information or modify data. The impact of a successful SQL injection attack can be severe, potentially leading to data breaches, unauthorized access, and even complete compromise of the affected system. False positives might occur since the legitimate use of web applications or specific URLs in your environment can trigger the detection. Therefore, you must review and validate any alerts generated by this analytic before taking any action. Next steps include reviewing the source and destination of the web traffic, as well as the specific URL and HTTP user agent. Additionally, capture and analyze any relevant on-disk artifacts and review concurrent processes to determine the source of the attack. 
action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} action.escu.data_models = ["Web"] -action.escu.eli5 = This search looks for long URLs that have several SQL commands visible within them. +action.escu.eli5 = The following analytic detects long URLs that contain multiple SQL commands. A proactive approach helps to detect and respond to potential threats earlier, mitigating the risks associated with SQL injection attacks. This detection is made by a Splunk query that searches for web traffic data where the destination category is a web server and the URL length is greater than 1024 characters or the HTTP user agent length is greater than 200 characters. This detection is important because it suggests that an attacker is attempting to exploit a web application through SQL injection. SQL injection is a common technique used by attackers to exploit vulnerabilities in web applications and gain unauthorized access to databases. Attackers can insert malicious SQL commands into a URL to manipulate the application's database and retrieve sensitive information or modify data. The impact of a successful SQL injection attack can be severe, potentially leading to data breaches, unauthorized access, and even complete compromise of the affected system. False positives might occur since the legitimate use of web applications or specific URLs in your environment can trigger the detection. Therefore, you must review and validate any alerts generated by this analytic before taking any action. Next steps include reviewing the source and destination of the web traffic, as well as the specific URL and HTTP user agent. Additionally, capture and analyze any relevant on-disk artifacts and review concurrent processes to determine the source of the attack. 
action.escu.how_to_implement = To successfully implement this search, you need to be monitoring network communications to your web servers or ingesting your HTTP logs and populating the Web data model. You must also identify your web servers in the Enterprise Security assets table. action.escu.known_false_positives = It's possible that legitimate traffic will have long URLs or long user agent strings and that common SQL commands may be found within the URL. Please investigate as appropriate. action.escu.creation_date = 2022-03-28 
@@ -58926,7 +59469,7 @@ action.correlationsearch.annotations = {"analytic_story": ["SQL Injection"], "ci schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search looks for long URLs that have several SQL commands visible within them. +action.notable.param.rule_description = The following analytic detects long URLs that contain multiple SQL commands. A proactive approach helps to detect and respond to potential threats earlier, mitigating the risks associated with SQL injection attacks. This detection is made by a Splunk query that searches for web traffic data where the destination category is a web server and the URL length is greater than 1024 characters or the HTTP user agent length is greater than 200 characters. This detection is important because it suggests that an attacker is attempting to exploit a web application through SQL injection. SQL injection is a common technique used by attackers to exploit vulnerabilities in web applications and gain unauthorized access to databases. Attackers can insert malicious SQL commands into a URL to manipulate the application's database and retrieve sensitive information or modify data. The impact of a successful SQL injection attack can be severe, potentially leading to data breaches, unauthorized access, and even complete compromise of the affected system. False positives might occur since the legitimate use of web applications or specific URLs in your environment can trigger the detection. Therefore, you must review and validate any alerts generated by this analytic before taking any action. Next steps include reviewing the source and destination of the web traffic, as well as the specific URL and HTTP user agent. Additionally, capture and analyze any relevant on-disk artifacts and review concurrent processes to determine the source of the attack. 
action.notable.param.rule_title = SQL Injection with Long URLs action.notable.param.security_domain = network action.notable.param.severity = high 
@@ -58944,10 +59487,10 @@ search = | tstats `security_content_summariesonly` count from datamodel=Web wher [ESCU - Supernova Webshell - Rule] action.escu = 0 action.escu.enabled = 1 -description = This search aims to detect the Supernova webshell used in the SUNBURST attack. +description = The following analytic detects the presence of the Supernova webshell, which was used in the SUNBURST attack. This webshell can be used by attackers to gain unauthorized access to a compromised system and run arbitrary code. This detection is made by a Splunk query that searches for specific patterns in web URLs, including "*logoimagehandler.ashx*codes*", "*logoimagehandler.ashx*clazz*", "*logoimagehandler.ashx*method*", and "*logoimagehandler.ashx*args*". These patterns are commonly used by the Supernova webshell to communicate with its command and control server. This detection is important because it indicates a potential compromise and unauthorized access to the system to run arbitrary code, which can lead to data theft, ransomware, or other damaging outcomes. False positives might occur since the patterns used by the webshell can also be present in legitimate web traffic. In such cases, tune the search to the specific environment and monitor it closely for any suspicious activity. Next steps include reviewing the web URLs and inspecting any relevant on-disk artifacts. Additionally, review concurrent processes and network connections to identify the source of the attack. action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1505.003", "T1133"], "nist": ["DE.CM"]} action.escu.data_models = ["Web"] -action.escu.eli5 = This search aims to detect the Supernova webshell used in the SUNBURST attack. +action.escu.eli5 = The following analytic detects the presence of the Supernova webshell, which was used in the SUNBURST attack. 
This webshell can be used by attackers to gain unauthorized access to a compromised system and run arbitrary code. This detection is made by a Splunk query that searches for specific patterns in web URLs, including "*logoimagehandler.ashx*codes*", "*logoimagehandler.ashx*clazz*", "*logoimagehandler.ashx*method*", and "*logoimagehandler.ashx*args*". These patterns are commonly used by the Supernova webshell to communicate with its command and control server. This detection is important because it indicates a potential compromise and unauthorized access to the system to run arbitrary code, which can lead to data theft, ransomware, or other damaging outcomes. False positives might occur since the patterns used by the webshell can also be present in legitimate web traffic. In such cases, tune the search to the specific environment and monitor it closely for any suspicious activity. Next steps include reviewing the web URLs and inspecting any relevant on-disk artifacts. Additionally, review concurrent processes and network connections to identify the source of the attack. action.escu.how_to_implement = To successfully implement this search, you need to be monitoring web traffic to your Solarwinds Orion. The logs should be ingested into splunk and populating/mapped to the Web data model. action.escu.known_false_positives = There might be false positives associted with this detection since items like args as a web argument is pretty generic. action.escu.creation_date = 2021-01-06 
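Review bot: The new description says the four `logoimagehandler.ashx` parameter patterns are used by the webshell "to communicate with its command and control server", but they are query parameters of inbound HTTP requests sent to the compromised Orion server, so calling them C2 traffic points analysts toward outbound connections that the rule does not look at. Suggest `These parameters appear in inbound requests an operator sends to the webshell on the compromised Orion server.` in place of that sentence. The same wording is repeated in `action.escu.eli5` here and in `action.notable.param.rule_description` in the next hunk. The unchanged `known_false_positives` context line also carries the typo `associted`, which the commit could fix while it is editing this stanza.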
@@ -58972,7 +59515,7 @@ action.correlationsearch.annotations = {"analytic_story": ["NOBELIUM Group"], "c schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search aims to detect the Supernova webshell used in the SUNBURST attack. +action.notable.param.rule_description = The following analytic detects the presence of the Supernova webshell, which was used in the SUNBURST attack. This webshell can be used by attackers to gain unauthorized access to a compromised system and run arbitrary code. This detection is made by a Splunk query that searches for specific patterns in web URLs, including "*logoimagehandler.ashx*codes*", "*logoimagehandler.ashx*clazz*", "*logoimagehandler.ashx*method*", and "*logoimagehandler.ashx*args*". These patterns are commonly used by the Supernova webshell to communicate with its command and control server. This detection is important because it indicates a potential compromise and unauthorized access to the system to run arbitrary code, which can lead to data theft, ransomware, or other damaging outcomes. False positives might occur since the patterns used by the webshell can also be present in legitimate web traffic. In such cases, tune the search to the specific environment and monitor it closely for any suspicious activity. Next steps include reviewing the web URLs and inspecting any relevant on-disk artifacts. Additionally, review concurrent processes and network connections to identify the source of the attack. action.notable.param.rule_title = Supernova Webshell action.notable.param.security_domain = network action.notable.param.severity = high 
@@ -59309,7 +59852,7 @@ action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], action.escu.data_models = ["Web"] action.escu.eli5 = The following analytic is designed to detect a Remote Code Execution (RCE) vulnerability (CVE-2023-40044) in WS_FTP, a managed file transfer software by Progress. The search specifically looks for HTTP requests to the "/AHT/AhtApiService.asmx/AuthUser" URL with a status of 200, which could indicate an exploitation attempt. action.escu.how_to_implement = The following analytic requires the Web datamodel. Ensure data source is mapped correctly or modify and tune for your data source. -action.escu.known_false_positives = If WS_FTP Server is not in use, this analytic will not return results. Monitor and tune for your environment. +action.escu.known_false_positives = If WS_FTP Server is not in use, this analytic will not return results. Monitor and tune for your environment. Note the MetaSploit module is focused on only hitting /AHT/ and not the full /AHT/AhtApiService.asmx/AuthUser URL. action.escu.creation_date = 2023-10-01 action.escu.modification_date = 2023-10-01 action.escu.confidence = high diff --git a/dist/escu/default/transforms.conf b/dist/DA-ESS-ContentUpdate/default/transforms.conf similarity index 98% rename from dist/escu/default/transforms.conf rename to dist/DA-ESS-ContentUpdate/default/transforms.conf index 7d5e608323..0a2ceca735 100644 --- a/dist/escu/default/transforms.conf +++ b/dist/DA-ESS-ContentUpdate/default/transforms.conf @@ -1,7 +1,7 @@ ############# # Automatically generated by generator.py in splunk/security_content -# On Date: 2023-10-04T22:36:05 UTC -# Author: Splunk Security Research +# On Date: 2023-11-01T20:44:08 UTC +# Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# 
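Review bot: The sentence appended to `action.escu.known_false_positives` describes a false negative, not a false positive: if a public exploit module requests only `/AHT/` while the search (per the unchanged `eli5`) looks for the full `/AHT/AhtApiService.asmx/AuthUser` URL, that traffic is missed rather than wrongly alerted on. Move it to `action.escu.how_to_implement` as tuning guidance, e.g. `Some exploitation tooling requests only /AHT/; widen the url filter to "*/AHT/*" if those probes should also alert.`, or widen the search pattern itself and note the added noise. The `search` field is outside this hunk, so I cannot confirm which pattern it actually uses.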
@@ -98,6 +98,11 @@ default_match = false
 # description = A placeholder for a list of discovered DNS records generated by the baseline discover_dns_records
 min_matches = 1
 
+[domain_admins]
+filename = domain_admins.csv
+case_sensitive_match = false
+# description = List of domain admins
+
 [domains]
 filename = domains.csv
 # description = A list of domains that can be ignored
diff --git a/dist/escu/default/usage_searches.conf b/dist/DA-ESS-ContentUpdate/default/usage_searches.conf
similarity index 100%
rename from dist/escu/default/usage_searches.conf
rename to dist/DA-ESS-ContentUpdate/default/usage_searches.conf
diff --git a/dist/escu/default/use_case_library.conf b/dist/DA-ESS-ContentUpdate/default/use_case_library.conf
similarity index 100%
rename from dist/escu/default/use_case_library.conf
rename to dist/DA-ESS-ContentUpdate/default/use_case_library.conf
diff --git a/dist/escu/default/workflow_actions.conf b/dist/DA-ESS-ContentUpdate/default/workflow_actions.conf
similarity index 99%
rename from dist/escu/default/workflow_actions.conf
rename to dist/DA-ESS-ContentUpdate/default/workflow_actions.conf
index cb21b0f004..50a6a256f9 100644
--- a/dist/escu/default/workflow_actions.conf
+++ b/dist/DA-ESS-ContentUpdate/default/workflow_actions.conf
@@ -1,7 +1,7 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2023-10-04T22:36:05 UTC
-# Author: Splunk Security Research
+# On Date: 2023-11-01T20:44:08 UTC
+# Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############
 
diff --git a/dist/escu/lookups/3cx_ioc_domains.csv b/dist/DA-ESS-ContentUpdate/lookups/3cx_ioc_domains.csv
similarity index 100%
rename from dist/escu/lookups/3cx_ioc_domains.csv
rename to dist/DA-ESS-ContentUpdate/lookups/3cx_ioc_domains.csv
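Review bot: The `# description = List of domain admins` comment on the new [domain_admins] stanza does not tell an operator that the lookup file it points at (domain_admins.csv, added later in this commit) ships with a `username` column and a single placeholder row, `Administrator`, so any content that joins against it will only ever match that one account until the CSV is replaced with the environment's real group membership. Suggest `# description = Usernames of domain administrators (column: username). Ships with a single placeholder row and must be populated from the environment's AD group membership.`, which follows the `# description =` convention of the neighbouring stanzas. `case_sensitive_match = false` reads as intentional for Windows account names, but a short comment saying so would save the next reader the guess. The transforms.conf header earlier in this commit says the file is generated by generator.py, so the comment presumably has to be set in the lookup's source definition rather than here.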
diff --git a/dist/escu/lookups/__mlspl_detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.mlmodel b/dist/DA-ESS-ContentUpdate/lookups/__mlspl_detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.mlmodel
similarity index 100%
rename from dist/escu/lookups/__mlspl_detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.mlmodel
rename to dist/DA-ESS-ContentUpdate/lookups/__mlspl_detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.mlmodel
diff --git a/dist/escu/lookups/__mlspl_detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.mlmodel b/dist/DA-ESS-ContentUpdate/lookups/__mlspl_detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.mlmodel
similarity index 100%
rename from dist/escu/lookups/__mlspl_detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.mlmodel
rename to dist/DA-ESS-ContentUpdate/lookups/__mlspl_detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.mlmodel
diff --git a/dist/escu/lookups/__mlspl_detect_suspicious_processnames_using_pretrained_model_in_dsdl.mlmodel b/dist/DA-ESS-ContentUpdate/lookups/__mlspl_detect_suspicious_processnames_using_pretrained_model_in_dsdl.mlmodel
similarity index 100%
rename from dist/escu/lookups/__mlspl_detect_suspicious_processnames_using_pretrained_model_in_dsdl.mlmodel
rename to dist/DA-ESS-ContentUpdate/lookups/__mlspl_detect_suspicious_processnames_using_pretrained_model_in_dsdl.mlmodel
diff --git a/dist/escu/lookups/__mlspl_pretrained_dga_model_dsdl.mlmodel b/dist/DA-ESS-ContentUpdate/lookups/__mlspl_pretrained_dga_model_dsdl.mlmodel
similarity index 100%
rename from dist/escu/lookups/__mlspl_pretrained_dga_model_dsdl.mlmodel
rename to dist/DA-ESS-ContentUpdate/lookups/__mlspl_pretrained_dga_model_dsdl.mlmodel
diff --git a/dist/escu/lookups/__mlspl_risky_spl_pre_trained_model.mlmodel b/dist/DA-ESS-ContentUpdate/lookups/__mlspl_risky_spl_pre_trained_model.mlmodel
similarity index 100%
rename from dist/escu/lookups/__mlspl_risky_spl_pre_trained_model.mlmodel
rename to dist/DA-ESS-ContentUpdate/lookups/__mlspl_risky_spl_pre_trained_model.mlmodel
diff --git a/dist/escu/lookups/__mlspl_unusual_commandline_detection.mlmodel b/dist/DA-ESS-ContentUpdate/lookups/__mlspl_unusual_commandline_detection.mlmodel
similarity index 100%
rename from dist/escu/lookups/__mlspl_unusual_commandline_detection.mlmodel
rename to dist/DA-ESS-ContentUpdate/lookups/__mlspl_unusual_commandline_detection.mlmodel
diff --git a/dist/escu/lookups/advanced_audit_policy_guids.csv b/dist/DA-ESS-ContentUpdate/lookups/advanced_audit_policy_guids.csv
similarity index 100%
rename from dist/escu/lookups/advanced_audit_policy_guids.csv
rename to dist/DA-ESS-ContentUpdate/lookups/advanced_audit_policy_guids.csv
diff --git a/dist/escu/lookups/attacker_tools.csv b/dist/DA-ESS-ContentUpdate/lookups/attacker_tools.csv
similarity index 100%
rename from dist/escu/lookups/attacker_tools.csv
rename to dist/DA-ESS-ContentUpdate/lookups/attacker_tools.csv
diff --git a/dist/escu/lookups/aws_service_accounts.csv b/dist/DA-ESS-ContentUpdate/lookups/aws_service_accounts.csv
similarity index 100%
rename from dist/escu/lookups/aws_service_accounts.csv
rename to dist/DA-ESS-ContentUpdate/lookups/aws_service_accounts.csv
diff --git a/dist/escu/lookups/baseline_blocked_outbound_connections.csv b/dist/DA-ESS-ContentUpdate/lookups/baseline_blocked_outbound_connections.csv
similarity index 100%
rename from dist/escu/lookups/baseline_blocked_outbound_connections.csv
rename to dist/DA-ESS-ContentUpdate/lookups/baseline_blocked_outbound_connections.csv
diff --git a/dist/escu/lookups/brand_monitoring.csv b/dist/DA-ESS-ContentUpdate/lookups/brand_monitoring.csv
similarity index 100%
rename from dist/escu/lookups/brand_monitoring.csv
rename to dist/DA-ESS-ContentUpdate/lookups/brand_monitoring.csv
diff --git a/dist/escu/lookups/discovered_dns_records.csv b/dist/DA-ESS-ContentUpdate/lookups/discovered_dns_records.csv
similarity index 100%
rename from dist/escu/lookups/discovered_dns_records.csv
rename to dist/DA-ESS-ContentUpdate/lookups/discovered_dns_records.csv
diff --git a/dist/DA-ESS-ContentUpdate/lookups/domain_admins.csv b/dist/DA-ESS-ContentUpdate/lookups/domain_admins.csv
new file mode 100644
index 0000000000..2f9ee7111c
--- /dev/null
+++ b/dist/DA-ESS-ContentUpdate/lookups/domain_admins.csv
@@ -0,0 +1,2 @@
+username
+Administrator
\ No newline at end of file
diff --git a/dist/escu/lookups/domains.csv b/dist/DA-ESS-ContentUpdate/lookups/domains.csv
similarity index 100%
rename from dist/escu/lookups/domains.csv
rename to dist/DA-ESS-ContentUpdate/lookups/domains.csv
diff --git a/dist/escu/lookups/dynamic_dns_providers_default.csv b/dist/DA-ESS-ContentUpdate/lookups/dynamic_dns_providers_default.csv
similarity index 100%
rename from dist/escu/lookups/dynamic_dns_providers_default.csv
rename to dist/DA-ESS-ContentUpdate/lookups/dynamic_dns_providers_default.csv
diff --git a/dist/escu/lookups/dynamic_dns_providers_local.csv b/dist/DA-ESS-ContentUpdate/lookups/dynamic_dns_providers_local.csv
similarity index 100%
rename from dist/escu/lookups/dynamic_dns_providers_local.csv
rename to dist/DA-ESS-ContentUpdate/lookups/dynamic_dns_providers_local.csv
diff --git a/dist/escu/lookups/hijacklibs.csv b/dist/DA-ESS-ContentUpdate/lookups/hijacklibs.csv
similarity index 100%
rename from dist/escu/lookups/hijacklibs.csv
rename to dist/DA-ESS-ContentUpdate/lookups/hijacklibs.csv
diff --git a/dist/escu/lookups/images_to_repository.csv b/dist/DA-ESS-ContentUpdate/lookups/images_to_repository.csv
similarity index 100%
rename from dist/escu/lookups/images_to_repository.csv
rename to dist/DA-ESS-ContentUpdate/lookups/images_to_repository.csv
diff --git a/dist/escu/lookups/is_net_windows_file.csv b/dist/DA-ESS-ContentUpdate/lookups/is_net_windows_file.csv
similarity index 100%
rename from dist/escu/lookups/is_net_windows_file.csv
rename to dist/DA-ESS-ContentUpdate/lookups/is_net_windows_file.csv
diff --git a/dist/escu/lookups/is_nirsoft_software.csv b/dist/DA-ESS-ContentUpdate/lookups/is_nirsoft_software.csv
similarity index 100%
rename from dist/escu/lookups/is_nirsoft_software.csv
rename to dist/DA-ESS-ContentUpdate/lookups/is_nirsoft_software.csv
diff --git a/dist/escu/lookups/is_suspicious_file_extension_lookup.csv b/dist/DA-ESS-ContentUpdate/lookups/is_suspicious_file_extension_lookup.csv
similarity index 100%
rename from dist/escu/lookups/is_suspicious_file_extension_lookup.csv
rename to dist/DA-ESS-ContentUpdate/lookups/is_suspicious_file_extension_lookup.csv
diff --git a/dist/escu/lookups/is_windows_system_file.csv b/dist/DA-ESS-ContentUpdate/lookups/is_windows_system_file.csv
similarity index 100%
rename from dist/escu/lookups/is_windows_system_file.csv
rename to dist/DA-ESS-ContentUpdate/lookups/is_windows_system_file.csv
diff --git a/dist/escu/lookups/legit_domains.csv b/dist/DA-ESS-ContentUpdate/lookups/legit_domains.csv
similarity index 100%
rename from dist/escu/lookups/legit_domains.csv
rename to dist/DA-ESS-ContentUpdate/lookups/legit_domains.csv
diff --git a/dist/escu/lookups/linux_tool_discovery_process.csv b/dist/DA-ESS-ContentUpdate/lookups/linux_tool_discovery_process.csv
similarity index 100%
rename from dist/escu/lookups/linux_tool_discovery_process.csv
rename to dist/DA-ESS-ContentUpdate/lookups/linux_tool_discovery_process.csv
diff --git a/dist/escu/lookups/local_file_inclusion_paths.csv b/dist/DA-ESS-ContentUpdate/lookups/local_file_inclusion_paths.csv
similarity index 100%
rename from dist/escu/lookups/local_file_inclusion_paths.csv
rename to dist/DA-ESS-ContentUpdate/lookups/local_file_inclusion_paths.csv
diff --git a/dist/escu/lookups/lolbas_file_path.csv b/dist/DA-ESS-ContentUpdate/lookups/lolbas_file_path.csv
similarity index 100%
rename from dist/escu/lookups/lolbas_file_path.csv
rename to dist/DA-ESS-ContentUpdate/lookups/lolbas_file_path.csv
diff --git a/dist/escu/lookups/loldrivers.csv b/dist/DA-ESS-ContentUpdate/lookups/loldrivers.csv
similarity index 100%
rename from dist/escu/lookups/loldrivers.csv
rename to dist/DA-ESS-ContentUpdate/lookups/loldrivers.csv
diff --git a/dist/escu/lookups/mandatory_job_for_workflow.csv b/dist/DA-ESS-ContentUpdate/lookups/mandatory_job_for_workflow.csv
similarity index 100%
rename from dist/escu/lookups/mandatory_job_for_workflow.csv
rename to dist/DA-ESS-ContentUpdate/lookups/mandatory_job_for_workflow.csv
diff --git a/dist/escu/lookups/mandatory_step_for_job.csv b/dist/DA-ESS-ContentUpdate/lookups/mandatory_step_for_job.csv
similarity index 100%
rename from dist/escu/lookups/mandatory_step_for_job.csv
rename to dist/DA-ESS-ContentUpdate/lookups/mandatory_step_for_job.csv
diff --git a/dist/DA-ESS-ContentUpdate/lookups/mitre_enrichment.csv b/dist/DA-ESS-ContentUpdate/lookups/mitre_enrichment.csv
new file mode 100644
index 0000000000..ba76164483
--- /dev/null
+++ b/dist/DA-ESS-ContentUpdate/lookups/mitre_enrichment.csv
@@ -0,0 +1,626 @@ +mitre_id,technique,tactics,groups +T1568.001,Fast Flux DNS,Command And Control,menuPass|TA505 +T1218.010,Regsvr32,Defense Evasion,Deep Panda|APT32|Inception|Kimsuky|Cobalt Group|WIRTE|Leviathan|TA551|APT19|Blue Mockingbird +T1608.001,Upload Malware,Resource Development,Threat Group-3390|Mustang Panda|APT32|Earth Lusca|LuminousMoth|BITTER|EXOTIC LILY|FIN7|LazyScripter|SideCopy|Kimsuky|TA2541|TeamTNT|TA505|Gamaredon Group|HEXANE +T1213,Data from Information Repositories,Collection,FIN6|Fox Kitten|Turla|APT28|LAPSUS$ +T1021.002,SMB/Windows Admin Shares,Lateral Movement,Orangeworm|FIN8|Chimera|Moses Staff|APT3|Wizard Spider|APT39|Ke3chang|Fox Kitten|FIN13|APT32|Blue Mockingbird|APT28|Sandworm Team|Deep Panda|Lazarus Group|APT41|Threat Group-1314|Turla +T1027.002,Software Packing,Defense Evasion,TA505|The White Company|APT38|Dark Caracal|MoustachedBouncer|APT39|APT29|Ember Bear|Aoqin Dragon|Kimsuky|Rocke|TA2541|Threat Group-3390|Elderwood|TeamTNT|Patchwork|APT3|ZIRCONIUM|GALLIUM +T1595.003,Wordlist Scanning,Reconnaissance,Volatile Cedar +T1559.003,XPC Services,Execution,no +T1020,Automated Exfiltration,Exfiltration,Gamaredon Group|Ke3chang|Sidewinder|Tropic Trooper +T1003.003,NTDS,Credential Access,Sandworm Team|HAFNIUM|Volt Typhoon|Mustang Panda|Dragonfly|menuPass|Fox Kitten|FIN13|Ke3chang|APT28|Chimera|Wizard Spider|FIN6|LAPSUS$ +T1201,Password Policy Discovery,Discovery,Chimera|Turla|OilRig +T1578.003,Delete Cloud Instance,Defense Evasion,LAPSUS$ +T1049,System Network Connections Discovery,Discovery,Andariel|APT1|FIN13|Poseidon Group|Chimera|Sandworm Team|Earth Lusca|APT41|Ke3chang|Magic Hound|Tropic Trooper|BackdoorDiplomacy|APT3|HEXANE|admin@338|Volt Typhoon|TeamTNT|APT38|Turla|MuddyWater|APT32|OilRig|Mustang Panda|Lazarus Group|menuPass|Threat Group-3390|GALLIUM +T1185,Browser Session Hijacking,Collection,no +T1564.005,Hidden File System,Defense Evasion,Equation|Strider +T1647,Plist File Modification,Defense Evasion,no +T1119,Automated 
Collection,Collection,menuPass|Mustang Panda|Chimera|Patchwork|Threat Group-3390|FIN5|APT1|Sidewinder|Ke3chang|Tropic Trooper|FIN6|APT28|Confucius|OilRig|Gamaredon Group +T1037,Boot or Logon Initialization Scripts,Persistence|Privilege Escalation,Rocke|APT29 +T1055.005,Thread Local Storage,Defense Evasion|Privilege Escalation,no +T1199,Trusted Relationship,Initial Access,APT28|Sandworm Team|APT29|GOLD SOUTHFIELD|menuPass|POLONIUM|LAPSUS$|Threat Group-3390 +T1547.003,Time Providers,Persistence|Privilege Escalation,no +T1069.003,Cloud Groups,Discovery,no +T1537,Transfer Data to Cloud Account,Exfiltration,no +T1599.001,Network Address Translation Traversal,Defense Evasion,no +T1136.001,Local Account,Persistence,Leafminer|Kimsuky|FIN13|Dragonfly|APT3|APT39|Magic Hound|Fox Kitten|Wizard Spider|TeamTNT|APT41 +T1098.005,Device Registration,Persistence|Privilege Escalation,APT29 +T1069,Permission Groups Discovery,Discovery,APT3|FIN13|TA505 +T1552.008,Chat Messages,Credential Access,LAPSUS$ +T1589.003,Employee Names,Reconnaissance,Kimsuky|Silent Librarian|Sandworm Team +T1505,Server Software Component,Persistence,no +T1505.005,Terminal Services DLL,Persistence,no +T1114.002,Remote Email Collection,Collection,Chimera|FIN4|Kimsuky|HAFNIUM|APT28|Magic Hound|Dragonfly|APT1|Ke3chang|APT29|Leafminer +T1542.001,System Firmware,Persistence|Defense Evasion,no +T1586.003,Cloud Accounts,Resource Development,APT29 +T1552,Unsecured Credentials,Credential Access,no +T1052,Exfiltration Over Physical Medium,Exfiltration,no +T1583.004,Server,Resource Development,GALLIUM|Earth Lusca|Kimsuky|Sandworm Team +T1556.003,Pluggable Authentication Modules,Credential Access|Defense Evasion|Persistence,no +T1563.001,SSH Hijacking,Lateral Movement,no +T1499.002,Service Exhaustion Flood,Impact,no +T1574,Hijack Execution Flow,Persistence|Privilege Escalation|Defense Evasion,no +T1563,Remote Service Session Hijacking,Lateral Movement,no +T1055.014,VDSO Hijacking,Defense Evasion|Privilege Escalation,no 
+T1134.005,SID-History Injection,Defense Evasion|Privilege Escalation,no +T1593.003,Code Repositories,Reconnaissance,LAPSUS$ +T1558,Steal or Forge Kerberos Tickets,Credential Access,no +T1587.004,Exploits,Resource Development,no +T1542.002,Component Firmware,Persistence|Defense Evasion,Equation +T1059.006,Python,Execution,ZIRCONIUM|Turla|Kimsuky|MuddyWater|Machete|Tonto Team|APT37|APT39|BRONZE BUTLER|Rocke|Dragonfly|Earth Lusca|APT29 +T1597,Search Closed Sources,Reconnaissance,EXOTIC LILY +T1048.003,Exfiltration Over Unencrypted Non-C2 Protocol,Exfiltration,APT32|OilRig|Wizard Spider|APT33|FIN6|FIN8|Lazarus Group|Thrip +T1620,Reflective Code Loading,Defense Evasion,Lazarus Group +T1547.015,Login Items,Persistence|Privilege Escalation,no +T1574.002,DLL Side-Loading,Persistence|Privilege Escalation|Defense Evasion,BlackTech|Lazarus Group|Earth Lusca|menuPass|APT3|Chimera|APT41|GALLIUM|Naikon|SideCopy|BRONZE BUTLER|Threat Group-3390|Patchwork|Mustang Panda|APT32|LuminousMoth|APT19|MuddyWater|Higaisa|Tropic Trooper|FIN13|Sidewinder +T1053.007,Container Orchestration Job,Execution|Persistence|Privilege Escalation,no +T1587.003,Digital Certificates,Resource Development,APT29|PROMETHIUM +T1601,Modify System Image,Defense Evasion,no +T1213.001,Confluence,Collection,LAPSUS$ +T1090.001,Internal Proxy,Command And Control,Volt Typhoon|FIN13|APT39|Higaisa|Strider|Turla|Lazarus Group +T1083,File and Directory Discovery,Discovery,Ke3chang|Dragonfly|Winnti Group|Sandworm Team|Aoqin Dragon|Leafminer|Darkhotel|Tropic Trooper|Magic Hound|Fox Kitten|Windigo|TeamTNT|admin@338|BRONZE BUTLER|Kimsuky|Chimera|APT41|MuddyWater|Gamaredon Group|APT18|Inception|menuPass|Lazarus Group|HAFNIUM|FIN13|Sowbug|APT38|Patchwork|Dark Caracal|LuminousMoth|Mustang Panda|Turla|Sidewinder|Confucius|APT28|APT32|APT39|APT3 +T1611,Escape to Host,Privilege Escalation,TeamTNT +T1583.008,Malvertising,Resource Development,no +T1552.001,Credentials In Files,Credential 
Access,APT3|Kimsuky|MuddyWater|Leafminer|FIN13|APT33|Fox Kitten|TA505|TeamTNT|OilRig +T1134,Access Token Manipulation,Defense Evasion|Privilege Escalation,Blue Mockingbird|FIN6 +T1078.003,Local Accounts,Defense Evasion|Persistence|Privilege Escalation|Initial Access,Kimsuky|PROMETHIUM|Tropic Trooper|Turla|APT32|FIN10|HAFNIUM +T1530,Data from Cloud Storage,Collection,Fox Kitten +T1657,Financial Theft,Impact,SilverTerrier|FIN13 +T1546.016,Installer Packages,Privilege Escalation|Persistence,no +T1120,Peripheral Device Discovery,Discovery,Gamaredon Group|Turla|BackdoorDiplomacy|TeamTNT|APT28|Equation|OilRig|APT37 +T1112,Modify Registry,Defense Evasion,Wizard Spider|Magic Hound|Kimsuky|Dragonfly|APT32|Earth Lusca|Patchwork|TA505|Turla|APT19|FIN8|Gamaredon Group|Gorgon Group|Blue Mockingbird|Silence|LuminousMoth|Ember Bear|APT41|Threat Group-3390|APT38 +T1546.011,Application Shimming,Privilege Escalation|Persistence,FIN7 +T1590.002,DNS,Reconnaissance,no +T1550,Use Alternate Authentication Material,Defense Evasion|Lateral Movement,no +T1547.004,Winlogon Helper DLL,Persistence|Privilege Escalation,Tropic Trooper|Wizard Spider|Turla +T1596.001,DNS/Passive DNS,Reconnaissance,no +T1218.003,CMSTP,Defense Evasion,Cobalt Group|MuddyWater +T1068,Exploitation for Privilege Escalation,Privilege Escalation,APT28|Scattered Spider|Turla|APT32|Cobalt Group|APT33|ZIRCONIUM|LAPSUS$|FIN6|Tonto Team|BITTER|MoustachedBouncer|FIN8|PLATINUM|Threat Group-3390|Whitefly|APT29 +T1059.004,Unix Shell,Execution,APT41|TeamTNT|Rocke +T1590.003,Network Trust Dependencies,Reconnaissance,no +T1011.001,Exfiltration Over Bluetooth,Exfiltration,no +T1204.003,Malicious Image,Execution,TeamTNT +T1021,Remote Services,Lateral Movement,Wizard Spider +T1564,Hide Artifacts,Defense Evasion,no +T1547.009,Shortcut Modification,Persistence|Privilege Escalation,APT39|Leviathan|Lazarus Group|Gorgon Group +T1584.007,Serverless,Resource Development,no +T1102.001,Dead Drop Resolver,Command And Control,APT41|Rocke|BRONZE 
BUTLER|Patchwork|RTM +T1105,Ingress Tool Transfer,Command And Control,APT29|Magic Hound|Threat Group-3390|APT41|Moses Staff|Fox Kitten|LazyScripter|Leviathan|FIN13|Winnti Group|FIN8|Volatile Cedar|Nomadic Octopus|LuminousMoth|Turla|APT3|APT-C-36|Mustang Panda|Metador|APT38|APT37|TA551|TA2541|MuddyWater|WIRTE|Aquatic Panda|Windshift|SideCopy|TA505|Cobalt Group|Tropic Trooper|Andariel|Chimera|HAFNIUM|Dragonfly|Darkhotel|Ajax Security Team|Rocke|Evilnum|Molerats|IndigoZebra|APT28|menuPass|Whitefly|Wizard Spider|Lazarus Group|Ke3chang|ZIRCONIUM|Rancor|BITTER|TeamTNT|APT33|Confucius|APT39|Ember Bear|OilRig|Elderwood|HEXANE|Sandworm Team|Sidewinder|Indrik Spider|BackdoorDiplomacy|Kimsuky|Tonto Team|Gamaredon Group|Gorgon Group|PLATINUM|APT32|GALLIUM|BRONZE BUTLER|APT18|FIN7|Silence|Patchwork +T1585.002,Email Accounts,Resource Development,Kimsuky|Indrik Spider|Wizard Spider|Magic Hound|Leviathan|APT1|Sandworm Team|HEXANE|EXOTIC LILY|Silent Librarian|Lazarus Group|Mustang Panda +T1559.001,Component Object Model,Execution,MuddyWater|Gamaredon Group +T1036.001,Invalid Code Signature,Defense Evasion,APT37|Windshift +T1070.004,File Deletion,Defense Evasion,Rocke|Tropic Trooper|APT38|FIN5|Sandworm Team|APT39|Magic Hound|Patchwork|Mustang Panda|Chimera|Group5|APT32|menuPass|APT29|Evilnum|FIN8|Aquatic Panda|APT28|APT18|APT3|Silence|Volt Typhoon|Kimsuky|TEMP.Veles|Threat Group-3390|TeamTNT|The White Company|FIN6|Gamaredon Group|Lazarus Group|Wizard Spider|Cobalt Group|APT41|Metador|Dragonfly|BRONZE BUTLER|FIN10|OilRig +T1578.004,Revert Cloud Instance,Defense Evasion,no +T1572,Protocol Tunneling,Command And Control,OilRig|FIN13|Leviathan|Fox Kitten|Chimera|FIN6|Cobalt Group|Magic Hound +T1562.008,Disable or Modify Cloud Logs,Defense Evasion,no +T1546.009,AppCert DLLs,Privilege Escalation|Persistence,no +T1518,Software Discovery,Discovery,Mustang Panda|MuddyWater|Wizard Spider|Sidewinder|Volt Typhoon|SideCopy|HEXANE|Windigo|Inception|Windshift|BRONZE BUTLER|Tropic Trooper 
+T1598,Phishing for Information,Reconnaissance,ZIRCONIUM|Scattered Spider|APT28 +T1053.002,At,Execution|Persistence|Privilege Escalation,Threat Group-3390|BRONZE BUTLER|APT18 +T1548.002,Bypass User Account Control,Privilege Escalation|Defense Evasion,Evilnum|Threat Group-3390|APT37|BRONZE BUTLER|APT29|Patchwork|MuddyWater|Earth Lusca|Cobalt Group +T1585.001,Social Media Accounts,Resource Development,EXOTIC LILY|Magic Hound|Fox Kitten|APT32|Lazarus Group|Leviathan|Kimsuky|Cleaver|Sandworm Team|HEXANE|CURIUM +T1212,Exploitation for Credential Access,Credential Access,no +T1218.013,Mavinject,Defense Evasion,no +T1546.003,Windows Management Instrumentation Event Subscription,Privilege Escalation|Persistence,Mustang Panda|APT29|Leviathan|Metador|APT33|Blue Mockingbird|FIN8|Turla +T1552.004,Private Keys,Credential Access,TeamTNT|Rocke +T1574.008,Path Interception by Search Order Hijacking,Persistence|Privilege Escalation|Defense Evasion,no +T1027.007,Dynamic API Resolution,Defense Evasion,Lazarus Group +T1654,Log Enumeration,Discovery,Volt Typhoon +T1016.001,Internet Connection Discovery,Discovery,Magic Hound|HAFNIUM|HEXANE|APT29|Turla|Gamaredon Group|TA2541|FIN13|FIN8 +T1567.002,Exfiltration to Cloud Storage,Exfiltration,Kimsuky|HEXANE|Earth Lusca|Leviathan|ZIRCONIUM|HAFNIUM|Turla|LuminousMoth|Chimera|Threat Group-3390|Confucius|Wizard Spider|POLONIUM|FIN7 +T1218.002,Control Panel,Defense Evasion,Ember Bear +T1583.007,Serverless,Resource Development,no +T1608,Stage Capabilities,Resource Development,Mustang Panda +T1484.001,Group Policy Modification,Defense Evasion|Privilege Escalation,Indrik Spider +T1125,Video Capture,Collection,Silence|FIN7 +T1615,Group Policy Discovery,Discovery,Turla +T1200,Hardware Additions,Initial Access,DarkVishnya +T1564.009,Resource Forking,Defense Evasion,no +T1589.002,Email Addresses,Reconnaissance,Magic Hound|Sandworm Team|TA551|Lazarus Group|HAFNIUM|Silent Librarian|Kimsuky|MuddyWater|HEXANE|APT32|EXOTIC LILY|LAPSUS$ +T1608.003,Install 
Digital Certificate,Resource Development,no +T1578.001,Create Snapshot,Defense Evasion,no +T1614.001,System Language Discovery,Discovery,Ke3chang +T1136,Create Account,Persistence,Indrik Spider +T1573.002,Asymmetric Cryptography,Command And Control,TA2541|Cobalt Group|FIN6|Tropic Trooper|OilRig|FIN8 +T1059.003,Windows Command Shell,Execution,Gorgon Group|menuPass|APT18|Mustang Panda|TA551|Rancor|TA505|Wizard Spider|APT1|Aquatic Panda|HAFNIUM|Fox Kitten|FIN13|APT37|TeamTNT|Blue Mockingbird|GALLIUM|Gamaredon Group|FIN8|FIN6|Patchwork|Threat Group-3390|Suckfly|Chimera|Dark Caracal|LazyScripter|Metador|APT32|Sowbug|Lazarus Group|Tropic Trooper|Machete|Cobalt Group|ZIRCONIUM|Nomadic Octopus|Higaisa|Turla|BRONZE BUTLER|FIN7|FIN10|Dragonfly|APT28|Magic Hound|Volt Typhoon|Kimsuky|Darkhotel|Ember Bear|APT3|Indrik Spider|APT38|admin@338|Silence|Threat Group-1314|MuddyWater|Ke3chang|APT41|OilRig +T1552.007,Container API,Credential Access,no +T1205,Traffic Signaling,Defense Evasion|Persistence|Command And Control,no +T1552.006,Group Policy Preferences,Credential Access,APT33|Wizard Spider +T1104,Multi-Stage Channels,Command And Control,APT41|Lazarus Group|MuddyWater|APT3 +T1562.001,Disable or Modify Tools,Defense Evasion,Indrik Spider|Rocke|Gorgon Group|TeamTNT|Wizard Spider|Ember Bear|Aquatic Panda|Turla|Magic Hound|BRONZE BUTLER|TA505|Kimsuky|Putter Panda|TA2541|FIN6|MuddyWater|Gamaredon Group|Lazarus Group|APT29 +T1056,Input Capture,Collection|Credential Access,APT39 +T1585.003,Cloud Accounts,Resource Development,no +T1219,Remote Access Software,Command And Control,DarkVishnya|Cobalt Group|FIN7|RTM|Mustang Panda|Carbanak|Kimsuky|MuddyWater|GOLD SOUTHFIELD|Thrip|Sandworm Team|Evilnum|TeamTNT +T1567.001,Exfiltration to Code Repository,Exfiltration,no +T1566.002,Spearphishing Link,Initial Access,Mofang|Lazarus Group|TA505|Sidewinder|Evilnum|ZIRCONIUM|EXOTIC LILY|APT28|Confucius|Magic Hound|APT3|Mustang Panda|APT1|OilRig|Cobalt 
Group|MuddyWater|Turla|LazyScripter|Elderwood|Wizard Spider|Kimsuky|FIN7|Ember Bear|Transparent Tribe|Sandworm Team|Molerats|FIN8|APT29|APT39|Machete|Leviathan|APT33|LuminousMoth|FIN4|Windshift|APT32|Earth Lusca|BlackTech|Patchwork|TA2541 +T1036.002,Right-to-Left Override,Defense Evasion,Scarlet Mimic|Ke3chang|BRONZE BUTLER|BlackTech|Ferocious Kitten +T1598.004,Spearphishing Voice,Reconnaissance,LAPSUS$ +T1046,Network Service Discovery,Discovery,FIN13|Suckfly|Leafminer|menuPass|FIN6|APT32|Chimera|Naikon|OilRig|Cobalt Group|BlackTech|Threat Group-3390|Magic Hound|DarkVishnya|Rocke|TeamTNT|Fox Kitten|APT41|Lazarus Group|Tropic Trooper|APT39|BackdoorDiplomacy +T1564.011,Ignore Process Interrupts,Defense Evasion,no +T1098.006,Additional Container Cluster Roles,Persistence|Privilege Escalation,no +T1115,Clipboard Data,Collection,APT38|APT39 +T1554,Compromise Client Software Binary,Persistence,no +T1542.005,TFTP Boot,Defense Evasion|Persistence,no +T1546.002,Screensaver,Privilege Escalation|Persistence,no +T1565.001,Stored Data Manipulation,Impact,APT38 +T1592.002,Software,Reconnaissance,Andariel|Sandworm Team|Magic Hound +T1580,Cloud Infrastructure Discovery,Discovery,no +T1211,Exploitation for Defense Evasion,Defense Evasion,APT28 +T1072,Software Deployment Tools,Execution|Lateral Movement,APT32|Sandworm Team|Silence|Threat Group-1314 +T1080,Taint Shared Content,Lateral Movement,BRONZE BUTLER|Darkhotel|Gamaredon Group +T1560.003,Archive via Custom Method,Collection,CopyKittens|Mustang Panda|FIN6|Kimsuky|Lazarus Group +T1070.005,Network Share Connection Removal,Defense Evasion,Threat Group-3390 +T1600.002,Disable Crypto Hardware,Defense Evasion,no +T1542.003,Bootkit,Persistence|Defense Evasion,Lazarus Group|APT41|APT28 +T1555.001,Keychain,Credential Access,no +T1052.001,Exfiltration over USB,Exfiltration,Tropic Trooper|Mustang Panda +T1564.008,Email Hiding Rules,Defense Evasion,FIN4 +T1056.004,Credential API Hooking,Collection|Credential Access,PLATINUM 
+T1001.003,Protocol Impersonation,Command And Control,Higaisa|Lazarus Group +T1218.007,Msiexec,Defense Evasion,Machete|ZIRCONIUM|Rancor|Molerats|TA505 +T1036.007,Double File Extension,Defense Evasion,Mustang Panda +T1140,Deobfuscate/Decode Files or Information,Defense Evasion,Darkhotel|Sandworm Team|APT39|BRONZE BUTLER|Gorgon Group|APT28|WIRTE|OilRig|FIN13|Kimsuky|menuPass|APT19|Leviathan|TeamTNT|Rocke|Turla|Threat Group-3390|Molerats|TA505|Ke3chang|Higaisa|Lazarus Group|Earth Lusca|ZIRCONIUM|Tropic Trooper|Gamaredon Group|MuddyWater +T1025,Data from Removable Media,Collection,APT28|Gamaredon Group|Turla +T1136.003,Cloud Account,Persistence,APT29|LAPSUS$ +T1547.007,Re-opened Applications,Persistence|Privilege Escalation,no +T1566.004,Spearphishing Voice,Initial Access,no +T1070.007,Clear Network Connection History and Configurations,Defense Evasion,Volt Typhoon +T1552.003,Bash History,Credential Access,no +T1602,Data from Configuration Repository,Collection,no +T1213.002,Sharepoint,Collection,LAPSUS$|Chimera|Ke3chang|APT28 +T1001.001,Junk Data,Command And Control,APT28 +T1594,Search Victim-Owned Websites,Reconnaissance,Sandworm Team|Kimsuky|EXOTIC LILY|Silent Librarian +T1195.002,Compromise Software Supply Chain,Initial Access,Dragonfly|FIN7|Sandworm Team|Cobalt Group|GOLD SOUTHFIELD|Threat Group-3390|APT41 +T1053,Scheduled Task/Job,Execution|Persistence|Privilege Escalation,Earth Lusca +T1588.005,Exploits,Resource Development,Kimsuky +T1069.001,Local Groups,Discovery,HEXANE|admin@338|Chimera|Turla|Tonto Team|Volt Typhoon|OilRig +T1612,Build Image on Host,Defense Evasion,no +T1556.005,Reversible Encryption,Credential Access|Defense Evasion|Persistence,no +T1591.003,Identify Business Tempo,Reconnaissance,no +T1586.001,Social Media Accounts,Resource Development,Leviathan +T1098.003,Additional Cloud Roles,Persistence|Privilege Escalation,LAPSUS$ +T1505.002,Transport Agent,Persistence,no +T1059.002,AppleScript,Execution,no +T1078.001,Default Accounts,Defense 
Evasion|Persistence|Privilege Escalation|Initial Access,Magic Hound|FIN13 +T1562.004,Disable or Modify System Firewall,Defense Evasion,Rocke|Kimsuky|Magic Hound|TeamTNT|Carbanak|Dragonfly|Lazarus Group|APT38|Moses Staff +T1563.002,RDP Hijacking,Lateral Movement,Axiom +T1558.003,Kerberoasting,Credential Access,FIN7|Wizard Spider +T1059.001,PowerShell,Execution,Gorgon Group|APT33|TA505|Volt Typhoon|Chimera|LazyScripter|BRONZE BUTLER|APT19|Lazarus Group|Threat Group-3390|Confucius|TeamTNT|HEXANE|OilRig|Silence|FIN6|GALLIUM|Cobalt Group|Leviathan|HAFNIUM|APT41|Patchwork|APT29|Aquatic Panda|FIN13|Poseidon Group|Sandworm Team|GOLD SOUTHFIELD|APT32|CopyKittens|Tonto Team|APT39|MoustachedBouncer|MuddyWater|FIN8|Sidewinder|menuPass|Kimsuky|Dragonfly|Indrik Spider|Magic Hound|WIRTE|Thrip|TA459|DarkHydrus|Ember Bear|DarkVishnya|Mustang Panda|Fox Kitten|Deep Panda|Gamaredon Group|TA2541|Earth Lusca|Gallmaker|APT3|Nomadic Octopus|Molerats|Blue Mockingbird|Wizard Spider|Turla|APT28|FIN10|Stealth Falcon|Inception|FIN7|APT38|TEMP.Veles +T1195.001,Compromise Software Dependencies and Development Tools,Initial Access,no +T1497.001,System Checks,Defense Evasion|Discovery,Evilnum|OilRig|Volt Typhoon|Darkhotel +T1005,Data from Local System,Collection,FIN13|Threat Group-3390|LAPSUS$|Sandworm Team|Dragonfly|LuminousMoth|menuPass|APT3|Axiom|APT38|APT39|BRONZE BUTLER|Gamaredon Group|Wizard Spider|Windigo|GALLIUM|APT41|CURIUM|Kimsuky|Volt Typhoon|FIN6|APT1|Ke3chang|Patchwork|Stealth Falcon|Inception|APT28|FIN7|Dark Caracal|APT37|APT29|Fox Kitten|HAFNIUM|Lazarus Group|Turla|Magic Hound|Andariel +T1552.002,Credentials in Registry,Credential Access,APT32 +T1218.005,Mshta,Defense Evasion,APT32|Confucius|APT29|Gamaredon Group|Inception|Lazarus Group|TA2541|TA551|Sidewinder|Mustang Panda|FIN7|Kimsuky|MuddyWater|Earth Lusca|LazyScripter|SideCopy +T1547.014,Active Setup,Persistence|Privilege Escalation,no +T1486,Data Encrypted for Impact,Impact,Indrik Spider|TA505|APT41|Magic Hound|Sandworm 
Team|APT38|FIN7|FIN8 +T1003.008,/etc/passwd and /etc/shadow,Credential Access,no +T1078,Valid Accounts,Defense Evasion|Persistence|Privilege Escalation|Initial Access,Silent Librarian|FIN6|APT39|Silence|Fox Kitten|GALLIUM|APT41|APT18|FIN10|POLONIUM|menuPass|Axiom|TEMP.Veles|FIN8|Wizard Spider|Leviathan|Sandworm Team|Dragonfly|OilRig|PittyTiger|Chimera|FIN4|LAPSUS$|Suckfly|Carbanak|Lazarus Group|Ke3chang|Threat Group-3390|APT28|APT29|FIN7|FIN5|APT33 +T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,Credential Access|Collection,Wizard Spider|Lazarus Group +T1606.002,SAML Tokens,Credential Access,no +T1498.001,Direct Network Flood,Impact,no +T1210,Exploitation of Remote Services,Lateral Movement,Threat Group-3390|APT28|menuPass|Earth Lusca|FIN7|Tonto Team|MuddyWater|Dragonfly|Wizard Spider|Fox Kitten +T1074.002,Remote Data Staging,Collection,MoustachedBouncer|menuPass|Leviathan|FIN8|APT28|Chimera|Threat Group-3390|FIN6 +T1202,Indirect Command Execution,Defense Evasion,Lazarus Group +T1495,Firmware Corruption,Impact,no +T1555.004,Windows Credential Manager,Credential Access,Turla|Stealth Falcon|Wizard Spider|OilRig +T1561.002,Disk Structure Wipe,Impact,Lazarus Group|APT37|Sandworm Team|APT38 +T1102.003,One-Way Communication,Command And Control,Leviathan +T1574.009,Path Interception by Unquoted Path,Persistence|Privilege Escalation|Defense Evasion,no +T1190,Exploit Public-Facing Application,Initial Access,GOLD SOUTHFIELD|Volatile Cedar|BackdoorDiplomacy|Dragonfly|APT41|Rocke|Axiom|Magic Hound|MuddyWater|Kimsuky|Volt Typhoon|FIN13|GALLIUM|APT28|menuPass|HAFNIUM|Ke3chang|Moses Staff|Blue Mockingbird|Earth Lusca|Threat Group-3390|Fox Kitten|APT39|APT29|BlackTech +T1648,Serverless Execution,Execution,no +T1595.002,Vulnerability Scanning,Reconnaissance,Magic Hound|Aquatic Panda|Volatile Cedar|TeamTNT|Earth Lusca|Sandworm Team|Dragonfly|APT28|APT29 +T1095,Non-Application Layer Protocol,Command And Control,Metador|PLATINUM|BackdoorDiplomacy|APT3|BITTER|FIN6|HAFNIUM 
+T1087.001,Local Account,Discovery,Moses Staff|APT3|APT1|OilRig|Fox Kitten|APT32|Chimera|Threat Group-3390|Turla|Poseidon Group|Ke3chang|admin@338
+T1218.008,Odbcconf,Defense Evasion,Cobalt Group
+T1547.005,Security Support Provider,Persistence|Privilege Escalation,no
+T1598.003,Spearphishing Link,Reconnaissance,Sandworm Team|Mustang Panda|Sidewinder|Dragonfly|Patchwork|APT32|ZIRCONIUM|Silent Librarian|Kimsuky|Magic Hound|APT28
+T1040,Network Sniffing,Credential Access|Discovery,DarkVishnya|Kimsuky|Sandworm Team|APT28|APT33
+T1087.003,Email Account,Discovery,Magic Hound|TA505|Sandworm Team
+T1071,Application Layer Protocol,Command And Control,Rocke|Magic Hound|TeamTNT
+T1129,Shared Modules,Execution,no
+T1204.002,Malicious File,Execution,FIN6|Darkhotel|TA551|Indrik Spider|Transparent Tribe|Naikon|Inception|Mofang|Higaisa|Wizard Spider|SideCopy|Leviathan|APT29|Tonto Team|APT38|PLATINUM|Tropic Trooper|Cobalt Group|APT33|BRONZE BUTLER|APT30|Sandworm Team|Windshift|Ember Bear|Ferocious Kitten|APT32|APT37|OilRig|FIN4|APT-C-36|Threat Group-3390|CURIUM|Whitefly|BlackTech|Earth Lusca|Andariel|APT39|Aoqin Dragon|The White Company|WIRTE|RTM|HEXANE|Gallmaker|Kimsuky|Gorgon Group|APT28|PROMETHIUM|Mustang Panda|Elderwood|Gamaredon Group|admin@338|LazyScripter|Sidewinder|Patchwork|Silence|BITTER|TA2541|DarkHydrus|Machete|Dark Caracal|Rancor|FIN7|FIN8|MuddyWater|IndigoZebra|TA459|menuPass|Nomadic Octopus|APT19|Magic Hound|Molerats|Confucius|Dragonfly|TA505|APT12|EXOTIC LILY|Lazarus Group|Ajax Security Team
+T1070.009,Clear Persistence,Defense Evasion,no
+T1021.004,SSH,Lateral Movement,BlackTech|Fox Kitten|TEMP.Veles|OilRig|Rocke|Lazarus Group|FIN7|GCMAN|FIN13|Leviathan|menuPass|TeamTNT|APT39
+T1583.002,DNS Server,Resource Development,Axiom|HEXANE
+T1090.003,Multi-hop Proxy,Command And Control,Inception|Leviathan|APT29|FIN4|APT28
+T1134.004,Parent PID Spoofing,Defense Evasion|Privilege Escalation,no
+T1221,Template Injection,Defense Evasion,Gamaredon Group|Dragonfly|Tropic 
Trooper|APT28|DarkHydrus|Inception|Confucius
+T1584.005,Botnet,Resource Development,Axiom|Volt Typhoon|Sandworm Team
+T1557,Adversary-in-the-Middle,Credential Access|Collection,Kimsuky
+T1602.001,SNMP (MIB Dump),Collection,no
+T1553.006,Code Signing Policy Modification,Defense Evasion,Turla|APT39
+T1055.015,ListPlanting,Defense Evasion|Privilege Escalation,no
+T1003.007,Proc Filesystem,Credential Access,no
+T1584.001,Domains,Resource Development,APT1|Kimsuky|SideCopy|Magic Hound|Transparent Tribe
+T1070.001,Clear Windows Event Logs,Defense Evasion,FIN8|APT28|Indrik Spider|Dragonfly|FIN5|Chimera|APT41|APT38|APT32
+T1205.002,Socket Filters,Defense Evasion|Persistence|Command And Control,no
+T1555.003,Credentials from Web Browsers,Credential Access,OilRig|APT37|Inception|TA505|Patchwork|FIN6|APT33|LAPSUS$|Molerats|APT3|ZIRCONIUM|MuddyWater|HEXANE|Sandworm Team|Ajax Security Team|Leafminer|Stealth Falcon|Kimsuky
+T1132.002,Non-Standard Encoding,Command And Control,no
+T1070.008,Clear Mailbox Data,Defense Evasion,no
+T1583,Acquire Infrastructure,Resource Development,no
+T1113,Screen Capture,Collection,Dragonfly|Gamaredon Group|FIN7|Magic Hound|MoustachedBouncer|BRONZE BUTLER|Dark Caracal|Silence|APT39|MuddyWater|OilRig|Group5|APT28|GOLD SOUTHFIELD
+T1082,System Information Discovery,Discovery,APT3|Sidewinder|APT32|Inception|Windigo|Confucius|Chimera|APT18|Turla|Ke3chang|Higaisa|ZIRCONIUM|APT19|TA2541|Patchwork|Lazarus Group|Mustang Panda|admin@338|SideCopy|Kimsuky|OilRig|Blue Mockingbird|Darkhotel|FIN13|Rocke|Stealth Falcon|MuddyWater|APT37|Magic Hound|APT38|Volt Typhoon|TeamTNT|Aquatic Panda|Tropic Trooper|Sowbug|FIN8|Windshift|Wizard Spider|Moses Staff|HEXANE|Sandworm Team|Gamaredon Group
+T1546.008,Accessibility Features,Privilege Escalation|Persistence,APT29|Fox Kitten|APT41|Deep Panda|Axiom|APT3
+T1499,Endpoint Denial of Service,Impact,Sandworm Team
+T1561,Disk Wipe,Impact,no
+T1590.005,IP Addresses,Reconnaissance,Andariel|HAFNIUM|Magic Hound
+T1614,System Location 
Discovery,Discovery,SideCopy
+T1497.003,Time Based Evasion,Defense Evasion|Discovery,no
+T1496,Resource Hijacking,Impact,Rocke|TeamTNT|Blue Mockingbird|APT41
+T1216.001,PubPrn,Defense Evasion,APT32
+T1588.002,Tool,Resource Development,Ember Bear|Whitefly|CopyKittens|Metador|Aquatic Panda|BlackTech|APT28|LuminousMoth|APT38|Threat Group-3390|Lazarus Group|Dragonfly|BackdoorDiplomacy|Sandworm Team|APT41|POLONIUM|Blue Mockingbird|BITTER|DarkVishnya|Leafminer|FIN13|GALLIUM|FIN7|Ferocious Kitten|Silent Librarian|Ke3chang|APT-C-36|Cobalt Group|MuddyWater|TA2541|APT32|Earth Lusca|FIN6|Cleaver|Volt Typhoon|Silence|Kimsuky|Thrip|FIN8|PittyTiger|APT1|TA505|APT19|Turla|LAPSUS$|Wizard Spider|IndigoZebra|TEMP.Veles|Patchwork|WIRTE|FIN5|Moses Staff|BRONZE BUTLER|Gorgon Group|Carbanak|menuPass|HEXANE|Chimera|Inception|APT39|APT33|Aoqin Dragon|Magic Hound|FIN10|DarkHydrus|APT29
+T1591.001,Determine Physical Locations,Reconnaissance,Magic Hound
+T1011,Exfiltration Over Other Network Medium,Exfiltration,no
+T1613,Container and Resource Discovery,Discovery,TeamTNT
+T1548.004,Elevated Execution with Prompt,Privilege Escalation|Defense Evasion,no
+T1127,Trusted Developer Utilities Proxy Execution,Defense Evasion,no
+T1562.006,Indicator Blocking,Defense Evasion,no
+T1124,System Time Discovery,Discovery,Sidewinder|Lazarus Group|Darkhotel|BRONZE BUTLER|Turla|The White Company|Chimera|ZIRCONIUM|Higaisa
+T1055.004,Asynchronous Procedure Call,Defense Evasion|Privilege Escalation,FIN8
+T1651,Cloud Administration Command,Execution,APT29
+T1098.002,Additional Email Delegate Permissions,Persistence|Privilege Escalation,APT28|APT29|Magic Hound
+T1591.002,Business Relationships,Reconnaissance,LAPSUS$|Dragonfly|Sandworm Team
+T1505.003,Web Shell,Persistence,Tonto Team|Sandworm Team|APT29|Volatile Cedar|GALLIUM|Tropic Trooper|Leviathan|Threat Group-3390|Volt Typhoon|Deep Panda|BackdoorDiplomacy|APT38|APT39|TEMP.Veles|APT32|Magic Hound|OilRig|Dragonfly|APT28|Moses Staff|Kimsuky|HAFNIUM|Fox 
Kitten|FIN13
+T1574.007,Path Interception by PATH Environment Variable,Persistence|Privilege Escalation|Defense Evasion,no
+T1137.002,Office Test,Persistence,APT28
+T1491.002,External Defacement,Impact,Sandworm Team
+T1555.006,Cloud Secrets Management Stores,Credential Access,no
+T1548.003,Sudo and Sudo Caching,Privilege Escalation|Defense Evasion,no
+T1071.004,DNS,Command And Control,Chimera|FIN7|APT39|LazyScripter|Tropic Trooper|APT41|APT18|Cobalt Group|Ke3chang|OilRig
+T1021.003,Distributed Component Object Model,Lateral Movement,no
+T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,Exfiltration,APT28
+T1071.001,Web Protocols,Command And Control,Inception|Rancor|Lazarus Group|Threat Group-3390|FIN13|BRONZE BUTLER|TA505|Windshift|Dark Caracal|Gamaredon Group|Magic Hound|APT33|Chimera|Tropic Trooper|APT37|TA551|FIN8|Orangeworm|OilRig|FIN4|APT39|Wizard Spider|APT41|APT19|Sidewinder|Cobalt Group|Mustang Panda|TeamTNT|APT18|LuminousMoth|Ke3chang|WIRTE|SilverTerrier|Higaisa|Confucius|Metador|Stealth Falcon|Kimsuky|Sandworm Team|APT28|APT32|APT38|Rocke|BITTER|HAFNIUM|Turla|MuddyWater
+T1587.002,Code Signing Certificates,Resource Development,PROMETHIUM|Patchwork
+T1548.001,Setuid and Setgid,Privilege Escalation|Defense Evasion,no
+T1543,Create or Modify System Process,Persistence|Privilege Escalation,no
+T1498.002,Reflection Amplification,Impact,no
+T1547,Boot or Logon Autostart Execution,Persistence|Privilege Escalation,no
+T1059,Command and Scripting Interpreter,Execution,Dragonfly|Fox Kitten|APT37|APT39|Ke3chang|Whitefly|FIN6|FIN5|APT19|OilRig|FIN7|APT32|Windigo|Stealth Falcon
+T1574.013,KernelCallbackTable,Persistence|Privilege Escalation|Defense Evasion,Lazarus Group
+T1553.004,Install Root Certificate,Defense Evasion,no
+T1653,Power Settings,Persistence,no
+T1037.002,Login Hook,Persistence|Privilege Escalation,no
+T1098,Account Manipulation,Persistence|Privilege Escalation,APT3|HAFNIUM|Kimsuky|Dragonfly|APT41|FIN13|Lazarus Group|Magic Hound
+T1598.002,Spearphishing Attachment,Reconnaissance,Dragonfly|Sidewinder|SideCopy
+T1220,XSL Script Processing,Defense Evasion,Cobalt Group|Higaisa
+T1557.003,DHCP Spoofing,Credential Access|Collection,no
+T1562.011,Spoof Security Alerting,Defense Evasion,no
+T1003.005,Cached Domain Credentials,Credential Access,MuddyWater|OilRig|Leafminer|APT33
+T1041,Exfiltration Over C2 Channel,Exfiltration,Chimera|Lazarus Group|LuminousMoth|Confucius|Gamaredon Group|MuddyWater|Stealth Falcon|Sandworm Team|Ke3chang|APT32|Leviathan|Wizard Spider|APT39|Higaisa|APT3|ZIRCONIUM|GALLIUM|Kimsuky
+T1055.002,Portable Executable Injection,Defense Evasion|Privilege Escalation,Gorgon Group|Rocke
+T1027.006,HTML Smuggling,Defense Evasion,APT29
+T1656,Impersonation,Defense Evasion,LAPSUS$
+T1074.001,Local Data Staging,Collection,menuPass|Lazarus Group|APT39|Threat Group-3390|BackdoorDiplomacy|Sidewinder|FIN13|Volt Typhoon|FIN5|Wizard Spider|Mustang Panda|Kimsuky|Dragonfly|Patchwork|Leviathan|MuddyWater|GALLIUM|APT3|Chimera|TeamTNT|Indrik Spider|APT28|TEMP.Veles
+T1608.002,Upload Tool,Resource Development,Threat Group-3390
+T1567.004,Exfiltration Over Webhook,Exfiltration,no
+T1071.002,File Transfer Protocols,Command And Control,SilverTerrier|Dragonfly|Kimsuky|APT41
+T1111,Multi-Factor Authentication Interception,Credential Access,Chimera|LAPSUS$|Kimsuky
+T1546.005,Trap,Privilege Escalation|Persistence,no
+T1593.002,Search Engines,Reconnaissance,Kimsuky
+T1574.001,DLL Search Order Hijacking,Persistence|Privilege Escalation|Defense Evasion,menuPass|Whitefly|Evilnum|RTM|BackdoorDiplomacy|Threat Group-3390|Aquatic Panda|Tonto Team|APT41
+T1598.001,Spearphishing Service,Reconnaissance,no
+T1055.011,Extra Window Memory Injection,Defense Evasion|Privilege Escalation,no
+T1074,Data Staged,Collection,Wizard Spider|Volt Typhoon
+T1542,Pre-OS Boot,Defense Evasion|Persistence,no
+T1092,Communication Through Removable Media,Command And Control,APT28
+T1014,Rootkit,Defense Evasion,Rocke|Winnti 
Group|TeamTNT|APT41|APT28
+T1189,Drive-by Compromise,Initial Access,Leviathan|Windshift|Windigo|Lazarus Group|Threat Group-3390|Andariel|Earth Lusca|RTM|Axiom|Patchwork|APT32|BRONZE BUTLER|Dark Caracal|Leafminer|APT19|PROMETHIUM|APT28|APT38|Elderwood|Transparent Tribe|Dragonfly|Magic Hound|APT37|Turla|PLATINUM|Darkhotel|Machete
+T1137.006,Add-ins,Persistence,Naikon
+T1087.002,Domain Account,Discovery,Turla|FIN13|Volt Typhoon|MuddyWater|Chimera|Dragonfly|Wizard Spider|Poseidon Group|BRONZE BUTLER|OilRig|FIN6|Sandworm Team|LAPSUS$|Fox Kitten|Ke3chang|menuPass
+T1134.003,Make and Impersonate Token,Defense Evasion|Privilege Escalation,FIN13
+T1222.002,Linux and Mac File and Directory Permissions Modification,Defense Evasion,APT32|Rocke|TeamTNT
+T1562.002,Disable Windows Event Logging,Defense Evasion,Threat Group-3390|Magic Hound
+T1548,Abuse Elevation Control Mechanism,Privilege Escalation|Defense Evasion,no
+T1555,Credentials from Password Stores,Credential Access,Leafminer|APT33|MuddyWater|Evilnum|OilRig|Stealth Falcon|APT39|FIN6|Volt Typhoon|HEXANE
+T1561.001,Disk Content Wipe,Impact,Lazarus Group
+T1098.004,SSH Authorized Keys,Persistence|Privilege Escalation,TeamTNT|Earth Lusca
+T1021.001,Remote Desktop Protocol,Lateral Movement,Wizard Spider|Magic Hound|FIN13|Axiom|APT41|Patchwork|APT1|Cobalt Group|HEXANE|Dragonfly|Leviathan|FIN7|APT3|Kimsuky|OilRig|Chimera|FIN8|FIN10|TEMP.Veles|Lazarus Group|Fox Kitten|Blue Mockingbird|FIN6|APT39|Silence|menuPass
+T1213.003,Code Repositories,Collection,LAPSUS$
+T1205.001,Port Knocking,Defense Evasion|Persistence|Command And Control,PROMETHIUM
+T1505.004,IIS Components,Persistence,no
+T1569.002,Service Execution,Execution,APT32|Blue Mockingbird|APT38|Chimera|FIN6|APT41|Wizard Spider|APT39|Ke3chang|Silence
+T1565.002,Transmitted Data Manipulation,Impact,APT38
+T1569,System Services,Execution,TeamTNT
+T1499.004,Application or System Exploitation,Impact,no
+T1037.005,Startup Items,Persistence|Privilege Escalation,no
+T1553.003,SIP 
and Trust Provider Hijacking,Defense Evasion,no
+T1595.001,Scanning IP Blocks,Reconnaissance,TeamTNT
+T1546.004,Unix Shell Configuration Modification,Privilege Escalation|Persistence,no
+T1053.003,Cron,Execution|Persistence|Privilege Escalation,APT38|Rocke
+T1560,Archive Collected Data,Collection,Axiom|Dragonfly|APT28|APT32|menuPass|Ke3chang|FIN6|Patchwork|Leviathan|Lazarus Group|LuminousMoth
+T1565,Data Manipulation,Impact,FIN13
+T1610,Deploy Container,Defense Evasion|Execution,TeamTNT
+T1587.001,Malware,Resource Development,Ke3chang|TeamTNT|Indrik Spider|Moses Staff|APT29|Lazarus Group|Kimsuky|Aoqin Dragon|Cleaver|LuminousMoth|FIN13|FIN7|Sandworm Team|Turla
+T1558.002,Silver Ticket,Credential Access,no
+T1218.009,Regsvcs/Regasm,Defense Evasion,no
+T1001.002,Steganography,Command And Control,Axiom
+T1078.002,Domain Accounts,Defense Evasion|Persistence|Privilege Escalation|Initial Access,APT3|TA505|Threat Group-1314|Sandworm Team|Naikon|Magic Hound|Wizard Spider|Indrik Spider|Volt Typhoon|Chimera
+T1557.002,ARP Cache Poisoning,Credential Access|Collection,Cleaver|LuminousMoth
+T1608.005,Link Target,Resource Development,LuminousMoth|Silent Librarian
+T1584.002,DNS Server,Resource Development,LAPSUS$
+T1560.001,Archive via Utility,Collection,Fox Kitten|APT33|MuddyWater|Aquatic Panda|APT3|Kimsuky|Gallmaker|Ke3chang|menuPass|Sowbug|FIN13|FIN8|Volt Typhoon|CopyKittens|APT28|BRONZE BUTLER|Magic Hound|HAFNIUM|Chimera|Earth Lusca|APT1|Wizard Spider|Mustang Panda|APT41|Turla|APT39|GALLIUM
+T1489,Service Stop,Impact,Indrik Spider|LAPSUS$|Lazarus Group|Wizard Spider
+T1207,Rogue Domain Controller,Defense Evasion,no
+T1204,User Execution,Execution,LAPSUS$
+T1553.001,Gatekeeper Bypass,Defense Evasion,no
+T1553.005,Mark-of-the-Web Bypass,Defense Evasion,TA505|APT29
+T1018,Remote System Discovery,Discovery,Sandworm Team|Threat Group-3390|Ke3chang|Chimera|menuPass|Deep Panda|HEXANE|BRONZE BUTLER|HAFNIUM|Turla|Fox Kitten|Wizard Spider|GALLIUM|APT3|Naikon|FIN5|Magic 
Hound|Rocke|APT39|Leafminer|FIN8|Indrik Spider|Earth Lusca|Volt Typhoon|Dragonfly|FIN6|Silence|APT32
+T1547.002,Authentication Package,Persistence|Privilege Escalation,no
+T1091,Replication Through Removable Media,Lateral Movement|Initial Access,FIN7|Darkhotel|APT28|Aoqin Dragon|Tropic Trooper|Mustang Panda|LuminousMoth
+T1600,Weaken Encryption,Defense Evasion,no
+T1659,Content Injection,Initial Access|Command And Control,MoustachedBouncer
+T1543.001,Launch Agent,Persistence|Privilege Escalation,no
+T1555.002,Securityd Memory,Credential Access,no
+T1555.005,Password Managers,Credential Access,LAPSUS$|Fox Kitten|Threat Group-3390
+T1048,Exfiltration Over Alternative Protocol,Exfiltration,TeamTNT
+T1525,Implant Internal Image,Persistence,no
+T1053.006,Systemd Timers,Execution|Persistence|Privilege Escalation,no
+T1021.008,Direct Cloud VM Connections,Lateral Movement,no
+T1583.006,Web Services,Resource Development,Lazarus Group|APT29|FIN7|Turla|APT32|APT17|APT28|ZIRCONIUM|MuddyWater|POLONIUM|LazyScripter|TA2541|Magic Hound|Confucius|Kimsuky|HAFNIUM|Earth Lusca|IndigoZebra
+T1574.004,Dylib Hijacking,Persistence|Privilege Escalation|Defense Evasion,no
+T1550.003,Pass the Ticket,Defense Evasion|Lateral Movement,APT32|APT29|BRONZE BUTLER
+T1480,Execution Guardrails,Defense Evasion,no
+T1558.001,Golden Ticket,Credential Access,Ke3chang
+T1600.001,Reduce Key Space,Defense Evasion,no
+T1546.006,LC_LOAD_DYLIB Addition,Privilege Escalation|Persistence,no
+T1556,Modify Authentication Process,Credential Access|Defense Evasion|Persistence,FIN13
+T1087,Account Discovery,Discovery,FIN13
+T1574.005,Executable Installer File Permissions Weakness,Persistence|Privilege Escalation|Defense Evasion,no
+T1564.001,Hidden Files and Directories,Defense Evasion,HAFNIUM|Rocke|Tropic Trooper|APT28|Mustang Panda|Lazarus Group|FIN13|Transparent Tribe|LuminousMoth|APT32
+T1564.007,VBA Stomping,Defense Evasion,no
+T1593,Search Open Websites/Domains,Reconnaissance,Sandworm Team
+T1546.007,Netsh 
Helper DLL,Privilege Escalation|Persistence,no
+T1059.009,Cloud API,Execution,APT29|TeamTNT
+T1090,Proxy,Command And Control,Sandworm Team|POLONIUM|MoustachedBouncer|APT41|LAPSUS$|Fox Kitten|Magic Hound|CopyKittens|Earth Lusca|Blue Mockingbird|Turla|Windigo|Volt Typhoon
+T1498,Network Denial of Service,Impact,APT28
+T1027.005,Indicator Removal from Tools,Defense Evasion,APT3|Patchwork|OilRig|Turla|TEMP.Veles|GALLIUM|Deep Panda
+T1543.004,Launch Daemon,Persistence|Privilege Escalation,no
+T1027,Obfuscated Files or Information,Defense Evasion,Moses Staff|APT18|Dark Caracal|Leviathan|menuPass|APT37|APT33|Higaisa|APT39|APT3|APT-C-36|Tropic Trooper|BlackOasis|Lazarus Group|Magic Hound|Fox Kitten|Molerats|APT28|Kimsuky|BackdoorDiplomacy|TA2541|TeamTNT|Darkhotel|Group5|APT41|Putter Panda|Threat Group-3390|Inception|Metador|Ember Bear|Ke3chang|BITTER|Elderwood|TA505|Gamaredon Group|Windshift|Sandworm Team|APT19|Mustang Panda|Blue Mockingbird|Mofang|Transparent Tribe|Sidewinder|Gallmaker|Rocke|GALLIUM|Earth Lusca|Whitefly|OilRig|APT32
+T1566.003,Spearphishing via Service,Initial Access,CURIUM|Windshift|OilRig|Lazarus Group|Ajax Security Team|APT29|EXOTIC LILY|FIN6|Dark Caracal|Magic Hound
+T1588.006,Vulnerabilities,Resource Development,Sandworm Team
+T1546,Event Triggered Execution,Privilege Escalation|Persistence,no
+T1556.002,Password Filter DLL,Credential Access|Defense Evasion|Persistence,Strider
+T1176,Browser Extensions,Persistence,Kimsuky
+T1562,Impair Defenses,Defense Evasion,Magic Hound
+T1187,Forced Authentication,Credential Access,DarkHydrus|Dragonfly
+T1027.008,Stripped Payloads,Defense Evasion,no
+T1070.006,Timestomp,Defense Evasion,TEMP.Veles|APT29|Lazarus Group|APT38|APT28|Rocke|Kimsuky|APT32|Chimera
+T1057,Process Discovery,Discovery,OilRig|Stealth Falcon|Earth Lusca|Higaisa|APT37|Lazarus Group|Andariel|Ke3chang|Darkhotel|Molerats|Mustang Panda|Magic Hound|Poseidon Group|Rocke|Windshift|APT38|APT28|TeamTNT|Gamaredon Group|HAFNIUM|Tropic 
Trooper|MuddyWater|Turla|Sidewinder|Kimsuky|Volt Typhoon|APT1|HEXANE|Winnti Group|Chimera|Deep Panda|APT3|Inception
+T1543.002,Systemd Service,Persistence|Privilege Escalation,TeamTNT|Rocke
+T1585,Establish Accounts,Resource Development,APT17|Fox Kitten
+T1591,Gather Victim Org Information,Reconnaissance,Kimsuky|Lazarus Group
+T1574.010,Services File Permissions Weakness,Persistence|Privilege Escalation|Defense Evasion,no
+T1010,Application Window Discovery,Discovery,Lazarus Group|HEXANE
+T1565.003,Runtime Data Manipulation,Impact,APT38
+T1056.001,Keylogging,Collection|Credential Access,PLATINUM|Kimsuky|Ke3chang|APT41|APT39|APT32|HEXANE|Sowbug|Group5|Threat Group-3390|menuPass|APT38|Magic Hound|FIN4|FIN13|APT28|APT3|Sandworm Team|Tonto Team|Lazarus Group|Darkhotel|OilRig|Ajax Security Team
+T1110.003,Password Spraying,Credential Access,APT29|APT28|Leafminer|APT33|Chimera|HEXANE|Lazarus Group|Silent Librarian
+T1547.006,Kernel Modules and Extensions,Persistence|Privilege Escalation,no
+T1556.006,Multi-Factor Authentication,Credential Access|Defense Evasion|Persistence,no
+T1037.003,Network Logon Script,Persistence|Privilege Escalation,no
+T1071.003,Mail Protocols,Command And Control,Kimsuky|APT28|SilverTerrier|APT32|Turla
+T1027.003,Steganography,Defense Evasion,Leviathan|MuddyWater|Andariel|BRONZE BUTLER|Earth Lusca|TA551|APT37|Tropic Trooper
+T1055.012,Process Hollowing,Defense Evasion|Privilege Escalation,Patchwork|Kimsuky|TA2541|Gorgon Group|menuPass|Threat Group-3390
+T1056.003,Web Portal Capture,Collection|Credential Access,no
+T1090.004,Domain Fronting,Command And Control,APT29
+T1137,Office Application Startup,Persistence,APT32|Gamaredon Group
+T1485,Data Destruction,Impact,APT38|Sandworm Team|Gamaredon Group|Lazarus Group|LAPSUS$
+T1110.001,Password Guessing,Credential Access,APT29|APT28
+T1204.001,Malicious Link,Execution,Earth Lusca|Confucius|Molerats|APT32|Kimsuky|Sidewinder|Magic Hound|Elderwood|Machete|APT29|TA505|APT28|Mustang 
Panda|BlackTech|Evilnum|Patchwork|TA2541|APT3|Wizard Spider|Turla|LazyScripter|Leviathan|FIN7|Mofang|APT39|Windshift|LuminousMoth|Ember Bear|Transparent Tribe|APT33|ZIRCONIUM|OilRig|MuddyWater|Sandworm Team|FIN4|EXOTIC LILY|FIN8|Cobalt Group
+T1609,Container Administration Command,Execution,TeamTNT
+T1222.001,Windows File and Directory Permissions Modification,Defense Evasion,Wizard Spider
+T1137.001,Office Template Macros,Persistence,MuddyWater
+T1027.009,Embedded Payloads,Defense Evasion,no
+T1588.004,Digital Certificates,Resource Development,LuminousMoth|Lazarus Group|BlackTech|Silent Librarian
+T1027.004,Compile After Delivery,Defense Evasion,Gamaredon Group|Rocke|MuddyWater
+T1106,Native API,Execution,Lazarus Group|SideCopy|Gorgon Group|Turla|TA505|Chimera|APT37|menuPass|Tropic Trooper|Silence|Higaisa|APT38|BlackTech|Gamaredon Group
+T1036.005,Match Legitimate Name or Location,Defense Evasion,admin@338|APT32|Earth Lusca|APT39|Sidewinder|WIRTE|PROMETHIUM|Tropic Trooper|Machete|Silence|APT41|APT29|APT28|MuddyWater|FIN13|BackdoorDiplomacy|Gamaredon Group|Patchwork|Magic Hound|TEMP.Veles|Chimera|TA2541|Poseidon Group|Lazarus Group|Volt Typhoon|Ferocious Kitten|LuminousMoth|Carbanak|Darkhotel|Naikon|Transparent Tribe|TeamTNT|Rocke|APT1|menuPass|Whitefly|Ke3chang|Mustang Panda|BRONZE BUTLER|Kimsuky|Blue Mockingbird|Indrik Spider|Sandworm Team|SideCopy|Fox Kitten|FIN7|Sowbug|Aoqin Dragon
+T1553.002,Code Signing,Defense Evasion,Winnti Group|Wizard Spider|Patchwork|Silence|Scattered Spider|LuminousMoth|menuPass|Moses Staff|Ember Bear|FIN7|Lazarus Group|Kimsuky|APT41|FIN6|CopyKittens|Leviathan|GALLIUM|Darkhotel|Molerats|TA505|PROMETHIUM|Suckfly
+T1070.003,Clear Command History,Defense Evasion,menuPass|APT41|TeamTNT|Lazarus Group|Magic Hound
+T1218.001,Compiled HTML File,Defense Evasion,OilRig|Silence|APT38|APT41|Dark Caracal
+T1562.012,Disable or Modify Linux Audit System,Defense Evasion,no
+T1482,Domain Trust Discovery,Discovery,Earth Lusca|FIN8|Magic Hound|Chimera
+T1137.005,Outlook Rules,Persistence,no
+T1203,Exploitation for Client Execution,Execution,Higaisa|Mustang Panda|APT3|Leviathan|APT29|APT37|Sandworm Team|BlackTech|EXOTIC LILY|Lazarus Group|TA459|APT32|APT28|Inception|BITTER|APT12|Cobalt Group|Patchwork|Elderwood|Threat Group-3390|admin@338|BRONZE BUTLER|Tonto Team|Transparent Tribe|Axiom|Aoqin Dragon|Tropic Trooper|Darkhotel|Confucius|APT33|Dragonfly|MuddyWater|Sidewinder|Andariel|Ember Bear|APT41|The White Company
+T1556.008,Network Provider DLL,Credential Access|Defense Evasion|Persistence,no
+T1123,Audio Capture,Collection,APT37
+T1021.005,VNC,Lateral Movement,GCMAN|FIN7|Gamaredon Group|Fox Kitten
+T1574.006,Dynamic Linker Hijacking,Persistence|Privilege Escalation|Defense Evasion,APT41|Rocke
+T1592.001,Hardware,Reconnaissance,no
+T1012,Query Registry,Discovery,Turla|Kimsuky|OilRig|Stealth Falcon|Threat Group-3390|Dragonfly|APT32|APT39|Volt Typhoon|ZIRCONIUM|Chimera|Lazarus Group|Fox Kitten
+T1597.002,Purchase Technical Data,Reconnaissance,LAPSUS$
+T1590.001,Domain Properties,Reconnaissance,Sandworm Team
+T1027.010,Command Obfuscation,Defense Evasion,Chimera|Magic Hound|Sandworm Team|TA505|Sidewinder|Leafminer|Cobalt Group|Aquatic Panda|FIN7|FIN8|Fox Kitten|MuddyWater|TA551|Gamaredon Group|FIN6|Turla|LazyScripter|Wizard Spider|Silence|APT19|GOLD SOUTHFIELD|APT32|Ember Bear|HEXANE|Patchwork
+T1059.008,Network Device CLI,Execution,no
+T1499.003,Application Exhaustion Flood,Impact,no
+T1218.004,InstallUtil,Defense Evasion,Mustang Panda|menuPass
+T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,Exfiltration,no
+T1222,File and Directory Permissions Modification,Defense Evasion,no
+T1543.003,Windows Service,Persistence|Privilege Escalation,Kimsuky|Carbanak|Wizard Spider|APT19|APT38|PROMETHIUM|DarkVishnya|APT41|Ke3chang|APT32|Cobalt Group|Lazarus Group|TeamTNT|Threat Group-3390|Tropic Trooper|FIN7|APT3|Blue Mockingbird|Earth Lusca
+T1134.002,Create Process with Token,Defense Evasion|Privilege 
Escalation,Lazarus Group|Turla
+T1055.003,Thread Execution Hijacking,Defense Evasion|Privilege Escalation,no
+T1480.001,Environmental Keying,Defense Evasion,APT41|Equation
+T1570,Lateral Tool Transfer,Lateral Movement,FIN10|GALLIUM|Sandworm Team|APT32|Aoqin Dragon|Wizard Spider|Chimera|Magic Hound|Turla|Volt Typhoon
+T1029,Scheduled Transfer,Exfiltration,Higaisa
+T1584.003,Virtual Private Server,Resource Development,Turla
+T1534,Internal Spearphishing,Lateral Movement,HEXANE|Kimsuky|Leviathan|Gamaredon Group
+T1036.009,Break Process Trees,Defense Evasion,no
+T1556.001,Domain Controller Authentication,Credential Access|Defense Evasion|Persistence,Chimera
+T1491.001,Internal Defacement,Impact,Gamaredon Group|Lazarus Group
+T1564.010,Process Argument Spoofing,Defense Evasion,no
+T1056.002,GUI Input Capture,Collection|Credential Access,FIN4
+T1008,Fallback Channels,Command And Control,FIN7|Lazarus Group|OilRig|APT41
+T1036.004,Masquerade Task or Service,Defense Evasion,Kimsuky|BackdoorDiplomacy|Magic Hound|APT41|Wizard Spider|Higaisa|APT-C-36|APT32|ZIRCONIUM|Carbanak|FIN7|Fox Kitten|FIN6|Naikon|BITTER|Lazarus Group|PROMETHIUM|FIN13
+T1590.006,Network Security Appliances,Reconnaissance,no
+T1195.003,Compromise Hardware Supply Chain,Initial Access,no
+T1055,Process Injection,Defense Evasion|Privilege Escalation,Cobalt Group|Silence|TA2541|APT32|Turla|Wizard Spider|APT37|PLATINUM|Kimsuky|APT41
+T1606.001,Web Cookies,Credential Access,no
+T1568.003,DNS Calculation,Command And Control,APT12
+T1583.003,Virtual Private Server,Resource Development,Axiom|LAPSUS$|TEMP.Veles|HAFNIUM|Dragonfly
+T1596.003,Digital Certificates,Reconnaissance,no
+T1601.002,Downgrade System Image,Defense Evasion,no
+T1007,System Service Discovery,Discovery,Ke3chang|TeamTNT|BRONZE BUTLER|APT1|Chimera|Earth Lusca|OilRig|Indrik Spider|admin@338|Kimsuky|Turla|Aquatic Panda|Poseidon Group
+T1597.001,Threat Intel Vendors,Reconnaissance,no
+T1589.001,Credentials,Reconnaissance,LAPSUS$|APT28|Magic 
Hound|Chimera|Leviathan
+T1574.011,Services Registry Permissions Weakness,Persistence|Privilege Escalation|Defense Evasion,no
+T1619,Cloud Storage Object Discovery,Discovery,no
+T1505.001,SQL Stored Procedures,Persistence,no
+T1016.002,Wi-Fi Discovery,Discovery,Magic Hound
+T1564.003,Hidden Window,Defense Evasion,DarkHydrus|Higaisa|Deep Panda|APT19|CopyKittens|Gamaredon Group|APT32|Nomadic Octopus|APT28|Magic Hound|Gorgon Group|APT3|Kimsuky
+T1114.003,Email Forwarding Rule,Collection,LAPSUS$|Silent Librarian|Kimsuky
+T1528,Steal Application Access Token,Credential Access,APT28
+T1542.004,ROMMONkit,Defense Evasion|Persistence,no
+T1020.001,Traffic Duplication,Exfiltration,no
+T1592.003,Firmware,Reconnaissance,no
+T1583.001,Domains,Resource Development,TeamTNT|Lazarus Group|IndigoZebra|APT28|LazyScripter|TA505|Silent Librarian|menuPass|ZIRCONIUM|Mustang Panda|HEXANE|APT1|Gamaredon Group|TA2541|Earth Lusca|Transparent Tribe|Ferocious Kitten|FIN7|Kimsuky|Dragonfly|Threat Group-3390|APT32|Sandworm Team|BITTER|EXOTIC LILY|Leviathan|Winnti Group|Magic Hound
+T1652,Device Driver Discovery,Discovery,no
+T1021.007,Cloud Services,Lateral Movement,APT29
+T1037.001,Logon Script (Windows),Persistence|Privilege Escalation,Cobalt Group|APT28
+T1578.005,Modify Cloud Compute Configurations,Defense Evasion,no
+T1059.005,Visual Basic,Execution,HEXANE|SideCopy|Windshift|Gamaredon Group|FIN7|TA2541|Lazarus Group|Silence|FIN13|Turla|BRONZE BUTLER|Transparent Tribe|APT38|Machete|Mustang Panda|Leviathan|Patchwork|FIN4|Cobalt Group|Magic Hound|OilRig|Inception|Sidewinder|Earth Lusca|Confucius|Molerats|WIRTE|Kimsuky|APT33|MuddyWater|Sandworm Team|APT32|APT-C-36|TA505|LazyScripter|TA459|Rancor|APT37|Higaisa|Gorgon Group|APT39
+T1608.006,SEO Poisoning,Resource Development,no
+T1110.004,Credential Stuffing,Credential Access,Chimera
+T1591.004,Identify Roles,Reconnaissance,LAPSUS$|HEXANE
+T1593.001,Social Media,Reconnaissance,EXOTIC LILY|Kimsuky
+T1562.009,Safe Mode Boot,Defense Evasion,no
+T1055.008,Ptrace System Calls,Defense Evasion|Privilege Escalation,no
+T1548.005,Temporary Elevated Cloud Access,Privilege Escalation|Defense Evasion,no
+T1568,Dynamic Resolution,Command And Control,APT29|TA2541|Gamaredon Group|Transparent Tribe|BITTER
+T1055.001,Dynamic-link Library Injection,Defense Evasion|Privilege Escalation,BackdoorDiplomacy|Leviathan|Tropic Trooper|Lazarus Group|Putter Panda|Turla|Wizard Spider|TA505
+T1218.011,Rundll32,Defense Evasion,APT28|Blue Mockingbird|Kimsuky|Sandworm Team|Lazarus Group|TA551|TA505|APT3|APT19|MuddyWater|Wizard Spider|APT41|FIN7|CopyKittens|Carbanak|APT32|Magic Hound|Gamaredon Group|HAFNIUM|LazyScripter|APT38
+T1546.010,AppInit DLLs,Privilege Escalation|Persistence,APT39
+T1039,Data from Network Shared Drive,Collection,menuPass|Gamaredon Group|Sowbug|APT28|BRONZE BUTLER|Chimera|Fox Kitten
+T1573.001,Symmetric Cryptography,Command And Control,BRONZE BUTLER|APT33|APT28|Inception|ZIRCONIUM|Stealth Falcon|Darkhotel|MuddyWater|Lazarus Group|Higaisa|Mustang Panda|Volt Typhoon
+T1053.005,Scheduled Task,Execution|Persistence|Privilege Escalation,MuddyWater|APT38|APT39|FIN8|APT32|APT29|BITTER|Naikon|FIN7|APT33|Fox Kitten|Mustang Panda|Silence|Confucius|APT41|Cobalt Group|FIN10|menuPass|FIN13|APT3|Rancor|FIN6|Blue Mockingbird|Machete|Higaisa|Stealth Falcon|OilRig|Magic Hound|Kimsuky|TEMP.Veles|APT37|GALLIUM|Patchwork|BRONZE BUTLER|Wizard Spider|TA2541|Molerats|Gamaredon Group|LuminousMoth|Chimera|HEXANE|Dragonfly|Lazarus Group|APT-C-36
+T1547.012,Print Processors,Persistence|Privilege Escalation,Earth Lusca
+T1546.001,Change Default File Association,Privilege Escalation|Persistence,Kimsuky
+T1550.001,Application Access Token,Defense Evasion|Lateral Movement,APT28
+T1003.001,LSASS Memory,Credential Access,APT1|Kimsuky|Silence|OilRig|Leviathan|Whitefly|FIN13|APT32|GALLIUM|Threat Group-3390|Cleaver|Earth Lusca|MuddyWater|BRONZE BUTLER|Leafminer|HAFNIUM|APT28|PLATINUM|APT41|Magic Hound|FIN8|APT33|Sandworm Team|Wizard Spider|Aquatic 
Panda|APT39|Volt Typhoon|APT3|Fox Kitten|Blue Mockingbird|Indrik Spider|Ke3chang|TEMP.Veles|FIN6
+T1538,Cloud Service Dashboard,Discovery,no
+T1001,Data Obfuscation,Command And Control,no
+T1622,Debugger Evasion,Defense Evasion|Discovery,no
+T1098.001,Additional Cloud Credentials,Persistence|Privilege Escalation,no
+T1568.002,Domain Generation Algorithms,Command And Control,APT41|TA551
+T1547.008,LSASS Driver,Persistence|Privilege Escalation,no
+T1133,External Remote Services,Persistence|Initial Access,APT29|LAPSUS$|APT41|GALLIUM|APT18|Wizard Spider|Leviathan|APT28|TeamTNT|Chimera|Dragonfly|Sandworm Team|Threat Group-3390|Kimsuky|Ke3chang|FIN13|Scattered Spider|TEMP.Veles|OilRig|FIN5|GOLD SOUTHFIELD
+T1559.002,Dynamic Data Exchange,Execution,FIN7|Patchwork|Gallmaker|APT28|Leviathan|BITTER|MuddyWater|TA505|Sidewinder|APT37|Cobalt Group
+T1567,Exfiltration Over Web Service,Exfiltration,Magic Hound|APT28
+T1547.013,XDG Autostart Entries,Persistence|Privilege Escalation,no
+T1606,Forge Web Credentials,Credential Access,no
+T1584.004,Server,Resource Development,Dragonfly|Turla|Lazarus Group|Indrik Spider|APT16|Earth Lusca|Volt Typhoon
+T1588,Obtain Capabilities,Resource Development,no
+T1587,Develop Capabilities,Resource Development,Kimsuky
+T1114,Email Collection,Collection,Silent Librarian|Magic Hound
+T1070.002,Clear Linux or Mac System Logs,Defense Evasion,Rocke|TeamTNT
+T1535,Unused/Unsupported Cloud Regions,Defense Evasion,no
+T1586,Compromise Accounts,Resource Development,no
+T1564.002,Hidden Users,Defense Evasion,Kimsuky|Dragonfly
+T1484,Domain Policy Modification,Defense Evasion|Privilege Escalation,no
+T1055.009,Proc Memory,Defense Evasion|Privilege Escalation,no
+T1135,Network Share Discovery,Discovery,Dragonfly|Chimera|FIN13|APT39|Tonto Team|Wizard Spider|APT41|Tropic Trooper|Sowbug|APT32|DarkVishnya|APT1|APT38
+T1574.012,COR_PROFILER,Persistence|Privilege Escalation|Defense Evasion,Blue Mockingbird
+T1564.004,NTFS File Attributes,Defense Evasion,APT32
+T1562.007,Disable or Modify Cloud Firewall,Defense Evasion,no
+T1003.002,Security Account Manager,Credential Access,Dragonfly|Ke3chang|GALLIUM|APT29|menuPass|FIN13|Threat Group-3390|Wizard Spider
+T1650,Acquire Access,Resource Development,no
+T1090.002,External Proxy,Command And Control,Tonto Team|APT39|MuddyWater|FIN5|Lazarus Group|APT28|Silence|GALLIUM|menuPass|APT3
+T1564.006,Run Virtual Instance,Defense Evasion,no
+T1595,Active Scanning,Reconnaissance,no
+T1055.013,Process Doppelgänging,Defense Evasion|Privilege Escalation,Leafminer
+T1491,Defacement,Impact,no
+T1592,Gather Victim Host Information,Reconnaissance,no
+T1546.012,Image File Execution Options Injection,Privilege Escalation|Persistence,TEMP.Veles
+T1602.002,Network Device Configuration Dump,Collection,no
+T1596.005,Scan Databases,Reconnaissance,no
+T1197,BITS Jobs,Defense Evasion|Persistence,Wizard Spider|APT39|APT41|Leviathan|Patchwork
+T1547.010,Port Monitors,Persistence|Privilege Escalation,no
+T1016,System Network Configuration Discovery,Discovery,Kimsuky|Threat Group-3390|Sidewinder|Chimera|Magic Hound|Moses Staff|Lazarus Group|FIN13|TeamTNT|Stealth Falcon|Higaisa|SideCopy|ZIRCONIUM|APT19|APT1|APT32|Naikon|Darkhotel|Earth Lusca|Dragonfly|APT3|menuPass|MuddyWater|Volt Typhoon|HEXANE|OilRig|Wizard Spider|GALLIUM|Ke3chang|Mustang Panda|HAFNIUM|Turla|Tropic Trooper|APT41|admin@338
+T1484.002,Domain Trust Modification,Defense Evasion|Privilege Escalation,no
+T1584,Compromise Infrastructure,Resource Development,no
+T1596,Search Open Technical Databases,Reconnaissance,no
+T1499.001,OS Exhaustion Flood,Impact,no
+T1573,Encrypted Channel,Command And Control,APT29|Tropic Trooper|BITTER|Magic Hound
+T1127.001,MSBuild,Defense Evasion,no
+T1588.003,Code Signing Certificates,Resource Development,Ember Bear|Threat Group-3390|Wizard Spider|FIN8|BlackTech
+T1027.001,Binary Padding,Defense Evasion,APT32|Moafee|FIN7|Higaisa|Leviathan|Patchwork|Gamaredon Group|Ember Bear|Mustang Panda|APT29|BRONZE BUTLER
+T1546.014,Emond,Privilege Escalation|Persistence,no +T1596.002,WHOIS,Reconnaissance,no +T1590.004,Network Topology,Reconnaissance,FIN13 +T1559,Inter-Process Communication,Execution,no +T1195,Supply Chain Compromise,Initial Access,no +T1047,Windows Management Instrumentation,Execution,APT41|FIN7|APT32|GALLIUM|Sandworm Team|Volt Typhoon|Blue Mockingbird|Mustang Panda|Deep Panda|TA2541|Indrik Spider|OilRig|MuddyWater|Gamaredon Group|menuPass|FIN6|Leviathan|Stealth Falcon|Windshift|Earth Lusca|Threat Group-3390|FIN13|Magic Hound|Chimera|Lazarus Group|APT29|Wizard Spider|FIN8|Naikon +T1560.002,Archive via Library,Collection,Lazarus Group|Threat Group-3390 +T1583.005,Botnet,Resource Development,no +T1621,Multi-Factor Authentication Request Generation,Credential Access,Scattered Spider|LAPSUS$|APT29 +T1110.002,Password Cracking,Credential Access,APT3|Dragonfly|FIN6|APT41 +T1566,Phishing,Initial Access,Axiom|GOLD SOUTHFIELD +T1059.007,JavaScript,Execution,Kimsuky|Cobalt Group|Indrik Spider|Leafminer|FIN7|MuddyWater|Molerats|TA505|Silence|FIN6|APT32|Earth Lusca|LazyScripter|Turla|Evilnum|Higaisa|Ember Bear|MoustachedBouncer|Sidewinder +T1592.004,Client Configurations,Reconnaissance,HAFNIUM +T1529,System Shutdown/Reboot,Impact,Lazarus Group|APT37|APT38 +T1218.012,Verclsid,Defense Evasion,no +T1550.004,Web Session Cookie,Defense Evasion|Lateral Movement,no +T1217,Browser Information Discovery,Discovery,Chimera|Fox Kitten|APT38 +T1218,System Binary Proxy Execution,Defense Evasion,Lazarus Group +T1578,Modify Cloud Compute Infrastructure,Defense Evasion,no +T1546.015,Component Object Model Hijacking,Privilege Escalation|Persistence,APT28 +T1006,Direct Volume Access,Defense Evasion,no +T1586.002,Email Accounts,Resource Development,APT29|APT28|Leviathan|LAPSUS$|IndigoZebra|HEXANE|Kimsuky|Magic Hound +T1137.003,Outlook Forms,Persistence,no +T1584.006,Web Services,Resource Development,Turla|Earth Lusca +T1134.001,Token Impersonation/Theft,Defense Evasion|Privilege 
Escalation,APT28|FIN8 +T1070,Indicator Removal,Defense Evasion,Lazarus Group +T1550.002,Pass the Hash,Defense Evasion|Lateral Movement,APT1|FIN13|APT28|APT32|Chimera|GALLIUM|Kimsuky|Wizard Spider +T1567.003,Exfiltration to Text Storage Sites,Exfiltration,no +T1030,Data Transfer Size Limits,Exfiltration,Threat Group-3390|LuminousMoth|APT28 +T1137.004,Outlook Home Page,Persistence,OilRig +T1036.006,Space after Filename,Defense Evasion,no +T1539,Steal Web Session Cookie,Credential Access,Evilnum|LuminousMoth +T1518.001,Security Software Discovery,Discovery,Cobalt Group|Kimsuky|TA2541|Tropic Trooper|APT38|Sidewinder|MuddyWater|Darkhotel|TeamTNT|Patchwork|Windshift|Rocke|The White Company|Naikon|Aquatic Panda|Wizard Spider|Turla|FIN8|SideCopy +T1578.002,Create Cloud Instance,Defense Evasion,LAPSUS$ +T1037.004,RC Scripts,Persistence|Privilege Escalation,APT29 +T1036.008,Masquerade File Type,Defense Evasion,Volt Typhoon +T1556.007,Hybrid Identity,Credential Access|Defense Evasion|Persistence,APT29 +T1114.001,Local Email Collection,Collection,APT1|Chimera|Magic Hound +T1490,Inhibit System Recovery,Impact,Wizard Spider +T1027.012,LNK Icon Smuggling,Defense Evasion,no +T1558.004,AS-REP Roasting,Credential Access,no +T1601.001,Patch System Image,Defense Evasion,no +T1132.001,Standard Encoding,Command And Control,MuddyWater|Tropic Trooper|HAFNIUM|BRONZE BUTLER|APT19|Lazarus Group|Sandworm Team|APT33|TA551|Patchwork +T1003.004,LSA Secrets,Credential Access,APT33|OilRig|Leafminer|menuPass|Threat Group-3390|Dragonfly|MuddyWater|Ke3chang|APT29 +T1566.001,Spearphishing Attachment,Initial Access,Ember Bear|Gorgon Group|OilRig|Naikon|Wizard Spider|Machete|Nomadic Octopus|IndigoZebra|RTM|Confucius|Gamaredon Group|APT28|FIN4|Rancor|Mustang Panda|TA551|DarkHydrus|Cobalt Group|APT12|menuPass|WIRTE|APT39|APT29|APT19|Tropic Trooper|Inception|LazyScripter|Silence|APT38|APT30|APT33|APT1|Patchwork|Sandworm Team|Leviathan|Windshift|APT37|Lazarus 
Group|Darkhotel|PLATINUM|Gallmaker|APT32|FIN6|Dragonfly|BITTER|Sidewinder|Tonto Team|Andariel|The White Company|FIN8|Transparent Tribe|BRONZE BUTLER|Threat Group-3390|TA505|EXOTIC LILY|Elderwood|SideCopy|Molerats|Ajax Security Team|MuddyWater|Ferocious Kitten|APT-C-36|Mofang|Higaisa|APT41|FIN7|TA2541|BlackTech|admin@338|Kimsuky|TA459 +T1102,Web Service,Command And Control,FIN6|EXOTIC LILY|Turla|APT32|Mustang Panda|Rocke|FIN8|TeamTNT|LazyScripter|Gamaredon Group|Inception|Fox Kitten|Ember Bear +T1649,Steal or Forge Authentication Certificates,Credential Access,APT29 +T1590,Gather Victim Network Information,Reconnaissance,HAFNIUM +T1562.010,Downgrade Attack,Defense Evasion,no +T1003,OS Credential Dumping,Credential Access,Axiom|Leviathan|APT28|Tonto Team|Poseidon Group|Suckfly|APT32|Sowbug|APT39 +T1087.004,Cloud Account,Discovery,APT29 +T1552.005,Cloud Instance Metadata API,Credential Access,TeamTNT +T1562.003,Impair Command History Logging,Defense Evasion,APT38 +T1608.004,Drive-by Target,Resource Development,FIN7|Threat Group-3390|APT32|Transparent Tribe|LuminousMoth|Dragonfly +T1553,Subvert Trust Controls,Defense Evasion,Axiom +T1547.001,Registry Run Keys / Startup Folder,Persistence|Privilege Escalation,Leviathan|Ke3chang|RTM|TeamTNT|Inception|Threat Group-3390|MuddyWater|FIN6|PROMETHIUM|Higaisa|Magic Hound|APT3|Sidewinder|APT29|TA2541|FIN10|Dark Caracal|Dragonfly|BRONZE BUTLER|FIN13|Tropic Trooper|LazyScripter|Rocke|APT33|APT19|ZIRCONIUM|APT28|Confucius|APT39|Turla|LuminousMoth|Darkhotel|APT37|Gamaredon Group|Mustang Panda|Patchwork|FIN7|Naikon|APT18|Silence|Kimsuky|Wizard Spider|Lazarus Group|Gorgon Group|Putter Panda|APT41|Windshift|Cobalt Group|Molerats|APT32 +T1526,Cloud Service Discovery,Discovery,no +T1027.011,Fileless Storage,Defense Evasion,Turla|APT32 +T1599,Network Boundary Bridging,Defense Evasion,no +T1218.014,MMC,Defense Evasion,no +T1216,System Script Proxy Execution,Defense Evasion,no +T1036.003,Rename System Utilities,Defense Evasion,Lazarus 
Group|GALLIUM|APT32|menuPass +T1569.001,Launchctl,Execution,no +T1571,Non-Standard Port,Command And Control,Silence|Lazarus Group|Magic Hound|Rocke|APT-C-36|DarkVishnya|TEMP.Veles|APT32|WIRTE|Sandworm Team|APT33|FIN7 +T1069.002,Domain Groups,Discovery,OilRig|Inception|Ke3chang|FIN7|Dragonfly|Turla|Volt Typhoon|LAPSUS$ +T1003.006,DCSync,Credential Access,LAPSUS$|Earth Lusca +T1497.002,User Activity Based Checks,Defense Evasion|Discovery,Darkhotel|FIN7 +T1110,Brute Force,Credential Access,APT38|OilRig|HEXANE|APT28|FIN5|Fox Kitten|APT39|Dragonfly|Turla|DarkVishnya +T1531,Account Access Removal,Impact,LAPSUS$ +T1596.004,CDNs,Reconnaissance,no +T1132,Data Encoding,Command And Control,no +T1589,Gather Victim Identity Information,Reconnaissance,Magic Hound|APT32|FIN13|HEXANE|LAPSUS$ +T1546.013,PowerShell Profile,Privilege Escalation|Persistence,Turla +T1036,Masquerading,Defense Evasion,OilRig|APT28|Nomadic Octopus|menuPass|ZIRCONIUM|FIN13|Windshift|TA551|APT32|Kimsuky|TeamTNT|PLATINUM|LazyScripter|BRONZE BUTLER|Dragonfly +T1102.002,Bidirectional Communication,Command And Control,APT28|APT37|Carbanak|Lazarus Group|APT12|FIN7|APT39|ZIRCONIUM|POLONIUM|HEXANE|Turla|Sandworm Team|MuddyWater|Magic Hound|Kimsuky +T1588.001,Malware,Resource Development,TA2541|LuminousMoth|LazyScripter|APT1|LAPSUS$|Aquatic Panda|Metador|Andariel|BackdoorDiplomacy|Earth Lusca|Turla|TA505 +T1033,System Owner/User Discovery,Discovery,ZIRCONIUM|APT37|Gamaredon Group|Magic Hound|FIN10|Sidewinder|HAFNIUM|HEXANE|GALLIUM|Stealth Falcon|Dragonfly|APT32|Tropic Trooper|APT19|Sandworm Team|APT39|OilRig|Patchwork|Ke3chang|APT41|FIN8|APT38|Earth Lusca|Wizard Spider|FIN7|Windshift|MuddyWater|Lazarus Group|Threat Group-3390|APT3|LuminousMoth|Chimera|Volt Typhoon +T1021.006,Windows Remote Management,Lateral Movement,Wizard Spider|Chimera|FIN13|Threat Group-3390 +T1497,Virtualization/Sandbox Evasion,Defense Evasion|Discovery,Darkhotel +T1136.002,Domain Account,Persistence,GALLIUM|Wizard Spider|HAFNIUM 
+T1556.004,Network Device Authentication,Credential Access|Defense Evasion|Persistence,no +T1078.004,Cloud Accounts,Defense Evasion|Persistence|Privilege Escalation|Initial Access,APT28|Ke3chang|APT29|APT33|LAPSUS$ diff --git a/dist/escu/lookups/network_acl_activity_baseline.csv b/dist/DA-ESS-ContentUpdate/lookups/network_acl_activity_baseline.csv similarity index 100% rename from dist/escu/lookups/network_acl_activity_baseline.csv rename to dist/DA-ESS-ContentUpdate/lookups/network_acl_activity_baseline.csv diff --git a/dist/escu/lookups/previously_seen_cmd_line_arguments.csv b/dist/DA-ESS-ContentUpdate/lookups/previously_seen_cmd_line_arguments.csv similarity index 100% rename from dist/escu/lookups/previously_seen_cmd_line_arguments.csv rename to dist/DA-ESS-ContentUpdate/lookups/previously_seen_cmd_line_arguments.csv diff --git a/dist/escu/lookups/previously_seen_ec2_modifications_by_user.csv b/dist/DA-ESS-ContentUpdate/lookups/previously_seen_ec2_modifications_by_user.csv similarity index 100% rename from dist/escu/lookups/previously_seen_ec2_modifications_by_user.csv rename to dist/DA-ESS-ContentUpdate/lookups/previously_seen_ec2_modifications_by_user.csv diff --git a/dist/escu/lookups/privileged_azure_ad_roles.csv b/dist/DA-ESS-ContentUpdate/lookups/privileged_azure_ad_roles.csv similarity index 100% rename from dist/escu/lookups/privileged_azure_ad_roles.csv rename to dist/DA-ESS-ContentUpdate/lookups/privileged_azure_ad_roles.csv diff --git a/dist/escu/lookups/prohibited_apps_launching_cmd.csv b/dist/DA-ESS-ContentUpdate/lookups/prohibited_apps_launching_cmd.csv similarity index 100% rename from dist/escu/lookups/prohibited_apps_launching_cmd.csv rename to dist/DA-ESS-ContentUpdate/lookups/prohibited_apps_launching_cmd.csv 
diff --git a/dist/escu/lookups/prohibited_processes.csv b/dist/DA-ESS-ContentUpdate/lookups/prohibited_processes.csv similarity index 100% rename from dist/escu/lookups/prohibited_processes.csv rename to dist/DA-ESS-ContentUpdate/lookups/prohibited_processes.csv diff --git a/dist/escu/lookups/ransomware_extensions.csv b/dist/DA-ESS-ContentUpdate/lookups/ransomware_extensions.csv similarity index 100% rename from dist/escu/lookups/ransomware_extensions.csv rename to dist/DA-ESS-ContentUpdate/lookups/ransomware_extensions.csv diff --git a/dist/escu/lookups/ransomware_notes.csv b/dist/DA-ESS-ContentUpdate/lookups/ransomware_notes.csv similarity index 100% rename from dist/escu/lookups/ransomware_notes.csv rename to dist/DA-ESS-ContentUpdate/lookups/ransomware_notes.csv diff --git a/dist/escu/lookups/rare_process_allow_list_default.csv b/dist/DA-ESS-ContentUpdate/lookups/rare_process_allow_list_default.csv similarity index 100% rename from dist/escu/lookups/rare_process_allow_list_default.csv rename to dist/DA-ESS-ContentUpdate/lookups/rare_process_allow_list_default.csv diff --git a/dist/escu/lookups/rare_process_allow_list_local.csv b/dist/DA-ESS-ContentUpdate/lookups/rare_process_allow_list_local.csv similarity index 100% rename from dist/escu/lookups/rare_process_allow_list_local.csv rename to dist/DA-ESS-ContentUpdate/lookups/rare_process_allow_list_local.csv diff --git a/dist/escu/lookups/remote_access_software.csv b/dist/DA-ESS-ContentUpdate/lookups/remote_access_software.csv similarity index 100% rename from dist/escu/lookups/remote_access_software.csv rename to dist/DA-ESS-ContentUpdate/lookups/remote_access_software.csv diff --git a/dist/escu/lookups/security_services.csv b/dist/DA-ESS-ContentUpdate/lookups/security_services.csv similarity index 100% rename from dist/escu/lookups/security_services.csv rename to dist/DA-ESS-ContentUpdate/lookups/security_services.csv 
diff --git a/dist/escu/lookups/splunk_risky_command_20231003.csv b/dist/DA-ESS-ContentUpdate/lookups/splunk_risky_command_20231003.csv similarity index 100% rename from dist/escu/lookups/splunk_risky_command_20231003.csv rename to dist/DA-ESS-ContentUpdate/lookups/splunk_risky_command_20231003.csv diff --git a/dist/escu/lookups/suspicious_files.csv b/dist/DA-ESS-ContentUpdate/lookups/suspicious_files.csv similarity index 100% rename from dist/escu/lookups/suspicious_files.csv rename to dist/DA-ESS-ContentUpdate/lookups/suspicious_files.csv diff --git a/dist/escu/lookups/uncommon_processes_default.csv b/dist/DA-ESS-ContentUpdate/lookups/uncommon_processes_default.csv similarity index 100% rename from dist/escu/lookups/uncommon_processes_default.csv rename to dist/DA-ESS-ContentUpdate/lookups/uncommon_processes_default.csv diff --git a/dist/escu/lookups/uncommon_processes_local.csv b/dist/DA-ESS-ContentUpdate/lookups/uncommon_processes_local.csv similarity index 100% rename from dist/escu/lookups/uncommon_processes_local.csv rename to dist/DA-ESS-ContentUpdate/lookups/uncommon_processes_local.csv diff --git a/dist/escu/lookups/windows_protocol_handlers.csv b/dist/DA-ESS-ContentUpdate/lookups/windows_protocol_handlers.csv similarity index 100% rename from dist/escu/lookups/windows_protocol_handlers.csv rename to dist/DA-ESS-ContentUpdate/lookups/windows_protocol_handlers.csv diff --git a/dist/escu/metadata/default.meta b/dist/DA-ESS-ContentUpdate/metadata/default.meta similarity index 100% rename from dist/escu/metadata/default.meta rename to dist/DA-ESS-ContentUpdate/metadata/default.meta diff --git a/dist/escu/static/appIcon.png b/dist/DA-ESS-ContentUpdate/static/appIcon.png similarity index 100% rename from dist/escu/static/appIcon.png rename to dist/DA-ESS-ContentUpdate/static/appIcon.png 
diff --git a/dist/escu/static/appIconAlt.png b/dist/DA-ESS-ContentUpdate/static/appIconAlt.png similarity index 100% rename from dist/escu/static/appIconAlt.png rename to dist/DA-ESS-ContentUpdate/static/appIconAlt.png diff --git a/dist/escu/static/appIconAlt_2x.png b/dist/DA-ESS-ContentUpdate/static/appIconAlt_2x.png similarity index 100% rename from dist/escu/static/appIconAlt_2x.png rename to dist/DA-ESS-ContentUpdate/static/appIconAlt_2x.png diff --git a/dist/escu/static/appIcon_2x.png b/dist/DA-ESS-ContentUpdate/static/appIcon_2x.png similarity index 100% rename from dist/escu/static/appIcon_2x.png rename to dist/DA-ESS-ContentUpdate/static/appIcon_2x.png diff --git a/dist/escu/default/content-version.conf b/dist/escu/default/content-version.conf deleted file mode 100644 index 52dd6b06d5..0000000000 --- a/dist/escu/default/content-version.conf +++ /dev/null @@ -1,2 +0,0 @@ -[content-version] -version = 4.13.0 diff --git a/dist/escu/lookups/csc_lookup.csv b/dist/escu/lookups/csc_lookup.csv deleted file mode 100644 index 58970a91f6..0000000000 --- a/dist/escu/lookups/csc_lookup.csv +++ /dev/null 
@@ -1,21 +0,0 @@ -number, name -1, Inventory of Authorized and Unauthorized Devices -2, Inventory of Authorized and Unauthorized Software -3, Secure Configuration of End-User Devices -4, Continuous Vulnerability Assessment & Remediation -5, Controlled Use of Administrative Privileges -6, Maintenance Monitoring and Analysis of Audit Logs -7, Email & Web Browser Protections -8, Malware Defense -9, Limitation & Control of Network Ports-Protocols & Services -10, Data Recovery Capability -11, Secure Configuration of Network Devices -12, Boundary Defense -13, Data Protection -14, Controlled Access Based on Need to Know -15, Wireless Access Control -16, Account Monitoring and Control -17, Security Skills Assessment and Appropriate Training -18, Application Software Security -19, Incident Response and Management -20, Penetration Tests and Red Team Exercises \ No newline at end of file diff --git a/dist/escu/lookups/mitre_enrichment.csv b/dist/escu/lookups/mitre_enrichment.csv deleted file mode 100644 index 98e157fb74..0000000000 --- a/dist/escu/lookups/mitre_enrichment.csv +++ /dev/null 
@@ -1,579 +0,0 @@ -mitre_id,technique,tactics,groups -T1647,Plist File Modification,Defense Evasion,no -T1622,Debugger Evasion,Defense Evasion|Discovery,no -T1621,Multi-Factor Authentication Request Generation,Credential Access,APT29 -T1505.005,Terminal Services DLL,Persistence,no -T1557.003,DHCP Spoofing,Credential Access|Collection,no -T1595.003,Wordlist Scanning,Reconnaissance,Volatile Cedar -T1098.005,Device Registration,Persistence,APT29 -T1574.013,KernelCallbackTable,Persistence|Privilege Escalation|Defense Evasion,Lazarus Group -T1556.005,Reversible Encryption,Credential Access|Defense Evasion|Persistence,no -T1055.015,ListPlanting,Defense Evasion|Privilege Escalation,no -T1564.010,Process Argument Spoofing,Defense Evasion,no -T1564.009,Resource Forking,Defense Evasion,no -T1559.003,XPC Services,Execution,no -T1562.010,Downgrade Attack,Defense Evasion,no -T1547.015,Login Items,Persistence|Privilege Escalation,no -T1620,Reflective Code Loading,Defense Evasion,Lazarus Group -T1619,Cloud Storage Object Discovery,Discovery,no -T1218.014,MMC,Defense Evasion,no -T1218.013,Mavinject,Defense Evasion,no -T1614.001,System Language Discovery,Discovery,Ke3chang|Lazarus Group -T1615,Group Policy Discovery,Discovery,Turla -T1036.007,Double File Extension,Defense Evasion,Mustang Panda -T1562.009,Safe Mode Boot,Defense Evasion,no -T1564.008,Email Hiding Rules,Defense Evasion,FIN4 -T1505.004,IIS Components,Persistence,no -T1027.006,HTML Smuggling,Defense Evasion,APT29 -T1213.003,Code Repositories,Collection,APT29 -T1553.006,Code Signing Policy Modification,Defense Evasion,Turla|APT39 -T1614,System Location Discovery,Discovery,no -T1613,Container and Resource Discovery,Discovery,TeamTNT -T1552.007,Container API,Credential Access,no -T1612,Build Image on Host,Defense Evasion,no -T1611,Escape to Host,Privilege Escalation,TeamTNT -T1204.003,Malicious Image,Execution,TeamTNT -T1053.007,Container Orchestration Job,Execution|Persistence|Privilege Escalation,no -T1610,Deploy 
Container,Defense Evasion|Execution,TeamTNT -T1609,Container Administration Command,Execution,TeamTNT -T1608.005,Link Target,Resource Development,Silent Librarian -T1608.004,Drive-by Target,Resource Development,Dragonfly|Transparent Tribe|APT32|Threat Group-3390 -T1608.003,Install Digital Certificate,Resource Development,no -T1608.002,Upload Tool,Resource Development,Lazarus Group|Threat Group-3390 -T1608.001,Upload Malware,Resource Development,Threat Group-3390|LazyScripter|Mustang Panda|Gamaredon Group|Kimsuky|Lazarus Group|TeamTNT|APT32 -T1608,Stage Capabilities,Resource Development,Mustang Panda -T1016.001,Internet Connection Discovery,Discovery,Gamaredon Group|APT29|Turla -T1553.005,Mark-of-the-Web Bypass,Defense Evasion,APT29|TA505 -T1555.005,Password Managers,Credential Access,Threat Group-3390|Fox Kitten|Operation Wocao -T1484.002,Domain Trust Modification,Defense Evasion|Privilege Escalation,APT29 -T1484.001,Group Policy Modification,Defense Evasion|Privilege Escalation,Indrik Spider -T1547.014,Active Setup,Persistence|Privilege Escalation,no -T1606.002,SAML Tokens,Credential Access,APT29 -T1606.001,Web Cookies,Credential Access,APT29 -T1606,Forge Web Credentials,Credential Access,no -T1555.004,Windows Credential Manager,Credential Access,Stealth Falcon|OilRig|Turla -T1059.008,Network Device CLI,Execution,no -T1602.002,Network Device Configuration Dump,Collection,no -T1542.005,TFTP Boot,Defense Evasion|Persistence,no -T1542.004,ROMMONkit,Defense Evasion|Persistence,no -T1602.001,SNMP (MIB Dump),Collection,no -T1602,Data from Configuration Repository,Collection,no -T1601.002,Downgrade System Image,Defense Evasion,no -T1601.001,Patch System Image,Defense Evasion,no -T1601,Modify System Image,Defense Evasion,no -T1600.002,Disable Crypto Hardware,Defense Evasion,no -T1600.001,Reduce Key Space,Defense Evasion,no -T1600,Weaken Encryption,Defense Evasion,no -T1556.004,Network Device Authentication,Credential Access|Defense Evasion|Persistence,no 
-T1599.001,Network Address Translation Traversal,Defense Evasion,no -T1599,Network Boundary Bridging,Defense Evasion,no -T1020.001,Traffic Duplication,Exfiltration,no -T1557.002,ARP Cache Poisoning,Credential Access|Collection,Cleaver -T1588.006,Vulnerabilities,Resource Development,Sandworm Team -T1053.006,Systemd Timers,Execution|Persistence|Privilege Escalation,no -T1562.008,Disable Cloud Logs,Defense Evasion,no -T1547.012,Print Processors,Persistence|Privilege Escalation,no -T1598.003,Spearphishing Link,Reconnaissance,APT28|Dragonfly|Magic Hound|Silent Librarian|Sidewinder|Sandworm Team|APT32|Kimsuky -T1598.002,Spearphishing Attachment,Reconnaissance,Dragonfly|Sidewinder -T1598.001,Spearphishing Service,Reconnaissance,no -T1598,Phishing for Information,Reconnaissance,ZIRCONIUM|APT28 -T1597.002,Purchase Technical Data,Reconnaissance,no -T1597.001,Threat Intel Vendors,Reconnaissance,no -T1597,Search Closed Sources,Reconnaissance,no -T1596.005,Scan Databases,Reconnaissance,no -T1596.004,CDNs,Reconnaissance,no -T1596.003,Digital Certificates,Reconnaissance,no -T1596.001,DNS/Passive DNS,Reconnaissance,no -T1596.002,WHOIS,Reconnaissance,no -T1596,Search Open Technical Databases,Reconnaissance,no -T1595.002,Vulnerability Scanning,Reconnaissance,Magic Hound|Aquatic Panda|Dragonfly|TeamTNT|APT29|Volatile Cedar|APT28|Sandworm Team -T1595.001,Scanning IP Blocks,Reconnaissance,TeamTNT -T1595,Active Scanning,Reconnaissance,no -T1594,Search Victim-Owned Websites,Reconnaissance,Kimsuky|Silent Librarian|Sandworm Team -T1593.002,Search Engines,Reconnaissance,Kimsuky -T1593.001,Social Media,Reconnaissance,Lazarus Group|Kimsuky -T1593,Search Open Websites/Domains,Reconnaissance,Sandworm Team -T1592.004,Client Configurations,Reconnaissance,HAFNIUM -T1592.003,Firmware,Reconnaissance,no -T1592.002,Software,Reconnaissance,Andariel|Sandworm Team -T1592.001,Hardware,Reconnaissance,no -T1592,Gather Victim Host Information,Reconnaissance,no -T1591.004,Identify Roles,Reconnaissance,Lazarus 
Group -T1591.003,Identify Business Tempo,Reconnaissance,no -T1591.001,Determine Physical Locations,Reconnaissance,no -T1591.002,Business Relationships,Reconnaissance,Dragonfly|Sandworm Team -T1591,Gather Victim Org Information,Reconnaissance,Kimsuky|Lazarus Group -T1590.006,Network Security Appliances,Reconnaissance,no -T1590.005,IP Addresses,Reconnaissance,Andariel|HAFNIUM -T1590.004,Network Topology,Reconnaissance,no -T1590.003,Network Trust Dependencies,Reconnaissance,no -T1590.002,DNS,Reconnaissance,no -T1590.001,Domain Properties,Reconnaissance,Sandworm Team -T1590,Gather Victim Network Information,Reconnaissance,HAFNIUM -T1589.003,Employee Names,Reconnaissance,Kimsuky|Silent Librarian|Sandworm Team -T1589.002,Email Addresses,Reconnaissance,Lazarus Group|Kimsuky|Magic Hound|TA551|MuddyWater|HAFNIUM|APT32|Silent Librarian|Sandworm Team -T1589.001,Credentials,Reconnaissance,APT29|Leviathan|APT28|Magic Hound|Chimera -T1589,Gather Victim Identity Information,Reconnaissance,Magic Hound|APT32 -T1588.005,Exploits,Resource Development,Kimsuky -T1588.004,Digital Certificates,Resource Development,BlackTech|Lazarus Group|Silent Librarian -T1588.003,Code Signing Certificates,Resource Development,BlackTech|Lazarus Group|Wizard Spider -T1588.002,Tool,Resource Development,Aquatic Panda|BlackTech|Lazarus Group|CostaRicto|Night Dragon|DarkVishnya|FIN5|Gorgon Group|Patchwork|Chimera|Dragonfly|Blue Mockingbird|Whitefly|APT41|FIN6|TEMP.Veles|Kimsuky|PittyTiger|Cobalt Group|APT29|Thrip|Ke3chang|DarkHydrus|APT32|APT38|BRONZE BUTLER|Carbanak|Cleaver|Inception|Leafminer|Threat Group-3390|Ferocious Kitten|IndigoZebra|BackdoorDiplomacy|menuPass|APT-C-36|Magic Hound|APT28|Wizard Spider|Frankenstein|Silence|WIRTE|Turla|APT33|APT19|FIN10|CopyKittens|APT39|APT1|MuddyWater|Silent Librarian|GALLIUM|Sandworm Team -T1588.001,Malware,Resource Development,Aquatic Panda|LazyScripter|Andariel|BackdoorDiplomacy|Turla|APT1 -T1588,Obtain Capabilities,Resource Development,no 
-T1587.004,Exploits,Resource Development,no -T1587.003,Digital Certificates,Resource Development,APT29|PROMETHIUM -T1587.002,Code Signing Certificates,Resource Development,PROMETHIUM|Patchwork -T1587.001,Malware,Resource Development,Ke3chang|Kimsuky|TeamTNT|APT29|Lazarus Group|Sandworm Team|Turla|FIN7|Night Dragon|Cleaver -T1587,Develop Capabilities,Resource Development,Kimsuky -T1586.002,Email Accounts,Resource Development,APT29|APT28|IndigoZebra|Leviathan|Magic Hound|Kimsuky -T1586.001,Social Media Accounts,Resource Development,Leviathan -T1586,Compromise Accounts,Resource Development,no -T1585.002,Email Accounts,Resource Development,Mustang Panda|Kimsuky|Lazarus Group|Leviathan|Magic Hound|Silent Librarian|Sandworm Team|APT1 -T1585.001,Social Media Accounts,Resource Development,Kimsuky|Lazarus Group|Leviathan|Magic Hound|Fox Kitten|Sandworm Team|APT32|Cleaver -T1585,Establish Accounts,Resource Development,Fox Kitten|APT17 -T1584.006,Web Services,Resource Development,Turla -T1584.005,Botnet,Resource Development,Sandworm Team|Axiom -T1584.004,Server,Resource Development,Lazarus Group|Dragonfly|Indrik Spider|Turla|APT16 -T1584.003,Virtual Private Server,Resource Development,Turla -T1584.002,DNS Server,Resource Development,no -T1584.001,Domains,Resource Development,Kimsuky|Lazarus Group|Transparent Tribe|Magic Hound|APT29|APT1 -T1583.006,Web Services,Resource Development,APT28|Confucius|LazyScripter|Kimsuky|Magic Hound|IndigoZebra|ZIRCONIUM|MuddyWater|HAFNIUM|Lazarus Group|Turla|APT32|APT17|APT29 -T1583.005,Botnet,Resource Development,no -T1583.004,Server,Resource Development,Kimsuky|Lazarus Group|Gelsemium|GALLIUM|Sandworm Team -T1583.003,Virtual Private Server,Resource Development,Axiom|Dragonfly|HAFNIUM|TEMP.Veles -T1583.002,DNS Server,Resource Development,Axiom -T1584,Compromise Infrastructure,Resource Development,no -T1583.001,Domains,Resource Development,LazyScripter|Gamaredon Group|Winnti Group|Dragonfly|IndigoZebra|TeamTNT|Ferocious Kitten|FIN7|Transparent 
Tribe|Leviathan|Magic Hound|APT29|Mustang Panda|ZIRCONIUM|Lazarus Group|Silent Librarian|menuPass|Sandworm Team|APT32|Kimsuky|APT1|APT28 -T1583,Acquire Infrastructure,Resource Development,no -T1564.007,VBA Stomping,Defense Evasion,no -T1558.004,AS-REP Roasting,Credential Access,no -T1580,Cloud Infrastructure Discovery,Discovery,no -T1218.012,Verclsid,Defense Evasion,no -T1205.001,Port Knocking,Defense Evasion|Persistence|Command And Control,PROMETHIUM -T1564.006,Run Virtual Instance,Defense Evasion,no -T1564.005,Hidden File System,Defense Evasion,Strider|Equation -T1556.003,Pluggable Authentication Modules,Credential Access|Defense Evasion|Persistence,no -T1574.012,COR_PROFILER,Persistence|Privilege Escalation|Defense Evasion,Blue Mockingbird -T1562.007,Disable or Modify Cloud Firewall,Defense Evasion,no -T1098.004,SSH Authorized Keys,Persistence,TeamTNT -T1480.001,Environmental Keying,Defense Evasion,APT41|Equation -T1059.007,JavaScript,Execution,LazyScripter|Indrik Spider|MuddyWater|Turla|Higaisa|Sidewinder|Evilnum|Kimsuky|FIN6|APT32|FIN7|Cobalt Group|Molerats|TA505|Silence|Leafminer -T1578.004,Revert Cloud Instance,Defense Evasion,no -T1578.003,Delete Cloud Instance,Defense Evasion,no -T1578.001,Create Snapshot,Defense Evasion,no -T1578.002,Create Cloud Instance,Defense Evasion,no -T1127.001,MSBuild,Defense Evasion,Frankenstein -T1027.005,Indicator Removal from Tools,Defense Evasion,Operation Wocao|GALLIUM|TEMP.Veles|Patchwork|APT3|Turla|OilRig|Deep Panda -T1562.006,Indicator Blocking,Defense Evasion,no -T1573.002,Asymmetric Cryptography,Command And Control,Operation Wocao|Tropic Trooper|Cobalt Group|OilRig|FIN8|FIN6 -T1573.001,Symmetric Cryptography,Command And Control,Mustang Panda|Darkhotel|ZIRCONIUM|Higaisa|Frankenstein|Inception|APT28|APT33|BRONZE BUTLER|Stealth Falcon|Lazarus Group -T1573,Encrypted Channel,Command And Control,APT29|Tropic Trooper -T1027.004,Compile After Delivery,Defense Evasion,Gamaredon Group|Rocke|MuddyWater -T1574.004,Dylib 
Hijacking,Persistence|Privilege Escalation|Defense Evasion,no -T1546.015,Component Object Model Hijacking,Privilege Escalation|Persistence,APT28 -T1071.004,DNS,Command And Control,LazyScripter|Chimera|APT39|Tropic Trooper|OilRig|Ke3chang|Cobalt Group|APT18|APT41|FIN7 -T1071.003,Mail Protocols,Command And Control,Turla|Kimsuky|APT32|SilverTerrier|APT28 -T1071.002,File Transfer Protocols,Command And Control,Kimsuky|APT41|SilverTerrier|Honeybee -T1071.001,Web Protocols,Command And Control,Kimsuky|Confucius|TeamTNT|FIN8|APT29|Mustang Panda|Windshift|TA551|Higaisa|HAFNIUM|Sidewinder|Chimera|Sandworm Team|TA505|Rocke|APT39|Tropic Trooper|MuddyWater|Wizard Spider|Inception|APT41|SilverTerrier|APT28|WIRTE|APT33|FIN4|Night Dragon|APT18|APT38|Rancor|Ke3chang|Orangeworm|APT37|APT19|Cobalt Group|Threat Group-3390|Dark Caracal|Turla|Lazarus Group|BRONZE BUTLER|Magic Hound|APT32|OilRig|Gamaredon Group|Stealth Falcon -T1572,Protocol Tunneling,Command And Control,Leviathan|CostaRicto|Chimera|Fox Kitten|OilRig|Cobalt Group|FIN6 -T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,Exfiltration,Wizard Spider|FIN6|APT32|APT33|Thrip|FIN8|OilRig|Lazarus Group -T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,Exfiltration,APT28|APT29 -T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,Exfiltration,no -T1001.003,Protocol Impersonation,Command And Control,Higaisa|Lazarus Group -T1001.002,Steganography,Command And Control,APT29|Axiom -T1001.001,Junk Data,Command And Control,APT28 -T1132.002,Non-Standard Encoding,Command And Control,no -T1132.001,Standard Encoding,Command And Control,HAFNIUM|TA551|Sandworm Team|Tropic Trooper|MuddyWater|APT33|APT19|Lazarus Group|BRONZE BUTLER|Patchwork -T1090.004,Domain Fronting,Command And Control,APT29 -T1090.003,Multi-hop Proxy,Command And Control,Leviathan|CostaRicto|APT28|Operation Wocao|Inception|FIN4|APT29 -T1090.002,External Proxy,Command And Control,Tonto 
Team|APT39|Silence|GALLIUM|MuddyWater|APT3|FIN5|Lazarus Group|menuPass|APT28 -T1090.001,Internal Proxy,Command And Control,Lazarus Group|Turla|APT29|Higaisa|Operation Wocao|APT39|Strider -T1102.003,One-Way Communication,Command And Control,Leviathan -T1102.002,Bidirectional Communication,Command And Control,Kimsuky|Lazarus Group|ZIRCONIUM|MuddyWater|APT28|APT29|Sandworm Team|APT39|APT12|Turla|FIN7|APT37|Magic Hound|Carbanak -T1102.001,Dead Drop Resolver,Command And Control,Rocke|APT41|BRONZE BUTLER|RTM|Patchwork -T1571,Non-Standard Port,Command And Control,WIRTE|Sandworm Team|Rocke|DarkVishnya|Silence|APT-C-36|Magic Hound|APT33|APT32|TEMP.Veles|Lazarus Group|FIN7 -T1074.002,Remote Data Staging,Collection,Leviathan|APT28|APT29|Chimera|Threat Group-3390|menuPass|FIN6|Night Dragon|FIN8 -T1074.001,Local Data Staging,Collection,Dragonfly|Indrik Spider|BackdoorDiplomacy|Mustang Panda|Sidewinder|Chimera|Kimsuky|APT39|Operation Wocao|GALLIUM|TEMP.Veles|Patchwork|Honeybee|Dragonfly 2.0|Leviathan|APT3|FIN5|menuPass|Lazarus Group|Threat Group-3390|APT28 -T1078.004,Cloud Accounts,Defense Evasion|Persistence|Privilege Escalation|Initial Access,Ke3chang|APT29|APT28|APT33 -T1564.004,NTFS File Attributes,Defense Evasion,APT32 -T1564.003,Hidden Window,Defense Evasion,Gamaredon Group|Kimsuky|Nomadic Octopus|Higaisa|Gorgon Group|Deep Panda|DarkHydrus|CopyKittens|APT19|APT32|APT28|APT3|Magic Hound -T1078.003,Local Accounts,Defense Evasion|Persistence|Privilege Escalation|Initial Access,APT29|Kimsuky|HAFNIUM|Turla|Operation Wocao|PROMETHIUM|Tropic Trooper|FIN10|APT32 -T1078.002,Domain Accounts,Defense Evasion|Persistence|Privilege Escalation|Initial Access,Naikon|Indrik Spider|Chimera|Operation Wocao|Sandworm Team|Wizard Spider|APT29|TA505|APT3|Threat Group-1314 -T1078.001,Default Accounts,Defense Evasion|Persistence|Privilege Escalation|Initial Access,no -T1564.002,Hidden Users,Defense Evasion,Kimsuky|Dragonfly|Dragonfly 2.0 -T1574.006,Dynamic Linker Hijacking,Persistence|Privilege 
Escalation|Defense Evasion,APT41|Rocke -T1574.002,DLL Side-Loading,Persistence|Privilege Escalation|Defense Evasion,Lazarus Group|Mustang Panda|Higaisa|BlackTech|Sidewinder|Chimera|BRONZE BUTLER|Naikon|APT41|GALLIUM|Tropic Trooper|APT19|Patchwork|APT32|APT3|menuPass|Threat Group-3390 -T1574.001,DLL Search Order Hijacking,Persistence|Privilege Escalation|Defense Evasion,Aquatic Panda|BackdoorDiplomacy|Tonto Team|Evilnum|APT41|Whitefly|RTM|Threat Group-3390|menuPass -T1574.008,Path Interception by Search Order Hijacking,Persistence|Privilege Escalation|Defense Evasion,no -T1574.007,Path Interception by PATH Environment Variable,Persistence|Privilege Escalation|Defense Evasion,no -T1574.009,Path Interception by Unquoted Path,Persistence|Privilege Escalation|Defense Evasion,no -T1574.011,Services Registry Permissions Weakness,Persistence|Privilege Escalation|Defense Evasion,no -T1574.005,Executable Installer File Permissions Weakness,Persistence|Privilege Escalation|Defense Evasion,no -T1574.010,Services File Permissions Weakness,Persistence|Privilege Escalation|Defense Evasion,no -T1574,Hijack Execution Flow,Persistence|Privilege Escalation|Defense Evasion,no -T1069.001,Local Groups,Discovery,Tonto Team|Chimera|Operation Wocao|Turla|OilRig|admin@338 -T1570,Lateral Tool Transfer,Lateral Movement,Sandworm Team|Chimera|GALLIUM|Operation Wocao|APT32|Wizard Spider|Turla|FIN10 -T1568.003,DNS Calculation,Command And Control,APT12 -T1204.002,Malicious File,Execution,LazyScripter|WIRTE|Confucius|Dragonfly|Threat Group-3390|Nomadic Octopus|Indrik Spider|APT38|Andariel|Ferocious Kitten|IndigoZebra|Transparent Tribe|Tonto Team|Magic Hound|Ajax Security Team|Mustang Panda|TA551|Higaisa|Sidewinder|Kimsuky|FIN6|PROMETHIUM|APT30|Windshift|APT33|Sandworm Team|Naikon|Whitefly|Tropic Trooper|Gamaredon Group|Sharpshooter|Molerats|Wizard Spider|Mofang|Frankenstein|RTM|Inception|BlackTech|APT-C-36|Machete|admin@338|APT12|TA505|Silence|The White 
Company|APT39|FIN4|Darkhotel|Gallmaker|Dragonfly 2.0|FIN7|BRONZE BUTLER|Gorgon Group|OilRig|Dark Caracal|Cobalt Group|DarkHydrus|Rancor|Patchwork|APT32|APT19|MuddyWater|Lazarus Group|menuPass|APT37|Leviathan|TA459|APT29|APT28|FIN8|PLATINUM|Elderwood -T1204.001,Malicious Link,Execution,LazyScripter|Kimsuky|Lazarus Group|Confucius|FIN7|Transparent Tribe|APT3|Magic Hound|APT28|APT29|Mustang Panda|Sidewinder|ZIRCONIUM|MuddyWater|Evilnum|Sandworm Team|Wizard Spider|Patchwork|Windshift|APT32|Molerats|Mofang|BlackTech|TA505|OilRig|Machete|Leviathan|FIN8|FIN4|Elderwood|Dragonfly 2.0|Cobalt Group|APT39|Night Dragon|Turla|APT33 -T1195.003,Compromise Hardware Supply Chain,Initial Access,no -T1195.002,Compromise Software Supply Chain,Initial Access,Gelsemium|Threat Group-3390|APT29|Cobalt Group|GOLD SOUTHFIELD|Dragonfly|Sandworm Team|APT41 -T1195.001,Compromise Software Dependencies and Development Tools,Initial Access,no -T1568.001,Fast Flux DNS,Command And Control,menuPass|TA505 -T1052.001,Exfiltration over USB,Exfiltration,Mustang Panda|Tropic Trooper -T1569.002,Service Execution,Execution,APT38|Chimera|Operation Wocao|Wizard Spider|Blue Mockingbird|APT39|APT41|Silence|FIN6|APT32|Honeybee|Ke3chang -T1569.001,Launchctl,Execution,no -T1569,System Services,Execution,no -T1568.002,Domain Generation Algorithms,Command And Control,TA551|APT41 -T1568,Dynamic Resolution,Command And Control,Gamaredon Group|Gelsemium|Transparent Tribe|APT29 -T1011.001,Exfiltration Over Bluetooth,Exfiltration,no -T1567.002,Exfiltration to Cloud Storage,Exfiltration,Kimsuky|Threat Group-3390|Confucius|Lazarus Group|FIN7|ZIRCONIUM|HAFNIUM|Chimera|Leviathan|Turla -T1567.001,Exfiltration to Code Repository,Exfiltration,no -T1059.006,Python,Execution,Dragonfly|Tonto Team|APT37|ZIRCONIUM|MuddyWater|Turla|Operation Wocao|Kimsuky|APT29|Rocke|BRONZE BUTLER|APT39|Dragonfly 2.0|Machete -T1059.005,Visual Basic,Execution,Confucius|Lazarus Group|LazyScripter|OilRig|APT38|Transparent Tribe|APT29|Mustang 
Panda|Windshift|Higaisa|Sidewinder|APT39|Machete|Operation Wocao|Kimsuky|APT33|Sandworm Team|Gamaredon Group|Sharpshooter|Molerats|Frankenstein|Inception|APT-C-36|Rancor|Patchwork|MuddyWater|Honeybee|FIN7|APT37|BRONZE BUTLER|APT32|Turla|TA505|Silence|WIRTE|FIN4|Cobalt Group|Gorgon Group|Leviathan|TA459|Magic Hound -T1059.004,Unix Shell,Execution,TeamTNT|Rocke|APT41 -T1059.003,Windows Command Shell,Execution,Kimsuky|Aquatic Panda|Dragonfly|LazyScripter|Sandworm Team|Nomadic Octopus|TeamTNT|APT29|Mustang Panda|ZIRCONIUM|TA551|Higaisa|Indrik Spider|Chimera|Fox Kitten|Machete|Operation Wocao|Wizard Spider|FIN6|TA505|Blue Mockingbird|Tropic Trooper|Frankenstein|OilRig|Lazarus Group|Honeybee|Cobalt Group|FIN7|APT41|GALLIUM|Turla|Silence|APT32|Darkhotel|MuddyWater|APT18|APT38|Gorgon Group|Dark Caracal|Ke3chang|Dragonfly 2.0|Rancor|FIN8|APT28|APT37|Magic Hound|BRONZE BUTLER|Sowbug|menuPass|FIN10|Threat Group-3390|Gamaredon Group|Patchwork|Suckfly|Threat Group-1314|APT3|admin@338|APT1 -T1059.002,AppleScript,Execution,no -T1059.001,PowerShell,Execution,Gamaredon Group|Lazarus Group|Aquatic Panda|Confucius|Dragonfly|LazyScripter|Nomadic Octopus|TeamTNT|APT38|Tonto Team|Mustang Panda|Indrik Spider|HAFNIUM|Sidewinder|Fox Kitten|GOLD SOUTHFIELD|Sandworm Team|Operation Wocao|Chimera|Blue Mockingbird|APT39|DarkVishnya|Molerats|Wizard Spider|Frankenstein|Inception|Silence|APT41|Kimsuky|GALLIUM|TA505|WIRTE|TEMP.Veles|APT33|Gallmaker|Turla|Thrip|Cobalt Group|APT28|DarkHydrus|Dragonfly 2.0|APT19|Gorgon Group|TA459|Leviathan|MuddyWater|FIN8|CopyKittens|OilRig|Magic Hound|BRONZE BUTLER|FIN7|APT32|menuPass|FIN10|Threat Group-3390|Patchwork|Stealth Falcon|FIN6|Poseidon Group|APT3|APT29|Deep Panda -T1567,Exfiltration Over Web Service,Exfiltration,APT28 -T1497.003,Time Based Evasion,Defense Evasion|Discovery,no -T1497.002,User Activity Based Checks,Defense Evasion|Discovery,Darkhotel|FIN7 -T1497.001,System Checks,Defense Evasion|Discovery,Lazarus Group|OilRig|Darkhotel|Evilnum|Frankenstein 
-T1498.002,Reflection Amplification,Impact,no -T1498.001,Direct Network Flood,Impact,no -T1566.003,Spearphishing via Service,Initial Access,Lazarus Group|APT29|Ajax Security Team|Magic Hound|Windshift|FIN6|OilRig|Dark Caracal -T1566.002,Spearphishing Link,Initial Access,Lazarus Group|Confucius|LazyScripter|Transparent Tribe|FIN7|APT3|Mustang Panda|ZIRCONIUM|MuddyWater|Sidewinder|Evilnum|Sandworm Team|Wizard Spider|APT1|Windshift|Molerats|Mofang|BlackTech|Machete|Kimsuky|TA505|APT39|FIN4|APT32|Night Dragon|APT28|Cobalt Group|Turla|Dragonfly 2.0|OilRig|Elderwood|APT33|APT29|Leviathan|FIN8|Patchwork|Magic Hound -T1566.001,Spearphishing Attachment,Initial Access,WIRTE|Confucius|Dragonfly|LazyScripter|Threat Group-3390|APT38|Andariel|Ferocious Kitten|IndigoZebra|Transparent Tribe|Nomadic Octopus|Tonto Team|Ajax Security Team|Mustang Panda|TA551|Higaisa|Sidewinder|APT1|FIN6|APT30|Windshift|APT33|Sandworm Team|Naikon|Gamaredon Group|Sharpshooter|Molerats|Mofang|Wizard Spider|RTM|Frankenstein|Inception|BlackTech|APT-C-36|APT41|Machete|admin@338|Kimsuky|APT12|TA505|Silence|The White Company|APT39|FIN4|Darkhotel|Gallmaker|Tropic Trooper|DarkHydrus|Lazarus Group|Gorgon Group|OilRig|BRONZE BUTLER|APT19|APT32|Cobalt Group|Rancor|FIN7|Dragonfly 2.0|MuddyWater|APT28|TA459|APT29|APT37|Leviathan|FIN8|Patchwork|menuPass|Elderwood|PLATINUM -T1566,Phishing,Initial Access,Axiom|GOLD SOUTHFIELD|Dragonfly -T1565.003,Runtime Data Manipulation,Impact,APT38 -T1565.002,Transmitted Data Manipulation,Impact,APT38 -T1565.001,Stored Data Manipulation,Impact,APT38 -T1565,Data Manipulation,Impact,no -T1564.001,Hidden Files and Directories,Defense Evasion,Transparent Tribe|Mustang Panda|Rocke|APT32|Tropic Trooper|APT28|Lazarus Group -T1564,Hide Artifacts,Defense Evasion,no -T1563.002,RDP Hijacking,Lateral Movement,Axiom -T1563.001,SSH Hijacking,Lateral Movement,no -T1563,Remote Service Session Hijacking,Lateral Movement,no -T1518.001,Security Software Discovery,Discovery,Kimsuky|Aquatic 
Panda|TeamTNT|APT38|Windshift|Sidewinder|Operation Wocao|Wizard Spider|Turla|Rocke|Frankenstein|The White Company|Cobalt Group|Darkhotel|MuddyWater|Tropic Trooper|FIN8|Patchwork|Naikon -T1069.003,Cloud Groups,Discovery,no -T1069.002,Domain Groups,Discovery,APT29|Dragonfly|Turla|Inception|OilRig|Dragonfly 2.0|Ke3chang -T1087.004,Cloud Account,Discovery,APT29 -T1087.003,Email Account,Discovery,Sandworm Team|TA505 -T1087.002,Domain Account,Discovery,APT29|Lazarus Group|Dragonfly|MuddyWater|Fox Kitten|Operation Wocao|Wizard Spider|Chimera|Turla|Sandworm Team|Dragonfly 2.0|OilRig|BRONZE BUTLER|menuPass|FIN6|Poseidon Group|Ke3chang -T1087.001,Local Account,Discovery,Chimera|Fox Kitten|Turla|Poseidon Group|OilRig|Ke3chang|APT32|APT1|Threat Group-3390|APT3|admin@338 -T1553.004,Install Root Certificate,Defense Evasion,no -T1562.004,Disable or Modify System Firewall,Defense Evasion,Dragonfly|TeamTNT|APT38|APT29|Operation Wocao|Rocke|Lazarus Group|Kimsuky|Dragonfly 2.0|Carbanak -T1562.003,Impair Command History Logging,Defense Evasion,APT38 -T1562.002,Disable Windows Event Logging,Defense Evasion,Sandworm Team|APT29|Threat Group-3390 -T1562.001,Disable or Modify Tools,Defense Evasion,Aquatic Panda|TeamTNT|Indrik Spider|APT29|MuddyWater|Wizard Spider|FIN6|Gamaredon Group|BRONZE BUTLER|Rocke|Kimsuky|Turla|Night Dragon|Gorgon Group|Lazarus Group|Putter Panda -T1562,Impair Defenses,Defense Evasion,no -T1003.004,LSA Secrets,Credential Access,Dragonfly|OilRig|MuddyWater|menuPass|Leafminer|Ke3chang|Dragonfly 2.0|APT33|Threat Group-3390 -T1003.005,Cached Domain Credentials,Credential Access,OilRig|MuddyWater|Leafminer|APT33 -T1561.002,Disk Structure Wipe,Impact,Sandworm Team|Lazarus Group|APT38|APT37 -T1561.001,Disk Content Wipe,Impact,Lazarus Group -T1561,Disk Wipe,Impact,no -T1560.003,Archive via Custom Method,Collection,Mustang Panda|Lazarus Group|Kimsuky|CopyKittens|FIN6 -T1560.002,Archive via Library,Collection,Lazarus Group|Threat Group-3390 -T1560.001,Archive via 
Utility,Collection,Kimsuky|Aquatic Panda|APT28|APT29|Mustang Panda|HAFNIUM|Fox Kitten|Operation Wocao|Chimera|APT41|GALLIUM|Turla|Gallmaker|APT33|APT39|MuddyWater|Magic Hound|FIN8|BRONZE BUTLER|CopyKittens|Sowbug|APT3|menuPass|APT1|Ke3chang -T1560,Archive Collected Data,Collection,Axiom|Dragonfly|Leviathan|menuPass|APT32|Honeybee|Patchwork|APT28|Dragonfly 2.0|FIN6|Lazarus Group|Ke3chang -T1499.004,Application or System Exploitation,Impact,no -T1499.003,Application Exhaustion Flood,Impact,no -T1499.002,Service Exhaustion Flood,Impact,no -T1499.001,OS Exhaustion Flood,Impact,no -T1491.002,External Defacement,Impact,Sandworm Team -T1491.001,Internal Defacement,Impact,Gamaredon Group|Lazarus Group -T1114.003,Email Forwarding Rule,Collection,Silent Librarian|Kimsuky -T1114.002,Remote Email Collection,Collection,Kimsuky|Dragonfly|APT29|HAFNIUM|Chimera|APT1|FIN4|Ke3chang|Leafminer|Dragonfly 2.0|APT28 -T1114.001,Local Email Collection,Collection,Chimera|Magic Hound|APT1 -T1134.005,SID-History Injection,Defense Evasion|Privilege Escalation,no -T1134.004,Parent PID Spoofing,Defense Evasion|Privilege Escalation,no -T1134.003,Make and Impersonate Token,Defense Evasion|Privilege Escalation,no -T1134.002,Create Process with Token,Defense Evasion|Privilege Escalation,Turla|Lazarus Group -T1134.001,Token Impersonation/Theft,Defense Evasion|Privilege Escalation,FIN8|APT28 -T1213.002,Sharepoint,Collection,Chimera|Ke3chang|APT28 -T1213.001,Confluence,Collection,no -T1555.003,Credentials from Web Browsers,Credential Access,APT29|Ajax Security Team|ZIRCONIUM|FIN6|Sandworm Team|Inception|Stealth Falcon|OilRig|Leafminer|APT33|APT3|Kimsuky|TA505|MuddyWater|APT37|Patchwork|Molerats -T1555.002,Securityd Memory,Credential Access,no -T1555.001,Keychain,Credential Access,no -T1559.002,Dynamic Data Exchange,Execution,Leviathan|Sidewinder|Sharpshooter|TA505|MuddyWater|Gallmaker|Patchwork|Cobalt Group|APT37|FIN7|APT28 -T1559.001,Component Object Model,Execution,Gamaredon Group|MuddyWater 
-T1559,Inter-Process Communication,Execution,no -T1558.002,Silver Ticket,Credential Access,no -T1558.001,Golden Ticket,Credential Access,Ke3chang -T1558,Steal or Forge Kerberos Tickets,Credential Access,no -T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,Credential Access|Collection,Lazarus Group|Wizard Spider -T1557,Adversary-in-the-Middle,Credential Access|Collection,Kimsuky -T1556.002,Password Filter DLL,Credential Access|Defense Evasion|Persistence,Strider -T1556.001,Domain Controller Authentication,Credential Access|Defense Evasion|Persistence,Chimera -T1556,Modify Authentication Process,Credential Access|Defense Evasion|Persistence,no -T1056.004,Credential API Hooking,Collection|Credential Access,PLATINUM -T1056.003,Web Portal Capture,Collection|Credential Access,no -T1056.002,GUI Input Capture,Collection|Credential Access,FIN4 -T1056.001,Keylogging,Collection|Credential Access,Tonto Team|Ajax Security Team|Operation Wocao|APT32|Sandworm Team|APT39|APT41|Kimsuky|menuPass|FIN4|APT38|OilRig|Ke3chang|PLATINUM|Sowbug|Magic Hound|Group5|Lazarus Group|Threat Group-3390|APT3|Darkhotel|APT28 -T1555,Credentials from Password Stores,Credential Access,APT29|Evilnum|FIN6|APT39|OilRig|MuddyWater|Leafminer|APT33|Stealth Falcon -T1552.005,Cloud Instance Metadata API,Credential Access,TeamTNT -T1003.008,/etc/passwd and /etc/shadow,Credential Access,no -T1003.007,Proc Filesystem,Credential Access,no -T1003.006,DCSync,Credential Access,APT29|Operation Wocao -T1558.003,Kerberoasting,Credential Access,FIN7|APT29|Operation Wocao|Wizard Spider -T1552.006,Group Policy Preferences,Credential Access,APT33 -T1003.003,NTDS,Credential Access,Ke3chang|Dragonfly|APT28|Mustang Panda|HAFNIUM|Fox Kitten|menuPass|Wizard Spider|Chimera|FIN6|Dragonfly 2.0 -T1003.002,Security Account Manager,Credential Access,Dragonfly|Wizard Spider|Threat Group-3390|Ke3chang|GALLIUM|Night Dragon|Dragonfly 2.0|menuPass -T1003.001,LSASS Memory,Credential Access,Aquatic Panda|Indrik Spider|HAFNIUM|Fox 
Kitten|Operation Wocao|Kimsuky|Sandworm Team|Whitefly|Blue Mockingbird|Silence|Threat Group-3390|Leviathan|APT41|GALLIUM|TEMP.Veles|APT33|APT39|APT32|Leafminer|Magic Hound|FIN8|PLATINUM|MuddyWater|OilRig|BRONZE BUTLER|FIN6|APT3|APT28|APT1|Ke3chang|Cleaver -T1110.004,Credential Stuffing,Credential Access,Chimera -T1110.003,Password Spraying,Credential Access,Sandworm Team|APT29|Silent Librarian|Chimera|APT28|APT33|Leafminer|Lazarus Group -T1110.002,Password Cracking,Credential Access,Dragonfly|FIN6|APT41|Dragonfly 2.0|APT3 -T1110.001,Password Guessing,Credential Access,APT28 -T1021.006,Windows Remote Management,Lateral Movement,APT29|Chimera|Wizard Spider|Threat Group-3390 -T1021.005,VNC,Lateral Movement,Gamaredon Group|FIN7|Fox Kitten|GCMAN -T1021.004,SSH,Lateral Movement,BlackTech|Lazarus Group|TeamTNT|FIN7|Fox Kitten|Rocke|TEMP.Veles|Leviathan|APT39|OilRig|menuPass|GCMAN -T1021.003,Distributed Component Object Model,Lateral Movement,no -T1021.002,SMB/Windows Admin Shares,Lateral Movement,APT29|Sandworm Team|APT28|Fox Kitten|APT41|Operation Wocao|Wizard Spider|Chimera|Blue Mockingbird|APT39|APT32|Orangeworm|FIN8|APT3|Lazarus Group|Threat Group-1314|Turla|Deep Panda|Ke3chang -T1021.001,Remote Desktop Protocol,Lateral Movement,APT29|Dragonfly|Kimsuky|FIN7|Fox Kitten|Chimera|Blue Mockingbird|Wizard Spider|Silence|APT41|TEMP.Veles|Leviathan|APT39|Cobalt Group|Dragonfly 2.0|FIN8|APT3|OilRig|FIN10|menuPass|Patchwork|FIN6|Lazarus Group|APT1|Axiom -T1554,Compromise Client Software Binary,Persistence,no -T1036.006,Space after Filename,Defense Evasion,no -T1036.005,Match Legitimate Name or Location,Defense Evasion,Ke3chang|Kimsuky|Gamaredon Group|WIRTE|APT28|Ferocious Kitten|FIN7|BackdoorDiplomacy|Transparent Tribe|Naikon|APT29|Mustang Panda|Sidewinder|Darkhotel|Lazarus Group|Indrik Spider|Fox Kitten|Machete|Chimera|PROMETHIUM|Rocke|Sandworm Team|APT39|Blue Mockingbird|Whitefly|Tropic Trooper|Silence|APT41|menuPass|TEMP.Veles|MuddyWater|Sowbug|BRONZE 
BUTLER|APT32|Patchwork|Poseidon Group|admin@338|Carbanak|APT1 -T1036.004,Masquerade Task or Service,Defense Evasion,Lazarus Group|BackdoorDiplomacy|APT41|Naikon|ZIRCONIUM|APT29|Higaisa|Fox Kitten|Kimsuky|PROMETHIUM|Wizard Spider|APT-C-36|Carbanak|APT32|FIN6|FIN7 -T1036.003,Rename System Utilities,Defense Evasion,Lazarus Group|menuPass|APT32|GALLIUM -T1036.002,Right-to-Left Override,Defense Evasion,Ferocious Kitten|BRONZE BUTLER|BlackTech|Ke3chang|Scarlet Mimic -T1036.001,Invalid Code Signature,Defense Evasion,Windshift|APT37 -T1553.003,SIP and Trust Provider Hijacking,Defense Evasion,no -T1553.002,Code Signing,Defense Evasion,Lazarus Group|menuPass|APT29|GALLIUM|Wizard Spider|Kimsuky|PROMETHIUM|Patchwork|Silence|APT41|FIN6|TA505|FIN7|Honeybee|Leviathan|CopyKittens|Winnti Group|Suckfly|Molerats|Darkhotel -T1553.001,Gatekeeper Bypass,Defense Evasion,no -T1553,Subvert Trust Controls,Defense Evasion,Axiom -T1027.003,Steganography,Defense Evasion,Andariel|Leviathan|TA551|BRONZE BUTLER|Tropic Trooper|MuddyWater|APT37 -T1027.002,Software Packing,Defense Evasion,Threat Group-3390|Lazarus Group|Sandworm Team|Kimsuky|TeamTNT|ZIRCONIUM|TA505|Rocke|GALLIUM|The White Company|APT39|APT38|Dark Caracal|Elderwood|APT3|Patchwork|APT29|Night Dragon -T1027.001,Binary Padding,Defense Evasion,APT29|Mustang Panda|Higaisa|Gamaredon Group|Patchwork|APT32|Leviathan|BRONZE BUTLER|Moafee -T1222.002,Linux and Mac File and Directory Permissions Modification,Defense Evasion,TeamTNT|Rocke|APT32 -T1222.001,Windows File and Directory Permissions Modification,Defense Evasion,Wizard Spider -T1552.004,Private Keys,Credential Access,TeamTNT|APT29|Operation Wocao|Rocke -T1552.003,Bash History,Credential Access,no -T1552.002,Credentials in Registry,Credential Access,APT32 -T1552.001,Credentials In Files,Credential Access,TeamTNT|Kimsuky|Fox Kitten|Leafminer|APT33|OilRig|TA505|MuddyWater|APT3 -T1552,Unsecured Credentials,Credential Access,no -T1216.001,PubPrn,Defense Evasion,APT32 
-T1070.006,Timestomp,Defense Evasion,APT38|APT29|Chimera|Kimsuky|Rocke|TEMP.Veles|APT32|Lazarus Group|APT28 -T1070.005,Network Share Connection Removal,Defense Evasion,Threat Group-3390 -T1070.004,File Deletion,Defense Evasion,Aquatic Panda|Dragonfly|TeamTNT|APT39|Mustang Panda|Chimera|Evilnum|Operation Wocao|FIN6|Sandworm Team|Rocke|Tropic Trooper|Gamaredon Group|Wizard Spider|APT41|Kimsuky|Silence|The White Company|TEMP.Veles|APT32|APT38|Cobalt Group|Dragonfly 2.0|Honeybee|Patchwork|menuPass|FIN8|OilRig|FIN5|BRONZE BUTLER|APT3|Magic Hound|Threat Group-3390|APT28|FIN10|Group5|Lazarus Group|APT18|APT29 -T1070.003,Clear Command History,Defense Evasion,Lazarus Group|TeamTNT|menuPass|APT41 -T1550.004,Web Session Cookie,Defense Evasion|Lateral Movement,APT29 -T1550.001,Application Access Token,Defense Evasion|Lateral Movement,APT29|APT28 -T1550.003,Pass the Ticket,Defense Evasion|Lateral Movement,APT32|BRONZE BUTLER|APT29 -T1550.002,Pass the Hash,Defense Evasion|Lateral Movement,Chimera|Kimsuky|GALLIUM|APT32|Night Dragon|APT28|APT1 -T1550,Use Alternate Authentication Material,Defense Evasion|Lateral Movement,APT29 -T1548.004,Elevated Execution with Prompt,Privilege Escalation|Defense Evasion,no -T1548.003,Sudo and Sudo Caching,Privilege Escalation|Defense Evasion,no -T1548.002,Bypass User Account Control,Privilege Escalation|Defense Evasion,Evilnum|APT37|MuddyWater|Threat Group-3390|Honeybee|Cobalt Group|BRONZE BUTLER|Patchwork|APT29 -T1548.001,Setuid and Setgid,Privilege Escalation|Defense Evasion,no -T1548,Abuse Elevation Control Mechanism,Privilege Escalation|Defense Evasion,no -T1136.003,Cloud Account,Persistence,APT29 -T1070.002,Clear Linux or Mac System Logs,Defense Evasion,TeamTNT|Rocke -T1070.001,Clear Windows Event Logs,Defense Evasion,Dragonfly|Indrik Spider|Chimera|Operation Wocao|APT41|APT38|Dragonfly 2.0|APT32|FIN8|FIN5|APT28 -T1136.002,Domain Account,Persistence,Sandworm Team|HAFNIUM|GALLIUM -T1136.001,Local 
Account,Persistence,Kimsuky|Dragonfly|TeamTNT|Fox Kitten|APT39|APT41|Leafminer|Dragonfly 2.0|APT3 -T1547.011,Plist Modification,Persistence|Privilege Escalation,no -T1547.010,Port Monitors,Persistence|Privilege Escalation,no -T1547.009,Shortcut Modification,Persistence|Privilege Escalation,Dragonfly|APT39|Darkhotel|APT29|Gorgon Group|Dragonfly 2.0|Lazarus Group|Leviathan -T1547.008,LSASS Driver,Persistence|Privilege Escalation,no -T1547.007,Re-opened Applications,Persistence|Privilege Escalation,no -T1547.006,Kernel Modules and Extensions,Persistence|Privilege Escalation,no -T1547.005,Security Support Provider,Persistence|Privilege Escalation,no -T1547.004,Winlogon Helper DLL,Persistence|Privilege Escalation,Wizard Spider|Tropic Trooper|Turla -T1547.003,Time Providers,Persistence|Privilege Escalation,no -T1546.014,Emond,Privilege Escalation|Persistence,no -T1546.013,PowerShell Profile,Privilege Escalation|Persistence,Turla -T1546.012,Image File Execution Options Injection,Privilege Escalation|Persistence,TEMP.Veles -T1218.008,Odbcconf,Defense Evasion,Cobalt Group -T1546.011,Application Shimming,Privilege Escalation|Persistence,FIN7 -T1547.002,Authentication Package,Persistence|Privilege Escalation,no -T1546.010,AppInit DLLs,Privilege Escalation|Persistence,APT39 -T1546.009,AppCert DLLs,Privilege Escalation|Persistence,Honeybee -T1218.007,Msiexec,Defense Evasion,ZIRCONIUM|Molerats|Machete|TA505|Rancor -T1546.008,Accessibility Features,Privilege Escalation|Persistence,Fox Kitten|APT41|APT3|APT29|Deep Panda|Axiom -T1546.007,Netsh Helper DLL,Privilege Escalation|Persistence,no -T1546.006,LC_LOAD_DYLIB Addition,Privilege Escalation|Persistence,no -T1546.005,Trap,Privilege Escalation|Persistence,no -T1546.004,Unix Shell Configuration Modification,Privilege Escalation|Persistence,no -T1546.003,Windows Management Instrumentation Event Subscription,Privilege Escalation|Persistence,FIN8|Mustang Panda|APT33|Blue Mockingbird|Turla|Leviathan|APT29 
-T1546.002,Screensaver,Privilege Escalation|Persistence,no -T1546.001,Change Default File Association,Privilege Escalation|Persistence,Kimsuky -T1547.001,Registry Run Keys / Startup Folder,Persistence|Privilege Escalation,Confucius|Dragonfly|LazyScripter|TeamTNT|Naikon|Windshift|Mustang Panda|ZIRCONIUM|Higaisa|Sidewinder|APT28|Wizard Spider|PROMETHIUM|Rocke|Tropic Trooper|Gamaredon Group|Sharpshooter|Molerats|Silence|RTM|Inception|APT41|Kimsuky|APT33|APT39|APT32|APT18|Dark Caracal|Threat Group-3390|Honeybee|Turla|Cobalt Group|Ke3chang|Dragonfly 2.0|APT19|Gorgon Group|MuddyWater|APT37|Leviathan|BRONZE BUTLER|APT3|Magic Hound|FIN10|FIN7|Patchwork|FIN6|Lazarus Group|Putter Panda|APT29|Darkhotel -T1218.002,Control Panel,Defense Evasion,no -T1218.010,Regsvr32,Defense Evasion,Kimsuky|Lazarus Group|TA551|Blue Mockingbird|Inception|WIRTE|Cobalt Group|APT19|Leviathan|APT32|Deep Panda -T1218.009,Regsvcs/Regasm,Defense Evasion,no -T1218.005,Mshta,Defense Evasion,Gamaredon Group|Confucius|Lazarus Group|APT29|LazyScripter|Mustang Panda|TA551|Sidewinder|Inception|Kimsuky|APT32|MuddyWater|FIN7 -T1218.004,InstallUtil,Defense Evasion,Mustang Panda|menuPass -T1218.001,Compiled HTML File,Defense Evasion,APT38|APT41|Silence|Dark Caracal|OilRig|Lazarus Group -T1218.003,CMSTP,Defense Evasion,Cobalt Group|MuddyWater -T1218.011,Rundll32,Defense Evasion,Kimsuky|Lazarus Group|LazyScripter|APT38|HAFNIUM|TA551|APT41|Gamaredon Group|APT32|Sandworm Team|Blue Mockingbird|TA505|MuddyWater|APT29|APT19|CopyKittens|APT3|Carbanak|APT28 -T1547,Boot or Logon Autostart Execution,Persistence|Privilege Escalation,no -T1546,Event Triggered Execution,Privilege Escalation|Persistence,no -T1098.003,Add Office 365 Global Administrator Role,Persistence,APT29 -T1098.002,Exchange Email Delegate Permissions,Persistence,APT28|APT29|Magic Hound -T1098.001,Additional Cloud Credentials,Persistence,APT29 -T1543.004,Launch Daemon,Persistence|Privilege Escalation,no -T1543.003,Windows Service,Persistence|Privilege 
Escalation,TeamTNT|APT38|PROMETHIUM|Blue Mockingbird|DarkVishnya|Wizard Spider|APT32|APT41|Kimsuky|Tropic Trooper|Cobalt Group|Ke3chang|FIN7|APT19|Threat Group-3390|Honeybee|APT3|Lazarus Group|Carbanak -T1543.002,Systemd Service,Persistence|Privilege Escalation,TeamTNT|Rocke -T1543.001,Launch Agent,Persistence|Privilege Escalation,no -T1037.005,Startup Items,Persistence|Privilege Escalation,no -T1037.004,RC Scripts,Persistence|Privilege Escalation,no -T1055.012,Process Hollowing,Defense Evasion|Privilege Escalation,Kimsuky|Threat Group-3390|menuPass|Gorgon Group|Patchwork -T1055.013,Process Doppelgänging,Defense Evasion|Privilege Escalation,Leafminer -T1055.011,Extra Window Memory Injection,Defense Evasion|Privilege Escalation,no -T1055.014,VDSO Hijacking,Defense Evasion|Privilege Escalation,no -T1055.009,Proc Memory,Defense Evasion|Privilege Escalation,no -T1055.008,Ptrace System Calls,Defense Evasion|Privilege Escalation,no -T1055.005,Thread Local Storage,Defense Evasion|Privilege Escalation,no -T1055.004,Asynchronous Procedure Call,Defense Evasion|Privilege Escalation,FIN8 -T1055.003,Thread Execution Hijacking,Defense Evasion|Privilege Escalation,no -T1055.002,Portable Executable Injection,Defense Evasion|Privilege Escalation,Rocke|Gorgon Group -T1055.001,Dynamic-link Library Injection,Defense Evasion|Privilege Escalation,BackdoorDiplomacy|Leviathan|Wizard Spider|TA505|Turla|Tropic Trooper|Lazarus Group|Putter Panda -T1037.003,Network Logon Script,Persistence|Privilege Escalation,no -T1543,Create or Modify System Process,Persistence|Privilege Escalation,no -T1037.002,Logon Script (Mac),Persistence|Privilege Escalation,no -T1037.001,Logon Script (Windows),Persistence|Privilege Escalation,Cobalt Group|APT28 -T1542.003,Bootkit,Persistence|Defense Evasion,APT41|Lazarus Group|APT28 -T1542.002,Component Firmware,Persistence|Defense Evasion,Equation -T1542.001,System Firmware,Persistence|Defense Evasion,no -T1505.003,Web 
Shell,Persistence,Dragonfly|BackdoorDiplomacy|APT38|APT29|APT28|Tonto Team|Sandworm Team|HAFNIUM|Volatile Cedar|Fox Kitten|Operation Wocao|Kimsuky|Tropic Trooper|GALLIUM|Threat Group-3390|TEMP.Veles|Leviathan|APT39|Dragonfly 2.0|APT32|OilRig|Deep Panda -T1505.002,Transport Agent,Persistence,no -T1505.001,SQL Stored Procedures,Persistence,Sandworm Team -T1053.003,Cron,Execution|Persistence|Privilege Escalation,APT38|Rocke -T1053.001,At (Linux),Execution|Persistence|Privilege Escalation,no -T1053.005,Scheduled Task,Execution|Persistence|Privilege Escalation,Kimsuky|Lazarus Group|Confucius|Dragonfly|APT37|APT38|Naikon|CostaRicto|Mustang Panda|Higaisa|Fox Kitten|Molerats|Machete|Operation Wocao|Chimera|Gamaredon Group|Blue Mockingbird|MuddyWater|Wizard Spider|Frankenstein|APT-C-36|BRONZE BUTLER|APT41|GALLIUM|Silence|TEMP.Veles|APT33|APT39|Rancor|OilRig|Patchwork|Dragonfly 2.0|Cobalt Group|FIN8|menuPass|FIN10|FIN7|APT32|Stealth Falcon|FIN6|APT3|APT29 -T1053.002,At (Windows),Execution|Persistence|Privilege Escalation,BRONZE BUTLER|Threat Group-3390|APT18 -T1542,Pre-OS Boot,Defense Evasion|Persistence,no -T1137.001,Office Template Macros,Persistence,MuddyWater -T1137.004,Outlook Home Page,Persistence,OilRig -T1137.003,Outlook Forms,Persistence,no -T1137.005,Outlook Rules,Persistence,no -T1137.006,Add-ins,Persistence,Naikon -T1137.002,Office Test,Persistence,APT28 -T1531,Account Access Removal,Impact,no -T1539,Steal Web Session Cookie,Credential Access,APT29|Evilnum -T1529,System Shutdown/Reboot,Impact,Lazarus Group|APT38|APT37 -T1518,Software Discovery,Discovery,Mustang Panda|Windshift|MuddyWater|Windigo|Sidewinder|Operation Wocao|BRONZE BUTLER|Tropic Trooper|Inception -T1547.013,XDG Autostart Entries,Persistence|Privilege Escalation,no -T1534,Internal Spearphishing,Lateral Movement,Kimsuky|Lazarus Group|Leviathan|Gamaredon Group -T1528,Steal Application Access Token,Credential Access,APT28 -T1535,Unused/Unsupported Cloud Regions,Defense Evasion,no -T1525,Implant Internal 
Image,Persistence,no -T1538,Cloud Service Dashboard,Discovery,no -T1530,Data from Cloud Storage Object,Collection,Fox Kitten -T1578,Modify Cloud Compute Infrastructure,Defense Evasion,no -T1537,Transfer Data to Cloud Account,Exfiltration,no -T1526,Cloud Service Discovery,Discovery,no -T1505,Server Software Component,Persistence,no -T1499,Endpoint Denial of Service,Impact,Sandworm Team -T1497,Virtualization/Sandbox Evasion,Defense Evasion|Discovery,Darkhotel -T1498,Network Denial of Service,Impact,APT28 -T1496,Resource Hijacking,Impact,TeamTNT|Blue Mockingbird|Rocke|APT41 -T1495,Firmware Corruption,Impact,no -T1491,Defacement,Impact,no -T1490,Inhibit System Recovery,Impact,no -T1489,Service Stop,Impact,Indrik Spider|Wizard Spider|Lazarus Group -T1486,Data Encrypted for Impact,Impact,FIN7|Indrik Spider|APT41|TA505|APT38 -T1485,Data Destruction,Impact,Gamaredon Group|Sandworm Team|Lazarus Group|APT38 -T1484,Domain Policy Modification,Defense Evasion|Privilege Escalation,no -T1482,Domain Trust Discovery,Discovery,FIN8|APT29|Chimera -T1480,Execution Guardrails,Defense Evasion,no -T1221,Template Injection,Defense Evasion,Lazarus Group|Confucius|Dragonfly|Gamaredon Group|Frankenstein|Inception|APT28|Tropic Trooper|DarkHydrus|Dragonfly 2.0 -T1222,File and Directory Permissions Modification,Defense Evasion,no -T1220,XSL Script Processing,Defense Evasion,Lazarus Group|Higaisa|Cobalt Group -T1217,Browser Bookmark Discovery,Discovery,APT38|Chimera|Fox Kitten -T1212,Exploitation for Credential Access,Credential Access,no -T1189,Drive-by Compromise,Initial Access,Magic Hound|APT28|Axiom|Transparent Tribe|Andariel|Leviathan|Machete|Windigo|Dragonfly|PROMETHIUM|Turla|Windshift|RTM|Darkhotel|APT38|APT19|Lazarus Group|Threat Group-3390|BRONZE BUTLER|APT32|Dark Caracal|Dragonfly 2.0|Leafminer|Patchwork|APT37|Elderwood|PLATINUM -T1211,Exploitation for Defense Evasion,Defense Evasion,APT28 -T1197,BITS Jobs,Defense Evasion|Persistence,APT39|Patchwork|APT41|Leviathan -T1203,Exploitation 
for Client Execution,Execution,Axiom|Confucius|Dragonfly|Andariel|Transparent Tribe|APT3|Tonto Team|Mustang Panda|Darkhotel|Higaisa|HAFNIUM|Sidewinder|Sandworm Team|MuddyWater|Frankenstein|Inception|BlackTech|APT41|admin@338|Threat Group-3390|APT12|The White Company|APT33|APT32|APT28|Tropic Trooper|BRONZE BUTLER|Cobalt Group|Lazarus Group|Patchwork|Elderwood|APT29|TA459|APT37|Leviathan -T1201,Password Policy Discovery,Discovery,Chimera|Turla|OilRig -T1195,Supply Chain Compromise,Initial Access,no -T1199,Trusted Relationship,Initial Access,Threat Group-3390|APT29|Sandworm Team|GOLD SOUTHFIELD|APT28|menuPass -T1218,Signed Binary Proxy Execution,Defense Evasion,Lazarus Group -T1204,User Execution,Execution,no -T1213,Data from Information Repositories,Collection,APT29|APT28|Fox Kitten|FIN6|Turla -T1190,Exploit Public-Facing Application,Initial Access,Threat Group-3390|Ke3chang|Kimsuky|Magic Hound|Dragonfly|BackdoorDiplomacy|menuPass|Volatile Cedar|Fox Kitten|Operation Wocao|APT28|APT29|GOLD SOUTHFIELD|Blue Mockingbird|Rocke|APT39|BlackTech|APT41|GALLIUM|Night Dragon|Axiom -T1210,Exploitation of Remote Services,Lateral Movement,Dragonfly|Tonto Team|FIN7|Fox Kitten|menuPass|Wizard Spider|Threat Group-3390|APT28 -T1200,Hardware Additions,Initial Access,DarkVishnya -T1202,Indirect Command Execution,Defense Evasion,Lazarus Group -T1219,Remote Access Software,Command And Control,TeamTNT|Mustang Panda|MuddyWater|Evilnum|GOLD SOUTHFIELD|Sandworm Team|DarkVishnya|RTM|Kimsuky|Night Dragon|Cobalt Group|Thrip|Carbanak -T1207,Rogue Domain Controller,Defense Evasion,no -T1216,Signed Script Proxy Execution,Defense Evasion,no -T1205,Traffic Signaling,Defense Evasion|Persistence|Command And Control,no -T1176,Browser Extensions,Persistence,Kimsuky -T1187,Forced Authentication,Credential Access,Dragonfly|DarkHydrus|Dragonfly 2.0 -T1185,Browser Session Hijacking,Collection,no -T1140,Deobfuscate/Decode Files or Information,Defense Evasion,Lazarus 
Group|Ke3chang|Kimsuky|APT39|APT29|ZIRCONIUM|Higaisa|Rocke|Sandworm Team|Gamaredon Group|Molerats|Frankenstein|Turla|WIRTE|Darkhotel|Tropic Trooper|Honeybee|Gorgon Group|Threat Group-3390|menuPass|APT19|Leviathan|MuddyWater|APT28|OilRig|BRONZE BUTLER -T1134,Access Token Manipulation,Defense Evasion|Privilege Escalation,FIN6|Blue Mockingbird -T1136,Create Account,Persistence,Sandworm Team|Indrik Spider -T1135,Network Share Discovery,Discovery,Dragonfly|Tonto Team|APT38|Chimera|Operation Wocao|Wizard Spider|APT32|APT39|DarkVishnya|APT41|Tropic Trooper|APT1|Dragonfly 2.0|Sowbug -T1137,Office Application Startup,Persistence,Gamaredon Group|APT32 -T1133,External Remote Services,Persistence|Initial Access,Dragonfly|TeamTNT|Leviathan|APT28|APT29|Operation Wocao|Wizard Spider|Kimsuky|GOLD SOUTHFIELD|Chimera|Sandworm Team|APT41|GALLIUM|TEMP.Veles|Night Dragon|Ke3chang|OilRig|Dragonfly 2.0|FIN5|Threat Group-3390|APT18 -T1132,Data Encoding,Command And Control,no -T1129,Shared Modules,Execution,no -T1127,Trusted Developer Utilities Proxy Execution,Defense Evasion,no -T1125,Video Capture,Collection,Silence|FIN7 -T1124,System Time Discovery,Discovery,Darkhotel|ZIRCONIUM|Higaisa|Sidewinder|Chimera|Operation Wocao|The White Company|Lazarus Group|BRONZE BUTLER|Turla -T1123,Audio Capture,Collection,APT37 -T1120,Peripheral Device Discovery,Discovery,OilRig|BackdoorDiplomacy|Operation Wocao|Turla|APT37|Gamaredon Group|Equation|APT28 -T1119,Automated Collection,Collection,Ke3chang|Confucius|Mustang Panda|Sidewinder|Chimera|menuPass|Operation Wocao|Gamaredon Group|Tropic Trooper|Frankenstein|APT1|APT28|Patchwork|OilRig|FIN5|Threat Group-3390|FIN6 -T1115,Clipboard Data,Collection,Operation Wocao|APT39|APT38 -T1114,Email Collection,Collection,Magic Hound|Silent Librarian -T1113,Screen Capture,Collection,Dragonfly|GOLD SOUTHFIELD|Gamaredon Group|APT39|Silence|MuddyWater|Dragonfly 2.0|OilRig|Dark Caracal|FIN7|BRONZE BUTLER|Magic Hound|Group5|APT28 -T1112,Modify Registry,Defense 
Evasion,Dragonfly|Operation Wocao|Kimsuky|Gamaredon Group|Blue Mockingbird|Wizard Spider|Silence|APT41|Turla|APT32|APT38|Patchwork|Gorgon Group|Threat Group-3390|Dragonfly 2.0|APT19|Honeybee|FIN8 -T1111,Two-Factor Authentication Interception,Credential Access,Kimsuky|Chimera|Operation Wocao -T1110,Brute Force,Credential Access,Lazarus Group|Dragonfly|APT38|APT28|Fox Kitten|DarkVishnya|APT39|OilRig|FIN5|Turla -T1106,Native API,Execution,BlackTech|Lazarus Group|APT38|Higaisa|menuPass|Operation Wocao|Chimera|Gamaredon Group|Tropic Trooper|Sharpshooter|Turla|Silence|APT37|Gorgon Group -T1105,Ingress Tool Transfer,Command And Control,LazyScripter|Ke3chang|Aquatic Panda|Winnti Group|Confucius|Dragonfly|TeamTNT|Nomadic Octopus|IndigoZebra|Andariel|BackdoorDiplomacy|Tonto Team|HAFNIUM|APT29|Ajax Security Team|Mustang Panda|Windshift|Darkhotel|ZIRCONIUM|TA551|Volatile Cedar|Indrik Spider|Evilnum|Sidewinder|Fox Kitten|Kimsuky|Operation Wocao|Chimera|Sandworm Team|Whitefly|Rocke|APT39|Tropic Trooper|Sharpshooter|Molerats|Frankenstein|Silence|APT-C-36|APT41|GALLIUM|TA505|WIRTE|APT33|MuddyWater|APT18|APT38|Rancor|Gorgon Group|OilRig|Turla|Cobalt Group|Dragonfly 2.0|FIN8|PLATINUM|APT37|Elderwood|Leviathan|APT32|Magic Hound|BRONZE BUTLER|APT3|menuPass|FIN7|Gamaredon Group|Patchwork|Lazarus Group|Threat Group-3390|APT28 -T1104,Multi-Stage Channels,Command And Control,Lazarus Group|APT41|MuddyWater|APT3 -T1102,Web Service,Command And Control,Mustang Panda|LazyScripter|TeamTNT|FIN8|Fox Kitten|Turla|APT32|Gamaredon Group|Rocke|Inception|FIN6 -T1098,Account Manipulation,Persistence,Kimsuky|Dragonfly|Sandworm Team|APT3|Dragonfly 2.0|Lazarus Group -T1095,Non-Application Layer Protocol,Command And Control,BackdoorDiplomacy|HAFNIUM|Operation Wocao|FIN6|APT29|PLATINUM|APT3 -T1092,Communication Through Removable Media,Command And Control,APT28 -T1091,Replication Through Removable Media,Lateral Movement|Initial Access,FIN7|Mustang Panda|Tropic Trooper|Darkhotel|APT28 -T1090,Proxy,Command And 
Control,Windigo|Fox Kitten|Operation Wocao|Sandworm Team|Blue Mockingbird|APT41|Turla -T1087,Account Discovery,Discovery,APT29 -T1083,File and Directory Discovery,Discovery,Winnti Group|Confucius|Dragonfly|APT38|APT29|Mustang Panda|Darkhotel|Windigo|Sidewinder|Chimera|Fox Kitten|menuPass|APT39|Sandworm Team|Operation Wocao|Gamaredon Group|Tropic Trooper|Inception|APT41|Kimsuky|APT32|MuddyWater|APT18|Leafminer|Honeybee|Dark Caracal|Dragonfly 2.0|APT3|Sowbug|Magic Hound|BRONZE BUTLER|APT28|Patchwork|Lazarus Group|Dust Storm|admin@338|Turla|Ke3chang -T1082,System Information Discovery,Discovery,Aquatic Panda|Confucius|TeamTNT|APT38|APT29|Mustang Panda|Windshift|ZIRCONIUM|Higaisa|Windigo|Sidewinder|Chimera|Operation Wocao|Wizard Spider|Rocke|Sandworm Team|Blue Mockingbird|Tropic Trooper|Frankenstein|Inception|Kimsuky|Darkhotel|MuddyWater|APT18|APT32|APT37|Honeybee|APT19|Magic Hound|Sowbug|OilRig|APT3|Gamaredon Group|Patchwork|Stealth Falcon|Lazarus Group|admin@338|Turla|Ke3chang -T1080,Taint Shared Content,Lateral Movement,Gamaredon Group|BRONZE BUTLER|Darkhotel -T1078,Valid Accounts,Defense Evasion|Persistence|Privilege Escalation|Initial Access,Ke3chang|Lazarus Group|Axiom|Dragonfly|FIN7|Leviathan|APT29|Silent Librarian|Fox Kitten|Operation Wocao|Chimera|Sandworm Team|Wizard Spider|Silence|APT41|GALLIUM|TEMP.Veles|APT39|FIN4|Night Dragon|Dragonfly 2.0|FIN8|APT33|FIN5|OilRig|APT28|menuPass|FIN10|Suckfly|FIN6|Threat Group-3390|APT18|PittyTiger|Carbanak -T1074,Data Staged,Collection,Wizard Spider -T1072,Software Deployment Tools,Execution|Lateral Movement,Silence|APT32|Threat Group-1314 -T1071,Application Layer Protocol,Command And Control,Dragonfly|TeamTNT|Rocke|Magic Hound|Dragonfly 2.0 -T1070,Indicator Removal on Host,Defense Evasion,Lazarus Group|APT29 -T1069,Permission Groups Discovery,Discovery,APT29|TA505|APT3 -T1068,Exploitation for Privilege Escalation,Privilege Escalation,APT29|Tonto Team|ZIRCONIUM|Turla|Whitefly|APT33|Cobalt Group|PLATINUM|FIN8|APT32|Threat 
Group-3390|FIN6|APT28 -T1059,Command and Scripting Interpreter,Execution,Dragonfly|APT37|Windigo|Fox Kitten|APT32|Whitefly|APT39|Dragonfly 2.0|FIN7|APT19|OilRig|FIN5|Stealth Falcon|FIN6|Ke3chang -T1057,Process Discovery,Discovery,Gamaredon Group|Kimsuky|TeamTNT|Andariel|APT29|Mustang Panda|Windshift|Higaisa|Sidewinder|Chimera|Operation Wocao|Rocke|Frankenstein|Inception|Darkhotel|MuddyWater|APT1|APT38|Tropic Trooper|APT37|Honeybee|OilRig|APT3|Magic Hound|APT28|Winnti Group|Stealth Falcon|Poseidon Group|Lazarus Group|Molerats|Turla|Deep Panda|Ke3chang -T1056,Input Capture,Collection|Credential Access,APT39 -T1055,Process Injection,Defense Evasion|Privilege Escalation,Operation Wocao|APT32|Sharpshooter|Silence|APT41|Kimsuky|Cobalt Group|Turla|APT37|Honeybee|PLATINUM -T1053,Scheduled Task/Job,Execution|Persistence|Privilege Escalation,no -T1052,Exfiltration Over Physical Medium,Exfiltration,no -T1049,System Network Connections Discovery,Discovery,Lazarus Group|TeamTNT|Andariel|BackdoorDiplomacy|Mustang Panda|MuddyWater|Chimera|Sandworm Team|Operation Wocao|Tropic Trooper|APT41|APT38|GALLIUM|APT32|APT1|OilRig|APT3|menuPass|Threat Group-3390|Poseidon Group|admin@338|Turla|Ke3chang -T1048,Exfiltration Over Alternative Protocol,Exfiltration,no -T1047,Windows Management Instrumentation,Execution,Gamaredon Group|Sandworm Team|FIN7|Indrik Spider|Naikon|Mustang Panda|Windshift|Operation Wocao|Chimera|Blue Mockingbird|Wizard Spider|Frankenstein|APT41|FIN6|GALLIUM|APT32|MuddyWater|Threat Group-3390|OilRig|FIN8|Leviathan|menuPass|Stealth Falcon|Lazarus Group|APT29|Deep Panda -T1046,Network Service Scanning,Discovery,BlackTech|Lazarus Group|TeamTNT|BackdoorDiplomacy|Naikon|CostaRicto|Chimera|Fox Kitten|Operation Wocao|Rocke|DarkVishnya|APT41|Tropic Trooper|APT39|APT32|OilRig|Cobalt Group|Leafminer|menuPass|Suckfly|FIN6|Threat Group-3390 -T1041,Exfiltration Over C2 Channel,Exfiltration,Confucius|Leviathan|ZIRCONIUM|Higaisa|Chimera|APT39|Operation Wocao|Sandworm 
Team|MuddyWater|Wizard Spider|Frankenstein|Kimsuky|GALLIUM|APT32|APT3|Gamaredon Group|Stealth Falcon|Lazarus Group|Ke3chang -T1040,Network Sniffing,Credential Access|Discovery,Kimsuky|Sandworm Team|DarkVishnya|APT33|APT28 -T1039,Data from Network Shared Drive,Collection,APT28|Chimera|Fox Kitten|Gamaredon Group|BRONZE BUTLER|Sowbug|menuPass -T1037,Boot or Logon Initialization Scripts,Persistence|Privilege Escalation,Rocke -T1036,Masquerading,Defense Evasion,Kimsuky|Lazarus Group|Dragonfly|LazyScripter|APT28|Nomadic Octopus|OilRig|APT29|ZIRCONIUM|TA551|Windshift|APT32|BRONZE BUTLER|menuPass|PLATINUM|Dragonfly 2.0 -T1033,System Owner/User Discovery,Discovery,Threat Group-3390|Ke3chang|Dragonfly|APT38|Windshift|ZIRCONIUM|Sidewinder|Chimera|Sandworm Team|Operation Wocao|Wizard Spider|Frankenstein|APT41|GALLIUM|Tropic Trooper|APT39|MuddyWater|APT37|Dragonfly 2.0|APT19|APT32|Magic Hound|OilRig|FIN10|Gamaredon Group|Patchwork|Stealth Falcon|Lazarus Group|APT3 -T1030,Data Transfer Size Limits,Exfiltration,APT28|Threat Group-3390 -T1029,Scheduled Transfer,Exfiltration,Higaisa -T1027,Obfuscated Files or Information,Defense Evasion,Aquatic Panda|Ke3chang|LazyScripter|TeamTNT|BackdoorDiplomacy|Transparent Tribe|APT39|Mustang Panda|Windshift|TA551|Higaisa|Sidewinder|Fox Kitten|GOLD SOUTHFIELD|Operation Wocao|Kimsuky|FIN6|Chimera|Gamaredon Group|Rocke|Sandworm Team|Blue Mockingbird|Whitefly|Molerats|Wizard Spider|Mofang|Frankenstein|Inception|APT-C-36|APT41|GALLIUM|Turla|TA505|Silence|APT33|Night Dragon|Darkhotel|Gallmaker|APT29|APT18|Tropic Trooper|Patchwork|menuPass|APT37|Threat Group-3390|Cobalt Group|Dark Caracal|Leafminer|Honeybee|APT19|BlackOasis|Leviathan|FIN8|MuddyWater|FIN7|Elderwood|OilRig|Magic Hound|APT3|APT32|Group5|Dust Storm|Lazarus Group|Putter Panda|APT28 -T1025,Data from Removable Media,Collection,Turla|Gamaredon Group|APT28 -T1021,Remote Services,Lateral Movement,no -T1020,Automated Exfiltration,Exfiltration,Ke3chang|Sidewinder|Gamaredon Group|Tropic 
Trooper|Frankenstein|Honeybee -T1018,Remote System Discovery,Discovery,Dragonfly|Indrik Spider|Naikon|APT29|Chimera|Fox Kitten|Operation Wocao|Sandworm Team|Rocke|Wizard Spider|Silence|GALLIUM|APT39|APT32|Deep Panda|Ke3chang|Threat Group-3390|Dragonfly 2.0|Leafminer|FIN8|FIN5|APT3|BRONZE BUTLER|menuPass|FIN6|Turla -T1016,System Network Configuration Discovery,Discovery,Kimsuky|Dragonfly|TeamTNT|ZIRCONIUM|Mustang Panda|Higaisa|Sidewinder|Chimera|Operation Wocao|Wizard Spider|Sandworm Team|Tropic Trooper|Frankenstein|APT41|GALLIUM|APT32|Darkhotel|MuddyWater|APT1|APT19|Dragonfly 2.0|Magic Hound|OilRig|Threat Group-3390|menuPass|Stealth Falcon|Lazarus Group|APT3|Naikon|admin@338|Turla|Ke3chang -T1014,Rootkit,Defense Evasion,TeamTNT|Rocke|APT41|APT28|Winnti Group -T1012,Query Registry,Discovery,Kimsuky|Dragonfly|ZIRCONIUM|Chimera|Fox Kitten|APT39|Operation Wocao|APT32|Dragonfly 2.0|Threat Group-3390|OilRig|Stealth Falcon|Lazarus Group|Turla -T1011,Exfiltration Over Other Network Medium,Exfiltration,no -T1010,Application Window Discovery,Discovery,Lazarus Group -T1008,Fallback Channels,Command And Control,FIN7|APT41|OilRig|Lazarus Group -T1007,System Service Discovery,Discovery,Kimsuky|Aquatic Panda|Indrik Spider|Chimera|Operation Wocao|BRONZE BUTLER|APT1|OilRig|Poseidon Group|admin@338|Turla|Ke3chang -T1006,Direct Volume Access,Defense Evasion,no -T1005,Data from Local System,Collection,Axiom|Dragonfly|FIN7|APT41|APT38|Andariel|APT29|Windigo|Fox Kitten|Sandworm Team|Operation Wocao|FIN6|Gamaredon Group|APT39|Frankenstein|Inception|Kimsuky|GALLIUM|Turla|menuPass|Dark Caracal|Dragonfly 2.0|Honeybee|APT37|APT28|APT3|BRONZE BUTLER|Patchwork|Stealth Falcon|Lazarus Group|Dust Storm|Threat Group-3390|APT1|Ke3chang -T1003,OS Credential Dumping,Credential Access,Tonto Team|APT39|Frankenstein|APT32|APT28|Leviathan|Sowbug|Suckfly|Poseidon Group|Axiom -T1001,Data Obfuscation,Command And Control,Operation Wocao|Axiom 
diff --git a/dist/escu/lookups/prohibited_softwares.csv b/dist/escu/lookups/prohibited_softwares.csv
deleted file mode 100644
index b418ab0f74..0000000000
--- a/dist/escu/lookups/prohibited_softwares.csv
+++ /dev/null
@@ -1,20 +0,0 @@
-app,note
-remcom.exe,ESCU - This process is an open source replacement to psexec and is not typically seen in an enterprise environment.
-pwdump.exe,ESCU - This process is associated with a tool used to dump password hashes on a Windows system.
-pwdump2.exe,ESCU - This process is associated with a tool used to dump password hashes on a Windows system.
-nc.exe,ESCU - This process is an open source tool used for network communications.
-wce.exe,ESCU - This process is associated with a tool used to dump hashes and execute pass-the-hash and pass-the-ticket attacks.
-cain.exe,ESCU - This process is associated with a tool used to collect user credentials and execute attacks.
-nmap.exe,ESCU - This process is an open source network mapping tool used to identify hosts and listening services on a network.
-kidlogger.exe,ESCU - This process is associated with a tool used to collect keyboard input on a host.
-isass.exe,ESCU - This process name is used by attackers to hide in plain sight and look like a legitimate Windows system process.
-svch0st.exe,ESCU - This process name is used by attackers to hide in plain sight and look like a legitimate Windows system process.
-at.exe,ESCU - This process is used to schedule other processes to run. schtasks.exe should be used instead as it provides more flexibility.
-getmail.exe,ESCU - This process is seen to be used by attackers to extract email files from host machines.
-ntdll.exe,ESCU - This process was identified as malicious by DHS Alert TA18-074A.
-netpass.exe,ESCU - This process was identified as malicious by DHS Alert TA18-201A and attackers use this tool to recover all network passwords stored on your system for the current logged-on user.
-WebBrowserPassView.exe,ESCU - This process was identified as malicious by DHS Alert TA18-201A and is used by attackers as a password recovery tool that reveals the passwords stored in Web Browsers.
-OutlookAddressBookView.exe,ESCU - This process was identified as malicious by DHS Alert TA18-201A and is used by attackers to steal the details of all recipients stored in the address books of Microsoft Outlook.
-mailpv.exe,ESCU - This process was identified by DHS Alert TA18-201A and attackers use this tool is a password-recovery tool that reveals the passwords and other account details from various email clients.
-NLBrute.exe,ESCU - This process was identified in the SamSam Ransomware Campaign and attackers use this tool to brute force RDP instances with a range of commonly used passwords.
-selfdel.exe,ESCU - This executable was delivered in the SamSam Ransomware Campain and the attackers levereged this binary to delete its malicilous activities.
diff --git a/dist/escu/lookups/splunk_risky_command.csv b/dist/escu/lookups/splunk_risky_command.csv
deleted file mode 100644
index 9f6e6665b0..0000000000
--- a/dist/escu/lookups/splunk_risky_command.csv
+++ /dev/null
@@ -1,11 +0,0 @@
-"splunk_risky_command","description","vulnerable_versions","CVE","other_metadata"
-"*createrss*","createrss command overwrites existing RSS feeds without verifying permissions","8.1.13, 8.2.10","CVE-2023-22931",""
-"*pivot?seedSid=*","pivot command allows a search to bypass SPL safeguards for risky commands using a saved job","8.1.13, 8.2.10, 9.0.4","CVE-2023-22934",""
-"*|makeresults+&search_listener*","search_listener parameter in a Search allows for a Blind Server Side Request Forgery by an authenticated user","8.1.13, 8.2.10, 9.0.4","CVE-2023-22936",""
-"*| map search=*| *","map search processing language (SPL) command lets a search bypass SPL safeguards for risky commands","8.1.13, 8.2.10, 9.0.4","CVE-2023-22939",""
-"*|mcollect%20index*","collect command SPL aliases commands could potentially allow for the exposing of data to a summary index that unprivileged users could access","8.1.13, 8.2.10, 9.0.4","CVE-2023-22940",""
-"*|""*meventcollect*""","collect command SPL alias could potentially allow for the exposing of data to a summary index that unprivileged users could access","8.1.13, 8.2.10, 9.0.4","CVE-2023-22940",""
-"*|""*summaryindex*""","collect command SPL alias could potentially allow for the exposing of data to a summary index that unprivileged users could access","8.1.13, 8.2.10, 9.0.4","CVE-2023-22940",""
-"*|""*sumindex*""","collect command SPL alias could potentially allow for the exposing of data to a summary index that unprivileged users could access","8.1.13, 8.2.10, 9.0.4","CVE-2023-22940",""
-"*|""*stash*""","collect command SPL alias could potentially allow for the exposing of data to a summary index that unprivileged users could access","8.1.13, 8.2.10, 9.0.4","CVE-2023-22940",""
-"*| sendalert *","display.page.search.patterns.sensitivity search parameter allows a search to bypass SPL safeguards for risky commands using obfuscation","8.1.13, 8.2.10, 9.0.4","CVE-2023-22935",""
\ No newline at end of file
diff --git a/dist/escu/lookups/splunk_risky_command_20230830.csv b/dist/escu/lookups/splunk_risky_command_20230830.csv
deleted file mode 100644
index b0acb94c8e..0000000000
--- a/dist/escu/lookups/splunk_risky_command_20230830.csv
+++ /dev/null
@@ -1,12 +0,0 @@
-"splunk_risky_command","description","vulnerable_versions","CVE","other_metadata"
-"*createrss*","createrss command overwrites existing RSS feeds without verifying permissions","8.1.13, 8.2.10","CVE-2023-22931",""
-"*pivot?seedSid=*","pivot command allows a search to bypass SPL safeguards for risky commands using a saved job","8.1.13, 8.2.10, 9.0.4","CVE-2023-22934",""
-"*|makeresults+&search_listener*","search_listener parameter in a Search allows for a Blind Server Side Request Forgery by an authenticated user","8.1.13, 8.2.10, 9.0.4","CVE-2023-22936",""
-"*| map search=*| *","map search processing language (SPL) command lets a search bypass SPL safeguards for risky commands","8.1.13, 8.2.10, 9.0.4","CVE-2023-22939",""
-"*|mcollect%20index*","collect command SPL aliases commands could potentially allow for the exposing of data to a summary index that unprivileged users could access","8.1.13, 8.2.10, 9.0.4","CVE-2023-22940",""
-"*|""*meventcollect*""","collect command SPL alias could potentially allow for the exposing of data to a summary index that unprivileged users could access","8.1.13, 8.2.10, 9.0.4","CVE-2023-22940",""
-"*|""*summaryindex*""","collect command SPL alias could potentially allow for the exposing of data to a summary index that unprivileged users could access","8.1.13, 8.2.10, 9.0.4","CVE-2023-22940",""
-"*|""*sumindex*""","collect command SPL alias could potentially allow for the exposing of data to a summary index that unprivileged users could access","8.1.13, 8.2.10, 9.0.4","CVE-2023-22940",""
-"*|""*stash*""","collect command SPL alias could potentially allow for the exposing of data to a summary index that unprivileged users could access","8.1.13, 8.2.10, 9.0.4","CVE-2023-22940",""
-"*| sendalert *","display.page.search.patterns.sensitivity search parameter allows a search to bypass SPL safeguards for risky commands using obfuscation","8.1.13, 8.2.10, 9.0.4","CVE-2023-22935",""
-"*| *runshellscript* """"*","runshellscript 
searches should not be run interactively via User Interface or REST API and may be used to bypass safeguards","<8.1.14, <8.2.12, <9.0.6, <9.1.1","CVE-2023-40598",""
diff --git a/lookups/mitre_enrichment.csv b/lookups/mitre_enrichment.csv
index 98e157fb74..ba76164483 100644
--- a/lookups/mitre_enrichment.csv
+++ b/lookups/mitre_enrichment.csv
@@ -1,579 +1,626 @@ mitre_id,technique,tactics,groups -T1647,Plist File Modification,Defense Evasion,no -T1622,Debugger Evasion,Defense Evasion|Discovery,no -T1621,Multi-Factor Authentication Request Generation,Credential Access,APT29 -T1505.005,Terminal Services DLL,Persistence,no -T1557.003,DHCP Spoofing,Credential Access|Collection,no +T1568.001,Fast Flux DNS,Command And Control,menuPass|TA505 +T1218.010,Regsvr32,Defense Evasion,Deep Panda|APT32|Inception|Kimsuky|Cobalt Group|WIRTE|Leviathan|TA551|APT19|Blue Mockingbird +T1608.001,Upload Malware,Resource Development,Threat Group-3390|Mustang Panda|APT32|Earth Lusca|LuminousMoth|BITTER|EXOTIC LILY|FIN7|LazyScripter|SideCopy|Kimsuky|TA2541|TeamTNT|TA505|Gamaredon Group|HEXANE +T1213,Data from Information Repositories,Collection,FIN6|Fox Kitten|Turla|APT28|LAPSUS$ +T1021.002,SMB/Windows Admin Shares,Lateral Movement,Orangeworm|FIN8|Chimera|Moses Staff|APT3|Wizard Spider|APT39|Ke3chang|Fox Kitten|FIN13|APT32|Blue Mockingbird|APT28|Sandworm Team|Deep Panda|Lazarus Group|APT41|Threat Group-1314|Turla +T1027.002,Software Packing,Defense Evasion,TA505|The White Company|APT38|Dark Caracal|MoustachedBouncer|APT39|APT29|Ember Bear|Aoqin Dragon|Kimsuky|Rocke|TA2541|Threat Group-3390|Elderwood|TeamTNT|Patchwork|APT3|ZIRCONIUM|GALLIUM T1595.003,Wordlist Scanning,Reconnaissance,Volatile Cedar -T1098.005,Device Registration,Persistence,APT29 -T1574.013,KernelCallbackTable,Persistence|Privilege Escalation|Defense Evasion,Lazarus Group -T1556.005,Reversible Encryption,Credential Access|Defense Evasion|Persistence,no -T1055.015,ListPlanting,Defense Evasion|Privilege Escalation,no -T1564.010,Process Argument Spoofing,Defense Evasion,no -T1564.009,Resource Forking,Defense Evasion,no T1559.003,XPC Services,Execution,no -T1562.010,Downgrade Attack,Defense Evasion,no -T1547.015,Login Items,Persistence|Privilege Escalation,no +T1020,Automated Exfiltration,Exfiltration,Gamaredon Group|Ke3chang|Sidewinder|Tropic Trooper 
+T1003.003,NTDS,Credential Access,Sandworm Team|HAFNIUM|Volt Typhoon|Mustang Panda|Dragonfly|menuPass|Fox Kitten|FIN13|Ke3chang|APT28|Chimera|Wizard Spider|FIN6|LAPSUS$ +T1201,Password Policy Discovery,Discovery,Chimera|Turla|OilRig +T1578.003,Delete Cloud Instance,Defense Evasion,LAPSUS$ +T1049,System Network Connections Discovery,Discovery,Andariel|APT1|FIN13|Poseidon Group|Chimera|Sandworm Team|Earth Lusca|APT41|Ke3chang|Magic Hound|Tropic Trooper|BackdoorDiplomacy|APT3|HEXANE|admin@338|Volt Typhoon|TeamTNT|APT38|Turla|MuddyWater|APT32|OilRig|Mustang Panda|Lazarus Group|menuPass|Threat Group-3390|GALLIUM +T1185,Browser Session Hijacking,Collection,no +T1564.005,Hidden File System,Defense Evasion,Equation|Strider +T1647,Plist File Modification,Defense Evasion,no +T1119,Automated Collection,Collection,menuPass|Mustang Panda|Chimera|Patchwork|Threat Group-3390|FIN5|APT1|Sidewinder|Ke3chang|Tropic Trooper|FIN6|APT28|Confucius|OilRig|Gamaredon Group +T1037,Boot or Logon Initialization Scripts,Persistence|Privilege Escalation,Rocke|APT29 +T1055.005,Thread Local Storage,Defense Evasion|Privilege Escalation,no +T1199,Trusted Relationship,Initial Access,APT28|Sandworm Team|APT29|GOLD SOUTHFIELD|menuPass|POLONIUM|LAPSUS$|Threat Group-3390 +T1547.003,Time Providers,Persistence|Privilege Escalation,no +T1069.003,Cloud Groups,Discovery,no +T1537,Transfer Data to Cloud Account,Exfiltration,no +T1599.001,Network Address Translation Traversal,Defense Evasion,no +T1136.001,Local Account,Persistence,Leafminer|Kimsuky|FIN13|Dragonfly|APT3|APT39|Magic Hound|Fox Kitten|Wizard Spider|TeamTNT|APT41 +T1098.005,Device Registration,Persistence|Privilege Escalation,APT29 +T1069,Permission Groups Discovery,Discovery,APT3|FIN13|TA505 +T1552.008,Chat Messages,Credential Access,LAPSUS$ +T1589.003,Employee Names,Reconnaissance,Kimsuky|Silent Librarian|Sandworm Team +T1505,Server Software Component,Persistence,no +T1505.005,Terminal Services DLL,Persistence,no +T1114.002,Remote Email 
Collection,Collection,Chimera|FIN4|Kimsuky|HAFNIUM|APT28|Magic Hound|Dragonfly|APT1|Ke3chang|APT29|Leafminer +T1542.001,System Firmware,Persistence|Defense Evasion,no +T1586.003,Cloud Accounts,Resource Development,APT29 +T1552,Unsecured Credentials,Credential Access,no +T1052,Exfiltration Over Physical Medium,Exfiltration,no +T1583.004,Server,Resource Development,GALLIUM|Earth Lusca|Kimsuky|Sandworm Team +T1556.003,Pluggable Authentication Modules,Credential Access|Defense Evasion|Persistence,no +T1563.001,SSH Hijacking,Lateral Movement,no +T1499.002,Service Exhaustion Flood,Impact,no +T1574,Hijack Execution Flow,Persistence|Privilege Escalation|Defense Evasion,no +T1563,Remote Service Session Hijacking,Lateral Movement,no +T1055.014,VDSO Hijacking,Defense Evasion|Privilege Escalation,no +T1134.005,SID-History Injection,Defense Evasion|Privilege Escalation,no +T1593.003,Code Repositories,Reconnaissance,LAPSUS$ +T1558,Steal or Forge Kerberos Tickets,Credential Access,no +T1587.004,Exploits,Resource Development,no +T1542.002,Component Firmware,Persistence|Defense Evasion,Equation +T1059.006,Python,Execution,ZIRCONIUM|Turla|Kimsuky|MuddyWater|Machete|Tonto Team|APT37|APT39|BRONZE BUTLER|Rocke|Dragonfly|Earth Lusca|APT29 +T1597,Search Closed Sources,Reconnaissance,EXOTIC LILY +T1048.003,Exfiltration Over Unencrypted Non-C2 Protocol,Exfiltration,APT32|OilRig|Wizard Spider|APT33|FIN6|FIN8|Lazarus Group|Thrip T1620,Reflective Code Loading,Defense Evasion,Lazarus Group -T1619,Cloud Storage Object Discovery,Discovery,no -T1218.014,MMC,Defense Evasion,no -T1218.013,Mavinject,Defense Evasion,no -T1614.001,System Language Discovery,Discovery,Ke3chang|Lazarus Group -T1615,Group Policy Discovery,Discovery,Turla -T1036.007,Double File Extension,Defense Evasion,Mustang Panda -T1562.009,Safe Mode Boot,Defense Evasion,no -T1564.008,Email Hiding Rules,Defense Evasion,FIN4 -T1505.004,IIS Components,Persistence,no -T1027.006,HTML Smuggling,Defense Evasion,APT29 -T1213.003,Code 
Repositories,Collection,APT29 -T1553.006,Code Signing Policy Modification,Defense Evasion,Turla|APT39 -T1614,System Location Discovery,Discovery,no -T1613,Container and Resource Discovery,Discovery,TeamTNT -T1552.007,Container API,Credential Access,no -T1612,Build Image on Host,Defense Evasion,no -T1611,Escape to Host,Privilege Escalation,TeamTNT -T1204.003,Malicious Image,Execution,TeamTNT +T1547.015,Login Items,Persistence|Privilege Escalation,no +T1574.002,DLL Side-Loading,Persistence|Privilege Escalation|Defense Evasion,BlackTech|Lazarus Group|Earth Lusca|menuPass|APT3|Chimera|APT41|GALLIUM|Naikon|SideCopy|BRONZE BUTLER|Threat Group-3390|Patchwork|Mustang Panda|APT32|LuminousMoth|APT19|MuddyWater|Higaisa|Tropic Trooper|FIN13|Sidewinder T1053.007,Container Orchestration Job,Execution|Persistence|Privilege Escalation,no -T1610,Deploy Container,Defense Evasion|Execution,TeamTNT -T1609,Container Administration Command,Execution,TeamTNT -T1608.005,Link Target,Resource Development,Silent Librarian -T1608.004,Drive-by Target,Resource Development,Dragonfly|Transparent Tribe|APT32|Threat Group-3390 -T1608.003,Install Digital Certificate,Resource Development,no -T1608.002,Upload Tool,Resource Development,Lazarus Group|Threat Group-3390 -T1608.001,Upload Malware,Resource Development,Threat Group-3390|LazyScripter|Mustang Panda|Gamaredon Group|Kimsuky|Lazarus Group|TeamTNT|APT32 -T1608,Stage Capabilities,Resource Development,Mustang Panda -T1016.001,Internet Connection Discovery,Discovery,Gamaredon Group|APT29|Turla -T1553.005,Mark-of-the-Web Bypass,Defense Evasion,APT29|TA505 -T1555.005,Password Managers,Credential Access,Threat Group-3390|Fox Kitten|Operation Wocao -T1484.002,Domain Trust Modification,Defense Evasion|Privilege Escalation,APT29 -T1484.001,Group Policy Modification,Defense Evasion|Privilege Escalation,Indrik Spider -T1547.014,Active Setup,Persistence|Privilege Escalation,no -T1606.002,SAML Tokens,Credential Access,APT29 -T1606.001,Web Cookies,Credential 
Access,APT29 -T1606,Forge Web Credentials,Credential Access,no -T1555.004,Windows Credential Manager,Credential Access,Stealth Falcon|OilRig|Turla -T1059.008,Network Device CLI,Execution,no -T1602.002,Network Device Configuration Dump,Collection,no -T1542.005,TFTP Boot,Defense Evasion|Persistence,no -T1542.004,ROMMONkit,Defense Evasion|Persistence,no -T1602.001,SNMP (MIB Dump),Collection,no -T1602,Data from Configuration Repository,Collection,no -T1601.002,Downgrade System Image,Defense Evasion,no -T1601.001,Patch System Image,Defense Evasion,no +T1587.003,Digital Certificates,Resource Development,APT29|PROMETHIUM T1601,Modify System Image,Defense Evasion,no -T1600.002,Disable Crypto Hardware,Defense Evasion,no -T1600.001,Reduce Key Space,Defense Evasion,no -T1600,Weaken Encryption,Defense Evasion,no -T1556.004,Network Device Authentication,Credential Access|Defense Evasion|Persistence,no -T1599.001,Network Address Translation Traversal,Defense Evasion,no -T1599,Network Boundary Bridging,Defense Evasion,no -T1020.001,Traffic Duplication,Exfiltration,no -T1557.002,ARP Cache Poisoning,Credential Access|Collection,Cleaver -T1588.006,Vulnerabilities,Resource Development,Sandworm Team -T1053.006,Systemd Timers,Execution|Persistence|Privilege Escalation,no -T1562.008,Disable Cloud Logs,Defense Evasion,no -T1547.012,Print Processors,Persistence|Privilege Escalation,no -T1598.003,Spearphishing Link,Reconnaissance,APT28|Dragonfly|Magic Hound|Silent Librarian|Sidewinder|Sandworm Team|APT32|Kimsuky -T1598.002,Spearphishing Attachment,Reconnaissance,Dragonfly|Sidewinder -T1598.001,Spearphishing Service,Reconnaissance,no -T1598,Phishing for Information,Reconnaissance,ZIRCONIUM|APT28 -T1597.002,Purchase Technical Data,Reconnaissance,no -T1597.001,Threat Intel Vendors,Reconnaissance,no -T1597,Search Closed Sources,Reconnaissance,no -T1596.005,Scan Databases,Reconnaissance,no -T1596.004,CDNs,Reconnaissance,no -T1596.003,Digital Certificates,Reconnaissance,no 
+T1213.001,Confluence,Collection,LAPSUS$ +T1090.001,Internal Proxy,Command And Control,Volt Typhoon|FIN13|APT39|Higaisa|Strider|Turla|Lazarus Group +T1083,File and Directory Discovery,Discovery,Ke3chang|Dragonfly|Winnti Group|Sandworm Team|Aoqin Dragon|Leafminer|Darkhotel|Tropic Trooper|Magic Hound|Fox Kitten|Windigo|TeamTNT|admin@338|BRONZE BUTLER|Kimsuky|Chimera|APT41|MuddyWater|Gamaredon Group|APT18|Inception|menuPass|Lazarus Group|HAFNIUM|FIN13|Sowbug|APT38|Patchwork|Dark Caracal|LuminousMoth|Mustang Panda|Turla|Sidewinder|Confucius|APT28|APT32|APT39|APT3 +T1611,Escape to Host,Privilege Escalation,TeamTNT +T1583.008,Malvertising,Resource Development,no +T1552.001,Credentials In Files,Credential Access,APT3|Kimsuky|MuddyWater|Leafminer|FIN13|APT33|Fox Kitten|TA505|TeamTNT|OilRig +T1134,Access Token Manipulation,Defense Evasion|Privilege Escalation,Blue Mockingbird|FIN6 +T1078.003,Local Accounts,Defense Evasion|Persistence|Privilege Escalation|Initial Access,Kimsuky|PROMETHIUM|Tropic Trooper|Turla|APT32|FIN10|HAFNIUM +T1530,Data from Cloud Storage,Collection,Fox Kitten +T1657,Financial Theft,Impact,SilverTerrier|FIN13 +T1546.016,Installer Packages,Privilege Escalation|Persistence,no +T1120,Peripheral Device Discovery,Discovery,Gamaredon Group|Turla|BackdoorDiplomacy|TeamTNT|APT28|Equation|OilRig|APT37 +T1112,Modify Registry,Defense Evasion,Wizard Spider|Magic Hound|Kimsuky|Dragonfly|APT32|Earth Lusca|Patchwork|TA505|Turla|APT19|FIN8|Gamaredon Group|Gorgon Group|Blue Mockingbird|Silence|LuminousMoth|Ember Bear|APT41|Threat Group-3390|APT38 +T1546.011,Application Shimming,Privilege Escalation|Persistence,FIN7 +T1590.002,DNS,Reconnaissance,no +T1550,Use Alternate Authentication Material,Defense Evasion|Lateral Movement,no +T1547.004,Winlogon Helper DLL,Persistence|Privilege Escalation,Tropic Trooper|Wizard Spider|Turla T1596.001,DNS/Passive DNS,Reconnaissance,no -T1596.002,WHOIS,Reconnaissance,no -T1596,Search Open Technical Databases,Reconnaissance,no 
-T1595.002,Vulnerability Scanning,Reconnaissance,Magic Hound|Aquatic Panda|Dragonfly|TeamTNT|APT29|Volatile Cedar|APT28|Sandworm Team -T1595.001,Scanning IP Blocks,Reconnaissance,TeamTNT -T1595,Active Scanning,Reconnaissance,no -T1594,Search Victim-Owned Websites,Reconnaissance,Kimsuky|Silent Librarian|Sandworm Team -T1593.002,Search Engines,Reconnaissance,Kimsuky -T1593.001,Social Media,Reconnaissance,Lazarus Group|Kimsuky -T1593,Search Open Websites/Domains,Reconnaissance,Sandworm Team -T1592.004,Client Configurations,Reconnaissance,HAFNIUM -T1592.003,Firmware,Reconnaissance,no -T1592.002,Software,Reconnaissance,Andariel|Sandworm Team -T1592.001,Hardware,Reconnaissance,no -T1592,Gather Victim Host Information,Reconnaissance,no -T1591.004,Identify Roles,Reconnaissance,Lazarus Group -T1591.003,Identify Business Tempo,Reconnaissance,no -T1591.001,Determine Physical Locations,Reconnaissance,no -T1591.002,Business Relationships,Reconnaissance,Dragonfly|Sandworm Team -T1591,Gather Victim Org Information,Reconnaissance,Kimsuky|Lazarus Group -T1590.006,Network Security Appliances,Reconnaissance,no -T1590.005,IP Addresses,Reconnaissance,Andariel|HAFNIUM -T1590.004,Network Topology,Reconnaissance,no +T1218.003,CMSTP,Defense Evasion,Cobalt Group|MuddyWater +T1068,Exploitation for Privilege Escalation,Privilege Escalation,APT28|Scattered Spider|Turla|APT32|Cobalt Group|APT33|ZIRCONIUM|LAPSUS$|FIN6|Tonto Team|BITTER|MoustachedBouncer|FIN8|PLATINUM|Threat Group-3390|Whitefly|APT29 +T1059.004,Unix Shell,Execution,APT41|TeamTNT|Rocke T1590.003,Network Trust Dependencies,Reconnaissance,no -T1590.002,DNS,Reconnaissance,no -T1590.001,Domain Properties,Reconnaissance,Sandworm Team -T1590,Gather Victim Network Information,Reconnaissance,HAFNIUM -T1589.003,Employee Names,Reconnaissance,Kimsuky|Silent Librarian|Sandworm Team -T1589.002,Email Addresses,Reconnaissance,Lazarus Group|Kimsuky|Magic Hound|TA551|MuddyWater|HAFNIUM|APT32|Silent Librarian|Sandworm Team 
-T1589.001,Credentials,Reconnaissance,APT29|Leviathan|APT28|Magic Hound|Chimera -T1589,Gather Victim Identity Information,Reconnaissance,Magic Hound|APT32 -T1588.005,Exploits,Resource Development,Kimsuky -T1588.004,Digital Certificates,Resource Development,BlackTech|Lazarus Group|Silent Librarian -T1588.003,Code Signing Certificates,Resource Development,BlackTech|Lazarus Group|Wizard Spider -T1588.002,Tool,Resource Development,Aquatic Panda|BlackTech|Lazarus Group|CostaRicto|Night Dragon|DarkVishnya|FIN5|Gorgon Group|Patchwork|Chimera|Dragonfly|Blue Mockingbird|Whitefly|APT41|FIN6|TEMP.Veles|Kimsuky|PittyTiger|Cobalt Group|APT29|Thrip|Ke3chang|DarkHydrus|APT32|APT38|BRONZE BUTLER|Carbanak|Cleaver|Inception|Leafminer|Threat Group-3390|Ferocious Kitten|IndigoZebra|BackdoorDiplomacy|menuPass|APT-C-36|Magic Hound|APT28|Wizard Spider|Frankenstein|Silence|WIRTE|Turla|APT33|APT19|FIN10|CopyKittens|APT39|APT1|MuddyWater|Silent Librarian|GALLIUM|Sandworm Team -T1588.001,Malware,Resource Development,Aquatic Panda|LazyScripter|Andariel|BackdoorDiplomacy|Turla|APT1 -T1588,Obtain Capabilities,Resource Development,no -T1587.004,Exploits,Resource Development,no -T1587.003,Digital Certificates,Resource Development,APT29|PROMETHIUM -T1587.002,Code Signing Certificates,Resource Development,PROMETHIUM|Patchwork -T1587.001,Malware,Resource Development,Ke3chang|Kimsuky|TeamTNT|APT29|Lazarus Group|Sandworm Team|Turla|FIN7|Night Dragon|Cleaver -T1587,Develop Capabilities,Resource Development,Kimsuky -T1586.002,Email Accounts,Resource Development,APT29|APT28|IndigoZebra|Leviathan|Magic Hound|Kimsuky -T1586.001,Social Media Accounts,Resource Development,Leviathan -T1586,Compromise Accounts,Resource Development,no -T1585.002,Email Accounts,Resource Development,Mustang Panda|Kimsuky|Lazarus Group|Leviathan|Magic Hound|Silent Librarian|Sandworm Team|APT1 -T1585.001,Social Media Accounts,Resource Development,Kimsuky|Lazarus Group|Leviathan|Magic Hound|Fox Kitten|Sandworm Team|APT32|Cleaver 
-T1585,Establish Accounts,Resource Development,Fox Kitten|APT17 -T1584.006,Web Services,Resource Development,Turla -T1584.005,Botnet,Resource Development,Sandworm Team|Axiom -T1584.004,Server,Resource Development,Lazarus Group|Dragonfly|Indrik Spider|Turla|APT16 -T1584.003,Virtual Private Server,Resource Development,Turla -T1584.002,DNS Server,Resource Development,no -T1584.001,Domains,Resource Development,Kimsuky|Lazarus Group|Transparent Tribe|Magic Hound|APT29|APT1 -T1583.006,Web Services,Resource Development,APT28|Confucius|LazyScripter|Kimsuky|Magic Hound|IndigoZebra|ZIRCONIUM|MuddyWater|HAFNIUM|Lazarus Group|Turla|APT32|APT17|APT29 -T1583.005,Botnet,Resource Development,no -T1583.004,Server,Resource Development,Kimsuky|Lazarus Group|Gelsemium|GALLIUM|Sandworm Team -T1583.003,Virtual Private Server,Resource Development,Axiom|Dragonfly|HAFNIUM|TEMP.Veles -T1583.002,DNS Server,Resource Development,Axiom -T1584,Compromise Infrastructure,Resource Development,no -T1583.001,Domains,Resource Development,LazyScripter|Gamaredon Group|Winnti Group|Dragonfly|IndigoZebra|TeamTNT|Ferocious Kitten|FIN7|Transparent Tribe|Leviathan|Magic Hound|APT29|Mustang Panda|ZIRCONIUM|Lazarus Group|Silent Librarian|menuPass|Sandworm Team|APT32|Kimsuky|APT1|APT28 -T1583,Acquire Infrastructure,Resource Development,no -T1564.007,VBA Stomping,Defense Evasion,no -T1558.004,AS-REP Roasting,Credential Access,no -T1580,Cloud Infrastructure Discovery,Discovery,no -T1218.012,Verclsid,Defense Evasion,no -T1205.001,Port Knocking,Defense Evasion|Persistence|Command And Control,PROMETHIUM -T1564.006,Run Virtual Instance,Defense Evasion,no -T1564.005,Hidden File System,Defense Evasion,Strider|Equation -T1556.003,Pluggable Authentication Modules,Credential Access|Defense Evasion|Persistence,no -T1574.012,COR_PROFILER,Persistence|Privilege Escalation|Defense Evasion,Blue Mockingbird -T1562.007,Disable or Modify Cloud Firewall,Defense Evasion,no -T1098.004,SSH Authorized Keys,Persistence,TeamTNT 
-T1480.001,Environmental Keying,Defense Evasion,APT41|Equation -T1059.007,JavaScript,Execution,LazyScripter|Indrik Spider|MuddyWater|Turla|Higaisa|Sidewinder|Evilnum|Kimsuky|FIN6|APT32|FIN7|Cobalt Group|Molerats|TA505|Silence|Leafminer +T1011.001,Exfiltration Over Bluetooth,Exfiltration,no +T1204.003,Malicious Image,Execution,TeamTNT +T1021,Remote Services,Lateral Movement,Wizard Spider +T1564,Hide Artifacts,Defense Evasion,no +T1547.009,Shortcut Modification,Persistence|Privilege Escalation,APT39|Leviathan|Lazarus Group|Gorgon Group +T1584.007,Serverless,Resource Development,no +T1102.001,Dead Drop Resolver,Command And Control,APT41|Rocke|BRONZE BUTLER|Patchwork|RTM +T1105,Ingress Tool Transfer,Command And Control,APT29|Magic Hound|Threat Group-3390|APT41|Moses Staff|Fox Kitten|LazyScripter|Leviathan|FIN13|Winnti Group|FIN8|Volatile Cedar|Nomadic Octopus|LuminousMoth|Turla|APT3|APT-C-36|Mustang Panda|Metador|APT38|APT37|TA551|TA2541|MuddyWater|WIRTE|Aquatic Panda|Windshift|SideCopy|TA505|Cobalt Group|Tropic Trooper|Andariel|Chimera|HAFNIUM|Dragonfly|Darkhotel|Ajax Security Team|Rocke|Evilnum|Molerats|IndigoZebra|APT28|menuPass|Whitefly|Wizard Spider|Lazarus Group|Ke3chang|ZIRCONIUM|Rancor|BITTER|TeamTNT|APT33|Confucius|APT39|Ember Bear|OilRig|Elderwood|HEXANE|Sandworm Team|Sidewinder|Indrik Spider|BackdoorDiplomacy|Kimsuky|Tonto Team|Gamaredon Group|Gorgon Group|PLATINUM|APT32|GALLIUM|BRONZE BUTLER|APT18|FIN7|Silence|Patchwork +T1585.002,Email Accounts,Resource Development,Kimsuky|Indrik Spider|Wizard Spider|Magic Hound|Leviathan|APT1|Sandworm Team|HEXANE|EXOTIC LILY|Silent Librarian|Lazarus Group|Mustang Panda +T1559.001,Component Object Model,Execution,MuddyWater|Gamaredon Group +T1036.001,Invalid Code Signature,Defense Evasion,APT37|Windshift +T1070.004,File Deletion,Defense Evasion,Rocke|Tropic Trooper|APT38|FIN5|Sandworm Team|APT39|Magic Hound|Patchwork|Mustang Panda|Chimera|Group5|APT32|menuPass|APT29|Evilnum|FIN8|Aquatic Panda|APT28|APT18|APT3|Silence|Volt 
Typhoon|Kimsuky|TEMP.Veles|Threat Group-3390|TeamTNT|The White Company|FIN6|Gamaredon Group|Lazarus Group|Wizard Spider|Cobalt Group|APT41|Metador|Dragonfly|BRONZE BUTLER|FIN10|OilRig T1578.004,Revert Cloud Instance,Defense Evasion,no -T1578.003,Delete Cloud Instance,Defense Evasion,no +T1572,Protocol Tunneling,Command And Control,OilRig|FIN13|Leviathan|Fox Kitten|Chimera|FIN6|Cobalt Group|Magic Hound +T1562.008,Disable or Modify Cloud Logs,Defense Evasion,no +T1546.009,AppCert DLLs,Privilege Escalation|Persistence,no +T1518,Software Discovery,Discovery,Mustang Panda|MuddyWater|Wizard Spider|Sidewinder|Volt Typhoon|SideCopy|HEXANE|Windigo|Inception|Windshift|BRONZE BUTLER|Tropic Trooper +T1598,Phishing for Information,Reconnaissance,ZIRCONIUM|Scattered Spider|APT28 +T1053.002,At,Execution|Persistence|Privilege Escalation,Threat Group-3390|BRONZE BUTLER|APT18 +T1548.002,Bypass User Account Control,Privilege Escalation|Defense Evasion,Evilnum|Threat Group-3390|APT37|BRONZE BUTLER|APT29|Patchwork|MuddyWater|Earth Lusca|Cobalt Group +T1585.001,Social Media Accounts,Resource Development,EXOTIC LILY|Magic Hound|Fox Kitten|APT32|Lazarus Group|Leviathan|Kimsuky|Cleaver|Sandworm Team|HEXANE|CURIUM +T1212,Exploitation for Credential Access,Credential Access,no +T1218.013,Mavinject,Defense Evasion,no +T1546.003,Windows Management Instrumentation Event Subscription,Privilege Escalation|Persistence,Mustang Panda|APT29|Leviathan|Metador|APT33|Blue Mockingbird|FIN8|Turla +T1552.004,Private Keys,Credential Access,TeamTNT|Rocke +T1574.008,Path Interception by Search Order Hijacking,Persistence|Privilege Escalation|Defense Evasion,no +T1027.007,Dynamic API Resolution,Defense Evasion,Lazarus Group +T1654,Log Enumeration,Discovery,Volt Typhoon +T1016.001,Internet Connection Discovery,Discovery,Magic Hound|HAFNIUM|HEXANE|APT29|Turla|Gamaredon Group|TA2541|FIN13|FIN8 +T1567.002,Exfiltration to Cloud Storage,Exfiltration,Kimsuky|HEXANE|Earth 
Lusca|Leviathan|ZIRCONIUM|HAFNIUM|Turla|LuminousMoth|Chimera|Threat Group-3390|Confucius|Wizard Spider|POLONIUM|FIN7 +T1218.002,Control Panel,Defense Evasion,Ember Bear +T1583.007,Serverless,Resource Development,no +T1608,Stage Capabilities,Resource Development,Mustang Panda +T1484.001,Group Policy Modification,Defense Evasion|Privilege Escalation,Indrik Spider +T1125,Video Capture,Collection,Silence|FIN7 +T1615,Group Policy Discovery,Discovery,Turla +T1200,Hardware Additions,Initial Access,DarkVishnya +T1564.009,Resource Forking,Defense Evasion,no +T1589.002,Email Addresses,Reconnaissance,Magic Hound|Sandworm Team|TA551|Lazarus Group|HAFNIUM|Silent Librarian|Kimsuky|MuddyWater|HEXANE|APT32|EXOTIC LILY|LAPSUS$ +T1608.003,Install Digital Certificate,Resource Development,no T1578.001,Create Snapshot,Defense Evasion,no -T1578.002,Create Cloud Instance,Defense Evasion,no -T1127.001,MSBuild,Defense Evasion,Frankenstein -T1027.005,Indicator Removal from Tools,Defense Evasion,Operation Wocao|GALLIUM|TEMP.Veles|Patchwork|APT3|Turla|OilRig|Deep Panda -T1562.006,Indicator Blocking,Defense Evasion,no -T1573.002,Asymmetric Cryptography,Command And Control,Operation Wocao|Tropic Trooper|Cobalt Group|OilRig|FIN8|FIN6 -T1573.001,Symmetric Cryptography,Command And Control,Mustang Panda|Darkhotel|ZIRCONIUM|Higaisa|Frankenstein|Inception|APT28|APT33|BRONZE BUTLER|Stealth Falcon|Lazarus Group -T1573,Encrypted Channel,Command And Control,APT29|Tropic Trooper -T1027.004,Compile After Delivery,Defense Evasion,Gamaredon Group|Rocke|MuddyWater -T1574.004,Dylib Hijacking,Persistence|Privilege Escalation|Defense Evasion,no -T1546.015,Component Object Model Hijacking,Privilege Escalation|Persistence,APT28 -T1071.004,DNS,Command And Control,LazyScripter|Chimera|APT39|Tropic Trooper|OilRig|Ke3chang|Cobalt Group|APT18|APT41|FIN7 -T1071.003,Mail Protocols,Command And Control,Turla|Kimsuky|APT32|SilverTerrier|APT28 -T1071.002,File Transfer Protocols,Command And 
Control,Kimsuky|APT41|SilverTerrier|Honeybee -T1071.001,Web Protocols,Command And Control,Kimsuky|Confucius|TeamTNT|FIN8|APT29|Mustang Panda|Windshift|TA551|Higaisa|HAFNIUM|Sidewinder|Chimera|Sandworm Team|TA505|Rocke|APT39|Tropic Trooper|MuddyWater|Wizard Spider|Inception|APT41|SilverTerrier|APT28|WIRTE|APT33|FIN4|Night Dragon|APT18|APT38|Rancor|Ke3chang|Orangeworm|APT37|APT19|Cobalt Group|Threat Group-3390|Dark Caracal|Turla|Lazarus Group|BRONZE BUTLER|Magic Hound|APT32|OilRig|Gamaredon Group|Stealth Falcon -T1572,Protocol Tunneling,Command And Control,Leviathan|CostaRicto|Chimera|Fox Kitten|OilRig|Cobalt Group|FIN6 -T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,Exfiltration,Wizard Spider|FIN6|APT32|APT33|Thrip|FIN8|OilRig|Lazarus Group -T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,Exfiltration,APT28|APT29 -T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,Exfiltration,no +T1614.001,System Language Discovery,Discovery,Ke3chang +T1136,Create Account,Persistence,Indrik Spider +T1573.002,Asymmetric Cryptography,Command And Control,TA2541|Cobalt Group|FIN6|Tropic Trooper|OilRig|FIN8 +T1059.003,Windows Command Shell,Execution,Gorgon Group|menuPass|APT18|Mustang Panda|TA551|Rancor|TA505|Wizard Spider|APT1|Aquatic Panda|HAFNIUM|Fox Kitten|FIN13|APT37|TeamTNT|Blue Mockingbird|GALLIUM|Gamaredon Group|FIN8|FIN6|Patchwork|Threat Group-3390|Suckfly|Chimera|Dark Caracal|LazyScripter|Metador|APT32|Sowbug|Lazarus Group|Tropic Trooper|Machete|Cobalt Group|ZIRCONIUM|Nomadic Octopus|Higaisa|Turla|BRONZE BUTLER|FIN7|FIN10|Dragonfly|APT28|Magic Hound|Volt Typhoon|Kimsuky|Darkhotel|Ember Bear|APT3|Indrik Spider|APT38|admin@338|Silence|Threat Group-1314|MuddyWater|Ke3chang|APT41|OilRig +T1552.007,Container API,Credential Access,no +T1205,Traffic Signaling,Defense Evasion|Persistence|Command And Control,no +T1552.006,Group Policy Preferences,Credential Access,APT33|Wizard Spider +T1104,Multi-Stage Channels,Command And 
Control,APT41|Lazarus Group|MuddyWater|APT3 +T1562.001,Disable or Modify Tools,Defense Evasion,Indrik Spider|Rocke|Gorgon Group|TeamTNT|Wizard Spider|Ember Bear|Aquatic Panda|Turla|Magic Hound|BRONZE BUTLER|TA505|Kimsuky|Putter Panda|TA2541|FIN6|MuddyWater|Gamaredon Group|Lazarus Group|APT29 +T1056,Input Capture,Collection|Credential Access,APT39 +T1585.003,Cloud Accounts,Resource Development,no +T1219,Remote Access Software,Command And Control,DarkVishnya|Cobalt Group|FIN7|RTM|Mustang Panda|Carbanak|Kimsuky|MuddyWater|GOLD SOUTHFIELD|Thrip|Sandworm Team|Evilnum|TeamTNT +T1567.001,Exfiltration to Code Repository,Exfiltration,no +T1566.002,Spearphishing Link,Initial Access,Mofang|Lazarus Group|TA505|Sidewinder|Evilnum|ZIRCONIUM|EXOTIC LILY|APT28|Confucius|Magic Hound|APT3|Mustang Panda|APT1|OilRig|Cobalt Group|MuddyWater|Turla|LazyScripter|Elderwood|Wizard Spider|Kimsuky|FIN7|Ember Bear|Transparent Tribe|Sandworm Team|Molerats|FIN8|APT29|APT39|Machete|Leviathan|APT33|LuminousMoth|FIN4|Windshift|APT32|Earth Lusca|BlackTech|Patchwork|TA2541 +T1036.002,Right-to-Left Override,Defense Evasion,Scarlet Mimic|Ke3chang|BRONZE BUTLER|BlackTech|Ferocious Kitten +T1598.004,Spearphishing Voice,Reconnaissance,LAPSUS$ +T1046,Network Service Discovery,Discovery,FIN13|Suckfly|Leafminer|menuPass|FIN6|APT32|Chimera|Naikon|OilRig|Cobalt Group|BlackTech|Threat Group-3390|Magic Hound|DarkVishnya|Rocke|TeamTNT|Fox Kitten|APT41|Lazarus Group|Tropic Trooper|APT39|BackdoorDiplomacy +T1564.011,Ignore Process Interrupts,Defense Evasion,no +T1098.006,Additional Container Cluster Roles,Persistence|Privilege Escalation,no +T1115,Clipboard Data,Collection,APT38|APT39 +T1554,Compromise Client Software Binary,Persistence,no +T1542.005,TFTP Boot,Defense Evasion|Persistence,no +T1546.002,Screensaver,Privilege Escalation|Persistence,no +T1565.001,Stored Data Manipulation,Impact,APT38 +T1592.002,Software,Reconnaissance,Andariel|Sandworm Team|Magic Hound +T1580,Cloud Infrastructure Discovery,Discovery,no 
+T1211,Exploitation for Defense Evasion,Defense Evasion,APT28 +T1072,Software Deployment Tools,Execution|Lateral Movement,APT32|Sandworm Team|Silence|Threat Group-1314 +T1080,Taint Shared Content,Lateral Movement,BRONZE BUTLER|Darkhotel|Gamaredon Group +T1560.003,Archive via Custom Method,Collection,CopyKittens|Mustang Panda|FIN6|Kimsuky|Lazarus Group +T1070.005,Network Share Connection Removal,Defense Evasion,Threat Group-3390 +T1600.002,Disable Crypto Hardware,Defense Evasion,no +T1542.003,Bootkit,Persistence|Defense Evasion,Lazarus Group|APT41|APT28 +T1555.001,Keychain,Credential Access,no +T1052.001,Exfiltration over USB,Exfiltration,Tropic Trooper|Mustang Panda +T1564.008,Email Hiding Rules,Defense Evasion,FIN4 +T1056.004,Credential API Hooking,Collection|Credential Access,PLATINUM T1001.003,Protocol Impersonation,Command And Control,Higaisa|Lazarus Group -T1001.002,Steganography,Command And Control,APT29|Axiom +T1218.007,Msiexec,Defense Evasion,Machete|ZIRCONIUM|Rancor|Molerats|TA505 +T1036.007,Double File Extension,Defense Evasion,Mustang Panda +T1140,Deobfuscate/Decode Files or Information,Defense Evasion,Darkhotel|Sandworm Team|APT39|BRONZE BUTLER|Gorgon Group|APT28|WIRTE|OilRig|FIN13|Kimsuky|menuPass|APT19|Leviathan|TeamTNT|Rocke|Turla|Threat Group-3390|Molerats|TA505|Ke3chang|Higaisa|Lazarus Group|Earth Lusca|ZIRCONIUM|Tropic Trooper|Gamaredon Group|MuddyWater +T1025,Data from Removable Media,Collection,APT28|Gamaredon Group|Turla +T1136.003,Cloud Account,Persistence,APT29|LAPSUS$ +T1547.007,Re-opened Applications,Persistence|Privilege Escalation,no +T1566.004,Spearphishing Voice,Initial Access,no +T1070.007,Clear Network Connection History and Configurations,Defense Evasion,Volt Typhoon +T1552.003,Bash History,Credential Access,no +T1602,Data from Configuration Repository,Collection,no +T1213.002,Sharepoint,Collection,LAPSUS$|Chimera|Ke3chang|APT28 T1001.001,Junk Data,Command And Control,APT28 -T1132.002,Non-Standard Encoding,Command And Control,no 
-T1132.001,Standard Encoding,Command And Control,HAFNIUM|TA551|Sandworm Team|Tropic Trooper|MuddyWater|APT33|APT19|Lazarus Group|BRONZE BUTLER|Patchwork -T1090.004,Domain Fronting,Command And Control,APT29 -T1090.003,Multi-hop Proxy,Command And Control,Leviathan|CostaRicto|APT28|Operation Wocao|Inception|FIN4|APT29 -T1090.002,External Proxy,Command And Control,Tonto Team|APT39|Silence|GALLIUM|MuddyWater|APT3|FIN5|Lazarus Group|menuPass|APT28 -T1090.001,Internal Proxy,Command And Control,Lazarus Group|Turla|APT29|Higaisa|Operation Wocao|APT39|Strider -T1102.003,One-Way Communication,Command And Control,Leviathan -T1102.002,Bidirectional Communication,Command And Control,Kimsuky|Lazarus Group|ZIRCONIUM|MuddyWater|APT28|APT29|Sandworm Team|APT39|APT12|Turla|FIN7|APT37|Magic Hound|Carbanak -T1102.001,Dead Drop Resolver,Command And Control,Rocke|APT41|BRONZE BUTLER|RTM|Patchwork -T1571,Non-Standard Port,Command And Control,WIRTE|Sandworm Team|Rocke|DarkVishnya|Silence|APT-C-36|Magic Hound|APT33|APT32|TEMP.Veles|Lazarus Group|FIN7 -T1074.002,Remote Data Staging,Collection,Leviathan|APT28|APT29|Chimera|Threat Group-3390|menuPass|FIN6|Night Dragon|FIN8 -T1074.001,Local Data Staging,Collection,Dragonfly|Indrik Spider|BackdoorDiplomacy|Mustang Panda|Sidewinder|Chimera|Kimsuky|APT39|Operation Wocao|GALLIUM|TEMP.Veles|Patchwork|Honeybee|Dragonfly 2.0|Leviathan|APT3|FIN5|menuPass|Lazarus Group|Threat Group-3390|APT28 -T1078.004,Cloud Accounts,Defense Evasion|Persistence|Privilege Escalation|Initial Access,Ke3chang|APT29|APT28|APT33 -T1564.004,NTFS File Attributes,Defense Evasion,APT32 -T1564.003,Hidden Window,Defense Evasion,Gamaredon Group|Kimsuky|Nomadic Octopus|Higaisa|Gorgon Group|Deep Panda|DarkHydrus|CopyKittens|APT19|APT32|APT28|APT3|Magic Hound -T1078.003,Local Accounts,Defense Evasion|Persistence|Privilege Escalation|Initial Access,APT29|Kimsuky|HAFNIUM|Turla|Operation Wocao|PROMETHIUM|Tropic Trooper|FIN10|APT32 -T1078.002,Domain Accounts,Defense 
Evasion|Persistence|Privilege Escalation|Initial Access,Naikon|Indrik Spider|Chimera|Operation Wocao|Sandworm Team|Wizard Spider|APT29|TA505|APT3|Threat Group-1314 -T1078.001,Default Accounts,Defense Evasion|Persistence|Privilege Escalation|Initial Access,no -T1564.002,Hidden Users,Defense Evasion,Kimsuky|Dragonfly|Dragonfly 2.0 -T1574.006,Dynamic Linker Hijacking,Persistence|Privilege Escalation|Defense Evasion,APT41|Rocke -T1574.002,DLL Side-Loading,Persistence|Privilege Escalation|Defense Evasion,Lazarus Group|Mustang Panda|Higaisa|BlackTech|Sidewinder|Chimera|BRONZE BUTLER|Naikon|APT41|GALLIUM|Tropic Trooper|APT19|Patchwork|APT32|APT3|menuPass|Threat Group-3390 -T1574.001,DLL Search Order Hijacking,Persistence|Privilege Escalation|Defense Evasion,Aquatic Panda|BackdoorDiplomacy|Tonto Team|Evilnum|APT41|Whitefly|RTM|Threat Group-3390|menuPass -T1574.008,Path Interception by Search Order Hijacking,Persistence|Privilege Escalation|Defense Evasion,no -T1574.007,Path Interception by PATH Environment Variable,Persistence|Privilege Escalation|Defense Evasion,no -T1574.009,Path Interception by Unquoted Path,Persistence|Privilege Escalation|Defense Evasion,no -T1574.011,Services Registry Permissions Weakness,Persistence|Privilege Escalation|Defense Evasion,no -T1574.005,Executable Installer File Permissions Weakness,Persistence|Privilege Escalation|Defense Evasion,no -T1574.010,Services File Permissions Weakness,Persistence|Privilege Escalation|Defense Evasion,no -T1574,Hijack Execution Flow,Persistence|Privilege Escalation|Defense Evasion,no -T1069.001,Local Groups,Discovery,Tonto Team|Chimera|Operation Wocao|Turla|OilRig|admin@338 -T1570,Lateral Tool Transfer,Lateral Movement,Sandworm Team|Chimera|GALLIUM|Operation Wocao|APT32|Wizard Spider|Turla|FIN10 -T1568.003,DNS Calculation,Command And Control,APT12 -T1204.002,Malicious File,Execution,LazyScripter|WIRTE|Confucius|Dragonfly|Threat Group-3390|Nomadic Octopus|Indrik Spider|APT38|Andariel|Ferocious 
Kitten|IndigoZebra|Transparent Tribe|Tonto Team|Magic Hound|Ajax Security Team|Mustang Panda|TA551|Higaisa|Sidewinder|Kimsuky|FIN6|PROMETHIUM|APT30|Windshift|APT33|Sandworm Team|Naikon|Whitefly|Tropic Trooper|Gamaredon Group|Sharpshooter|Molerats|Wizard Spider|Mofang|Frankenstein|RTM|Inception|BlackTech|APT-C-36|Machete|admin@338|APT12|TA505|Silence|The White Company|APT39|FIN4|Darkhotel|Gallmaker|Dragonfly 2.0|FIN7|BRONZE BUTLER|Gorgon Group|OilRig|Dark Caracal|Cobalt Group|DarkHydrus|Rancor|Patchwork|APT32|APT19|MuddyWater|Lazarus Group|menuPass|APT37|Leviathan|TA459|APT29|APT28|FIN8|PLATINUM|Elderwood -T1204.001,Malicious Link,Execution,LazyScripter|Kimsuky|Lazarus Group|Confucius|FIN7|Transparent Tribe|APT3|Magic Hound|APT28|APT29|Mustang Panda|Sidewinder|ZIRCONIUM|MuddyWater|Evilnum|Sandworm Team|Wizard Spider|Patchwork|Windshift|APT32|Molerats|Mofang|BlackTech|TA505|OilRig|Machete|Leviathan|FIN8|FIN4|Elderwood|Dragonfly 2.0|Cobalt Group|APT39|Night Dragon|Turla|APT33 -T1195.003,Compromise Hardware Supply Chain,Initial Access,no -T1195.002,Compromise Software Supply Chain,Initial Access,Gelsemium|Threat Group-3390|APT29|Cobalt Group|GOLD SOUTHFIELD|Dragonfly|Sandworm Team|APT41 -T1195.001,Compromise Software Dependencies and Development Tools,Initial Access,no -T1568.001,Fast Flux DNS,Command And Control,menuPass|TA505 -T1052.001,Exfiltration over USB,Exfiltration,Mustang Panda|Tropic Trooper -T1569.002,Service Execution,Execution,APT38|Chimera|Operation Wocao|Wizard Spider|Blue Mockingbird|APT39|APT41|Silence|FIN6|APT32|Honeybee|Ke3chang -T1569.001,Launchctl,Execution,no -T1569,System Services,Execution,no -T1568.002,Domain Generation Algorithms,Command And Control,TA551|APT41 -T1568,Dynamic Resolution,Command And Control,Gamaredon Group|Gelsemium|Transparent Tribe|APT29 -T1011.001,Exfiltration Over Bluetooth,Exfiltration,no -T1567.002,Exfiltration to Cloud Storage,Exfiltration,Kimsuky|Threat Group-3390|Confucius|Lazarus 
Group|FIN7|ZIRCONIUM|HAFNIUM|Chimera|Leviathan|Turla -T1567.001,Exfiltration to Code Repository,Exfiltration,no -T1059.006,Python,Execution,Dragonfly|Tonto Team|APT37|ZIRCONIUM|MuddyWater|Turla|Operation Wocao|Kimsuky|APT29|Rocke|BRONZE BUTLER|APT39|Dragonfly 2.0|Machete -T1059.005,Visual Basic,Execution,Confucius|Lazarus Group|LazyScripter|OilRig|APT38|Transparent Tribe|APT29|Mustang Panda|Windshift|Higaisa|Sidewinder|APT39|Machete|Operation Wocao|Kimsuky|APT33|Sandworm Team|Gamaredon Group|Sharpshooter|Molerats|Frankenstein|Inception|APT-C-36|Rancor|Patchwork|MuddyWater|Honeybee|FIN7|APT37|BRONZE BUTLER|APT32|Turla|TA505|Silence|WIRTE|FIN4|Cobalt Group|Gorgon Group|Leviathan|TA459|Magic Hound -T1059.004,Unix Shell,Execution,TeamTNT|Rocke|APT41 -T1059.003,Windows Command Shell,Execution,Kimsuky|Aquatic Panda|Dragonfly|LazyScripter|Sandworm Team|Nomadic Octopus|TeamTNT|APT29|Mustang Panda|ZIRCONIUM|TA551|Higaisa|Indrik Spider|Chimera|Fox Kitten|Machete|Operation Wocao|Wizard Spider|FIN6|TA505|Blue Mockingbird|Tropic Trooper|Frankenstein|OilRig|Lazarus Group|Honeybee|Cobalt Group|FIN7|APT41|GALLIUM|Turla|Silence|APT32|Darkhotel|MuddyWater|APT18|APT38|Gorgon Group|Dark Caracal|Ke3chang|Dragonfly 2.0|Rancor|FIN8|APT28|APT37|Magic Hound|BRONZE BUTLER|Sowbug|menuPass|FIN10|Threat Group-3390|Gamaredon Group|Patchwork|Suckfly|Threat Group-1314|APT3|admin@338|APT1 +T1594,Search Victim-Owned Websites,Reconnaissance,Sandworm Team|Kimsuky|EXOTIC LILY|Silent Librarian +T1195.002,Compromise Software Supply Chain,Initial Access,Dragonfly|FIN7|Sandworm Team|Cobalt Group|GOLD SOUTHFIELD|Threat Group-3390|APT41 +T1053,Scheduled Task/Job,Execution|Persistence|Privilege Escalation,Earth Lusca +T1588.005,Exploits,Resource Development,Kimsuky +T1069.001,Local Groups,Discovery,HEXANE|admin@338|Chimera|Turla|Tonto Team|Volt Typhoon|OilRig +T1612,Build Image on Host,Defense Evasion,no +T1556.005,Reversible Encryption,Credential Access|Defense Evasion|Persistence,no +T1591.003,Identify 
Business Tempo,Reconnaissance,no +T1586.001,Social Media Accounts,Resource Development,Leviathan +T1098.003,Additional Cloud Roles,Persistence|Privilege Escalation,LAPSUS$ +T1505.002,Transport Agent,Persistence,no T1059.002,AppleScript,Execution,no -T1059.001,PowerShell,Execution,Gamaredon Group|Lazarus Group|Aquatic Panda|Confucius|Dragonfly|LazyScripter|Nomadic Octopus|TeamTNT|APT38|Tonto Team|Mustang Panda|Indrik Spider|HAFNIUM|Sidewinder|Fox Kitten|GOLD SOUTHFIELD|Sandworm Team|Operation Wocao|Chimera|Blue Mockingbird|APT39|DarkVishnya|Molerats|Wizard Spider|Frankenstein|Inception|Silence|APT41|Kimsuky|GALLIUM|TA505|WIRTE|TEMP.Veles|APT33|Gallmaker|Turla|Thrip|Cobalt Group|APT28|DarkHydrus|Dragonfly 2.0|APT19|Gorgon Group|TA459|Leviathan|MuddyWater|FIN8|CopyKittens|OilRig|Magic Hound|BRONZE BUTLER|FIN7|APT32|menuPass|FIN10|Threat Group-3390|Patchwork|Stealth Falcon|FIN6|Poseidon Group|APT3|APT29|Deep Panda -T1567,Exfiltration Over Web Service,Exfiltration,APT28 -T1497.003,Time Based Evasion,Defense Evasion|Discovery,no -T1497.002,User Activity Based Checks,Defense Evasion|Discovery,Darkhotel|FIN7 -T1497.001,System Checks,Defense Evasion|Discovery,Lazarus Group|OilRig|Darkhotel|Evilnum|Frankenstein -T1498.002,Reflection Amplification,Impact,no -T1498.001,Direct Network Flood,Impact,no -T1566.003,Spearphishing via Service,Initial Access,Lazarus Group|APT29|Ajax Security Team|Magic Hound|Windshift|FIN6|OilRig|Dark Caracal -T1566.002,Spearphishing Link,Initial Access,Lazarus Group|Confucius|LazyScripter|Transparent Tribe|FIN7|APT3|Mustang Panda|ZIRCONIUM|MuddyWater|Sidewinder|Evilnum|Sandworm Team|Wizard Spider|APT1|Windshift|Molerats|Mofang|BlackTech|Machete|Kimsuky|TA505|APT39|FIN4|APT32|Night Dragon|APT28|Cobalt Group|Turla|Dragonfly 2.0|OilRig|Elderwood|APT33|APT29|Leviathan|FIN8|Patchwork|Magic Hound -T1566.001,Spearphishing Attachment,Initial Access,WIRTE|Confucius|Dragonfly|LazyScripter|Threat Group-3390|APT38|Andariel|Ferocious 
Kitten|IndigoZebra|Transparent Tribe|Nomadic Octopus|Tonto Team|Ajax Security Team|Mustang Panda|TA551|Higaisa|Sidewinder|APT1|FIN6|APT30|Windshift|APT33|Sandworm Team|Naikon|Gamaredon Group|Sharpshooter|Molerats|Mofang|Wizard Spider|RTM|Frankenstein|Inception|BlackTech|APT-C-36|APT41|Machete|admin@338|Kimsuky|APT12|TA505|Silence|The White Company|APT39|FIN4|Darkhotel|Gallmaker|Tropic Trooper|DarkHydrus|Lazarus Group|Gorgon Group|OilRig|BRONZE BUTLER|APT19|APT32|Cobalt Group|Rancor|FIN7|Dragonfly 2.0|MuddyWater|APT28|TA459|APT29|APT37|Leviathan|FIN8|Patchwork|menuPass|Elderwood|PLATINUM -T1566,Phishing,Initial Access,Axiom|GOLD SOUTHFIELD|Dragonfly -T1565.003,Runtime Data Manipulation,Impact,APT38 -T1565.002,Transmitted Data Manipulation,Impact,APT38 -T1565.001,Stored Data Manipulation,Impact,APT38 -T1565,Data Manipulation,Impact,no -T1564.001,Hidden Files and Directories,Defense Evasion,Transparent Tribe|Mustang Panda|Rocke|APT32|Tropic Trooper|APT28|Lazarus Group -T1564,Hide Artifacts,Defense Evasion,no +T1078.001,Default Accounts,Defense Evasion|Persistence|Privilege Escalation|Initial Access,Magic Hound|FIN13 +T1562.004,Disable or Modify System Firewall,Defense Evasion,Rocke|Kimsuky|Magic Hound|TeamTNT|Carbanak|Dragonfly|Lazarus Group|APT38|Moses Staff T1563.002,RDP Hijacking,Lateral Movement,Axiom -T1563.001,SSH Hijacking,Lateral Movement,no -T1563,Remote Service Session Hijacking,Lateral Movement,no -T1518.001,Security Software Discovery,Discovery,Kimsuky|Aquatic Panda|TeamTNT|APT38|Windshift|Sidewinder|Operation Wocao|Wizard Spider|Turla|Rocke|Frankenstein|The White Company|Cobalt Group|Darkhotel|MuddyWater|Tropic Trooper|FIN8|Patchwork|Naikon -T1069.003,Cloud Groups,Discovery,no -T1069.002,Domain Groups,Discovery,APT29|Dragonfly|Turla|Inception|OilRig|Dragonfly 2.0|Ke3chang -T1087.004,Cloud Account,Discovery,APT29 -T1087.003,Email Account,Discovery,Sandworm Team|TA505 -T1087.002,Domain Account,Discovery,APT29|Lazarus Group|Dragonfly|MuddyWater|Fox 
Kitten|Operation Wocao|Wizard Spider|Chimera|Turla|Sandworm Team|Dragonfly 2.0|OilRig|BRONZE BUTLER|menuPass|FIN6|Poseidon Group|Ke3chang -T1087.001,Local Account,Discovery,Chimera|Fox Kitten|Turla|Poseidon Group|OilRig|Ke3chang|APT32|APT1|Threat Group-3390|APT3|admin@338 -T1553.004,Install Root Certificate,Defense Evasion,no -T1562.004,Disable or Modify System Firewall,Defense Evasion,Dragonfly|TeamTNT|APT38|APT29|Operation Wocao|Rocke|Lazarus Group|Kimsuky|Dragonfly 2.0|Carbanak -T1562.003,Impair Command History Logging,Defense Evasion,APT38 -T1562.002,Disable Windows Event Logging,Defense Evasion,Sandworm Team|APT29|Threat Group-3390 -T1562.001,Disable or Modify Tools,Defense Evasion,Aquatic Panda|TeamTNT|Indrik Spider|APT29|MuddyWater|Wizard Spider|FIN6|Gamaredon Group|BRONZE BUTLER|Rocke|Kimsuky|Turla|Night Dragon|Gorgon Group|Lazarus Group|Putter Panda -T1562,Impair Defenses,Defense Evasion,no -T1003.004,LSA Secrets,Credential Access,Dragonfly|OilRig|MuddyWater|menuPass|Leafminer|Ke3chang|Dragonfly 2.0|APT33|Threat Group-3390 -T1003.005,Cached Domain Credentials,Credential Access,OilRig|MuddyWater|Leafminer|APT33 -T1561.002,Disk Structure Wipe,Impact,Sandworm Team|Lazarus Group|APT38|APT37 -T1561.001,Disk Content Wipe,Impact,Lazarus Group -T1561,Disk Wipe,Impact,no -T1560.003,Archive via Custom Method,Collection,Mustang Panda|Lazarus Group|Kimsuky|CopyKittens|FIN6 -T1560.002,Archive via Library,Collection,Lazarus Group|Threat Group-3390 -T1560.001,Archive via Utility,Collection,Kimsuky|Aquatic Panda|APT28|APT29|Mustang Panda|HAFNIUM|Fox Kitten|Operation Wocao|Chimera|APT41|GALLIUM|Turla|Gallmaker|APT33|APT39|MuddyWater|Magic Hound|FIN8|BRONZE BUTLER|CopyKittens|Sowbug|APT3|menuPass|APT1|Ke3chang -T1560,Archive Collected Data,Collection,Axiom|Dragonfly|Leviathan|menuPass|APT32|Honeybee|Patchwork|APT28|Dragonfly 2.0|FIN6|Lazarus Group|Ke3chang -T1499.004,Application or System Exploitation,Impact,no -T1499.003,Application Exhaustion Flood,Impact,no 
-T1499.002,Service Exhaustion Flood,Impact,no -T1499.001,OS Exhaustion Flood,Impact,no -T1491.002,External Defacement,Impact,Sandworm Team -T1491.001,Internal Defacement,Impact,Gamaredon Group|Lazarus Group -T1114.003,Email Forwarding Rule,Collection,Silent Librarian|Kimsuky -T1114.002,Remote Email Collection,Collection,Kimsuky|Dragonfly|APT29|HAFNIUM|Chimera|APT1|FIN4|Ke3chang|Leafminer|Dragonfly 2.0|APT28 -T1114.001,Local Email Collection,Collection,Chimera|Magic Hound|APT1 -T1134.005,SID-History Injection,Defense Evasion|Privilege Escalation,no +T1558.003,Kerberoasting,Credential Access,FIN7|Wizard Spider +T1059.001,PowerShell,Execution,Gorgon Group|APT33|TA505|Volt Typhoon|Chimera|LazyScripter|BRONZE BUTLER|APT19|Lazarus Group|Threat Group-3390|Confucius|TeamTNT|HEXANE|OilRig|Silence|FIN6|GALLIUM|Cobalt Group|Leviathan|HAFNIUM|APT41|Patchwork|APT29|Aquatic Panda|FIN13|Poseidon Group|Sandworm Team|GOLD SOUTHFIELD|APT32|CopyKittens|Tonto Team|APT39|MoustachedBouncer|MuddyWater|FIN8|Sidewinder|menuPass|Kimsuky|Dragonfly|Indrik Spider|Magic Hound|WIRTE|Thrip|TA459|DarkHydrus|Ember Bear|DarkVishnya|Mustang Panda|Fox Kitten|Deep Panda|Gamaredon Group|TA2541|Earth Lusca|Gallmaker|APT3|Nomadic Octopus|Molerats|Blue Mockingbird|Wizard Spider|Turla|APT28|FIN10|Stealth Falcon|Inception|FIN7|APT38|TEMP.Veles +T1195.001,Compromise Software Dependencies and Development Tools,Initial Access,no +T1497.001,System Checks,Defense Evasion|Discovery,Evilnum|OilRig|Volt Typhoon|Darkhotel +T1005,Data from Local System,Collection,FIN13|Threat Group-3390|LAPSUS$|Sandworm Team|Dragonfly|LuminousMoth|menuPass|APT3|Axiom|APT38|APT39|BRONZE BUTLER|Gamaredon Group|Wizard Spider|Windigo|GALLIUM|APT41|CURIUM|Kimsuky|Volt Typhoon|FIN6|APT1|Ke3chang|Patchwork|Stealth Falcon|Inception|APT28|FIN7|Dark Caracal|APT37|APT29|Fox Kitten|HAFNIUM|Lazarus Group|Turla|Magic Hound|Andariel +T1552.002,Credentials in Registry,Credential Access,APT32 +T1218.005,Mshta,Defense 
Evasion,APT32|Confucius|APT29|Gamaredon Group|Inception|Lazarus Group|TA2541|TA551|Sidewinder|Mustang Panda|FIN7|Kimsuky|MuddyWater|Earth Lusca|LazyScripter|SideCopy +T1547.014,Active Setup,Persistence|Privilege Escalation,no +T1486,Data Encrypted for Impact,Impact,Indrik Spider|TA505|APT41|Magic Hound|Sandworm Team|APT38|FIN7|FIN8 +T1003.008,/etc/passwd and /etc/shadow,Credential Access,no +T1078,Valid Accounts,Defense Evasion|Persistence|Privilege Escalation|Initial Access,Silent Librarian|FIN6|APT39|Silence|Fox Kitten|GALLIUM|APT41|APT18|FIN10|POLONIUM|menuPass|Axiom|TEMP.Veles|FIN8|Wizard Spider|Leviathan|Sandworm Team|Dragonfly|OilRig|PittyTiger|Chimera|FIN4|LAPSUS$|Suckfly|Carbanak|Lazarus Group|Ke3chang|Threat Group-3390|APT28|APT29|FIN7|FIN5|APT33 +T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,Credential Access|Collection,Wizard Spider|Lazarus Group +T1606.002,SAML Tokens,Credential Access,no +T1498.001,Direct Network Flood,Impact,no +T1210,Exploitation of Remote Services,Lateral Movement,Threat Group-3390|APT28|menuPass|Earth Lusca|FIN7|Tonto Team|MuddyWater|Dragonfly|Wizard Spider|Fox Kitten +T1074.002,Remote Data Staging,Collection,MoustachedBouncer|menuPass|Leviathan|FIN8|APT28|Chimera|Threat Group-3390|FIN6 +T1202,Indirect Command Execution,Defense Evasion,Lazarus Group +T1495,Firmware Corruption,Impact,no +T1555.004,Windows Credential Manager,Credential Access,Turla|Stealth Falcon|Wizard Spider|OilRig +T1561.002,Disk Structure Wipe,Impact,Lazarus Group|APT37|Sandworm Team|APT38 +T1102.003,One-Way Communication,Command And Control,Leviathan +T1574.009,Path Interception by Unquoted Path,Persistence|Privilege Escalation|Defense Evasion,no +T1190,Exploit Public-Facing Application,Initial Access,GOLD SOUTHFIELD|Volatile Cedar|BackdoorDiplomacy|Dragonfly|APT41|Rocke|Axiom|Magic Hound|MuddyWater|Kimsuky|Volt Typhoon|FIN13|GALLIUM|APT28|menuPass|HAFNIUM|Ke3chang|Moses Staff|Blue Mockingbird|Earth Lusca|Threat Group-3390|Fox Kitten|APT39|APT29|BlackTech 
+T1648,Serverless Execution,Execution,no +T1595.002,Vulnerability Scanning,Reconnaissance,Magic Hound|Aquatic Panda|Volatile Cedar|TeamTNT|Earth Lusca|Sandworm Team|Dragonfly|APT28|APT29 +T1095,Non-Application Layer Protocol,Command And Control,Metador|PLATINUM|BackdoorDiplomacy|APT3|BITTER|FIN6|HAFNIUM +T1087.001,Local Account,Discovery,Moses Staff|APT3|APT1|OilRig|Fox Kitten|APT32|Chimera|Threat Group-3390|Turla|Poseidon Group|Ke3chang|admin@338 +T1218.008,Odbcconf,Defense Evasion,Cobalt Group +T1547.005,Security Support Provider,Persistence|Privilege Escalation,no +T1598.003,Spearphishing Link,Reconnaissance,Sandworm Team|Mustang Panda|Sidewinder|Dragonfly|Patchwork|APT32|ZIRCONIUM|Silent Librarian|Kimsuky|Magic Hound|APT28 +T1040,Network Sniffing,Credential Access|Discovery,DarkVishnya|Kimsuky|Sandworm Team|APT28|APT33 +T1087.003,Email Account,Discovery,Magic Hound|TA505|Sandworm Team +T1071,Application Layer Protocol,Command And Control,Rocke|Magic Hound|TeamTNT +T1129,Shared Modules,Execution,no +T1204.002,Malicious File,Execution,FIN6|Darkhotel|TA551|Indrik Spider|Transparent Tribe|Naikon|Inception|Mofang|Higaisa|Wizard Spider|SideCopy|Leviathan|APT29|Tonto Team|APT38|PLATINUM|Tropic Trooper|Cobalt Group|APT33|BRONZE BUTLER|APT30|Sandworm Team|Windshift|Ember Bear|Ferocious Kitten|APT32|APT37|OilRig|FIN4|APT-C-36|Threat Group-3390|CURIUM|Whitefly|BlackTech|Earth Lusca|Andariel|APT39|Aoqin Dragon|The White Company|WIRTE|RTM|HEXANE|Gallmaker|Kimsuky|Gorgon Group|APT28|PROMETHIUM|Mustang Panda|Elderwood|Gamaredon Group|admin@338|LazyScripter|Sidewinder|Patchwork|Silence|BITTER|TA2541|DarkHydrus|Machete|Dark Caracal|Rancor|FIN7|FIN8|MuddyWater|IndigoZebra|TA459|menuPass|Nomadic Octopus|APT19|Magic Hound|Molerats|Confucius|Dragonfly|TA505|APT12|EXOTIC LILY|Lazarus Group|Ajax Security Team +T1070.009,Clear Persistence,Defense Evasion,no +T1021.004,SSH,Lateral Movement,BlackTech|Fox Kitten|TEMP.Veles|OilRig|Rocke|Lazarus 
Group|FIN7|GCMAN|FIN13|Leviathan|menuPass|TeamTNT|APT39 +T1583.002,DNS Server,Resource Development,Axiom|HEXANE +T1090.003,Multi-hop Proxy,Command And Control,Inception|Leviathan|APT29|FIN4|APT28 T1134.004,Parent PID Spoofing,Defense Evasion|Privilege Escalation,no -T1134.003,Make and Impersonate Token,Defense Evasion|Privilege Escalation,no -T1134.002,Create Process with Token,Defense Evasion|Privilege Escalation,Turla|Lazarus Group -T1134.001,Token Impersonation/Theft,Defense Evasion|Privilege Escalation,FIN8|APT28 -T1213.002,Sharepoint,Collection,Chimera|Ke3chang|APT28 -T1213.001,Confluence,Collection,no -T1555.003,Credentials from Web Browsers,Credential Access,APT29|Ajax Security Team|ZIRCONIUM|FIN6|Sandworm Team|Inception|Stealth Falcon|OilRig|Leafminer|APT33|APT3|Kimsuky|TA505|MuddyWater|APT37|Patchwork|Molerats -T1555.002,Securityd Memory,Credential Access,no -T1555.001,Keychain,Credential Access,no -T1559.002,Dynamic Data Exchange,Execution,Leviathan|Sidewinder|Sharpshooter|TA505|MuddyWater|Gallmaker|Patchwork|Cobalt Group|APT37|FIN7|APT28 -T1559.001,Component Object Model,Execution,Gamaredon Group|MuddyWater -T1559,Inter-Process Communication,Execution,no -T1558.002,Silver Ticket,Credential Access,no -T1558.001,Golden Ticket,Credential Access,Ke3chang -T1558,Steal or Forge Kerberos Tickets,Credential Access,no -T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,Credential Access|Collection,Lazarus Group|Wizard Spider +T1221,Template Injection,Defense Evasion,Gamaredon Group|Dragonfly|Tropic Trooper|APT28|DarkHydrus|Inception|Confucius +T1584.005,Botnet,Resource Development,Axiom|Volt Typhoon|Sandworm Team T1557,Adversary-in-the-Middle,Credential Access|Collection,Kimsuky -T1556.002,Password Filter DLL,Credential Access|Defense Evasion|Persistence,Strider -T1556.001,Domain Controller Authentication,Credential Access|Defense Evasion|Persistence,Chimera -T1556,Modify Authentication Process,Credential Access|Defense Evasion|Persistence,no -T1056.004,Credential 
API Hooking,Collection|Credential Access,PLATINUM -T1056.003,Web Portal Capture,Collection|Credential Access,no -T1056.002,GUI Input Capture,Collection|Credential Access,FIN4 -T1056.001,Keylogging,Collection|Credential Access,Tonto Team|Ajax Security Team|Operation Wocao|APT32|Sandworm Team|APT39|APT41|Kimsuky|menuPass|FIN4|APT38|OilRig|Ke3chang|PLATINUM|Sowbug|Magic Hound|Group5|Lazarus Group|Threat Group-3390|APT3|Darkhotel|APT28 -T1555,Credentials from Password Stores,Credential Access,APT29|Evilnum|FIN6|APT39|OilRig|MuddyWater|Leafminer|APT33|Stealth Falcon -T1552.005,Cloud Instance Metadata API,Credential Access,TeamTNT -T1003.008,/etc/passwd and /etc/shadow,Credential Access,no +T1602.001,SNMP (MIB Dump),Collection,no +T1553.006,Code Signing Policy Modification,Defense Evasion,Turla|APT39 +T1055.015,ListPlanting,Defense Evasion|Privilege Escalation,no T1003.007,Proc Filesystem,Credential Access,no -T1003.006,DCSync,Credential Access,APT29|Operation Wocao -T1558.003,Kerberoasting,Credential Access,FIN7|APT29|Operation Wocao|Wizard Spider -T1552.006,Group Policy Preferences,Credential Access,APT33 -T1003.003,NTDS,Credential Access,Ke3chang|Dragonfly|APT28|Mustang Panda|HAFNIUM|Fox Kitten|menuPass|Wizard Spider|Chimera|FIN6|Dragonfly 2.0 -T1003.002,Security Account Manager,Credential Access,Dragonfly|Wizard Spider|Threat Group-3390|Ke3chang|GALLIUM|Night Dragon|Dragonfly 2.0|menuPass -T1003.001,LSASS Memory,Credential Access,Aquatic Panda|Indrik Spider|HAFNIUM|Fox Kitten|Operation Wocao|Kimsuky|Sandworm Team|Whitefly|Blue Mockingbird|Silence|Threat Group-3390|Leviathan|APT41|GALLIUM|TEMP.Veles|APT33|APT39|APT32|Leafminer|Magic Hound|FIN8|PLATINUM|MuddyWater|OilRig|BRONZE BUTLER|FIN6|APT3|APT28|APT1|Ke3chang|Cleaver -T1110.004,Credential Stuffing,Credential Access,Chimera -T1110.003,Password Spraying,Credential Access,Sandworm Team|APT29|Silent Librarian|Chimera|APT28|APT33|Leafminer|Lazarus Group -T1110.002,Password Cracking,Credential 
Access,Dragonfly|FIN6|APT41|Dragonfly 2.0|APT3 -T1110.001,Password Guessing,Credential Access,APT28 -T1021.006,Windows Remote Management,Lateral Movement,APT29|Chimera|Wizard Spider|Threat Group-3390 -T1021.005,VNC,Lateral Movement,Gamaredon Group|FIN7|Fox Kitten|GCMAN -T1021.004,SSH,Lateral Movement,BlackTech|Lazarus Group|TeamTNT|FIN7|Fox Kitten|Rocke|TEMP.Veles|Leviathan|APT39|OilRig|menuPass|GCMAN -T1021.003,Distributed Component Object Model,Lateral Movement,no -T1021.002,SMB/Windows Admin Shares,Lateral Movement,APT29|Sandworm Team|APT28|Fox Kitten|APT41|Operation Wocao|Wizard Spider|Chimera|Blue Mockingbird|APT39|APT32|Orangeworm|FIN8|APT3|Lazarus Group|Threat Group-1314|Turla|Deep Panda|Ke3chang -T1021.001,Remote Desktop Protocol,Lateral Movement,APT29|Dragonfly|Kimsuky|FIN7|Fox Kitten|Chimera|Blue Mockingbird|Wizard Spider|Silence|APT41|TEMP.Veles|Leviathan|APT39|Cobalt Group|Dragonfly 2.0|FIN8|APT3|OilRig|FIN10|menuPass|Patchwork|FIN6|Lazarus Group|APT1|Axiom -T1554,Compromise Client Software Binary,Persistence,no -T1036.006,Space after Filename,Defense Evasion,no -T1036.005,Match Legitimate Name or Location,Defense Evasion,Ke3chang|Kimsuky|Gamaredon Group|WIRTE|APT28|Ferocious Kitten|FIN7|BackdoorDiplomacy|Transparent Tribe|Naikon|APT29|Mustang Panda|Sidewinder|Darkhotel|Lazarus Group|Indrik Spider|Fox Kitten|Machete|Chimera|PROMETHIUM|Rocke|Sandworm Team|APT39|Blue Mockingbird|Whitefly|Tropic Trooper|Silence|APT41|menuPass|TEMP.Veles|MuddyWater|Sowbug|BRONZE BUTLER|APT32|Patchwork|Poseidon Group|admin@338|Carbanak|APT1 -T1036.004,Masquerade Task or Service,Defense Evasion,Lazarus Group|BackdoorDiplomacy|APT41|Naikon|ZIRCONIUM|APT29|Higaisa|Fox Kitten|Kimsuky|PROMETHIUM|Wizard Spider|APT-C-36|Carbanak|APT32|FIN6|FIN7 -T1036.003,Rename System Utilities,Defense Evasion,Lazarus Group|menuPass|APT32|GALLIUM -T1036.002,Right-to-Left Override,Defense Evasion,Ferocious Kitten|BRONZE BUTLER|BlackTech|Ke3chang|Scarlet Mimic -T1036.001,Invalid Code 
Signature,Defense Evasion,Windshift|APT37 -T1553.003,SIP and Trust Provider Hijacking,Defense Evasion,no -T1553.002,Code Signing,Defense Evasion,Lazarus Group|menuPass|APT29|GALLIUM|Wizard Spider|Kimsuky|PROMETHIUM|Patchwork|Silence|APT41|FIN6|TA505|FIN7|Honeybee|Leviathan|CopyKittens|Winnti Group|Suckfly|Molerats|Darkhotel -T1553.001,Gatekeeper Bypass,Defense Evasion,no -T1553,Subvert Trust Controls,Defense Evasion,Axiom -T1027.003,Steganography,Defense Evasion,Andariel|Leviathan|TA551|BRONZE BUTLER|Tropic Trooper|MuddyWater|APT37 -T1027.002,Software Packing,Defense Evasion,Threat Group-3390|Lazarus Group|Sandworm Team|Kimsuky|TeamTNT|ZIRCONIUM|TA505|Rocke|GALLIUM|The White Company|APT39|APT38|Dark Caracal|Elderwood|APT3|Patchwork|APT29|Night Dragon -T1027.001,Binary Padding,Defense Evasion,APT29|Mustang Panda|Higaisa|Gamaredon Group|Patchwork|APT32|Leviathan|BRONZE BUTLER|Moafee -T1222.002,Linux and Mac File and Directory Permissions Modification,Defense Evasion,TeamTNT|Rocke|APT32 -T1222.001,Windows File and Directory Permissions Modification,Defense Evasion,Wizard Spider -T1552.004,Private Keys,Credential Access,TeamTNT|APT29|Operation Wocao|Rocke -T1552.003,Bash History,Credential Access,no -T1552.002,Credentials in Registry,Credential Access,APT32 -T1552.001,Credentials In Files,Credential Access,TeamTNT|Kimsuky|Fox Kitten|Leafminer|APT33|OilRig|TA505|MuddyWater|APT3 -T1552,Unsecured Credentials,Credential Access,no +T1584.001,Domains,Resource Development,APT1|Kimsuky|SideCopy|Magic Hound|Transparent Tribe +T1070.001,Clear Windows Event Logs,Defense Evasion,FIN8|APT28|Indrik Spider|Dragonfly|FIN5|Chimera|APT41|APT38|APT32 +T1205.002,Socket Filters,Defense Evasion|Persistence|Command And Control,no +T1555.003,Credentials from Web Browsers,Credential Access,OilRig|APT37|Inception|TA505|Patchwork|FIN6|APT33|LAPSUS$|Molerats|APT3|ZIRCONIUM|MuddyWater|HEXANE|Sandworm Team|Ajax Security Team|Leafminer|Stealth Falcon|Kimsuky +T1132.002,Non-Standard Encoding,Command 
And Control,no +T1070.008,Clear Mailbox Data,Defense Evasion,no +T1583,Acquire Infrastructure,Resource Development,no +T1113,Screen Capture,Collection,Dragonfly|Gamaredon Group|FIN7|Magic Hound|MoustachedBouncer|BRONZE BUTLER|Dark Caracal|Silence|APT39|MuddyWater|OilRig|Group5|APT28|GOLD SOUTHFIELD +T1082,System Information Discovery,Discovery,APT3|Sidewinder|APT32|Inception|Windigo|Confucius|Chimera|APT18|Turla|Ke3chang|Higaisa|ZIRCONIUM|APT19|TA2541|Patchwork|Lazarus Group|Mustang Panda|admin@338|SideCopy|Kimsuky|OilRig|Blue Mockingbird|Darkhotel|FIN13|Rocke|Stealth Falcon|MuddyWater|APT37|Magic Hound|APT38|Volt Typhoon|TeamTNT|Aquatic Panda|Tropic Trooper|Sowbug|FIN8|Windshift|Wizard Spider|Moses Staff|HEXANE|Sandworm Team|Gamaredon Group +T1546.008,Accessibility Features,Privilege Escalation|Persistence,APT29|Fox Kitten|APT41|Deep Panda|Axiom|APT3 +T1499,Endpoint Denial of Service,Impact,Sandworm Team +T1561,Disk Wipe,Impact,no +T1590.005,IP Addresses,Reconnaissance,Andariel|HAFNIUM|Magic Hound +T1614,System Location Discovery,Discovery,SideCopy +T1497.003,Time Based Evasion,Defense Evasion|Discovery,no +T1496,Resource Hijacking,Impact,Rocke|TeamTNT|Blue Mockingbird|APT41 T1216.001,PubPrn,Defense Evasion,APT32 -T1070.006,Timestomp,Defense Evasion,APT38|APT29|Chimera|Kimsuky|Rocke|TEMP.Veles|APT32|Lazarus Group|APT28 -T1070.005,Network Share Connection Removal,Defense Evasion,Threat Group-3390 -T1070.004,File Deletion,Defense Evasion,Aquatic Panda|Dragonfly|TeamTNT|APT39|Mustang Panda|Chimera|Evilnum|Operation Wocao|FIN6|Sandworm Team|Rocke|Tropic Trooper|Gamaredon Group|Wizard Spider|APT41|Kimsuky|Silence|The White Company|TEMP.Veles|APT32|APT38|Cobalt Group|Dragonfly 2.0|Honeybee|Patchwork|menuPass|FIN8|OilRig|FIN5|BRONZE BUTLER|APT3|Magic Hound|Threat Group-3390|APT28|FIN10|Group5|Lazarus Group|APT18|APT29 -T1070.003,Clear Command History,Defense Evasion,Lazarus Group|TeamTNT|menuPass|APT41 -T1550.004,Web Session Cookie,Defense Evasion|Lateral Movement,APT29 
-T1550.001,Application Access Token,Defense Evasion|Lateral Movement,APT29|APT28 -T1550.003,Pass the Ticket,Defense Evasion|Lateral Movement,APT32|BRONZE BUTLER|APT29 -T1550.002,Pass the Hash,Defense Evasion|Lateral Movement,Chimera|Kimsuky|GALLIUM|APT32|Night Dragon|APT28|APT1 -T1550,Use Alternate Authentication Material,Defense Evasion|Lateral Movement,APT29 +T1588.002,Tool,Resource Development,Ember Bear|Whitefly|CopyKittens|Metador|Aquatic Panda|BlackTech|APT28|LuminousMoth|APT38|Threat Group-3390|Lazarus Group|Dragonfly|BackdoorDiplomacy|Sandworm Team|APT41|POLONIUM|Blue Mockingbird|BITTER|DarkVishnya|Leafminer|FIN13|GALLIUM|FIN7|Ferocious Kitten|Silent Librarian|Ke3chang|APT-C-36|Cobalt Group|MuddyWater|TA2541|APT32|Earth Lusca|FIN6|Cleaver|Volt Typhoon|Silence|Kimsuky|Thrip|FIN8|PittyTiger|APT1|TA505|APT19|Turla|LAPSUS$|Wizard Spider|IndigoZebra|TEMP.Veles|Patchwork|WIRTE|FIN5|Moses Staff|BRONZE BUTLER|Gorgon Group|Carbanak|menuPass|HEXANE|Chimera|Inception|APT39|APT33|Aoqin Dragon|Magic Hound|FIN10|DarkHydrus|APT29 +T1591.001,Determine Physical Locations,Reconnaissance,Magic Hound +T1011,Exfiltration Over Other Network Medium,Exfiltration,no +T1613,Container and Resource Discovery,Discovery,TeamTNT T1548.004,Elevated Execution with Prompt,Privilege Escalation|Defense Evasion,no +T1127,Trusted Developer Utilities Proxy Execution,Defense Evasion,no +T1562.006,Indicator Blocking,Defense Evasion,no +T1124,System Time Discovery,Discovery,Sidewinder|Lazarus Group|Darkhotel|BRONZE BUTLER|Turla|The White Company|Chimera|ZIRCONIUM|Higaisa +T1055.004,Asynchronous Procedure Call,Defense Evasion|Privilege Escalation,FIN8 +T1651,Cloud Administration Command,Execution,APT29 +T1098.002,Additional Email Delegate Permissions,Persistence|Privilege Escalation,APT28|APT29|Magic Hound +T1591.002,Business Relationships,Reconnaissance,LAPSUS$|Dragonfly|Sandworm Team +T1505.003,Web Shell,Persistence,Tonto Team|Sandworm Team|APT29|Volatile Cedar|GALLIUM|Tropic 
Trooper|Leviathan|Threat Group-3390|Volt Typhoon|Deep Panda|BackdoorDiplomacy|APT38|APT39|TEMP.Veles|APT32|Magic Hound|OilRig|Dragonfly|APT28|Moses Staff|Kimsuky|HAFNIUM|Fox Kitten|FIN13 +T1574.007,Path Interception by PATH Environment Variable,Persistence|Privilege Escalation|Defense Evasion,no +T1137.002,Office Test,Persistence,APT28 +T1491.002,External Defacement,Impact,Sandworm Team +T1555.006,Cloud Secrets Management Stores,Credential Access,no T1548.003,Sudo and Sudo Caching,Privilege Escalation|Defense Evasion,no -T1548.002,Bypass User Account Control,Privilege Escalation|Defense Evasion,Evilnum|APT37|MuddyWater|Threat Group-3390|Honeybee|Cobalt Group|BRONZE BUTLER|Patchwork|APT29 +T1071.004,DNS,Command And Control,Chimera|FIN7|APT39|LazyScripter|Tropic Trooper|APT41|APT18|Cobalt Group|Ke3chang|OilRig +T1021.003,Distributed Component Object Model,Lateral Movement,no +T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,Exfiltration,APT28 +T1071.001,Web Protocols,Command And Control,Inception|Rancor|Lazarus Group|Threat Group-3390|FIN13|BRONZE BUTLER|TA505|Windshift|Dark Caracal|Gamaredon Group|Magic Hound|APT33|Chimera|Tropic Trooper|APT37|TA551|FIN8|Orangeworm|OilRig|FIN4|APT39|Wizard Spider|APT41|APT19|Sidewinder|Cobalt Group|Mustang Panda|TeamTNT|APT18|LuminousMoth|Ke3chang|WIRTE|SilverTerrier|Higaisa|Confucius|Metador|Stealth Falcon|Kimsuky|Sandworm Team|APT28|APT32|APT38|Rocke|BITTER|HAFNIUM|Turla|MuddyWater +T1587.002,Code Signing Certificates,Resource Development,PROMETHIUM|Patchwork T1548.001,Setuid and Setgid,Privilege Escalation|Defense Evasion,no -T1548,Abuse Elevation Control Mechanism,Privilege Escalation|Defense Evasion,no -T1136.003,Cloud Account,Persistence,APT29 -T1070.002,Clear Linux or Mac System Logs,Defense Evasion,TeamTNT|Rocke -T1070.001,Clear Windows Event Logs,Defense Evasion,Dragonfly|Indrik Spider|Chimera|Operation Wocao|APT41|APT38|Dragonfly 2.0|APT32|FIN8|FIN5|APT28 -T1136.002,Domain Account,Persistence,Sandworm 
Team|HAFNIUM|GALLIUM -T1136.001,Local Account,Persistence,Kimsuky|Dragonfly|TeamTNT|Fox Kitten|APT39|APT41|Leafminer|Dragonfly 2.0|APT3 -T1547.011,Plist Modification,Persistence|Privilege Escalation,no -T1547.010,Port Monitors,Persistence|Privilege Escalation,no -T1547.009,Shortcut Modification,Persistence|Privilege Escalation,Dragonfly|APT39|Darkhotel|APT29|Gorgon Group|Dragonfly 2.0|Lazarus Group|Leviathan -T1547.008,LSASS Driver,Persistence|Privilege Escalation,no -T1547.007,Re-opened Applications,Persistence|Privilege Escalation,no -T1547.006,Kernel Modules and Extensions,Persistence|Privilege Escalation,no -T1547.005,Security Support Provider,Persistence|Privilege Escalation,no -T1547.004,Winlogon Helper DLL,Persistence|Privilege Escalation,Wizard Spider|Tropic Trooper|Turla -T1547.003,Time Providers,Persistence|Privilege Escalation,no -T1546.014,Emond,Privilege Escalation|Persistence,no -T1546.013,PowerShell Profile,Privilege Escalation|Persistence,Turla -T1546.012,Image File Execution Options Injection,Privilege Escalation|Persistence,TEMP.Veles -T1218.008,Odbcconf,Defense Evasion,Cobalt Group -T1546.011,Application Shimming,Privilege Escalation|Persistence,FIN7 -T1547.002,Authentication Package,Persistence|Privilege Escalation,no -T1546.010,AppInit DLLs,Privilege Escalation|Persistence,APT39 -T1546.009,AppCert DLLs,Privilege Escalation|Persistence,Honeybee -T1218.007,Msiexec,Defense Evasion,ZIRCONIUM|Molerats|Machete|TA505|Rancor -T1546.008,Accessibility Features,Privilege Escalation|Persistence,Fox Kitten|APT41|APT3|APT29|Deep Panda|Axiom -T1546.007,Netsh Helper DLL,Privilege Escalation|Persistence,no -T1546.006,LC_LOAD_DYLIB Addition,Privilege Escalation|Persistence,no +T1543,Create or Modify System Process,Persistence|Privilege Escalation,no +T1498.002,Reflection Amplification,Impact,no +T1547,Boot or Logon Autostart Execution,Persistence|Privilege Escalation,no +T1059,Command and Scripting Interpreter,Execution,Dragonfly|Fox 
Kitten|APT37|APT39|Ke3chang|Whitefly|FIN6|FIN5|APT19|OilRig|FIN7|APT32|Windigo|Stealth Falcon +T1574.013,KernelCallbackTable,Persistence|Privilege Escalation|Defense Evasion,Lazarus Group +T1553.004,Install Root Certificate,Defense Evasion,no +T1653,Power Settings,Persistence,no +T1037.002,Login Hook,Persistence|Privilege Escalation,no +T1098,Account Manipulation,Persistence|Privilege Escalation,APT3|HAFNIUM|Kimsuky|Dragonfly|APT41|FIN13|Lazarus Group|Magic Hound +T1598.002,Spearphishing Attachment,Reconnaissance,Dragonfly|Sidewinder|SideCopy +T1220,XSL Script Processing,Defense Evasion,Cobalt Group|Higaisa +T1557.003,DHCP Spoofing,Credential Access|Collection,no +T1562.011,Spoof Security Alerting,Defense Evasion,no +T1003.005,Cached Domain Credentials,Credential Access,MuddyWater|OilRig|Leafminer|APT33 +T1041,Exfiltration Over C2 Channel,Exfiltration,Chimera|Lazarus Group|LuminousMoth|Confucius|Gamaredon Group|MuddyWater|Stealth Falcon|Sandworm Team|Ke3chang|APT32|Leviathan|Wizard Spider|APT39|Higaisa|APT3|ZIRCONIUM|GALLIUM|Kimsuky +T1055.002,Portable Executable Injection,Defense Evasion|Privilege Escalation,Gorgon Group|Rocke +T1027.006,HTML Smuggling,Defense Evasion,APT29 +T1656,Impersonation,Defense Evasion,LAPSUS$ +T1074.001,Local Data Staging,Collection,menuPass|Lazarus Group|APT39|Threat Group-3390|BackdoorDiplomacy|Sidewinder|FIN13|Volt Typhoon|FIN5|Wizard Spider|Mustang Panda|Kimsuky|Dragonfly|Patchwork|Leviathan|MuddyWater|GALLIUM|APT3|Chimera|TeamTNT|Indrik Spider|APT28|TEMP.Veles +T1608.002,Upload Tool,Resource Development,Threat Group-3390 +T1567.004,Exfiltration Over Webhook,Exfiltration,no +T1071.002,File Transfer Protocols,Command And Control,SilverTerrier|Dragonfly|Kimsuky|APT41 +T1111,Multi-Factor Authentication Interception,Credential Access,Chimera|LAPSUS$|Kimsuky T1546.005,Trap,Privilege Escalation|Persistence,no +T1593.002,Search Engines,Reconnaissance,Kimsuky +T1574.001,DLL Search Order Hijacking,Persistence|Privilege Escalation|Defense 
Evasion,menuPass|Whitefly|Evilnum|RTM|BackdoorDiplomacy|Threat Group-3390|Aquatic Panda|Tonto Team|APT41 +T1598.001,Spearphishing Service,Reconnaissance,no +T1055.011,Extra Window Memory Injection,Defense Evasion|Privilege Escalation,no +T1074,Data Staged,Collection,Wizard Spider|Volt Typhoon +T1542,Pre-OS Boot,Defense Evasion|Persistence,no +T1092,Communication Through Removable Media,Command And Control,APT28 +T1014,Rootkit,Defense Evasion,Rocke|Winnti Group|TeamTNT|APT41|APT28 +T1189,Drive-by Compromise,Initial Access,Leviathan|Windshift|Windigo|Lazarus Group|Threat Group-3390|Andariel|Earth Lusca|RTM|Axiom|Patchwork|APT32|BRONZE BUTLER|Dark Caracal|Leafminer|APT19|PROMETHIUM|APT28|APT38|Elderwood|Transparent Tribe|Dragonfly|Magic Hound|APT37|Turla|PLATINUM|Darkhotel|Machete +T1137.006,Add-ins,Persistence,Naikon +T1087.002,Domain Account,Discovery,Turla|FIN13|Volt Typhoon|MuddyWater|Chimera|Dragonfly|Wizard Spider|Poseidon Group|BRONZE BUTLER|OilRig|FIN6|Sandworm Team|LAPSUS$|Fox Kitten|Ke3chang|menuPass +T1134.003,Make and Impersonate Token,Defense Evasion|Privilege Escalation,FIN13 +T1222.002,Linux and Mac File and Directory Permissions Modification,Defense Evasion,APT32|Rocke|TeamTNT +T1562.002,Disable Windows Event Logging,Defense Evasion,Threat Group-3390|Magic Hound +T1548,Abuse Elevation Control Mechanism,Privilege Escalation|Defense Evasion,no +T1555,Credentials from Password Stores,Credential Access,Leafminer|APT33|MuddyWater|Evilnum|OilRig|Stealth Falcon|APT39|FIN6|Volt Typhoon|HEXANE +T1561.001,Disk Content Wipe,Impact,Lazarus Group +T1098.004,SSH Authorized Keys,Persistence|Privilege Escalation,TeamTNT|Earth Lusca +T1021.001,Remote Desktop Protocol,Lateral Movement,Wizard Spider|Magic Hound|FIN13|Axiom|APT41|Patchwork|APT1|Cobalt Group|HEXANE|Dragonfly|Leviathan|FIN7|APT3|Kimsuky|OilRig|Chimera|FIN8|FIN10|TEMP.Veles|Lazarus Group|Fox Kitten|Blue Mockingbird|FIN6|APT39|Silence|menuPass +T1213.003,Code Repositories,Collection,LAPSUS$ +T1205.001,Port 
Knocking,Defense Evasion|Persistence|Command And Control,PROMETHIUM +T1505.004,IIS Components,Persistence,no +T1569.002,Service Execution,Execution,APT32|Blue Mockingbird|APT38|Chimera|FIN6|APT41|Wizard Spider|APT39|Ke3chang|Silence +T1565.002,Transmitted Data Manipulation,Impact,APT38 +T1569,System Services,Execution,TeamTNT +T1499.004,Application or System Exploitation,Impact,no +T1037.005,Startup Items,Persistence|Privilege Escalation,no +T1553.003,SIP and Trust Provider Hijacking,Defense Evasion,no +T1595.001,Scanning IP Blocks,Reconnaissance,TeamTNT T1546.004,Unix Shell Configuration Modification,Privilege Escalation|Persistence,no -T1546.003,Windows Management Instrumentation Event Subscription,Privilege Escalation|Persistence,FIN8|Mustang Panda|APT33|Blue Mockingbird|Turla|Leviathan|APT29 -T1546.002,Screensaver,Privilege Escalation|Persistence,no -T1546.001,Change Default File Association,Privilege Escalation|Persistence,Kimsuky -T1547.001,Registry Run Keys / Startup Folder,Persistence|Privilege Escalation,Confucius|Dragonfly|LazyScripter|TeamTNT|Naikon|Windshift|Mustang Panda|ZIRCONIUM|Higaisa|Sidewinder|APT28|Wizard Spider|PROMETHIUM|Rocke|Tropic Trooper|Gamaredon Group|Sharpshooter|Molerats|Silence|RTM|Inception|APT41|Kimsuky|APT33|APT39|APT32|APT18|Dark Caracal|Threat Group-3390|Honeybee|Turla|Cobalt Group|Ke3chang|Dragonfly 2.0|APT19|Gorgon Group|MuddyWater|APT37|Leviathan|BRONZE BUTLER|APT3|Magic Hound|FIN10|FIN7|Patchwork|FIN6|Lazarus Group|Putter Panda|APT29|Darkhotel -T1218.002,Control Panel,Defense Evasion,no -T1218.010,Regsvr32,Defense Evasion,Kimsuky|Lazarus Group|TA551|Blue Mockingbird|Inception|WIRTE|Cobalt Group|APT19|Leviathan|APT32|Deep Panda +T1053.003,Cron,Execution|Persistence|Privilege Escalation,APT38|Rocke +T1560,Archive Collected Data,Collection,Axiom|Dragonfly|APT28|APT32|menuPass|Ke3chang|FIN6|Patchwork|Leviathan|Lazarus Group|LuminousMoth +T1565,Data Manipulation,Impact,FIN13 +T1610,Deploy Container,Defense 
Evasion|Execution,TeamTNT +T1587.001,Malware,Resource Development,Ke3chang|TeamTNT|Indrik Spider|Moses Staff|APT29|Lazarus Group|Kimsuky|Aoqin Dragon|Cleaver|LuminousMoth|FIN13|FIN7|Sandworm Team|Turla +T1558.002,Silver Ticket,Credential Access,no T1218.009,Regsvcs/Regasm,Defense Evasion,no -T1218.005,Mshta,Defense Evasion,Gamaredon Group|Confucius|Lazarus Group|APT29|LazyScripter|Mustang Panda|TA551|Sidewinder|Inception|Kimsuky|APT32|MuddyWater|FIN7 -T1218.004,InstallUtil,Defense Evasion,Mustang Panda|menuPass -T1218.001,Compiled HTML File,Defense Evasion,APT38|APT41|Silence|Dark Caracal|OilRig|Lazarus Group -T1218.003,CMSTP,Defense Evasion,Cobalt Group|MuddyWater -T1218.011,Rundll32,Defense Evasion,Kimsuky|Lazarus Group|LazyScripter|APT38|HAFNIUM|TA551|APT41|Gamaredon Group|APT32|Sandworm Team|Blue Mockingbird|TA505|MuddyWater|APT29|APT19|CopyKittens|APT3|Carbanak|APT28 -T1547,Boot or Logon Autostart Execution,Persistence|Privilege Escalation,no -T1546,Event Triggered Execution,Privilege Escalation|Persistence,no -T1098.003,Add Office 365 Global Administrator Role,Persistence,APT29 -T1098.002,Exchange Email Delegate Permissions,Persistence,APT28|APT29|Magic Hound -T1098.001,Additional Cloud Credentials,Persistence,APT29 +T1001.002,Steganography,Command And Control,Axiom +T1078.002,Domain Accounts,Defense Evasion|Persistence|Privilege Escalation|Initial Access,APT3|TA505|Threat Group-1314|Sandworm Team|Naikon|Magic Hound|Wizard Spider|Indrik Spider|Volt Typhoon|Chimera +T1557.002,ARP Cache Poisoning,Credential Access|Collection,Cleaver|LuminousMoth +T1608.005,Link Target,Resource Development,LuminousMoth|Silent Librarian +T1584.002,DNS Server,Resource Development,LAPSUS$ +T1560.001,Archive via Utility,Collection,Fox Kitten|APT33|MuddyWater|Aquatic Panda|APT3|Kimsuky|Gallmaker|Ke3chang|menuPass|Sowbug|FIN13|FIN8|Volt Typhoon|CopyKittens|APT28|BRONZE BUTLER|Magic Hound|HAFNIUM|Chimera|Earth Lusca|APT1|Wizard Spider|Mustang Panda|APT41|Turla|APT39|GALLIUM 
+T1489,Service Stop,Impact,Indrik Spider|LAPSUS$|Lazarus Group|Wizard Spider +T1207,Rogue Domain Controller,Defense Evasion,no +T1204,User Execution,Execution,LAPSUS$ +T1553.001,Gatekeeper Bypass,Defense Evasion,no +T1553.005,Mark-of-the-Web Bypass,Defense Evasion,TA505|APT29 +T1018,Remote System Discovery,Discovery,Sandworm Team|Threat Group-3390|Ke3chang|Chimera|menuPass|Deep Panda|HEXANE|BRONZE BUTLER|HAFNIUM|Turla|Fox Kitten|Wizard Spider|GALLIUM|APT3|Naikon|FIN5|Magic Hound|Rocke|APT39|Leafminer|FIN8|Indrik Spider|Earth Lusca|Volt Typhoon|Dragonfly|FIN6|Silence|APT32 +T1547.002,Authentication Package,Persistence|Privilege Escalation,no +T1091,Replication Through Removable Media,Lateral Movement|Initial Access,FIN7|Darkhotel|APT28|Aoqin Dragon|Tropic Trooper|Mustang Panda|LuminousMoth +T1600,Weaken Encryption,Defense Evasion,no +T1659,Content Injection,Initial Access|Command And Control,MoustachedBouncer +T1543.001,Launch Agent,Persistence|Privilege Escalation,no +T1555.002,Securityd Memory,Credential Access,no +T1555.005,Password Managers,Credential Access,LAPSUS$|Fox Kitten|Threat Group-3390 +T1048,Exfiltration Over Alternative Protocol,Exfiltration,TeamTNT +T1525,Implant Internal Image,Persistence,no +T1053.006,Systemd Timers,Execution|Persistence|Privilege Escalation,no +T1021.008,Direct Cloud VM Connections,Lateral Movement,no +T1583.006,Web Services,Resource Development,Lazarus Group|APT29|FIN7|Turla|APT32|APT17|APT28|ZIRCONIUM|MuddyWater|POLONIUM|LazyScripter|TA2541|Magic Hound|Confucius|Kimsuky|HAFNIUM|Earth Lusca|IndigoZebra +T1574.004,Dylib Hijacking,Persistence|Privilege Escalation|Defense Evasion,no +T1550.003,Pass the Ticket,Defense Evasion|Lateral Movement,APT32|APT29|BRONZE BUTLER +T1480,Execution Guardrails,Defense Evasion,no +T1558.001,Golden Ticket,Credential Access,Ke3chang +T1600.001,Reduce Key Space,Defense Evasion,no +T1546.006,LC_LOAD_DYLIB Addition,Privilege Escalation|Persistence,no +T1556,Modify Authentication Process,Credential 
Access|Defense Evasion|Persistence,FIN13 +T1087,Account Discovery,Discovery,FIN13 +T1574.005,Executable Installer File Permissions Weakness,Persistence|Privilege Escalation|Defense Evasion,no +T1564.001,Hidden Files and Directories,Defense Evasion,HAFNIUM|Rocke|Tropic Trooper|APT28|Mustang Panda|Lazarus Group|FIN13|Transparent Tribe|LuminousMoth|APT32 +T1564.007,VBA Stomping,Defense Evasion,no +T1593,Search Open Websites/Domains,Reconnaissance,Sandworm Team +T1546.007,Netsh Helper DLL,Privilege Escalation|Persistence,no +T1059.009,Cloud API,Execution,APT29|TeamTNT +T1090,Proxy,Command And Control,Sandworm Team|POLONIUM|MoustachedBouncer|APT41|LAPSUS$|Fox Kitten|Magic Hound|CopyKittens|Earth Lusca|Blue Mockingbird|Turla|Windigo|Volt Typhoon +T1498,Network Denial of Service,Impact,APT28 +T1027.005,Indicator Removal from Tools,Defense Evasion,APT3|Patchwork|OilRig|Turla|TEMP.Veles|GALLIUM|Deep Panda T1543.004,Launch Daemon,Persistence|Privilege Escalation,no -T1543.003,Windows Service,Persistence|Privilege Escalation,TeamTNT|APT38|PROMETHIUM|Blue Mockingbird|DarkVishnya|Wizard Spider|APT32|APT41|Kimsuky|Tropic Trooper|Cobalt Group|Ke3chang|FIN7|APT19|Threat Group-3390|Honeybee|APT3|Lazarus Group|Carbanak +T1027,Obfuscated Files or Information,Defense Evasion,Moses Staff|APT18|Dark Caracal|Leviathan|menuPass|APT37|APT33|Higaisa|APT39|APT3|APT-C-36|Tropic Trooper|BlackOasis|Lazarus Group|Magic Hound|Fox Kitten|Molerats|APT28|Kimsuky|BackdoorDiplomacy|TA2541|TeamTNT|Darkhotel|Group5|APT41|Putter Panda|Threat Group-3390|Inception|Metador|Ember Bear|Ke3chang|BITTER|Elderwood|TA505|Gamaredon Group|Windshift|Sandworm Team|APT19|Mustang Panda|Blue Mockingbird|Mofang|Transparent Tribe|Sidewinder|Gallmaker|Rocke|GALLIUM|Earth Lusca|Whitefly|OilRig|APT32 +T1566.003,Spearphishing via Service,Initial Access,CURIUM|Windshift|OilRig|Lazarus Group|Ajax Security Team|APT29|EXOTIC LILY|FIN6|Dark Caracal|Magic Hound +T1588.006,Vulnerabilities,Resource Development,Sandworm Team 
+T1546,Event Triggered Execution,Privilege Escalation|Persistence,no +T1556.002,Password Filter DLL,Credential Access|Defense Evasion|Persistence,Strider +T1176,Browser Extensions,Persistence,Kimsuky +T1562,Impair Defenses,Defense Evasion,Magic Hound +T1187,Forced Authentication,Credential Access,DarkHydrus|Dragonfly +T1027.008,Stripped Payloads,Defense Evasion,no +T1070.006,Timestomp,Defense Evasion,TEMP.Veles|APT29|Lazarus Group|APT38|APT28|Rocke|Kimsuky|APT32|Chimera +T1057,Process Discovery,Discovery,OilRig|Stealth Falcon|Earth Lusca|Higaisa|APT37|Lazarus Group|Andariel|Ke3chang|Darkhotel|Molerats|Mustang Panda|Magic Hound|Poseidon Group|Rocke|Windshift|APT38|APT28|TeamTNT|Gamaredon Group|HAFNIUM|Tropic Trooper|MuddyWater|Turla|Sidewinder|Kimsuky|Volt Typhoon|APT1|HEXANE|Winnti Group|Chimera|Deep Panda|APT3|Inception T1543.002,Systemd Service,Persistence|Privilege Escalation,TeamTNT|Rocke -T1543.001,Launch Agent,Persistence|Privilege Escalation,no -T1037.005,Startup Items,Persistence|Privilege Escalation,no -T1037.004,RC Scripts,Persistence|Privilege Escalation,no -T1055.012,Process Hollowing,Defense Evasion|Privilege Escalation,Kimsuky|Threat Group-3390|menuPass|Gorgon Group|Patchwork -T1055.013,Process Doppelgänging,Defense Evasion|Privilege Escalation,Leafminer -T1055.011,Extra Window Memory Injection,Defense Evasion|Privilege Escalation,no -T1055.014,VDSO Hijacking,Defense Evasion|Privilege Escalation,no -T1055.009,Proc Memory,Defense Evasion|Privilege Escalation,no -T1055.008,Ptrace System Calls,Defense Evasion|Privilege Escalation,no -T1055.005,Thread Local Storage,Defense Evasion|Privilege Escalation,no -T1055.004,Asynchronous Procedure Call,Defense Evasion|Privilege Escalation,FIN8 -T1055.003,Thread Execution Hijacking,Defense Evasion|Privilege Escalation,no -T1055.002,Portable Executable Injection,Defense Evasion|Privilege Escalation,Rocke|Gorgon Group -T1055.001,Dynamic-link Library Injection,Defense Evasion|Privilege 
Escalation,BackdoorDiplomacy|Leviathan|Wizard Spider|TA505|Turla|Tropic Trooper|Lazarus Group|Putter Panda +T1585,Establish Accounts,Resource Development,APT17|Fox Kitten +T1591,Gather Victim Org Information,Reconnaissance,Kimsuky|Lazarus Group +T1574.010,Services File Permissions Weakness,Persistence|Privilege Escalation|Defense Evasion,no +T1010,Application Window Discovery,Discovery,Lazarus Group|HEXANE +T1565.003,Runtime Data Manipulation,Impact,APT38 +T1056.001,Keylogging,Collection|Credential Access,PLATINUM|Kimsuky|Ke3chang|APT41|APT39|APT32|HEXANE|Sowbug|Group5|Threat Group-3390|menuPass|APT38|Magic Hound|FIN4|FIN13|APT28|APT3|Sandworm Team|Tonto Team|Lazarus Group|Darkhotel|OilRig|Ajax Security Team +T1110.003,Password Spraying,Credential Access,APT29|APT28|Leafminer|APT33|Chimera|HEXANE|Lazarus Group|Silent Librarian +T1547.006,Kernel Modules and Extensions,Persistence|Privilege Escalation,no +T1556.006,Multi-Factor Authentication,Credential Access|Defense Evasion|Persistence,no T1037.003,Network Logon Script,Persistence|Privilege Escalation,no -T1543,Create or Modify System Process,Persistence|Privilege Escalation,no -T1037.002,Logon Script (Mac),Persistence|Privilege Escalation,no -T1037.001,Logon Script (Windows),Persistence|Privilege Escalation,Cobalt Group|APT28 -T1542.003,Bootkit,Persistence|Defense Evasion,APT41|Lazarus Group|APT28 -T1542.002,Component Firmware,Persistence|Defense Evasion,Equation -T1542.001,System Firmware,Persistence|Defense Evasion,no -T1505.003,Web Shell,Persistence,Dragonfly|BackdoorDiplomacy|APT38|APT29|APT28|Tonto Team|Sandworm Team|HAFNIUM|Volatile Cedar|Fox Kitten|Operation Wocao|Kimsuky|Tropic Trooper|GALLIUM|Threat Group-3390|TEMP.Veles|Leviathan|APT39|Dragonfly 2.0|APT32|OilRig|Deep Panda -T1505.002,Transport Agent,Persistence,no -T1505.001,SQL Stored Procedures,Persistence,Sandworm Team -T1053.003,Cron,Execution|Persistence|Privilege Escalation,APT38|Rocke -T1053.001,At (Linux),Execution|Persistence|Privilege 
Escalation,no -T1053.005,Scheduled Task,Execution|Persistence|Privilege Escalation,Kimsuky|Lazarus Group|Confucius|Dragonfly|APT37|APT38|Naikon|CostaRicto|Mustang Panda|Higaisa|Fox Kitten|Molerats|Machete|Operation Wocao|Chimera|Gamaredon Group|Blue Mockingbird|MuddyWater|Wizard Spider|Frankenstein|APT-C-36|BRONZE BUTLER|APT41|GALLIUM|Silence|TEMP.Veles|APT33|APT39|Rancor|OilRig|Patchwork|Dragonfly 2.0|Cobalt Group|FIN8|menuPass|FIN10|FIN7|APT32|Stealth Falcon|FIN6|APT3|APT29 -T1053.002,At (Windows),Execution|Persistence|Privilege Escalation,BRONZE BUTLER|Threat Group-3390|APT18 -T1542,Pre-OS Boot,Defense Evasion|Persistence,no +T1071.003,Mail Protocols,Command And Control,Kimsuky|APT28|SilverTerrier|APT32|Turla +T1027.003,Steganography,Defense Evasion,Leviathan|MuddyWater|Andariel|BRONZE BUTLER|Earth Lusca|TA551|APT37|Tropic Trooper +T1055.012,Process Hollowing,Defense Evasion|Privilege Escalation,Patchwork|Kimsuky|TA2541|Gorgon Group|menuPass|Threat Group-3390 +T1056.003,Web Portal Capture,Collection|Credential Access,no +T1090.004,Domain Fronting,Command And Control,APT29 +T1137,Office Application Startup,Persistence,APT32|Gamaredon Group +T1485,Data Destruction,Impact,APT38|Sandworm Team|Gamaredon Group|Lazarus Group|LAPSUS$ +T1110.001,Password Guessing,Credential Access,APT29|APT28 +T1204.001,Malicious Link,Execution,Earth Lusca|Confucius|Molerats|APT32|Kimsuky|Sidewinder|Magic Hound|Elderwood|Machete|APT29|TA505|APT28|Mustang Panda|BlackTech|Evilnum|Patchwork|TA2541|APT3|Wizard Spider|Turla|LazyScripter|Leviathan|FIN7|Mofang|APT39|Windshift|LuminousMoth|Ember Bear|Transparent Tribe|APT33|ZIRCONIUM|OilRig|MuddyWater|Sandworm Team|FIN4|EXOTIC LILY|FIN8|Cobalt Group +T1609,Container Administration Command,Execution,TeamTNT +T1222.001,Windows File and Directory Permissions Modification,Defense Evasion,Wizard Spider T1137.001,Office Template Macros,Persistence,MuddyWater -T1137.004,Outlook Home Page,Persistence,OilRig -T1137.003,Outlook Forms,Persistence,no 
+T1027.009,Embedded Payloads,Defense Evasion,no +T1588.004,Digital Certificates,Resource Development,LuminousMoth|Lazarus Group|BlackTech|Silent Librarian +T1027.004,Compile After Delivery,Defense Evasion,Gamaredon Group|Rocke|MuddyWater +T1106,Native API,Execution,Lazarus Group|SideCopy|Gorgon Group|Turla|TA505|Chimera|APT37|menuPass|Tropic Trooper|Silence|Higaisa|APT38|BlackTech|Gamaredon Group +T1036.005,Match Legitimate Name or Location,Defense Evasion,admin@338|APT32|Earth Lusca|APT39|Sidewinder|WIRTE|PROMETHIUM|Tropic Trooper|Machete|Silence|APT41|APT29|APT28|MuddyWater|FIN13|BackdoorDiplomacy|Gamaredon Group|Patchwork|Magic Hound|TEMP.Veles|Chimera|TA2541|Poseidon Group|Lazarus Group|Volt Typhoon|Ferocious Kitten|LuminousMoth|Carbanak|Darkhotel|Naikon|Transparent Tribe|TeamTNT|Rocke|APT1|menuPass|Whitefly|Ke3chang|Mustang Panda|BRONZE BUTLER|Kimsuky|Blue Mockingbird|Indrik Spider|Sandworm Team|SideCopy|Fox Kitten|FIN7|Sowbug|Aoqin Dragon +T1553.002,Code Signing,Defense Evasion,Winnti Group|Wizard Spider|Patchwork|Silence|Scattered Spider|LuminousMoth|menuPass|Moses Staff|Ember Bear|FIN7|Lazarus Group|Kimsuky|APT41|FIN6|CopyKittens|Leviathan|GALLIUM|Darkhotel|Molerats|TA505|PROMETHIUM|Suckfly +T1070.003,Clear Command History,Defense Evasion,menuPass|APT41|TeamTNT|Lazarus Group|Magic Hound +T1218.001,Compiled HTML File,Defense Evasion,OilRig|Silence|APT38|APT41|Dark Caracal +T1562.012,Disable or Modify Linux Audit System,Defense Evasion,no +T1482,Domain Trust Discovery,Discovery,Earth Lusca|FIN8|Magic Hound|Chimera T1137.005,Outlook Rules,Persistence,no -T1137.006,Add-ins,Persistence,Naikon -T1137.002,Office Test,Persistence,APT28 -T1531,Account Access Removal,Impact,no -T1539,Steal Web Session Cookie,Credential Access,APT29|Evilnum -T1529,System Shutdown/Reboot,Impact,Lazarus Group|APT38|APT37 -T1518,Software Discovery,Discovery,Mustang Panda|Windshift|MuddyWater|Windigo|Sidewinder|Operation Wocao|BRONZE BUTLER|Tropic Trooper|Inception -T1547.013,XDG 
Autostart Entries,Persistence|Privilege Escalation,no -T1534,Internal Spearphishing,Lateral Movement,Kimsuky|Lazarus Group|Leviathan|Gamaredon Group +T1203,Exploitation for Client Execution,Execution,Higaisa|Mustang Panda|APT3|Leviathan|APT29|APT37|Sandworm Team|BlackTech|EXOTIC LILY|Lazarus Group|TA459|APT32|APT28|Inception|BITTER|APT12|Cobalt Group|Patchwork|Elderwood|Threat Group-3390|admin@338|BRONZE BUTLER|Tonto Team|Transparent Tribe|Axiom|Aoqin Dragon|Tropic Trooper|Darkhotel|Confucius|APT33|Dragonfly|MuddyWater|Sidewinder|Andariel|Ember Bear|APT41|The White Company +T1556.008,Network Provider DLL,Credential Access|Defense Evasion|Persistence,no +T1123,Audio Capture,Collection,APT37 +T1021.005,VNC,Lateral Movement,GCMAN|FIN7|Gamaredon Group|Fox Kitten +T1574.006,Dynamic Linker Hijacking,Persistence|Privilege Escalation|Defense Evasion,APT41|Rocke +T1592.001,Hardware,Reconnaissance,no +T1012,Query Registry,Discovery,Turla|Kimsuky|OilRig|Stealth Falcon|Threat Group-3390|Dragonfly|APT32|APT39|Volt Typhoon|ZIRCONIUM|Chimera|Lazarus Group|Fox Kitten +T1597.002,Purchase Technical Data,Reconnaissance,LAPSUS$ +T1590.001,Domain Properties,Reconnaissance,Sandworm Team +T1027.010,Command Obfuscation,Defense Evasion,Chimera|Magic Hound|Sandworm Team|TA505|Sidewinder|Leafminer|Cobalt Group|Aquatic Panda|FIN7|FIN8|Fox Kitten|MuddyWater|TA551|Gamaredon Group|FIN6|Turla|LazyScripter|Wizard Spider|Silence|APT19|GOLD SOUTHFIELD|APT32|Ember Bear|HEXANE|Patchwork +T1059.008,Network Device CLI,Execution,no +T1499.003,Application Exhaustion Flood,Impact,no +T1218.004,InstallUtil,Defense Evasion,Mustang Panda|menuPass +T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,Exfiltration,no +T1222,File and Directory Permissions Modification,Defense Evasion,no +T1543.003,Windows Service,Persistence|Privilege Escalation,Kimsuky|Carbanak|Wizard Spider|APT19|APT38|PROMETHIUM|DarkVishnya|APT41|Ke3chang|APT32|Cobalt Group|Lazarus Group|TeamTNT|Threat Group-3390|Tropic 
Trooper|FIN7|APT3|Blue Mockingbird|Earth Lusca +T1134.002,Create Process with Token,Defense Evasion|Privilege Escalation,Lazarus Group|Turla +T1055.003,Thread Execution Hijacking,Defense Evasion|Privilege Escalation,no +T1480.001,Environmental Keying,Defense Evasion,APT41|Equation +T1570,Lateral Tool Transfer,Lateral Movement,FIN10|GALLIUM|Sandworm Team|APT32|Aoqin Dragon|Wizard Spider|Chimera|Magic Hound|Turla|Volt Typhoon +T1029,Scheduled Transfer,Exfiltration,Higaisa +T1584.003,Virtual Private Server,Resource Development,Turla +T1534,Internal Spearphishing,Lateral Movement,HEXANE|Kimsuky|Leviathan|Gamaredon Group +T1036.009,Break Process Trees,Defense Evasion,no +T1556.001,Domain Controller Authentication,Credential Access|Defense Evasion|Persistence,Chimera +T1491.001,Internal Defacement,Impact,Gamaredon Group|Lazarus Group +T1564.010,Process Argument Spoofing,Defense Evasion,no +T1056.002,GUI Input Capture,Collection|Credential Access,FIN4 +T1008,Fallback Channels,Command And Control,FIN7|Lazarus Group|OilRig|APT41 +T1036.004,Masquerade Task or Service,Defense Evasion,Kimsuky|BackdoorDiplomacy|Magic Hound|APT41|Wizard Spider|Higaisa|APT-C-36|APT32|ZIRCONIUM|Carbanak|FIN7|Fox Kitten|FIN6|Naikon|BITTER|Lazarus Group|PROMETHIUM|FIN13 +T1590.006,Network Security Appliances,Reconnaissance,no +T1195.003,Compromise Hardware Supply Chain,Initial Access,no +T1055,Process Injection,Defense Evasion|Privilege Escalation,Cobalt Group|Silence|TA2541|APT32|Turla|Wizard Spider|APT37|PLATINUM|Kimsuky|APT41 +T1606.001,Web Cookies,Credential Access,no +T1568.003,DNS Calculation,Command And Control,APT12 +T1583.003,Virtual Private Server,Resource Development,Axiom|LAPSUS$|TEMP.Veles|HAFNIUM|Dragonfly +T1596.003,Digital Certificates,Reconnaissance,no +T1601.002,Downgrade System Image,Defense Evasion,no +T1007,System Service Discovery,Discovery,Ke3chang|TeamTNT|BRONZE BUTLER|APT1|Chimera|Earth Lusca|OilRig|Indrik Spider|admin@338|Kimsuky|Turla|Aquatic Panda|Poseidon Group 
+T1597.001,Threat Intel Vendors,Reconnaissance,no +T1589.001,Credentials,Reconnaissance,LAPSUS$|APT28|Magic Hound|Chimera|Leviathan +T1574.011,Services Registry Permissions Weakness,Persistence|Privilege Escalation|Defense Evasion,no +T1619,Cloud Storage Object Discovery,Discovery,no +T1505.001,SQL Stored Procedures,Persistence,no +T1016.002,Wi-Fi Discovery,Discovery,Magic Hound +T1564.003,Hidden Window,Defense Evasion,DarkHydrus|Higaisa|Deep Panda|APT19|CopyKittens|Gamaredon Group|APT32|Nomadic Octopus|APT28|Magic Hound|Gorgon Group|APT3|Kimsuky +T1114.003,Email Forwarding Rule,Collection,LAPSUS$|Silent Librarian|Kimsuky T1528,Steal Application Access Token,Credential Access,APT28 -T1535,Unused/Unsupported Cloud Regions,Defense Evasion,no -T1525,Implant Internal Image,Persistence,no +T1542.004,ROMMONkit,Defense Evasion|Persistence,no +T1020.001,Traffic Duplication,Exfiltration,no +T1592.003,Firmware,Reconnaissance,no +T1583.001,Domains,Resource Development,TeamTNT|Lazarus Group|IndigoZebra|APT28|LazyScripter|TA505|Silent Librarian|menuPass|ZIRCONIUM|Mustang Panda|HEXANE|APT1|Gamaredon Group|TA2541|Earth Lusca|Transparent Tribe|Ferocious Kitten|FIN7|Kimsuky|Dragonfly|Threat Group-3390|APT32|Sandworm Team|BITTER|EXOTIC LILY|Leviathan|Winnti Group|Magic Hound +T1652,Device Driver Discovery,Discovery,no +T1021.007,Cloud Services,Lateral Movement,APT29 +T1037.001,Logon Script (Windows),Persistence|Privilege Escalation,Cobalt Group|APT28 +T1578.005,Modify Cloud Compute Configurations,Defense Evasion,no +T1059.005,Visual Basic,Execution,HEXANE|SideCopy|Windshift|Gamaredon Group|FIN7|TA2541|Lazarus Group|Silence|FIN13|Turla|BRONZE BUTLER|Transparent Tribe|APT38|Machete|Mustang Panda|Leviathan|Patchwork|FIN4|Cobalt Group|Magic Hound|OilRig|Inception|Sidewinder|Earth Lusca|Confucius|Molerats|WIRTE|Kimsuky|APT33|MuddyWater|Sandworm Team|APT32|APT-C-36|TA505|LazyScripter|TA459|Rancor|APT37|Higaisa|Gorgon Group|APT39 +T1608.006,SEO Poisoning,Resource Development,no 
+T1110.004,Credential Stuffing,Credential Access,Chimera +T1591.004,Identify Roles,Reconnaissance,LAPSUS$|HEXANE +T1593.001,Social Media,Reconnaissance,EXOTIC LILY|Kimsuky +T1562.009,Safe Mode Boot,Defense Evasion,no +T1055.008,Ptrace System Calls,Defense Evasion|Privilege Escalation,no +T1548.005,Temporary Elevated Cloud Access,Privilege Escalation|Defense Evasion,no +T1568,Dynamic Resolution,Command And Control,APT29|TA2541|Gamaredon Group|Transparent Tribe|BITTER +T1055.001,Dynamic-link Library Injection,Defense Evasion|Privilege Escalation,BackdoorDiplomacy|Leviathan|Tropic Trooper|Lazarus Group|Putter Panda|Turla|Wizard Spider|TA505 +T1218.011,Rundll32,Defense Evasion,APT28|Blue Mockingbird|Kimsuky|Sandworm Team|Lazarus Group|TA551|TA505|APT3|APT19|MuddyWater|Wizard Spider|APT41|FIN7|CopyKittens|Carbanak|APT32|Magic Hound|Gamaredon Group|HAFNIUM|LazyScripter|APT38 +T1546.010,AppInit DLLs,Privilege Escalation|Persistence,APT39 +T1039,Data from Network Shared Drive,Collection,menuPass|Gamaredon Group|Sowbug|APT28|BRONZE BUTLER|Chimera|Fox Kitten +T1573.001,Symmetric Cryptography,Command And Control,BRONZE BUTLER|APT33|APT28|Inception|ZIRCONIUM|Stealth Falcon|Darkhotel|MuddyWater|Lazarus Group|Higaisa|Mustang Panda|Volt Typhoon +T1053.005,Scheduled Task,Execution|Persistence|Privilege Escalation,MuddyWater|APT38|APT39|FIN8|APT32|APT29|BITTER|Naikon|FIN7|APT33|Fox Kitten|Mustang Panda|Silence|Confucius|APT41|Cobalt Group|FIN10|menuPass|FIN13|APT3|Rancor|FIN6|Blue Mockingbird|Machete|Higaisa|Stealth Falcon|OilRig|Magic Hound|Kimsuky|TEMP.Veles|APT37|GALLIUM|Patchwork|BRONZE BUTLER|Wizard Spider|TA2541|Molerats|Gamaredon Group|LuminousMoth|Chimera|HEXANE|Dragonfly|Lazarus Group|APT-C-36 +T1547.012,Print Processors,Persistence|Privilege Escalation,Earth Lusca +T1546.001,Change Default File Association,Privilege Escalation|Persistence,Kimsuky +T1550.001,Application Access Token,Defense Evasion|Lateral Movement,APT28 +T1003.001,LSASS Memory,Credential 
Access,APT1|Kimsuky|Silence|OilRig|Leviathan|Whitefly|FIN13|APT32|GALLIUM|Threat Group-3390|Cleaver|Earth Lusca|MuddyWater|BRONZE BUTLER|Leafminer|HAFNIUM|APT28|PLATINUM|APT41|Magic Hound|FIN8|APT33|Sandworm Team|Wizard Spider|Aquatic Panda|APT39|Volt Typhoon|APT3|Fox Kitten|Blue Mockingbird|Indrik Spider|Ke3chang|TEMP.Veles|FIN6 T1538,Cloud Service Dashboard,Discovery,no -T1530,Data from Cloud Storage Object,Collection,Fox Kitten -T1578,Modify Cloud Compute Infrastructure,Defense Evasion,no -T1537,Transfer Data to Cloud Account,Exfiltration,no -T1526,Cloud Service Discovery,Discovery,no -T1505,Server Software Component,Persistence,no -T1499,Endpoint Denial of Service,Impact,Sandworm Team -T1497,Virtualization/Sandbox Evasion,Defense Evasion|Discovery,Darkhotel -T1498,Network Denial of Service,Impact,APT28 -T1496,Resource Hijacking,Impact,TeamTNT|Blue Mockingbird|Rocke|APT41 -T1495,Firmware Corruption,Impact,no -T1491,Defacement,Impact,no -T1490,Inhibit System Recovery,Impact,no -T1489,Service Stop,Impact,Indrik Spider|Wizard Spider|Lazarus Group -T1486,Data Encrypted for Impact,Impact,FIN7|Indrik Spider|APT41|TA505|APT38 -T1485,Data Destruction,Impact,Gamaredon Group|Sandworm Team|Lazarus Group|APT38 +T1001,Data Obfuscation,Command And Control,no +T1622,Debugger Evasion,Defense Evasion|Discovery,no +T1098.001,Additional Cloud Credentials,Persistence|Privilege Escalation,no +T1568.002,Domain Generation Algorithms,Command And Control,APT41|TA551 +T1547.008,LSASS Driver,Persistence|Privilege Escalation,no +T1133,External Remote Services,Persistence|Initial Access,APT29|LAPSUS$|APT41|GALLIUM|APT18|Wizard Spider|Leviathan|APT28|TeamTNT|Chimera|Dragonfly|Sandworm Team|Threat Group-3390|Kimsuky|Ke3chang|FIN13|Scattered Spider|TEMP.Veles|OilRig|FIN5|GOLD SOUTHFIELD +T1559.002,Dynamic Data Exchange,Execution,FIN7|Patchwork|Gallmaker|APT28|Leviathan|BITTER|MuddyWater|TA505|Sidewinder|APT37|Cobalt Group +T1567,Exfiltration Over Web Service,Exfiltration,Magic Hound|APT28 
+T1547.013,XDG Autostart Entries,Persistence|Privilege Escalation,no +T1606,Forge Web Credentials,Credential Access,no +T1584.004,Server,Resource Development,Dragonfly|Turla|Lazarus Group|Indrik Spider|APT16|Earth Lusca|Volt Typhoon +T1588,Obtain Capabilities,Resource Development,no +T1587,Develop Capabilities,Resource Development,Kimsuky +T1114,Email Collection,Collection,Silent Librarian|Magic Hound +T1070.002,Clear Linux or Mac System Logs,Defense Evasion,Rocke|TeamTNT +T1535,Unused/Unsupported Cloud Regions,Defense Evasion,no +T1586,Compromise Accounts,Resource Development,no +T1564.002,Hidden Users,Defense Evasion,Kimsuky|Dragonfly T1484,Domain Policy Modification,Defense Evasion|Privilege Escalation,no -T1482,Domain Trust Discovery,Discovery,FIN8|APT29|Chimera -T1480,Execution Guardrails,Defense Evasion,no -T1221,Template Injection,Defense Evasion,Lazarus Group|Confucius|Dragonfly|Gamaredon Group|Frankenstein|Inception|APT28|Tropic Trooper|DarkHydrus|Dragonfly 2.0 -T1222,File and Directory Permissions Modification,Defense Evasion,no -T1220,XSL Script Processing,Defense Evasion,Lazarus Group|Higaisa|Cobalt Group -T1217,Browser Bookmark Discovery,Discovery,APT38|Chimera|Fox Kitten -T1212,Exploitation for Credential Access,Credential Access,no -T1189,Drive-by Compromise,Initial Access,Magic Hound|APT28|Axiom|Transparent Tribe|Andariel|Leviathan|Machete|Windigo|Dragonfly|PROMETHIUM|Turla|Windshift|RTM|Darkhotel|APT38|APT19|Lazarus Group|Threat Group-3390|BRONZE BUTLER|APT32|Dark Caracal|Dragonfly 2.0|Leafminer|Patchwork|APT37|Elderwood|PLATINUM -T1211,Exploitation for Defense Evasion,Defense Evasion,APT28 -T1197,BITS Jobs,Defense Evasion|Persistence,APT39|Patchwork|APT41|Leviathan -T1203,Exploitation for Client Execution,Execution,Axiom|Confucius|Dragonfly|Andariel|Transparent Tribe|APT3|Tonto Team|Mustang Panda|Darkhotel|Higaisa|HAFNIUM|Sidewinder|Sandworm Team|MuddyWater|Frankenstein|Inception|BlackTech|APT41|admin@338|Threat Group-3390|APT12|The White 
Company|APT33|APT32|APT28|Tropic Trooper|BRONZE BUTLER|Cobalt Group|Lazarus Group|Patchwork|Elderwood|APT29|TA459|APT37|Leviathan -T1201,Password Policy Discovery,Discovery,Chimera|Turla|OilRig +T1055.009,Proc Memory,Defense Evasion|Privilege Escalation,no +T1135,Network Share Discovery,Discovery,Dragonfly|Chimera|FIN13|APT39|Tonto Team|Wizard Spider|APT41|Tropic Trooper|Sowbug|APT32|DarkVishnya|APT1|APT38 +T1574.012,COR_PROFILER,Persistence|Privilege Escalation|Defense Evasion,Blue Mockingbird +T1564.004,NTFS File Attributes,Defense Evasion,APT32 +T1562.007,Disable or Modify Cloud Firewall,Defense Evasion,no +T1003.002,Security Account Manager,Credential Access,Dragonfly|Ke3chang|GALLIUM|APT29|menuPass|FIN13|Threat Group-3390|Wizard Spider +T1650,Acquire Access,Resource Development,no +T1090.002,External Proxy,Command And Control,Tonto Team|APT39|MuddyWater|FIN5|Lazarus Group|APT28|Silence|GALLIUM|menuPass|APT3 +T1564.006,Run Virtual Instance,Defense Evasion,no +T1595,Active Scanning,Reconnaissance,no +T1055.013,Process Doppelgänging,Defense Evasion|Privilege Escalation,Leafminer +T1491,Defacement,Impact,no +T1592,Gather Victim Host Information,Reconnaissance,no +T1546.012,Image File Execution Options Injection,Privilege Escalation|Persistence,TEMP.Veles +T1602.002,Network Device Configuration Dump,Collection,no +T1596.005,Scan Databases,Reconnaissance,no +T1197,BITS Jobs,Defense Evasion|Persistence,Wizard Spider|APT39|APT41|Leviathan|Patchwork +T1547.010,Port Monitors,Persistence|Privilege Escalation,no +T1016,System Network Configuration Discovery,Discovery,Kimsuky|Threat Group-3390|Sidewinder|Chimera|Magic Hound|Moses Staff|Lazarus Group|FIN13|TeamTNT|Stealth Falcon|Higaisa|SideCopy|ZIRCONIUM|APT19|APT1|APT32|Naikon|Darkhotel|Earth Lusca|Dragonfly|APT3|menuPass|MuddyWater|Volt Typhoon|HEXANE|OilRig|Wizard Spider|GALLIUM|Ke3chang|Mustang Panda|HAFNIUM|Turla|Tropic Trooper|APT41|admin@338 +T1484.002,Domain Trust Modification,Defense Evasion|Privilege 
Escalation,no +T1584,Compromise Infrastructure,Resource Development,no +T1596,Search Open Technical Databases,Reconnaissance,no +T1499.001,OS Exhaustion Flood,Impact,no +T1573,Encrypted Channel,Command And Control,APT29|Tropic Trooper|BITTER|Magic Hound +T1127.001,MSBuild,Defense Evasion,no +T1588.003,Code Signing Certificates,Resource Development,Ember Bear|Threat Group-3390|Wizard Spider|FIN8|BlackTech +T1027.001,Binary Padding,Defense Evasion,APT32|Moafee|FIN7|Higaisa|Leviathan|Patchwork|Gamaredon Group|Ember Bear|Mustang Panda|APT29|BRONZE BUTLER +T1546.014,Emond,Privilege Escalation|Persistence,no +T1596.002,WHOIS,Reconnaissance,no +T1590.004,Network Topology,Reconnaissance,FIN13 +T1559,Inter-Process Communication,Execution,no T1195,Supply Chain Compromise,Initial Access,no -T1199,Trusted Relationship,Initial Access,Threat Group-3390|APT29|Sandworm Team|GOLD SOUTHFIELD|APT28|menuPass -T1218,Signed Binary Proxy Execution,Defense Evasion,Lazarus Group -T1204,User Execution,Execution,no -T1213,Data from Information Repositories,Collection,APT29|APT28|Fox Kitten|FIN6|Turla -T1190,Exploit Public-Facing Application,Initial Access,Threat Group-3390|Ke3chang|Kimsuky|Magic Hound|Dragonfly|BackdoorDiplomacy|menuPass|Volatile Cedar|Fox Kitten|Operation Wocao|APT28|APT29|GOLD SOUTHFIELD|Blue Mockingbird|Rocke|APT39|BlackTech|APT41|GALLIUM|Night Dragon|Axiom -T1210,Exploitation of Remote Services,Lateral Movement,Dragonfly|Tonto Team|FIN7|Fox Kitten|menuPass|Wizard Spider|Threat Group-3390|APT28 -T1200,Hardware Additions,Initial Access,DarkVishnya -T1202,Indirect Command Execution,Defense Evasion,Lazarus Group -T1219,Remote Access Software,Command And Control,TeamTNT|Mustang Panda|MuddyWater|Evilnum|GOLD SOUTHFIELD|Sandworm Team|DarkVishnya|RTM|Kimsuky|Night Dragon|Cobalt Group|Thrip|Carbanak -T1207,Rogue Domain Controller,Defense Evasion,no -T1216,Signed Script Proxy Execution,Defense Evasion,no -T1205,Traffic Signaling,Defense Evasion|Persistence|Command And Control,no 
-T1176,Browser Extensions,Persistence,Kimsuky -T1187,Forced Authentication,Credential Access,Dragonfly|DarkHydrus|Dragonfly 2.0 -T1185,Browser Session Hijacking,Collection,no -T1140,Deobfuscate/Decode Files or Information,Defense Evasion,Lazarus Group|Ke3chang|Kimsuky|APT39|APT29|ZIRCONIUM|Higaisa|Rocke|Sandworm Team|Gamaredon Group|Molerats|Frankenstein|Turla|WIRTE|Darkhotel|Tropic Trooper|Honeybee|Gorgon Group|Threat Group-3390|menuPass|APT19|Leviathan|MuddyWater|APT28|OilRig|BRONZE BUTLER -T1134,Access Token Manipulation,Defense Evasion|Privilege Escalation,FIN6|Blue Mockingbird -T1136,Create Account,Persistence,Sandworm Team|Indrik Spider -T1135,Network Share Discovery,Discovery,Dragonfly|Tonto Team|APT38|Chimera|Operation Wocao|Wizard Spider|APT32|APT39|DarkVishnya|APT41|Tropic Trooper|APT1|Dragonfly 2.0|Sowbug -T1137,Office Application Startup,Persistence,Gamaredon Group|APT32 -T1133,External Remote Services,Persistence|Initial Access,Dragonfly|TeamTNT|Leviathan|APT28|APT29|Operation Wocao|Wizard Spider|Kimsuky|GOLD SOUTHFIELD|Chimera|Sandworm Team|APT41|GALLIUM|TEMP.Veles|Night Dragon|Ke3chang|OilRig|Dragonfly 2.0|FIN5|Threat Group-3390|APT18 -T1132,Data Encoding,Command And Control,no -T1129,Shared Modules,Execution,no -T1127,Trusted Developer Utilities Proxy Execution,Defense Evasion,no -T1125,Video Capture,Collection,Silence|FIN7 -T1124,System Time Discovery,Discovery,Darkhotel|ZIRCONIUM|Higaisa|Sidewinder|Chimera|Operation Wocao|The White Company|Lazarus Group|BRONZE BUTLER|Turla -T1123,Audio Capture,Collection,APT37 -T1120,Peripheral Device Discovery,Discovery,OilRig|BackdoorDiplomacy|Operation Wocao|Turla|APT37|Gamaredon Group|Equation|APT28 -T1119,Automated Collection,Collection,Ke3chang|Confucius|Mustang Panda|Sidewinder|Chimera|menuPass|Operation Wocao|Gamaredon Group|Tropic Trooper|Frankenstein|APT1|APT28|Patchwork|OilRig|FIN5|Threat Group-3390|FIN6 -T1115,Clipboard Data,Collection,Operation Wocao|APT39|APT38 -T1114,Email 
Collection,Collection,Magic Hound|Silent Librarian -T1113,Screen Capture,Collection,Dragonfly|GOLD SOUTHFIELD|Gamaredon Group|APT39|Silence|MuddyWater|Dragonfly 2.0|OilRig|Dark Caracal|FIN7|BRONZE BUTLER|Magic Hound|Group5|APT28 -T1112,Modify Registry,Defense Evasion,Dragonfly|Operation Wocao|Kimsuky|Gamaredon Group|Blue Mockingbird|Wizard Spider|Silence|APT41|Turla|APT32|APT38|Patchwork|Gorgon Group|Threat Group-3390|Dragonfly 2.0|APT19|Honeybee|FIN8 -T1111,Two-Factor Authentication Interception,Credential Access,Kimsuky|Chimera|Operation Wocao -T1110,Brute Force,Credential Access,Lazarus Group|Dragonfly|APT38|APT28|Fox Kitten|DarkVishnya|APT39|OilRig|FIN5|Turla -T1106,Native API,Execution,BlackTech|Lazarus Group|APT38|Higaisa|menuPass|Operation Wocao|Chimera|Gamaredon Group|Tropic Trooper|Sharpshooter|Turla|Silence|APT37|Gorgon Group -T1105,Ingress Tool Transfer,Command And Control,LazyScripter|Ke3chang|Aquatic Panda|Winnti Group|Confucius|Dragonfly|TeamTNT|Nomadic Octopus|IndigoZebra|Andariel|BackdoorDiplomacy|Tonto Team|HAFNIUM|APT29|Ajax Security Team|Mustang Panda|Windshift|Darkhotel|ZIRCONIUM|TA551|Volatile Cedar|Indrik Spider|Evilnum|Sidewinder|Fox Kitten|Kimsuky|Operation Wocao|Chimera|Sandworm Team|Whitefly|Rocke|APT39|Tropic Trooper|Sharpshooter|Molerats|Frankenstein|Silence|APT-C-36|APT41|GALLIUM|TA505|WIRTE|APT33|MuddyWater|APT18|APT38|Rancor|Gorgon Group|OilRig|Turla|Cobalt Group|Dragonfly 2.0|FIN8|PLATINUM|APT37|Elderwood|Leviathan|APT32|Magic Hound|BRONZE BUTLER|APT3|menuPass|FIN7|Gamaredon Group|Patchwork|Lazarus Group|Threat Group-3390|APT28 -T1104,Multi-Stage Channels,Command And Control,Lazarus Group|APT41|MuddyWater|APT3 -T1102,Web Service,Command And Control,Mustang Panda|LazyScripter|TeamTNT|FIN8|Fox Kitten|Turla|APT32|Gamaredon Group|Rocke|Inception|FIN6 -T1098,Account Manipulation,Persistence,Kimsuky|Dragonfly|Sandworm Team|APT3|Dragonfly 2.0|Lazarus Group -T1095,Non-Application Layer Protocol,Command And 
Control,BackdoorDiplomacy|HAFNIUM|Operation Wocao|FIN6|APT29|PLATINUM|APT3 -T1092,Communication Through Removable Media,Command And Control,APT28 -T1091,Replication Through Removable Media,Lateral Movement|Initial Access,FIN7|Mustang Panda|Tropic Trooper|Darkhotel|APT28 -T1090,Proxy,Command And Control,Windigo|Fox Kitten|Operation Wocao|Sandworm Team|Blue Mockingbird|APT41|Turla -T1087,Account Discovery,Discovery,APT29 -T1083,File and Directory Discovery,Discovery,Winnti Group|Confucius|Dragonfly|APT38|APT29|Mustang Panda|Darkhotel|Windigo|Sidewinder|Chimera|Fox Kitten|menuPass|APT39|Sandworm Team|Operation Wocao|Gamaredon Group|Tropic Trooper|Inception|APT41|Kimsuky|APT32|MuddyWater|APT18|Leafminer|Honeybee|Dark Caracal|Dragonfly 2.0|APT3|Sowbug|Magic Hound|BRONZE BUTLER|APT28|Patchwork|Lazarus Group|Dust Storm|admin@338|Turla|Ke3chang -T1082,System Information Discovery,Discovery,Aquatic Panda|Confucius|TeamTNT|APT38|APT29|Mustang Panda|Windshift|ZIRCONIUM|Higaisa|Windigo|Sidewinder|Chimera|Operation Wocao|Wizard Spider|Rocke|Sandworm Team|Blue Mockingbird|Tropic Trooper|Frankenstein|Inception|Kimsuky|Darkhotel|MuddyWater|APT18|APT32|APT37|Honeybee|APT19|Magic Hound|Sowbug|OilRig|APT3|Gamaredon Group|Patchwork|Stealth Falcon|Lazarus Group|admin@338|Turla|Ke3chang -T1080,Taint Shared Content,Lateral Movement,Gamaredon Group|BRONZE BUTLER|Darkhotel -T1078,Valid Accounts,Defense Evasion|Persistence|Privilege Escalation|Initial Access,Ke3chang|Lazarus Group|Axiom|Dragonfly|FIN7|Leviathan|APT29|Silent Librarian|Fox Kitten|Operation Wocao|Chimera|Sandworm Team|Wizard Spider|Silence|APT41|GALLIUM|TEMP.Veles|APT39|FIN4|Night Dragon|Dragonfly 2.0|FIN8|APT33|FIN5|OilRig|APT28|menuPass|FIN10|Suckfly|FIN6|Threat Group-3390|APT18|PittyTiger|Carbanak -T1074,Data Staged,Collection,Wizard Spider -T1072,Software Deployment Tools,Execution|Lateral Movement,Silence|APT32|Threat Group-1314 -T1071,Application Layer Protocol,Command And Control,Dragonfly|TeamTNT|Rocke|Magic 
Hound|Dragonfly 2.0 -T1070,Indicator Removal on Host,Defense Evasion,Lazarus Group|APT29 -T1069,Permission Groups Discovery,Discovery,APT29|TA505|APT3 -T1068,Exploitation for Privilege Escalation,Privilege Escalation,APT29|Tonto Team|ZIRCONIUM|Turla|Whitefly|APT33|Cobalt Group|PLATINUM|FIN8|APT32|Threat Group-3390|FIN6|APT28 -T1059,Command and Scripting Interpreter,Execution,Dragonfly|APT37|Windigo|Fox Kitten|APT32|Whitefly|APT39|Dragonfly 2.0|FIN7|APT19|OilRig|FIN5|Stealth Falcon|FIN6|Ke3chang -T1057,Process Discovery,Discovery,Gamaredon Group|Kimsuky|TeamTNT|Andariel|APT29|Mustang Panda|Windshift|Higaisa|Sidewinder|Chimera|Operation Wocao|Rocke|Frankenstein|Inception|Darkhotel|MuddyWater|APT1|APT38|Tropic Trooper|APT37|Honeybee|OilRig|APT3|Magic Hound|APT28|Winnti Group|Stealth Falcon|Poseidon Group|Lazarus Group|Molerats|Turla|Deep Panda|Ke3chang -T1056,Input Capture,Collection|Credential Access,APT39 -T1055,Process Injection,Defense Evasion|Privilege Escalation,Operation Wocao|APT32|Sharpshooter|Silence|APT41|Kimsuky|Cobalt Group|Turla|APT37|Honeybee|PLATINUM -T1053,Scheduled Task/Job,Execution|Persistence|Privilege Escalation,no -T1052,Exfiltration Over Physical Medium,Exfiltration,no -T1049,System Network Connections Discovery,Discovery,Lazarus Group|TeamTNT|Andariel|BackdoorDiplomacy|Mustang Panda|MuddyWater|Chimera|Sandworm Team|Operation Wocao|Tropic Trooper|APT41|APT38|GALLIUM|APT32|APT1|OilRig|APT3|menuPass|Threat Group-3390|Poseidon Group|admin@338|Turla|Ke3chang -T1048,Exfiltration Over Alternative Protocol,Exfiltration,no -T1047,Windows Management Instrumentation,Execution,Gamaredon Group|Sandworm Team|FIN7|Indrik Spider|Naikon|Mustang Panda|Windshift|Operation Wocao|Chimera|Blue Mockingbird|Wizard Spider|Frankenstein|APT41|FIN6|GALLIUM|APT32|MuddyWater|Threat Group-3390|OilRig|FIN8|Leviathan|menuPass|Stealth Falcon|Lazarus Group|APT29|Deep Panda -T1046,Network Service Scanning,Discovery,BlackTech|Lazarus 
Group|TeamTNT|BackdoorDiplomacy|Naikon|CostaRicto|Chimera|Fox Kitten|Operation Wocao|Rocke|DarkVishnya|APT41|Tropic Trooper|APT39|APT32|OilRig|Cobalt Group|Leafminer|menuPass|Suckfly|FIN6|Threat Group-3390 -T1041,Exfiltration Over C2 Channel,Exfiltration,Confucius|Leviathan|ZIRCONIUM|Higaisa|Chimera|APT39|Operation Wocao|Sandworm Team|MuddyWater|Wizard Spider|Frankenstein|Kimsuky|GALLIUM|APT32|APT3|Gamaredon Group|Stealth Falcon|Lazarus Group|Ke3chang -T1040,Network Sniffing,Credential Access|Discovery,Kimsuky|Sandworm Team|DarkVishnya|APT33|APT28 -T1039,Data from Network Shared Drive,Collection,APT28|Chimera|Fox Kitten|Gamaredon Group|BRONZE BUTLER|Sowbug|menuPass -T1037,Boot or Logon Initialization Scripts,Persistence|Privilege Escalation,Rocke -T1036,Masquerading,Defense Evasion,Kimsuky|Lazarus Group|Dragonfly|LazyScripter|APT28|Nomadic Octopus|OilRig|APT29|ZIRCONIUM|TA551|Windshift|APT32|BRONZE BUTLER|menuPass|PLATINUM|Dragonfly 2.0 -T1033,System Owner/User Discovery,Discovery,Threat Group-3390|Ke3chang|Dragonfly|APT38|Windshift|ZIRCONIUM|Sidewinder|Chimera|Sandworm Team|Operation Wocao|Wizard Spider|Frankenstein|APT41|GALLIUM|Tropic Trooper|APT39|MuddyWater|APT37|Dragonfly 2.0|APT19|APT32|Magic Hound|OilRig|FIN10|Gamaredon Group|Patchwork|Stealth Falcon|Lazarus Group|APT3 -T1030,Data Transfer Size Limits,Exfiltration,APT28|Threat Group-3390 -T1029,Scheduled Transfer,Exfiltration,Higaisa -T1027,Obfuscated Files or Information,Defense Evasion,Aquatic Panda|Ke3chang|LazyScripter|TeamTNT|BackdoorDiplomacy|Transparent Tribe|APT39|Mustang Panda|Windshift|TA551|Higaisa|Sidewinder|Fox Kitten|GOLD SOUTHFIELD|Operation Wocao|Kimsuky|FIN6|Chimera|Gamaredon Group|Rocke|Sandworm Team|Blue Mockingbird|Whitefly|Molerats|Wizard Spider|Mofang|Frankenstein|Inception|APT-C-36|APT41|GALLIUM|Turla|TA505|Silence|APT33|Night Dragon|Darkhotel|Gallmaker|APT29|APT18|Tropic Trooper|Patchwork|menuPass|APT37|Threat Group-3390|Cobalt Group|Dark 
Caracal|Leafminer|Honeybee|APT19|BlackOasis|Leviathan|FIN8|MuddyWater|FIN7|Elderwood|OilRig|Magic Hound|APT3|APT32|Group5|Dust Storm|Lazarus Group|Putter Panda|APT28 -T1025,Data from Removable Media,Collection,Turla|Gamaredon Group|APT28 -T1021,Remote Services,Lateral Movement,no -T1020,Automated Exfiltration,Exfiltration,Ke3chang|Sidewinder|Gamaredon Group|Tropic Trooper|Frankenstein|Honeybee -T1018,Remote System Discovery,Discovery,Dragonfly|Indrik Spider|Naikon|APT29|Chimera|Fox Kitten|Operation Wocao|Sandworm Team|Rocke|Wizard Spider|Silence|GALLIUM|APT39|APT32|Deep Panda|Ke3chang|Threat Group-3390|Dragonfly 2.0|Leafminer|FIN8|FIN5|APT3|BRONZE BUTLER|menuPass|FIN6|Turla -T1016,System Network Configuration Discovery,Discovery,Kimsuky|Dragonfly|TeamTNT|ZIRCONIUM|Mustang Panda|Higaisa|Sidewinder|Chimera|Operation Wocao|Wizard Spider|Sandworm Team|Tropic Trooper|Frankenstein|APT41|GALLIUM|APT32|Darkhotel|MuddyWater|APT1|APT19|Dragonfly 2.0|Magic Hound|OilRig|Threat Group-3390|menuPass|Stealth Falcon|Lazarus Group|APT3|Naikon|admin@338|Turla|Ke3chang -T1014,Rootkit,Defense Evasion,TeamTNT|Rocke|APT41|APT28|Winnti Group -T1012,Query Registry,Discovery,Kimsuky|Dragonfly|ZIRCONIUM|Chimera|Fox Kitten|APT39|Operation Wocao|APT32|Dragonfly 2.0|Threat Group-3390|OilRig|Stealth Falcon|Lazarus Group|Turla -T1011,Exfiltration Over Other Network Medium,Exfiltration,no -T1010,Application Window Discovery,Discovery,Lazarus Group -T1008,Fallback Channels,Command And Control,FIN7|APT41|OilRig|Lazarus Group -T1007,System Service Discovery,Discovery,Kimsuky|Aquatic Panda|Indrik Spider|Chimera|Operation Wocao|BRONZE BUTLER|APT1|OilRig|Poseidon Group|admin@338|Turla|Ke3chang +T1047,Windows Management Instrumentation,Execution,APT41|FIN7|APT32|GALLIUM|Sandworm Team|Volt Typhoon|Blue Mockingbird|Mustang Panda|Deep Panda|TA2541|Indrik Spider|OilRig|MuddyWater|Gamaredon Group|menuPass|FIN6|Leviathan|Stealth Falcon|Windshift|Earth Lusca|Threat Group-3390|FIN13|Magic Hound|Chimera|Lazarus 
Group|APT29|Wizard Spider|FIN8|Naikon +T1560.002,Archive via Library,Collection,Lazarus Group|Threat Group-3390 +T1583.005,Botnet,Resource Development,no +T1621,Multi-Factor Authentication Request Generation,Credential Access,Scattered Spider|LAPSUS$|APT29 +T1110.002,Password Cracking,Credential Access,APT3|Dragonfly|FIN6|APT41 +T1566,Phishing,Initial Access,Axiom|GOLD SOUTHFIELD +T1059.007,JavaScript,Execution,Kimsuky|Cobalt Group|Indrik Spider|Leafminer|FIN7|MuddyWater|Molerats|TA505|Silence|FIN6|APT32|Earth Lusca|LazyScripter|Turla|Evilnum|Higaisa|Ember Bear|MoustachedBouncer|Sidewinder +T1592.004,Client Configurations,Reconnaissance,HAFNIUM +T1529,System Shutdown/Reboot,Impact,Lazarus Group|APT37|APT38 +T1218.012,Verclsid,Defense Evasion,no +T1550.004,Web Session Cookie,Defense Evasion|Lateral Movement,no +T1217,Browser Information Discovery,Discovery,Chimera|Fox Kitten|APT38 +T1218,System Binary Proxy Execution,Defense Evasion,Lazarus Group +T1578,Modify Cloud Compute Infrastructure,Defense Evasion,no +T1546.015,Component Object Model Hijacking,Privilege Escalation|Persistence,APT28 T1006,Direct Volume Access,Defense Evasion,no -T1005,Data from Local System,Collection,Axiom|Dragonfly|FIN7|APT41|APT38|Andariel|APT29|Windigo|Fox Kitten|Sandworm Team|Operation Wocao|FIN6|Gamaredon Group|APT39|Frankenstein|Inception|Kimsuky|GALLIUM|Turla|menuPass|Dark Caracal|Dragonfly 2.0|Honeybee|APT37|APT28|APT3|BRONZE BUTLER|Patchwork|Stealth Falcon|Lazarus Group|Dust Storm|Threat Group-3390|APT1|Ke3chang -T1003,OS Credential Dumping,Credential Access,Tonto Team|APT39|Frankenstein|APT32|APT28|Leviathan|Sowbug|Suckfly|Poseidon Group|Axiom -T1001,Data Obfuscation,Command And Control,Operation Wocao|Axiom +T1586.002,Email Accounts,Resource Development,APT29|APT28|Leviathan|LAPSUS$|IndigoZebra|HEXANE|Kimsuky|Magic Hound +T1137.003,Outlook Forms,Persistence,no +T1584.006,Web Services,Resource Development,Turla|Earth Lusca +T1134.001,Token Impersonation/Theft,Defense 
Evasion|Privilege Escalation,APT28|FIN8 +T1070,Indicator Removal,Defense Evasion,Lazarus Group +T1550.002,Pass the Hash,Defense Evasion|Lateral Movement,APT1|FIN13|APT28|APT32|Chimera|GALLIUM|Kimsuky|Wizard Spider +T1567.003,Exfiltration to Text Storage Sites,Exfiltration,no +T1030,Data Transfer Size Limits,Exfiltration,Threat Group-3390|LuminousMoth|APT28 +T1137.004,Outlook Home Page,Persistence,OilRig +T1036.006,Space after Filename,Defense Evasion,no +T1539,Steal Web Session Cookie,Credential Access,Evilnum|LuminousMoth +T1518.001,Security Software Discovery,Discovery,Cobalt Group|Kimsuky|TA2541|Tropic Trooper|APT38|Sidewinder|MuddyWater|Darkhotel|TeamTNT|Patchwork|Windshift|Rocke|The White Company|Naikon|Aquatic Panda|Wizard Spider|Turla|FIN8|SideCopy +T1578.002,Create Cloud Instance,Defense Evasion,LAPSUS$ +T1037.004,RC Scripts,Persistence|Privilege Escalation,APT29 +T1036.008,Masquerade File Type,Defense Evasion,Volt Typhoon +T1556.007,Hybrid Identity,Credential Access|Defense Evasion|Persistence,APT29 +T1114.001,Local Email Collection,Collection,APT1|Chimera|Magic Hound +T1490,Inhibit System Recovery,Impact,Wizard Spider +T1027.012,LNK Icon Smuggling,Defense Evasion,no +T1558.004,AS-REP Roasting,Credential Access,no +T1601.001,Patch System Image,Defense Evasion,no +T1132.001,Standard Encoding,Command And Control,MuddyWater|Tropic Trooper|HAFNIUM|BRONZE BUTLER|APT19|Lazarus Group|Sandworm Team|APT33|TA551|Patchwork +T1003.004,LSA Secrets,Credential Access,APT33|OilRig|Leafminer|menuPass|Threat Group-3390|Dragonfly|MuddyWater|Ke3chang|APT29 +T1566.001,Spearphishing Attachment,Initial Access,Ember Bear|Gorgon Group|OilRig|Naikon|Wizard Spider|Machete|Nomadic Octopus|IndigoZebra|RTM|Confucius|Gamaredon Group|APT28|FIN4|Rancor|Mustang Panda|TA551|DarkHydrus|Cobalt Group|APT12|menuPass|WIRTE|APT39|APT29|APT19|Tropic Trooper|Inception|LazyScripter|Silence|APT38|APT30|APT33|APT1|Patchwork|Sandworm Team|Leviathan|Windshift|APT37|Lazarus 
Group|Darkhotel|PLATINUM|Gallmaker|APT32|FIN6|Dragonfly|BITTER|Sidewinder|Tonto Team|Andariel|The White Company|FIN8|Transparent Tribe|BRONZE BUTLER|Threat Group-3390|TA505|EXOTIC LILY|Elderwood|SideCopy|Molerats|Ajax Security Team|MuddyWater|Ferocious Kitten|APT-C-36|Mofang|Higaisa|APT41|FIN7|TA2541|BlackTech|admin@338|Kimsuky|TA459 +T1102,Web Service,Command And Control,FIN6|EXOTIC LILY|Turla|APT32|Mustang Panda|Rocke|FIN8|TeamTNT|LazyScripter|Gamaredon Group|Inception|Fox Kitten|Ember Bear +T1649,Steal or Forge Authentication Certificates,Credential Access,APT29 +T1590,Gather Victim Network Information,Reconnaissance,HAFNIUM +T1562.010,Downgrade Attack,Defense Evasion,no +T1003,OS Credential Dumping,Credential Access,Axiom|Leviathan|APT28|Tonto Team|Poseidon Group|Suckfly|APT32|Sowbug|APT39 +T1087.004,Cloud Account,Discovery,APT29 +T1552.005,Cloud Instance Metadata API,Credential Access,TeamTNT +T1562.003,Impair Command History Logging,Defense Evasion,APT38 +T1608.004,Drive-by Target,Resource Development,FIN7|Threat Group-3390|APT32|Transparent Tribe|LuminousMoth|Dragonfly +T1553,Subvert Trust Controls,Defense Evasion,Axiom +T1547.001,Registry Run Keys / Startup Folder,Persistence|Privilege Escalation,Leviathan|Ke3chang|RTM|TeamTNT|Inception|Threat Group-3390|MuddyWater|FIN6|PROMETHIUM|Higaisa|Magic Hound|APT3|Sidewinder|APT29|TA2541|FIN10|Dark Caracal|Dragonfly|BRONZE BUTLER|FIN13|Tropic Trooper|LazyScripter|Rocke|APT33|APT19|ZIRCONIUM|APT28|Confucius|APT39|Turla|LuminousMoth|Darkhotel|APT37|Gamaredon Group|Mustang Panda|Patchwork|FIN7|Naikon|APT18|Silence|Kimsuky|Wizard Spider|Lazarus Group|Gorgon Group|Putter Panda|APT41|Windshift|Cobalt Group|Molerats|APT32 +T1526,Cloud Service Discovery,Discovery,no +T1027.011,Fileless Storage,Defense Evasion,Turla|APT32 +T1599,Network Boundary Bridging,Defense Evasion,no +T1218.014,MMC,Defense Evasion,no +T1216,System Script Proxy Execution,Defense Evasion,no +T1036.003,Rename System Utilities,Defense Evasion,Lazarus 
Group|GALLIUM|APT32|menuPass +T1569.001,Launchctl,Execution,no +T1571,Non-Standard Port,Command And Control,Silence|Lazarus Group|Magic Hound|Rocke|APT-C-36|DarkVishnya|TEMP.Veles|APT32|WIRTE|Sandworm Team|APT33|FIN7 +T1069.002,Domain Groups,Discovery,OilRig|Inception|Ke3chang|FIN7|Dragonfly|Turla|Volt Typhoon|LAPSUS$ +T1003.006,DCSync,Credential Access,LAPSUS$|Earth Lusca +T1497.002,User Activity Based Checks,Defense Evasion|Discovery,Darkhotel|FIN7 +T1110,Brute Force,Credential Access,APT38|OilRig|HEXANE|APT28|FIN5|Fox Kitten|APT39|Dragonfly|Turla|DarkVishnya +T1531,Account Access Removal,Impact,LAPSUS$ +T1596.004,CDNs,Reconnaissance,no +T1132,Data Encoding,Command And Control,no +T1589,Gather Victim Identity Information,Reconnaissance,Magic Hound|APT32|FIN13|HEXANE|LAPSUS$ +T1546.013,PowerShell Profile,Privilege Escalation|Persistence,Turla +T1036,Masquerading,Defense Evasion,OilRig|APT28|Nomadic Octopus|menuPass|ZIRCONIUM|FIN13|Windshift|TA551|APT32|Kimsuky|TeamTNT|PLATINUM|LazyScripter|BRONZE BUTLER|Dragonfly +T1102.002,Bidirectional Communication,Command And Control,APT28|APT37|Carbanak|Lazarus Group|APT12|FIN7|APT39|ZIRCONIUM|POLONIUM|HEXANE|Turla|Sandworm Team|MuddyWater|Magic Hound|Kimsuky +T1588.001,Malware,Resource Development,TA2541|LuminousMoth|LazyScripter|APT1|LAPSUS$|Aquatic Panda|Metador|Andariel|BackdoorDiplomacy|Earth Lusca|Turla|TA505 +T1033,System Owner/User Discovery,Discovery,ZIRCONIUM|APT37|Gamaredon Group|Magic Hound|FIN10|Sidewinder|HAFNIUM|HEXANE|GALLIUM|Stealth Falcon|Dragonfly|APT32|Tropic Trooper|APT19|Sandworm Team|APT39|OilRig|Patchwork|Ke3chang|APT41|FIN8|APT38|Earth Lusca|Wizard Spider|FIN7|Windshift|MuddyWater|Lazarus Group|Threat Group-3390|APT3|LuminousMoth|Chimera|Volt Typhoon +T1021.006,Windows Remote Management,Lateral Movement,Wizard Spider|Chimera|FIN13|Threat Group-3390 +T1497,Virtualization/Sandbox Evasion,Defense Evasion|Discovery,Darkhotel +T1136.002,Domain Account,Persistence,GALLIUM|Wizard Spider|HAFNIUM 
+T1556.004,Network Device Authentication,Credential Access|Defense Evasion|Persistence,no
+T1078.004,Cloud Accounts,Defense Evasion|Persistence|Privilege Escalation|Initial Access,APT28|Ke3chang|APT29|APT33|LAPSUS$
diff --git a/pipeline/.app_inspect.yml b/pipeline/.app_inspect.yml
new file mode 100644
index 0000000000..5c796aa342
--- /dev/null
+++ b/pipeline/.app_inspect.yml
@@ -0,0 +1,23 @@
+app_inspect:
+ stage: app_inspect
+ needs:
+ - validate_escu
+ - generate_escu
+ artifacts:
+ when: always
+ paths:
+ - artifacts/*
+ before_script:
+ - pip3 install poetry
+ - git submodule update --init contentctl
+ - cd contentctl
+ - git checkout main
+ - poetry install
+ script:
+ - poetry run contentctl -p ../ build --appinspect_api_username $APPINSPECT_USERNAME --appinspect_api_password $APPINSPECT_PASSWORD
+ after_script:
+ - mkdir -p artifacts/app_inspect_report
+ - cp -r dist/*.{json,html,log} artifacts/app_inspect_report
+ rules:
+ - if: '$CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]$/'
+ when: on_success
diff --git a/pipeline/.generate.yml b/pipeline/.generate.yml
new file mode 100644
index 0000000000..0f4b889cda
--- /dev/null
+++ b/pipeline/.generate.yml
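Review bot: The `before_script` overrides the submodule revision the superproject pins: `git submodule update --init contentctl` checks out the recorded commit, and the next line `git checkout main` replaces it with whatever contentctl's `main` holds at run time, so the release build is not reproducible and any push to that branch runs in this job with `$APPINSPECT_USERNAME`/`$APPINSPECT_PASSWORD` in the environment. Drop the `- git checkout main` step (or check out a tag) so the reviewed submodule commit is what builds. Separately, the tag rule `/^v[0-9]+\.[0-9]+\.[0-9]$/` admits only a single patch digit, so a tag such as `v4.15.10` would silently skip AppInspect and every release job that copies the same rule; `/^v[0-9]+\.[0-9]+\.[0-9]+$/` is presumably what was meant. The password is also passed as a command-line argument, which other processes on the runner can read and which may land in the job log if contentctl echoes its invocation — worth confirming.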
@@ -0,0 +1,61 @@
+generate_escu:
+ stage: generate
+ needs:
+ - validate_escu
+ artifacts:
+ when: always
+ paths:
+ - artifacts/*
+ before_script:
+ - pip3 install poetry
+ - git submodule update --init contentctl
+ - cd contentctl
+ - git checkout main
+ - poetry install
+ script:
+ - poetry run contentctl -p ../ build
+ - cd ..
+ - mkdir artifacts
+ - mv dist/DA-ESS-ContentUpdate-latest.tar.gz artifacts/
+
+generate_ba:
+ stage: generate
+ needs:
+ - validate_ba
+ artifacts:
+ when: always
+ paths:
+ - artifacts/*
+ before_script:
+ - pip3 install poetry
+ - git submodule update --init contentctl
+ - cd contentctl
+ - git checkout main
+ - poetry install
+ script:
+ - poetry run contentctl -p ../ build -t ssa
+ - cd ..
+ - mkdir -p artifacts/ssa
+ - cp -r dist/ssa/* artifacts/ssa
+
+generate_api:
+ stage: generate
+ needs:
+ - validate_escu
+ artifacts:
+ when: always
+ paths:
+ - artifacts/*
+ before_script:
+ - pip3 install poetry
+ - git submodule update --init contentctl
+ - cd contentctl
+ - git checkout main
+ - poetry install
+ script:
+ - poetry run contentctl -p ../ build -t api
+ - cd ..
+ - mkdir -p artifacts/api
+ - cp -r dist/api/* artifacts/api
+
+
diff --git a/pipeline/.release.yml b/pipeline/.release.yml
new file mode 100644
index 0000000000..0aa1b7be04
--- /dev/null
+++ b/pipeline/.release.yml
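Review bot: All three jobs undo the pinned submodule revision with `git checkout main` immediately after `git submodule update --init contentctl`, so the artifacts are produced by whatever contentctl `main` is at that moment rather than the commit recorded in this repository, and a change pushed to that branch alters the build output with no commit here. Remove the `- git checkout main` line and move the repeated five-line setup into one hidden job the three jobs `extends:`, so the pin is enforced in a single place. `generate_escu` also uses bare `mkdir artifacts` while the other two use `mkdir -p`; if the directory already exists on the runner the escu job fails, so `- mkdir -p artifacts` keeps them consistent. Pinning `pip3 install poetry` to a version would remove one more run-time variable from the build.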
@@ -0,0 +1,128 @@
+# Run reporting
+reporting:
+ stage: release
+ needs:
+ - app_inspect
+ variables:
+ BUCKET: "security-content"
+ before_script:
+ - pip3 install poetry
+ - git submodule update --init contentctl
+ - cd contentctl
+ - git checkout main
+ - poetry install
+ - curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
+ - unzip awscliv2.zip
+ - ./aws/install
+ script:
+ - poetry run contentctl -p ../ report
+ - cd ..
+ - aws s3 cp reporting s3://$BUCKET/reporting --recursive --exclude "*" --include "*.svg"
+ rules:
+ - if: '$CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]$/'
+ when: on_success
+
+# Security Content API Update
+security_content_api:
+ stage: release
+ needs:
+ - app_inspect
+ artifacts:
+ when: always
+ paths:
+ - artifacts/*
+ variables:
+ BUCKET: "security-content"
+ before_script:
+ - pip3 install poetry
+ - git submodule update --init contentctl
+ - cd contentctl
+ - git checkout main
+ - poetry install
+ - curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
+ - unzip awscliv2.zip
+ - ./aws/install
+ script:
+ - poetry run contentctl -p ../ build -t api
+ - cd ..
+ - aws s3 rm s3://$BUCKET --recursive --exclude "*" --include "*.yml"
+ - aws s3 cp stories s3://$BUCKET/stories --recursive --exclude "*" --include "*.yml"
+ - aws s3 cp baselines s3://$BUCKET/baselines --recursive --exclude "*" --include "*.yml"
+ - aws s3 cp detections s3://$BUCKET/detections --recursive --exclude "*" --include "*.yml"
+ - aws s3 cp playbooks s3://$BUCKET/playbooks --recursive --exclude "*" --include "*.yml"
+ - aws s3 cp lookups s3://$BUCKET/lookups --recursive --exclude "*" --include "*.yml"
+ - aws s3 cp lookups s3://$BUCKET/lookups --recursive --exclude "*" --include "*.csv"
+ - aws s3 cp lookups s3://$BUCKET/lookups --recursive --exclude "*" --include "*.mlmodel"
+ - aws s3 cp macros s3://$BUCKET/macros --recursive --exclude "*" --include "*.yml"
+ - aws s3 cp deployments s3://$BUCKET/deployments --recursive --exclude "*" --include "*.yml"
+ - aws s3 cp dist/api s3://$BUCKET/json --recursive --exclude "*" --include "*.json"
+ rules:
+ - if: '$CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]$/'
+ when: on_success
+
+# Update Attack Range ESCU App
+attack_range_escu_app:
+ stage: release
+ needs:
+ - app_inspect
+ artifacts:
+ when: always
+ paths:
+ - artifacts/*
+ variables:
+ BUCKET: "attack-range-appbinaries"
+ before_script:
+ - curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
+ - unzip awscliv2.zip
+ - ./aws/install
+ script:
+ - aws s3 cp artifacts/DA-ESS-ContentUpdate-latest.tar.gz s3://$BUCKET/
+ - aws s3api put-object-acl --bucket $BUCKET --key DA-ESS-ContentUpdate-latest.tar.gz --acl public-read
+ rules:
+ - if: '$CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]$/'
+ when: on_success
+
+# Sync change to GitHub develop
+github_push_develop:
+ stage: release
+ needs:
+ - app_inspect
+ variables:
+ BRANCH: "gitlab_release_$CI_COMMIT_TAG"
+ before_script:
+ - 'command -v ssh-agent >/dev/null || ( apt-get update -y && apt-get install openssh-client -y )'
+ - eval $(ssh-agent -s)
+ - echo "$SSH_PRIVATE_KEY" | ssh-add -
+ - mkdir -p ~/.ssh
+ - chmod 700 ~/.ssh
+ - ssh-keyscan -t rsa github.com >> ~/.ssh/known_hosts
+ - chmod 644 ~/.ssh/known_hosts
+ script:
+ - git config user.email "research@splunk.com"
+ - git config user.name "research bot"
+ - git remote add github_origin git@github.com:splunk/security_content.git
+ - git fetch --all
+ - git checkout -b $BRANCH
+ - git push -u github_origin $BRANCH
+ # - 'curl -X POST -H "Authorization: token $CREATE_GH_RELEASE_PR" -H "Accept: application/vnd.github.v3+json" -d "{\"title\":\"Release $CI_COMMIT_TAG\", \"body\":\"This PR contains content for ESCU - $CI_COMMIT_TAG\", \"head\":\"develop\", \"base\":\"gitlab_release_$CI_COMMIT_TAG\"}" https://api.github.com/repos/splunk/security_content/pulls'
+ rules:
+ - if: '$CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]$/'
+ when: on_success
+
+# Create Package GitLab
+release_job:
+ stage: release
+ needs:
+ - app_inspect
+ image: registry.gitlab.com/gitlab-org/release-cli:latest
+ script:
+ - echo "running release_job"
+ # See https://docs.gitlab.com/ee/ci/yaml/#release for available properties
+ release:
+ tag_name: '$CI_COMMIT_TAG'
+ description: '$CI_COMMIT_TAG'
+ rules:
+ - if: '$CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]$/'
+ when: on_success
+
+
\ No newline at end of file
diff --git a/pipeline/.validate.yml b/pipeline/.validate.yml
new file mode 100644
index 0000000000..7dbd4c97c2
--- /dev/null
+++ b/pipeline/.validate.yml
@@ -0,0 +1,22 @@
+validate_escu:
+ stage: validate
+ before_script:
+ - pip3 install poetry
+ - git submodule update --init contentctl
+ - cd contentctl
+ - git checkout main
+ - poetry install
+ script:
+ - poetry run contentctl -p ../ validate
+
+
+validate_ba:
+ stage: validate
+ before_script:
+ - pip3 install poetry
+ - git submodule update --init contentctl
+ - cd contentctl
+ - git checkout main
+ - poetry install
+ script:
+ - poetry run contentctl -p ../ validate -t ssa
\ No newline at end of file
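Review bot: `aws s3 rm s3://$BUCKET --recursive --exclude "*" --include "*.yml"` in `security_content_api` deletes every `.yml` object anywhere in the bucket — not only under the `stories`/`detections`/... prefixes re-uploaded on the following lines — and it runs before those uploads, so unrelated `.yml` content in the bucket is lost and consumers see an empty API between the delete and the copies; a per-prefix `aws s3 sync detections s3://$BUCKET/detections --delete --exclude "*" --include "*.yml"` (one per directory) scopes the removal and closes the gap. In `github_push_develop`, `ssh-keyscan -t rsa github.com >> ~/.ssh/known_hosts` accepts whatever host key the runner is handed on each run, which is trust-on-first-use every time and defeats host verification for the push done with `$SSH_PRIVATE_KEY`; write GitHub's published host key into `known_hosts` from a CI variable instead. The AWS CLI is likewise fetched with `curl` and installed with no check of the signature AWS publishes next to the zip, inside jobs that hold bucket-write credentials — verify it or use an image with the CLI preinstalled. The `public-read` tarball in `attack_range_escu_app` has no checksum published beside it, so downstream consumers cannot verify what they download; uploading a `.sha256` alongside would help.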
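Review bot: `git checkout main` right after `git submodule update --init contentctl` in both jobs discards the submodule revision this repository pins, so validation runs against an unpinned contentctl and a change to its `main` branch can change what passes or fails without any commit here. Removing that line (or checking out a tag) makes the validate stage reproducible; since the same five setup lines recur in every job of this pipeline, a hidden `.contentctl_setup` job reused via `extends:` would keep the pin in one place. Note also that these jobs carry no `rules:`, so unlike the release jobs they run on every pipeline — presumably intended, but worth a one-line comment saying so.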
diff --git a/ssa_detections/endpoint/ssa___detect_prohibited_applications_spawning_cmd_exe_browsers.yml b/ssa_detections/endpoint/ssa___detect_prohibited_applications_spawning_cmd_exe_browsers.yml
new file mode 100644
index 0000000000..f5ba4422be
--- /dev/null
+++ b/ssa_detections/endpoint/ssa___detect_prohibited_applications_spawning_cmd_exe_browsers.yml
@@ -0,0 +1,99 @@
+name: Detect Prohibited Applications Spawning cmd exe browsers
+id: c10a18cb-fd70-4ffa-a844-25026e0a0c94
+version: 1
+date: '2023-10-26'
+author: Lou Stella, Splunk
+type: Anomaly
+status: validation
+description: The following analytic identifies parent processes that are browsers,
+ spawning cmd.exe. By its very nature, many applications spawn cmd.exe natively or
+ built into macros. Much of this will need to be tuned to further enhance the risk.
+data_source:
+- Windows Security 4688
+search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid |
+ eval process_pid = process.pid | eval process_file = process.file | eval process_file_path
+ = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line
+ = lower(process.cmd_line) | eval actor_user = actor.user | eval actor_user_name
+ = actor_user.name | eval actor_process = actor.process | eval actor_process_pid
+ = actor_process.pid | eval actor_process_file = actor_process.file | eval actor_process_file_path
+ = actor_process_file.path | eval actor_process_file_name = lower(actor_process_file.name)
+ | eval device_hostname = device.hostname | where ((actor_process_file_name="iexplore.exe"
+ OR actor_process_file_name="opera.exe" OR actor_process_file_name="firefox.exe")
+ OR (actor_process_file_name="chrome.exe" AND (NOT process_cmd_line="chrome-extension")))
+ AND process_file_name="cmd.exe" --finding_report--'
+how_to_implement: In order to successfully implement this analytic, you will need
+ endpoint process data from a EDR product or Sysmon. This search has been modified
+ to process raw sysmon data from attack_range's nxlogs on DSP.
+known_false_positives: There are circumstances where an application may legitimately
+ execute and interact with the Windows command-line interface.
+references:
+- https://attack.mitre.org/techniques/T1059/
+tags:
+ analytic_story:
+ - Suspicious Command-Line Executions
+ - Insider Threat
+ asset_type: Endpoint
+ confidence: 50
+ impact: 70
+ mitre_attack_id:
+ - T1059
+ observable:
+ - name: process.pid
+ type: Other
+ - name: process.file.path
+ type: File
+ - name: process.file.name
+ type: File
+ - name: process.cmd_line
+ type: Other
+ - name: actor.user.name
+ type: User Name
+ - name: actor.process.pid
+ type: Other
+ - name: actor.process.file.path
+ type: File Name
+ - name: actor.process.file.name
+ type: File Name
+ - name: device.hostname
+ type: Hostname
+ message: An instance of $parent_process_name$ spawning $process_name$ was identified
+ on endpoint $dest_device_id$ by user $dest_user_id$, producing a suspicious event
+ that warrants investigating.
+ product:
+ - Splunk Behavioral Analytics
+ required_fields:
+ - process.pid
+ - process.file.path
+ - process.file.name
+ - process.cmd_line
+ - actor.user.name
+ - actor.process.pid
+ - actor.process.file.path
+ - actor.process.file.name
+ - device.hostname
+ risk_score: 35
+ security_domain: endpoint
+ mappings:
+ - ocsf: process.pid
+ cim: process_id
+ - ocsf: process.file.path
+ cim: process_path
+ - ocsf: process.file.name
+ cim: process_name
+ - ocsf: process.cmd_line
+ cim: process
+ - ocsf: actor.user.name
+ cim: user
+ - ocsf: actor.process.pid
+ cim: parent_process_id
+ - ocsf: actor.process.file.path
+ cim: parent_process_path
+ - ocsf: actor.process.file.name
+ cim: parent_process_name
+ - ocsf: device.hostname
+ cim: dest
+tests:
+- name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.003/ssa_validation/browsers/windows-security.log
+ source: WinEventLog:Security
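Review bot: The chrome exclusion `NOT process_cmd_line="chrome-extension"` is an exact equality test against the whole lower-cased command line, so it only excludes a cmd.exe whose entire command line is the literal string `chrome-extension` — in practice never — and the chrome branch ends up identical to the other browsers. If the intent is to drop extension-driven launches, a substring test such as `NOT like(process_cmd_line, "%chrome-extension%")` is needed; bear in mind that any exclusion keyed on the child's command line is attacker-controlled and can be abused simply by appending that string, so tuning via risk is safer than filtering here. `how_to_implement` says the search processes Sysmon data from nxlog on DSP while `data_source` lists Windows Security 4688 and the test feeds `windows-security.log`; one of the two should be corrected. The `message` placeholders `$dest_device_id$` and `$dest_user_id$` match neither the `eval`'d field names (`device_hostname`, `actor_user_name`) nor the CIM names in `mappings` (`dest`, `user`) — confirm which names the finding report exposes. The observable types are also inconsistent: `process.file.path` is typed `File` while `actor.process.file.path` is `File Name`.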
diff --git a/ssa_detections/endpoint/ssa___detect_prohibited_applications_spawning_cmd_exe_office.yml b/ssa_detections/endpoint/ssa___detect_prohibited_applications_spawning_cmd_exe_office.yml
new file mode 100644
index 0000000000..18cc724066
--- /dev/null
+++ b/ssa_detections/endpoint/ssa___detect_prohibited_applications_spawning_cmd_exe_office.yml
@@ -0,0 +1,100 @@
+name: Detect Prohibited Applications Spawning cmd exe office
+id: c10a18cb-fd70-4ffa-a844-25026e0b0c94
+version: 1
+date: '2023-10-26'
+author: Lou Stella, Splunk
+type: Anomaly
+status: validation
+description: The following analytic identifies parent processes that are office/productivity
+ applications, spawning cmd.exe. By its very nature, many applications spawn cmd.exe
+ natively or built into macros. Much of this will need to be tuned to further enhance
+ the risk.
+data_source:
+- Windows Security 4688
+search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid |
+ eval process_pid = process.pid | eval process_file = process.file | eval process_file_path
+ = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line
+ = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name
+ | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid
+ | eval actor_process_file = actor_process.file | eval actor_process_file_path =
+ actor_process_file.path | eval actor_process_file_name = lower(actor_process_file.name)
+ | eval device_hostname = device.hostname | where (actor_process_file_name="winword.exe"
+ OR actor_process_file_name="excel.exe" OR actor_process_file_name="outlook.exe"
+ OR actor_process_file_name="acrobat.exe" OR actor_process_file_name="acrord32.exe")
+ AND process_file_name="cmd.exe" --finding_report--'
+how_to_implement: In order to successfully implement this analytic, you will need
+ endpoint process data from a EDR product or Sysmon. This search has been modified
+ to process raw sysmon data from attack_range's nxlogs on DSP.
+known_false_positives: There are circumstances where an application may legitimately
+ execute and interact with the Windows command-line interface.
+references:
+- https://attack.mitre.org/techniques/T1059/
+tags:
+ analytic_story:
+ - Suspicious Command-Line Executions
+ - Insider Threat
+ asset_type: Endpoint
+ confidence: 50
+ impact: 70
+ mitre_attack_id:
+ - T1059
+ observable:
+ - name: process.pid
+ type: Other
+ - name: process.file.path
+ type: File
+ - name: process.file.name
+ type: File
+ - name: process.cmd_line
+ type: Other
+ - name: actor.user.name
+ type: User Name
+ - name: actor.process.pid
+ type: Other
+ - name: actor.process.file.path
+ type: File Name
+ - name: actor.process.file.name
+ type: File Name
+ - name: device.hostname
+ type: Hostname
+ message: An instance of $parent_process_name$ spawning $process_name$ was identified
+ on endpoint $dest_device_id$ by user $dest_user_id$, producing a suspicious event
+ that warrants investigating.
+ product:
+ - Splunk Behavioral Analytics
+ required_fields:
+ - process.pid
+ - process.file.path
+ - process.file.name
+ - process.cmd_line
+ - actor.user.name
+ - actor.process.pid
+ - actor.process.file.path
+ - actor.process.file.name
+ - device.hostname
+ risk_score: 35
+ security_domain: endpoint
+ mappings:
+ - ocsf: process.pid
+ cim: process_id
+ - ocsf: process.file.path
+ cim: process_path
+ - ocsf: process.file.name
+ cim: process_name
+ - ocsf: process.cmd_line
+ cim: process
+ - ocsf: actor.user.name
+ cim: user
+ - ocsf: actor.process.pid
+ cim: parent_process_id
+ - ocsf: actor.process.file.path
+ cim: parent_process_path
+ - ocsf: actor.process.file.name
+ cim: parent_process_name
+ - ocsf: device.hostname
+ cim: dest
+tests:
+- name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.003/ssa_validation/office/windows-security.log
+ source: WinEventLog:Security
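Review bot: The parent list in the `where` clause covers Word, Excel, Outlook and Acrobat but omits the other macro-capable Office hosts — `powerpnt.exe`, `msaccess.exe`, `mspub.exe`, `visio.exe`, `onenote.exe` — so a macro in a PowerPoint deck or Access database spawning cmd.exe is not caught; adding them to the `OR` chain is a one-line change. Because the match is on `actor_process_file_name` alone, a renamed or relocated Office binary is outside what this analytic can see; that limitation belongs in `known_false_positives` or the description so tuners do not over-trust it. `how_to_implement` still describes Sysmon data via nxlog on DSP although `data_source` is Windows Security 4688 and the test feeds `windows-security.log`, and the `message` placeholders `$dest_device_id$`/`$dest_user_id$` match neither the `eval`'d names (`device_hostname`, `actor_user_name`) nor the CIM `dest`/`user` in `mappings`. The observable types are inconsistent too: `process.file.path` is typed `File` while `actor.process.file.path` is `File Name`.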
diff --git a/ssa_detections/endpoint/ssa___detect_prohibited_applications_spawning_cmd_exe_powershell.yml b/ssa_detections/endpoint/ssa___detect_prohibited_applications_spawning_cmd_exe_powershell.yml
new file mode 100644
index 0000000000..e048a142af
--- /dev/null
+++ b/ssa_detections/endpoint/ssa___detect_prohibited_applications_spawning_cmd_exe_powershell.yml
@@ -0,0 +1,97 @@
+name: Detect Prohibited Applications Spawning cmd exe powershell
+id: c10a18cb-fd70-4ffa-a844-25126e0b0d94
+version: 1
+date: '2023-10-26'
+author: Lou Stella, Splunk
+type: Anomaly
+status: validation
+description: The following analytic identifies parent processes that are powershell,
+ spawning cmd.exe. By its very nature, many applications spawn cmd.exe natively or
+ built into macros. Much of this will need to be tuned to further enhance the risk.
+data_source:
+- Windows Security 4688
+search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid |
+ eval process_pid = process.pid | eval process_file = process.file | eval process_file_path
+ = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line
+ = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name
+ | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid
+ | eval actor_process_file = actor_process.file | eval actor_process_file_path =
+ actor_process_file.path | eval actor_process_file_name = lower(actor_process_file.name)
+ | eval device_hostname = device.hostname | where actor_process_file_name="powershell.exe"
+ AND process_file_name="cmd.exe" --finding_report--'
+how_to_implement: In order to successfully implement this analytic, you will need
+ endpoint process data from a EDR product or Sysmon. This search has been modified
+ to process raw sysmon data from attack_range's nxlogs on DSP.
+known_false_positives: There are circumstances where an application may legitimately
+ execute and interact with the Windows command-line interface.
+references:
+- https://attack.mitre.org/techniques/T1059/
+tags:
+ analytic_story:
+ - Suspicious Command-Line Executions
+ - Insider Threat
+ asset_type: Endpoint
+ confidence: 50
+ impact: 70
+ mitre_attack_id:
+ - T1059
+ observable:
+ - name: process.pid
+ type: Other
+ - name: process.file.path
+ type: File
+ - name: process.file.name
+ type: File
+ - name: process.cmd_line
+ type: Other
+ - name: actor.user.name
+ type: User Name
+ - name: actor.process.pid
+ type: Other
+ - name: actor.process.file.path
+ type: File Name
+ - name: actor.process.file.name
+ type: File Name
+ - name: device.hostname
+ type: Hostname
+ message: An instance of $parent_process_name$ spawning $process_name$ was identified
+ on endpoint $dest_device_id$ by user $dest_user_id$, producing a suspicious event
+ that warrants investigating.
+ product:
+ - Splunk Behavioral Analytics
+ required_fields:
+ - process.pid
+ - process.file.path
+ - process.file.name
+ - process.cmd_line
+ - actor.user.name
+ - actor.process.pid
+ - actor.process.file.path
+ - actor.process.file.name
+ - device.hostname
+ risk_score: 35
+ security_domain: endpoint
+ mappings:
+ - ocsf: process.pid
+ cim: process_id
+ - ocsf: process.file.path
+ cim: process_path
+ - ocsf: process.file.name
+ cim: process_name
+ - ocsf: process.cmd_line
+ cim: process
+ - ocsf: actor.user.name
+ cim: user
+ - ocsf: actor.process.pid
+ cim: parent_process_id
+ - ocsf: actor.process.file.path
+ cim: parent_process_path
+ - ocsf: actor.process.file.name
+ cim: parent_process_name
+ - ocsf: device.hostname
+ cim: dest
+tests:
+- name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.003/powershell_spawn_cmd/windows-security.log
+ source: WinEventLog:Security
diff --git a/stories/plugx.yml b/stories/plugx.yml
new file mode 100644
index 0000000000..3d2de036d4
--- /dev/null
+++ b/stories/plugx.yml
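Review bot: The `where` clause matches only `actor_process_file_name="powershell.exe"`, so cmd.exe spawned by PowerShell 7 (`pwsh.exe`) or the ISE (`powershell_ise.exe`) is not detected although it is the same behavior; extending the condition to `(actor_process_file_name="powershell.exe" OR actor_process_file_name="pwsh.exe" OR actor_process_file_name="powershell_ise.exe")` closes that gap. As in the sibling detections, `how_to_implement` describes Sysmon data via nxlog on DSP while `data_source` is Windows Security 4688 and the test feeds `windows-security.log`, and the `message` placeholders `$dest_device_id$`/`$dest_user_id$` match neither the `eval`'d fields (`device_hostname`, `actor_user_name`) nor the CIM `dest`/`user` in `mappings`. `known_false_positives` should also state plainly that PowerShell invoking cmd.exe is routine in administrative, packaging and installer scripts, since that is the dominant benign source for this one and the generic sentence currently there gives a tuner nothing to go on.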
@@ -0,0 +1,35 @@
+name: PlugX
+id: a2c94c99-b93b-4bc7-a749-e2198743d0d6
+version: 2
+date: '2023-10-12'
+author: Teoderick Contreras, Splunk
+description: PlugX, also referred to as "PlugX RAT" or "Kaba," is a highly sophisticated remote access Trojan (RAT) discovered in 2012.
+ This malware is notorious for its involvement in targeted cyberattacks, primarily driven by cyber espionage objectives.
+ PlugX provides attackers with comprehensive remote control capabilities over compromised systems,
+ granting them the ability to execute commands, collect sensitive data, and manipulate the infected host.
+narrative: PlugX, known as the "silent infiltrator of the digital realm, is a shadowy figure in the world of cyber threats.
+ This remote access Trojan (RAT), first unveiled in 2012, is not your run-of-the-mill malware.
+ It's the go-to tool for sophisticated hackers with one goal in mind, espionage.
+ PlugX's repertoire of capabilities reads like a spy thriller. It doesn't just breach your defenses;
+ it goes a step further, slipping quietly into your systems, much like a ghost. Once inside,
+ it opens the door to a world of possibilities for cybercriminals. With a few keystrokes,
+ they can access your data, capture your screen, and silently watch your every move.
+ In the hands of skilled hackers, it's a versatile instrument for cyber espionage.
+ This malware thrives on persistence. It's not a one-time hit; it's in it for the long haul.
+ Even if you reboot your system, PlugX remains, ensuring that its grip on your infrastructure doesn't waver.
+references:
+ - https://malpedia.caad.fkie.fraunhofer.de/details/win.plugx
+ - https://blog.sekoia.io/my-teas-not-cold-an-overview-of-china-cyber-threat/
+ - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/carderbee-software-supply-chain-certificate-abuse
+ - https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf
+ - https://www.mandiant.com/resources/blog/infected-usb-steal-secrets
+ - https://attack.mitre.org/software/S0013/
+tags:
+ analytic_story: PlugX
+ category:
+ - Malware
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ usecase: Advanced Threat Detection
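Review bot: The `narrative` opens a double quote at `"silent infiltrator of the digital realm,` that is never closed; inside a plain scalar it still parses, but it reads as a typo and should be closed after `realm`. The rest of the narrative is written in a dramatized voice ("much like a ghost", "reads like a spy thriller") that gives an analyst no concrete tradecraft to pivot on; a few factual sentences on how the implant persists and communicates, drawn from the six references listed below it, would make the story useful alongside the detections that cite it. Since this is a new file, `version: 2` also looks carried over from elsewhere — confirm it is intentional.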