From c23dcc35708f83267f851e33c134eee89a47021e Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Thu, 5 Dec 2024 21:47:08 +0100 Subject: [PATCH 1/6] enhance batch 1 --- detections/endpoint/active_setup_registry_autostart.yml | 2 +- .../endpoint/add_defaultuser_and_password_in_registry.yml | 2 +- .../allow_inbound_traffic_by_firewall_rule_registry.yml | 2 +- .../endpoint/allow_operation_with_consent_admin.yml | 2 +- detections/endpoint/auto_admin_logon_registry_entry.yml | 2 +- detections/endpoint/disable_amsi_through_registry.yml | 2 +- .../endpoint/disable_defender_antivirus_registry.yml | 2 +- .../disable_defender_blockatfirstseen_feature.yml | 2 +- .../endpoint/disable_defender_mpengine_registry.yml | 2 +- detections/endpoint/disable_defender_spynet_reporting.yml | 2 +- .../disable_defender_submit_samples_consent_feature.yml | 2 +- detections/endpoint/disable_etw_through_registry.yml | 2 +- detections/endpoint/disable_registry_tool.yml | 2 +- .../disable_security_logs_using_minint_registry.yml | 2 +- detections/endpoint/disable_show_hidden_files.yml | 2 +- detections/endpoint/disable_uac_remote_restriction.yml | 2 +- detections/endpoint/disable_windows_app_hotkeys.yml | 2 +- .../endpoint/disable_windows_behavior_monitoring.yml | 2 +- .../endpoint/disable_windows_smartscreen_protection.yml | 2 +- detections/endpoint/disabling_cmd_application.yml | 2 +- detections/endpoint/disabling_controlpanel.yml | 2 +- detections/endpoint/disabling_defender_services.yml | 2 +- .../endpoint/disabling_folderoptions_windows_feature.yml | 2 +- detections/endpoint/disabling_norun_windows_app.yml | 2 +- .../endpoint/disabling_remote_user_account_control.yml | 6 +++--- .../endpoint/disabling_systemrestore_in_registry.yml | 2 +- detections/endpoint/disabling_task_manager.yml | 2 +- detections/endpoint/enable_rdp_in_other_port_number.yml | 8 ++++---- .../enable_wdigest_uselogoncredential_registry.yml | 2 +- detections/endpoint/etw_registry_disabled.yml | 2 +- 
.../endpoint/hide_user_account_from_sign_in_screen.yml | 2 +- .../endpoint/monitor_registry_keys_for_print_monitors.yml | 2 +- .../registry_keys_for_creating_shim_databases.yml | 2 +- .../endpoint/registry_keys_used_for_persistence.yml | 6 +++--- .../registry_keys_used_for_privilege_escalation.yml | 2 +- .../endpoint/time_provider_persistence_registry.yml | 2 +- .../windows_defender_exclusion_registry_entry.yml | 2 +- .../windows_disable_change_password_through_registry.yml | 2 +- ..._disable_lock_workstation_feature_through_registry.yml | 2 +- .../windows_disable_logoff_button_through_registry.yml | 2 +- .../endpoint/windows_disable_notification_center.yml | 2 +- .../windows_disable_shutdown_button_through_registry.yml | 2 +- ...ble_windows_group_policy_features_through_registry.yml | 2 +- ...indows_hide_notification_features_through_registry.yml | 2 +- .../windows_modify_registry_delete_firewall_rules.yml | 2 +- ...ows_modify_registry_to_add_or_modify_firewall_rule.yml | 2 +- .../windows_modify_registry_valleyrat_pwn_reg_entry.yml | 2 +- ...s_modify_show_compress_color_and_info_tip_registry.yml | 2 +- detections/endpoint/windows_proxy_via_registry.yml | 2 +- .../windows_registry_bootexecute_modification.yml | 6 +++--- .../windows_service_creation_using_registry_entry.yml | 2 +- 51 files changed, 60 insertions(+), 60 deletions(-) diff --git a/detections/endpoint/active_setup_registry_autostart.yml b/detections/endpoint/active_setup_registry_autostart.yml index 534a1f30a8..e7083402ee 100644 --- a/detections/endpoint/active_setup_registry_autostart.yml +++ b/detections/endpoint/active_setup_registry_autostart.yml 
@@ -17,7 +17,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `security_content_ctime(lastTime)`| `active_setup_registry_autostart_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: Active setup installer may add or modify this registry. references: diff --git a/detections/endpoint/add_defaultuser_and_password_in_registry.yml b/detections/endpoint/add_defaultuser_and_password_in_registry.yml index 30b9e3336e..65a36286bc 100644 --- a/detections/endpoint/add_defaultuser_and_password_in_registry.yml +++ b/detections/endpoint/add_defaultuser_and_password_in_registry.yml @@ -18,7 +18,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `add_defaultuser_and_password_in_registry_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: unknown references: diff --git a/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml b/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml index 8f02b20d8f..403c015cb0 100644 --- a/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml +++ b/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml 
@@ -18,7 +18,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `allow_inbound_traffic_by_firewall_rule_registry_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: network admin may add/remove/modify public inbound firewall rule that may cause this rule to be triggered. diff --git a/detections/endpoint/allow_operation_with_consent_admin.yml b/detections/endpoint/allow_operation_with_consent_admin.yml index b6ffd745f6..aa54b15647 100644 --- a/detections/endpoint/allow_operation_with_consent_admin.yml +++ b/detections/endpoint/allow_operation_with_consent_admin.yml @@ -18,7 +18,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `security_content_ctime(lastTime)` | `allow_operation_with_consent_admin_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: unknown references: diff --git a/detections/endpoint/auto_admin_logon_registry_entry.yml b/detections/endpoint/auto_admin_logon_registry_entry.yml index 33a6b01cd1..62d472b020 100644 --- a/detections/endpoint/auto_admin_logon_registry_entry.yml +++ b/detections/endpoint/auto_admin_logon_registry_entry.yml 
@@ -18,7 +18,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `auto_admin_logon_registry_entry_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: unknown references: diff --git a/detections/endpoint/disable_amsi_through_registry.yml b/detections/endpoint/disable_amsi_through_registry.yml index 2b50f14777..4893d03eae 100644 --- a/detections/endpoint/disable_amsi_through_registry.yml +++ b/detections/endpoint/disable_amsi_through_registry.yml @@ -18,7 +18,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `disable_amsi_through_registry_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: network operator may disable this feature of windows but not so common. diff --git a/detections/endpoint/disable_defender_antivirus_registry.yml b/detections/endpoint/disable_defender_antivirus_registry.yml index bfafad4a51..4a1217a8cf 100644 --- a/detections/endpoint/disable_defender_antivirus_registry.yml +++ b/detections/endpoint/disable_defender_antivirus_registry.yml 
@@ -18,7 +18,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `security_content_ctime(lastTime)` | `disable_defender_antivirus_registry_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: admin or user may choose to disable windows defender product references: diff --git a/detections/endpoint/disable_defender_blockatfirstseen_feature.yml b/detections/endpoint/disable_defender_blockatfirstseen_feature.yml index 55f060c3b2..e1ac4a1c88 100644 --- a/detections/endpoint/disable_defender_blockatfirstseen_feature.yml +++ b/detections/endpoint/disable_defender_blockatfirstseen_feature.yml @@ -25,7 +25,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `disable_defender_blockatfirstseen_feature_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: admin or user may choose to disable windows defender product references: diff --git a/detections/endpoint/disable_defender_mpengine_registry.yml b/detections/endpoint/disable_defender_mpengine_registry.yml index f151e8eb45..eca3d30a03 100644 --- a/detections/endpoint/disable_defender_mpengine_registry.yml +++ b/detections/endpoint/disable_defender_mpengine_registry.yml 
@@ -18,7 +18,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `security_content_ctime(lastTime)` | `disable_defender_mpengine_registry_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: admin or user may choose to disable windows defender product references: diff --git a/detections/endpoint/disable_defender_spynet_reporting.yml b/detections/endpoint/disable_defender_spynet_reporting.yml index 16ab615933..1ae68f6b65 100644 --- a/detections/endpoint/disable_defender_spynet_reporting.yml +++ b/detections/endpoint/disable_defender_spynet_reporting.yml @@ -18,7 +18,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `disable_defender_spynet_reporting_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: admin or user may choose to disable windows defender product references: diff --git a/detections/endpoint/disable_defender_submit_samples_consent_feature.yml b/detections/endpoint/disable_defender_submit_samples_consent_feature.yml index 9beb36e080..42239ed2d4 100644 --- a/detections/endpoint/disable_defender_submit_samples_consent_feature.yml +++ b/detections/endpoint/disable_defender_submit_samples_consent_feature.yml 
@@ -18,7 +18,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `disable_defender_submit_samples_consent_feature_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: admin or user may choose to disable windows defender product references: diff --git a/detections/endpoint/disable_etw_through_registry.yml b/detections/endpoint/disable_etw_through_registry.yml index 99173b1969..9afc7488fe 100644 --- a/detections/endpoint/disable_etw_through_registry.yml +++ b/detections/endpoint/disable_etw_through_registry.yml @@ -17,7 +17,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_etw_through_registry_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: network operator may disable this feature of windows but not so common. diff --git a/detections/endpoint/disable_registry_tool.yml b/detections/endpoint/disable_registry_tool.yml index ce44015574..3a8464cdb4 100644 --- a/detections/endpoint/disable_registry_tool.yml +++ b/detections/endpoint/disable_registry_tool.yml 
@@ -17,7 +17,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_registry_tool_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: admin may disable this application for non technical user. references: diff --git a/detections/endpoint/disable_security_logs_using_minint_registry.yml b/detections/endpoint/disable_security_logs_using_minint_registry.yml index 044bea08b0..3677f618f1 100644 --- a/detections/endpoint/disable_security_logs_using_minint_registry.yml +++ b/detections/endpoint/disable_security_logs_using_minint_registry.yml @@ -17,7 +17,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `disable_security_logs_using_minint_registry_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: Unknown. references: diff --git a/detections/endpoint/disable_show_hidden_files.yml b/detections/endpoint/disable_show_hidden_files.yml index 8bc8ebad53..0b29ec79ac 100644 --- a/detections/endpoint/disable_show_hidden_files.yml +++ b/detections/endpoint/disable_show_hidden_files.yml 
@@ -19,7 +19,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_show_hidden_files_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: unknown references: diff --git a/detections/endpoint/disable_uac_remote_restriction.yml b/detections/endpoint/disable_uac_remote_restriction.yml index 422ca22fbb..ce8baf366f 100644 --- a/detections/endpoint/disable_uac_remote_restriction.yml +++ b/detections/endpoint/disable_uac_remote_restriction.yml @@ -17,7 +17,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_uac_remote_restriction_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: admin may set this policy for non-critical machine. references: diff --git a/detections/endpoint/disable_windows_app_hotkeys.yml b/detections/endpoint/disable_windows_app_hotkeys.yml index a05cc054a0..b37fce8e1f 100644 --- a/detections/endpoint/disable_windows_app_hotkeys.yml +++ b/detections/endpoint/disable_windows_app_hotkeys.yml 
@@ -18,7 +18,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_windows_app_hotkeys_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: unknown references: diff --git a/detections/endpoint/disable_windows_behavior_monitoring.yml b/detections/endpoint/disable_windows_behavior_monitoring.yml index 607f8ee214..b184009dc4 100644 --- a/detections/endpoint/disable_windows_behavior_monitoring.yml +++ b/detections/endpoint/disable_windows_behavior_monitoring.yml @@ -25,7 +25,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `disable_windows_behavior_monitoring_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: admin or user may choose to disable this windows features. references: diff --git a/detections/endpoint/disable_windows_smartscreen_protection.yml b/detections/endpoint/disable_windows_smartscreen_protection.yml index 3a04cd3396..5ea2ff3c05 100644 --- a/detections/endpoint/disable_windows_smartscreen_protection.yml +++ b/detections/endpoint/disable_windows_smartscreen_protection.yml 
@@ -18,7 +18,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `security_content_ctime(lastTime)` | `disable_windows_smartscreen_protection_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: admin or user may choose to disable this windows features. references: diff --git a/detections/endpoint/disabling_cmd_application.yml b/detections/endpoint/disabling_cmd_application.yml index 2f0dbb0419..3142e8ca48 100644 --- a/detections/endpoint/disabling_cmd_application.yml +++ b/detections/endpoint/disabling_cmd_application.yml @@ -17,7 +17,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_cmd_application_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: admin may disable this application for non technical user. references: diff --git a/detections/endpoint/disabling_controlpanel.yml b/detections/endpoint/disabling_controlpanel.yml index 6237d4c19f..13c37c0548 100644 --- a/detections/endpoint/disabling_controlpanel.yml +++ b/detections/endpoint/disabling_controlpanel.yml 
@@ -17,7 +17,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_controlpanel_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: admin may disable this application for non technical user. references: diff --git a/detections/endpoint/disabling_defender_services.yml b/detections/endpoint/disabling_defender_services.yml index 856315d604..1b0ce374a7 100644 --- a/detections/endpoint/disabling_defender_services.yml +++ b/detections/endpoint/disabling_defender_services.yml @@ -19,7 +19,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_defender_services_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: admin or user may choose to disable windows defender product references: diff --git a/detections/endpoint/disabling_folderoptions_windows_feature.yml b/detections/endpoint/disabling_folderoptions_windows_feature.yml index 0f76cee569..72d67f58f7 100644 --- a/detections/endpoint/disabling_folderoptions_windows_feature.yml +++ b/detections/endpoint/disabling_folderoptions_windows_feature.yml 
@@ -17,7 +17,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_folderoptions_windows_feature_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: admin may disable this application for non technical user. references: diff --git a/detections/endpoint/disabling_norun_windows_app.yml b/detections/endpoint/disabling_norun_windows_app.yml index fa9ae7b774..b6e00de585 100644 --- a/detections/endpoint/disabling_norun_windows_app.yml +++ b/detections/endpoint/disabling_norun_windows_app.yml @@ -17,7 +17,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_norun_windows_app_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: admin may disable this application for non technical user. references: diff --git a/detections/endpoint/disabling_remote_user_account_control.yml b/detections/endpoint/disabling_remote_user_account_control.yml index eebf924779..a00bc68678 100644 --- a/detections/endpoint/disabling_remote_user_account_control.yml +++ b/detections/endpoint/disabling_remote_user_account_control.yml 
@@ -1,7 +1,7 @@ name: Disabling Remote User Account Control id: bbc644bc-37df-4e1a-9c88-ec9a53e2038c -version: 6 -date: '2024-09-30' +version: 7 +date: '2024-12-03' author: David Dorsey, Patrick Bareiss, Splunk status: production type: TTP @@ -9,7 +9,7 @@ description: The following analytic identifies modifications to the registry key data_source: - Sysmon EventID 12 - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path=*HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA* Registry.registry_value_data="0x00000000" by Registry.dest, Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action | `drop_dm_object_name(Registry)` | `disabling_remote_user_account_control_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path=*\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA* Registry.registry_value_data="0x00000000" by Registry.dest, Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action | `drop_dm_object_name(Registry)` | `disabling_remote_user_account_control_filter`' how_to_implement: To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or via other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report registry modifications. known_false_positives: This registry key may be modified via administrators to implement a change in system policy. This type of change should be a very rare occurrence. references: [] 
diff --git a/detections/endpoint/disabling_systemrestore_in_registry.yml b/detections/endpoint/disabling_systemrestore_in_registry.yml index 233bd12167..af2863335c 100644 --- a/detections/endpoint/disabling_systemrestore_in_registry.yml +++ b/detections/endpoint/disabling_systemrestore_in_registry.yml @@ -20,7 +20,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_systemrestore_in_registry_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: in some cases admin can disable systemrestore on a machine. references: diff --git a/detections/endpoint/disabling_task_manager.yml b/detections/endpoint/disabling_task_manager.yml index b2b0870715..28de788486 100644 --- a/detections/endpoint/disabling_task_manager.yml +++ b/detections/endpoint/disabling_task_manager.yml @@ -17,7 +17,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_task_manager_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: admin may disable this application for non technical user. references: 
diff --git a/detections/endpoint/enable_rdp_in_other_port_number.yml b/detections/endpoint/enable_rdp_in_other_port_number.yml index 516b432328..f807d52480 100644 --- a/detections/endpoint/enable_rdp_in_other_port_number.yml +++ b/detections/endpoint/enable_rdp_in_other_port_number.yml @@ -1,7 +1,7 @@ name: Enable RDP In Other Port Number id: 99495452-b899-11eb-96dc-acde48001122 -version: 7 -date: '2024-11-14' +version: 8 +date: '2024-12-03' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP @@ -10,14 +10,14 @@ data_source: - Sysmon EventID 12 - Sysmon EventID 13 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry - WHERE (Registry.registry_path="*HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal + WHERE (Registry.registry_path="*\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp*" Registry.registry_value_name = "PortNumber") BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `enable_rdp_in_other_port_number_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: unknown references: diff --git a/detections/endpoint/enable_wdigest_uselogoncredential_registry.yml b/detections/endpoint/enable_wdigest_uselogoncredential_registry.yml index 1dc8fb11b0..13aaef7d57 100644 
--- a/detections/endpoint/enable_wdigest_uselogoncredential_registry.yml +++ b/detections/endpoint/enable_wdigest_uselogoncredential_registry.yml @@ -18,7 +18,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `security_content_ctime(lastTime)` | `enable_wdigest_uselogoncredential_registry_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: unknown references: diff --git a/detections/endpoint/etw_registry_disabled.yml b/detections/endpoint/etw_registry_disabled.yml index 634d70a037..2696140f32 100644 --- a/detections/endpoint/etw_registry_disabled.yml +++ b/detections/endpoint/etw_registry_disabled.yml @@ -18,7 +18,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `etw_registry_disabled_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: unknown references: diff --git a/detections/endpoint/hide_user_account_from_sign_in_screen.yml b/detections/endpoint/hide_user_account_from_sign_in_screen.yml index 446a70d1fe..cedde8ad98 100644 --- a/detections/endpoint/hide_user_account_from_sign_in_screen.yml +++ b/detections/endpoint/hide_user_account_from_sign_in_screen.yml 
@@ -18,7 +18,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `hide_user_account_from_sign_in_screen_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: Unknown. Filter as needed. references: diff --git a/detections/endpoint/monitor_registry_keys_for_print_monitors.yml b/detections/endpoint/monitor_registry_keys_for_print_monitors.yml index f88eacec48..1379d8b646 100644 --- a/detections/endpoint/monitor_registry_keys_for_print_monitors.yml +++ b/detections/endpoint/monitor_registry_keys_for_print_monitors.yml @@ -17,7 +17,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `monitor_registry_keys_for_print_monitors_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: You will encounter noise from legitimate print-monitor registry entries. diff --git a/detections/endpoint/registry_keys_for_creating_shim_databases.yml b/detections/endpoint/registry_keys_for_creating_shim_databases.yml index cfc8bf66dc..788fe47757 100644 --- a/detections/endpoint/registry_keys_for_creating_shim_databases.yml +++ b/detections/endpoint/registry_keys_for_creating_shim_databases.yml 
@@ -17,7 +17,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `security_content_ctime(lastTime)` | `registry_keys_for_creating_shim_databases_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: There are many legitimate applications that leverage shim databases for compatibility purposes for legacy applications diff --git a/detections/endpoint/registry_keys_used_for_persistence.yml b/detections/endpoint/registry_keys_used_for_persistence.yml index 7d91a58b07..2fa9ec64b9 100644 --- a/detections/endpoint/registry_keys_used_for_persistence.yml +++ b/detections/endpoint/registry_keys_used_for_persistence.yml @@ -1,7 +1,7 @@ name: Registry Keys Used For Persistence id: f5f6af30-7aa7-4295-bfe9-07fe87c01a4b -version: 11 -date: '2024-09-30' +version: 12 +date: '2024-12-03' author: Jose Hernandez, David Dorsey, Teoderick Contreras, Rod Soto, Splunk status: production type: TTP 
@@ -9,7 +9,7 @@ description: The following analytic identifies modifications to registry keys co data_source: - Sysmon EventID 12 - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path=*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce OR Registry.registry_path=*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run OR Registry.registry_path= "*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\*" OR Registry.registry_path= "*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\*" OR Registry.registry_path=*\\currentversion\\run* OR Registry.registry_path=*\\currentVersion\\Windows\\Appinit_Dlls* OR Registry.registry_path=*\\CurrentVersion\\Winlogon\\Shell* OR Registry.registry_path=*\\CurrentVersion\\Winlogon\\Notify* OR Registry.registry_path=*\\CurrentVersion\\Winlogon\\Userinit* OR Registry.registry_path=*\\CurrentVersion\\Winlogon\\VmApplet* OR Registry.registry_path=*\\currentversion\\policies\\explorer\\run* OR Registry.registry_path=*\\currentversion\\runservices* OR Registry.registry_path=HKLM\\SOFTWARE\\Microsoft\\Netsh\\* OR Registry.registry_path= "*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Common Startup" OR Registry.registry_path= *\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SharedTaskScheduler OR Registry.registry_path= *\\Classes\\htmlfile\\shell\\open\\command OR (Registry.registry_path="*Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options*" AND Registry.registry_key_name=Debugger) OR (Registry.registry_path="*\\CurrentControlSet\\Control\\Lsa" AND Registry.registry_key_name="Security Packages") OR (Registry.registry_path="*\\CurrentControlSet\\Control\\Lsa\\OSConfig" AND Registry.registry_key_name="Security Packages") OR (Registry.registry_path="*\\Microsoft\\Windows 
NT\\CurrentVersion\\SilentProcessExit\\*") OR (Registry.registry_path="*currentVersion\\Windows" AND Registry.registry_key_name="Load") OR (Registry.registry_path="*\\CurrentVersion" AND Registry.registry_key_name="Svchost") OR (Registry.registry_path="*\\CurrentControlSet\Control\Session Manager"AND Registry.registry_key_name="BootExecute") OR (Registry.registry_path="*\\Software\\Run" AND Registry.registry_key_name="auto_update")) by Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `registry_keys_used_for_persistence_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path=*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce OR Registry.registry_path=*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run OR Registry.registry_path= "*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\*" OR Registry.registry_path= "*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\*" OR Registry.registry_path=*\\currentversion\\run* OR Registry.registry_path=*\\currentVersion\\Windows\\Appinit_Dlls* OR Registry.registry_path=*\\CurrentVersion\\Winlogon\\Shell* OR Registry.registry_path=*\\CurrentVersion\\Winlogon\\Notify* OR Registry.registry_path=*\\CurrentVersion\\Winlogon\\Userinit* OR Registry.registry_path=*\\CurrentVersion\\Winlogon\\VmApplet* OR Registry.registry_path=*\\currentversion\\policies\\explorer\\run* OR Registry.registry_path=*\\currentversion\\runservices* OR Registry.registry_path=*\\SOFTWARE\\Microsoft\\Netsh\\* OR Registry.registry_path= "*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Common Startup" OR 
Registry.registry_path= *\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SharedTaskScheduler OR Registry.registry_path= *\\Classes\\htmlfile\\shell\\open\\command OR (Registry.registry_path="*Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options*" AND Registry.registry_key_name=Debugger) OR (Registry.registry_path="*\\CurrentControlSet\\Control\\Lsa" AND Registry.registry_key_name="Security Packages") OR (Registry.registry_path="*\\CurrentControlSet\\Control\\Lsa\\OSConfig" AND Registry.registry_key_name="Security Packages") OR (Registry.registry_path="*\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\*") OR (Registry.registry_path="*currentVersion\\Windows" AND Registry.registry_key_name="Load") OR (Registry.registry_path="*\\CurrentVersion" AND Registry.registry_key_name="Svchost") OR (Registry.registry_path="*\\CurrentControlSet\Control\Session Manager"AND Registry.registry_key_name="BootExecute") OR (Registry.registry_path="*\\Software\\Run" AND Registry.registry_key_name="auto_update")) by Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `registry_keys_used_for_persistence_filter`' how_to_implement: To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry. known_false_positives: There are many legitimate applications that must execute on system startup and will use these registry keys to accomplish that task. references: [] 
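Review bot: the rewritten `search:` line in registry_keys_used_for_persistence.yml still carries `"*\\CurrentControlSet\Control\Session Manager"AND Registry.registry_key_name="BootExecute"` with single backslashes and no space before `AND`, unlike every other path in the clause; since the whole line is being replaced anyway, change it to `"*\\CurrentControlSet\\Control\\Session Manager" AND Registry.registry_key_name="BootExecute"` so the Session Manager branch is written the same way the others are and cannot silently fail to match. The `HKLM\\SOFTWARE\\Microsoft\\Netsh\\*` to `*\\SOFTWARE\\Microsoft\\Netsh\\*` change itself looks right and brings that branch in line with the other hive-agnostic prefixes.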
diff --git a/detections/endpoint/registry_keys_used_for_privilege_escalation.yml b/detections/endpoint/registry_keys_used_for_privilege_escalation.yml index d6f9e746bf..5bd326c36f 100644 --- a/detections/endpoint/registry_keys_used_for_privilege_escalation.yml +++ b/detections/endpoint/registry_keys_used_for_privilege_escalation.yml @@ -18,7 +18,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `security_content_ctime(lastTime)` | `registry_keys_used_for_privilege_escalation_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: There are many legitimate applications that must execute upon system startup and will use these registry keys to accomplish that task. diff --git a/detections/endpoint/time_provider_persistence_registry.yml b/detections/endpoint/time_provider_persistence_registry.yml index 69d6461b29..4d869ca9a5 100644 --- a/detections/endpoint/time_provider_persistence_registry.yml +++ b/detections/endpoint/time_provider_persistence_registry.yml @@ -17,7 +17,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `time_provider_persistence_registry_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: unknown references: 
diff --git a/detections/endpoint/windows_defender_exclusion_registry_entry.yml b/detections/endpoint/windows_defender_exclusion_registry_entry.yml index b3da3d6a8e..338fd0d8fd 100644 --- a/detections/endpoint/windows_defender_exclusion_registry_entry.yml +++ b/detections/endpoint/windows_defender_exclusion_registry_entry.yml @@ -17,7 +17,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `security_content_ctime(lastTime)` | `windows_defender_exclusion_registry_entry_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: admin or user may choose to use this windows features. references: diff --git a/detections/endpoint/windows_disable_change_password_through_registry.yml b/detections/endpoint/windows_disable_change_password_through_registry.yml index cef11e2561..bcf1ea2232 100644 --- a/detections/endpoint/windows_disable_change_password_through_registry.yml +++ b/detections/endpoint/windows_disable_change_password_through_registry.yml 
@@ -17,7 +17,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_change_password_through_registry_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: This windows feature may implemented by administrator to prevent normal user to change the password of a critical host or server, In this type of diff --git a/detections/endpoint/windows_disable_lock_workstation_feature_through_registry.yml b/detections/endpoint/windows_disable_lock_workstation_feature_through_registry.yml index d67110ba37..0e238b5edb 100644 --- a/detections/endpoint/windows_disable_lock_workstation_feature_through_registry.yml +++ b/detections/endpoint/windows_disable_lock_workstation_feature_through_registry.yml @@ -17,7 +17,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_lock_workstation_feature_through_registry_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: unknown references: 
diff --git a/detections/endpoint/windows_disable_logoff_button_through_registry.yml b/detections/endpoint/windows_disable_logoff_button_through_registry.yml index f4548b9bd6..919f4d86eb 100644 --- a/detections/endpoint/windows_disable_logoff_button_through_registry.yml +++ b/detections/endpoint/windows_disable_logoff_button_through_registry.yml @@ -18,7 +18,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_logoff_button_through_registry_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: This windows feature may implement by administrator in some server where shutdown is critical. In that scenario filter of machine and users diff --git a/detections/endpoint/windows_disable_notification_center.yml b/detections/endpoint/windows_disable_notification_center.yml index 6553bb5456..3f91ba6e3e 100644 --- a/detections/endpoint/windows_disable_notification_center.yml +++ b/detections/endpoint/windows_disable_notification_center.yml 
@@ -17,7 +17,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_notification_center_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: admin or user may choose to disable this windows features. references: diff --git a/detections/endpoint/windows_disable_shutdown_button_through_registry.yml b/detections/endpoint/windows_disable_shutdown_button_through_registry.yml index 92afa88d17..80ec58a860 100644 --- a/detections/endpoint/windows_disable_shutdown_button_through_registry.yml +++ b/detections/endpoint/windows_disable_shutdown_button_through_registry.yml @@ -18,7 +18,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_shutdown_button_through_registry_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: This windows feature may implement by administrator in some server where shutdown is critical. In that scenario filter of machine and users 
diff --git a/detections/endpoint/windows_disable_windows_group_policy_features_through_registry.yml b/detections/endpoint/windows_disable_windows_group_policy_features_through_registry.yml index be4a054e3e..5e01fa4eec 100644 --- a/detections/endpoint/windows_disable_windows_group_policy_features_through_registry.yml +++ b/detections/endpoint/windows_disable_windows_group_policy_features_through_registry.yml 
@@ -10,7 +10,7 @@ data_source: - Sysmon EventID 12 - Sysmon EventID 13 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\*" OR Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\*" Registry.registry_value_name IN ("NoDesktop", "NoFind", "NoControlPanel", "NoFileMenu", "NoSetTaskbar", "NoTrayContextMenu", "TaskbarLockAll", "NoThemesTab","NoPropertiesMyDocuments","NoVisualStyleChoice","NoColorChoice","NoPropertiesMyDocuments") Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_windows_group_policy_features_through_registry_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 +how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: Disabling these features for legitimate purposes is not a common use case but can still be implemented by the administrators. Filter as needed. references: - https://hybrid-analysis.com/sample/ef1c427394c205580576d18ba68d5911089c7da0386f19d1ca126929d3e671ab?environmentId=120&lang=en 
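Review bot: in the windows_disable_windows_group_policy_features_through_registry.yml hunk the tstats only computes `count` and groups `BY _time span=1h`, yet the pipeline then calls `security_content_ctime(firstTime)` and `security_content_ctime(lastTime)` on fields that are never produced; either add `min(_time) as firstTime max(_time) as lastTime` to the tstats or drop the two macros. While touching this file, `"NoPropertiesMyDocuments"` appears twice in the `IN (...)` list, and the two `Registry.registry_path` alternatives are not grouped in their own parentheses, so whether the `registry_value_name` and `registry_value_data` conditions apply to both paths depends on SPL's OR/AND precedence rather than being explicit; wrapping the two path alternatives in `( ... )` removes the ambiguity.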
diff --git a/detections/endpoint/windows_hide_notification_features_through_registry.yml b/detections/endpoint/windows_hide_notification_features_through_registry.yml index aae8aacdbe..9587dd35ca 100644 --- a/detections/endpoint/windows_hide_notification_features_through_registry.yml +++ b/detections/endpoint/windows_hide_notification_features_through_registry.yml @@ -19,7 +19,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `windows_hide_notification_features_through_registry_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: unknown references: diff --git a/detections/endpoint/windows_modify_registry_delete_firewall_rules.yml b/detections/endpoint/windows_modify_registry_delete_firewall_rules.yml index 4e6cf4097a..d45f51c82c 100644 --- a/detections/endpoint/windows_modify_registry_delete_firewall_rules.yml +++ b/detections/endpoint/windows_modify_registry_delete_firewall_rules.yml 
@@ -9,7 +9,7 @@ type: TTP status: production description: The following analytic detects a potential deletion of firewall rules, indicating a possible security breach or unauthorized access attempt. It identifies actions where firewall rules are removed using commands like netsh advfirewall firewall delete rule, which can expose the network to external threats by disabling critical security measures. Monitoring these activities helps maintain network integrity and prevent malicious attacks. search: '`sysmon` EventCode=12 TargetObject = "*\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\*" EventType=DeleteValue | rename Computer as dest | rename User as user | stats count min(_time) as firstTime max(_time) as lastTime by EventCode EventType TargetObject Image user dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_delete_firewall_rules_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 +how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: network admin may add/remove/modify public inbound firewall rule that may cause this rule to be triggered. references: - https://www.bleepingcomputer.com/news/security/new-shrinklocker-ransomware-uses-bitlocker-to-encrypt-your-files/ 
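Review bot: the how_to_implement text being edited in windows_modify_registry_delete_firewall_rules.yml says "If you are using Sysmon" as if Sysmon were one option, but the search is built on the `sysmon` macro with `EventCode=12`, `EventType=DeleteValue` and raw Sysmon field names (`TargetObject`, `Image`, `Computer`, `User`), so Sysmon and the TA's field naming are a hard requirement for this analytic, not an alternative; it also talks about registry value data, which a DeleteValue-based search never inspects. Since this line is already being rewritten for the typo, reword it to state the Sysmon EventID 12 dependency plainly.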
diff --git a/detections/endpoint/windows_modify_registry_to_add_or_modify_firewall_rule.yml b/detections/endpoint/windows_modify_registry_to_add_or_modify_firewall_rule.yml index d4aa798e53..14328401cd 100644 --- a/detections/endpoint/windows_modify_registry_to_add_or_modify_firewall_rule.yml +++ b/detections/endpoint/windows_modify_registry_to_add_or_modify_firewall_rule.yml @@ -23,7 +23,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `windows_modify_registry_to_add_or_modify_firewall_rule_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: network admin may add/remove/modify public inbound firewall rule that may cause this rule to be triggered. diff --git a/detections/endpoint/windows_modify_registry_valleyrat_pwn_reg_entry.yml b/detections/endpoint/windows_modify_registry_valleyrat_pwn_reg_entry.yml index f6c41c2dc2..5df8daf916 100644 --- a/detections/endpoint/windows_modify_registry_valleyrat_pwn_reg_entry.yml +++ b/detections/endpoint/windows_modify_registry_valleyrat_pwn_reg_entry.yml 
@@ -9,7 +9,7 @@ type: TTP status: production description: The following analytic detects modifications to the Windows Registry specifically targeting `.pwn` file associations related to the ValleyRAT malware. ValleyRAT may create or alter registry entries to associate `.pwn` files with malicious processes, allowing it to execute harmful scripts or commands when these files are opened. By monitoring for unusual changes in registry keys linked to `.pwn` extensions, this detection enables security analysts to identify potential ValleyRAT infection attempts. Early detection of these modifications helps mitigate unauthorized execution and prevents further exploitation of the system. search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*.pwn\\Shell\\Open\\command" OR Registry.registry_value_data = ".pwn") BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_valleyrat_pwn_reg_entry_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 +how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: unknown references: - https://www.proofpoint.com/us/blog/threat-insight/chinese-malware-appears-earnest-across-cybercrime-threat-landscape 
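Review bot: the same missing-field problem as in the group policy analytic applies to the windows_modify_registry_valleyrat_pwn_reg_entry.yml hunk: the tstats computes only `count`, but the search then applies `security_content_ctime(firstTime)` and `security_content_ctime(lastTime)`, so both macros operate on fields that do not exist in the result set; add `min(_time) as firstTime max(_time) as lastTime` to the tstats so the analyst gets a real first/last seen time, or remove the two macro calls.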
diff --git a/detections/endpoint/windows_modify_show_compress_color_and_info_tip_registry.yml b/detections/endpoint/windows_modify_show_compress_color_and_info_tip_registry.yml index efb694a8b2..9b594a02bd 100644 --- a/detections/endpoint/windows_modify_show_compress_color_and_info_tip_registry.yml +++ b/detections/endpoint/windows_modify_show_compress_color_and_info_tip_registry.yml @@ -18,7 +18,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `windows_modify_show_compress_color_and_info_tip_registry_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: unknown references: diff --git a/detections/endpoint/windows_proxy_via_registry.yml b/detections/endpoint/windows_proxy_via_registry.yml index b55bf70c4a..3fcee796e5 100644 --- a/detections/endpoint/windows_proxy_via_registry.yml +++ b/detections/endpoint/windows_proxy_via_registry.yml 
@@ -10,7 +10,7 @@ data_source: - Sysmon EventID 13 description: The following analytic detects the modification of registry keys related to the Windows Proxy settings via netsh.exe. It leverages data from the Endpoint.Registry data model, focusing on changes to the registry path "*\\System\\CurrentControlSet\\Services\\PortProxy\\v4tov4\\tcp*". This activity is significant because netsh.exe can be used to establish a persistent proxy, potentially allowing an attacker to execute a helper DLL whenever netsh.exe runs. If confirmed malicious, this could enable the attacker to maintain persistence, manipulate network configurations, and potentially exfiltrate data or further compromise the system. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path ="*\\System\\CurrentControlSet\\Services\\PortProxy\\v4tov4\\tcp*" by Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.action Registry.dest Registry.user | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `windows_proxy_via_registry_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 +how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. 
https://splunkbase.splunk.com/app/5709 known_false_positives: unknown references: - https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/ diff --git a/detections/endpoint/windows_registry_bootexecute_modification.yml b/detections/endpoint/windows_registry_bootexecute_modification.yml index 54110da946..12bec8b289 100644 --- a/detections/endpoint/windows_registry_bootexecute_modification.yml +++ b/detections/endpoint/windows_registry_bootexecute_modification.yml @@ -1,7 +1,7 @@ name: Windows Registry BootExecute Modification id: eabbac3a-45aa-4659-920f-6b8cff383fb8 -version: 4 -date: '2024-11-14' +version: 5 +date: '2024-12-03' author: Michael Haag, Teoderick Contreras, Splunk status: production type: TTP @@ -17,7 +17,7 @@ description: The following analytic detects modifications to the BootExecute reg confirmed malicious, this could allow an attacker to maintain persistence, execute arbitrary code at boot, or disrupt system operations. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry - WHERE Registry.registry_path="HKLM\\System\\CurrentControlSet\\Control\\Session + WHERE Registry.registry_path="*\\System\\CurrentControlSet\\Control\\Session Manager\\BootExecute" BY Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid, Registry.action | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) diff --git a/detections/endpoint/windows_service_creation_using_registry_entry.yml b/detections/endpoint/windows_service_creation_using_registry_entry.yml index ae49992523..3a77446722 100644 --- a/detections/endpoint/windows_service_creation_using_registry_entry.yml +++ b/detections/endpoint/windows_service_creation_using_registry_entry.yml 
@@ -17,7 +17,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_creation_using_registry_entry_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: Third party tools may used this technique to create services but not so common. From d1752d5535b19b1299eb0e7dbba47b063a52991f Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali Date: Sun, 8 Dec 2024 01:19:37 +0100 Subject: [PATCH 2/6] additional updates and new analytic --- .../endpoint/lolbas_with_network_traffic.yml | 10 +-- ...ws_certutil_download_with_url_argument.yml | 85 +++++++++++++++++++ .../windows_sql_spawning_certutil.yml | 6 +- 3 files changed, 93 insertions(+), 8 deletions(-) create mode 100644 detections/endpoint/windows_certutil_download_with_url_argument.yml diff --git a/detections/endpoint/lolbas_with_network_traffic.yml b/detections/endpoint/lolbas_with_network_traffic.yml index 945c47dd7f..392d16e309 100644 --- a/detections/endpoint/lolbas_with_network_traffic.yml +++ b/detections/endpoint/lolbas_with_network_traffic.yml 
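Review bot: the known_false_positives context line in this hunk, "Third party tools may used this technique to create services but not so common.", is ungrammatical; since this hunk is already a typo fix, suggest "Third-party tools may use this technique to create services, but this is not common."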
@@ -1,16 +1,16 @@ name: LOLBAS With Network Traffic id: 2820f032-19eb-497e-8642-25b04a880359 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-12-07' author: Steven Dick status: production type: TTP description: The following analytic identifies the use of Living Off the Land Binaries and Scripts (LOLBAS) with network traffic. It leverages data from the Network Traffic data model to detect when native Windows binaries, often abused by adversaries, initiate network connections. This activity is significant as LOLBAS are frequently used to download malicious payloads, enabling lateral movement, command-and-control, or data exfiltration. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment, posing a severe threat to organizational security. data_source: - Sysmon EventID 3 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic.All_Traffic where (All_Traffic.app IN ("*Regsvcs.exe", "*\\Ftp.exe", "*OfflineScannerShell.exe", "*Rasautou.exe", "*Schtasks.exe", "*Xwizard.exe", "*Pnputil.exe", "*Atbroker.exe", "*Pcwrun.exe", "*Ttdinject.exe", "*Mshta.exe", "*Bitsadmin.exe", "*Certoc.exe", "*Ieexec.exe", "*Microsoft.Workflow.Compiler.exe", "*Runscripthelper.exe", "*Forfiles.exe", "*Msbuild.exe", "*Register-cimprovider.exe", "*Tttracer.exe", "*Ie4uinit.exe", "*Bash.exe", "*Hh.exe", "*SettingSyncHost.exe", "*Cmstp.exe", "*Stordiag.exe", "*Scriptrunner.exe", "*Odbcconf.exe", "*Extexport.exe", "*Msdt.exe", "*WorkFolders.exe", "*Diskshadow.exe", "*Mavinject.exe", "*Regasm.exe", "*Gpscript.exe", "*Regsvr32.exe", "*Msiexec.exe", "*Wuauclt.exe", "*Presentationhost.exe", "*Wmic.exe", "*Runonce.exe", "*Syncappvpublishingserver.exe", "*Verclsid.exe", "*Infdefaultinstall.exe", "*Installutil.exe", "*Netsh.exe", "*Wab.exe", "*Dnscmd.exe", "*\\At.exe", "*Pcalua.exe", "*Msconfig.exe", "*makecab.exe", 
"*cscript.exe", "*notepad.exe", "*\\cmd.exe", "*certutil.exe", "*\\powershell.exe", "*powershell_ise.exe")) by All_Traffic.app,All_Traffic.src,All_Traffic.src_ip,All_Traffic.user,All_Traffic.dest,All_Traffic.dest_ip | `drop_dm_object_name(All_Traffic)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rex field=app ".*\\\(?.*)$" | rename app as process | `lolbas_with_network_traffic_filter`' -how_to_implement: To successfully implement this detection you must ingest events into the Network traffic data model that contain the source, destination, and communicating process in the app feild. Relevant processes must also be ingested in the Endpoint data model with matching process_id feild. Sysmon EID1 and EID3 are good examples of this type this data type. -known_false_positives: Legitmate usage of internal automation or scripting, espically powershell.exe internal to internal or logon scripts. It may be necessary to omit internal IP ranges if extremely noisy. ie NOT dest_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16","170.98.0.0/16","0:0:0:0:0:0:0:1") +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic.All_Traffic where (All_Traffic.app IN ("*Regsvcs.exe", "*\\Ftp.exe", "*OfflineScannerShell.exe", "*Rasautou.exe", "*Schtasks.exe", "*Xwizard.exe", "*Pnputil.exe", "*Atbroker.exe", "*Pcwrun.exe", "*Ttdinject.exe", "*Mshta.exe", "*Bitsadmin.exe", "*Certoc.exe", "*Ieexec.exe", "*Microsoft.Workflow.Compiler.exe", "*Runscripthelper.exe", "*Forfiles.exe", "*Msbuild.exe", "*Register-cimprovider.exe", "*Tttracer.exe", "*Ie4uinit.exe", "*Bash.exe", "*Hh.exe", "*SettingSyncHost.exe", "*Cmstp.exe", "*Stordiag.exe", "*Scriptrunner.exe", "*Odbcconf.exe", "*Extexport.exe", "*Msdt.exe", "*WorkFolders.exe", "*Diskshadow.exe", "*Mavinject.exe", "*Regasm.exe", "*Gpscript.exe", "*Regsvr32.exe", "*Msiexec.exe", "*Wuauclt.exe", "*Presentationhost.exe", "*Wmic.exe", 
"*Runonce.exe", "*Syncappvpublishingserver.exe", "*Verclsid.exe", "*Infdefaultinstall.exe", "*Installutil.exe", "*Netsh.exe", "*Wab.exe", "*Dnscmd.exe", "*\\At.exe", "*Pcalua.exe", "*Msconfig.exe", "*makecab.exe", "*cscript.exe", "*notepad.exe", "*\\cmd.exe", "*certutil.exe", "*\\powershell.exe", "*powershell_ise.exe", "*\\pwsh.exe")) by All_Traffic.app,All_Traffic.src,All_Traffic.src_ip,All_Traffic.user,All_Traffic.dest,All_Traffic.dest_ip | `drop_dm_object_name(All_Traffic)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rex field=app ".*\\\(?.*)$" | rename app as process | `lolbas_with_network_traffic_filter`' +how_to_implement: To successfully implement this detection you must ingest events into the Network traffic data model that contain the source, destination, and communicating process in the app field. Relevant processes must also be ingested in the Endpoint data model with matching process_id field. Sysmon EID1 and EID3 are good examples of this type this data type. +known_false_positives: Legitimate usage of internal automation or scripting, especially powershell.exe or pwsh.exe, internal to internal or logon scripts. It may be necessary to omit internal IP ranges if extremely noisy. ie NOT dest_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16","170.98.0.0/16","0:0:0:0:0:0:0:1") references: - https://lolbas-project.github.io/# - https://www.sans.org/presentations/lolbin-detection-methods-seven-common-attacks-revealed/ diff --git a/detections/endpoint/windows_certutil_download_with_url_argument.yml b/detections/endpoint/windows_certutil_download_with_url_argument.yml new file mode 100644 index 0000000000..7ae9749bec --- /dev/null +++ b/detections/endpoint/windows_certutil_download_with_url_argument.yml 
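Review bot: the rewritten how_to_implement line still carries the garbled phrase "are good examples of this type this data type"; suggest "are good examples of this data type". In known_false_positives, the example exclusion `NOT dest_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16","170.98.0.0/16","0:0:0:0:0:0:0:1")` lists 170.98.0.0/16 alongside the RFC 1918 ranges, but that block is not private address space; either remove it or label it as an organization-specific placeholder, and consider adding 127.0.0.0/8 since the IPv6 loopback is already there. Adding "*\\pwsh.exe" to the list is the right call and justifies the version bump.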
@@ -0,0 +1,85 @@ +name: Windows CertUtil Download With URL Argument +id: 4fc5ca00-4c7c-46b3-8772-c98a4b8bd944 +version: 1 +date: '2024-12-08' +author: Nasreddine Bencherchali, Splunk +status: production +type: TTP +description: The following analytic detects the use of `certutil.exe` to download files using the `-URL` arguments. This behavior is identified by monitoring command-line executions for these specific arguments via Endpoint Detection and Response (EDR) telemetry. This activity is significant because `certutil.exe` is a legitimate tool often abused by attackers to download and execute malicious payloads. If confirmed malicious, this could allow an attacker to download and execute arbitrary files, potentially leading to code execution, data exfiltration, or further compromise of the system. +data_source: +- Sysmon EventID 1 +- Windows Event Log Security 4688 +- CrowdStrike ProcessRollup2 +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil` (Processes.process="*-URL *" OR Processes.process="*/URL *") by Processes.dest Processes.user Processes.original_file_name Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_certutil_download_with_url_argument_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. 
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: Limited false positives in most environments, however tune as needed based on parent-child relationship or network connection. +references: +- https://attack.mitre.org/techniques/T1105/ +- https://www.hexacorn.com/blog/2020/08/23/certutil-one-more-gui-lolbin/ +drilldown_searches: +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +tags: + analytic_story: + - Living Off The Land + - Ingress Tool Transfer + asset_type: Endpoint + confidence: 100 + impact: 90 + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting to download a file. 
+ mitre_attack_id: + - T1105 + observable: + - name: user + type: User + role: + - Victim + - name: dest + type: Hostname + role: + - Victim + - name: parent_process_name + type: Process + role: + - Attacker + - name: process_name + type: Process + role: + - Attacker + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - Processes.dest + - Processes.user + - Processes.parent_process_name + - Processes.parent_process + - Processes.original_file_name + - Processes.process_name + - Processes.process + - Processes.process_id + - Processes.parent_process_path + - Processes.process_path + - Processes.parent_process_id + risk_score: 90 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/windows-sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_sql_spawning_certutil.yml b/detections/endpoint/windows_sql_spawning_certutil.yml index ce2594020a..90317c4a6a 100644 --- a/detections/endpoint/windows_sql_spawning_certutil.yml +++ b/detections/endpoint/windows_sql_spawning_certutil.yml @@ -1,7 +1,7 @@ name: Windows SQL Spawning CertUtil id: dfc18a5a-946e-44ee-a373-c0f60d06e676 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-12-07' author: Michael Haag, Splunk status: experimental type: TTP 
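Review bot: required_fields in this new file lists Processes.parent_process_path and Processes.process_path, neither of which appears in the search's BY clause, so either add them to the BY clause or drop them from required_fields so the two stay consistent. Smaller points: the description says "using the `-URL` arguments" (singular argument); and the `"*-URL *"` / `"*/URL *"` patterns rely on the trailing space to exclude `-urlcache`, which is intentional and worth a one-line comment in the description or how_to_implement so the next editor does not "fix" it. Confirm the tstats WHERE match is case-insensitive in your deployment, since certutil accepts the switch in any letter case.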
@@ -10,7 +10,7 @@ data_source: - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 description: The following analytic detects the use of certutil to download software, specifically when spawned by SQL-related processes. This detection leverages Endpoint Detection and Response (EDR) data, focusing on command-line executions involving certutil with parameters like *urlcache* and *split*. This activity is significant as it may indicate a compromise by threat actors, such as Flax Typhoon, who use certutil to establish persistent VPN connections. If confirmed malicious, this behavior could allow attackers to maintain access, monitor system availability, and potentially escalate to data theft or ransomware deployment. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("sqlservr.exe", "sqlagent.exe", "sqlps.exe", "launchpad.exe", "sqldumper.exe") `process_certutil` (Processes.process=*urlcache* Processes.process=*split*) OR Processes.process=*urlcache* by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.original_file_name Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_sql_spawning_certutil_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("sqlservr.exe", "sqlagent.exe", "sqlps.exe", "launchpad.exe", "sqldumper.exe") `process_certutil` (Processes.process="*urlcache*" OR Processes.process="*verifyctl*") by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.original_file_name 
Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_sql_spawning_certutil_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: The occurrence of false positives should be minimal, given that the SQL agent does not typically download software using CertUtil. references: From cea3aeee817a1b6e8b2b33e59dc441861b18e0ed Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali Date: Sun, 8 Dec 2024 18:39:47 +0100 Subject: [PATCH 3/6] add new analytic related to COMPlus_ETWEnabled --- ...f_shadow_copy_with_wmic_and_powershell.yml | 4 +- detections/endpoint/etw_registry_disabled.yml | 8 +-- ...y_dotnet_etw_disabled_via_env_variable.yml | 66 +++++++++++++++++++ 3 files changed, 72 insertions(+), 6 deletions(-) create mode 100644 detections/endpoint/windows_registry_dotnet_etw_disabled_via_env_variable.yml diff --git a/detections/endpoint/creation_of_shadow_copy_with_wmic_and_powershell.yml b/detections/endpoint/creation_of_shadow_copy_with_wmic_and_powershell.yml index 7297c39883..a99f59e9e5 100644 --- a/detections/endpoint/creation_of_shadow_copy_with_wmic_and_powershell.yml +++ b/detections/endpoint/creation_of_shadow_copy_with_wmic_and_powershell.yml 
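Review bot: the description kept as context in this hunk still says "command-line executions involving certutil with parameters like *urlcache* and *split*", but the new search drops *split* and adds *verifyctl*; update the description to name urlcache and verifyctl so it matches what the search does. Replacing the redundant `(urlcache AND split) OR urlcache` with `urlcache OR verifyctl` is correct.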
@@ -9,7 +9,7 @@ description: The following analytic detects the creation of shadow copies using or "Powershell" commands. It leverages the Endpoint.Processes data model in Splunk to identify processes where the command includes "shadowcopy" and "create". This activity is significant because it may indicate an attacker attempting to manipulate - or access data unauthorizedly, potentially leading to data theft or manipulation. + or access data in an unauthorized manner, potentially leading to data theft or manipulation. If confirmed malicious, this behavior could allow attackers to backup and exfiltrate sensitive data or hide their tracks by restoring files to a previous state after an attack. @@ -32,7 +32,7 @@ how_to_implement: The detection is based on data that originates from Endpoint D the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Legtimate administrator usage of wmic to create a shadow copy. +known_false_positives: Legitimate administrator usage of wmic to create a shadow copy. references: - https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf - https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF diff --git a/detections/endpoint/etw_registry_disabled.yml b/detections/endpoint/etw_registry_disabled.yml index 2696140f32..a00720eabd 100644 --- a/detections/endpoint/etw_registry_disabled.yml +++ b/detections/endpoint/etw_registry_disabled.yml 
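Review bot: minor, in the description context of the first hunk "could allow attackers to backup and exfiltrate" should read "back up" (verb); worth fixing while this sentence's wording is already being revised.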
@@ -1,13 +1,12 @@ name: ETW Registry Disabled id: 8ed523ac-276b-11ec-ac39-acde48001122 -version: 7 -date: '2024-11-14' +version: 8 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP -description: The following analytic detects a registry modification that disables the Event Tracing for Windows (ETW) feature. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the ETWEnabled registry value under the .NETFramework path. This activity is significant because disabling ETW can allow attackers to evade Endpoint Detection and Response (EDR) tools and hide their execution from audit logs. If confirmed malicious, this action could enable attackers to operate undetected, potentially leading to further compromise and persistent access within the environment. +description: The following analytic detects a registry modification that disables the ETW for the .NET Framework. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the ETWEnabled registry value under the .NETFramework path. This activity is significant because disabling ETW can allow attackers to evade Endpoint Detection and Response (EDR) tools and hide their execution from audit logs. If confirmed malicious, this action could enable attackers to operate undetected, potentially leading to further compromise and persistent access within the environment. data_source: -- Sysmon EventID 12 - Sysmon EventID 13 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*\\SOFTWARE\\Microsoft\\.NETFramework*" Registry.registry_value_name 
@@ -23,6 +22,7 @@ how_to_implement: To successfully implement this search, you need to be ingestin known_false_positives: unknown references: - https://gist.github.com/Cyb3rWard0g/a4a115fd3ab518a0e593525a379adee3 +- https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/ drilldown_searches: - name: View the detection results for - "$dest$" and "$user$" search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' diff --git a/detections/endpoint/windows_registry_dotnet_etw_disabled_via_env_variable.yml b/detections/endpoint/windows_registry_dotnet_etw_disabled_via_env_variable.yml new file mode 100644 index 0000000000..f9675493ff --- /dev/null +++ b/detections/endpoint/windows_registry_dotnet_etw_disabled_via_env_variable.yml 
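Review bot: the new description reads "disables the ETW for the .NET Framework"; drop "the" or keep the old expansion "Event Tracing for Windows (ETW)", since the acronym is otherwise never expanded in the file. Removing Sysmon EventID 12 from data_source is correct: the search keys on registry_value_name and registry_value_data, which only EventID 13 (value set) carries, while EventID 12 records key/value create and delete without the data.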
@@ -0,0 +1,66 @@ +name: Windows Registry Dotnet ETW Disabled Via ENV Variable +id: 55502381-5cce-491b-9277-7cb1d10bc0df +version: 1 +date: '2024-12-08' +author: Nasreddine Bencherchali, Splunk +status: production +type: TTP +description: The following analytic detects a registry modification that disables the ETW for the .NET Framework. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the COMPlus_ETWEnabled registry value under the "Environment" registry key path for both user (HKCU\Environment) and machine (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment) scopes. This activity is significant because disabling ETW can allow attackers to evade Endpoint Detection and Response (EDR) tools and hide their execution from audit logs. If confirmed malicious, this action could enable attackers to operate undetected, potentially leading to further compromise and persistent access within the environment. +data_source: +- Sysmon EventID 13 +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE Registry.registry_path="*\\Environment*" Registry.registry_value_name="COMPlus_ETWEnabled" (Registry.registry_value_data=0x000000000 OR Registry.registry_value_data=0) BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_registry_dotnet_etw_disabled_via_env_variable_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. 
https://splunkbase.splunk.com/app/5709 +known_false_positives: Setting the "COMPlus_ETWEnabled" value as a global environment variable either in user or machine scope should only happens during debugging use cases, hence the false positives rate should be very minimal. +references: +- https://gist.github.com/Cyb3rWard0g/a4a115fd3ab518a0e593525a379adee3 +- https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/ +- https://attack.mitre.org/techniques/T1562/006/ +drilldown_searches: +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +tags: + analytic_story: + - Windows Registry Abuse + - Windows Defense Evasion Tactics + asset_type: Endpoint + confidence: 100 + impact: 90 + message: Modified registry entry $registry_path$ in $dest$ + mitre_attack_id: + - T1562.006 + - T1562 + observable: + - name: dest + type: Hostname + role: + - Victim + - name: user + type: User + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - Registry.dest + - Registry.registry_value_name + - Registry.registry_key_name + - Registry.registry_path + - Registry.registry_value_data + - Registry.process_guid + 
risk_score: 90 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.006/dotnet_etw_bypass/dotnet_etw_bypass.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog From 9dd74b86ab187285d4fcf013d78e19bd541fbd2b Mon Sep 17 00:00:00 2001 
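Review bot: the literal `Registry.registry_value_data=0x000000000` in the new search has nine zeros after `0x`; a REG_DWORD as rendered by Sysmon has eight hex digits (`0x00000000`), so that branch can never match. In practice it does not matter much because values under HKCU\Environment and Session Manager\Environment are REG_SZ/REG_EXPAND_SZ strings (setx writes "0"), so the `=0` branch is the one that fires, but fix the hex literal or drop it so the search does not advertise coverage it lacks. Also: `| where isnotnull(registry_value_data)` is redundant after a WHERE that already constrains registry_value_data; known_false_positives "should only happens" should be "should only happen"; and the message "Modified registry entry $registry_path$ in $dest$" should read "on $dest$" and would be more useful with $registry_value_name$, since the value name is what distinguishes this hit from any other Environment write.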
From: Nasreddine Bencherchali Date: Sun, 8 Dec 2024 21:46:36 +0100 Subject: [PATCH 4/6] update version --- detections/endpoint/active_setup_registry_autostart.yml | 4 ++-- .../endpoint/add_defaultuser_and_password_in_registry.yml | 4 ++-- .../allow_inbound_traffic_by_firewall_rule_registry.yml | 4 ++-- detections/endpoint/allow_operation_with_consent_admin.yml | 4 ++-- detections/endpoint/auto_admin_logon_registry_entry.yml | 4 ++-- .../creation_of_shadow_copy_with_wmic_and_powershell.yml | 4 ++-- detections/endpoint/disable_amsi_through_registry.yml | 4 ++-- detections/endpoint/disable_defender_antivirus_registry.yml | 4 ++-- .../endpoint/disable_defender_blockatfirstseen_feature.yml | 4 ++-- detections/endpoint/disable_defender_mpengine_registry.yml | 4 ++-- detections/endpoint/disable_defender_spynet_reporting.yml | 4 ++-- .../disable_defender_submit_samples_consent_feature.yml | 4 ++-- detections/endpoint/disable_etw_through_registry.yml | 4 ++-- detections/endpoint/disable_registry_tool.yml | 4 ++-- .../endpoint/disable_security_logs_using_minint_registry.yml | 4 ++-- detections/endpoint/disable_show_hidden_files.yml | 4 ++-- detections/endpoint/disable_uac_remote_restriction.yml | 4 ++-- detections/endpoint/disable_windows_app_hotkeys.yml | 4 ++-- detections/endpoint/disable_windows_behavior_monitoring.yml | 4 ++-- .../endpoint/disable_windows_smartscreen_protection.yml | 4 ++-- detections/endpoint/disabling_cmd_application.yml | 4 ++-- detections/endpoint/disabling_controlpanel.yml | 4 ++-- detections/endpoint/disabling_defender_services.yml | 4 ++-- .../endpoint/disabling_folderoptions_windows_feature.yml | 4 ++-- detections/endpoint/disabling_norun_windows_app.yml | 4 ++-- detections/endpoint/disabling_systemrestore_in_registry.yml | 4 ++-- detections/endpoint/disabling_task_manager.yml | 4 ++-- .../endpoint/enable_wdigest_uselogoncredential_registry.yml | 4 ++-- detections/endpoint/hide_user_account_from_sign_in_screen.yml | 4 ++-- 
.../endpoint/monitor_registry_keys_for_print_monitors.yml | 4 ++-- .../endpoint/registry_keys_for_creating_shim_databases.yml | 4 ++-- .../endpoint/registry_keys_used_for_privilege_escalation.yml | 4 ++-- detections/endpoint/time_provider_persistence_registry.yml | 4 ++-- .../endpoint/windows_defender_exclusion_registry_entry.yml | 4 ++-- .../windows_disable_change_password_through_registry.yml | 4 ++-- ...dows_disable_lock_workstation_feature_through_registry.yml | 4 ++-- .../windows_disable_logoff_button_through_registry.yml | 4 ++-- detections/endpoint/windows_disable_notification_center.yml | 4 ++-- .../windows_disable_shutdown_button_through_registry.yml | 4 ++-- ...disable_windows_group_policy_features_through_registry.yml | 4 ++-- .../windows_hide_notification_features_through_registry.yml | 4 ++-- .../windows_modify_registry_delete_firewall_rules.yml | 4 ++-- ...windows_modify_registry_to_add_or_modify_firewall_rule.yml | 4 ++-- .../windows_modify_registry_valleyrat_pwn_reg_entry.yml | 4 ++-- ...ndows_modify_show_compress_color_and_info_tip_registry.yml | 4 ++-- detections/endpoint/windows_proxy_via_registry.yml | 4 ++-- .../windows_service_creation_using_registry_entry.yml | 4 ++-- 47 files changed, 94 insertions(+), 94 deletions(-) diff --git a/detections/endpoint/active_setup_registry_autostart.yml b/detections/endpoint/active_setup_registry_autostart.yml index e7083402ee..e662e1a5ac 100644 --- a/detections/endpoint/active_setup_registry_autostart.yml +++ b/detections/endpoint/active_setup_registry_autostart.yml @@ -1,7 +1,7 @@ name: Active Setup Registry Autostart id: f64579c0-203f-11ec-abcc-acde48001122 -version: 7 -date: '2024-11-14' +version: 8 +date: '2024-12-08' author: Steven Dick, Teoderick Contreras, Splunk status: production type: TTP diff --git a/detections/endpoint/add_defaultuser_and_password_in_registry.yml b/detections/endpoint/add_defaultuser_and_password_in_registry.yml index 65a36286bc..22d3994a11 100644 
--- a/detections/endpoint/add_defaultuser_and_password_in_registry.yml +++ b/detections/endpoint/add_defaultuser_and_password_in_registry.yml @@ -1,7 +1,7 @@ name: Add DefaultUser And Password In Registry id: d4a3eb62-0f1e-11ec-a971-acde48001122 -version: 7 -date: '2024-11-14' +version: 8 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: Anomaly diff --git a/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml b/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml index 403c015cb0..7539cd6939 100644 --- a/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml +++ b/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml @@ -1,7 +1,7 @@ name: Allow Inbound Traffic By Firewall Rule Registry id: 0a46537c-be02-11eb-92ca-acde48001122 -version: 8 -date: '2024-11-14' +version: 9 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP diff --git a/detections/endpoint/allow_operation_with_consent_admin.yml b/detections/endpoint/allow_operation_with_consent_admin.yml index aa54b15647..02bbdada71 100644 --- a/detections/endpoint/allow_operation_with_consent_admin.yml +++ b/detections/endpoint/allow_operation_with_consent_admin.yml @@ -1,7 +1,7 @@ name: Allow Operation with Consent Admin id: 7de17d7a-c9d8-11eb-a812-acde48001122 -version: 7 -date: '2024-11-14' +version: 8 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP diff --git a/detections/endpoint/auto_admin_logon_registry_entry.yml b/detections/endpoint/auto_admin_logon_registry_entry.yml index 62d472b020..8757ee7543 100644 --- a/detections/endpoint/auto_admin_logon_registry_entry.yml +++ b/detections/endpoint/auto_admin_logon_registry_entry.yml 
@@ -1,7 +1,7 @@ name: Auto Admin Logon Registry Entry id: 1379d2b8-0f18-11ec-8ca3-acde48001122 -version: 7 -date: '2024-11-14' +version: 8 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP diff --git a/detections/endpoint/creation_of_shadow_copy_with_wmic_and_powershell.yml b/detections/endpoint/creation_of_shadow_copy_with_wmic_and_powershell.yml index a99f59e9e5..92e1cc6817 100644 --- a/detections/endpoint/creation_of_shadow_copy_with_wmic_and_powershell.yml +++ b/detections/endpoint/creation_of_shadow_copy_with_wmic_and_powershell.yml @@ -1,7 +1,7 @@ name: Creation of Shadow Copy with wmic and powershell id: 2ed8b538-d284-449a-be1d-82ad1dbd186b -version: '6' -date: '2024-11-28' +version: 7 +date: '2024-12-08' author: Patrick Bareiss, Splunk status: production type: TTP diff --git a/detections/endpoint/disable_amsi_through_registry.yml b/detections/endpoint/disable_amsi_through_registry.yml index 4893d03eae..2eadb8ac05 100644 --- a/detections/endpoint/disable_amsi_through_registry.yml +++ b/detections/endpoint/disable_amsi_through_registry.yml @@ -1,7 +1,7 @@ name: Disable AMSI Through Registry id: 9c27ec42-d338-11eb-9044-acde48001122 -version: 7 -date: '2024-11-14' +version: 8 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP diff --git a/detections/endpoint/disable_defender_antivirus_registry.yml b/detections/endpoint/disable_defender_antivirus_registry.yml index 4a1217a8cf..1fd8cf44b1 100644 --- a/detections/endpoint/disable_defender_antivirus_registry.yml +++ b/detections/endpoint/disable_defender_antivirus_registry.yml @@ -1,7 +1,7 @@ name: Disable Defender AntiVirus Registry id: aa4f695a-3024-11ec-9987-acde48001122 -version: 7 -date: '2024-11-14' +version: 8 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP 
diff --git a/detections/endpoint/disable_defender_blockatfirstseen_feature.yml b/detections/endpoint/disable_defender_blockatfirstseen_feature.yml index e1ac4a1c88..009a68ec32 100644 --- a/detections/endpoint/disable_defender_blockatfirstseen_feature.yml +++ b/detections/endpoint/disable_defender_blockatfirstseen_feature.yml @@ -1,7 +1,7 @@ name: Disable Defender BlockAtFirstSeen Feature id: 2dd719ac-3021-11ec-97b4-acde48001122 -version: 7 -date: '2024-11-14' +version: 8 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP diff --git a/detections/endpoint/disable_defender_mpengine_registry.yml b/detections/endpoint/disable_defender_mpengine_registry.yml index eca3d30a03..2aeabde665 100644 --- a/detections/endpoint/disable_defender_mpengine_registry.yml +++ b/detections/endpoint/disable_defender_mpengine_registry.yml @@ -1,7 +1,7 @@ name: Disable Defender MpEngine Registry id: cc391750-3024-11ec-955a-acde48001122 -version: 7 -date: '2024-10-04' +version: 8 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP diff --git a/detections/endpoint/disable_defender_spynet_reporting.yml b/detections/endpoint/disable_defender_spynet_reporting.yml index 1ae68f6b65..6db3238af3 100644 --- a/detections/endpoint/disable_defender_spynet_reporting.yml +++ b/detections/endpoint/disable_defender_spynet_reporting.yml @@ -1,7 +1,7 @@ name: Disable Defender Spynet Reporting id: 898debf4-3021-11ec-ba7c-acde48001122 -version: 7 -date: '2024-11-14' +version: 8 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP diff --git a/detections/endpoint/disable_defender_submit_samples_consent_feature.yml b/detections/endpoint/disable_defender_submit_samples_consent_feature.yml index 42239ed2d4..cbbb8995f0 100644 --- a/detections/endpoint/disable_defender_submit_samples_consent_feature.yml +++ b/detections/endpoint/disable_defender_submit_samples_consent_feature.yml 
@@ -1,7 +1,7 @@ name: Disable Defender Submit Samples Consent Feature id: 73922ff8-3022-11ec-bf5e-acde48001122 -version: 7 -date: '2024-11-14' +version: 8 +date: '2024-12-08' author: Teoderick Contreras, Splunk,Steven Dick status: production type: TTP diff --git a/detections/endpoint/disable_etw_through_registry.yml b/detections/endpoint/disable_etw_through_registry.yml index 9afc7488fe..c70369f185 100644 --- a/detections/endpoint/disable_etw_through_registry.yml +++ b/detections/endpoint/disable_etw_through_registry.yml @@ -1,7 +1,7 @@ name: Disable ETW Through Registry id: f0eacfa4-d33f-11eb-8f9d-acde48001122 -version: 7 -date: '2024-11-14' +version: 8 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP diff --git a/detections/endpoint/disable_registry_tool.yml b/detections/endpoint/disable_registry_tool.yml index 3a8464cdb4..2c48111345 100644 --- a/detections/endpoint/disable_registry_tool.yml +++ b/detections/endpoint/disable_registry_tool.yml @@ -1,7 +1,7 @@ name: Disable Registry Tool id: cd2cf33c-9201-11eb-a10a-acde48001122 -version: 8 -date: '2024-11-14' +version: 9 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP diff --git a/detections/endpoint/disable_security_logs_using_minint_registry.yml b/detections/endpoint/disable_security_logs_using_minint_registry.yml index 3677f618f1..4ec7d4929a 100644 --- a/detections/endpoint/disable_security_logs_using_minint_registry.yml +++ b/detections/endpoint/disable_security_logs_using_minint_registry.yml @@ -1,7 +1,7 @@ name: Disable Security Logs Using MiniNt Registry id: 39ebdc68-25b9-11ec-aec7-acde48001122 -version: 7 -date: '2024-11-14' +version: 8 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP diff --git a/detections/endpoint/disable_show_hidden_files.yml b/detections/endpoint/disable_show_hidden_files.yml index 0b29ec79ac..2851b44e6f 100644 
--- a/detections/endpoint/disable_show_hidden_files.yml +++ b/detections/endpoint/disable_show_hidden_files.yml @@ -1,7 +1,7 @@ name: Disable Show Hidden Files id: 6f3ccfa2-91fe-11eb-8f9b-acde48001122 -version: 8 -date: '2024-11-14' +version: 9 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: Anomaly diff --git a/detections/endpoint/disable_uac_remote_restriction.yml b/detections/endpoint/disable_uac_remote_restriction.yml index ce8baf366f..d63a070a78 100644 --- a/detections/endpoint/disable_uac_remote_restriction.yml +++ b/detections/endpoint/disable_uac_remote_restriction.yml @@ -1,7 +1,7 @@ name: Disable UAC Remote Restriction id: 9928b732-210e-11ec-b65e-acde48001122 -version: 7 -date: '2024-11-14' +version: 8 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP diff --git a/detections/endpoint/disable_windows_app_hotkeys.yml b/detections/endpoint/disable_windows_app_hotkeys.yml index b37fce8e1f..45b8734a95 100644 --- a/detections/endpoint/disable_windows_app_hotkeys.yml +++ b/detections/endpoint/disable_windows_app_hotkeys.yml @@ -1,7 +1,7 @@ name: Disable Windows App Hotkeys id: 1490f224-ad8b-11eb-8c4f-acde48001122 -version: 7 -date: '2024-11-14' +version: 8 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP diff --git a/detections/endpoint/disable_windows_behavior_monitoring.yml b/detections/endpoint/disable_windows_behavior_monitoring.yml index b184009dc4..929da38fce 100644 --- a/detections/endpoint/disable_windows_behavior_monitoring.yml +++ b/detections/endpoint/disable_windows_behavior_monitoring.yml @@ -1,7 +1,7 @@ name: Disable Windows Behavior Monitoring id: 79439cae-9200-11eb-a4d3-acde48001122 -version: 9 -date: '2024-11-14' +version: 10 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP 
diff --git a/detections/endpoint/disable_windows_smartscreen_protection.yml b/detections/endpoint/disable_windows_smartscreen_protection.yml index 5ea2ff3c05..c7dd7878bd 100644 --- a/detections/endpoint/disable_windows_smartscreen_protection.yml +++ b/detections/endpoint/disable_windows_smartscreen_protection.yml @@ -1,7 +1,7 @@ name: Disable Windows SmartScreen Protection id: 664f0fd0-91ff-11eb-a56f-acde48001122 -version: 8 -date: '2024-11-14' +version: 9 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP diff --git a/detections/endpoint/disabling_cmd_application.yml b/detections/endpoint/disabling_cmd_application.yml index 3142e8ca48..ad1e666ab3 100644 --- a/detections/endpoint/disabling_cmd_application.yml +++ b/detections/endpoint/disabling_cmd_application.yml @@ -1,7 +1,7 @@ name: Disabling CMD Application id: ff86077c-9212-11eb-a1e6-acde48001122 -version: 8 -date: '2024-11-14' +version: 9 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP diff --git a/detections/endpoint/disabling_controlpanel.yml b/detections/endpoint/disabling_controlpanel.yml index 13c37c0548..1ddfdff0c1 100644 --- a/detections/endpoint/disabling_controlpanel.yml +++ b/detections/endpoint/disabling_controlpanel.yml @@ -1,7 +1,7 @@ name: Disabling ControlPanel id: 6ae0148e-9215-11eb-a94a-acde48001122 -version: 8 -date: '2024-11-14' +version: 9 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP diff --git a/detections/endpoint/disabling_defender_services.yml b/detections/endpoint/disabling_defender_services.yml index 1b0ce374a7..1c3a4ec1d8 100644 --- a/detections/endpoint/disabling_defender_services.yml +++ b/detections/endpoint/disabling_defender_services.yml 
@@ -1,7 +1,7 @@ name: Disabling Defender Services id: 911eacdc-317f-11ec-ad30-acde48001122 -version: 7 -date: '2024-11-14' +version: 8 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP diff --git a/detections/endpoint/disabling_folderoptions_windows_feature.yml b/detections/endpoint/disabling_folderoptions_windows_feature.yml index 72d67f58f7..60199b1e52 100644 --- a/detections/endpoint/disabling_folderoptions_windows_feature.yml +++ b/detections/endpoint/disabling_folderoptions_windows_feature.yml @@ -1,7 +1,7 @@ name: Disabling FolderOptions Windows Feature id: 83776de4-921a-11eb-868a-acde48001122 -version: 8 -date: '2024-11-14' +version: 9 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP diff --git a/detections/endpoint/disabling_norun_windows_app.yml b/detections/endpoint/disabling_norun_windows_app.yml index b6e00de585..25af90e4ec 100644 --- a/detections/endpoint/disabling_norun_windows_app.yml +++ b/detections/endpoint/disabling_norun_windows_app.yml @@ -1,7 +1,7 @@ name: Disabling NoRun Windows App id: de81bc46-9213-11eb-adc9-acde48001122 -version: 8 -date: '2024-11-14' +version: 9 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP diff --git a/detections/endpoint/disabling_systemrestore_in_registry.yml b/detections/endpoint/disabling_systemrestore_in_registry.yml index af2863335c..a13052f1e7 100644 --- a/detections/endpoint/disabling_systemrestore_in_registry.yml +++ b/detections/endpoint/disabling_systemrestore_in_registry.yml @@ -1,7 +1,7 @@ name: Disabling SystemRestore In Registry id: f4f837e2-91fb-11eb-8bf6-acde48001122 -version: 8 -date: '2024-11-14' +version: 9 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP diff --git a/detections/endpoint/disabling_task_manager.yml b/detections/endpoint/disabling_task_manager.yml index 28de788486..abddcde476 100644 
--- a/detections/endpoint/disabling_task_manager.yml +++ b/detections/endpoint/disabling_task_manager.yml @@ -1,7 +1,7 @@ name: Disabling Task Manager id: dac279bc-9202-11eb-b7fb-acde48001122 -version: 8 -date: '2024-11-14' +version: 9 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP diff --git a/detections/endpoint/enable_wdigest_uselogoncredential_registry.yml b/detections/endpoint/enable_wdigest_uselogoncredential_registry.yml index 13aaef7d57..fe65e1ac2d 100644 --- a/detections/endpoint/enable_wdigest_uselogoncredential_registry.yml +++ b/detections/endpoint/enable_wdigest_uselogoncredential_registry.yml @@ -1,7 +1,7 @@ name: Enable WDigest UseLogonCredential Registry id: 0c7d8ffe-25b1-11ec-9f39-acde48001122 -version: 7 -date: '2024-11-14' +version: 8 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP diff --git a/detections/endpoint/hide_user_account_from_sign_in_screen.yml b/detections/endpoint/hide_user_account_from_sign_in_screen.yml index cedde8ad98..0d785e5bc1 100644 --- a/detections/endpoint/hide_user_account_from_sign_in_screen.yml +++ b/detections/endpoint/hide_user_account_from_sign_in_screen.yml @@ -1,7 +1,7 @@ name: Hide User Account From Sign-In Screen id: 834ba832-ad89-11eb-937d-acde48001122 -version: 7 -date: '2024-11-14' +version: 8 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP diff --git a/detections/endpoint/monitor_registry_keys_for_print_monitors.yml b/detections/endpoint/monitor_registry_keys_for_print_monitors.yml index 1379d8b646..4af4ccebb7 100644 --- a/detections/endpoint/monitor_registry_keys_for_print_monitors.yml +++ b/detections/endpoint/monitor_registry_keys_for_print_monitors.yml 
@@ -1,7 +1,7 @@ name: Monitor Registry Keys for Print Monitors id: f5f6af30-7ba7-4295-bfe9-07de87c01bbc -version: 8 -date: '2024-11-14' +version: 9 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick, Bhavin Patel status: production type: TTP diff --git a/detections/endpoint/registry_keys_for_creating_shim_databases.yml b/detections/endpoint/registry_keys_for_creating_shim_databases.yml index 788fe47757..a4c021dc8f 100644 --- a/detections/endpoint/registry_keys_for_creating_shim_databases.yml +++ b/detections/endpoint/registry_keys_for_creating_shim_databases.yml @@ -1,7 +1,7 @@ name: Registry Keys for Creating SHIM Databases id: f5f6af30-7aa7-4295-bfe9-07fe87c01bbb -version: 9 -date: '2024-11-14' +version: 10 +date: '2024-12-08' author: Patrick Bareiss, Teoderick Contreras, Splunk, Steven Dick, Bhavin Patel status: production type: TTP diff --git a/detections/endpoint/registry_keys_used_for_privilege_escalation.yml b/detections/endpoint/registry_keys_used_for_privilege_escalation.yml index 5bd326c36f..a07d06e623 100644 --- a/detections/endpoint/registry_keys_used_for_privilege_escalation.yml +++ b/detections/endpoint/registry_keys_used_for_privilege_escalation.yml @@ -1,7 +1,7 @@ name: Registry Keys Used For Privilege Escalation id: c9f4b923-f8af-4155-b697-1354f5bcbc5e -version: 10 -date: '2024-11-14' +version: 11 +date: '2024-12-08' author: David Dorsey, Teoderick Contreras, Splunk, Steven Dick status: production type: TTP diff --git a/detections/endpoint/time_provider_persistence_registry.yml b/detections/endpoint/time_provider_persistence_registry.yml index 4d869ca9a5..8d712ffb64 100644 --- a/detections/endpoint/time_provider_persistence_registry.yml +++ b/detections/endpoint/time_provider_persistence_registry.yml 
@@ -1,7 +1,7 @@ name: Time Provider Persistence Registry id: 5ba382c4-2105-11ec-8d8f-acde48001122 -version: 7 -date: '2024-11-14' +version: 8 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP diff --git a/detections/endpoint/windows_defender_exclusion_registry_entry.yml b/detections/endpoint/windows_defender_exclusion_registry_entry.yml index 338fd0d8fd..421be8ea5e 100644 --- a/detections/endpoint/windows_defender_exclusion_registry_entry.yml +++ b/detections/endpoint/windows_defender_exclusion_registry_entry.yml @@ -1,7 +1,7 @@ name: Windows Defender Exclusion Registry Entry id: 13395a44-4dd9-11ec-9df7-acde48001122 -version: 7 -date: '2024-11-14' +version: 8 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP diff --git a/detections/endpoint/windows_disable_change_password_through_registry.yml b/detections/endpoint/windows_disable_change_password_through_registry.yml index bcf1ea2232..06a7feee8c 100644 --- a/detections/endpoint/windows_disable_change_password_through_registry.yml +++ b/detections/endpoint/windows_disable_change_password_through_registry.yml @@ -1,7 +1,7 @@ name: Windows Disable Change Password Through Registry id: 0df33e1a-9ef6-11ec-a1ad-acde48001122 -version: 6 -date: '2024-11-14' +version: 7 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: Anomaly diff --git a/detections/endpoint/windows_disable_lock_workstation_feature_through_registry.yml b/detections/endpoint/windows_disable_lock_workstation_feature_through_registry.yml index 0e238b5edb..2d6ee0fbc3 100644 --- a/detections/endpoint/windows_disable_lock_workstation_feature_through_registry.yml +++ b/detections/endpoint/windows_disable_lock_workstation_feature_through_registry.yml 
@@ -1,7 +1,7 @@ name: Windows Disable Lock Workstation Feature Through Registry id: c82adbc6-9f00-11ec-a81f-acde48001122 -version: 6 -date: '2024-11-14' +version: 7 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: Anomaly diff --git a/detections/endpoint/windows_disable_logoff_button_through_registry.yml b/detections/endpoint/windows_disable_logoff_button_through_registry.yml index 919f4d86eb..6cf2b86d0b 100644 --- a/detections/endpoint/windows_disable_logoff_button_through_registry.yml +++ b/detections/endpoint/windows_disable_logoff_button_through_registry.yml @@ -1,7 +1,7 @@ name: Windows Disable LogOff Button Through Registry id: b2fb6830-9ed1-11ec-9fcb-acde48001122 -version: 6 -date: '2024-11-14' +version: 7 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: Anomaly diff --git a/detections/endpoint/windows_disable_notification_center.yml b/detections/endpoint/windows_disable_notification_center.yml index 3f91ba6e3e..8e833b67e7 100644 --- a/detections/endpoint/windows_disable_notification_center.yml +++ b/detections/endpoint/windows_disable_notification_center.yml @@ -1,7 +1,7 @@ name: Windows Disable Notification Center id: 1cd983c8-8fd6-11ec-a09d-acde48001122 -version: 6 -date: '2024-11-14' +version: 7 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: Anomaly diff --git a/detections/endpoint/windows_disable_shutdown_button_through_registry.yml b/detections/endpoint/windows_disable_shutdown_button_through_registry.yml index 80ec58a860..630dd7b8bf 100644 --- a/detections/endpoint/windows_disable_shutdown_button_through_registry.yml +++ b/detections/endpoint/windows_disable_shutdown_button_through_registry.yml 
@@ -1,7 +1,7 @@ name: Windows Disable Shutdown Button Through Registry id: 55fb2958-9ecd-11ec-a06a-acde48001122 -version: 6 -date: '2024-11-14' +version: 7 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: Anomaly diff --git a/detections/endpoint/windows_disable_windows_group_policy_features_through_registry.yml b/detections/endpoint/windows_disable_windows_group_policy_features_through_registry.yml index 5e01fa4eec..a819f3483f 100644 --- a/detections/endpoint/windows_disable_windows_group_policy_features_through_registry.yml +++ b/detections/endpoint/windows_disable_windows_group_policy_features_through_registry.yml @@ -1,7 +1,7 @@ name: Windows Disable Windows Group Policy Features Through Registry id: 63a449ae-9f04-11ec-945e-acde48001122 -version: 6 -date: '2024-09-30' +version: 7 +date: '2024-12-08' author: Steven Dick, Teoderick Contreras, Splunk status: production type: Anomaly diff --git a/detections/endpoint/windows_hide_notification_features_through_registry.yml b/detections/endpoint/windows_hide_notification_features_through_registry.yml index 9587dd35ca..ee7774536f 100644 --- a/detections/endpoint/windows_hide_notification_features_through_registry.yml +++ b/detections/endpoint/windows_hide_notification_features_through_registry.yml @@ -1,7 +1,7 @@ name: Windows Hide Notification Features Through Registry id: cafa4bce-9f06-11ec-a7b2-acde48001122 -version: 6 -date: '2024-11-14' +version: 7 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: Anomaly diff --git a/detections/endpoint/windows_modify_registry_delete_firewall_rules.yml b/detections/endpoint/windows_modify_registry_delete_firewall_rules.yml index d45f51c82c..fe58a5674c 100644 --- a/detections/endpoint/windows_modify_registry_delete_firewall_rules.yml +++ b/detections/endpoint/windows_modify_registry_delete_firewall_rules.yml 
@@ -1,7 +1,7 @@ name: Windows Modify Registry Delete Firewall Rules id: 41c61539-98ca-4750-b3ec-7c29a2f06343 -version: 2 -date: '2024-09-30' +version: 3 +date: '2024-12-08' author: Teoderick Contreras, Splunk data_source: - Sysmon EventID 12 diff --git a/detections/endpoint/windows_modify_registry_to_add_or_modify_firewall_rule.yml b/detections/endpoint/windows_modify_registry_to_add_or_modify_firewall_rule.yml index 14328401cd..7f4fd660c7 100644 --- a/detections/endpoint/windows_modify_registry_to_add_or_modify_firewall_rule.yml +++ b/detections/endpoint/windows_modify_registry_to_add_or_modify_firewall_rule.yml @@ -1,7 +1,7 @@ name: Windows Modify Registry to Add or Modify Firewall Rule id: 43254751-e2ce-409a-b6b4-4f851e8dcc26 -version: 3 -date: '2024-11-14' +version: 4 +date: '2024-12-08' author: Teoderick Contreras, Splunk data_source: - Sysmon EventID 12 diff --git a/detections/endpoint/windows_modify_registry_valleyrat_pwn_reg_entry.yml b/detections/endpoint/windows_modify_registry_valleyrat_pwn_reg_entry.yml index 5df8daf916..aa14321c67 100644 --- a/detections/endpoint/windows_modify_registry_valleyrat_pwn_reg_entry.yml +++ b/detections/endpoint/windows_modify_registry_valleyrat_pwn_reg_entry.yml @@ -1,7 +1,7 @@ name: Windows Modify Registry ValleyRat PWN Reg Entry id: 6947c44e-be1f-4dd9-b198-bc42be5be196 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-12-08' author: Teoderick Contreras, Splunk data_source: - Sysmon EventID 13 diff --git a/detections/endpoint/windows_modify_show_compress_color_and_info_tip_registry.yml b/detections/endpoint/windows_modify_show_compress_color_and_info_tip_registry.yml index 9b594a02bd..34d383fede 100644 --- a/detections/endpoint/windows_modify_show_compress_color_and_info_tip_registry.yml +++ b/detections/endpoint/windows_modify_show_compress_color_and_info_tip_registry.yml 
@@ -1,7 +1,7 @@ name: Windows Modify Show Compress Color And Info Tip Registry id: b7548c2e-9a10-11ec-99e3-acde48001122 -version: 6 -date: '2024-11-14' +version: 7 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP diff --git a/detections/endpoint/windows_proxy_via_registry.yml b/detections/endpoint/windows_proxy_via_registry.yml index 3fcee796e5..b9967aceae 100644 --- a/detections/endpoint/windows_proxy_via_registry.yml +++ b/detections/endpoint/windows_proxy_via_registry.yml @@ -1,7 +1,7 @@ name: Windows Proxy Via Registry id: 0270455b-1385-4579-9ac5-e77046c508ae -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-12-08' author: Teoderick Contreras, Splunk status: production type: Anomaly diff --git a/detections/endpoint/windows_service_creation_using_registry_entry.yml b/detections/endpoint/windows_service_creation_using_registry_entry.yml index 3a77446722..d1a040c81b 100644 --- a/detections/endpoint/windows_service_creation_using_registry_entry.yml +++ b/detections/endpoint/windows_service_creation_using_registry_entry.yml @@ -1,7 +1,7 @@ name: Windows Service Creation Using Registry Entry id: 25212358-948e-11ec-ad47-acde48001122 -version: 6 -date: '2024-11-14' +version: 7 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP From 3ef63392553198f4a9d0daf50bf34af3c4d1c36e Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali Date: Mon, 9 Dec 2024 15:20:18 +0100 Subject: [PATCH 5/6] additional autologger analytic --- ..._defenses_disable_auto_logger_session_.yml | 65 +++++++++++++++++++ ...nses_disable_win_defender_auto_logging.yml | 7 +- stories/cisa_aa23_347a.yml | 6 +- 3 files changed, 72 insertions(+), 6 deletions(-) create mode 100644 detections/endpoint/windows_impair_defenses_disable_auto_logger_session_.yml 
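Review bot: [PATCH 1/6], hunk for detections/endpoint/disable_defender_submit_samples_consent_feature.yml: the unchanged context line `author: Teoderick Contreras, Splunk,Steven Dick` is missing the space after the second comma, unlike every other file in this batch. Since the version is being bumped anyway, fix it to `author: Teoderick Contreras, Splunk, Steven Dick` in the same change rather than leaving the inconsistent author string in place.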
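Review bot: [PATCH 1/6], hunk for detections/endpoint/creation_of_shadow_copy_with_wmic_and_powershell.yml: this hunk changes `version: '6'` to `version: 7`, which is a type change (quoted string to bare integer) and not just an increment, unlike the other hunks in the batch that only increment an existing integer. The normalization is correct, since every other detection in the batch stores `version` as an integer, but it deserves a mention in the commit message ("enhance batch 1" does not describe it) so the change is not mistaken for an accidental edit.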
diff --git a/detections/endpoint/windows_impair_defenses_disable_auto_logger_session_.yml b/detections/endpoint/windows_impair_defenses_disable_auto_logger_session_.yml new file mode 100644 index 0000000000..b907454d9f --- /dev/null +++ b/detections/endpoint/windows_impair_defenses_disable_auto_logger_session_.yml 
@@ -0,0 +1,65 @@ +name: Windows Impair Defenses Disable Auto Logger Session +id: dc6a5613-d024-47e7-9997-ab6477a483d3 +version: 1 +date: '2024-12-06' +author: Nasreddine Bencherchali, Splunk +status: production +type: Anomaly +description: The following analytic detects the disabling of an AutoLogger session or one of its providers, by identifying changes to the Registry values "Start" and "Enabled" part of the "\WMI\Autologger\" key path. It leverages data from the Endpoint.Registry datamodel to monitor specific registry paths and values. This activity is significant as attackers and adversaries can leverage this in order to evade defense and blind EDRs and log ingest tooling. If confirmed malicious, this action could allow an attacker to conceal their activities, making it harder to detect further malicious actions and maintain persistence on the compromised endpoint. +data_source: +- Sysmon EventID 13 +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\WMI\\Autologger\\*" (Registry.registry_value_name="Start" OR Registry.registry_value_name="Enabled") Registry.registry_value_data ="0x00000000" by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.dest Registry.user | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defenses_disable_auto_logger_session_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. +known_false_positives: It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. 
Although no false positives have been identified, use the provided filter macro to tune the search. +references: +- https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/ +- https://app.any.run/tasks/45f5d114-91ea-486c-ab01-41c4093d2861/ +- https://isc.sans.edu/diary/rss/28628 +- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ +- https://learn.microsoft.com/en-us/windows/win32/etw/configuring-and-starting-an-autologger-session +drilldown_searches: +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +tags: + analytic_story: + - Windows Defense Evasion Tactics + - Windows Registry Abuse + asset_type: Endpoint + confidence: 90 + impact: 90 + message: Windows Auto Logger Session or Provider registry value set to 'disabled' on $dest$. 
+ mitre_attack_id: + - T1562.001 + - T1562 + observable: + - name: dest + type: Endpoint + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - Registry.registry_key_name + - Registry.registry_value_name + - Registry.dest + - Registry.user + - Registry.registry_path + - Registry.action + risk_score: 81 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable_defender_logging/sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog + update_timestamp: true diff --git a/detections/endpoint/windows_impair_defenses_disable_win_defender_auto_logging.yml b/detections/endpoint/windows_impair_defenses_disable_win_defender_auto_logging.yml index 3b2738b061..a13b77afc6 100644 --- a/detections/endpoint/windows_impair_defenses_disable_win_defender_auto_logging.yml +++ b/detections/endpoint/windows_impair_defenses_disable_win_defender_auto_logging.yml 
@@ -1,13 +1,12 @@ name: Windows Impair Defenses Disable Win Defender Auto Logging id: 76406a0f-f5e0-4167-8e1f-337fdc0f1b0c -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-12-09' author: Teoderick Contreras, Splunk status: production type: Anomaly description: The following analytic detects the disabling of Windows Defender logging by identifying changes to the Registry keys DefenderApiLogger or DefenderAuditLogger set to disable. It leverages data from the Endpoint.Registry datamodel to monitor specific registry paths and values. This activity is significant as it is commonly associated with Remote Access Trojan (RAT) malware attempting to evade detection. If confirmed malicious, this action could allow an attacker to conceal their activities, making it harder to detect further malicious actions and maintain persistence on the compromised endpoint. data_source: -- Sysmon EventID 12 - Sysmon EventID 13 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where (Registry.registry_path = "*WMI\\Autologger\\DefenderApiLogger\\Start" OR Registry.registry_path = "*WMI\\Autologger\\DefenderAuditLogger\\Start") Registry.registry_value_data ="0x00000000" by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.dest Registry.user | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defenses_disable_win_defender_auto_logging_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. 
@@ -15,6 +14,8 @@ known_false_positives: It is unusual to turn this feature off a Windows system s references: - https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/ - https://app.any.run/tasks/45f5d114-91ea-486c-ab01-41c4093d2861/ +- https://isc.sans.edu/diary/rss/28628 +- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ drilldown_searches: - name: View the detection results for - "$dest$" search: '%original_detection_search% | search dest = "$dest$"' diff --git a/stories/cisa_aa23_347a.yml b/stories/cisa_aa23_347a.yml index 2c6497d453..b792b6a09a 100644 --- a/stories/cisa_aa23_347a.yml +++ b/stories/cisa_aa23_347a.yml @@ -1,7 +1,7 @@ name: CISA AA23-347A id: 257a2f28-fcbe-4226-8d1f-957880098331 -version: 2 -date: '2023-12-14' +version: 3 +date: '2024-12-09' author: Teoderick Contreras, Rod Soto, Splunk description: Leverage searches that allow you to detect and investigate unusual activities that might be related to the SVR cyber activity tactics and techniques. While SVR followed a similar playbook in each compromise, 
@@ -14,7 +14,7 @@ narrative: SVR cyber operations pose a persistent threat to public and private o and foreign counterintelligence. The SVR also conducts cyber operations targeting technology companies that enable future cyber operations. The SVR's recent operation has targeted networks hosting TeamCity servers, further underscoring its persistent focus on technology companies. By leveraging CVE-2023-42793, a vulnerability within a software development program, the SVR seeks to gain access to victims, potentially - compromising numerous software developers' networks. JetBrains responded to this threat by issuing a patch in mid-September 2023, limting the SVR's + compromising numerous software developers' networks. JetBrains responded to this threat by issuing a patch in mid-September 2023, limiting the SVR's ability to exploit Internet-accessible TeamCity servers lacking the necessary updates. Despite this mitigation, the SVR has yet to utilize its acquired access to software developers' networks for breaching customer systems. It appears that the SVR is still in the preparatory stages of its operation. references: From ee35379cca06fb35cc80b9ea4552f6b2b9b9cf8a Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali Date: Mon, 9 Dec 2024 15:35:29 +0100 Subject: [PATCH 6/6] fix filename --- ...ml => windows_impair_defenses_disable_auto_logger_session.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename detections/endpoint/{windows_impair_defenses_disable_auto_logger_session_.yml => windows_impair_defenses_disable_auto_logger_session.yml} (100%) diff --git a/detections/endpoint/windows_impair_defenses_disable_auto_logger_session_.yml b/detections/endpoint/windows_impair_defenses_disable_auto_logger_session.yml similarity index 100% rename from detections/endpoint/windows_impair_defenses_disable_auto_logger_session_.yml rename to detections/endpoint/windows_impair_defenses_disable_auto_logger_session.yml
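Review bot: [PATCH 5/6], new-file hunk for detections/endpoint/windows_impair_defenses_disable_auto_logger_session_.yml: `required_fields` does not match the search. It lists `Registry.registry_key_name`, which the `tstats` query never references, and omits `Registry.registry_value_data` and `Registry.process_guid`, which the query filters and groups on; align the list with the fields actually used. Second, the new search (`Registry.registry_path="*\\WMI\\Autologger\\*"`, value name `Start`, data `0x00000000`) is a strict superset of the existing `windows_impair_defenses_disable_win_defender_auto_logging` search in the next hunk (`*WMI\\Autologger\\DefenderApiLogger\\Start` and `*WMI\\Autologger\\DefenderAuditLogger\\Start` with the same value data), so a single Defender autologger change will raise both analytics and produce two risk events for one action; either exclude the two Defender paths from the generic search or state the intended overlap in the description. Third, the file carries `date: '2024-12-06'` while the other files in this commit are dated `'2024-12-09'`; use one date. Finally, `known_false_positives` ("turn this feature off a Windows system", missing "on") and `how_to_implement` ("ingesting information on process that include the name of the process") are copied verbatim from the older analytic with their grammar errors intact; fix them in the new file instead of propagating them.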
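Review bot: [PATCH 5/6], hunk for detections/endpoint/windows_impair_defenses_disable_win_defender_auto_logging.yml: dropping `Sysmon EventID 12` from `data_source` is consistent with the search, which matches on `Registry.registry_value_data` and therefore only ever sees value-set events (EventID 13), so no objection there. The `known_false_positives` context line still reads "turn this feature off a Windows system"; since the version is being bumped for the added references, fix the missing "on" in the same hunk.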
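Review bot: [PATCH 5/6], hunks for stories/cisa_aa23_347a.yml: the only substantive change is the typo fix `limting` to `limiting` in the narrative, plus a version and date bump for it, which has nothing to do with the "additional autologger analytic" subject. The new analytic is not attached to this story either (its `analytic_story` tags are `Windows Defense Evasion Tactics` and `Windows Registry Abuse`). Either split the typo fix into its own commit or, if the autologger detection is meant to be part of CISA AA23-347A coverage, add the story to the new file's `analytic_story` list so the bump reflects a real content change.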
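Review bot: [PATCH 6/6], rename hunk: dropping the stray trailing underscore from the filename is the right fix, and the filter macro the search already references, `windows_impair_defenses_disable_auto_logger_session_filter`, matches the new name `windows_impair_defenses_disable_auto_logger_session` plus `_filter`. Note that no macro definition is part of this series (the [PATCH 5/6] diffstat lists only the two detection files and the story), so confirm the macro is generated by the build or add its definition before merging; otherwise the search fails to resolve at runtime.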