Expand Up @@ -6,7 +6,7 @@ author: Dean Luxton
status: production
type: TTP
data_source:
- Windows Security 5136
- Windows Event Log Security 5136
description: This detection identifies an Active Directory access-control list (ACL)
modification event, which applies permissions that deny the ability to enumerate
permissions of the object.
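Review bot: the version and date fields (file lines 3-4) sit above this hunk, which starts at line 6, so it is not visible whether they were bumped the way the DCShadow Privileges ACL Addition file is (version 3 to 4, date '2025-02-17'); a data_source rename changes the detection's metadata and should carry the same bump. The same check applies to every other hunk on this page whose header reads "@@ -6,7 +6,7 @@".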
Expand Up @@ -6,7 +6,7 @@ author: Dean Luxton
status: production
type: TTP
data_source:
- Windows Security 5136
- Windows Event Log Security 5136
description: 'This detection monitors the addition of the following ACLs to an Active
Directory group object: "Full control", "All extended rights", "All validated writes", "Create
all child objects", "Delete all child objects", "Delete subtree", "Delete", "Modify
Expand Up @@ -6,7 +6,7 @@ author: Dean Luxton
status: production
type: TTP
data_source:
- Windows Security 5136
- Windows Event Log Security 5136
description: 'This detection monitors the addition of the following ACLs to an Active
Directory user object: "Full control","All extended rights","All validated writes",
"Create all child objects","Delete all child objects","Delete subtree","Delete","Modify
@@ -1,12 +1,12 @@
name: Windows AD DCShadow Privileges ACL Addition
id: ae915743-1aa8-4a94-975c-8062ebc8b723
version: 3
date: '2025-01-21'
version: 4
date: '2025-02-17'
author: Dean Luxton
status: production
type: TTP
data_source:
- Windows Security 5136
- Windows Event Log Security 5136
description: This detection identifies an Active Directory access-control list (ACL)
modification event, which applies the minimum required extended rights to perform
the DCShadow attack.
Expand Up @@ -6,7 +6,7 @@ author: Dean Luxton
status: production
type: TTP
data_source:
- Windows Security 5136
- Windows Event Log Security 5136
description: ACL deletion performed on the domain root object, significant AD change
with high impact. Following MS guidance all changes at this level should be reviewed.
Drill into the logonID within EventCode 4624 for information on the source device
Expand Up @@ -6,7 +6,7 @@ author: Dean Luxton
status: production
type: TTP
data_source:
- Windows Security 5136
- Windows Event Log Security 5136
description: ACL modification performed on the domain root object, significant AD
change with high impact. Following MS guidance all changes at this level should
be reviewed. Drill into the logonID within EventCode 4624 for information on the
6 changes: 3 additions & 3 deletions detections/application/windows_ad_gpo_deleted.yml
@@ -1,12 +1,12 @@
name: Windows AD GPO Deleted
id: 0d41772b-35ab-4e1c-a2ba-d0b455481aee
version: 3
date: '2025-01-21'
version: 4
date: '2025-02-17'
author: Dean Luxton
status: production
type: TTP
data_source:
- Windows Security 5136
- Windows Event Log Security 5136
description: This detection identifies when an Active Directory Group Policy is deleted
using the Group Policy Management Console.
search: '`wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=gpLink | eval ObjectDN=upper(ObjectDN)
6 changes: 3 additions & 3 deletions detections/application/windows_ad_gpo_disabled.yml
@@ -1,12 +1,12 @@
name: Windows AD GPO Disabled
id: 72793bc0-c0cd-400e-9e60-fdf36f278917
version: 3
date: '2025-01-21'
version: 4
date: '2025-02-17'
author: Dean Luxton
status: production
type: TTP
data_source:
- Windows Security 5136
- Windows Event Log Security 5136
description: This detection identifies when an Active Directory Group Policy is disabled
using the Group Policy Management Console.
search: '`wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=flags OperationType="%%14674"
Expand Up @@ -6,7 +6,7 @@ author: Dean Luxton
status: production
type: TTP
data_source:
- Windows Security 5136
- Windows Event Log Security 5136
description: This detection identifies when a a new client side extension is added
to an Active Directory Group Policy using the Group Policy Management Console.
search: '`wineventlog_security` EventCode=5136 ObjectClass=groupPolicyContainer AttributeLDAPDisplayName=gPCMachineExtensionNames
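Review bot: the unchanged context line "description: This detection identifies when a a new client side extension is added" has a doubled "a a"; since this file is already being edited, fixing it to "when a new client-side extension is added" in the same commit is cheap.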
2 changes: 1 addition & 1 deletion detections/application/windows_ad_hidden_ou_creation.yml
Expand Up @@ -6,7 +6,7 @@ author: Dean Luxton
status: production
type: TTP
data_source:
- Windows Security 5136
- Windows Event Log Security 5136
description: This analytic is looking for when an ACL is applied to an OU which denies
listing the objects residing in the OU. This activity combined with modifying the
owner of the OU will hide AD objects even from domain administrators.
Expand Up @@ -6,7 +6,7 @@ author: Dean Luxton
status: production
type: TTP
data_source:
- Windows Security 5136
- Windows Event Log Security 5136
description: AD Object Owner Updated. The owner provides Full control level privileges
over the target AD Object. This event has significant impact alone and is also a
precursor activity for hiding an AD object.
6 changes: 3 additions & 3 deletions detections/application/windows_ad_self_dacl_assignment.yml
@@ -1,12 +1,12 @@
name: Windows AD Self DACL Assignment
id: 16132445-da9f-4d03-ad44-56d717dcd67d
version: 3
date: '2025-01-21'
version: 4
date: '2025-02-17'
author: Dean Luxton
status: production
type: TTP
data_source:
- Windows Security 5136
- Windows Event Log Security 5136
description: Detect when a user creates a new DACL in AD for their own AD object.
search: "`wineventlog_security` EventCode=5136 | stats min(_time) as _time values(eval(if(OperationType==\"\
%%14675\",AttributeValue,null))) as old_value values(eval(if(OperationType==\"%%14674\"\
Expand Up @@ -6,7 +6,7 @@ author: Dean Luxton
status: production
type: TTP
data_source:
- Windows Security 5136
- Windows Event Log Security 5136
description: 'This detection monitors changes to the following Active Directory attributes:
"msDS-AllowedToDelegateTo", "msDS-AllowedToActOnBehalfOfOtherIdentity", "msDS-KeyCredentialLink",
"scriptPath", and "msTSInitialProgram". Modifications to these attributes can indicate
Expand Up @@ -6,8 +6,8 @@ author: Dean Luxton
status: experimental
type: TTP
data_source:
- Windows Security 5136
- Windows Security 5145
- Windows Event Log Security 5136
- Windows Event Log Security 5145
description: This analytic looks for a the creation of potentially harmful GPO which
could lead to persistence or code execution on remote hosts. Note, this analyic
is looking for the absence of the corresponding 5136 events which is evidence of
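Review bot: the context lines of this hunk read "looks for a the creation of potentially harmful GPO" and "this analyic is looking"; suggest "looks for the creation of a potentially harmful GPO" and "analytic" while the file is open. This hunk also starts at line 6, so whether version and date were bumped alongside the data_source rename is not visible here.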
Expand Up @@ -4,7 +4,7 @@ version: 2
date: '2025-02-10'
author: Dean Luxton
data_source:
- O365 Add app role assignment grant to user
- O365 Add app role assignment grant to user.
type: TTP
status: production
description: This detection identifies when an Azure Service Principal elevates privileges
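Review bot: the only change to this data_source entry is a trailing period ("O365 Add app role assignment grant to user."), which reads like a typo rather than an intended rename; if the point of this PR is to align data_source strings with one canonical spelling (as the "Windows Security 5136" to "Windows Event Log Security 5136" renames suggest), confirm the canonical name really ends in a period, otherwise drop it. Note also that version: 2 and date: '2025-02-10' in the hunk header are left unchanged here, whereas the other files on this page bump version and set date to '2025-02-17' for the same kind of edit.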
Expand Up @@ -6,7 +6,7 @@ author: Dean Luxton
type: TTP
status: production
data_source:
- Windows Security 5136
- Windows Event Log Security 5136
description: The following analytic detects the addition of permissions required for
a DCSync attack, specifically DS-Replication-Get-Changes, DS-Replication-Get-Changes-All,
and DS-Replication-Get-Changes-In-Filtered-Set. It leverages EventCode 5136 from
@@ -1,10 +1,10 @@
name: Windows Archived Collected Data In TEMP Folder
id: cb56a1ea-e0b1-46d5-913f-e024cba40cbe
version: 2
date: '2024-11-13'
version: 3
date: '2025-02-17'
author: Teoderick Contreras, Splunk
data_source:
- Sysmon Event ID 11
- Sysmon EventID 11
type: TTP
status: production
description: The following analytic detects the creation of archived files in a temporary
@@ -1,10 +1,10 @@
name: Windows BitLockerToGo with Network Activity
id: 14e3a089-cc23-4f4d-a770-26e44a31fbac
version: 2
date: '2025-01-21'
version: 3
date: '2025-02-17'
author: Michael Haag, Nasreddine Bencherchali, Splunk
data_source:
- Sysmon Event ID 22
- Sysmon EventID 22
type: Hunting
status: production
description: The following analytic detects suspicious usage of BitLockerToGo.exe,
@@ -1,10 +1,10 @@
name: Windows Credentials Access via VaultCli Module
id: c0d89118-3f89-4cd7-8140-1f39e7210681
version: 2
date: '2025-01-21'
version: 3
date: '2025-02-17'
author: Teoderick Contreras, Splunk
data_source:
- Sysmon Event ID 7
- Sysmon EventID 7
type: Anomaly
status: production
description: The following analytic detects potentially abnormal interactions with
Expand Up @@ -4,7 +4,7 @@ version: 3
date: '2025-02-10'
author: Teoderick Contreras, Splunk
data_source:
- Sysmon Event ID 11
- Sysmon EventID 11
type: TTP
status: production
description: The following analytic detects the copying of Chrome's Local State and
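Review bot: version: 3 and date: '2025-02-10' in the hunk header are not bumped although data_source changes from "Sysmon Event ID 11" to "Sysmon EventID 11"; the other files on this page bump version and set date to '2025-02-17' for the identical edit, so this one should be brought in line.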
Expand Up @@ -4,7 +4,7 @@ version: 3
date: '2025-02-10'
author: Teoderick Contreras, Splunk
data_source:
- Sysmon Event ID 11
- Sysmon EventID 11
type: TTP
status: production
description: The following analytic detects the creation of files containing passwords,
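Review bot: same inconsistency as the hunk above it: version: 3 and date: '2025-02-10' stay unchanged while the data_source entry is renamed, unlike the version/date bumps applied elsewhere in this PR.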
@@ -1,10 +1,10 @@
name: Windows Obfuscated Files or Information via RAR SFX
id: 4ab6862b-ce88-4223-96c0-f6da2cffb898
version: 1
date: '2024-12-12'
version: 2
date: '2025-02-17'
author: Teoderick Contreras, Splunk
data_source:
- Sysmon Event ID 11
- Sysmon EventID 11
type: Anomaly
status: production
description: The following analytic detects the creation of RAR Self-Extracting (SFX) files by monitoring the generation of file related to rar sfx .tmp file creation during sfx installation. This method leverages a heuristic to identify RAR SFX archives based on specific markers that indicate a combination of executable code and compressed RAR data. By tracking such activity, the analytic helps pinpoint potentially unauthorized or suspicious file creation events, which are often associated with malware packaging or data exfiltration. Legitimate usage may include custom installers or compressed file delivery.
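Review bot: the unchanged description line "by monitoring the generation of file related to rar sfx .tmp file creation during sfx installation" is hard to parse; suggest wording such as "by monitoring the .tmp files a RAR SFX archive writes during extraction" while this file is being edited.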
Expand Up @@ -8,9 +8,9 @@ type: Anomaly
description: This analytic is used to identify when a removable media device is attached to a machine and then a process is executed from the same drive letter assigned to the removable media device. Adversaries and Insider Threats may use removable media devices for several malicious activities, including initial access, execution, and exfiltration.
data_source:
- Windows Security Event ID 4688
- Sysmon Event ID 1
- Sysmon Event ID 12
- Sysmon Event ID 13
- Sysmon EventID 1
- Sysmon EventID 12
- Sysmon EventID 13
- CrowdStrike ProcessRollup2
search: |-
| tstats `security_content_summariesonly` count values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_current_directory=* AND NOT Processes.process_current_directory IN ("C:\\*","*\\sysvol\\*") by Processes.dest Processes.user Processes.process_name Processes.parent_process_name Processes.process_current_directory
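Review bot: "- Windows Security Event ID 4688" is left untouched in this hunk while the three Sysmon entries are renamed to the "Sysmon EventID N" form and, elsewhere in this PR, "Windows Security 4698" becomes "Windows Event Log Security 4698"; if the rename is meant to settle on one canonical spelling per data source, 4688 should presumably become "Windows Event Log Security 4688" here too. This hunk starts at line 8, so the version/date bump is not visible either.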
8 changes: 4 additions & 4 deletions detections/endpoint/windows_runmru_command_execution.yml
@@ -1,11 +1,11 @@
name: Windows RunMRU Command Execution
id: a15aa1ab-2b79-467f-8201-65e0f32d5b1a
version: 2
date: '2025-01-21'
version: 3
date: '2025-02-17'
author: Nasreddine Bencherchali, Michael Haag, Splunk
data_source:
- Sysmon Event ID 11
- Sysmon Event ID 13
- Sysmon EventID 11
- Sysmon EventID 13
type: Anomaly
status: production
description: The following analytic detects modifications to the Windows RunMRU registry
@@ -1,10 +1,10 @@
name: Windows Scheduled Tasks for CompMgmtLauncher or Eventvwr
id: feb43b86-8c38-46cd-865e-20ce8a96c26c
version: 4
date: '2024-11-13'
version: 5
date: '2025-02-17'
author: Teoderick Contreras, Splunk
data_source:
- Windows Security 4698
- Windows Event Log Security 4698
type: TTP
status: production
description: The following analytic detects the creation or modification of Windows
@@ -1,10 +1,10 @@
name: Windows Screen Capture in TEMP folder
id: 00524d1f-a032-46f5-9108-e7d9f01bfb3c
version: 2
date: '2024-11-13'
version: 3
date: '2025-02-17'
author: Teoderick Contreras, Splunk
data_source:
- Sysmon Event ID 11
- Sysmon EventID 11
type: TTP
status: production
description: The following analytic detects the creation of screen capture files by
Expand Up @@ -7,7 +7,7 @@ status: production
type: Anomaly
description: The following analytic detects the execution of `query.exe` with command-line arguments aimed at discovering data on remote devices. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as adversaries may use `query.exe` to gain situational awareness and perform Active Directory discovery on compromised endpoints. If confirmed malicious, this behavior could allow attackers to identify various details about a system, aiding in further lateral movement and privilege escalation within the network.
data_source:
- Sysmon Event ID 1
- Sysmon EventID 1
- Windows Security Event ID 4688
- CrowdStrike ProcessRollup2
search: |-
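Review bot: as in the removable-media hunk above, "- Windows Security Event ID 4688" keeps its old form here while "- Sysmon Event ID 1" is renamed to "- Sysmon EventID 1"; confirm whether 4688 should follow the "Windows Event Log Security NNNN" pattern this PR applies to 5136 and 4698, so that a single event source does not end up with two spellings across the detection set.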
Expand Up @@ -7,8 +7,8 @@ status: production
type: Anomaly
description: This analytic is used to identify when a USB removable media device is attached to a Windows host. In this scenario we are querying the Endpoint Registry data model to look for modifications to the HKLM\System\CurrentControlSet\Enum\USBSTOR\ key. Adversaries and Insider Threats may use removable media devices for several malicious activities, including initial access, execution, and exfiltration.
data_source:
- Sysmon Event ID 12
- Sysmon Event ID 13
- Sysmon EventID 12
- Sysmon EventID 13
search: |-
| tstats `security_content_summariesonly` values(Registry.registry_value_data) as registry_value_data, values(Registry.registry_value_name) as registry_value_name, min(_time) as firstTime, max(_time) as lastTime, count from datamodel=Endpoint.Registry where Registry.registry_path IN ("HKLM\\System\\CurrentControlSet\\Enum\\USBSTOR\\*") AND Registry.registry_value_name ="FriendlyName" by Registry.dest,Registry.registry_value_data,Registry.registry_path
| `drop_dm_object_name(Registry)`
Expand Up @@ -7,8 +7,8 @@ status: production
type: Anomaly
description: This analytic is used to identify when a USB removable media device is attached to a Windows host. In this scenario we are querying the Endpoint Registry data model to look for modifications to the Windows Portable Device keys HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices\ or HKLM\System\CurrentControlSet\Enum\SWD\WPDBUSENUM\ . Adversaries and Insider Threats may use removable media devices for several malicious activities, including initial access, execution, and exfiltration.
data_source:
- Sysmon Event ID 12
- Sysmon Event ID 13
- Sysmon EventID 12
- Sysmon EventID 13
search: |-
| tstats `security_content_summariesonly` latest(Registry.registry_path) as registry_path, values(Registry.registry_value_name) as registry_value_name, min(_time) as firstTime, max(_time) as lastTime, count from datamodel=Endpoint.Registry where Registry.registry_path IN ("HKLM\\SOFTWARE\\Microsoft\\Windows Portable Devices\\Devices\\*","HKLM\\System\\CurrentControlSet\\Enum\\SWD\\WPDBUSENUM\\*") AND Registry.registry_value_name ="FriendlyName" AND Registry.registry_path="*USBSTOR*" by Registry.dest,Registry.registry_value_data
| `drop_dm_object_name(Registry)`