From bc09282fb498cc298ce52b2ce3a41f72b6f1ef93 Mon Sep 17 00:00:00 2001
From: tccontre
Date: Tue, 24 Sep 2024 16:54:19 +0200
Subject: [PATCH 01/30] auditd_sourcetype_update
---
 data_sources/linux_auditd_add_user.yml | 6 +++---
 data_sources/linux_auditd_execve.yml | 6 +++---
 data_sources/linux_auditd_path.yml | 6 +++---
 data_sources/linux_auditd_proctitle.yml | 6 +++---
 data_sources/linux_auditd_service_stop.yml | 6 +++---
 data_sources/linux_auditd_syscall.yml | 6 +++---
 6 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/data_sources/linux_auditd_add_user.yml b/data_sources/linux_auditd_add_user.yml
index 00f77c2930..4a1c98bf92 100644
--- a/data_sources/linux_auditd_add_user.yml
+++ b/data_sources/linux_auditd_add_user.yml
@@ -1,11 +1,11 @@
 name: Linux Auditd Add User
 id: 30f79353-e1d2-4585-8735-1e0359559f3f
 version: 1
-date: '2024-08-08'
+date: '2024-08-24'
 author: Teoderick Contreras, Splunk
 description: Data source object for Linux Auditd Add User Type
-source: /var/log/audit/audit.log
-sourcetype: linux:audit
+source: auditd
+sourcetype: auditd
 supported_TA:
 - name: Splunk Add-on for Unix and Linux
 url: https://splunkbase.splunk.com/app/833
diff --git a/data_sources/linux_auditd_execve.yml b/data_sources/linux_auditd_execve.yml
index c9287b2adf..26e02de1d5 100644
--- a/data_sources/linux_auditd_execve.yml
+++ b/data_sources/linux_auditd_execve.yml
@@ -1,11 +1,11 @@
 name: Linux Auditd Execve
 id: 9ef6364d-cc67-480e-8448-3306829a6a24
 version: 1
-date: '2024-08-08'
+date: '2024-09-24'
 author: Teoderick Contreras, Splunk
 description: Data source object for Linux Auditd Execve Type
-source: /var/log/audit/audit.log
-sourcetype: linux:audit
+source: auditd
+sourcetype: auditd
 supported_TA:
 - name: Splunk Add-on for Unix and Linux
 url: https://splunkbase.splunk.com/app/833
diff --git a/data_sources/linux_auditd_path.yml b/data_sources/linux_auditd_path.yml
index 14e850d8b0..802ab70ba2 100644
--- a/data_sources/linux_auditd_path.yml
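Review bot: The new `date` in linux_auditd_add_user.yml, `+date: '2024-08-24'`, disagrees with the `2024-09-24` written into the five sibling data-source files in this same patch and with the commit date (24 Sep 2024); it reads like a month typo and should be `date: '2024-09-24'`. Since these objects are metadata that other tooling may sort or compare by date, inconsistent stamps across one atomic change are worth fixing before merge. The execve hunk on this line makes the identical source/sourcetype change and needs no separate comment.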
+++ b/data_sources/linux_auditd_path.yml
@@ -1,11 +1,11 @@
 name: Linux Auditd Path
 id: 3d86125c-0496-4a5a-aae3-0d355a4f3d7d
 version: 1
-date: '2024-08-08'
+date: '2024-09-24'
 author: Teoderick Contreras, Splunk
 description: Data source object for Linux Auditd Path Type
-source: /var/log/audit/audit.log
-sourcetype: linux:audit
+source: auditd
+sourcetype: auditd
 supported_TA:
 - name: Splunk Add-on for Unix and Linux
 url: https://splunkbase.splunk.com/app/833
diff --git a/data_sources/linux_auditd_proctitle.yml b/data_sources/linux_auditd_proctitle.yml
index d4e194e9bf..ce39a87af1 100644
--- a/data_sources/linux_auditd_proctitle.yml
+++ b/data_sources/linux_auditd_proctitle.yml
@@ -1,11 +1,11 @@
 name: Linux Auditd Proctitle
 id: 5a25984a-2789-400a-858b-d75c923e06b1
 version: 1
-date: '2024-08-08'
+date: '2024-09-24'
 author: Teoderick Contreras, Splunk
 description: Data source object for Linux Auditd Proctitle Type
-source: /var/log/audit/audit.log
-sourcetype: linux:audit
+source: auditd
+sourcetype: auditd
 supported_TA:
 - name: Splunk Add-on for Unix and Linux
 url: https://splunkbase.splunk.com/app/833
diff --git a/data_sources/linux_auditd_service_stop.yml b/data_sources/linux_auditd_service_stop.yml
index d06f7b7ccb..13fe397643 100644
--- a/data_sources/linux_auditd_service_stop.yml
+++ b/data_sources/linux_auditd_service_stop.yml
@@ -1,11 +1,11 @@
 name: Linux Auditd Service Stop
 id: 0643483c-bc62-455c-8d6e-1630e5f0e00d
 version: 1
-date: '2024-08-08'
+date: '2024-09-24'
 author: Teoderick Contreras, Splunk
 description: Data source object for Linux Auditd Service Stop Type
-source: /var/log/audit/audit.log
-sourcetype: linux:audit
+source: auditd
+sourcetype: auditd
 supported_TA:
 - name: Splunk Add-on for Unix and Linux
 url: https://splunkbase.splunk.com/app/833
diff --git a/data_sources/linux_auditd_syscall.yml b/data_sources/linux_auditd_syscall.yml
index 326bb8910a..ab772f977d 100644
--- a/data_sources/linux_auditd_syscall.yml
+++ b/data_sources/linux_auditd_syscall.yml
@@ -1,11 +1,11 @@
 name: Linux Auditd Syscall
 id: 4dff7047-0d43-4096-bb3f-b756c889bbad
 version: 1
-date: '2024-08-08'
+date: '2024-09-24'
 author: Teoderick Contreras, Splunk
 description: Data source object for Linux Auditd Syscall Type
-source: /var/log/audit/audit.log
-sourcetype: linux:audit
+source: auditd
+sourcetype: auditd
 supported_TA:
 - name: Splunk Add-on for Unix and Linux
 url: https://splunkbase.splunk.com/app/833
From 3b3c0da4d54966f2ece7a5ef457764a41231531c Mon Sep 17 00:00:00 2001
From: tccontre
Date: Wed, 25 Sep 2024 14:53:39 +0200
Subject: [PATCH 02/30] auditd_sourcetype_update
---
 macros/linux_auditd.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/macros/linux_auditd.yml b/macros/linux_auditd.yml
index 70ce2b76cd..333f91208f 100644
--- a/macros/linux_auditd.yml
+++ b/macros/linux_auditd.yml
@@ -1,4 +1,4 @@
-definition: sourcetype="linux:audit"
+definition: sourcetype="auditd"
 description: customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.
 name: linux_auditd
\ No newline at end of file
From f909be7cce1463eb3c85c075942686cbc9b00129 Mon Sep 17 00:00:00 2001
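Review bot: Switching the `linux_auditd` macro to `definition: sourcetype="auditd"` is a hard cutover: every detection search visible in this series opens with `` `linux_auditd` ``, so a deployment that still indexes audit logs as `linux:audit` will have all of those analytics silently stop matching, with no error to tell the SOC that coverage was lost. If a transition window is intended, a safer default is `definition: sourcetype IN ("auditd", "linux:audit")`, or at least the description should state that the expected sourcetype changed and must be re-validated against the deployed add-on. While the line is being rewritten, the description's `Environmnent` typo and the still-missing trailing newline (`\ No newline at end of file` applies to the new side too) could be fixed in the same commit.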
From: research-bot
Date: Tue, 18 Feb 2025 14:41:27 -0800
Subject: [PATCH 03/30] updating sourcetype, version and date
---
 .../linux_auditd_add_user_account.yml | 6 +-
 .../linux_auditd_add_user_account_type.yml | 6 +-
 .../linux_auditd_at_application_execution.yml | 6 +-
 .../linux_auditd_auditd_service_stop.yml | 6 +-
 .../linux_auditd_base64_decode_files.yml | 6 +-
 ...linux_auditd_change_file_owner_to_root.yml | 6 +-
 .../linux_auditd_clipboard_data_copy.yml | 45 ++++++++++++---
 .../linux_auditd_data_destruction_command.yml | 42 +++++++++++---
 ...td_data_transfer_size_limits_via_split.yml | 44 ++++++++++++---
 ...transfer_size_limits_via_split_syscall.yml | 6 +-
 ..._database_file_and_directory_discovery.yml | 51 ++++++++++++++---
 .../linux_auditd_dd_file_overwrite.yml | 6 +-
 ...ditd_disable_or_modify_system_firewall.yml | 6 +-
 .../linux_auditd_doas_conf_file_creation.yml | 6 +-
 .../linux_auditd_doas_tool_execution.yml | 6 +-
 ...linux_auditd_edit_cron_table_parameter.yml | 6 +-
 ...ux_auditd_file_and_directory_discovery.yml | 55 ++++++++++++++++---
 ...file_permission_modification_via_chmod.yml | 6 +-
 ...le_permissions_modification_via_chattr.yml | 15 +++--
 ...ind_credentials_from_password_managers.yml | 31 +++++++++--
 ..._find_credentials_from_password_stores.yml | 6 +-
 .../linux_auditd_find_ssh_private_keys.yml | 6 +-
 ...linux_auditd_hardware_addition_swapoff.yml | 45 ++++++++++++---
 ..._hidden_files_and_directories_creation.yml | 47 +++++++++++++---
 ...ert_kernel_module_using_insmod_utility.yml | 6 +-
 ...l_kernel_module_using_modprobe_utility.yml | 6 +-
 ...linux_auditd_kernel_module_enumeration.yml | 12 ++--
 ...ditd_kernel_module_using_rmmod_utility.yml | 6 +-
 ..._auditd_nopasswd_entry_in_sudoers_file.yml | 6 +-
 .../linux_auditd_osquery_service_stop.yml | 6 +-
 ...ss_or_modification_of_sshd_config_file.yml | 6 +-
 ...td_possible_access_to_credential_files.yml | 6 +-
 ...auditd_possible_access_to_sudoers_file.yml | 6 +-
 ...cronjob_entry_on_existing_cronjob_file.yml | 6 +-
...ux_auditd_preload_hijack_library_calls.yml | 6 +-
 ...auditd_preload_hijack_via_preload_file.yml | 6 +-
 ...ivate_keys_and_certificate_enumeration.yml | 6 +-
 .../linux_auditd_service_restarted.yml | 6 +-
 .../endpoint/linux_auditd_service_started.yml | 6 +-
 ...inux_auditd_setuid_using_chmod_utility.yml | 6 +-
 ...nux_auditd_setuid_using_setcap_utility.yml | 6 +-
 .../linux_auditd_shred_overwrite_command.yml | 6 +-
 .../endpoint/linux_auditd_stop_services.yml | 41 +++++++++++---
 .../linux_auditd_sudo_or_su_execution.yml | 6 +-
 .../linux_auditd_sysmon_service_stop.yml | 6 +-
 ...system_network_configuration_discovery.yml | 6 +-
 ..._unix_shell_configuration_modification.yml | 6 +-
 ...inux_auditd_unload_module_via_modprobe.yml | 6 +-
 ...tual_disk_file_and_directory_discovery.yml | 45 ++++++++++++---
 .../linux_auditd_whoami_user_discovery.yml | 6 +-
 50 files changed, 491 insertions(+), 210 deletions(-)
diff --git a/detections/endpoint/linux_auditd_add_user_account.yml b/detections/endpoint/linux_auditd_add_user_account.yml
index c29d67571e..e04c7ab89e 100644
--- a/detections/endpoint/linux_auditd_add_user_account.yml
+++ b/detections/endpoint/linux_auditd_add_user_account.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Add User Account
 id: aae66dc0-74b4-4807-b480-b35f8027abb4
-version: 4
-date: '2025-02-10'
+version: 5
+date: '2025-02-18'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -72,4 +72,4 @@ tests:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/linux_auditd_add_user/linux_auditd_add_user.log
 source: /var/log/audit/audit.log
- sourcetype: linux:audit
+ sourcetype: auditd
diff --git a/detections/endpoint/linux_auditd_add_user_account_type.yml b/detections/endpoint/linux_auditd_add_user_account_type.yml
index 7bf00799da..163a6db549 100644
--- a/detections/endpoint/linux_auditd_add_user_account_type.yml
+++ b/detections/endpoint/linux_auditd_add_user_account_type.yml
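Review bot: The tests hunk updates only `sourcetype: auditd` and leaves `source: /var/log/audit/audit.log`, while PATCH 01 of this series changed the corresponding data-source objects to `source: auditd`; the two now describe the same telemetry with different `source` values. If the replay or data-source validation tooling compares `source` against the data-source object (not visible here, so this is an assumption), these tests will drift from the declared data source; either keep the data-source `source` as the log path or change the test to `source: auditd` so the pair stays consistent. The same pattern repeats in every tests hunk in this patch, so one decision should be applied across all of them.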
@@ -1,7 +1,7 @@
 name: Linux Auditd Add User Account Type
 id: f8c325ea-506e-4105-8ccf-da1492e90115
-version: 5
-date: '2025-02-10'
+version: 6
+date: '2025-02-18'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -71,4 +71,4 @@ tests:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/linux_auditd_add_user_type/linux_auditd_add_user_type.log
 source: /var/log/audit/audit.log
- sourcetype: linux:audit
+ sourcetype: auditd
diff --git a/detections/endpoint/linux_auditd_at_application_execution.yml b/detections/endpoint/linux_auditd_at_application_execution.yml
index e9c76689ff..c8512e0076 100644
--- a/detections/endpoint/linux_auditd_at_application_execution.yml
+++ b/detections/endpoint/linux_auditd_at_application_execution.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd At Application Execution
 id: 9f306e0a-1c36-469e-8892-968ca12470dd
-version: 4
-date: '2025-02-10'
+version: 5
+date: '2025-02-18'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -77,4 +77,4 @@ tests:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/linux_auditd_at/linux_auditd_at_execution.log
 source: /var/log/audit/audit.log
- sourcetype: linux:audit
+ sourcetype: auditd
diff --git a/detections/endpoint/linux_auditd_auditd_service_stop.yml b/detections/endpoint/linux_auditd_auditd_service_stop.yml
index 8efe47b2f9..ee684d33d5 100644
--- a/detections/endpoint/linux_auditd_auditd_service_stop.yml
+++ b/detections/endpoint/linux_auditd_auditd_service_stop.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Auditd Service Stop
 id: 6cb9d0e1-eabe-41de-a11a-5efade354e9d
-version: 3
-date: '2024-11-13'
+version: 4
+date: '2025-02-18'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -72,4 +72,4 @@ tests:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1489/linux_auditd_auditd_service_stop/linux_auditd_auditd_service_stop.log
 source: /var/log/audit/audit.log
- sourcetype: linux:audit
+ sourcetype: auditd
diff --git a/detections/endpoint/linux_auditd_base64_decode_files.yml b/detections/endpoint/linux_auditd_base64_decode_files.yml
index 57b3c91b7f..6664ffb42b 100644
--- a/detections/endpoint/linux_auditd_base64_decode_files.yml
+++ b/detections/endpoint/linux_auditd_base64_decode_files.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Base64 Decode Files
 id: 5890ba10-4e48-4dc0-8a40-3e1ebe75e737
-version: 3
-date: '2024-11-13'
+version: 4
+date: '2025-02-18'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -76,4 +76,4 @@ tests:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1140/linux_auditd_base64/linux_auditd_base64.log
 source: /var/log/audit/audit.log
- sourcetype: linux:audit
+ sourcetype: auditd
diff --git a/detections/endpoint/linux_auditd_change_file_owner_to_root.yml b/detections/endpoint/linux_auditd_change_file_owner_to_root.yml
index b4733004c9..6dcef1ef1d 100644
--- a/detections/endpoint/linux_auditd_change_file_owner_to_root.yml
+++ b/detections/endpoint/linux_auditd_change_file_owner_to_root.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Change File Owner To Root
 id: 7b87c556-0ca4-47e0-b84c-6cd62a0a3e90
-version: 5
-date: '2025-02-10'
+version: 6
+date: '2025-02-18'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
@@ -75,4 +75,4 @@ tests:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/linux_auditd_chown_root/linux_auditd_chown_root.log
 source: /var/log/audit/audit.log
- sourcetype: linux:audit
+ sourcetype: auditd
diff --git a/detections/endpoint/linux_auditd_clipboard_data_copy.yml b/detections/endpoint/linux_auditd_clipboard_data_copy.yml
index 0a32d1b5d3..3084c03416 100644
--- a/detections/endpoint/linux_auditd_clipboard_data_copy.yml
+++ b/detections/endpoint/linux_auditd_clipboard_data_copy.yml
@@ -1,16 +1,37 @@ name: Linux Auditd Clipboard Data Copy id: 9ddfe470-c4d0-4e60-8668-7337bd699edd -version: 3 -date: '2025-01-16' +version: 4 +date: '2025-02-18' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the use of the Linux 'xclip' command to copy data from the clipboard. It leverages Linux Auditd telemetry, focusing on process names and command-line arguments related to clipboard operations. This activity is significant because adversaries can exploit clipboard data to capture sensitive information such as passwords or IP addresses. If confirmed malicious, this technique could lead to unauthorized data exfiltration, compromising sensitive information and potentially aiding further attacks within the environment. +description: The following analytic detects the use of the Linux 'xclip' command to + copy data from the clipboard. It leverages Linux Auditd telemetry, focusing on process + names and command-line arguments related to clipboard operations. This activity + is significant because adversaries can exploit clipboard data to capture sensitive + information such as passwords or IP addresses. If confirmed malicious, this technique + could lead to unauthorized data exfiltration, compromising sensitive information + and potentially aiding further attacks within the environment. 
data_source: - Linux Auditd Execve -search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | rename comm as process_name | rename exe as process | where LIKE(process_exec, "%xclip%") AND (LIKE(process_exec, "%clipboard%") OR LIKE(process_exec, "%-o%") OR LIKE(process_exec, "%clip %") OR LIKE(process_exec, "%-selection %") OR LIKE(process_exec, "%sel %")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_clipboard_data_copy_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed -known_false_positives: False positives may be present on Linux desktop as it may commonly be used by administrators or end users. Filter as needed. 
+search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as + dest | rename comm as process_name | rename exe as process | where LIKE(process_exec, + "%xclip%") AND (LIKE(process_exec, "%clipboard%") OR LIKE(process_exec, "%-o%") + OR LIKE(process_exec, "%clip %") OR LIKE(process_exec, "%-selection %") OR LIKE(process_exec, + "%sel %")) | stats count min(_time) as firstTime max(_time) as lastTime by argc + process_exec dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| + `linux_auditd_clipboard_data_copy_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures + command-line executions and process details on Unix/Linux systems. These logs should + be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: False positives may be present on Linux desktop as it may commonly + be used by administrators or end users. Filter as needed. references: - https://attack.mitre.org/techniques/T1115/ - https://linux.die.net/man/1/xclip 
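Review bot: The reflowed `how_to_implement` says auditd data "consists of SYSCALL, TYPE, EXECVE and PROCTITLE events", but `TYPE` is not an auditd record type — it is the field that carries the record type; given the data-source objects added in PATCH 01 (execve, path, proctitle, syscall, …), `PATH` looks intended, so `SYSCALL, PATH, EXECVE and PROCTITLE events`. The same sentence is pasted into the other detections in this patch and should be corrected consistently. Separately, the search renames `comm` to `process_name` and `exe` to `process` but neither field appears in `stats ... by argc process_exec dest`, so either the renames are dead or the `by` clause is missing `process_name process`; for an xclip detection, grouping by the resolved binary path would also make it harder to hide behind a renamed copy.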
@@ -20,7 +41,12 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: @@ -46,6 +72,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1115/linux_auditd_xclip/linux_auditd_xclip.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1115/linux_auditd_xclip/linux_auditd_xclip.log source: /var/log/audit/audit.log - sourcetype: linux:audit + sourcetype: auditd diff --git a/detections/endpoint/linux_auditd_data_destruction_command.yml b/detections/endpoint/linux_auditd_data_destruction_command.yml index 94d554eb0a..5f597bd5f7 100644 --- a/detections/endpoint/linux_auditd_data_destruction_command.yml 
+++ b/detections/endpoint/linux_auditd_data_destruction_command.yml 
@@ -1,15 +1,35 @@ name: Linux Auditd Data Destruction Command id: 4da5ce1a-f71b-4e71-bb73-c0a3c73f3c3c -version: 3 -date: '2025-01-15' +version: 4 +date: '2025-02-18' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the execution of a Unix shell command designed to wipe root directories on a Linux host. It leverages data from Linux Auditd, focusing on the 'rm' command with force recursive deletion and the '--no-preserve-root' option. This activity is significant as it indicates potential data destruction attempts, often associated with malware like Awfulshred. If confirmed malicious, this behavior could lead to severe data loss, system instability, and compromised integrity of the affected Linux host. Immediate investigation and response are crucial to mitigate potential damage. +description: The following analytic detects the execution of a Unix shell command + designed to wipe root directories on a Linux host. It leverages data from Linux + Auditd, focusing on the 'rm' command with force recursive deletion and the '--no-preserve-root' + option. This activity is significant as it indicates potential data destruction + attempts, often associated with malware like Awfulshred. If confirmed malicious, + this behavior could lead to severe data loss, system instability, and compromised + integrity of the affected Linux host. Immediate investigation and response are crucial + to mitigate potential damage. 
data_source: - Linux Auditd Execve -search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | rename comm as process_name | rename exe as process | where LIKE (process_exec, "%rm %") AND LIKE (process_exec, "% -rf %") AND LIKE (process_exec, "%--no-preserve-root%") | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_data_destruction_command_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed +search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as + dest | rename comm as process_name | rename exe as process | where LIKE (process_exec, + "%rm %") AND LIKE (process_exec, "% -rf %") AND LIKE (process_exec, "%--no-preserve-root%") + | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec + dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| + `linux_auditd_data_destruction_command_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures + command-line executions and process details on Unix/Linux systems. 
These logs should + be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed known_false_positives: unknown references: - https://cert.gov.ua/article/3718487 @@ -20,7 +40,12 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: 
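Review bot: The reworked `search` still requires `LIKE (process_exec, "% -rf %")`, so `rm -fr --no-preserve-root /`, `rm -Rf --no-preserve-root /` or `rm -r -f --no-preserve-root /` never match even though each carries the `--no-preserve-root` flag the description names as the indicator. That flag only matters when `/` is being removed recursively, so `rm` plus `--no-preserve-root` is already the high-fidelity signal; tightening the `where` to `where LIKE(process_exec, "%rm %") AND LIKE(process_exec, "%--no-preserve-root%")` closes the trivial option-reordering evasion without adding noise (the analytic is typed TTP with `known_false_positives: unknown`). The hunk's first context lines begin at the top of the file, but the drilldown and test sections continue in later hunks.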
@@ -46,6 +71,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/linux_auditd_no_preserve_root/linux_auditd_no_preserve_root.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/linux_auditd_no_preserve_root/linux_auditd_no_preserve_root.log source: /var/log/audit/audit.log - sourcetype: linux:audit + sourcetype: auditd diff --git a/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split.yml b/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split.yml index 2c7f2eee4e..58ea787511 100644 --- a/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split.yml +++ b/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split.yml 
@@ -1,16 +1,36 @@ name: Linux Auditd Data Transfer Size Limits Via Split id: 4669561d-3bbd-44e3-857c-0e3c6ef2120c -version: 3 -date: '2025-01-15' +version: 4 +date: '2025-02-18' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects suspicious data transfer activities that involve the use of the `split` syscall, potentially indicating an attempt to evade detection by breaking large files into smaller parts. Attackers may use this technique to bypass size-based security controls, facilitating the covert exfiltration of sensitive data. By monitoring for unusual or unauthorized use of the `split` syscall, this analytic helps identify potential data exfiltration attempts, allowing security teams to intervene and prevent the unauthorized transfer of critical information from the network. +description: The following analytic detects suspicious data transfer activities that + involve the use of the `split` syscall, potentially indicating an attempt to evade + detection by breaking large files into smaller parts. Attackers may use this technique + to bypass size-based security controls, facilitating the covert exfiltration of + sensitive data. By monitoring for unusual or unauthorized use of the `split` syscall, + this analytic helps identify potential data exfiltration attempts, allowing security + teams to intervene and prevent the unauthorized transfer of critical information + from the network. 
data_source: - Linux Auditd Execve -search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | rename comm as process_name | rename exe as process | where LIKE(process_exec, "%split %") AND LIKE(process_exec, "% -b %") | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_data_transfer_size_limits_via_split_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed -known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. 
+search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as + dest | rename comm as process_name | rename exe as process | where LIKE(process_exec, + "%split %") AND LIKE(process_exec, "% -b %") | stats count min(_time) as firstTime + max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`| `linux_auditd_data_transfer_size_limits_via_split_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures + command-line executions and process details on Unix/Linux systems. These logs should + be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can use this application + for automation purposes. Please update the filter macros to remove false positives. references: - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html drilldown_searches: 
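Review bot: The `search` matches only `% -b %`, so `split --bytes=100M`, `split -b100M` (no space) and `-C`/`--line-bytes` chunking are all missed although the description claims to catch size-limit evasion via splitting; widening the clause to `(LIKE(process_exec, "% -b%") OR LIKE(process_exec, "%--bytes%") OR LIKE(process_exec, "%--line-bytes%"))` covers the forms an operator would actually type. The reflowed `description` also calls `split` a "syscall" three times — it is the coreutils `split` command observed through EXECVE records; the syscall-based variant is the sibling `linux_auditd_data_transfer_size_limits_via_split_syscall.yml` in this same patch — so the text should say `split command`. The `how_to_implement` paragraph repeats the `SYSCALL, TYPE, EXECVE and PROCTITLE` wording raised on the clipboard detection.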
@@ -19,7 +39,12 @@ drilldown_searches:
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
 - name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+ starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime
+ values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+ as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+ as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
 rba:
@@ -46,6 +71,7 @@ tags:
 tests:
 - name: True Positive Test
 attack_data:
- - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1030/linux_auditd_split_b_exec/linux_auditd_split_b_exec.log
+ - data:
+ https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1030/linux_auditd_split_b_exec/linux_auditd_split_b_exec.log
 source: /var/log/audit/audit.log
- sourcetype: linux:audit
+ sourcetype: auditd
diff --git a/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split_syscall.yml b/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split_syscall.yml
index 835309e3f6..31d7c48728 100644
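Review bot: The test fixture at the end of this hunk now replays under `sourcetype: auditd` while its `source:` is left at `/var/log/audit/audit.log`, and the detection still selects events through the `linux_auditd` macro, which is not part of this patch. Unless that macro (and the add-on's field extractions) has been updated to match the renamed sourcetype, the replayed events will not be selected and the True Positive Test fails on an empty result set rather than on a wrong one; whether the retained `source:` path is still meaningful once the sourcetype is `auditd` is also worth confirming. A one-line comment above the test entry, `# sourcetype must match what the linux_auditd macro selects`, would make that coupling visible to the next person who renames it. The same applies to every other `sourcetype: auditd` test hunk in this patch (split syscall, database discovery, dd overwrite, firewall, doas conf and tool, cron, file discovery, chmod, chattr, password managers and stores, ssh keys).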
--- a/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split_syscall.yml
+++ b/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split_syscall.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Data Transfer Size Limits Via Split Syscall
 id: c03d4a49-cf9d-435b-86e9-c6f8c9b6c42e
-version: 3
-date: '2024-11-13'
+version: 4
+date: '2025-02-18'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -74,4 +74,4 @@ tests:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1030/linux_auditd_split_syscall/linux_auditd_split_syscall.log
 source: /var/log/audit/audit.log
- sourcetype: linux:audit
+ sourcetype: auditd
diff --git a/detections/endpoint/linux_auditd_database_file_and_directory_discovery.yml b/detections/endpoint/linux_auditd_database_file_and_directory_discovery.yml
index d9643341cb..ba7c83913e 100644
--- a/detections/endpoint/linux_auditd_database_file_and_directory_discovery.yml
+++ b/detections/endpoint/linux_auditd_database_file_and_directory_discovery.yml
@@ -1,16 +1,43 @@
 name: Linux Auditd Database File And Directory Discovery
 id: f616c4f3-bde9-41cf-856c-019b65f668bb
-version: 4
-date: '2025-01-15'
+version: 5
+date: '2025-02-18'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
-description: The following analytic detects suspicious database file and directory discovery activities, which may signal an attacker attempt to locate and assess critical database assets on a compromised system. This behavior is often a precursor to data theft, unauthorized access, or privilege escalation, as attackers seek to identify valuable information stored in databases. By monitoring for unusual or unauthorized attempts to locate database files and directories, this analytic aids in early detection of potential reconnaissance or data breach efforts, enabling security teams to respond swiftly and mitigate the risk of further compromise.
+description: The following analytic detects suspicious database file and directory
+ discovery activities, which may signal an attacker attempt to locate and assess
+ critical database assets on a compromised system. This behavior is often a precursor
+ to data theft, unauthorized access, or privilege escalation, as attackers seek to
+ identify valuable information stored in databases. By monitoring for unusual or
+ unauthorized attempts to locate database files and directories, this analytic aids
+ in early detection of potential reconnaissance or data breach efforts, enabling
+ security teams to respond swiftly and mitigate the risk of further compromise.
data_source:
 - Linux Auditd Execve
-search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | rename comm as process_name | rename exe as process | where (LIKE (process_exec, "%find%") OR LIKE (process_exec, "%grep%")) AND (LIKE (process_exec, "%.db%") OR LIKE (process_exec, "%.sql%") OR LIKE (process_exec, "%.sqlite%") OR LIKE (process_exec, "%.mdb%")OR LIKE (process_exec, "%.accdb%")OR LIKE (process_exec, "%.mdf%")OR LIKE (process_exec, "%.ndf%")OR LIKE (process_exec, "%.ldf%")OR LIKE (process_exec, "%.frm%")OR LIKE (process_exec, "%.idb%")OR LIKE (process_exec, "%.myd%")OR LIKE (process_exec, "%.myi%")OR LIKE (process_exec, "%.dbf%")OR LIKE (process_exec, "%.db2%")OR LIKE (process_exec, "%.dbc%")OR LIKE (process_exec, "%.fpt%")OR LIKE (process_exec, "%.ora%")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_database_file_and_directory_discovery_filter`'
-how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
-known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.
+search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as
+ dest | rename comm as process_name | rename exe as process | where (LIKE (process_exec,
+ "%find%") OR LIKE (process_exec, "%grep%")) AND (LIKE (process_exec, "%.db%") OR
+ LIKE (process_exec, "%.sql%") OR LIKE (process_exec, "%.sqlite%") OR LIKE (process_exec,
+ "%.mdb%")OR LIKE (process_exec, "%.accdb%")OR LIKE (process_exec, "%.mdf%")OR LIKE
+ (process_exec, "%.ndf%")OR LIKE (process_exec, "%.ldf%")OR LIKE (process_exec, "%.frm%")OR
+ LIKE (process_exec, "%.idb%")OR LIKE (process_exec, "%.myd%")OR LIKE (process_exec,
+ "%.myi%")OR LIKE (process_exec, "%.dbf%")OR LIKE (process_exec, "%.db2%")OR LIKE
+ (process_exec, "%.dbc%")OR LIKE (process_exec, "%.fpt%")OR LIKE (process_exec, "%.ora%"))
+ | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec
+ dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|
+ `linux_auditd_database_file_and_directory_discovery_filter`'
+how_to_implement: To implement this detection, the process begins by ingesting auditd
+ data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures
+ command-line executions and process details on Unix/Linux systems. These logs should
+ be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833),
+ which is essential for correctly parsing and categorizing the data. The next step
+ involves normalizing the field names to match the field names set by the Splunk
+ Common Information Model (CIM) to ensure consistency across different data sources
+ and enhance the efficiency of data modeling. This approach enables effective monitoring
+ and detection of linux endpoints where auditd is deployed
+known_false_positives: Administrator or network operator can use this application
+ for automation purposes. Please update the filter macros to remove false positives.
 references:
 - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html
 - https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS
@@ -20,7 +47,12 @@ drilldown_searches:
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
 - name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+ starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime
+ values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+ as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+ as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
 rba:
@@ -48,6 +80,7 @@ tags:
 tests:
 - name: True Positive Test
 attack_data:
- - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1083/linux_auditd_find_db/linux_auditd_find_db.log
+ - data:
+ https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1083/linux_auditd_find_db/linux_auditd_find_db.log
 source: /var/log/audit/audit.log
- sourcetype: linux:audit
+ sourcetype: auditd
diff --git a/detections/endpoint/linux_auditd_dd_file_overwrite.yml b/detections/endpoint/linux_auditd_dd_file_overwrite.yml
index a37c14e655..e394dc7342 100644
--- a/detections/endpoint/linux_auditd_dd_file_overwrite.yml
+++ b/detections/endpoint/linux_auditd_dd_file_overwrite.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Dd File Overwrite
 id: d1b74420-4cea-4752-a123-9b40dfcca49a
-version: 3
-date: '2024-11-13'
+version: 4
+date: '2025-02-18'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
@@ -73,4 +73,4 @@ tests:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/linux_auditd_dd_overwrite/linux_auditd_dd_overwrite.log
 source: /var/log/audit/audit.log
- sourcetype: linux:audit
+ sourcetype: auditd
diff --git a/detections/endpoint/linux_auditd_disable_or_modify_system_firewall.yml b/detections/endpoint/linux_auditd_disable_or_modify_system_firewall.yml
index a825c4c9fe..7223685898 100644
--- a/detections/endpoint/linux_auditd_disable_or_modify_system_firewall.yml
+++ b/detections/endpoint/linux_auditd_disable_or_modify_system_firewall.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Disable Or Modify System Firewall
 id: 07052556-d4b5-4bae-89aa-cbdc1bb11250
-version: 4
-date: '2025-02-10'
+version: 5
+date: '2025-02-18'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -73,4 +73,4 @@ tests:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.004/linux_auditd_disable_firewall/linux_auditd_disable_firewall.log
 source: /var/log/audit/audit.log
- sourcetype: linux:audit
+ sourcetype: auditd
diff --git a/detections/endpoint/linux_auditd_doas_conf_file_creation.yml b/detections/endpoint/linux_auditd_doas_conf_file_creation.yml
index ce27362871..ea4f76b632 100644
--- a/detections/endpoint/linux_auditd_doas_conf_file_creation.yml
+++ b/detections/endpoint/linux_auditd_doas_conf_file_creation.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Doas Conf File Creation
 id: 61059783-574b-40d2-ac2f-69b898afd6b4
-version: 4
-date: '2025-02-10'
+version: 5
+date: '2025-02-18'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
@@ -72,4 +72,4 @@ tests:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_audited_doas_conf/linux_audited_doas_conf.log
 source: /var/log/audit/audit.log
- sourcetype: linux:audit
+ sourcetype: auditd
diff --git a/detections/endpoint/linux_auditd_doas_tool_execution.yml b/detections/endpoint/linux_auditd_doas_tool_execution.yml
index d955c86264..8389a88052 100644
--- a/detections/endpoint/linux_auditd_doas_tool_execution.yml
+++ b/detections/endpoint/linux_auditd_doas_tool_execution.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Doas Tool Execution
 id: 91b8ca78-f205-4826-a3ef-cd8d6b24e97b
-version: 4
-date: '2025-02-10'
+version: 5
+date: '2025-02-18'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -73,4 +73,4 @@ tests:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_auditd_doas/linux_auditd_doas.log
 source: /var/log/audit/audit.log
- sourcetype: linux:audit
+ sourcetype: auditd
diff --git a/detections/endpoint/linux_auditd_edit_cron_table_parameter.yml b/detections/endpoint/linux_auditd_edit_cron_table_parameter.yml
index e3a2452cda..f25d93556a 100644
--- a/detections/endpoint/linux_auditd_edit_cron_table_parameter.yml
+++ b/detections/endpoint/linux_auditd_edit_cron_table_parameter.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Edit Cron Table Parameter
 id: f4bb7321-7e64-4d1e-b1aa-21f8b019a91f
-version: 4
-date: '2025-02-10'
+version: 5
+date: '2025-02-18'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
@@ -75,4 +75,4 @@ tests:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/linux_auditd_crontab_edit/linux_auditd_crontab_edit.log
 source: /var/log/audit/audit.log
- sourcetype: linux:audit
+ sourcetype: auditd
diff --git a/detections/endpoint/linux_auditd_file_and_directory_discovery.yml b/detections/endpoint/linux_auditd_file_and_directory_discovery.yml
index f117d9113f..4e6e8baf46 100644
--- a/detections/endpoint/linux_auditd_file_and_directory_discovery.yml
+++ b/detections/endpoint/linux_auditd_file_and_directory_discovery.yml
@@ -1,16 +1,47 @@
 name: Linux Auditd File And Directory Discovery
 id: 0bbfb79c-a755-49a5-a38a-1128d0a452f1
-version: 3
-date: '2025-01-15'
+version: 4
+date: '2025-02-18'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
-description: The following analytic detects suspicious file and directory discovery activities, which may indicate an attacker's effort to locate sensitive documents and files on a compromised system. This behavior often precedes data exfiltration, as adversaries seek to identify valuable or confidential information for theft. By identifying unusual or unauthorized attempts to browse or enumerate files and directories, this analytic helps security teams detect potential reconnaissance or preparatory actions by an attacker, enabling timely intervention to prevent data breaches or unauthorized access.
+description: The following analytic detects suspicious file and directory discovery
+ activities, which may indicate an attacker's effort to locate sensitive documents
+ and files on a compromised system. This behavior often precedes data exfiltration,
+ as adversaries seek to identify valuable or confidential information for theft.
+ By identifying unusual or unauthorized attempts to browse or enumerate files and
+ directories, this analytic helps security teams detect potential reconnaissance
+ or preparatory actions by an attacker, enabling timely intervention to prevent data
+ breaches or unauthorized access.
data_source:
 - Linux Auditd Execve
-search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | rename comm as process_name | rename exe as process | where (LIKE (process_exec, "%find%") OR LIKE (process_exec, "%grep%")) AND (LIKE (process_exec, "%.tif%") OR LIKE (process_exec, "%.tiff%") OR LIKE (process_exec, "%.gif%") OR LIKE (process_exec, "%.jpeg%")OR LIKE (process_exec, "%.jpg%")OR LIKE (process_exec, "%.jif%")OR LIKE (process_exec, "%.jfif%")OR LIKE (process_exec, "%.jp2%")OR LIKE (process_exec, "%.jpx%")OR LIKE (process_exec, "%.j2k%")OR LIKE (process_exec, "%.j2c%")OR LIKE (process_exec, "%.fpx%")OR LIKE (process_exec, "%.pcd%")OR LIKE (process_exec, "%.png%")OR LIKE (process_exec, "%.flv%") OR LIKE (process_exec, "%.pdf%")OR LIKE (process_exec, "%.mp4%")OR LIKE (process_exec, "%.mp3%")OR LIKE (process_exec, "%.gifv%")OR LIKE (process_exec, "%.avi%")OR LIKE (process_exec, "%.mov%")OR LIKE (process_exec, "%.mpeg%")OR LIKE (process_exec, "%.wav%")OR LIKE (process_exec, "%.doc%")OR LIKE (process_exec, "%.docx%")OR LIKE (process_exec, "%.xls%")OR LIKE (process_exec, "%.xlsx%")OR LIKE (process_exec, "%.svg%")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_file_and_directory_discovery_filter`'
-how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. 
The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
-known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.
+search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as
+ dest | rename comm as process_name | rename exe as process | where (LIKE (process_exec,
+ "%find%") OR LIKE (process_exec, "%grep%")) AND (LIKE (process_exec, "%.tif%") OR
+ LIKE (process_exec, "%.tiff%") OR LIKE (process_exec, "%.gif%") OR LIKE (process_exec,
+ "%.jpeg%")OR LIKE (process_exec, "%.jpg%")OR LIKE (process_exec, "%.jif%")OR LIKE
+ (process_exec, "%.jfif%")OR LIKE (process_exec, "%.jp2%")OR LIKE (process_exec,
+ "%.jpx%")OR LIKE (process_exec, "%.j2k%")OR LIKE (process_exec, "%.j2c%")OR LIKE
+ (process_exec, "%.fpx%")OR LIKE (process_exec, "%.pcd%")OR LIKE (process_exec, "%.png%")OR
+ LIKE (process_exec, "%.flv%") OR LIKE (process_exec, "%.pdf%")OR LIKE (process_exec,
+ "%.mp4%")OR LIKE (process_exec, "%.mp3%")OR LIKE (process_exec, "%.gifv%")OR LIKE
+ (process_exec, "%.avi%")OR LIKE (process_exec, "%.mov%")OR LIKE (process_exec, "%.mpeg%")OR
+ LIKE (process_exec, "%.wav%")OR LIKE (process_exec, "%.doc%")OR LIKE (process_exec,
+ "%.docx%")OR LIKE (process_exec, "%.xls%")OR LIKE (process_exec, "%.xlsx%")OR LIKE
+ (process_exec, "%.svg%")) | stats count min(_time) as firstTime max(_time) as lastTime
+ by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|
+ `linux_auditd_file_and_directory_discovery_filter`'
+how_to_implement: To implement this detection, the process begins by ingesting auditd
+ data, that consists of SYSCALL, TYPE, EXECVE and 
PROCTITLE events, which captures
+ command-line executions and process details on Unix/Linux systems. These logs should
+ be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833),
+ which is essential for correctly parsing and categorizing the data. The next step
+ involves normalizing the field names to match the field names set by the Splunk
+ Common Information Model (CIM) to ensure consistency across different data sources
+ and enhance the efficiency of data modeling. This approach enables effective monitoring
+ and detection of linux endpoints where auditd is deployed
+known_false_positives: Administrator or network operator can use this application
+ for automation purposes. Please update the filter macros to remove false positives.
 references:
 - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html
 - https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS
@@ -20,7 +51,12 @@ drilldown_searches:
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
 - name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+ starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime
+ values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+ as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+ as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
 rba:
@@ -48,6 +84,7 @@ tags:
 tests:
 - name: True Positive Test
 attack_data:
- - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1083/linux_auditd_find_document/linux_auditd_find_document.log
+ - data:
+ https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1083/linux_auditd_find_document/linux_auditd_find_document.log
 source: /var/log/audit/audit.log
- sourcetype: linux:audit
+ sourcetype: auditd
diff --git a/detections/endpoint/linux_auditd_file_permission_modification_via_chmod.yml b/detections/endpoint/linux_auditd_file_permission_modification_via_chmod.yml
index 7ce6b582fc..b4094061b4 100644
--- a/detections/endpoint/linux_auditd_file_permission_modification_via_chmod.yml
+++ b/detections/endpoint/linux_auditd_file_permission_modification_via_chmod.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd File Permission Modification Via Chmod
 id: 5f1d2ea7-eec0-4790-8b24-6875312ad492
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-02-18'
 author: Teoderick Contreras, Splunk, Ivar Nygård
 status: production
 type: Anomaly
@@ -79,4 +79,4 @@ tests:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.002/linux_auditd_chmod_exec_attrib/linux_auditd_chmod_exec_attrib.log
 source: /var/log/audit/audit.log
- sourcetype: linux:audit
+ sourcetype: auditd
diff --git a/detections/endpoint/linux_auditd_file_permissions_modification_via_chattr.yml b/detections/endpoint/linux_auditd_file_permissions_modification_via_chattr.yml
index de8a0c8bc8..b81308c893 100644
--- a/detections/endpoint/linux_auditd_file_permissions_modification_via_chattr.yml
+++ b/detections/endpoint/linux_auditd_file_permissions_modification_via_chattr.yml
@@ -1,11 +1,18 @@
 name: Linux Auditd File Permissions Modification Via Chattr
 id: f2d1110d-b01c-4a58-9975-90a9edeb083a
-version: 4
-date: '2025-02-03'
+version: 5
+date: '2025-02-18'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
-description: The following analytic detects suspicious file permissions modifications using the chattr command, which may indicate an attacker attempting to manipulate file attributes to evade detection or prevent alteration. The chattr command can be used to make files immutable or restrict deletion, which can be leveraged to protect malicious files or disrupt system operations. By monitoring for unusual or unauthorized chattr usage, this analytic helps identify potential tampering with critical files, enabling security teams to quickly respond to and mitigate threats associated with unauthorized file attribute changes.
+description: The following analytic detects suspicious file permissions modifications
+ using the chattr command, which may indicate an attacker attempting to manipulate
+ file attributes to evade detection or prevent alteration. The chattr command can
+ be used to make files immutable or restrict deletion, which can be leveraged to
+ protect malicious files or disrupt system operations. By monitoring for unusual
+ or unauthorized chattr usage, this analytic helps identify potential tampering with
+ critical files, enabling security teams to quickly respond to and mitigate threats
+ associated with unauthorized file attribute changes.
 data_source:
 - Linux Auditd Execve
 search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host
@@ -69,4 +76,4 @@ tests:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.002/linux_auditd_chattr_i/linux_auditd_chattr_i.log
 source: /var/log/audit/audit.log
- sourcetype: linux:audit
+ sourcetype: auditd
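Review bot: In the first hunk of this file `data_source:` lists `Linux Auditd Execve`, but the unchanged `search:` line right after it selects events through `linux_auditd_normalized_proctitle_process`, not the execve normalisation macro every other detection in this patch uses. If the detection really keys off PROCTITLE records, the data source entry looks stale and should presumably read `- Linux Auditd Proctitle`; if it should be on EXECVE records, the macro is the thing to confirm. The search value continues past the hunk, so this is inferred from its first line only.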
diff --git a/detections/endpoint/linux_auditd_find_credentials_from_password_managers.yml b/detections/endpoint/linux_auditd_find_credentials_from_password_managers.yml
index 91a4468484..7521acc681 100644
--- a/detections/endpoint/linux_auditd_find_credentials_from_password_managers.yml
+++ b/detections/endpoint/linux_auditd_find_credentials_from_password_managers.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Find Credentials From Password Managers
 id: 784241aa-85a5-4782-a503-d071bd3446f9
-version: 4
-date: '2025-02-03'
+version: 5
+date: '2025-02-18'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
@@ -15,9 +15,28 @@ description: The following analytic detects suspicious attempts to find credenti
 further unauthorized access.
 data_source:
 - Linux Auditd Execve
-search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | rename comm as process_name | rename exe as process | where (LIKE (process_exec, "%find%") OR LIKE (process_exec, "%grep%")) AND (LIKE (process_exec, "%.kdbx%") OR LIKE (process_exec, "%KeePass%") OR LIKE (process_exec, "%.enforced%") OR LIKE (process_exec, "%.lpdb%")OR LIKE (process_exec, "%.opvault%")OR LIKE (process_exec, "%.agilekeychain%")OR LIKE (process_exec, "%.dashlane%")OR LIKE (process_exec, "%.rfx%")OR LIKE (process_exec, "%passbolt%")OR LIKE (process_exec, "%.spdb%")OR LIKE (process_exec, "%StickyPassword%")OR LIKE (process_exec, "%.walletx%")OR LIKE (process_exec, "%enpass%")OR LIKE (process_exec, "%vault%")OR LIKE (process_exec, "%.kdb%")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_find_credentials_from_password_managers_filter`'
-how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. 
This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
-known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.
+search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as
+ dest | rename comm as process_name | rename exe as process | where (LIKE (process_exec,
+ "%find%") OR LIKE (process_exec, "%grep%")) AND (LIKE (process_exec, "%.kdbx%")
+ OR LIKE (process_exec, "%KeePass%") OR LIKE (process_exec, "%.enforced%") OR LIKE
+ (process_exec, "%.lpdb%")OR LIKE (process_exec, "%.opvault%")OR LIKE (process_exec,
+ "%.agilekeychain%")OR LIKE (process_exec, "%.dashlane%")OR LIKE (process_exec, "%.rfx%")OR
+ LIKE (process_exec, "%passbolt%")OR LIKE (process_exec, "%.spdb%")OR LIKE (process_exec,
+ "%StickyPassword%")OR LIKE (process_exec, "%.walletx%")OR LIKE (process_exec, "%enpass%")OR
+ LIKE (process_exec, "%vault%")OR LIKE (process_exec, "%.kdb%")) | stats count min(_time)
+ as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`| `linux_auditd_find_credentials_from_password_managers_filter`'
+how_to_implement: To implement this detection, the process begins by ingesting auditd
+ data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures
+ command-line executions and process details on Unix/Linux systems. These logs should
+ be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833),
+ which is essential for correctly parsing and categorizing the data. The next step
+ involves normalizing the field names to match the field names set by the Splunk
+ Common Information Model (CIM) to ensure consistency across different data sources
+ and enhance the efficiency of data modeling. 
This approach enables effective monitoring
+ and detection of linux endpoints where auditd is deployed
+known_false_positives: Administrator or network operator can use this application
+ for automation purposes. Please update the filter macros to remove false positives.
 references:
 - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html
 - https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS
@@ -63,4 +82,4 @@ tests:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1555.005/linux_auditd_find_password_db/linux_auditd_find_password_db.log
 source: /var/log/audit/audit.log
- sourcetype: linux:audit
+ sourcetype: auditd
diff --git a/detections/endpoint/linux_auditd_find_credentials_from_password_stores.yml b/detections/endpoint/linux_auditd_find_credentials_from_password_stores.yml
index 9ae67754ae..38e3559db8 100644
--- a/detections/endpoint/linux_auditd_find_credentials_from_password_stores.yml
+++ b/detections/endpoint/linux_auditd_find_credentials_from_password_stores.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Find Credentials From Password Stores
 id: 4de73044-9a1d-4a51-a1c2-85267d8dcab3
-version: 4
-date: '2025-02-10'
+version: 5
+date: '2025-02-18'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
@@ -78,4 +78,4 @@ tests:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1555.005/linux_auditd_find_credentials/linux_auditd_find_credentials.log
 source: /var/log/audit/audit.log
- sourcetype: linux:audit
+ sourcetype: auditd
diff --git a/detections/endpoint/linux_auditd_find_ssh_private_keys.yml b/detections/endpoint/linux_auditd_find_ssh_private_keys.yml
index 96e7d7d952..dcba36202d 100644
--- a/detections/endpoint/linux_auditd_find_ssh_private_keys.yml
+++ b/detections/endpoint/linux_auditd_find_ssh_private_keys.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Find Ssh Private Keys
 id: e2d2bd10-dcd1-4b2f-8a76-0198eab32ba5
-version: 4
-date: '2025-02-10'
+version: 5
+date: '2025-02-18'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -78,4 +78,4 @@ tests:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.004/linux_auditd_find_ssh_files/linux_auditd_find_ssh_files.log
 source: /var/log/audit/audit.log
- sourcetype: linux:audit
+ sourcetype: auditd
diff --git a/detections/endpoint/linux_auditd_hardware_addition_swapoff.yml b/detections/endpoint/linux_auditd_hardware_addition_swapoff.yml
index 11a767918e..2502120edd 100644
--- a/detections/endpoint/linux_auditd_hardware_addition_swapoff.yml
+++ b/detections/endpoint/linux_auditd_hardware_addition_swapoff.yml
@@ -1,16 +1,37 @@
 name: Linux Auditd Hardware Addition Swapoff
 id: 5728bb16-1a0b-4b66-bce2-0074ac839770
-version: 3
-date: '2025-01-16'
+version: 4
+date: '2025-02-18'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
-description: The following analytic detects the execution of the "swapoff" command, which disables the swapping of paging devices on a Linux system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This activity is significant because disabling swap can be a tactic used by malware, such as Awfulshred, to evade detection and hinder forensic analysis. If confirmed malicious, this action could allow an attacker to manipulate system memory management, potentially leading to data corruption, system instability, or evasion of memory-based detection mechanisms.
+description: The following analytic detects the execution of the "swapoff" command,
+ which disables the swapping of paging devices on a Linux system. It leverages data
+ from Endpoint Detection and Response (EDR) agents, focusing on process execution
+ logs. This activity is significant because disabling swap can be a tactic used by
+ malware, such as Awfulshred, to evade detection and hinder forensic analysis. If
+ confirmed malicious, this action could allow an attacker to manipulate system memory
+ management, potentially leading to data corruption, system instability, or evasion
+ of memory-based detection mechanisms.
 data_source:
 - Linux Auditd Execve
-search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host as dest | rename comm as process_name | rename exe as process | where LIKE(process_exec, "%swapoff %") AND LIKE(process_exec, "% -a%") | stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_hardware_addition_swapoff_filter`'
-how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
-known_false_positives: administrator may disable swapping of devices in a linux host. Filter is needed.
+search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host
+ as dest | rename comm as process_name | rename exe as process | where LIKE(process_exec,
+ "%swapoff %") AND LIKE(process_exec, "% -a%") | stats count min(_time) as firstTime
+ max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter
+ dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`|
+ `linux_auditd_hardware_addition_swapoff_filter`'
+how_to_implement: To implement this detection, the process begins by ingesting auditd
+ data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures
+ command-line executions and process details on Unix/Linux systems. These logs should
+ be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833),
+ which is essential for correctly parsing and categorizing the data. The next step
+ involves normalizing the field names to match the field names set by the Splunk
+ Common Information Model (CIM) to ensure consistency across different data sources
+ and enhance the efficiency of data modeling. This approach enables effective monitoring
+ and detection of linux endpoints where auditd is deployed
+known_false_positives: administrator may disable swapping of devices in a linux host.
+ Filter is needed.
 references:
 - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/
 drilldown_searches:
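Review bot: The re-wrapped description still says the analytic "leverages data from Endpoint Detection and Response (EDR) agents", while `data_source` lists `Linux Auditd Execve` and the search reads events through the `` `linux_auditd` `` macro, so since the text is being rewritten anyway that sentence should say the data comes from Linux auditd records rather than EDR. The description also presents this as detecting execution of `swapoff`, but the `where` clause requires both `"%swapoff %"` and `"% -a%"`, so only `swapoff -a` invocations match; the description and `known_false_positives` should state that scope. `how_to_implement` lists `SYSCALL, TYPE, EXECVE and PROCTITLE` as record types; `TYPE` is the name of the record-type field rather than a record type, and presumably `PATH` was meant — the same sentence recurs verbatim in the hidden-files and stop-services hunks below and in the password-managers hunk above, so it is worth fixing once at the source. `data_source` names the Execve object while the search uses `linux_auditd_normalized_proctitle_process` and groups by `proctitle`, which looks like it should be the Proctitle data source; worth confirming.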
@@ -19,7 +40,12 @@ drilldown_searches:
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
 - name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+ starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime
+ values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+ as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+ as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
 rba:
@@ -46,6 +72,7 @@ tags:
 tests:
 - name: True Positive Test
 attack_data:
- - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1200/linux_auditd_swapoff/linux_auditd_swapoff.log
+ - data:
+ https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1200/linux_auditd_swapoff/linux_auditd_swapoff.log
 source: /var/log/audit/audit.log
- sourcetype: linux:audit
+ sourcetype: auditd
diff --git a/detections/endpoint/linux_auditd_hidden_files_and_directories_creation.yml b/detections/endpoint/linux_auditd_hidden_files_and_directories_creation.yml
index 483150c621..1001e093ff 100644
--- a/detections/endpoint/linux_auditd_hidden_files_and_directories_creation.yml
+++ b/detections/endpoint/linux_auditd_hidden_files_and_directories_creation.yml 
@@ -1,16 +1,39 @@
 name: Linux Auditd Hidden Files And Directories Creation
 id: 555cc358-bf16-4e05-9b3a-0f89c73b7261
-version: 5
-date: '2025-02-03'
+version: 6
+date: '2025-02-18'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
-description: The following analytic detects suspicious creation of hidden files and directories, which may indicate an attacker's attempt to conceal malicious activities or unauthorized data. Hidden files and directories are often used to evade detection by security tools and administrators, providing a stealthy means for storing malware, logs, or sensitive information. By monitoring for unusual or unauthorized creation of hidden files and directories, this analytic helps identify potential attempts to hide or unauthorized creation of hidden files and directories, this analytic helps identify potential attempts to hide malicious operations, enabling security teams to uncover and address hidden threats effectively.
+description: The following analytic detects suspicious creation of hidden files and
+ directories, which may indicate an attacker's attempt to conceal malicious activities
+ or unauthorized data. Hidden files and directories are often used to evade detection
+ by security tools and administrators, providing a stealthy means for storing malware,
+ logs, or sensitive information. By monitoring for unusual or unauthorized creation
+ of hidden files and directories, this analytic helps identify potential attempts
+ to hide or unauthorized creation of hidden files and directories, this analytic
+ helps identify potential attempts to hide malicious operations, enabling security
+ teams to uncover and address hidden threats effectively.
 data_source:
 - Linux Auditd Execve
-search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | rename comm as process_name | rename exe as process | where (LIKE (process_exec,"%touch %") OR LIKE (process_exec,"%mkdir %")OR LIKE (process_exec,"%vim %") OR LIKE (process_exec,"%vi %") OR LIKE (process_exec,"%nano %")) AND (LIKE (process_exec,"% ./.%") OR LIKE (process_exec," .%")OR LIKE (process_exec," /.%")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_hidden_files_and_directories_creation_filter`'
-how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
-known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.
+search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as
+ dest | rename comm as process_name | rename exe as process | where (LIKE (process_exec,"%touch
+ %") OR LIKE (process_exec,"%mkdir %")OR LIKE (process_exec,"%vim %") OR LIKE (process_exec,"%vi
+ %") OR LIKE (process_exec,"%nano %")) AND (LIKE (process_exec,"% ./.%") OR LIKE
+ (process_exec," .%")OR LIKE (process_exec," /.%")) | stats count min(_time) as firstTime
+ max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`| `linux_auditd_hidden_files_and_directories_creation_filter`'
+how_to_implement: To implement this detection, the process begins by ingesting auditd
+ data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures
+ command-line executions and process details on Unix/Linux systems. These logs should
+ be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833),
+ which is essential for correctly parsing and categorizing the data. The next step
+ involves normalizing the field names to match the field names set by the Splunk
+ Common Information Model (CIM) to ensure consistency across different data sources
+ and enhance the efficiency of data modeling. This approach enables effective monitoring
+ and detection of linux endpoints where auditd is deployed
+known_false_positives: Administrator or network operator can use this application
+ for automation purposes. Please update the filter macros to remove false positives.
 references:
 - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html
 - https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS
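Review bot: Two of the hidden-path patterns in the new `where` clause have no leading wildcard — `LIKE (process_exec," .%")` and `LIKE (process_exec," /.%")` — so they only match when `process_exec` begins with a space, which a value that also satisfies `"%touch %"` cannot do unless the normalization macro prefixes one (not visible here); a plain `touch .hidden` would therefore not be matched by this search. If the intent is a dot-prefixed name anywhere in the command line, the two patterns should read `"% .%"` and `"% /.%"`, which also subsumes the `"% ./.%"` form. The re-wrapped description keeps a duplicated clause, `this analytic helps identify potential attempts to hide or unauthorized creation of hidden files and directories, this analytic helps identify potential attempts to hide malicious operations`, which should be collapsed into a single sentence.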
@@ -20,7 +43,12 @@ drilldown_searches:
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
 - name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+ starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime
+ values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+ as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+ as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
 rba:
@@ -47,6 +75,7 @@ tags:
 tests:
 - name: True Positive Test
 attack_data:
- - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1083/linux_auditd_hidden_file/linux_auditd_hidden_file.log
+ - data:
+ https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1083/linux_auditd_hidden_file/linux_auditd_hidden_file.log
 source: /var/log/audit/audit.log
- sourcetype: linux:audit
+ sourcetype: auditd
diff --git a/detections/endpoint/linux_auditd_insert_kernel_module_using_insmod_utility.yml b/detections/endpoint/linux_auditd_insert_kernel_module_using_insmod_utility.yml
index 0b168373bc..a2c18e1942 100644
--- a/detections/endpoint/linux_auditd_insert_kernel_module_using_insmod_utility.yml
+++ b/detections/endpoint/linux_auditd_insert_kernel_module_using_insmod_utility.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Insert Kernel Module Using Insmod Utility
 id: bc0ca53f-dea6-4906-9b12-09c396fdf1d3
-version: 5
-date: '2025-02-10'
+version: 6
+date: '2025-02-18'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -76,4 +76,4 @@ tests:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/linux_auditd_insmod/linux_auditd_insmod.log
 source: /var/log/audit/audit.log
- sourcetype: linux:audit
+ sourcetype: auditd
diff --git a/detections/endpoint/linux_auditd_install_kernel_module_using_modprobe_utility.yml b/detections/endpoint/linux_auditd_install_kernel_module_using_modprobe_utility.yml
index a57cd34a93..297fe3d34c 100644
--- a/detections/endpoint/linux_auditd_install_kernel_module_using_modprobe_utility.yml
+++ b/detections/endpoint/linux_auditd_install_kernel_module_using_modprobe_utility.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Install Kernel Module Using Modprobe Utility
 id: 95165985-ace5-4d42-9c42-93a89a5af901
-version: 4
-date: '2025-02-10'
+version: 5
+date: '2025-02-18'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -75,4 +75,4 @@ tests:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/linux_auditd_modprobe/linux_auditd_modprobe.log
 source: /var/log/audit/audit.log
- sourcetype: linux:audit
+ sourcetype: auditd
diff --git a/detections/endpoint/linux_auditd_kernel_module_enumeration.yml b/detections/endpoint/linux_auditd_kernel_module_enumeration.yml
index 266495693a..921ac3198d 100644
--- a/detections/endpoint/linux_auditd_kernel_module_enumeration.yml
+++ b/detections/endpoint/linux_auditd_kernel_module_enumeration.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Kernel Module Enumeration
 id: d1b088de-c47a-4572-9339-bdcc26493b32
-version: 4
-date: '2024-12-17'
+version: 5
+date: '2025-02-18'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -19,9 +19,9 @@ search: '`linux_auditd` type=SYSCALL comm=lsmod | rename host as dest | stats c
 success dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`
 | `linux_auditd_kernel_module_enumeration_filter`'
 how_to_implement: To implement this detection, the process begins by ingesting auditd
- data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line
- executions and process details on Unix/Linux systems. These logs should be ingested
- and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833),
+ data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures
+ command-line executions and process details on Unix/Linux systems. These logs should
+ be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833),
 which is essential for correctly parsing and categorizing the data. The next step
 involves normalizing the field names to match the field names set by the Splunk
 Common Information Model (CIM) to ensure consistency across different data sources
@@ -73,4 +73,4 @@ tests:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1082/linux_auditd_lsmod/linux_auditd_lsmod.log
 source: /var/log/audit/audit.log
- sourcetype: linux:audit
+ sourcetype: auditd
diff --git a/detections/endpoint/linux_auditd_kernel_module_using_rmmod_utility.yml b/detections/endpoint/linux_auditd_kernel_module_using_rmmod_utility.yml
index 0d437219d2..2e6e291b58 100644
--- a/detections/endpoint/linux_auditd_kernel_module_using_rmmod_utility.yml
+++ b/detections/endpoint/linux_auditd_kernel_module_using_rmmod_utility.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Kernel Module Using Rmmod Utility
 id: 31810b7a-0abe-42be-a210-0dec8106afee
-version: 4
-date: '2025-02-10'
+version: 5
+date: '2025-02-18'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
@@ -74,4 +74,4 @@ tests:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/linux_auditd_rmmod/linux_auditd_rmmod.log
 source: /var/log/audit/audit.log
- sourcetype: linux:audit
+ sourcetype: auditd
diff --git a/detections/endpoint/linux_auditd_nopasswd_entry_in_sudoers_file.yml b/detections/endpoint/linux_auditd_nopasswd_entry_in_sudoers_file.yml
index 2470ddfe8f..d2d339d1dc 100644
--- a/detections/endpoint/linux_auditd_nopasswd_entry_in_sudoers_file.yml
+++ b/detections/endpoint/linux_auditd_nopasswd_entry_in_sudoers_file.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Nopasswd Entry In Sudoers File
 id: 651df959-ad17-4b73-a323-90cb96d5fa1b
-version: 5
-date: '2025-02-10'
+version: 6
+date: '2025-02-18'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -76,4 +76,4 @@ tests:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_auditd_nopasswd/linux_auditd_nopasswd.log
 source: /var/log/audit/audit.log
- sourcetype: linux:audit
+ sourcetype: auditd
diff --git a/detections/endpoint/linux_auditd_osquery_service_stop.yml b/detections/endpoint/linux_auditd_osquery_service_stop.yml
index edf2a44c84..496cefeb0d 100644
--- a/detections/endpoint/linux_auditd_osquery_service_stop.yml
+++ b/detections/endpoint/linux_auditd_osquery_service_stop.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Osquery Service Stop
 id: 0c320fea-6e87-4b99-a884-74d09d4b655d
-version: 3
-date: '2024-11-13'
+version: 4
+date: '2025-02-18'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
@@ -74,4 +74,4 @@ tests:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1489/linux_auditd_osquerd_service_stop/linux_auditd_osquerd_service_stop.log
 source: /var/log/audit/audit.log
- sourcetype: linux:audit
+ sourcetype: auditd
diff --git a/detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml b/detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml
index a9323c6d19..caf001c3a8 100644
--- a/detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml
+++ b/detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Possible Access Or Modification Of Sshd Config File
 id: acb3ea33-70f7-47aa-b335-643b3aebcb2f
-version: 4
-date: '2025-02-10'
+version: 5
+date: '2025-02-18'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -75,4 +75,4 @@ tests:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.004/linux_auditd_nopasswd/linux_auditd_ssh_config.log
 source: /var/log/audit/audit.log
- sourcetype: linux:audit
+ sourcetype: auditd
diff --git a/detections/endpoint/linux_auditd_possible_access_to_credential_files.yml b/detections/endpoint/linux_auditd_possible_access_to_credential_files.yml
index 62158c07f3..4cf7383b3e 100644
--- a/detections/endpoint/linux_auditd_possible_access_to_credential_files.yml
+++ b/detections/endpoint/linux_auditd_possible_access_to_credential_files.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Possible Access To Credential Files
 id: 0419cb7a-57ea-467b-974f-77c303dfe2a3
-version: 5
-date: '2025-02-10'
+version: 6
+date: '2025-02-18'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -78,4 +78,4 @@ tests:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.008/linux_auditd_access_credential/linux_auditd_access_credential.log
 source: /var/log/audit/audit.log
- sourcetype: linux:audit
+ sourcetype: auditd
diff --git a/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml b/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml
index ce58e5dae8..b3fd3c4ce1 100644
--- a/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml
+++ b/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Possible Access To Sudoers File
 id: 8be88f46-f7e8-4ae6-b15e-cf1b13392834
-version: 5
-date: '2025-02-10'
+version: 6
+date: '2025-02-18'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -75,4 +75,4 @@ tests:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_auditd_sudoers_access/linux_auditd_sudoers_access.log
 source: /var/log/audit/audit.log
- sourcetype: linux:audit
+ sourcetype: auditd
diff --git a/detections/endpoint/linux_auditd_possible_append_cronjob_entry_on_existing_cronjob_file.yml b/detections/endpoint/linux_auditd_possible_append_cronjob_entry_on_existing_cronjob_file.yml
index 7fac278e2a..27b2115196 100644
--- a/detections/endpoint/linux_auditd_possible_append_cronjob_entry_on_existing_cronjob_file.yml
+++ b/detections/endpoint/linux_auditd_possible_append_cronjob_entry_on_existing_cronjob_file.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File
 id: fea71cf0-fa10-4ef6-9202-9682b2e0c477
-version: 5
-date: '2025-02-10'
+version: 6
+date: '2025-02-18'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
@@ -56,4 +56,4 @@ tests:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/linux_auditd_cron_file_audited/linux_auditd_cron_file_audited2.log
 source: /var/log/audit/audit.log
- sourcetype: linux:audit
+ sourcetype: auditd
diff --git a/detections/endpoint/linux_auditd_preload_hijack_library_calls.yml b/detections/endpoint/linux_auditd_preload_hijack_library_calls.yml
index 8eb1a95ce2..adaa8ec351 100644
--- a/detections/endpoint/linux_auditd_preload_hijack_library_calls.yml
+++ b/detections/endpoint/linux_auditd_preload_hijack_library_calls.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Preload Hijack Library Calls
 id: 35c50572-a70b-452f-afa9-bebdf3c3ce36
-version: 5
-date: '2025-02-10'
+version: 6
+date: '2025-02-18'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
@@ -76,4 +76,4 @@ tests:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.006/linux_auditd_ldpreload/linux_auditd_ldpreload.log
 source: /var/log/audit/audit.log
- sourcetype: linux:audit
+ sourcetype: auditd
diff --git a/detections/endpoint/linux_auditd_preload_hijack_via_preload_file.yml b/detections/endpoint/linux_auditd_preload_hijack_via_preload_file.yml
index d850271d2d..10e5fbf725 100644
--- a/detections/endpoint/linux_auditd_preload_hijack_via_preload_file.yml
+++ b/detections/endpoint/linux_auditd_preload_hijack_via_preload_file.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Preload Hijack Via Preload File
 id: c1b7abca-55cb-4a39-bdfb-e28c1c12745f
-version: 4
-date: '2025-02-10'
+version: 5
+date: '2025-02-18'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
@@ -74,4 +74,4 @@ tests:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.006/linux_auditd_preload_file/linux_auditd_preload_file.log
 source: /var/log/audit/audit.log
- sourcetype: linux:audit
+ sourcetype: auditd
diff --git a/detections/endpoint/linux_auditd_private_keys_and_certificate_enumeration.yml b/detections/endpoint/linux_auditd_private_keys_and_certificate_enumeration.yml
index 3734df8760..c0930e5665 100644
--- a/detections/endpoint/linux_auditd_private_keys_and_certificate_enumeration.yml
+++ b/detections/endpoint/linux_auditd_private_keys_and_certificate_enumeration.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Private Keys and Certificate Enumeration
 id: 892eb674-3344-4143-8e52-4775b1daf3f1
-version: 2
-date: '2025-02-10'
+version: 3
+date: '2025-02-18'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -79,4 +79,4 @@ tests:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.004/linux_auditd_find_gpg/linux_auditd_find_gpg.log
 source: /var/log/audit/audit.log
- sourcetype: linux:audit
+ sourcetype: auditd
diff --git a/detections/endpoint/linux_auditd_service_restarted.yml b/detections/endpoint/linux_auditd_service_restarted.yml
index 63fbdd633c..4672ad9b50 100644
--- a/detections/endpoint/linux_auditd_service_restarted.yml
+++ b/detections/endpoint/linux_auditd_service_restarted.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Service Restarted
 id: 8eb3e858-18d3-44a4-a514-52cfa39f154a
-version: 4
-date: '2025-02-10'
+version: 5
+date: '2025-02-18'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -79,4 +79,4 @@ tests:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.006/linux_services_restart/linux_services_restart.log
 source: /var/log/audit/audit.log
- sourcetype: linux:audit
+ sourcetype: auditd
diff --git a/detections/endpoint/linux_auditd_service_started.yml b/detections/endpoint/linux_auditd_service_started.yml
index d157eebc41..b38578b8cd 100644
--- a/detections/endpoint/linux_auditd_service_started.yml
+++ b/detections/endpoint/linux_auditd_service_started.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Service Started
 id: b5eed06d-5c97-4092-a3a1-fa4b7e77c71a
-version: 4
-date: '2025-02-03'
+version: 5
+date: '2025-02-18'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -75,4 +75,4 @@ tests:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1569.002/linux_service_start/linux_service_start.log
 source: /var/log/audit/audit.log
- sourcetype: linux:audit
+ sourcetype: auditd
diff --git a/detections/endpoint/linux_auditd_setuid_using_chmod_utility.yml b/detections/endpoint/linux_auditd_setuid_using_chmod_utility.yml
index db1157d54e..51558c89a0 100644
--- a/detections/endpoint/linux_auditd_setuid_using_chmod_utility.yml
+++ b/detections/endpoint/linux_auditd_setuid_using_chmod_utility.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Setuid Using Chmod Utility
 id: 8230c407-1b47-4d95-ac2e-718bd6381386
-version: 4
-date: '2025-02-10'
+version: 5
+date: '2025-02-18'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -75,4 +75,4 @@ tests:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.001/linux_auditd_setuid/linux_auditd_setuid.log
 source: /var/log/audit/audit.log
- sourcetype: linux:audit
+ sourcetype: auditd
diff --git a/detections/endpoint/linux_auditd_setuid_using_setcap_utility.yml b/detections/endpoint/linux_auditd_setuid_using_setcap_utility.yml
index 08a69f6ca0..39195c0413 100644
--- a/detections/endpoint/linux_auditd_setuid_using_setcap_utility.yml
+++ b/detections/endpoint/linux_auditd_setuid_using_setcap_utility.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Setuid Using Setcap Utility
 id: 1474459a-302b-4255-8add-d82f96d14cd9
-version: 4
-date: '2025-02-10'
+version: 5
+date: '2025-02-18'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
@@ -76,4 +76,4 @@ tests:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.001/linux_auditd_setuid/linux_auditd_setcap_priv.log
 source: /var/log/audit/audit.log
- sourcetype: linux:audit
+ sourcetype: auditd
diff --git a/detections/endpoint/linux_auditd_shred_overwrite_command.yml b/detections/endpoint/linux_auditd_shred_overwrite_command.yml
index 6d09005763..60086684e8 100644
--- a/detections/endpoint/linux_auditd_shred_overwrite_command.yml
+++ b/detections/endpoint/linux_auditd_shred_overwrite_command.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Shred Overwrite Command
 id: ce2bde4d-a1d4-4452-8c87-98440e5adfb3
-version: 3
-date: '2024-11-13'
+version: 4
+date: '2025-02-18'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
@@ -78,4 +78,4 @@ tests:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/linux_auditd_shred/linux_auditd_shred.log
 source: /var/log/audit/audit.log
- sourcetype: linux:audit
+ sourcetype: auditd
diff --git a/detections/endpoint/linux_auditd_stop_services.yml b/detections/endpoint/linux_auditd_stop_services.yml
index 23004f47e1..757f3b7435 100644
--- a/detections/endpoint/linux_auditd_stop_services.yml
+++ b/detections/endpoint/linux_auditd_stop_services.yml
@@ -1,16 +1,33 @@ name: Linux Auditd Stop Services id: 43bc9281-753b-4743-b4b7-60af84f085f3 -version: 3 -date: '2024-12-16' +version: 4 +date: '2025-02-18' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic detects attempts to stop a service on Linux systems. It leverages data from Linux Auditd. This activity is significant as adversaries often stop or terminate security or critical services to disable defenses or disrupt operations, as seen in malware like Industroyer2. If confirmed malicious, this could lead to the disabling of security mechanisms, allowing attackers to persist, escalate privileges, or deploy destructive payloads, severely impacting system integrity and availability. +description: The following analytic detects attempts to stop a service on Linux systems. + It leverages data from Linux Auditd. This activity is significant as adversaries + often stop or terminate security or critical services to disable defenses or disrupt + operations, as seen in malware like Industroyer2. If confirmed malicious, this could + lead to the disabling of security mechanisms, allowing attackers to persist, escalate + privileges, or deploy destructive payloads, severely impacting system integrity + and availability. data_source: - Linux Auditd Service Stop -search: '`linux_auditd` type=SERVICE_STOP | rename host as dest | stats count min(_time) as firstTime max(_time) as lastTime by type pid UID comm exe dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_stop_services_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. 
These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed -known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. +search: '`linux_auditd` type=SERVICE_STOP | rename host as dest | stats count min(_time) + as firstTime max(_time) as lastTime by type pid UID comm exe dest | `security_content_ctime(firstTime)`| + `security_content_ctime(lastTime)`| `linux_auditd_stop_services_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures + command-line executions and process details on Unix/Linux systems. These logs should + be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can use this application + for automation purposes. Please update the filter macros to remove false positives. 
references: - https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ - https://cert.gov.ua/article/39518 @@ -20,7 +37,12 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: @@ -40,6 +62,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1489/linux_auditd_service_stop/linux_auditd_service_stop.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1489/linux_auditd_service_stop/linux_auditd_service_stop.log source: /var/log/audit/audit.log - sourcetype: linux:audit + sourcetype: auditd 
diff --git a/detections/endpoint/linux_auditd_sudo_or_su_execution.yml b/detections/endpoint/linux_auditd_sudo_or_su_execution.yml index ebf46c26c5..b0f9818651 100644 --- a/detections/endpoint/linux_auditd_sudo_or_su_execution.yml +++ b/detections/endpoint/linux_auditd_sudo_or_su_execution.yml @@ -1,7 +1,7 @@ name: Linux Auditd Sudo Or Su Execution id: 817a5c89-5b92-4818-a22d-aa35e1361afe -version: 4 -date: '2025-02-10' +version: 5 +date: '2025-02-18' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -73,4 +73,4 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_auditd_sudo_su/linux_auditd_sudo_su.log source: /var/log/audit/audit.log - sourcetype: linux:audit + sourcetype: auditd diff --git a/detections/endpoint/linux_auditd_sysmon_service_stop.yml b/detections/endpoint/linux_auditd_sysmon_service_stop.yml index 64021b8def..6a0f9b6f14 100644 --- a/detections/endpoint/linux_auditd_sysmon_service_stop.yml +++ b/detections/endpoint/linux_auditd_sysmon_service_stop.yml @@ -1,7 +1,7 @@ name: Linux Auditd Sysmon Service Stop id: 20901256-633a-40de-8753-7b88811a460f -version: 3 -date: '2024-11-13' +version: 4 +date: '2025-02-18' author: Teoderick Contreras, Splunk status: production type: TTP @@ -73,4 +73,4 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1489/linux_auditd_sysmon_service_stop.log/linux_auditd_sysmon_service_stop.log source: /var/log/audit/audit.log - sourcetype: linux:audit + sourcetype: auditd diff --git a/detections/endpoint/linux_auditd_system_network_configuration_discovery.yml b/detections/endpoint/linux_auditd_system_network_configuration_discovery.yml index b518e8fa93..e0449ab6a2 100644 --- a/detections/endpoint/linux_auditd_system_network_configuration_discovery.yml +++ b/detections/endpoint/linux_auditd_system_network_configuration_discovery.yml 
@@ -1,7 +1,7 @@ name: Linux Auditd System Network Configuration Discovery id: 5db16825-81bd-4923-a8d6-d6a13a59832a -version: 3 -date: '2024-11-13' +version: 4 +date: '2025-02-18' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -77,4 +77,4 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1016/linux_auditd_net_tool/linux_auditd_net_tool.log source: /var/log/audit/audit.log - sourcetype: linux:audit + sourcetype: auditd diff --git a/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml b/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml index 664416e29d..c84e3bcd6f 100644 --- a/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml +++ b/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml @@ -1,7 +1,7 @@ name: Linux Auditd Unix Shell Configuration Modification id: 66f737c6-3f7f-46ed-8e9b-cc0e5bf01f04 -version: 4 -date: '2025-02-10' +version: 5 +date: '2025-02-18' author: Teoderick Contreras, Splunk status: production type: TTP @@ -80,4 +80,4 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.004/linux_auditd_unix_shell_mod_config/linux_auditd_unix_shell_mod_config.log source: /var/log/audit/audit.log - sourcetype: linux:audit + sourcetype: auditd diff --git a/detections/endpoint/linux_auditd_unload_module_via_modprobe.yml b/detections/endpoint/linux_auditd_unload_module_via_modprobe.yml index cdd0c0c95c..4deebf7ac4 100644 --- a/detections/endpoint/linux_auditd_unload_module_via_modprobe.yml +++ b/detections/endpoint/linux_auditd_unload_module_via_modprobe.yml @@ -1,7 +1,7 @@ name: Linux Auditd Unload Module Via Modprobe id: 90964d6a-4b5f-409a-85bd-95e261e03fe9 -version: 4 -date: '2025-02-10' +version: 5 +date: '2025-02-18' author: Teoderick Contreras, Splunk status: production type: TTP 
@@ -75,4 +75,4 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/linux_auditd_modprobe_unload_module/linux_auditd_modprobe_unload_module.log source: /var/log/audit/audit.log - sourcetype: linux:audit + sourcetype: auditd diff --git a/detections/endpoint/linux_auditd_virtual_disk_file_and_directory_discovery.yml b/detections/endpoint/linux_auditd_virtual_disk_file_and_directory_discovery.yml index 59da2a56d4..bce9ca117d 100644 --- a/detections/endpoint/linux_auditd_virtual_disk_file_and_directory_discovery.yml +++ b/detections/endpoint/linux_auditd_virtual_disk_file_and_directory_discovery.yml 
@@ -1,16 +1,37 @@ name: Linux Auditd Virtual Disk File And Directory Discovery id: eec78cef-d4c8-4b35-8f5b-6922102a4a41 -version: 4 -date: '2025-01-16' +version: 5 +date: '2025-02-18' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects suspicious discovery of virtual disk files and directories, which may indicate an attacker's attempt to locate and access virtualized storage environments. Virtual disks can contain sensitive data or critical system configurations, and unauthorized discovery attempts could signify preparatory actions for data exfiltration or further compromise. By monitoring for unusual or unauthorized searches for virtual disk files and directories, this analytic helps identify potential reconnaissance activities, enabling security teams to respond promptly and safeguard against unauthorized access and data breaches. +description: The following analytic detects suspicious discovery of virtual disk files + and directories, which may indicate an attacker's attempt to locate and access virtualized + storage environments. Virtual disks can contain sensitive data or critical system + configurations, and unauthorized discovery attempts could signify preparatory actions + for data exfiltration or further compromise. By monitoring for unusual or unauthorized + searches for virtual disk files and directories, this analytic helps identify potential + reconnaissance activities, enabling security teams to respond promptly and safeguard + against unauthorized access and data breaches. 
data_source: - Linux Auditd Execve -search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | rename comm as process_name | rename exe as process | where (LIKE (process_exec, "%find%") OR LIKE (process_exec, "%grep%")) AND (LIKE (process_exec, "%.vhd%") OR LIKE (process_exec, "%.vhdx%") OR LIKE (process_exec, "%.vmdk%")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_virtual_disk_file_and_directory_discovery_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed -known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. 
+search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as + dest | rename comm as process_name | rename exe as process | where (LIKE (process_exec, + "%find%") OR LIKE (process_exec, "%grep%")) AND (LIKE (process_exec, "%.vhd%") OR + LIKE (process_exec, "%.vhdx%") OR LIKE (process_exec, "%.vmdk%")) | stats count + min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`| `linux_auditd_virtual_disk_file_and_directory_discovery_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures + command-line executions and process details on Unix/Linux systems. These logs should + be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can use this application + for automation purposes. Please update the filter macros to remove false positives. references: - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html - https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS 
@@ -20,7 +41,12 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: @@ -48,6 +74,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1083/linux_auditd_find_virtual_disk/linux_auditd_find_virtual_disk.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1083/linux_auditd_find_virtual_disk/linux_auditd_find_virtual_disk.log source: /var/log/audit/audit.log - sourcetype: linux:audit + sourcetype: auditd diff --git a/detections/endpoint/linux_auditd_whoami_user_discovery.yml b/detections/endpoint/linux_auditd_whoami_user_discovery.yml index 275d9ac8f4..280168b042 100644 --- a/detections/endpoint/linux_auditd_whoami_user_discovery.yml 
+++ b/detections/endpoint/linux_auditd_whoami_user_discovery.yml @@ -1,7 +1,7 @@ name: Linux Auditd Whoami User Discovery id: d1ff2e22-310d-446a-80b3-faedaa7b3b52 -version: 3 -date: '2024-11-13' +version: 4 +date: '2025-02-18' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -75,4 +75,4 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/linux_auditd_whoami/linux_auditd_whoami.log source: /var/log/audit/audit.log - sourcetype: linux:audit + sourcetype: auditd From 7f09aa976dcc00bacfed989063df562989a7893f Mon Sep 17 00:00:00 2001 From: Teoderick Contreras Date: Thu, 20 Feb 2025 13:36:03 +0100 Subject: [PATCH 04/30] auditd_detection_updates --- data_sources/linux_auditd_add_user.yml | 8 +++---- data_sources/linux_auditd_execve.yml | 8 +++---- data_sources/linux_auditd_path.yml | 8 +++---- data_sources/linux_auditd_proctitle.yml | 8 +++---- data_sources/linux_auditd_service_stop.yml | 8 +++---- data_sources/linux_auditd_syscall.yml | 8 +++---- .../linux_auditd_add_user_account.yml | 21 ++++++++++--------- .../linux_auditd_at_application_execution.yml | 8 +++---- .../linux_auditd_auditd_service_stop.yml | 8 +++---- .../linux_auditd_base64_decode_files.yml | 21 ++++++++++--------- ...linux_auditd_change_file_owner_to_root.yml | 21 ++++++++++--------- .../linux_auditd_clipboard_data_copy.yml | 17 +++++++++------ .../linux_auditd_data_destruction_command.yml | 19 ++++++++++------- ...td_data_transfer_size_limits_via_split.yml | 15 ++++++++----- ...transfer_size_limits_via_split_syscall.yml | 8 +++---- ..._database_file_and_directory_discovery.yml | 15 ++++++++----- macros/linux_auditd.yml | 2 +- 17 files changed, 113 insertions(+), 90 deletions(-) diff --git a/data_sources/linux_auditd_add_user.yml b/data_sources/linux_auditd_add_user.yml index d8604f8794..95bdba2077 100644 --- a/data_sources/linux_auditd_add_user.yml +++ b/data_sources/linux_auditd_add_user.yml 
@@ -1,11 +1,11 @@ name: Linux Auditd Add User id: 30f79353-e1d2-4585-8735-1e0359559f3f -version: 1 -date: '2024-08-08' +version: 3 +date: '2025-02-20' author: Teoderick Contreras, Splunk description: Data source object for Linux Auditd Add User Type -source: /var/log/audit/audit.log -sourcetype: linux:audit +source: auditd +sourcetype: auditd configuration: https://github.com/Neo23x0/auditd/blob/master/audit.rules supported_TA: - name: Splunk Add-on for Unix and Linux diff --git a/data_sources/linux_auditd_execve.yml b/data_sources/linux_auditd_execve.yml index 04f7bb6c35..82bd7bcacc 100644 --- a/data_sources/linux_auditd_execve.yml +++ b/data_sources/linux_auditd_execve.yml @@ -1,11 +1,11 @@ name: Linux Auditd Execve id: 9ef6364d-cc67-480e-8448-3306829a6a24 -version: 1 -date: '2024-08-08' +version: 2 +date: '2025-02-20' author: Teoderick Contreras, Splunk description: Data source object for Linux Auditd Execve Type -source: /var/log/audit/audit.log -sourcetype: linux:audit +source: auditd +sourcetype: auditd configuration: https://github.com/Neo23x0/auditd/blob/master/audit.rules supported_TA: - name: Splunk Add-on for Unix and Linux diff --git a/data_sources/linux_auditd_path.yml b/data_sources/linux_auditd_path.yml index 9ff6f3cdef..25c1cb029a 100644 --- a/data_sources/linux_auditd_path.yml +++ b/data_sources/linux_auditd_path.yml @@ -1,11 +1,11 @@ name: Linux Auditd Path id: 3d86125c-0496-4a5a-aae3-0d355a4f3d7d -version: 1 -date: '2024-08-08' +version: 2 +date: '2025-02-20' author: Teoderick Contreras, Splunk description: Data source object for Linux Auditd Path Type -source: /var/log/audit/audit.log -sourcetype: linux:audit +source: auditd +sourcetype: auditd configuration: https://github.com/Neo23x0/auditd/blob/master/audit.rules supported_TA: - name: Splunk Add-on for Unix and Linux diff --git a/data_sources/linux_auditd_proctitle.yml b/data_sources/linux_auditd_proctitle.yml index b20cf3036c..86c68368aa 100644 --- a/data_sources/linux_auditd_proctitle.yml 
+++ b/data_sources/linux_auditd_proctitle.yml @@ -1,11 +1,11 @@ name: Linux Auditd Proctitle id: 5a25984a-2789-400a-858b-d75c923e06b1 -version: 1 -date: '2024-08-08' +version: 2 +date: '2025-02-20' author: Teoderick Contreras, Splunk description: Data source object for Linux Auditd Proctitle Type -source: /var/log/audit/audit.log -sourcetype: linux:audit +source: auditd +sourcetype: auditd configuration: https://github.com/Neo23x0/auditd/blob/master/audit.rules supported_TA: - name: Splunk Add-on for Unix and Linux diff --git a/data_sources/linux_auditd_service_stop.yml b/data_sources/linux_auditd_service_stop.yml index f58756c5ae..e65d033de2 100644 --- a/data_sources/linux_auditd_service_stop.yml +++ b/data_sources/linux_auditd_service_stop.yml @@ -1,11 +1,11 @@ name: Linux Auditd Service Stop id: 0643483c-bc62-455c-8d6e-1630e5f0e00d -version: 1 -date: '2024-08-08' +version: 2 +date: '2025-02-20' author: Teoderick Contreras, Splunk description: Data source object for Linux Auditd Service Stop Type -source: /var/log/audit/audit.log -sourcetype: linux:audit +source: auditd +sourcetype: auditd configuration: https://github.com/Neo23x0/auditd/blob/master/audit.rules supported_TA: - name: Splunk Add-on for Unix and Linux diff --git a/data_sources/linux_auditd_syscall.yml b/data_sources/linux_auditd_syscall.yml index 6246b98eaf..00a1fa9493 100644 --- a/data_sources/linux_auditd_syscall.yml +++ b/data_sources/linux_auditd_syscall.yml @@ -1,11 +1,11 @@ name: Linux Auditd Syscall id: 4dff7047-0d43-4096-bb3f-b756c889bbad -version: 1 -date: '2024-08-08' +version: 2 +date: '2025-02-20' author: Teoderick Contreras, Splunk description: Data source object for Linux Auditd Syscall Type -source: /var/log/audit/audit.log -sourcetype: linux:audit +source: auditd +sourcetype: auditd configuration: https://github.com/Neo23x0/auditd/blob/master/audit.rules supported_TA: - name: Splunk Add-on for Unix and Linux 
diff --git a/detections/endpoint/linux_auditd_add_user_account.yml b/detections/endpoint/linux_auditd_add_user_account.yml index c29d67571e..58966a46db 100644 --- a/detections/endpoint/linux_auditd_add_user_account.yml +++ b/detections/endpoint/linux_auditd_add_user_account.yml @@ -1,7 +1,7 @@ name: Linux Auditd Add User Account id: aae66dc0-74b4-4807-b480-b35f8027abb4 -version: 4 -date: '2025-02-10' +version: 5 +date: '2025-02-20' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -14,11 +14,12 @@ description: The following analytic detects the creation of new user accounts on the system, posing a severe security risk. data_source: - Linux Auditd Proctitle -search: '`linux_auditd` `linux_auditd_normalized_proctitle_process`| rename host as - dest | where LIKE (process_exec, "%useradd%") OR LIKE (process_exec, "%adduser%") - | stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle - dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| - `linux_auditd_add_user_account_filter`' +search: '`linux_auditd` proctitle IN ("*useradd*", "*adduser*") + | rename host as dest + | stats count min(_time) as firstTime max(_time) as lastTime by proctitle dest + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + |`linux_auditd_add_user_account_filter`' how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested 
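Review bot: The rewritten search matches `proctitle IN ("*useradd*", "*adduser*")` on the raw field, but auditd hex-encodes `proctitle` whenever the command line contains a space or non-printable byte, so a typical `/usr/sbin/useradd -m bob` arrives as a hex string and the wildcard will only hit if the new `auditd` sourcetype decodes it at search time. The dropped `linux_auditd_normalized_proctitle_process` macro presumably performed that decode, and the `macros/linux_auditd.yml` change listed in the diffstat is not visible here, so this should be confirmed against an event with arguments rather than the test dataset alone. Whichever way it resolves, `how_to_implement` should state the assumption, e.g. `proctitle is hex-encoded by auditd when it contains spaces; the auditd sourcetype is expected to decode it before this search runs.` The `stats ... by proctitle dest` grouping also no longer emits `process_exec`, so `linux_auditd_add_user_account_filter` must not reference that field anymore.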
@@ -70,6 +71,6 @@ tests: - name: True Positive Test attack_data: - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/linux_auditd_add_user/linux_auditd_add_user.log - source: /var/log/audit/audit.log - sourcetype: linux:audit + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/linux_auditd_add_user/auditd_proctitle_user_add.log + source: auditd + sourcetype: auditd diff --git a/detections/endpoint/linux_auditd_at_application_execution.yml b/detections/endpoint/linux_auditd_at_application_execution.yml index e9c76689ff..04e207d7a1 100644 --- a/detections/endpoint/linux_auditd_at_application_execution.yml +++ b/detections/endpoint/linux_auditd_at_application_execution.yml @@ -1,7 +1,7 @@ name: Linux Auditd At Application Execution id: 9f306e0a-1c36-469e-8892-968ca12470dd -version: 4 -date: '2025-02-10' +version: 5 +date: '2025-02-20' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -76,5 +76,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/linux_auditd_at/linux_auditd_at_execution.log - source: /var/log/audit/audit.log - sourcetype: linux:audit + source: auditd + sourcetype: auditd diff --git a/detections/endpoint/linux_auditd_auditd_service_stop.yml b/detections/endpoint/linux_auditd_auditd_service_stop.yml index 8efe47b2f9..998f4dc6df 100644 --- a/detections/endpoint/linux_auditd_auditd_service_stop.yml +++ b/detections/endpoint/linux_auditd_auditd_service_stop.yml @@ -1,7 +1,7 @@ name: Linux Auditd Auditd Service Stop id: 6cb9d0e1-eabe-41de-a11a-5efade354e9d -version: 3 -date: '2024-11-13' +version: 4 +date: '2025-02-20' author: Teoderick Contreras, Splunk status: production type: Anomaly 
@@ -71,5 +71,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1489/linux_auditd_auditd_service_stop/linux_auditd_auditd_service_stop.log - source: /var/log/audit/audit.log - sourcetype: linux:audit + source: auditd + sourcetype: auditd diff --git a/detections/endpoint/linux_auditd_base64_decode_files.yml b/detections/endpoint/linux_auditd_base64_decode_files.yml index 57b3c91b7f..63515e16ee 100644 --- a/detections/endpoint/linux_auditd_base64_decode_files.yml +++ b/detections/endpoint/linux_auditd_base64_decode_files.yml @@ -1,7 +1,7 @@ name: Linux Auditd Base64 Decode Files id: 5890ba10-4e48-4dc0-8a40-3e1ebe75e737 -version: 3 -date: '2024-11-13' +version: 4 +date: '2025-02-20' author: Teoderick Contreras, Splunk status: production type: Anomaly 
@@ -15,11 +15,12 @@ description: The following analytic detects suspicious Base64 decode operations risks associated with encoded malware or unauthorized data access. data_source: - Linux Auditd Execve -search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as - dest | where LIKE(process_exec, "%base64%") AND (LIKE(process_exec, "%-d %") OR - LIKE(process_exec, "% --d%")) | stats count min(_time) as firstTime max(_time) as - lastTime by argc process_exec dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| - `linux_auditd_base64_decode_files_filter`' +search: '`linux_auditd` execve_command = "*base64*" AND execve_command IN ("*-d*", "* --d*") + | rename host as dest + | stats count min(_time) as firstTime max(_time) as lastTime by argc execve_command dest + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + |`linux_auditd_base64_decode_files_filter`' how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested @@ -74,6 +75,6 @@ tests: - name: True Positive Test attack_data: - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1140/linux_auditd_base64/linux_auditd_base64.log - source: /var/log/audit/audit.log - sourcetype: linux:audit + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1140/linux_auditd_base64/auditd_execve_base64.log + source: auditd + sourcetype: auditd diff --git a/detections/endpoint/linux_auditd_change_file_owner_to_root.yml b/detections/endpoint/linux_auditd_change_file_owner_to_root.yml index b4733004c9..29941a0e70 100644 --- a/detections/endpoint/linux_auditd_change_file_owner_to_root.yml +++ b/detections/endpoint/linux_auditd_change_file_owner_to_root.yml 
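Review bot: In the new search, `execve_command IN ("*-d*", "* --d*")` is broader than the `"%-d %"` / `"% --d%"` pair it replaces: the second pattern is entirely subsumed by the first (any string containing ` --d` also contains `-d`), and `*-d*` matches `-d` inside unrelated tokens such as `--data`, `-dir`, or a file name like `foo-d.txt`, where the old form required a following space. Anchoring the option on whitespace keeps the intent of matching both short and long decode flags: `execve_command = "*base64*" AND execve_command IN ("* -d *", "* -d", "* --decode*")`. The `execve_command` field itself is assumed to be populated by the new `auditd` sourcetype extraction; that dependency is not shown in this hunk and is worth a sentence in `how_to_implement`.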
@@ -1,7 +1,7 @@ name: Linux Auditd Change File Owner To Root id: 7b87c556-0ca4-47e0-b84c-6cd62a0a3e90 -version: 5 -date: '2025-02-10' +version: 6 +date: '2025-02-20' author: Teoderick Contreras, Splunk status: production type: TTP @@ -14,11 +14,12 @@ description: The following analytic detects the use of the 'chown' command to ch persistence within the environment. data_source: - Linux Auditd Proctitle -search: '`linux_auditd` `linux_auditd_normalized_proctitle_process`| rename host as - dest | where LIKE (process_exec, "%chown %root%") | stats count min(_time) as firstTime - max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter - dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| - `linux_auditd_change_file_owner_to_root_filter`' +search: '`linux_auditd` proctitle = "*chown *root*" + | rename host as dest + | stats count min(_time) as firstTime max(_time) as lastTime by proctitle dest + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `linux_auditd_change_file_owner_to_root_filter`' how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should @@ -73,6 +74,6 @@ tests: - name: True Positive Test attack_data: - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/linux_auditd_chown_root/linux_auditd_chown_root.log - source: /var/log/audit/audit.log - sourcetype: linux:audit + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/linux_auditd_chown_root/auditd_proctitle_chown_root.log + source: auditd + sourcetype: auditd diff --git a/detections/endpoint/linux_auditd_clipboard_data_copy.yml b/detections/endpoint/linux_auditd_clipboard_data_copy.yml index 0a32d1b5d3..52cc20510a 100644 
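Review bot: `proctitle = "*chown *root*"` is evaluated on the raw `proctitle` field, which auditd hex-encodes whenever the command line contains a space, so this pattern can only match if the `auditd` sourcetype decodes the field before search time; the removed `linux_auditd_normalized_proctitle_process` macro presumably did that, and nothing in this hunk shows the replacement. Separately, `*root*` after `chown ` also matches a path argument such as `chown alice /root/notes`, which is not an ownership change to root; a tighter pair is `proctitle IN ("*chown *root *", "*chown *root:*")`, which still covers `chown root file`, `chown -R root dir` and `chown root:root file`. The `stats` key also dropped `process_exec` and `normalized_proctitle_delimiter`, so `linux_auditd_change_file_owner_to_root_filter` should be checked for references to those fields.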
--- a/detections/endpoint/linux_auditd_clipboard_data_copy.yml
+++ b/detections/endpoint/linux_auditd_clipboard_data_copy.yml
@@ -1,14 +1,19 @@ name: Linux Auditd Clipboard Data Copy id: 9ddfe470-c4d0-4e60-8668-7337bd699edd -version: 3 -date: '2025-01-16' +version: 4 +date: '2025-02-20' author: Teoderick Contreras, Splunk status: production type: Anomaly description: The following analytic detects the use of the Linux 'xclip' command to copy data from the clipboard. It leverages Linux Auditd telemetry, focusing on process names and command-line arguments related to clipboard operations. This activity is significant because adversaries can exploit clipboard data to capture sensitive information such as passwords or IP addresses. If confirmed malicious, this technique could lead to unauthorized data exfiltration, compromising sensitive information and potentially aiding further attacks within the environment. data_source: - Linux Auditd Execve -search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | rename comm as process_name | rename exe as process | where LIKE(process_exec, "%xclip%") AND (LIKE(process_exec, "%clipboard%") OR LIKE(process_exec, "%-o%") OR LIKE(process_exec, "%clip %") OR LIKE(process_exec, "%-selection %") OR LIKE(process_exec, "%sel %")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_clipboard_data_copy_filter`' +search: '`linux_auditd` execve_command IN ("*xclip*", "*clipboard*") AND execve_command IN ("*-o*", "*-selection *", "*-sel *" ) + | rename host as dest + | stats count min(_time) as firstTime max(_time) as lastTime by argc execve_command dest + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `linux_auditd_clipboard_data_copy_filter`' how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. 
These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed known_false_positives: False positives may be present on Linux desktop as it may commonly be used by administrators or end users. Filter as needed. references: @@ -46,6 +51,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1115/linux_auditd_xclip/linux_auditd_xclip.log - source: /var/log/audit/audit.log - sourcetype: linux:audit + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1115/linux_auditd_xclip/linux_auditd_xclip2.log + source: auditd + sourcetype: auditd diff --git a/detections/endpoint/linux_auditd_data_destruction_command.yml b/detections/endpoint/linux_auditd_data_destruction_command.yml index 94d554eb0a..cf65e8ed1e 100644 --- a/detections/endpoint/linux_auditd_data_destruction_command.yml +++ b/detections/endpoint/linux_auditd_data_destruction_command.yml 
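Review bot: The first clause of the rewritten search, `execve_command IN ("*xclip*", "*clipboard*")`, no longer requires xclip: the old logic was xclip AND (clipboard OR -o OR …), whereas now any command line containing "clipboard" plus the bare substring `-o` (which also matches `--output`, `--only`, `-oX`) qualifies, while the name, description and known_false_positives still describe xclip specifically. If the intent is to also cover xsel-style tools, say so in the description and name them, e.g. `execve_command IN ("*xclip*", "*xsel*")`; otherwise restore xclip as the mandatory anchor and return `"*clipboard*"` to the second group: `execve_command = "*xclip*" AND execve_command IN ("*clipboard*", "* -o*", "*-selection *", "*-sel *")`. In either form give `-o` a leading space so it matches an option token rather than any hyphen-o substring.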
@@ -1,14 +1,19 @@ name: Linux Auditd Data Destruction Command id: 4da5ce1a-f71b-4e71-bb73-c0a3c73f3c3c -version: 3 -date: '2025-01-15' +version: 4 +date: '2025-02-20' author: Teoderick Contreras, Splunk status: production type: TTP description: The following analytic detects the execution of a Unix shell command designed to wipe root directories on a Linux host. It leverages data from Linux Auditd, focusing on the 'rm' command with force recursive deletion and the '--no-preserve-root' option. This activity is significant as it indicates potential data destruction attempts, often associated with malware like Awfulshred. If confirmed malicious, this behavior could lead to severe data loss, system instability, and compromised integrity of the affected Linux host. Immediate investigation and response are crucial to mitigate potential damage. data_source: -- Linux Auditd Execve -search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | rename comm as process_name | rename exe as process | where LIKE (process_exec, "%rm %") AND LIKE (process_exec, "% -rf %") AND LIKE (process_exec, "%--no-preserve-root%") | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_data_destruction_command_filter`' +- Linux Auditd Proctitle +search: '`linux_auditd` (proctitle = "*rm *" AND proctitle = "*-rf *" AND proctitle = "*--no-preserve-root*") + | rename host as dest + | stats count min(_time) as firstTime max(_time) as lastTime by proctitle dest + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `linux_auditd_data_destruction_command_filter`' how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. 
These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed known_false_positives: unknown references: @@ -46,6 +51,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/linux_auditd_no_preserve_root/linux_auditd_no_preserve_root.log - source: /var/log/audit/audit.log - sourcetype: linux:audit + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/linux_auditd_no_preserve_root/auditd_proctitle_rm_rf.log + source: auditd + sourcetype: auditd diff --git a/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split.yml b/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split.yml index 2c7f2eee4e..0d4cea6c4c 100644 --- a/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split.yml +++ b/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split.yml 
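Review bot: The rewritten filter requires the fixed token `-rf ` (`proctitle = "*-rf *"`), so `rm -fr /`, `rm -Rf /`, `rm -rfv /`, `rm -r -f /` and `rm --recursive --force --no-preserve-root /` all pass even though each carries `--no-preserve-root`, the one flag that has no purpose other than deleting the root filesystem. Since that flag is the real signal, make the recursive-flag check order-insensitive, e.g. `proctitle = "*rm *" AND proctitle = "*--no-preserve-root*" AND proctitle IN ("* -r*", "* -R*", "* -f*", "*--recursive*")`, or drop it entirely and rely on `--no-preserve-root`. The data_source also switched from Execve to Proctitle here; the same hex-encoding caveat applies as for the other proctitle searches, and known_false_positives is still "unknown" after a change in telemetry source.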
@@ -1,14 +1,19 @@ name: Linux Auditd Data Transfer Size Limits Via Split id: 4669561d-3bbd-44e3-857c-0e3c6ef2120c version: 3 -date: '2025-01-15' +date: '2025-02-20' author: Teoderick Contreras, Splunk status: production type: Anomaly description: The following analytic detects suspicious data transfer activities that involve the use of the `split` syscall, potentially indicating an attempt to evade detection by breaking large files into smaller parts. Attackers may use this technique to bypass size-based security controls, facilitating the covert exfiltration of sensitive data. By monitoring for unusual or unauthorized use of the `split` syscall, this analytic helps identify potential data exfiltration attempts, allowing security teams to intervene and prevent the unauthorized transfer of critical information from the network. data_source: - Linux Auditd Execve -search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | rename comm as process_name | rename exe as process | where LIKE(process_exec, "%split %") AND LIKE(process_exec, "% -b %") | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_data_transfer_size_limits_via_split_filter`' +search: '`linux_auditd` execve_command = "*split*" AND execve_command = "*-b *" + | rename host as dest + | stats count min(_time) as firstTime max(_time) as lastTime by argc execve_command dest + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `linux_auditd_data_transfer_size_limits_via_split_filter`' how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. 
These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. references: @@ -46,6 +51,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1030/linux_auditd_split_b_exec/linux_auditd_split_b_exec.log - source: /var/log/audit/audit.log - sourcetype: linux:audit + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1030/linux_auditd_split_b_exec/auditd_execve_split.log + source: auditd + sourcetype: auditd diff --git a/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split_syscall.yml b/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split_syscall.yml index 835309e3f6..486d997610 100644 --- a/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split_syscall.yml +++ b/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split_syscall.yml @@ -1,7 +1,7 @@ name: Linux Auditd Data Transfer Size Limits Via Split Syscall id: c03d4a49-cf9d-435b-86e9-c6f8c9b6c42e -version: 3 -date: '2024-11-13' +version: 4 +date: '2024-02-20' author: Teoderick Contreras, Splunk status: production type: Anomaly 
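Review bot: Dropping the trailing space (`"*split*"` where the old predicate was `%split %`) turns the tool match into a bare substring match, so any command line whose path or argument contains "split" (e.g. `python3 split_dataset.py -b 1`) now fires as long as `-b ` appears somewhere, and `"*-b *"` likewise lost its leading space; restore both boundaries: `execve_command = "*split *" AND execve_command = "* -b *"`. The unchanged description calls `split` a syscall, but what this search matches in EXECVE records is the coreutils `split` binary, so the wording should be corrected while the file is being touched.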
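Review bot: The new `date: '2024-02-20'` in this version bump is a year behind the `2025-02-20` every sibling file in this commit receives and earlier than the `2024-11-13` it replaces, so version 4 appears to predate version 3. It should read `date: '2025-02-20'`.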
@@ -73,5 +73,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1030/linux_auditd_split_syscall/linux_auditd_split_syscall.log - source: /var/log/audit/audit.log - sourcetype: linux:audit + source: auditd + sourcetype: auditd diff --git a/detections/endpoint/linux_auditd_database_file_and_directory_discovery.yml b/detections/endpoint/linux_auditd_database_file_and_directory_discovery.yml index d9643341cb..6f6cc7253b 100644 --- a/detections/endpoint/linux_auditd_database_file_and_directory_discovery.yml +++ b/detections/endpoint/linux_auditd_database_file_and_directory_discovery.yml 
@@ -1,14 +1,19 @@ name: Linux Auditd Database File And Directory Discovery id: f616c4f3-bde9-41cf-856c-019b65f668bb -version: 4 -date: '2025-01-15' +version: 5 +date: '2025-02-20' author: Teoderick Contreras, Splunk status: production type: Anomaly description: The following analytic detects suspicious database file and directory discovery activities, which may signal an attacker attempt to locate and assess critical database assets on a compromised system. This behavior is often a precursor to data theft, unauthorized access, or privilege escalation, as attackers seek to identify valuable information stored in databases. By monitoring for unusual or unauthorized attempts to locate database files and directories, this analytic aids in early detection of potential reconnaissance or data breach efforts, enabling security teams to respond swiftly and mitigate the risk of further compromise. data_source: - Linux Auditd Execve -search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | rename comm as process_name | rename exe as process | where (LIKE (process_exec, "%find%") OR LIKE (process_exec, "%grep%")) AND (LIKE (process_exec, "%.db%") OR LIKE (process_exec, "%.sql%") OR LIKE (process_exec, "%.sqlite%") OR LIKE (process_exec, "%.mdb%")OR LIKE (process_exec, "%.accdb%")OR LIKE (process_exec, "%.mdf%")OR LIKE (process_exec, "%.ndf%")OR LIKE (process_exec, "%.ldf%")OR LIKE (process_exec, "%.frm%")OR LIKE (process_exec, "%.idb%")OR LIKE (process_exec, "%.myd%")OR LIKE (process_exec, "%.myi%")OR LIKE (process_exec, "%.dbf%")OR LIKE (process_exec, "%.db2%")OR LIKE (process_exec, "%.dbc%")OR LIKE (process_exec, "%.fpt%")OR LIKE (process_exec, "%.ora%")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_database_file_and_directory_discovery_filter`' +search: '`linux_auditd` execve_command IN ("*find*", "*grep*") AND 
execve_command IN("*.db*", "*.sql*", "*.sqlite*", "*.mdb*", "*.accdb*", "*.mdf*", "*.ndf*", "*.ldf*", "*.frm*", "*.myd*", "*.myi*", "*.dbf*", "*.db2*", "*.dbc*", "*.fpt*", "*.ora*") + | rename host as dest + | stats count min(_time) as firstTime max(_time) as lastTime by argc execve_command dest + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `linux_auditd_database_file_and_directory_discovery_filter`' how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. references: @@ -49,5 +54,5 @@ tests: - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1083/linux_auditd_find_db/linux_auditd_find_db.log - source: /var/log/audit/audit.log - sourcetype: linux:audit + source: auditd + sourcetype: auditd diff --git a/macros/linux_auditd.yml b/macros/linux_auditd.yml index 66f941fb15..2090301d54 100644 --- a/macros/linux_auditd.yml +++ b/macros/linux_auditd.yml 
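Review bot: The rewritten extension list silently drops `.idb`, which the old `LIKE` chain included, so the commit narrows coverage without saying so. If it was removed because it was wrong, the MySQL/InnoDB per-table file extension is `.ibd`, so add `"*.ibd*"` to the `IN` list rather than deleting the entry; if the removal was intentional, note it in the description. Minor: `"*.db*"` already subsumes `"*.dbf*"`, `"*.db2*"` and `"*.dbc*"`, and `"*.sql*"` subsumes `"*.sqlite*"`, so the list could be shortened without changing what matches, though that same breadth (`*.db*` also matches `.dbus`) is worth a mention in known_false_positives.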
@@ -1,4 +1,4 @@ -definition: sourcetype="linux:audit" +definition: sourcetype="auditd" description: customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environment. name: linux_auditd \ No newline at end of file From 3490fc07e951a69fcf48d1e1ccf478ee94cb924c Mon Sep 17 00:00:00 2001 From: Teoderick Contreras Date: Thu, 20 Feb 2025 13:51:30 +0100 Subject: [PATCH 05/30] auditd_detection_updates --- detections/endpoint/linux_auditd_add_user_account.yml | 2 +- detections/endpoint/linux_auditd_base64_decode_files.yml | 2 +- detections/endpoint/linux_auditd_change_file_owner_to_root.yml | 2 +- detections/endpoint/linux_auditd_clipboard_data_copy.yml | 2 +- detections/endpoint/linux_auditd_data_destruction_command.yml | 2 +- .../linux_auditd_data_transfer_size_limits_via_split.yml | 2 +- .../linux_auditd_database_file_and_directory_discovery.yml | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/detections/endpoint/linux_auditd_add_user_account.yml b/detections/endpoint/linux_auditd_add_user_account.yml index 58966a46db..5f5495f156 100644 --- a/detections/endpoint/linux_auditd_add_user_account.yml +++ b/detections/endpoint/linux_auditd_add_user_account.yml @@ -48,7 +48,7 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: A [$process_exec$] event occurred on host - [$dest$] to add a user account. + message: A [$proctitle$] event occurred on host - [$dest$] to add a user account. risk_objects: - field: dest type: system diff --git a/detections/endpoint/linux_auditd_base64_decode_files.yml b/detections/endpoint/linux_auditd_base64_decode_files.yml index 63515e16ee..2f31c31cd6 100644 --- a/detections/endpoint/linux_auditd_base64_decode_files.yml +++ b/detections/endpoint/linux_auditd_base64_decode_files.yml 
@@ -50,7 +50,7 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: A [$process_exec$] event occurred on host - [$dest$] to decode a file using + message: A [$execve_command$] event occurred on host - [$dest$] to decode a file using base64. risk_objects: - field: dest diff --git a/detections/endpoint/linux_auditd_change_file_owner_to_root.yml b/detections/endpoint/linux_auditd_change_file_owner_to_root.yml index 29941a0e70..a4207c03da 100644 --- a/detections/endpoint/linux_auditd_change_file_owner_to_root.yml +++ b/detections/endpoint/linux_auditd_change_file_owner_to_root.yml @@ -49,7 +49,7 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: A [$process_exec$] event occurred on host - [$dest$] to change a file owner + message: A [$proctitle$] event occurred on host - [$dest$] to change a file owner to root. risk_objects: - field: dest diff --git a/detections/endpoint/linux_auditd_clipboard_data_copy.yml b/detections/endpoint/linux_auditd_clipboard_data_copy.yml index 52cc20510a..1faf59a8a0 100644 --- a/detections/endpoint/linux_auditd_clipboard_data_copy.yml +++ b/detections/endpoint/linux_auditd_clipboard_data_copy.yml @@ -29,7 +29,7 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: A [$process_exec$] event occurred on host - [$dest$] to copy data from + message: A [$execve_command$] event occurred on host - [$dest$] to copy data from the clipboard. risk_objects: - field: dest diff --git a/detections/endpoint/linux_auditd_data_destruction_command.yml b/detections/endpoint/linux_auditd_data_destruction_command.yml index cf65e8ed1e..d7f237aa00 100644 --- a/detections/endpoint/linux_auditd_data_destruction_command.yml +++ b/detections/endpoint/linux_auditd_data_destruction_command.yml 
@@ -29,7 +29,7 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: A [$process_exec$] event occurred on host - [$dest$] to destroy data. + message: A [$proctitle$] event occurred on host - [$dest$] to destroy data. risk_objects: - field: dest type: system diff --git a/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split.yml b/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split.yml index 0d4cea6c4c..28cc14444b 100644 --- a/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split.yml +++ b/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split.yml @@ -28,7 +28,7 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: A [$process_exec$] event occurred on host - [$dest$] to split a file. + message: A [$execve_command$] event occurred on host - [$dest$] to split a file. risk_objects: - field: dest type: system diff --git a/detections/endpoint/linux_auditd_database_file_and_directory_discovery.yml b/detections/endpoint/linux_auditd_database_file_and_directory_discovery.yml index 6f6cc7253b..3da1063408 100644 --- a/detections/endpoint/linux_auditd_database_file_and_directory_discovery.yml +++ b/detections/endpoint/linux_auditd_database_file_and_directory_discovery.yml @@ -29,7 +29,7 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: A [$process_exec$] event occurred on host - [$dest$] to discover database + message: A [$execve_command$] event occurred on host - [$dest$] to discover database files and directories. risk_objects: - field: dest From 9743a1b6063195eb0492065ee64567b159434795 Mon Sep 17 00:00:00 2001 From: Teoderick Contreras Date: Thu, 20 Feb 2025 14:03:56 +0100 Subject: [PATCH 06/30] auditd_detection_updates --- .../linux_auditd_data_transfer_size_limits_via_split.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split.yml b/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split.yml index 28cc14444b..05b0e1fbaa 100644 --- a/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split.yml +++ b/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split.yml @@ -1,6 +1,6 @@ name: Linux Auditd Data Transfer Size Limits Via Split id: 4669561d-3bbd-44e3-857c-0e3c6ef2120c -version: 3 +version: 4 date: '2025-02-20' author: Teoderick Contreras, Splunk status: production From 23c36c358c6d683082a45509b0163e563def173a Mon Sep 17 00:00:00 2001 From: Teoderick Contreras Date: Thu, 20 Feb 2025 14:20:12 +0100 Subject: [PATCH 07/30] auditd_detection_updates --- ...inux_auditd_disable_or_modify_system_firewall.yml | 8 ++++---- .../linux_auditd_doas_conf_file_creation.yml | 8 ++++---- .../endpoint/linux_auditd_doas_tool_execution.yml | 8 ++++---- .../linux_auditd_edit_cron_table_parameter.yml | 8 ++++---- ...itd_insert_kernel_module_using_insmod_utility.yml | 8 ++++---- ..._install_kernel_module_using_modprobe_utility.yml | 8 ++++---- .../linux_auditd_kernel_module_enumeration.yml | 8 ++++---- ...inux_auditd_kernel_module_using_rmmod_utility.yml | 8 ++++---- .../endpoint/linux_auditd_osquery_service_stop.yml | 8 ++++---- ...le_access_or_modification_of_sshd_config_file.yml | 8 ++++---- .../linux_auditd_possible_access_to_sudoers_file.yml | 8 ++++---- ...append_cronjob_entry_on_existing_cronjob_file.yml | 8 ++++---- .../linux_auditd_preload_hijack_via_preload_file.yml | 8 ++++---- detections/endpoint/linux_auditd_stop_services.yml | 8 ++++---- .../endpoint/linux_auditd_sysmon_service_stop.yml | 12 ++++++------ ...auditd_system_network_configuration_discovery.yml | 8 ++++---- ..._auditd_unix_shell_configuration_modification.yml | 8 ++++---- .../endpoint/linux_auditd_whoami_user_discovery.yml | 8 ++++---- 18 files changed, 74 insertions(+), 74 deletions(-) 
diff --git a/detections/endpoint/linux_auditd_disable_or_modify_system_firewall.yml b/detections/endpoint/linux_auditd_disable_or_modify_system_firewall.yml index a825c4c9fe..629ee61ab7 100644 --- a/detections/endpoint/linux_auditd_disable_or_modify_system_firewall.yml +++ b/detections/endpoint/linux_auditd_disable_or_modify_system_firewall.yml @@ -1,7 +1,7 @@ name: Linux Auditd Disable Or Modify System Firewall id: 07052556-d4b5-4bae-89aa-cbdc1bb11250 -version: 4 -date: '2025-02-10' +version: 5 +date: '2025-02-20' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -72,5 +72,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.004/linux_auditd_disable_firewall/linux_auditd_disable_firewall.log - source: /var/log/audit/audit.log - sourcetype: linux:audit + source: auditd + sourcetype: auditd diff --git a/detections/endpoint/linux_auditd_doas_conf_file_creation.yml b/detections/endpoint/linux_auditd_doas_conf_file_creation.yml index ce27362871..b372d94491 100644 --- a/detections/endpoint/linux_auditd_doas_conf_file_creation.yml +++ b/detections/endpoint/linux_auditd_doas_conf_file_creation.yml @@ -1,7 +1,7 @@ name: Linux Auditd Doas Conf File Creation id: 61059783-574b-40d2-ac2f-69b898afd6b4 -version: 4 -date: '2025-02-10' +version: 5 +date: '2025-02-20' author: Teoderick Contreras, Splunk status: production type: TTP @@ -71,5 +71,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_audited_doas_conf/linux_audited_doas_conf.log - source: /var/log/audit/audit.log - sourcetype: linux:audit + source: auditd + sourcetype: auditd diff --git a/detections/endpoint/linux_auditd_doas_tool_execution.yml b/detections/endpoint/linux_auditd_doas_tool_execution.yml index d955c86264..02f6c4ea83 100644 --- a/detections/endpoint/linux_auditd_doas_tool_execution.yml 
+++ b/detections/endpoint/linux_auditd_doas_tool_execution.yml @@ -1,7 +1,7 @@ name: Linux Auditd Doas Tool Execution id: 91b8ca78-f205-4826-a3ef-cd8d6b24e97b -version: 4 -date: '2025-02-10' +version: 5 +date: '2025-02-20' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -72,5 +72,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_auditd_doas/linux_auditd_doas.log - source: /var/log/audit/audit.log - sourcetype: linux:audit + source: auditd + sourcetype: auditd diff --git a/detections/endpoint/linux_auditd_edit_cron_table_parameter.yml b/detections/endpoint/linux_auditd_edit_cron_table_parameter.yml index e3a2452cda..fc988e0f66 100644 --- a/detections/endpoint/linux_auditd_edit_cron_table_parameter.yml +++ b/detections/endpoint/linux_auditd_edit_cron_table_parameter.yml @@ -1,7 +1,7 @@ name: Linux Auditd Edit Cron Table Parameter id: f4bb7321-7e64-4d1e-b1aa-21f8b019a91f -version: 4 -date: '2025-02-10' +version: 5 +date: '2025-02-20' author: Teoderick Contreras, Splunk status: production type: TTP @@ -74,5 +74,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/linux_auditd_crontab_edit/linux_auditd_crontab_edit.log - source: /var/log/audit/audit.log - sourcetype: linux:audit + source: auditd + sourcetype: auditd diff --git a/detections/endpoint/linux_auditd_insert_kernel_module_using_insmod_utility.yml b/detections/endpoint/linux_auditd_insert_kernel_module_using_insmod_utility.yml index 0b168373bc..f79c5a9b34 100644 --- a/detections/endpoint/linux_auditd_insert_kernel_module_using_insmod_utility.yml +++ b/detections/endpoint/linux_auditd_insert_kernel_module_using_insmod_utility.yml 
@@ -1,7 +1,7 @@ name: Linux Auditd Insert Kernel Module Using Insmod Utility id: bc0ca53f-dea6-4906-9b12-09c396fdf1d3 -version: 5 -date: '2025-02-10' +version: 6 +date: '2025-02-20' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -75,5 +75,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/linux_auditd_insmod/linux_auditd_insmod.log - source: /var/log/audit/audit.log - sourcetype: linux:audit + source: auditd + sourcetype: auditd diff --git a/detections/endpoint/linux_auditd_install_kernel_module_using_modprobe_utility.yml b/detections/endpoint/linux_auditd_install_kernel_module_using_modprobe_utility.yml index a57cd34a93..b9e5e8f45c 100644 --- a/detections/endpoint/linux_auditd_install_kernel_module_using_modprobe_utility.yml +++ b/detections/endpoint/linux_auditd_install_kernel_module_using_modprobe_utility.yml @@ -1,7 +1,7 @@ name: Linux Auditd Install Kernel Module Using Modprobe Utility id: 95165985-ace5-4d42-9c42-93a89a5af901 -version: 4 -date: '2025-02-10' +version: 5 +date: '2025-02-20' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -74,5 +74,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/linux_auditd_modprobe/linux_auditd_modprobe.log - source: /var/log/audit/audit.log - sourcetype: linux:audit + source: auditd + sourcetype: auditd diff --git a/detections/endpoint/linux_auditd_kernel_module_enumeration.yml b/detections/endpoint/linux_auditd_kernel_module_enumeration.yml index 266495693a..ee8c4f81e5 100644 --- a/detections/endpoint/linux_auditd_kernel_module_enumeration.yml +++ b/detections/endpoint/linux_auditd_kernel_module_enumeration.yml 
@@ -1,7 +1,7 @@ name: Linux Auditd Kernel Module Enumeration id: d1b088de-c47a-4572-9339-bdcc26493b32 -version: 4 -date: '2024-12-17' +version: 5 +date: '2025-02-20' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -72,5 +72,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1082/linux_auditd_lsmod/linux_auditd_lsmod.log - source: /var/log/audit/audit.log - sourcetype: linux:audit + source: auditd + sourcetype: auditd diff --git a/detections/endpoint/linux_auditd_kernel_module_using_rmmod_utility.yml b/detections/endpoint/linux_auditd_kernel_module_using_rmmod_utility.yml index 0d437219d2..f31c9ddf36 100644 --- a/detections/endpoint/linux_auditd_kernel_module_using_rmmod_utility.yml +++ b/detections/endpoint/linux_auditd_kernel_module_using_rmmod_utility.yml @@ -1,7 +1,7 @@ name: Linux Auditd Kernel Module Using Rmmod Utility id: 31810b7a-0abe-42be-a210-0dec8106afee -version: 4 -date: '2025-02-10' +version: 5 +date: '2025-02-20' author: Teoderick Contreras, Splunk status: production type: TTP @@ -73,5 +73,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/linux_auditd_rmmod/linux_auditd_rmmod.log - source: /var/log/audit/audit.log - sourcetype: linux:audit + source: auditd + sourcetype: auditd diff --git a/detections/endpoint/linux_auditd_osquery_service_stop.yml b/detections/endpoint/linux_auditd_osquery_service_stop.yml index edf2a44c84..81af9cea3b 100644 --- a/detections/endpoint/linux_auditd_osquery_service_stop.yml +++ b/detections/endpoint/linux_auditd_osquery_service_stop.yml @@ -1,7 +1,7 @@ name: Linux Auditd Osquery Service Stop id: 0c320fea-6e87-4b99-a884-74d09d4b655d -version: 3 -date: '2024-11-13' +version: 4 +date: '2025-02-20' author: Teoderick Contreras, Splunk status: production type: TTP 
@@ -73,5 +73,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1489/linux_auditd_osquerd_service_stop/linux_auditd_osquerd_service_stop.log - source: /var/log/audit/audit.log - sourcetype: linux:audit + source: auditd + sourcetype: auditd diff --git a/detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml b/detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml index a9323c6d19..bd1f8f7e8e 100644 --- a/detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml +++ b/detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml @@ -1,7 +1,7 @@ name: Linux Auditd Possible Access Or Modification Of Sshd Config File id: acb3ea33-70f7-47aa-b335-643b3aebcb2f -version: 4 -date: '2025-02-10' +version: 5 +date: '2025-02-20' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -74,5 +74,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.004/linux_auditd_nopasswd/linux_auditd_ssh_config.log - source: /var/log/audit/audit.log - sourcetype: linux:audit + source: auditd + sourcetype: auditd diff --git a/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml b/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml index ce58e5dae8..faa3f19bb0 100644 --- a/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml +++ b/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml @@ -1,7 +1,7 @@ name: Linux Auditd Possible Access To Sudoers File id: 8be88f46-f7e8-4ae6-b15e-cf1b13392834 -version: 5 -date: '2025-02-10' +version: 6 +date: '2025-02-20' author: Teoderick Contreras, Splunk status: production type: Anomaly 
@@ -74,5 +74,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_auditd_sudoers_access/linux_auditd_sudoers_access.log - source: /var/log/audit/audit.log - sourcetype: linux:audit + source: auditd + sourcetype: auditd diff --git a/detections/endpoint/linux_auditd_possible_append_cronjob_entry_on_existing_cronjob_file.yml b/detections/endpoint/linux_auditd_possible_append_cronjob_entry_on_existing_cronjob_file.yml index 7fac278e2a..557b1b7602 100644 --- a/detections/endpoint/linux_auditd_possible_append_cronjob_entry_on_existing_cronjob_file.yml +++ b/detections/endpoint/linux_auditd_possible_append_cronjob_entry_on_existing_cronjob_file.yml @@ -1,7 +1,7 @@ name: Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File id: fea71cf0-fa10-4ef6-9202-9682b2e0c477 -version: 5 -date: '2025-02-10' +version: 6 +date: '2025-02-20' author: Teoderick Contreras, Splunk status: production type: Hunting @@ -55,5 +55,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/linux_auditd_cron_file_audited/linux_auditd_cron_file_audited2.log - source: /var/log/audit/audit.log - sourcetype: linux:audit + source: auditd + sourcetype: auditd diff --git a/detections/endpoint/linux_auditd_preload_hijack_via_preload_file.yml b/detections/endpoint/linux_auditd_preload_hijack_via_preload_file.yml index d850271d2d..63d385c257 100644 --- a/detections/endpoint/linux_auditd_preload_hijack_via_preload_file.yml +++ b/detections/endpoint/linux_auditd_preload_hijack_via_preload_file.yml @@ -1,7 +1,7 @@ name: Linux Auditd Preload Hijack Via Preload File id: c1b7abca-55cb-4a39-bdfb-e28c1c12745f -version: 4 -date: '2025-02-10' +version: 5 +date: '2025-02-20' author: Teoderick Contreras, Splunk status: production type: TTP 
@@ -73,5 +73,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.006/linux_auditd_preload_file/linux_auditd_preload_file.log - source: /var/log/audit/audit.log - sourcetype: linux:audit + source: auditd + sourcetype: auditd diff --git a/detections/endpoint/linux_auditd_stop_services.yml b/detections/endpoint/linux_auditd_stop_services.yml index 23004f47e1..3e1608cc8a 100644 --- a/detections/endpoint/linux_auditd_stop_services.yml +++ b/detections/endpoint/linux_auditd_stop_services.yml @@ -1,7 +1,7 @@ name: Linux Auditd Stop Services id: 43bc9281-753b-4743-b4b7-60af84f085f3 -version: 3 -date: '2024-12-16' +version: 4 +date: '2025-02-20' author: Teoderick Contreras, Splunk status: production type: Hunting @@ -41,5 +41,5 @@ tests: - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1489/linux_auditd_service_stop/linux_auditd_service_stop.log - source: /var/log/audit/audit.log - sourcetype: linux:audit + source: auditd + sourcetype: auditd diff --git a/detections/endpoint/linux_auditd_sysmon_service_stop.yml b/detections/endpoint/linux_auditd_sysmon_service_stop.yml index 64021b8def..d65a42cd56 100644 --- a/detections/endpoint/linux_auditd_sysmon_service_stop.yml +++ b/detections/endpoint/linux_auditd_sysmon_service_stop.yml @@ -1,10 +1,10 @@ name: Linux Auditd Sysmon Service Stop id: 20901256-633a-40de-8753-7b88811a460f -version: 3 -date: '2024-11-13' +version: 4 +date: '2025-02-20' author: Teoderick Contreras, Splunk status: production -type: TTP +type: Anomaly description: The following analytic detects the suspicious sysmon service stop. This behavior is critical for a SOC to monitor because it may indicate attempts to gain unauthorized access or maintain control over a system. Such actions could be signs 
@@ -51,7 +51,7 @@ rba: risk_objects: - field: dest type: system - score: 64 + score: 40 threat_objects: [] tags: analytic_story: @@ -72,5 +72,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1489/linux_auditd_sysmon_service_stop.log/linux_auditd_sysmon_service_stop.log - source: /var/log/audit/audit.log - sourcetype: linux:audit + source: auditd + sourcetype: auditd diff --git a/detections/endpoint/linux_auditd_system_network_configuration_discovery.yml b/detections/endpoint/linux_auditd_system_network_configuration_discovery.yml index b518e8fa93..6eb0e19f4d 100644 --- a/detections/endpoint/linux_auditd_system_network_configuration_discovery.yml +++ b/detections/endpoint/linux_auditd_system_network_configuration_discovery.yml @@ -1,7 +1,7 @@ name: Linux Auditd System Network Configuration Discovery id: 5db16825-81bd-4923-a8d6-d6a13a59832a -version: 3 -date: '2024-11-13' +version: 4 +date: '2025-02-20' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -76,5 +76,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1016/linux_auditd_net_tool/linux_auditd_net_tool.log - source: /var/log/audit/audit.log - sourcetype: linux:audit + source: auditd + sourcetype: auditd diff --git a/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml b/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml index 664416e29d..d2f9250224 100644 --- a/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml +++ b/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml @@ -1,7 +1,7 @@ name: Linux Auditd Unix Shell Configuration Modification id: 66f737c6-3f7f-46ed-8e9b-cc0e5bf01f04 -version: 4 -date: '2025-02-10' +version: 5 +date: '2025-02-20' author: Teoderick Contreras, Splunk status: production type: TTP 
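Review bot: The `score: 64` → `score: 40` change in this hunk, together with the `type: TTP` → `type: Anomaly` change in the hunk just before it, downgrades the Sysmon-for-Linux service-stop analytic while the sibling `Linux Auditd Osquery Service Stop` detection earlier in this patch keeps `type: TTP` — both alert on stopping a security sensor (T1489 datasets), so a reader expects them to be scored alike unless sysmon stops have a documented noise source. If the downgrade is deliberate, a sentence in `known_false_positives` (outside this hunk) saying why sysmon stops are noisier would make the asymmetry intentional rather than accidental; otherwise the two detections should move together.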
@@ -79,5 +79,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.004/linux_auditd_unix_shell_mod_config/linux_auditd_unix_shell_mod_config.log - source: /var/log/audit/audit.log - sourcetype: linux:audit + source: auditd + sourcetype: auditd diff --git a/detections/endpoint/linux_auditd_whoami_user_discovery.yml b/detections/endpoint/linux_auditd_whoami_user_discovery.yml index 275d9ac8f4..67d3f903b3 100644 --- a/detections/endpoint/linux_auditd_whoami_user_discovery.yml +++ b/detections/endpoint/linux_auditd_whoami_user_discovery.yml @@ -1,7 +1,7 @@ name: Linux Auditd Whoami User Discovery id: d1ff2e22-310d-446a-80b3-faedaa7b3b52 -version: 3 -date: '2024-11-13' +version: 4 +date: '2025-02-20' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -74,5 +74,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/linux_auditd_whoami/linux_auditd_whoami.log - source: /var/log/audit/audit.log - sourcetype: linux:audit + source: auditd + sourcetype: auditd From 37f16f59134ccb75ff2ed56966eca63412480385 Mon Sep 17 00:00:00 2001 
From: Teoderick Contreras Date: Thu, 20 Feb 2025 17:25:44 +0100 Subject: [PATCH 08/30] auditd_detection_updates --- .../linux_auditd_dd_file_overwrite.yml | 22 +++++++-------- ...ux_auditd_file_and_directory_discovery.yml | 18 ++++++++----- ...file_permission_modification_via_chmod.yml | 24 ++++++++--------- ...le_permissions_modification_via_chattr.yml | 23 ++++++++-------- ...ind_credentials_from_password_managers.yml | 18 ++++++++----- ..._find_credentials_from_password_stores.yml | 24 ++++++++--------- .../linux_auditd_find_ssh_private_keys.yml | 24 ++++++++--------- ...linux_auditd_hardware_addition_swapoff.yml | 18 ++++++++----- ..._hidden_files_and_directories_creation.yml | 20 ++++++++------ ..._auditd_nopasswd_entry_in_sudoers_file.yml | 20 +++++++------- ...td_possible_access_to_credential_files.yml | 25 ++++++++--------- ...ux_auditd_preload_hijack_library_calls.yml | 22 +++++++-------- ...ivate_keys_and_certificate_enumeration.yml | 27 +++++++++---------- .../linux_auditd_service_restarted.yml | 24 ++++++++--------- .../endpoint/linux_auditd_service_started.yml | 24 ++++++++--------- ...inux_auditd_setuid_using_chmod_utility.yml | 24 ++++++++--------- ...nux_auditd_setuid_using_setcap_utility.yml | 25 ++++++++--------- .../linux_auditd_shred_overwrite_command.yml | 24 ++++++++--------- .../linux_auditd_sudo_or_su_execution.yml | 21 ++++++++------- ...inux_auditd_unload_module_via_modprobe.yml | 22 +++++++-------- ...tual_disk_file_and_directory_discovery.yml | 18 ++++++++----- 21 files changed, 237 insertions(+), 230 deletions(-) diff --git a/detections/endpoint/linux_auditd_dd_file_overwrite.yml b/detections/endpoint/linux_auditd_dd_file_overwrite.yml index a37c14e655..5724aacdc4 100644 --- a/detections/endpoint/linux_auditd_dd_file_overwrite.yml +++ b/detections/endpoint/linux_auditd_dd_file_overwrite.yml 
@@ -1,7 +1,7 @@ name: Linux Auditd Dd File Overwrite id: d1b74420-4cea-4752-a123-9b40dfcca49a -version: 3 -date: '2024-11-13' +version: 4 +date: '2025-02-20' author: Teoderick Contreras, Splunk status: production type: TTP @@ -14,11 +14,11 @@ description: The following analytic detects the use of the 'dd' command to overw causing significant operational disruptions. data_source: - Linux Auditd Proctitle -search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host - as dest | where LIKE(process_exec, "%dd %") AND LIKE(process_exec, "% of=%") | stats - count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter - dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| - `linux_auditd_dd_file_overwrite_filter`' +search: 'index=test proctitle = "*dd *" AND proctitle = "*of=*" AND proctitle = "*if=/dev/zero*" + | rename host as dest + | stats count min(_time) as firstTime max(_time) as lastTime by proctitle dest + | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` + |`linux_auditd_dd_file_overwrite_filter`' how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested @@ -48,7 +48,7 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: A [$process_exec$] event occurred on host - [$dest$]. + message: A [$proctitle$] event occurred on host - [$dest$]. risk_objects: - field: dest type: system 
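Review bot: The rewritten `+search:` hard-codes `index=test` in place of the `linux_auditd` macro that every other detection in this patch keeps, so once shipped this analytic only queries a test index and silently finds nothing in production; the first line should read `search: '`linux_auditd` proctitle = "*dd *" AND proctitle = "*of=*" ...`. The added `proctitle = "*if=/dev/zero*"` clause also narrows the detection relative to the removed version — `dd if=/dev/urandom of=/dev/sda` no longer matches — and neither the description nor the version bump records that; either drop it or widen it to `proctitle IN ("*if=/dev/zero*", "*if=/dev/urandom*", "*if=/dev/random*")`. The removed `linux_auditd_normalized_proctitle_process` macro presumably handled hex-encoded PROCTITLE values; if the new `auditd` sourcetype does not decode them, any dd invocation with arguments is hex and these wildcards never match — worth confirming against the new `auditd_proctitle_dd_overwrite.log` dataset.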
@@ -71,6 +71,6 @@ tests: - name: True Positive Test attack_data: - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/linux_auditd_dd_overwrite/linux_auditd_dd_overwrite.log - source: /var/log/audit/audit.log - sourcetype: linux:audit + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/linux_auditd_dd_overwrite/auditd_proctitle_dd_overwrite.log + source: auditd + sourcetype: auditd diff --git a/detections/endpoint/linux_auditd_file_and_directory_discovery.yml b/detections/endpoint/linux_auditd_file_and_directory_discovery.yml index f117d9113f..d42c84177e 100644 --- a/detections/endpoint/linux_auditd_file_and_directory_discovery.yml +++ b/detections/endpoint/linux_auditd_file_and_directory_discovery.yml 
@@ -1,14 +1,18 @@ name: Linux Auditd File And Directory Discovery id: 0bbfb79c-a755-49a5-a38a-1128d0a452f1 -version: 3 -date: '2025-01-15' +version: 4 +date: '2025-02-20' author: Teoderick Contreras, Splunk status: production type: Anomaly description: The following analytic detects suspicious file and directory discovery activities, which may indicate an attacker's effort to locate sensitive documents and files on a compromised system. This behavior often precedes data exfiltration, as adversaries seek to identify valuable or confidential information for theft. By identifying unusual or unauthorized attempts to browse or enumerate files and directories, this analytic helps security teams detect potential reconnaissance or preparatory actions by an attacker, enabling timely intervention to prevent data breaches or unauthorized access. data_source: - Linux Auditd Execve -search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | rename comm as process_name | rename exe as process | where (LIKE (process_exec, "%find%") OR LIKE (process_exec, "%grep%")) AND (LIKE (process_exec, "%.tif%") OR LIKE (process_exec, "%.tiff%") OR LIKE (process_exec, "%.gif%") OR LIKE (process_exec, "%.jpeg%")OR LIKE (process_exec, "%.jpg%")OR LIKE (process_exec, "%.jif%")OR LIKE (process_exec, "%.jfif%")OR LIKE (process_exec, "%.jp2%")OR LIKE (process_exec, "%.jpx%")OR LIKE (process_exec, "%.j2k%")OR LIKE (process_exec, "%.j2c%")OR LIKE (process_exec, "%.fpx%")OR LIKE (process_exec, "%.pcd%")OR LIKE (process_exec, "%.png%")OR LIKE (process_exec, "%.flv%") OR LIKE (process_exec, "%.pdf%")OR LIKE (process_exec, "%.mp4%")OR LIKE (process_exec, "%.mp3%")OR LIKE (process_exec, "%.gifv%")OR LIKE (process_exec, "%.avi%")OR LIKE (process_exec, "%.mov%")OR LIKE (process_exec, "%.mpeg%")OR LIKE (process_exec, "%.wav%")OR LIKE (process_exec, "%.doc%")OR LIKE (process_exec, "%.docx%")OR LIKE (process_exec, "%.xls%")OR LIKE (process_exec, "%.xlsx%")OR LIKE (process_exec, 
"%.svg%")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_file_and_directory_discovery_filter`' +search: '`linux_auditd` execve_command IN ("*grep*", "*find*") AND execve_command IN ("*.tif*", "*.tiff*", "*.gif*", "*.jpeg*", "*.jpg*", "*.jif*", "*.jfif*", "*.jp2*", "*.jpx*", "*.j2k*", "*.j2c*", "*.fpx*", "*.pcd*", "*.png*", "*.flv*", "*.pdf*", "*.mp4*", "*.mp3*", "*.gifv*", "*.avi*", "*.mov*", "*.mpeg*", "*.wav*", "*.doc*", "*.docx*", "*.xls*", "*.xlsx*", "*.svg*") + | rename host as dest + | stats count min(_time) as firstTime max(_time) as lastTime by argc execve_command dest + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `linux_auditd_file_and_directory_discovery_filter`' how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. references: 
@@ -24,7 +28,7 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: A [$process_exec$] event occurred on host - [$dest$] to discover files + message: A [$execve_command$] event occurred on host - [$dest$] to discover files and directories. risk_objects: - field: dest @@ -48,6 +52,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1083/linux_auditd_find_document/linux_auditd_find_document.log - source: /var/log/audit/audit.log - sourcetype: linux:audit + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1083/linux_auditd_find_document/auditd_execve_file_dir_discovery.log + source: auditd + sourcetype: auditd diff --git a/detections/endpoint/linux_auditd_file_permission_modification_via_chmod.yml b/detections/endpoint/linux_auditd_file_permission_modification_via_chmod.yml index 7ce6b582fc..27731bffd4 100644 --- a/detections/endpoint/linux_auditd_file_permission_modification_via_chmod.yml +++ b/detections/endpoint/linux_auditd_file_permission_modification_via_chmod.yml @@ -1,7 +1,7 @@ name: Linux Auditd File Permission Modification Via Chmod id: 5f1d2ea7-eec0-4790-8b24-6875312ad492 -version: 7 -date: '2025-02-10' +version: 8 +date: '2025-02-20' author: Teoderick Contreras, Splunk, Ivar Nygård status: production type: Anomaly 
@@ -15,12 +15,12 @@ description: The following analytic detects suspicious file permission modificat actions on the system. data_source: - Linux Auditd Proctitle -search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host - as dest | where LIKE(process_exec, "%chmod%") AND (LIKE(process_exec, "% 777 %") - OR LIKE(process_exec, "% 755 %") OR LIKE(process_exec, "%+%x%") OR LIKE(process_exec, - "% 754 %") OR LIKE(process_exec, "% 700 %")) | stats count min(_time) as firstTime - max(_time) as lastTime by process_exec proctitle dest | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)`| `linux_auditd_file_permission_modification_via_chmod_filter`' +search: '`linux_auditd` proctitle="*chmod*" AND proctitle IN ("* 777 *", "* 755 *", "*+*x*", "* 754 *") + | rename host as dest + | stats count min(_time) as firstTime max(_time) as lastTime by proctitle dest + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `linux_auditd_file_permission_modification_via_chmod_filter`' how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should @@ -49,7 +49,7 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: A $process_exec$ event occurred on host $dest$ to modify file permissions + message: A $proctitle$ event occurred on host $dest$ to modify file permissions using the "chmod" command. risk_objects: - field: dest 
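Review bot: The new `proctitle IN (...)` list on the `+search:` line drops `"* 700 *"`, which the removed `where` clause matched, so `chmod 700` executions stop alerting without the description or version note saying so; if unintended, `proctitle IN ("* 777 *", "* 755 *", "*+*x*", "* 754 *", "* 700 *")`. The `"*+*x*"` pattern (carried over from the old `%+%x%`) matches any command line with a `+` followed anywhere later by an `x`, including paths, not only `+x`/`u+x`; tightening it to `"*+x*"` or anchoring on the mode token would cut noise. As with the other proctitle searches in this patch, the hex-decoding macro is gone — presumably the `auditd` sourcetype delivers a decoded `proctitle`; confirm, since a chmod with arguments is hex-encoded in raw PROCTITLE records.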
@@ -77,6 +77,6 @@ tests: - name: True Positive Test attack_data: - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.002/linux_auditd_chmod_exec_attrib/linux_auditd_chmod_exec_attrib.log - source: /var/log/audit/audit.log - sourcetype: linux:audit + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.002/linux_auditd_chmod_exec_attrib/auditd_proctitle_chmod.log + source: auditd + sourcetype: auditd diff --git a/detections/endpoint/linux_auditd_file_permissions_modification_via_chattr.yml b/detections/endpoint/linux_auditd_file_permissions_modification_via_chattr.yml index de8a0c8bc8..2822124528 100644 --- a/detections/endpoint/linux_auditd_file_permissions_modification_via_chattr.yml +++ b/detections/endpoint/linux_auditd_file_permissions_modification_via_chattr.yml 
@@ -1,19 +1,18 @@ name: Linux Auditd File Permissions Modification Via Chattr id: f2d1110d-b01c-4a58-9975-90a9edeb083a -version: 4 -date: '2025-02-03' +version: 5 +date: '2025-02-20' author: Teoderick Contreras, Splunk status: production type: Anomaly description: The following analytic detects suspicious file permissions modifications using the chattr command, which may indicate an attacker attempting to manipulate file attributes to evade detection or prevent alteration. The chattr command can be used to make files immutable or restrict deletion, which can be leveraged to protect malicious files or disrupt system operations. By monitoring for unusual or unauthorized chattr usage, this analytic helps identify potential tampering with critical files, enabling security teams to quickly respond to and mitigate threats associated with unauthorized file attribute changes. data_source: - Linux Auditd Execve -search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host - as dest | rename comm as process_name | rename exe as process | where LIKE(process_exec, - "%chattr %") AND LIKE(process_exec, "% -i%") | stats count min(_time) as firstTime - max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter - dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| - `linux_auditd_file_permissions_modification_via_chattr_filter`' +search: '`linux_auditd` proctitle = "*chattr *" AND proctitle = "* -i*" + | rename host as dest + | stats count min(_time) as firstTime max(_time) as lastTime by proctitle dest + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + |`linux_auditd_file_permissions_modification_via_chattr_filter`' how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should 
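Review bot: `proctitle = "* -i*"` on the `+search:` line only matches removal of the immutable flag, while the description two lines above frames the threat as making files immutable (`chattr +i`), which this search never sees; `proctitle = "*chattr *" AND proctitle IN ("* -i*", "* +i*")` covers both the protect-a-malicious-file and unprotect-a-system-file cases. `data_source:` still says `- Linux Auditd Execve` although the search reads the `proctitle` field from PROCTITLE records; it should be `- Linux Auditd Proctitle`, as the dd and chmod detections in this patch declare. The removed normalization macro presumably decoded hex PROCTITLE values — confirm that the `auditd` sourcetype does this, or commands with arguments will not match these wildcards.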
@@ -42,7 +41,7 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: A [$process_exec$] event occurred on host - [$dest$] to modify file permissions + message: A [$proctitle$] event occurred on host - [$dest$] to modify file permissions using the "chattr" command. risk_objects: - field: dest @@ -67,6 +66,6 @@ tests: - name: True Positive Test attack_data: - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.002/linux_auditd_chattr_i/linux_auditd_chattr_i.log - source: /var/log/audit/audit.log - sourcetype: linux:audit + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.002/linux_auditd_chattr_i/auditd_proctitle_chattr.log + source: auditd + sourcetype: auditd diff --git a/detections/endpoint/linux_auditd_find_credentials_from_password_managers.yml b/detections/endpoint/linux_auditd_find_credentials_from_password_managers.yml index 91a4468484..6c9f6f4191 100644 --- a/detections/endpoint/linux_auditd_find_credentials_from_password_managers.yml +++ b/detections/endpoint/linux_auditd_find_credentials_from_password_managers.yml @@ -1,7 +1,7 @@ name: Linux Auditd Find Credentials From Password Managers id: 784241aa-85a5-4782-a503-d071bd3446f9 -version: 4 -date: '2025-02-03' +version: 5 +date: '2025-02-20' author: Teoderick Contreras, Splunk status: production type: TTP 
@@ -15,7 +15,11 @@ description: The following analytic detects suspicious attempts to find credenti further unauthorized access. data_source: - Linux Auditd Execve -search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | rename comm as process_name | rename exe as process | where (LIKE (process_exec, "%find%") OR LIKE (process_exec, "%grep%")) AND (LIKE (process_exec, "%.kdbx%") OR LIKE (process_exec, "%KeePass%") OR LIKE (process_exec, "%.enforced%") OR LIKE (process_exec, "%.lpdb%")OR LIKE (process_exec, "%.opvault%")OR LIKE (process_exec, "%.agilekeychain%")OR LIKE (process_exec, "%.dashlane%")OR LIKE (process_exec, "%.rfx%")OR LIKE (process_exec, "%passbolt%")OR LIKE (process_exec, "%.spdb%")OR LIKE (process_exec, "%StickyPassword%")OR LIKE (process_exec, "%.walletx%")OR LIKE (process_exec, "%enpass%")OR LIKE (process_exec, "%vault%")OR LIKE (process_exec, "%.kdb%")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_find_credentials_from_password_managers_filter`' +search: '`linux_auditd` execve_command IN ("*find*", "*grep*") AND execve_command IN ("*.kdbx*", "*KeePass*", "*.enforced*", "*.lpdb*", "*.opvault*", "*.agilekeychain*", "*.dashlane*", "*.rfx*", "*passbolt*", "*.spdb*", "*StickyPassword*", "*.walletx*", "*enpass*", "*vault*", "*.kdb*") + | rename host as dest + | stats count min(_time) as firstTime max(_time) as lastTime by argc execve_command dest + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `linux_auditd_find_credentials_from_password_managers_filter`' how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. 
These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. references: @@ -36,7 +40,7 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: A [$process_exec$] event occurred on host - [$dest$] to find credentials + message: A [$execve_command$] event occurred on host - [$dest$] to find credentials stored in password managers. risk_objects: - field: dest @@ -61,6 +65,6 @@ tests: - name: True Positive Test attack_data: - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1555.005/linux_auditd_find_password_db/linux_auditd_find_password_db.log - source: /var/log/audit/audit.log - sourcetype: linux:audit + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1555.005/linux_auditd_find_password_db/auditd_execve_pwd_mgr.log + source: auditd + sourcetype: auditd diff --git a/detections/endpoint/linux_auditd_find_credentials_from_password_stores.yml b/detections/endpoint/linux_auditd_find_credentials_from_password_stores.yml index 9ae67754ae..da4c8a6105 100644 --- a/detections/endpoint/linux_auditd_find_credentials_from_password_stores.yml +++ b/detections/endpoint/linux_auditd_find_credentials_from_password_stores.yml 
@@ -1,7 +1,7 @@ name: Linux Auditd Find Credentials From Password Stores id: 4de73044-9a1d-4a51-a1c2-85267d8dcab3 -version: 4 -date: '2025-02-10' +version: 5 +date: '2025-02-20' author: Teoderick Contreras, Splunk status: production type: TTP @@ -15,13 +15,11 @@ description: The following analytic detects suspicious attempts to find credenti data. data_source: - Linux Auditd Execve -search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as - dest | rename comm as process_name | rename exe as process | where (LIKE (process_exec, - "%find%") OR LIKE (process_exec, "%grep%")) AND (LIKE (process_exec, "%password%") - OR LIKE (process_exec, "%pass %") OR LIKE (process_exec, "%credential%")OR LIKE - (process_exec, "%creds%")) | stats count min(_time) as firstTime max(_time) as lastTime - by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| - `linux_auditd_find_credentials_from_password_stores_filter`' +search: '`linux_auditd` execve_command IN ("*setcap *") AND execve_command IN ("*cap_setuid+ep*", "*cap_setuid=ep*", "*cap_net_bind_service+p*", "*cap_net_raw+ep*", "*cap_dac_read_search+ep*") + | rename host as dest + | stats count min(_time) as firstTime max(_time) as lastTime by argc execve_command dest + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `linux_auditd_find_credentials_from_password_stores_filter`' how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should 
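Review bot: The new `+search:` body is capability-setting logic — `execve_command IN ("*setcap *") AND execve_command IN ("*cap_setuid+ep*", ...)` — not a credential search; it looks like a copy-paste from the setcap detection listed in this patch's diffstat. The file's name, its description (`detects suspicious attempts to find credenti...`), the rba message in the next hunk (`to find credentials`) and the new test dataset `auditd_execve_find_creds.log` all still describe find/grep for password material, so the analytic now detects something else entirely and its True Positive Test is unlikely to match that dataset. The removed predicate should be carried over in the new style: `execve_command IN ("*find*", "*grep*") AND execve_command IN ("*password*", "*pass *", "*credential*", "*creds*")`.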
@@ -51,7 +49,7 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: A [$process_exec$] event occurred on host - [$dest$] to find credentials + message: A [$execve_command$] event occurred on host - [$dest$] to find credentials stored in password managers. risk_objects: - field: dest @@ -76,6 +74,6 @@ tests: - name: True Positive Test attack_data: - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1555.005/linux_auditd_find_credentials/linux_auditd_find_credentials.log - source: /var/log/audit/audit.log - sourcetype: linux:audit + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1555.005/linux_auditd_find_credentials/auditd_execve_find_creds.log + source: auditd + sourcetype: auditd diff --git a/detections/endpoint/linux_auditd_find_ssh_private_keys.yml b/detections/endpoint/linux_auditd_find_ssh_private_keys.yml index 96e7d7d952..b45c028093 100644 --- a/detections/endpoint/linux_auditd_find_ssh_private_keys.yml +++ b/detections/endpoint/linux_auditd_find_ssh_private_keys.yml @@ -1,7 +1,7 @@ name: Linux Auditd Find Ssh Private Keys id: e2d2bd10-dcd1-4b2f-8a76-0198eab32ba5 -version: 4 -date: '2025-02-10' +version: 5 +date: '2025-02-20' author: Teoderick Contreras, Splunk status: production type: Anomaly 
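Review bot: The rewritten `+message:` line keeps the wording `to find credentials stored in password managers`, but this file is the password-stores detection (the password-managers detection has its own, identically worded message earlier in this patch), so risk events from the two analytics will be indistinguishable in RBA. While the line is being touched, `message: A [$execve_command$] event occurred on host - [$dest$] to find credentials stored in password stores.` keeps the two apart. Pre-existing, but the field rename already rewrites this line.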
@@ -15,13 +15,11 @@ description: The following analytic detects suspicious attempts to find SSH priv and potential breaches. data_source: - Linux Auditd Execve -search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as - dest | rename comm as process_name | rename exe as process | where (LIKE (process_exec, - "%find%") OR LIKE (process_exec, "%grep%")) AND (LIKE (process_exec, "%id_rsa%") - OR LIKE (process_exec, "%id_dsa%")OR LIKE (process_exec, "%.key%") OR LIKE (process_exec, - "%ssh_key%")OR LIKE (process_exec, "%authorized_keys%")) | stats count min(_time) - as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)`| `linux_auditd_find_ssh_private_keys_filter`' +search: '`linux_auditd` execve_command IN ("*find*", "*grep*") AND execve_command IN ("*id_rsa*", "*id_dsa*", "*.key*", "*ssh_key*", "*authorized_keys*") + | rename host as dest + | stats count min(_time) as firstTime max(_time) as lastTime by argc execve_command dest + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `linux_auditd_find_ssh_private_keys_filter`' how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should @@ -51,7 +49,7 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: A [$process_exec$] event occurred on host - [$dest$] to find SSH private + message: A [$execve_command$] event occurred on host - [$dest$] to find SSH private keys. risk_objects: - field: dest 
@@ -76,6 +74,6 @@ tests: - name: True Positive Test attack_data: - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.004/linux_auditd_find_ssh_files/linux_auditd_find_ssh_files.log - source: /var/log/audit/audit.log - sourcetype: linux:audit + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.004/linux_auditd_find_ssh_files/auditd_execve_find_ssh.log + source: auditd + sourcetype: auditd diff --git a/detections/endpoint/linux_auditd_hardware_addition_swapoff.yml b/detections/endpoint/linux_auditd_hardware_addition_swapoff.yml index 11a767918e..1ac67acba6 100644 --- a/detections/endpoint/linux_auditd_hardware_addition_swapoff.yml +++ b/detections/endpoint/linux_auditd_hardware_addition_swapoff.yml 
@@ -1,14 +1,18 @@ name: Linux Auditd Hardware Addition Swapoff id: 5728bb16-1a0b-4b66-bce2-0074ac839770 -version: 3 -date: '2025-01-16' +version: 4 +date: '2025-02-20' author: Teoderick Contreras, Splunk status: production type: Anomaly description: The following analytic detects the execution of the "swapoff" command, which disables the swapping of paging devices on a Linux system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This activity is significant because disabling swap can be a tactic used by malware, such as Awfulshred, to evade detection and hinder forensic analysis. If confirmed malicious, this action could allow an attacker to manipulate system memory management, potentially leading to data corruption, system instability, or evasion of memory-based detection mechanisms. data_source: - Linux Auditd Execve -search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host as dest | rename comm as process_name | rename exe as process | where LIKE(process_exec, "%swapoff %") AND LIKE(process_exec, "% -a%") | stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_hardware_addition_swapoff_filter`' +search: '`linux_auditd` proctitle = "*swapoff*" AND proctitle = "*-a*" + | rename host as dest + | stats count min(_time) as firstTime max(_time) as lastTime by proctitle dest + | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` + | `linux_auditd_hardware_addition_swapoff_filter`' how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. 
These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed known_false_positives: administrator may disable swapping of devices in a linux host. Filter is needed. references: @@ -23,7 +27,7 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: A [$process_exec$] event occurred on host - [$dest$] to disable the swapping + message: A [$proctitle$] event occurred on host - [$dest$] to disable the swapping of paging devices on a Linux system. risk_objects: - field: dest @@ -46,6 +50,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1200/linux_auditd_swapoff/linux_auditd_swapoff.log - source: /var/log/audit/audit.log - sourcetype: linux:audit + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1200/linux_auditd_swapoff/linux_auditd_swapoff2.log + source: auditd + sourcetype: auditd diff --git a/detections/endpoint/linux_auditd_hidden_files_and_directories_creation.yml b/detections/endpoint/linux_auditd_hidden_files_and_directories_creation.yml index 483150c621..f4e1c33498 100644 --- a/detections/endpoint/linux_auditd_hidden_files_and_directories_creation.yml +++ b/detections/endpoint/linux_auditd_hidden_files_and_directories_creation.yml 
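Review bot: The rewritten `search` keys on `proctitle`, but the `data_source` entry two lines above it still reads `- Linux Auditd Execve`; the other proctitle-based detections in this change (NOPASSWD, credential files, service restart) declare `- Linux Auditd Proctitle`, so either the data source or the field should change to match. Separately, `proctitle = "*-a*"` matches those two characters anywhere in the command line (any path or argument containing `-a`, not just the flag), losing the leading-space anchoring the old `% -a%` had; `proctitle IN ("* -a*", "*--all*")` preserves the intent and still catches the long form. The description carried as context in this hunk says the analytic "leverages data from Endpoint Detection and Response (EDR) agents", which no longer describes an auditd PROCTITLE source and should be reworded alongside the search.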
@@ -1,14 +1,18 @@ name: Linux Auditd Hidden Files And Directories Creation id: 555cc358-bf16-4e05-9b3a-0f89c73b7261 -version: 5 -date: '2025-02-03' +version: 6 +date: '2025-02-20' author: Teoderick Contreras, Splunk status: production -type: Anomaly +type: Hunting description: The following analytic detects suspicious creation of hidden files and directories, which may indicate an attacker's attempt to conceal malicious activities or unauthorized data. Hidden files and directories are often used to evade detection by security tools and administrators, providing a stealthy means for storing malware, logs, or sensitive information. By monitoring for unusual or unauthorized creation of hidden files and directories, this analytic helps identify potential attempts to hide or unauthorized creation of hidden files and directories, this analytic helps identify potential attempts to hide malicious operations, enabling security teams to uncover and address hidden threats effectively. data_source: - Linux Auditd Execve -search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | rename comm as process_name | rename exe as process | where (LIKE (process_exec,"%touch %") OR LIKE (process_exec,"%mkdir %")OR LIKE (process_exec,"%vim %") OR LIKE (process_exec,"%vi %") OR LIKE (process_exec,"%nano %")) AND (LIKE (process_exec,"% ./.%") OR LIKE (process_exec," .%")OR LIKE (process_exec," /.%")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_hidden_files_and_directories_creation_filter`' +search: '`linux_auditd` execve_command IN ("*touch *", "*mkdir *", "*vim *", "*vi *", "*nano *") AND execve_command IN ("* ./.*", "* .*", "*/.*") + | rename host as dest + | stats count min(_time) as firstTime max(_time) as lastTime by argc execve_command dest + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | 
`linux_auditd_hidden_files_and_directories_creation_filter`' how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. references: @@ -24,7 +28,7 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: A [$process_exec$] event occurred on host - [$dest$]. + message: A [$execve_command$] event occurred on host - [$dest$]. risk_objects: - field: dest type: system @@ -47,6 +51,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1083/linux_auditd_hidden_file/linux_auditd_hidden_file.log - source: /var/log/audit/audit.log - sourcetype: linux:audit + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1083/linux_auditd_hidden_file/auditd_execve_hidden_file.log + source: auditd + sourcetype: auditd diff --git a/detections/endpoint/linux_auditd_nopasswd_entry_in_sudoers_file.yml b/detections/endpoint/linux_auditd_nopasswd_entry_in_sudoers_file.yml index 2470ddfe8f..3e710c1678 100644 
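Review bot: The second leg `execve_command IN ("* ./.*", "* .*", "*/.*")` on the new `search` line is much looser than the clauses it replaces: `* .*` is satisfied by any argument beginning with `./` (`mkdir ./build`, `touch ./README`) and `*/.*` by any path that merely passes through a dot-directory (`vim ~/.config/app/settings`), neither of which creates a hidden entry, whereas the old `" .%"` / `" /.%"` forms were anchored to the start of the string. Requiring the dot to begin the final path component, e.g. appending `| regex execve_command="(^|\s|/)\.[^/\s.][^/\s]*(\s|$)"` after the macro, removes most of that noise; demoting the type to Hunting hides the problem rather than fixing it. `*vi *` already matches every `vim ` command line, so `*vim *` is redundant. The description kept as context in this hunk repeats the clause about identifying "potential attempts to hide … unauthorized creation of hidden files and directories" twice and reads as a paste error.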
--- a/detections/endpoint/linux_auditd_nopasswd_entry_in_sudoers_file.yml +++ b/detections/endpoint/linux_auditd_nopasswd_entry_in_sudoers_file.yml @@ -1,7 +1,7 @@ name: Linux Auditd Nopasswd Entry In Sudoers File id: 651df959-ad17-4b73-a323-90cb96d5fa1b version: 5 -date: '2025-02-10' +date: '2025-02-20' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -14,11 +14,11 @@ description: The following analytic detects the addition of NOPASSWD entries to and potential compromise of sensitive data and system integrity. data_source: - Linux Auditd Proctitle -search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host - as dest | where LIKE (process_exec, "%NOPASSWD%") | stats count min(_time) as firstTime - max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter - dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| - `linux_auditd_nopasswd_entry_in_sudoers_file_filter`' +search: '`linux_auditd` proctitle = "*NOPASSWD*" + | rename host as dest + | stats count min(_time) as firstTime max(_time) as lastTime by proctitle dest + | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` + | `linux_auditd_nopasswd_entry_in_sudoers_file_filter`' how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested @@ -48,7 +48,7 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: A [$process_exec$] event occurred on host - [$dest$] to add NOPASSWD entry + message: A [$proctitle$] event occurred on host - [$dest$] to add NOPASSWD entry in sudoers file. risk_objects: - field: dest 
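Review bot: Only `date` is bumped here while `version` stays at 5, yet the `search` and `rba.message` of this same file change in the hunks that follow; every sibling detection in this commit whose search was rewritten increments its version (e.g. Possible Access To Credential Files 5→6), so this should be `version: 6` for consumers that track content updates by version.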
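Review bot: `proctitle = "*NOPASSWD*"` only fires when the literal string is part of an exec'd command line (`sh -c 'echo … NOPASSWD:ALL >> /etc/sudoers'`, `sed -i … NOPASSWD …`); an edit through `visudo` or an interactive editor, a heredoc, `tee -a` fed by a shell-builtin `echo`, or a drop-in under `/etc/sudoers.d/` leaves no such proctitle, and because the kernel caps the audited proctitle at 128 bytes a padded command line escapes it as well. An audit watch such as `-w /etc/sudoers -p wa -k sudoers` and `-w /etc/sudoers.d/ -p wa -k sudoers` surfaces every write regardless of tool, so pairing this rule with a PATH/SYSCALL-based detection on that key, and saying so in `how_to_implement`, gives honest coverage. Note also that the Splunk field match is case-insensitive, unlike the old `LIKE`, so `nopasswd` in a path or comment now matches too.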
@@ -74,6 +74,6 @@ tests:
- name: True Positive Test
attack_data:
- data:
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_auditd_nopasswd/linux_auditd_nopasswd.log
- source: /var/log/audit/audit.log
- sourcetype: linux:audit
+ https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_auditd_nopasswd/linux_auditd_nopasswd2.log
+ source: auditd
+ sourcetype: auditd
diff --git a/detections/endpoint/linux_auditd_possible_access_to_credential_files.yml b/detections/endpoint/linux_auditd_possible_access_to_credential_files.yml
index 62158c07f3..86a75b995b 100644
--- a/detections/endpoint/linux_auditd_possible_access_to_credential_files.yml
+++ b/detections/endpoint/linux_auditd_possible_access_to_credential_files.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Possible Access To Credential Files
id: 0419cb7a-57ea-467b-974f-77c303dfe2a3
-version: 5
-date: '2025-02-10'
+version: 6
+date: '2025-02-20'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -14,13 +14,11 @@ description: The following analytic detects attempts to access or dump the conte offline cracking, leading to unauthorized access and potential system compromise. data_source: - Linux Auditd Proctitle -search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host - as dest | where (LIKE (process_exec, "%shadow%") OR LIKE (process_exec, "%passwd%")) - AND (LIKE (process_exec, "%cat %") OR LIKE (process_exec, "%nano %")OR LIKE (process_exec, - "%vim %") OR LIKE (process_exec, "%vi %")) | stats count min(_time) as firstTime - max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter - dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| - `linux_auditd_possible_access_to_credential_files_filter`' +search: '`linux_auditd` proctitle IN ("*shadow*", "*passwd*") AND proctitle IN ("*cat *", "*nano *", "*vim *", "*vi *") + | rename host as dest + | stats count min(_time) as firstTime max(_time) as lastTime by proctitle dest + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `linux_auditd_possible_access_to_credential_files_filter`' how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested @@ -50,7 +48,7 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: A [$process_exec$] event occurred on host - [$dest$] to access or dump + message: A [$proctitle$] event occurred on host - [$dest$] to access or dump the contents of /etc/passwd and /etc/shadow files. risk_objects: - field: dest 
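Review bot: The second leg `proctitle IN ("*cat *", "*nano *", "*vim *", "*vi *")` enumerates four readers, so `less /etc/shadow`, `head`, `tail`, `cp /etc/shadow /tmp/`, `strings`, `awk` or `python3 -c 'open("/etc/shadow")'` all pass silently, while `cat /etc/passwd` — a world-readable file read by countless scripts — fires on every host. Since the sensitive object is the file rather than the tool, an audit watch such as `-w /etc/shadow -p r -k shadow_read` (and `/etc/gshadow`) reported from the PATH/SYSCALL records catches any reader; if the proctitle form stays, at least extend the list with `"*less *", "*more *", "*head *", "*tail *", "*cp *", "*strings *"` and consider dropping `*passwd*` or moving it to a lower-severity rule. `*vi *` already covers `*vim *`, and the 128-byte cap on the audited proctitle means a long command line can push the file name past the matched text.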
@@ -75,7 +73,6 @@ tags:
tests:
- name: True Positive Test
attack_data:
- - data:
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.008/linux_auditd_access_credential/linux_auditd_access_credential.log
- source: /var/log/audit/audit.log
- sourcetype: linux:audit
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.008/linux_auditd_access_credential/auditd_proctitle_access_cred.log
+ source: auditd
+ sourcetype: auditd
diff --git a/detections/endpoint/linux_auditd_preload_hijack_library_calls.yml b/detections/endpoint/linux_auditd_preload_hijack_library_calls.yml
index 8eb1a95ce2..3325087aae 100644
--- a/detections/endpoint/linux_auditd_preload_hijack_library_calls.yml
+++ b/detections/endpoint/linux_auditd_preload_hijack_library_calls.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Preload Hijack Library Calls
id: 35c50572-a70b-452f-afa9-bebdf3c3ce36
-version: 5
-date: '2025-02-10'
+version: 6
+date: '2025-02-20'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -15,11 +15,11 @@ description: The following analytic detects the use of the LD_PRELOAD environmen access to the system. data_source: - Linux Auditd Execve -search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as - dest | rename comm as process_name | rename exe as process | where LIKE (process_exec, - "%LD_PRELOAD%")| stats count min(_time) as firstTime max(_time) as lastTime by argc - process_exec dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| - `linux_auditd_preload_hijack_library_calls_filter`' +search: '`linux_auditd` execve_command = "*LD_PRELOAD*" + | rename host as dest + | stats count min(_time) as firstTime max(_time) as lastTime by argc execve_command dest + | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` + | `linux_auditd_preload_hijack_library_calls_filter`' how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should @@ -48,7 +48,7 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: A [$process_exec$] event occurred on host - [$dest$] to hijack or hook + message: A [$execve_command$] event occurred on host - [$dest$] to hijack or hook library functions using the LD_PRELOAD environment variable. risk_objects: - field: dest @@ -74,6 +74,6 @@ tests: - name: True Positive Test attack_data: - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.006/linux_auditd_ldpreload/linux_auditd_ldpreload.log - source: /var/log/audit/audit.log - sourcetype: linux:audit + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.006/linux_auditd_ldpreload/auditd_execve_ldpreload.log + source: auditd + sourcetype: auditd 
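Review bot: `execve_command = "*LD_PRELOAD*"` only sees the variable when it is part of argv — `env LD_PRELOAD=… cmd` or `sh -c "LD_PRELOAD=… cmd"`; the usual interactive form `LD_PRELOAD=/tmp/x.so ls` is an environment assignment the shell applies before execve, so the EXECVE record carries only `ls` and nothing matches, and in the `sh -c` form the argument contains spaces and is hex-encoded by auditd, so the wildcard hits only if the `auditd` sourcetype decodes a0..aN at search time. The persistence variant — writing `/etc/ld.so.preload` — never appears on a command line unless it is echoed through a non-interactive shell; an audit watch `-w /etc/ld.so.preload -p wa -k ld_preload` with a PATH-record detection covers both gaps. Stating these limits in `how_to_implement` keeps the TTP-level risk score from being read as full coverage of T1574.006.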
diff --git a/detections/endpoint/linux_auditd_private_keys_and_certificate_enumeration.yml b/detections/endpoint/linux_auditd_private_keys_and_certificate_enumeration.yml
index 3734df8760..2b1d09f51d 100644
--- a/detections/endpoint/linux_auditd_private_keys_and_certificate_enumeration.yml
+++ b/detections/endpoint/linux_auditd_private_keys_and_certificate_enumeration.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Private Keys and Certificate Enumeration
id: 892eb674-3344-4143-8e52-4775b1daf3f1
-version: 2
-date: '2025-02-10'
+version: 3
+date: '2025-02-20'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -15,15 +15,12 @@ description: The following analytic detects suspicious attempts to find private of encrypted information. data_source: - Linux Auditd Execve -search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as - dest | rename comm as process_name | rename exe as process | where (LIKE (process_exec, - "%find%") OR LIKE (process_exec, "%grep%")) AND (LIKE (process_exec, "%.pem%") OR - LIKE (process_exec, "%.cer%") OR LIKE (process_exec, "%.crt%") OR LIKE (process_exec, - "%.pgp%") OR LIKE (process_exec, "%.key%") OR LIKE (process_exec, "%.gpg%")OR LIKE - (process_exec, "%.ppk%") OR LIKE (process_exec, "%.p12%") OR LIKE (process_exec, - "%.pfx%")OR LIKE (process_exec, "%.p7b%")) | stats count min(_time) as firstTime - max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)`| `linux_auditd_private_keys_and_certificate_enumeration_filter`' +search: '`linux_auditd` execve_command IN ("*find*", "*grep*") + AND execve_command IN ("*.pem*", "*.cer*", "*.crt*", "*.pgp*", "*.key*", "*.gpg*", "*.ppk*", "*.p12*", "*.pfx*", "*.p7b*") + | rename host as dest + | stats count min(_time) as firstTime max(_time) as lastTime by argc execve_command dest + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `linux_auditd_private_keys_and_certificate_enumeration_filter`' how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should @@ -53,7 +50,7 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: A [$process_exec$] event occurred on host - [$dest$] to find private keys. + message: A [$execve_command$] event occurred on host - [$dest$] to find private keys. risk_objects: - field: dest type: system 
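Review bot: `*.key*` on the second `IN` leg is also in the Find SSH Private Keys search rewritten in this same commit, so one `find / -name "*.key"` yields two risk events against the same `dest` and inflates its score; either drop `*.key*` from one of the two or record the intentional overlap in the description. The first leg `execve_command IN ("*find*", "*grep*")` is unanchored, so `findmnt`, or `grep` passed as an argument to another tool, satisfies it; `execve_command IN ("find *", "*/find *", "grep *", "*/grep *")` pins the utility to argv[0] while keeping the intent.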
@@ -77,6 +74,6 @@ tests:
- name: True Positive Test
attack_data:
- data:
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.004/linux_auditd_find_gpg/linux_auditd_find_gpg.log
- source: /var/log/audit/audit.log
- sourcetype: linux:audit
+ https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.004/linux_auditd_find_gpg/auditd_execve_find_gpg.log
+ source: auditd
+ sourcetype: auditd
diff --git a/detections/endpoint/linux_auditd_service_restarted.yml b/detections/endpoint/linux_auditd_service_restarted.yml
index 63fbdd633c..b8a415e327 100644
--- a/detections/endpoint/linux_auditd_service_restarted.yml
+++ b/detections/endpoint/linux_auditd_service_restarted.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Service Restarted
id: 8eb3e858-18d3-44a4-a514-52cfa39f154a
-version: 4
-date: '2025-02-10'
+version: 5
+date: '2025-02-20'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -14,12 +14,12 @@ description: The following analytic detects the restarting or re-enabling of ser should investigate these events to mitigate risks and prevent further compromise. data_source: - Linux Auditd Proctitle -search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host - as dest | where (LIKE(process_exec, "%systemctl %") OR LIKE(process_exec, "%service - %") ) AND(LIKE(process_exec, "%restart%") OR LIKE(process_exec, "%reenable%") OR - LIKE(process_exec, "%reload%")) | stats count min(_time) as firstTime max(_time) - as lastTime by process_exec proctitle normalized_proctitle_delimiter dest | `security_content_ctime(firstTime)`| - `security_content_ctime(lastTime)`| `linux_auditd_service_restarted_filter`' +search: '`linux_auditd` proctitle IN ("*systemctl *", "*service *") AND proctitle IN ("*restart*", "*reenable*", "*reload*") + | rename host as dest + | stats count min(_time) as firstTime max(_time) as lastTime by proctitle dest + | `security_content_ctime(firstTime)` + |`security_content_ctime(lastTime)` + | `linux_auditd_service_restarted_filter`' how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested @@ -48,7 +48,7 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: A [$process_exec$] event occurred on host - [$dest$] to restart or re-enable + message: A [$proctitle$] event occurred on host - [$dest$] to restart or re-enable a service. risk_objects: - field: dest 
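Review bot: `proctitle IN ("*restart*", "*reenable*", "*reload*")` on the new `search` line also matches `systemctl daemon-reload`, which every package post-install script and unit-file edit runs, so this Anomaly will raise a risk event on routine maintenance of every host; appending `NOT proctitle="*daemon-reload*"` (or requiring `"* reload *"` with surrounding spaces) keeps the genuine service reloads. The `*service *` pattern likewise matches `systemctl list-units --type=service …` whenever another token happens to contain `reload`, so anchoring the utility to argv[0] (`proctitle IN ("systemctl *", "*/systemctl *", "service *", "*/service *")`) is a cheap precision gain.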
@@ -77,6 +77,6 @@ tests:
- name: True Positive Test
attack_data:
- data:
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.006/linux_services_restart/linux_services_restart.log
- source: /var/log/audit/audit.log
- sourcetype: linux:audit
+ https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.006/linux_services_restart/auditd_proctitle_service_restart.log
+ source: auditd
+ sourcetype: auditd
diff --git a/detections/endpoint/linux_auditd_service_started.yml b/detections/endpoint/linux_auditd_service_started.yml
index d157eebc41..565e6af26b 100644
--- a/detections/endpoint/linux_auditd_service_started.yml
+++ b/detections/endpoint/linux_auditd_service_started.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Service Started
id: b5eed06d-5c97-4092-a3a1-fa4b7e77c71a
-version: 4
-date: '2025-02-03'
+version: 5
+date: '2025-02-20'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -14,12 +14,12 @@ description: The following analytic detects the suspicious service started. This prevent potential security incidents. data_source: - Linux Auditd Proctitle -search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host - as dest | where (LIKE(process_exec, "%systemctl %") OR LIKE(process_exec, "%service - %") ) AND(LIKE(process_exec, "% start %") OR LIKE(process_exec, "% enable %")) | - stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle - normalized_proctitle_delimiter dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| - `linux_auditd_service_started_filter`' +search: '`linux_auditd` proctitle IN ("*systemctl *", "*service *") AND proctitle IN ("*start*", "*enable*") + | rename host as dest + | stats count min(_time) as firstTime max(_time) as lastTime by proctitle dest + | `security_content_ctime(firstTime)` + |`security_content_ctime(lastTime)` + | `linux_auditd_service_started_filter`' how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested @@ -48,7 +48,7 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: A [$process_exec$] event occurred on host - [$dest$] to start or enable + message: A [$proctitle$] event occurred on host - [$dest$] to start or enable a service. risk_objects: - field: dest 
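Review bot: The rewrite changes `"% start %"` / `"% enable %"` into `"*start*"` / `"*enable*"`, dropping the space anchoring, so `systemctl restart sshd` and `systemctl reenable foo` now satisfy this detection as well as the Service Restarted one in this same commit — every restart produces two risk events for the same `dest`. `proctitle IN ("* start *", "* start", "* enable *", "* enable")` restores the word boundary and, unlike the old form, also catches `service sshd start` where the verb is the last token.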
@@ -73,6 +73,6 @@ tests:
- name: True Positive Test
attack_data:
- data:
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1569.002/linux_service_start/linux_service_start.log
- source: /var/log/audit/audit.log
- sourcetype: linux:audit
+ https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1569.002/linux_service_start/auditd_proctitle_service_start.log
+ source: auditd
+ sourcetype: auditd
diff --git a/detections/endpoint/linux_auditd_setuid_using_chmod_utility.yml b/detections/endpoint/linux_auditd_setuid_using_chmod_utility.yml
index db1157d54e..ecce194753 100644
--- a/detections/endpoint/linux_auditd_setuid_using_chmod_utility.yml
+++ b/detections/endpoint/linux_auditd_setuid_using_chmod_utility.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Setuid Using Chmod Utility
id: 8230c407-1b47-4d95-ac2e-718bd6381386
-version: 4
-date: '2025-02-10'
+version: 5
+date: '2025-02-20'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -14,12 +14,12 @@ description: The following analytic detects the execution of the chmod utility t compromising sensitive data or critical system functions. data_source: - Linux Auditd Proctitle -search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host - as dest | where LIKE (process_exec, "%chmod %") AND (LIKE (process_exec, "% u+s - %") OR LIKE (process_exec, "% g+s %") OR LIKE (process_exec, "% 4777 %") OR LIKE - (process_exec, "% 4577 %")) | stats count min(_time) as firstTime max(_time) as - lastTime by process_exec proctitle normalized_proctitle_delimiter dest | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)`| `linux_auditd_setuid_using_chmod_utility_filter`' +search: '`linux_auditd` proctitle IN ("*chmod *") AND proctitle IN ("* u+s *", "* g+s *", "* 4777 *", "* 4577 *") + | rename host as dest + | stats count min(_time) as firstTime max(_time) as lastTime by proctitle dest + | `security_content_ctime(firstTime)` + |`security_content_ctime(lastTime)` + | `linux_auditd_setuid_using_chmod_utility_filter`' how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested @@ -48,7 +48,7 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: A [$process_exec$] event occurred on host - [$dest$] to set the SUID or + message: A [$proctitle$] event occurred on host - [$dest$] to set the SUID or SGID bit on files using the chmod utility. risk_objects: - field: dest 
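Review bot: `proctitle IN ("* u+s *", "* g+s *", "* 4777 *", "* 4577 *")` enumerates four spellings of a setuid/setgid change, so `chmod 4755`, `chmod 6755`, `chmod 2755`, `chmod +s`, `chmod a+s`, `chmod u=rwxs` and `chmod -R u+s dir` (where `u+s` is not followed by the file name directly) are all missed, which for a privilege-escalation rule is the wrong direction. Any numeric mode whose leading digit is 2–7 carries the setuid or setgid bit, and any symbolic mode with `+`/`=` and an `s`, so a regex captures the whole family: `proctitle="*chmod *" | regex proctitle="chmod\s+(?:-\S+\s+)*(?:[ugoa]*[+=][rwxXt]*s|[2-7][0-7]{3})(?:[\s,]|$)"`. The 128-byte cap on the audited proctitle still applies, so a padded command line escapes the proctitle form entirely; a SYSCALL rule on `chmod`/`fchmod`/`fchmodat` with `-k perm_mod` is the robust companion.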
@@ -73,6 +73,6 @@ tests:
- name: True Positive Test
attack_data:
- data:
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.001/linux_auditd_setuid/linux_auditd_setuid.log
- source: /var/log/audit/audit.log
- sourcetype: linux:audit
+ https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.001/linux_auditd_setuid/auditd_proctitle_setuid.log
+ source: auditd
+ sourcetype: auditd
diff --git a/detections/endpoint/linux_auditd_setuid_using_setcap_utility.yml b/detections/endpoint/linux_auditd_setuid_using_setcap_utility.yml
index 08a69f6ca0..fe932449ad 100644
--- a/detections/endpoint/linux_auditd_setuid_using_setcap_utility.yml
+++ b/detections/endpoint/linux_auditd_setuid_using_setcap_utility.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Setuid Using Setcap Utility
id: 1474459a-302b-4255-8add-d82f96d14cd9
-version: 4
-date: '2025-02-10'
+version: 5
+date: '2025-02-20'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -14,14 +14,11 @@ description: The following analytic detects the execution of the 'setcap' utilit commands with elevated permissions, and potentially compromise the entire system. data_source: - Linux Auditd Execve -search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as - dest | rename comm as process_name | rename exe as process | where LIKE (process_exec, - "%setcap %") AND (LIKE (process_exec, "% cap_setuid+ep %") OR LIKE (process_exec, - "% cap_setuid=ep %") OR LIKE (process_exec, "% cap_net_bind_service+p %") OR LIKE - (process_exec, "% cap_net_raw+ep %") OR LIKE (process_exec, "% cap_dac_read_search+ep - %")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec - dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| - `linux_auditd_setuid_using_setcap_utility_filter`' +search: '`linux_auditd` execve_command IN ("*setcap *") AND execve_command IN ("*cap_setuid+ep*", "*cap_setuid=ep*", "*cap_net_bind_service+p*", "*cap_net_raw+ep*", "*cap_dac_read_search+ep*") + | rename host as dest + | stats count min(_time) as firstTime max(_time) as lastTime by argc execve_command dest + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `linux_auditd_setuid_using_setcap_utility_filter`' how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should @@ -50,7 +47,7 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: A [$process_exec$] event occurred on host - [$dest$] to set the SUID or + message: A [$execve_command$] event occurred on host - [$dest$] to set the SUID or SGID bit on files using the setcap utility. risk_objects: - field: dest 
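Review bot: The second `IN` leg only knows five exact capability strings (`cap_setuid+ep`, `cap_setuid=ep`, `cap_net_bind_service+p`, `cap_net_raw+ep`, `cap_dac_read_search+ep`), so `setcap cap_setuid+eip`, `cap_setuid=eip`, `cap_setgid+ep`, `cap_sys_admin+ep`, `cap_sys_ptrace+ep`, `cap_dac_override+ep`, `cap_sys_module+ep` or `all=ep` — every one of them a root-equivalent grant — pass this TTP-level rule silently. Matching on the capability name rather than the flag spelling is both broader and simpler: `execve_command="*setcap *" AND execve_command IN ("*cap_setuid*", "*cap_setgid*", "*cap_sys_admin*", "*cap_sys_ptrace*", "*cap_sys_module*", "*cap_dac_override*", "*cap_dac_read_search*", "*cap_chown*", "*cap_fowner*", "*cap_net_raw*", "*cap_net_bind_service*", "*all=*")`. Anchoring `setcap` to argv[0] (`execve_command IN ("setcap *", "*/setcap *")`) avoids firing on, e.g., `grep setcap …` in a script.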
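Review bot: The new `rba.message` still says the event was "to set the SUID or SGID bit on files using the setcap utility", which is inaccurate — `setcap` writes file capabilities (the `security.capability` xattr), not mode bits, and an analyst triaging the risk event will look for the wrong artefact. `message: A [$execve_command$] event occurred on host - [$dest$] that granted file capabilities with the setcap utility.` describes what the search actually matched.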
@@ -74,6 +71,6 @@ tests:
- name: True Positive Test
attack_data:
- data:
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.001/linux_auditd_setuid/linux_auditd_setcap_priv.log
- source: /var/log/audit/audit.log
- sourcetype: linux:audit
+ https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.001/linux_auditd_setuid/auditd_execve_setcap.log
+ source: auditd
+ sourcetype: auditd
diff --git a/detections/endpoint/linux_auditd_shred_overwrite_command.yml b/detections/endpoint/linux_auditd_shred_overwrite_command.yml
index 6d09005763..f7645e02b4 100644
--- a/detections/endpoint/linux_auditd_shred_overwrite_command.yml
+++ b/detections/endpoint/linux_auditd_shred_overwrite_command.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Shred Overwrite Command
id: ce2bde4d-a1d4-4452-8c87-98440e5adfb3
-version: 3
-date: '2024-11-13'
+version: 4
+date: '2025-02-20'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -14,12 +14,12 @@ description: The following analytic detects the execution of the 'shred' command critical files, severely impacting system integrity and data availability. data_source: - Linux Auditd Proctitle -search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host - as dest | where LIKE (process_exec, "%shred%") AND (LIKE (process_exec, "%-n%") - OR LIKE (process_exec, "%-z%") OR LIKE (process_exec, "%-u%") OR LIKE (process_exec, - "%-s%")) | stats count min(_time) as firstTime max(_time) as lastTime by process_exec - proctitle normalized_proctitle_delimiter dest | `security_content_ctime(firstTime)`| - `security_content_ctime(lastTime)`| `linux_auditd_shred_overwrite_command_filter`' +search: '`linux_auditd` proctitle IN ("*shred*") AND proctitle IN ("*-n*", "*-z*", "*-u*", "*-s*") + | rename host as dest + | stats count min(_time) as firstTime max(_time) as lastTime by proctitle dest + | `security_content_ctime(firstTime)` + |`security_content_ctime(lastTime)` + | `linux_auditd_shred_overwrite_command_filter`' how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested @@ -49,7 +49,7 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: A [$process_exec$] event occurred on host - [$dest$] to overwrite files + message: A [$proctitle$] event occurred on host - [$dest$] to overwrite files using the shred utility. risk_objects: - field: dest 
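Review bot: The second leg `proctitle IN ("*-n*", "*-z*", "*-u*", "*-s*")` only reduces coverage: `shred` with no options still performs its default three overwrite passes, so `shred /dev/sda1`, `shred secrets.db` or `shred --remove --iterations=5 file` destroy data without matching, while `*-n*`/`*-s*` are satisfied by almost any `-` flag or hyphenated file name. For a TTP-level rule, anchoring on the binary alone — `proctitle IN ("shred *", "*/shred *")` — and leaving the option analysis to triage is more defensible; if a flag leg is kept it needs at least `"*--remove*", "*--zero*", "*--iterations*", "*--size*"` and `"* /dev/*"`. The audited proctitle is capped at 128 bytes, so a long target list can also push the flags out of view.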
@@ -76,6 +76,6 @@ tests:
- name: True Positive Test
attack_data:
- data:
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/linux_auditd_shred/linux_auditd_shred.log
- source: /var/log/audit/audit.log
- sourcetype: linux:audit
+ https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/linux_auditd_shred/auditd_proctitle_shred.log
+ source: auditd
+ sourcetype: auditd
diff --git a/detections/endpoint/linux_auditd_sudo_or_su_execution.yml b/detections/endpoint/linux_auditd_sudo_or_su_execution.yml
index ebf46c26c5..eb3dd844c8 100644
--- a/detections/endpoint/linux_auditd_sudo_or_su_execution.yml
+++ b/detections/endpoint/linux_auditd_sudo_or_su_execution.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Sudo Or Su Execution
id: 817a5c89-5b92-4818-a22d-aa35e1361afe
-version: 4
-date: '2025-02-10'
+version: 5
+date: '2025-02-20'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -14,11 +14,12 @@ description: The following analytic detects the execution of the "sudo" or "su" to severe security breaches, data exfiltration, or further system compromise. data_source: - Linux Auditd Proctitle -search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host - as dest | where LIKE(process_exec, "%sudo %") OR LIKE(process_exec, "%su %") | stats - count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter - dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| - `linux_auditd_sudo_or_su_execution_filter`' +search: '`linux_auditd` proctitle IN ("*sudo *", "*su *") + | rename host as dest + | stats count min(_time) as firstTime max(_time) as lastTime by proctitle dest + | `security_content_ctime(firstTime)` + |`security_content_ctime(lastTime)` + | `linux_auditd_sudo_or_su_execution_filter`' how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should @@ -71,6 +72,6 @@ tests: - name: True Positive Test attack_data: - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_auditd_sudo_su/linux_auditd_sudo_su.log - source: /var/log/audit/audit.log - sourcetype: linux:audit + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_auditd_sudo_su/auditd_proctitle_sudo.log + source: auditd + sourcetype: auditd diff --git a/detections/endpoint/linux_auditd_unload_module_via_modprobe.yml b/detections/endpoint/linux_auditd_unload_module_via_modprobe.yml index cdd0c0c95c..3644a846ed 100644 --- a/detections/endpoint/linux_auditd_unload_module_via_modprobe.yml +++ b/detections/endpoint/linux_auditd_unload_module_via_modprobe.yml 
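Review bot: `proctitle IN ("*sudo *", "*su *")` is an unanchored substring match, so `"*su *"` also fires on any argument that merely ends in `su`, e.g. `ls /home/hsu /tmp` or a path under a `...su` directory, which is noise for an `Anomaly` that emits risk on every hit. Anchoring the binary name to the start of the command line or a path separator is tighter: `proctitle IN ("sudo *", "*/sudo *", "su *", "*/su *")`. As with the other proctitle-based searches, this presumes the stored `proctitle` is plain text rather than the hex form auditd writes for multi-argument command lines; confirm that the `auditd` sourcetype decodes it. The `how_to_implement` value continues beyond the hunk.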
@@ -1,7 +1,7 @@ name: Linux Auditd Unload Module Via Modprobe id: 90964d6a-4b5f-409a-85bd-95e261e03fe9 -version: 4 -date: '2025-02-10' +version: 5 +date: '2025-02-20' author: Teoderick Contreras, Splunk status: production type: TTP @@ -15,11 +15,11 @@ description: The following analytic detects suspicious use of the `modprobe` com address possible threats to system integrity. data_source: - Linux Auditd Execve -search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as - dest | rename comm as process_name | rename exe as process | where LIKE (process_exec, - "%modprobe%") AND LIKE (process_exec, "%-r %") | stats count min(_time) as firstTime - max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)`| - `security_content_ctime(lastTime)`| `linux_auditd_unload_module_via_modprobe_filter`' +search: '`linux_auditd` execve_command = "*modprobe*" AND execve_command = "*-r *" + | rename host as dest + | stats count min(_time) as firstTime max(_time) as lastTime by argc execve_command dest + | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` + | `linux_auditd_unload_module_via_modprobe_filter`' how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should @@ -48,7 +48,7 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: A [$process_exec$] event occurred on host - [$dest$] to unload a kernel + message: A [$execve_command$] event occurred on host - [$dest$] to unload a kernel module via the modprobe command. risk_objects: - field: dest 
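Review bot: In the `@@ -15,11` hunk, `execve_command = "*-r *"` only catches the short flag; `modprobe --remove <module>` is the documented long form of `-r` and `rmmod <module>` unloads a module directly, and both pass this search untouched. Widen the second clause to `execve_command IN ("*-r *", "*--remove *")` and either add `"*rmmod *"` to the first clause or cover it in a sibling detection. The `@@ -1` and `@@ -48` hunks are a version bump and a message-field rename; the `how_to_implement` value continues beyond the hunk.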
@@ -73,6 +73,6 @@ tests: - name: True Positive Test attack_data: - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/linux_auditd_modprobe_unload_module/linux_auditd_modprobe_unload_module.log - source: /var/log/audit/audit.log - sourcetype: linux:audit + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/linux_auditd_modprobe_unload_module/auditd_execve_modprobe.log + source: auditd + sourcetype: auditd diff --git a/detections/endpoint/linux_auditd_virtual_disk_file_and_directory_discovery.yml b/detections/endpoint/linux_auditd_virtual_disk_file_and_directory_discovery.yml index 59da2a56d4..46bc0e5678 100644 --- a/detections/endpoint/linux_auditd_virtual_disk_file_and_directory_discovery.yml +++ b/detections/endpoint/linux_auditd_virtual_disk_file_and_directory_discovery.yml 
@@ -1,14 +1,18 @@ name: Linux Auditd Virtual Disk File And Directory Discovery id: eec78cef-d4c8-4b35-8f5b-6922102a4a41 -version: 4 -date: '2025-01-16' +version: 5 +date: '2025-02-20' author: Teoderick Contreras, Splunk status: production type: Anomaly description: The following analytic detects suspicious discovery of virtual disk files and directories, which may indicate an attacker's attempt to locate and access virtualized storage environments. Virtual disks can contain sensitive data or critical system configurations, and unauthorized discovery attempts could signify preparatory actions for data exfiltration or further compromise. By monitoring for unusual or unauthorized searches for virtual disk files and directories, this analytic helps identify potential reconnaissance activities, enabling security teams to respond promptly and safeguard against unauthorized access and data breaches. data_source: - Linux Auditd Execve -search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | rename comm as process_name | rename exe as process | where (LIKE (process_exec, "%find%") OR LIKE (process_exec, "%grep%")) AND (LIKE (process_exec, "%.vhd%") OR LIKE (process_exec, "%.vhdx%") OR LIKE (process_exec, "%.vmdk%")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_virtual_disk_file_and_directory_discovery_filter`' +search: '`linux_auditd` execve_command IN ("*find*", "*grep*") AND execve_command IN ("*.vhd*", "*.vhdx*", "*.vmdk*") + | rename host as dest + | stats count min(_time) as firstTime max(_time) as lastTime by argc execve_command dest + | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` + | `linux_auditd_virtual_disk_file_and_directory_discovery_filter`' how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE 
and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. references: @@ -24,7 +28,7 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: A [$process_exec$] event occurred on host - [$dest$] to discover virtual + message: A [$execve_command$] event occurred on host - [$dest$] to discover virtual disk files and directories. risk_objects: - field: dest @@ -48,6 +52,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1083/linux_auditd_find_virtual_disk/linux_auditd_find_virtual_disk.log - source: /var/log/audit/audit.log - sourcetype: linux:audit + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1083/linux_auditd_find_virtual_disk/auditd_execve_find_vhd.log + source: auditd + sourcetype: auditd From 75b2d7110226efbf6646868d23e03a9527f51296 Mon Sep 17 00:00:00 2001 From: Teoderick Contreras Date: Thu, 20 Feb 2025 17:29:28 +0100 Subject: [PATCH 09/30] auditd_detection_updates --- detections/endpoint/linux_auditd_sudo_or_su_execution.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
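Review bot: The extension clause `execve_command IN ("*.vhd*", "*.vhdx*", "*.vmdk*")` in the `@@ -1,14 +1,18 @@` hunk (which starts on the previous line) covers only Hyper-V and VMware formats, while on a Linux host the QEMU/KVM `.qcow2` and VirtualBox `.vdi` images are at least as likely targets; `"*.vhdx*"` is also redundant because `"*.vhd*"` already matches it. Suggest `execve_command IN ("*.vhd*", "*.vmdk*", "*.qcow2*", "*.vdi*")` (`.img` is probably too generic to add without a filter). The `@@ -24` and `@@ -48` hunks here only rename the message field and repoint the test dataset.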
diff --git a/detections/endpoint/linux_auditd_sudo_or_su_execution.yml b/detections/endpoint/linux_auditd_sudo_or_su_execution.yml index eb3dd844c8..dfe3d02727 100644 --- a/detections/endpoint/linux_auditd_sudo_or_su_execution.yml +++ b/detections/endpoint/linux_auditd_sudo_or_su_execution.yml @@ -48,7 +48,7 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: A [$process_exec$] event occurred on host - [$dest$] to execute the sudo + message: A [$proctitle$] event occurred on host - [$dest$] to execute the sudo or su command. risk_objects: - field: dest From baaab64bce251d0d059856b52882e8f2c5eff377 Mon Sep 17 00:00:00 2001 From: Teoderick Contreras Date: Thu, 20 Feb 2025 17:39:09 +0100 Subject: [PATCH 10/30] auditd_detection_updates --- .../linux_auditd_hidden_files_and_directories_creation.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/detections/endpoint/linux_auditd_hidden_files_and_directories_creation.yml b/detections/endpoint/linux_auditd_hidden_files_and_directories_creation.yml index f4e1c33498..f7ef3823d6 100644 --- a/detections/endpoint/linux_auditd_hidden_files_and_directories_creation.yml +++ b/detections/endpoint/linux_auditd_hidden_files_and_directories_creation.yml 
@@ -4,7 +4,7 @@ version: 6 date: '2025-02-20' author: Teoderick Contreras, Splunk status: production -type: Hunting +type: Anomaly description: The following analytic detects suspicious creation of hidden files and directories, which may indicate an attacker's attempt to conceal malicious activities or unauthorized data. Hidden files and directories are often used to evade detection by security tools and administrators, providing a stealthy means for storing malware, logs, or sensitive information. By monitoring for unusual or unauthorized creation of hidden files and directories, this analytic helps identify potential attempts to hide or unauthorized creation of hidden files and directories, this analytic helps identify potential attempts to hide malicious operations, enabling security teams to uncover and address hidden threats effectively. data_source: - Linux Auditd Execve @@ -32,7 +32,7 @@ rba: risk_objects: - field: dest type: system - score: 30 + score: 9 threat_objects: [] tags: analytic_story: From ff28372b71d8af68259fa43f37760990c4c5bb0f Mon Sep 17 00:00:00 2001 From: Teoderick Contreras Date: Thu, 20 Feb 2025 17:43:44 +0100 Subject: [PATCH 11/30] auditd_detection_updates --- .../endpoint/linux_auditd_add_user_account_type.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/detections/endpoint/linux_auditd_add_user_account_type.yml b/detections/endpoint/linux_auditd_add_user_account_type.yml index 7bf00799da..d6e2e2343b 100644 --- a/detections/endpoint/linux_auditd_add_user_account_type.yml +++ b/detections/endpoint/linux_auditd_add_user_account_type.yml @@ -1,7 +1,7 @@ name: Linux Auditd Add User Account Type id: f8c325ea-506e-4105-8ccf-da1492e90115 -version: 5 -date: '2025-02-10' +version: 6 +date: '2025-02-20' author: Teoderick Contreras, Splunk status: production type: Anomaly 
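Review bot: The `description` context line of the `@@ -4,7` hunk carries a duplicated clause — "…helps identify potential attempts to hide or unauthorized creation of hidden files and directories, this analytic helps identify potential attempts to hide malicious operations…" — which reads as a paste error and is worth correcting while the file is being retyped: `By monitoring for unusual or unauthorized creation of hidden files and directories, this analytic helps identify potential attempts to hide malicious operations, enabling security teams to uncover and address hidden threats effectively.` Promoting the search from `Hunting` to `Anomaly` means it now emits risk events for every match, and the drop to `score: 9` in the `@@ -32` hunk only dampens, not prevents, that; the `search` and `known_false_positives` values that determine the actual volume are outside this hunk.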
@@ -70,5 +70,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/linux_auditd_add_user_type/linux_auditd_add_user_type.log - source: /var/log/audit/audit.log - sourcetype: linux:audit + source: auditd + sourcetype: auditd From 8e3d03cc4269b585f131d839284991374ad597a0 Mon Sep 17 00:00:00 2001 From: Teoderick Contreras Date: Thu, 20 Feb 2025 18:07:30 +0100 Subject: [PATCH 12/30] auditd_detection_updates --- detections/endpoint/linux_auditd_dd_file_overwrite.yml | 2 +- .../linux_auditd_find_credentials_from_password_stores.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/detections/endpoint/linux_auditd_dd_file_overwrite.yml b/detections/endpoint/linux_auditd_dd_file_overwrite.yml index 5724aacdc4..b3b6308f50 100644 --- a/detections/endpoint/linux_auditd_dd_file_overwrite.yml +++ b/detections/endpoint/linux_auditd_dd_file_overwrite.yml @@ -14,7 +14,7 @@ description: The following analytic detects the use of the 'dd' command to overw causing significant operational disruptions. data_source: - Linux Auditd Proctitle -search: 'index=test proctitle = "*dd *" AND proctitle = "*of=*" AND proctitle = "*if=/dev/zero*" +search: '`linux_auditd` proctitle = "*dd *" AND proctitle = "*of=*" AND proctitle = "*if=/dev/zero*" | rename host as dest | stats count min(_time) as firstTime max(_time) as lastTime by proctitle dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` diff --git a/detections/endpoint/linux_auditd_find_credentials_from_password_stores.yml b/detections/endpoint/linux_auditd_find_credentials_from_password_stores.yml index da4c8a6105..e1b6683d3e 100644 --- a/detections/endpoint/linux_auditd_find_credentials_from_password_stores.yml +++ b/detections/endpoint/linux_auditd_find_credentials_from_password_stores.yml 
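Review bot: In the `linux_auditd_dd_file_overwrite.yml` hunk, `proctitle = "*if=/dev/zero*"` pins the detection to a single input source, while `dd if=/dev/urandom of=…` (or `/dev/random`) is the other standard way to destructively overwrite a file or block device and slips through unchanged. Consider `proctitle IN ("*if=/dev/zero*", "*if=/dev/urandom*", "*if=/dev/random*")`. Replacing the leftover `index=test` with the `` `linux_auditd` `` macro is the right fix; since that debug remnant survived into a committed search, it is worth grepping the other auditd detections for the same string. The `@@ -70` hunk above only repoints the test dataset.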
@@ -15,7 +15,7 @@ description: The following analytic detects suspicious attempts to find credenti data. data_source: - Linux Auditd Execve -search: '`linux_auditd` execve_command IN ("*setcap *") AND execve_command IN ("*cap_setuid+ep*", "*cap_setuid=ep*", "*cap_net_bind_service+p*", "*cap_net_raw+ep*", "*cap_dac_read_search+ep*") +search: '`linux_auditd` execve_command IN ("*find*", "*grep*") AND execve_command IN ("*password*", "*pass *", "*credential*", "*creds*") | rename host as dest | stats count min(_time) as firstTime max(_time) as lastTime by argc execve_command dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` From 6ae3bcfc42ae36b9c0f7c22db9e9dc7b9e7c5cce Mon Sep 17 00:00:00 2001 From: Br3akp0int <26181693+tccontre@users.noreply.github.com> Date: Fri, 21 Feb 2025 09:35:53 +0100 Subject: [PATCH 13/30] Update data_sources/linux_auditd_add_user.yml Co-authored-by: Nasreddine Bencherchali --- data_sources/linux_auditd_add_user.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data_sources/linux_auditd_add_user.yml b/data_sources/linux_auditd_add_user.yml index 95bdba2077..acab747455 100644 --- a/data_sources/linux_auditd_add_user.yml +++ b/data_sources/linux_auditd_add_user.yml @@ -1,6 +1,6 @@ name: Linux Auditd Add User id: 30f79353-e1d2-4585-8735-1e0359559f3f -version: 3 +version: 2 date: '2025-02-20' author: Teoderick Contreras, Splunk description: Data source object for Linux Auditd Add User Type From 64fcd2a6d4a394708dfd2f924ea00dd2917d2c60 Mon Sep 17 00:00:00 2001 From: Br3akp0int <26181693+tccontre@users.noreply.github.com> Date: Fri, 21 Feb 2025 09:36:11 +0100 Subject: [PATCH 14/30] Update detections/endpoint/linux_auditd_change_file_owner_to_root.yml Co-authored-by: Nasreddine Bencherchali --- detections/endpoint/linux_auditd_change_file_owner_to_root.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
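Review bot: The removed search body was a verbatim copy of the setcap detection, which means the true-positive test for this file could not have been exercising its intended logic; confirm the `tests` dataset (outside this hunk) actually contains `find`/`grep` password-hunting events so the new body is validated rather than passing by accident. In the new clause, `"*pass *"` is a bare substring and also matches arguments such as `bypass ` or `compass `; `"* pass *"` restricts it to a standalone token. The `@@ -1,6` hunk on `linux_auditd_add_user.yml` is only a version correction.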
diff --git a/detections/endpoint/linux_auditd_change_file_owner_to_root.yml b/detections/endpoint/linux_auditd_change_file_owner_to_root.yml index a4207c03da..9d4a2a18b1 100644 --- a/detections/endpoint/linux_auditd_change_file_owner_to_root.yml +++ b/detections/endpoint/linux_auditd_change_file_owner_to_root.yml @@ -4,7 +4,7 @@ version: 6 date: '2025-02-20' author: Teoderick Contreras, Splunk status: production -type: TTP +type: Anomaly description: The following analytic detects the use of the 'chown' command to change a file owner to 'root' on a Linux system. It leverages Linux Auditd telemetry, specifically monitoring command-line executions and process details. This activity is significant From 28f438438a6a4e72f2d9b34f38a42e6dcf5790c4 Mon Sep 17 00:00:00 2001 From: Br3akp0int <26181693+tccontre@users.noreply.github.com> Date: Fri, 21 Feb 2025 09:36:28 +0100 Subject: [PATCH 15/30] Update detections/endpoint/linux_auditd_edit_cron_table_parameter.yml Co-authored-by: Nasreddine Bencherchali --- detections/endpoint/linux_auditd_edit_cron_table_parameter.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/endpoint/linux_auditd_edit_cron_table_parameter.yml b/detections/endpoint/linux_auditd_edit_cron_table_parameter.yml index fc988e0f66..33311670ec 100644 --- a/detections/endpoint/linux_auditd_edit_cron_table_parameter.yml +++ b/detections/endpoint/linux_auditd_edit_cron_table_parameter.yml @@ -4,7 +4,7 @@ version: 5 date: '2025-02-20' author: Teoderick Contreras, Splunk status: production -type: TTP +type: Anomaly description: The following analytic detects the suspicious editing of cron jobs in Linux using the crontab command-line parameter (-e). It identifies this activity by monitoring command-line executions involving 'crontab' and the edit parameter. From 6baa8d078a1de70d7f355679a6c9e110291982ff Mon Sep 17 00:00:00 2001 
From: Br3akp0int <26181693+tccontre@users.noreply.github.com> Date: Fri, 21 Feb 2025 09:36:35 +0100 Subject: [PATCH 16/30] Update detections/endpoint/linux_auditd_osquery_service_stop.yml Co-authored-by: Nasreddine Bencherchali --- detections/endpoint/linux_auditd_osquery_service_stop.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/endpoint/linux_auditd_osquery_service_stop.yml b/detections/endpoint/linux_auditd_osquery_service_stop.yml index 81af9cea3b..8007cb6d21 100644 --- a/detections/endpoint/linux_auditd_osquery_service_stop.yml +++ b/detections/endpoint/linux_auditd_osquery_service_stop.yml @@ -4,7 +4,7 @@ version: 4 date: '2025-02-20' author: Teoderick Contreras, Splunk status: production -type: TTP +type: Anomaly description: The following analytic detects suspicious stopping of the `osquery` service, which may indicate an attempt to disable monitoring and evade detection. `Osquery` is a powerful tool used for querying system information and detecting anomalies, From 9697f1e75717d369c0f5c80a0713fe5e76474e38 Mon Sep 17 00:00:00 2001 
From: Teoderick Contreras Date: Fri, 21 Feb 2025 10:00:39 +0100 Subject: [PATCH 17/30] auditd_detection_updates --- detections/endpoint/linux_auditd_base64_decode_files.yml | 4 +++- detections/endpoint/linux_auditd_clipboard_data_copy.yml | 4 +++- detections/endpoint/linux_auditd_data_destruction_command.yml | 2 ++ .../linux_auditd_data_transfer_size_limits_via_split.yml | 4 +++- .../linux_auditd_database_file_and_directory_discovery.yml | 2 ++ .../endpoint/linux_auditd_file_and_directory_discovery.yml | 2 ++ .../linux_auditd_find_credentials_from_password_managers.yml | 2 ++ .../linux_auditd_find_credentials_from_password_stores.yml | 2 ++ detections/endpoint/linux_auditd_find_ssh_private_keys.yml | 2 ++ .../linux_auditd_hidden_files_and_directories_creation.yml | 2 ++ .../endpoint/linux_auditd_preload_hijack_library_calls.yml | 4 +++- .../linux_auditd_private_keys_and_certificate_enumeration.yml | 2 ++ .../endpoint/linux_auditd_setuid_using_setcap_utility.yml | 2 ++ .../endpoint/linux_auditd_unload_module_via_modprobe.yml | 2 ++ ...linux_auditd_virtual_disk_file_and_directory_discovery.yml | 2 ++ 15 files changed, 34 insertions(+), 4 deletions(-) diff --git a/detections/endpoint/linux_auditd_base64_decode_files.yml b/detections/endpoint/linux_auditd_base64_decode_files.yml index 2f31c31cd6..d8969d5de2 100644 --- a/detections/endpoint/linux_auditd_base64_decode_files.yml +++ b/detections/endpoint/linux_auditd_base64_decode_files.yml @@ -16,7 +16,9 @@ description: The following analytic detects suspicious Base64 decode operations data_source: - Linux Auditd Execve search: '`linux_auditd` execve_command = "*base64*" AND execve_command IN ("*-d*", "* --d*") - | rename host as dest + | rename host as dest + | rename comm as process_name + | rename exe as process | stats count min(_time) as firstTime max(_time) as lastTime by argc execve_command dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` 
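Review bot: The two added lines `| rename comm as process_name` and `| rename exe as process` in `linux_auditd_base64_decode_files.yml` produce fields that the following `stats … by argc execve_command dest` immediately discards, so they change nothing in the results, the risk message or the drilldowns. Either carry them through the aggregation, `| stats count min(_time) as firstTime max(_time) as lastTime by argc execve_command process_name process dest`, or drop the renames; the same pair is added to every other search in this commit. Also, `"* --d*"` is presumably meant as the long form of `-d`, in which case `"* --decode*"` says so and avoids matching other `--d…` options. The `search` value ends outside this hunk.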
diff --git a/detections/endpoint/linux_auditd_clipboard_data_copy.yml b/detections/endpoint/linux_auditd_clipboard_data_copy.yml index 1faf59a8a0..2e6d044e78 100644 --- a/detections/endpoint/linux_auditd_clipboard_data_copy.yml +++ b/detections/endpoint/linux_auditd_clipboard_data_copy.yml @@ -9,7 +9,9 @@ description: The following analytic detects the use of the Linux 'xclip' command data_source: - Linux Auditd Execve search: '`linux_auditd` execve_command IN ("*xclip*", "*clipboard*") AND execve_command IN ("*-o*", "*-selection *", "*-sel *" ) - | rename host as dest + | rename host as dest + | rename comm as process_name + | rename exe as process | stats count min(_time) as firstTime max(_time) as lastTime by argc execve_command dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` diff --git a/detections/endpoint/linux_auditd_data_destruction_command.yml b/detections/endpoint/linux_auditd_data_destruction_command.yml index d7f237aa00..a0aed17000 100644 --- a/detections/endpoint/linux_auditd_data_destruction_command.yml +++ b/detections/endpoint/linux_auditd_data_destruction_command.yml @@ -10,6 +10,8 @@ data_source: - Linux Auditd Proctitle search: '`linux_auditd` (proctitle = "*rm *" AND proctitle = "*-rf *" AND proctitle = "*--no-preserve-root*") | rename host as dest + | rename comm as process_name + | rename exe as process | stats count min(_time) as firstTime max(_time) as lastTime by proctitle dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` diff --git a/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split.yml b/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split.yml index 05b0e1fbaa..2802b6570d 100644 --- a/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split.yml +++ b/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split.yml 
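Review bot: In `linux_auditd_data_destruction_command.yml` the data source is `Linux Auditd Proctitle`, and `comm`/`exe` are fields of the SYSCALL record rather than of PROCTITLE, so unless the `auditd` sourcetype merges all records of one audit event the new `rename comm as process_name` and `rename exe as process` lines act on absent fields; the following `stats … by proctitle dest` discards them in any case. Either drop the two lines or add the fields to the `by` clause as in the execve-based searches. The clipboard hunk above adds the same two renames and drops them the same way in `stats … by argc execve_command dest`.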
@@ -9,7 +9,9 @@ description: The following analytic detects suspicious data transfer activities data_source: - Linux Auditd Execve search: '`linux_auditd` execve_command = "*split*" AND execve_command = "*-b *" - | rename host as dest + | rename host as dest + | rename comm as process_name + | rename exe as process | stats count min(_time) as firstTime max(_time) as lastTime by argc execve_command dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` diff --git a/detections/endpoint/linux_auditd_database_file_and_directory_discovery.yml b/detections/endpoint/linux_auditd_database_file_and_directory_discovery.yml index 3da1063408..cc83ff6bd2 100644 --- a/detections/endpoint/linux_auditd_database_file_and_directory_discovery.yml +++ b/detections/endpoint/linux_auditd_database_file_and_directory_discovery.yml @@ -10,6 +10,8 @@ data_source: - Linux Auditd Execve search: '`linux_auditd` execve_command IN ("*find*", "*grep*") AND execve_command IN("*.db*", "*.sql*", "*.sqlite*", "*.mdb*", "*.accdb*", "*.mdf*", "*.ndf*", "*.ldf*", "*.frm*", "*.myd*", "*.myi*", "*.dbf*", "*.db2*", "*.dbc*", "*.fpt*", "*.ora*") | rename host as dest + | rename comm as process_name + | rename exe as process | stats count min(_time) as firstTime max(_time) as lastTime by argc execve_command dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` diff --git a/detections/endpoint/linux_auditd_file_and_directory_discovery.yml b/detections/endpoint/linux_auditd_file_and_directory_discovery.yml index d42c84177e..d760679d96 100644 --- a/detections/endpoint/linux_auditd_file_and_directory_discovery.yml +++ b/detections/endpoint/linux_auditd_file_and_directory_discovery.yml 
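Review bot: In `linux_auditd_database_file_and_directory_discovery.yml`, `"*.db*"` is broad enough to match `~/.dbus` and `.dbg` debug files, and `"*.sql*"` already subsumes `"*.sqlite*"`, so a `find`/`grep` over an ordinary home directory satisfies the clause. If the extension list is meant literally, a regex anchored to the end of the token is tighter, e.g. `| regex execve_command="\.(db|sql|sqlite|mdb|accdb|mdf|ndf|ldf|frm|myd|myi|dbf|db2|dbc|fpt|ora)(\s|$|['\"])"`. Both hunks here also add `rename comm`/`rename exe` lines that the subsequent `stats … by argc execve_command dest` discards.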
@@ -10,6 +10,8 @@ data_source: - Linux Auditd Execve search: '`linux_auditd` execve_command IN ("*grep*", "*find*") AND execve_command IN ("*.tif*", "*.tiff*", "*.gif*", "*.jpeg*", "*.jpg*", "*.jif*", "*.jfif*", "*.jp2*", "*.jpx*", "*.j2k*", "*.j2c*", "*.fpx*", "*.pcd*", "*.png*", "*.flv*", "*.pdf*", "*.mp4*", "*.mp3*", "*.gifv*", "*.avi*", "*.mov*", "*.mpeg*", "*.wav*", "*.doc*", "*.docx*", "*.xls*", "*.xlsx*", "*.svg*") | rename host as dest + | rename comm as process_name + | rename exe as process | stats count min(_time) as firstTime max(_time) as lastTime by argc execve_command dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_auditd_file_and_directory_discovery_filter`' diff --git a/detections/endpoint/linux_auditd_find_credentials_from_password_managers.yml b/detections/endpoint/linux_auditd_find_credentials_from_password_managers.yml index 6c9f6f4191..9e460eae8a 100644 --- a/detections/endpoint/linux_auditd_find_credentials_from_password_managers.yml +++ b/detections/endpoint/linux_auditd_find_credentials_from_password_managers.yml @@ -17,6 +17,8 @@ data_source: - Linux Auditd Execve search: '`linux_auditd` execve_command IN ("*find*", "*grep*") AND execve_command IN ("*.kdbx*", "*KeePass*", "*.enforced*", "*.lpdb*", "*.opvault*", "*.agilekeychain*", "*.dashlane*", "*.rfx*", "*passbolt*", "*.spdb*", "*StickyPassword*", "*.walletx*", "*enpass*", "*vault*", "*.kdb*") | rename host as dest + | rename comm as process_name + | rename exe as process | stats count min(_time) as firstTime max(_time) as lastTime by argc execve_command dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_auditd_find_credentials_from_password_managers_filter`' diff --git a/detections/endpoint/linux_auditd_find_credentials_from_password_stores.yml b/detections/endpoint/linux_auditd_find_credentials_from_password_stores.yml index e1b6683d3e..4b39e1d0bc 100644 
--- a/detections/endpoint/linux_auditd_find_credentials_from_password_stores.yml +++ b/detections/endpoint/linux_auditd_find_credentials_from_password_stores.yml @@ -17,6 +17,8 @@ data_source: - Linux Auditd Execve search: '`linux_auditd` execve_command IN ("*find*", "*grep*") AND execve_command IN ("*password*", "*pass *", "*credential*", "*creds*") | rename host as dest + | rename comm as process_name + | rename exe as process | stats count min(_time) as firstTime max(_time) as lastTime by argc execve_command dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_auditd_find_credentials_from_password_stores_filter`' diff --git a/detections/endpoint/linux_auditd_find_ssh_private_keys.yml b/detections/endpoint/linux_auditd_find_ssh_private_keys.yml index b45c028093..d9de476bf8 100644 --- a/detections/endpoint/linux_auditd_find_ssh_private_keys.yml +++ b/detections/endpoint/linux_auditd_find_ssh_private_keys.yml @@ -17,6 +17,8 @@ data_source: - Linux Auditd Execve search: '`linux_auditd` execve_command IN ("*find*", "*grep*") AND execve_command IN ("*id_rsa*", "*id_dsa*", "*.key*", "*ssh_key*", "*authorized_keys*") | rename host as dest + | rename comm as process_name + | rename exe as process | stats count min(_time) as firstTime max(_time) as lastTime by argc execve_command dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_auditd_find_ssh_private_keys_filter`' diff --git a/detections/endpoint/linux_auditd_hidden_files_and_directories_creation.yml b/detections/endpoint/linux_auditd_hidden_files_and_directories_creation.yml index f7ef3823d6..9aee4725bb 100644 --- a/detections/endpoint/linux_auditd_hidden_files_and_directories_creation.yml +++ b/detections/endpoint/linux_auditd_hidden_files_and_directories_creation.yml 
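Review bot: In `linux_auditd_find_ssh_private_keys.yml`, the key-name clause `("*id_rsa*", "*id_dsa*", "*.key*", "*ssh_key*", "*authorized_keys*")` covers only RSA and the long-deprecated DSA names; `id_ed25519` and `id_ecdsa` are the default file names for the key types modern OpenSSH generates and are missed. Suggest `execve_command IN ("*id_rsa*", "*id_dsa*", "*id_ed25519*", "*id_ecdsa*", "*.key*", "*ssh_key*", "*authorized_keys*")`. The added `rename comm`/`rename exe` lines in both hunks are discarded by the following `stats … by argc execve_command dest`.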
@@ -10,6 +10,8 @@ data_source: - Linux Auditd Execve search: '`linux_auditd` execve_command IN ("*touch *", "*mkdir *", "*vim *", "*vi *", "*nano *") AND execve_command IN ("* ./.*", "* .*", "*/.*") | rename host as dest + | rename comm as process_name + | rename exe as process | stats count min(_time) as firstTime max(_time) as lastTime by argc execve_command dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_auditd_hidden_files_and_directories_creation_filter`' diff --git a/detections/endpoint/linux_auditd_preload_hijack_library_calls.yml b/detections/endpoint/linux_auditd_preload_hijack_library_calls.yml index 3325087aae..f5ff7d5a41 100644 --- a/detections/endpoint/linux_auditd_preload_hijack_library_calls.yml +++ b/detections/endpoint/linux_auditd_preload_hijack_library_calls.yml @@ -16,7 +16,9 @@ description: The following analytic detects the use of the LD_PRELOAD environmen data_source: - Linux Auditd Execve search: '`linux_auditd` execve_command = "*LD_PRELOAD*" - | rename host as dest + | rename host as dest + | rename comm as process_name + | rename exe as process | stats count min(_time) as firstTime max(_time) as lastTime by argc execve_command dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `linux_auditd_preload_hijack_library_calls_filter`' diff --git a/detections/endpoint/linux_auditd_private_keys_and_certificate_enumeration.yml b/detections/endpoint/linux_auditd_private_keys_and_certificate_enumeration.yml index 2b1d09f51d..e256d7247a 100644 --- a/detections/endpoint/linux_auditd_private_keys_and_certificate_enumeration.yml +++ b/detections/endpoint/linux_auditd_private_keys_and_certificate_enumeration.yml 
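Review bot: In `linux_auditd_hidden_files_and_directories_creation.yml`, `execve_command IN ("* ./.*", "* .*", "*/.*")` treats any argument beginning with `.` as hidden, so ordinary relative paths such as `touch ./notes` or `mkdir ./build` satisfy `"* .*"`, and `"*/.*"` matches every path under a dot-directory (`vim /home/u/.config/app/cfg`), neither of which creates a hidden file. A regex that requires the final path component to start with a dot is tighter: `| regex execve_command="(^|\s|/)\.[^./\s][^\s/]*(\s|$)"` (this deliberately does not match `mkdir -p .hidden/dir`, a trade-off worth noting in `known_false_positives`). The added `rename comm`/`rename exe` lines in both hunks are discarded by the following `stats … by argc execve_command dest`.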
@@ -18,6 +18,8 @@ data_source: search: '`linux_auditd` execve_command IN ("*find*", "*grep*") AND execve_command IN ("*.pem*", "*.cer*", "*.crt*", "*.pgp*", "*.key*", "*.gpg*", "*.ppk*", "*.p12*", "*.pfx*", "*.p7b*") | rename host as dest + | rename comm as process_name + | rename exe as process | stats count min(_time) as firstTime max(_time) as lastTime by argc execve_command dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_auditd_private_keys_and_certificate_enumeration_filter`' diff --git a/detections/endpoint/linux_auditd_setuid_using_setcap_utility.yml b/detections/endpoint/linux_auditd_setuid_using_setcap_utility.yml index fe932449ad..c186d3278e 100644 --- a/detections/endpoint/linux_auditd_setuid_using_setcap_utility.yml +++ b/detections/endpoint/linux_auditd_setuid_using_setcap_utility.yml @@ -16,6 +16,8 @@ data_source: - Linux Auditd Execve search: '`linux_auditd` execve_command IN ("*setcap *") AND execve_command IN ("*cap_setuid+ep*", "*cap_setuid=ep*", "*cap_net_bind_service+p*", "*cap_net_raw+ep*", "*cap_dac_read_search+ep*") | rename host as dest + | rename comm as process_name + | rename exe as process | stats count min(_time) as firstTime max(_time) as lastTime by argc execve_command dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_auditd_setuid_using_setcap_utility_filter`' diff --git a/detections/endpoint/linux_auditd_unload_module_via_modprobe.yml b/detections/endpoint/linux_auditd_unload_module_via_modprobe.yml index 3644a846ed..cc4ffe639d 100644 --- a/detections/endpoint/linux_auditd_unload_module_via_modprobe.yml +++ b/detections/endpoint/linux_auditd_unload_module_via_modprobe.yml 
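Review bot: In `linux_auditd_setuid_using_setcap_utility.yml`, the capability clause lists exact flag spellings such as `"*cap_setuid+ep*"` and `"*cap_setuid=ep*"`, so the equally common `cap_setuid+eip` and `cap_setuid=eip` forms are not matched. Since the operator and flag letters do not change the threat, `execve_command IN ("*cap_setuid+*", "*cap_setuid=*", "*cap_net_bind_service+*", "*cap_net_raw+*", "*cap_dac_read_search+*")` covers all spellings with no loss of precision given the `*setcap *` guard. The `rename comm`/`rename exe` lines added in both hunks are discarded by the following `stats … by argc execve_command dest`.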
@@ -17,6 +17,8 @@ data_source: - Linux Auditd Execve search: '`linux_auditd` execve_command = "*modprobe*" AND execve_command = "*-r *" | rename host as dest + | rename comm as process_name + | rename exe as process | stats count min(_time) as firstTime max(_time) as lastTime by argc execve_command dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `linux_auditd_unload_module_via_modprobe_filter`' diff --git a/detections/endpoint/linux_auditd_virtual_disk_file_and_directory_discovery.yml b/detections/endpoint/linux_auditd_virtual_disk_file_and_directory_discovery.yml index 46bc0e5678..8f0c0c8369 100644 --- a/detections/endpoint/linux_auditd_virtual_disk_file_and_directory_discovery.yml +++ b/detections/endpoint/linux_auditd_virtual_disk_file_and_directory_discovery.yml @@ -10,6 +10,8 @@ data_source: - Linux Auditd Execve search: '`linux_auditd` execve_command IN ("*find*", "*grep*") AND execve_command IN ("*.vhd*", "*.vhdx*", "*.vmdk*") | rename host as dest + | rename comm as process_name + | rename exe as process | stats count min(_time) as firstTime max(_time) as lastTime by argc execve_command dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `linux_auditd_virtual_disk_file_and_directory_discovery_filter`' From b284853bfec947bfa7582c66730e03fce5367069 Mon Sep 17 00:00:00 2001 From: Br3akp0int <26181693+tccontre@users.noreply.github.com> Date: Fri, 21 Feb 2025 10:30:05 +0100 Subject: [PATCH 18/30] Update linux_auditd_add_user.yml --- data_sources/linux_auditd_add_user.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/data_sources/linux_auditd_add_user.yml b/data_sources/linux_auditd_add_user.yml index e92775485b..acab747455 100644 --- a/data_sources/linux_auditd_add_user.yml +++ b/data_sources/linux_auditd_add_user.yml 
@@ -1,12 +1,7 @@
 name: Linux Auditd Add User
 id: 30f79353-e1d2-4585-8735-1e0359559f3f
-<<<<<<< HEAD
 version: 2
 date: '2025-02-20'
-=======
-version: 1
-date: '2024-08-24'
->>>>>>> 6f88528e2849855c588650d7b6bd0396b1cc384b
 author: Teoderick Contreras, Splunk
 description: Data source object for Linux Auditd Add User Type
 source: auditd
From 649cc56451cff40790f287e9591edf4f492de6bb Mon Sep 17 00:00:00 2001
From: Br3akp0int <26181693+tccontre@users.noreply.github.com>
Date: Fri, 21 Feb 2025 10:30:25 +0100
Subject: [PATCH 19/30] Update linux_auditd_execve.yml
---
 data_sources/linux_auditd_execve.yml | 5 -----
 1 file changed, 5 deletions(-)
diff --git a/data_sources/linux_auditd_execve.yml b/data_sources/linux_auditd_execve.yml
index e2cb2f3177..82bd7bcacc 100644
--- a/data_sources/linux_auditd_execve.yml
+++ b/data_sources/linux_auditd_execve.yml
@@ -1,12 +1,7 @@
 name: Linux Auditd Execve
 id: 9ef6364d-cc67-480e-8448-3306829a6a24
-<<<<<<< HEAD
 version: 2
 date: '2025-02-20'
-=======
-version: 1
-date: '2024-09-24'
->>>>>>> 6f88528e2849855c588650d7b6bd0396b1cc384b
 author: Teoderick Contreras, Splunk
 description: Data source object for Linux Auditd Execve Type
 source: auditd
From 5f935a671bacb730edda12946da167346090628b Mon Sep 17 00:00:00 2001
From: Br3akp0int <26181693+tccontre@users.noreply.github.com>
Date: Fri, 21 Feb 2025 10:30:50 +0100
Subject: [PATCH 20/30] Update linux_auditd_path.yml
---
 data_sources/linux_auditd_path.yml | 5 -----
 1 file changed, 5 deletions(-)
diff --git a/data_sources/linux_auditd_path.yml b/data_sources/linux_auditd_path.yml
index 4145d303fd..25c1cb029a 100644
--- a/data_sources/linux_auditd_path.yml
+++ b/data_sources/linux_auditd_path.yml
@@ -1,12 +1,7 @@
 name: Linux Auditd Path
 id: 3d86125c-0496-4a5a-aae3-0d355a4f3d7d
-<<<<<<< HEAD
 version: 2
 date: '2025-02-20'
-=======
-version: 1
-date: '2024-09-24'
->>>>>>> 6f88528e2849855c588650d7b6bd0396b1cc384b
 author: Teoderick Contreras, Splunk
 description: Data source object for Linux Auditd Path Type
 source: auditd
From f9accd9748462ca0bcfcbddd083d1673f4f23a0e Mon Sep 17 00:00:00 2001
From: Br3akp0int <26181693+tccontre@users.noreply.github.com>
Date: Fri, 21 Feb 2025 10:31:15 +0100
Subject: [PATCH 21/30] Update linux_auditd_proctitle.yml
---
 data_sources/linux_auditd_proctitle.yml | 5 -----
 1 file changed, 5 deletions(-)
diff --git a/data_sources/linux_auditd_proctitle.yml b/data_sources/linux_auditd_proctitle.yml
index b0a217211e..86c68368aa 100644
--- a/data_sources/linux_auditd_proctitle.yml
+++ b/data_sources/linux_auditd_proctitle.yml
@@ -1,12 +1,7 @@
 name: Linux Auditd Proctitle
 id: 5a25984a-2789-400a-858b-d75c923e06b1
-<<<<<<< HEAD
 version: 2
 date: '2025-02-20'
-=======
-version: 1
-date: '2024-09-24'
->>>>>>> 6f88528e2849855c588650d7b6bd0396b1cc384b
 author: Teoderick Contreras, Splunk
 description: Data source object for Linux Auditd Proctitle Type
 source: auditd
From b1032d7ff72d701982fb6213b58d953116919107 Mon Sep 17 00:00:00 2001
From: Br3akp0int <26181693+tccontre@users.noreply.github.com>
Date: Fri, 21 Feb 2025 10:31:34 +0100
Subject: [PATCH 22/30] Update linux_auditd_service_stop.yml
---
 data_sources/linux_auditd_service_stop.yml | 5 -----
 1 file changed, 5 deletions(-)
diff --git a/data_sources/linux_auditd_service_stop.yml b/data_sources/linux_auditd_service_stop.yml
index 5fa8ce6ac9..e65d033de2 100644
--- a/data_sources/linux_auditd_service_stop.yml
+++ b/data_sources/linux_auditd_service_stop.yml
@@ -1,12 +1,7 @@
 name: Linux Auditd Service Stop
 id: 0643483c-bc62-455c-8d6e-1630e5f0e00d
-<<<<<<< HEAD
 version: 2
 date: '2025-02-20'
-=======
-version: 1
-date: '2024-09-24'
->>>>>>> 6f88528e2849855c588650d7b6bd0396b1cc384b
 author: Teoderick Contreras, Splunk
 description: Data source object for Linux Auditd Service Stop Type
 source: auditd
From 9614dcd2924a49857d00dcd0f8d2327b294a2edc Mon Sep 17 00:00:00 2001
From: Br3akp0int <26181693+tccontre@users.noreply.github.com>
Date: Fri, 21 Feb 2025 10:31:56 +0100
Subject: [PATCH 23/30] Update linux_auditd_syscall.yml
---
 data_sources/linux_auditd_syscall.yml | 5 -----
 1 file changed, 5 deletions(-)
diff --git a/data_sources/linux_auditd_syscall.yml b/data_sources/linux_auditd_syscall.yml
index f37a34b9a8..00a1fa9493 100644
--- a/data_sources/linux_auditd_syscall.yml
+++ b/data_sources/linux_auditd_syscall.yml
@@ -1,12 +1,7 @@
 name: Linux Auditd Syscall
 id: 4dff7047-0d43-4096-bb3f-b756c889bbad
-<<<<<<< HEAD
 version: 2
 date: '2025-02-20'
-=======
-version: 1
-date: '2024-09-24'
->>>>>>> 6f88528e2849855c588650d7b6bd0396b1cc384b
 author: Teoderick Contreras, Splunk
 description: Data source object for Linux Auditd Syscall Type
 source: auditd
From 5c4abbc5b97ce7d089da73e832bd08a510147577 Mon Sep 17 00:00:00 2001
From: Teoderick Contreras
Date: Mon, 24 Feb 2025 12:13:01 +0100
Subject: [PATCH 24/30] auditd_detection_updates
---
 .../linux_auditd_file_permission_modification_via_chmod.yml | 6 +++---
 .../linux_auditd_nopasswd_entry_in_sudoers_file.yml | 6 +++---
 .../linux_auditd_possible_access_to_credential_files.yml | 6 +++---
 .../linux_auditd_possible_access_to_sudoers_file.yml | 6 +++---
 .../endpoint/linux_auditd_preload_hijack_library_calls.yml | 6 +++---
 5 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/detections/endpoint/linux_auditd_file_permission_modification_via_chmod.yml b/detections/endpoint/linux_auditd_file_permission_modification_via_chmod.yml
index 27731bffd4..76b725c535 100644
--- a/detections/endpoint/linux_auditd_file_permission_modification_via_chmod.yml +++ b/detections/endpoint/linux_auditd_file_permission_modification_via_chmod.yml @@ -1,7 +1,7 @@ name: Linux Auditd File Permission Modification Via Chmod id: 5f1d2ea7-eec0-4790-8b24-6875312ad492 -version: 8 -date: '2025-02-20' +version: 9 +date: '2025-02-24' author: Teoderick Contreras, Splunk, Ivar Nygård status: production type: Anomaly @@ -63,7 +63,7 @@ tags: - Compromised Linux Host - Linux Persistence Techniques - XorDDos - - Nexus APT Threat Activity + - China-Nexus Threat Activity - Earth Estries asset_type: Endpoint mitre_attack_id: diff --git a/detections/endpoint/linux_auditd_nopasswd_entry_in_sudoers_file.yml b/detections/endpoint/linux_auditd_nopasswd_entry_in_sudoers_file.yml index 3e710c1678..0ade7b96a2 100644 --- a/detections/endpoint/linux_auditd_nopasswd_entry_in_sudoers_file.yml +++ b/detections/endpoint/linux_auditd_nopasswd_entry_in_sudoers_file.yml @@ -1,7 +1,7 @@ name: Linux Auditd Nopasswd Entry In Sudoers File id: 651df959-ad17-4b73-a323-90cb96d5fa1b -version: 5 -date: '2025-02-20' +version: 6 +date: '2025-02-24' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -60,7 +60,7 @@ tags: - Linux Privilege Escalation - Compromised Linux Host - Linux Persistence Techniques - - Nexus APT Threat Activity + - China-Nexus Threat Activity - Earth Estries asset_type: Endpoint mitre_attack_id: diff --git a/detections/endpoint/linux_auditd_possible_access_to_credential_files.yml b/detections/endpoint/linux_auditd_possible_access_to_credential_files.yml index 86a75b995b..37ec34de57 100644 --- a/detections/endpoint/linux_auditd_possible_access_to_credential_files.yml +++ b/detections/endpoint/linux_auditd_possible_access_to_credential_files.yml 
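Review bot: The new tag `- China-Nexus Threat Activity` refers to a story that does not exist at this commit: stories/china_nexus_threat_activity.yml is only created in the next commit (PATCH 25/30), which also deletes stories/nexus_apt_threat_activity.yml. If the content build validates `analytic_story` names against stories/, this commit fails to build on its own and breaks bisecting; reordering so the story is added first, or squashing PATCH 24 and 25, avoids that. The same retag is made in the nopasswd-sudoers, credential-files, sudoers-file and preload-hijack hunks of this commit, so the ordering concern applies to all five files.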
@@ -1,7 +1,7 @@ name: Linux Auditd Possible Access To Credential Files id: 0419cb7a-57ea-467b-974f-77c303dfe2a3 -version: 6 -date: '2025-02-20' +version: 7 +date: '2025-02-24' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -60,7 +60,7 @@ tags: - Linux Privilege Escalation - Compromised Linux Host - Linux Persistence Techniques - - Nexus APT Threat Activity + - China-Nexus Threat Activity - Earth Estries asset_type: Endpoint mitre_attack_id: diff --git a/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml b/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml index faa3f19bb0..29c1d8eafe 100644 --- a/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml +++ b/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml @@ -1,7 +1,7 @@ name: Linux Auditd Possible Access To Sudoers File id: 8be88f46-f7e8-4ae6-b15e-cf1b13392834 -version: 6 -date: '2025-02-20' +version: 7 +date: '2025-02-24' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -59,7 +59,7 @@ tags: - Linux Privilege Escalation - Compromised Linux Host - Linux Persistence Techniques - - Nexus APT Threat Activity + - China-Nexus Threat Activity - Earth Estries asset_type: Endpoint mitre_attack_id: diff --git a/detections/endpoint/linux_auditd_preload_hijack_library_calls.yml b/detections/endpoint/linux_auditd_preload_hijack_library_calls.yml index f5ff7d5a41..5ce6df62c2 100644 --- a/detections/endpoint/linux_auditd_preload_hijack_library_calls.yml +++ b/detections/endpoint/linux_auditd_preload_hijack_library_calls.yml @@ -1,7 +1,7 @@ name: Linux Auditd Preload Hijack Library Calls id: 35c50572-a70b-452f-afa9-bebdf3c3ce36 -version: 6 -date: '2025-02-20' +version: 7 +date: '2025-02-24' author: Teoderick Contreras, Splunk status: production type: TTP 
@@ -62,7 +62,7 @@ tags: - Linux Privilege Escalation - Compromised Linux Host - Linux Persistence Techniques - - Nexus APT Threat Activity + - China-Nexus Threat Activity - Earth Estries asset_type: Endpoint mitre_attack_id: From 3b5dd65b8c15233c092c88200d1de62b1d30e9ce Mon Sep 17 00:00:00 2001 From: Teoderick Contreras Date: Mon, 24 Feb 2025 12:20:26 +0100 Subject: [PATCH 25/30] auditd_detection_updates --- stories/china_nexus_threat_activity.yml | 22 ++++++++++++++++++++++ stories/nexus_apt_threat_activity.yml | 21 --------------------- 2 files changed, 22 insertions(+), 21 deletions(-) create mode 100644 stories/china_nexus_threat_activity.yml delete mode 100644 stories/nexus_apt_threat_activity.yml diff --git a/stories/china_nexus_threat_activity.yml b/stories/china_nexus_threat_activity.yml new file mode 100644 index 0000000000..740f595dde --- /dev/null +++ b/stories/china_nexus_threat_activity.yml 
@@ -0,0 +1,22 @@
+name: China-Nexus Threat Activity
+id: 43f8062d-4da0-4f48-8cad-6a20e108961b
+version: 2
+date: '2025-02-24'
+author: Teoderick Contreras, Splunk
+status: production
+description: Leverage searches that allow you to detect and investigate unusual activities that might relate to Nexus, Chinese state-nexus adversaries known for its stealth and strategic targeting of high-value sectors. Monitor for indicators such as spear-phishing campaigns, exploitation of zero-day vulnerabilities, and unauthorized lateral movement within your network. Investigate anomalous data exfiltration, encrypted communications, and behaviors aligning with their known tactics, techniques, and procedures (TTPs). Combining threat intelligence with real-time monitoring helps identify and respond to Nexus APT activity, minimizing potential damage and data loss.
+narrative: Chinese state-nexus threat group are known to target the telecommunications and technology sectors in multiple countries, including the US, to maintain sustained access as well as conduct espionage. Compromised entities in either sector represent potential supply chain vectors of concern to Splunk, although telecommunications entities are a more pervasive and acute concern in this regard. These actors are also known to broadly target unpatched routers, switches and other edge devices across various sectors. Given these threats, Splunk Threat Intelligence (TI) undertook a detailed investigation into China-nexus tactics and techniques that could be used in attempts to compromise Splunk. This report is the result of that investigation, detailing noteworthy behaviors and tools employed by China-nexus targeted intrusion actors.
+references:
+- https://news.sophos.com/en-us/2024/10/31/pacific-rim-neutralizing-china-based-threat/
+- https://www.wsj.com/tech/cybersecurity/typhoon-china-hackers-military-weapons-97d4ef95?st=oe1KKi&reflink=desktopwebshare _permalink
+- https://www.judiciary.senate.gov/imo/media/doc/2024-11-19_pm_-_testimony_-_meyers.pdf
+- https://go.crowdstrike.com/rs/281-OBQ-266/images/GlobalThreatReport2024.pdf
+- https://www.crowdstrike.com/adversaries/envoy-panda/
+tags:
+ category:
+ - Malware
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ usecase: Advanced Threat Detection
\ No newline at end of file
diff --git a/stories/nexus_apt_threat_activity.yml b/stories/nexus_apt_threat_activity.yml
deleted file mode 100644
index bd6aed1350..0000000000
--- a/stories/nexus_apt_threat_activity.yml
+++ /dev/null
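Review bot: The WSJ reference URL on the new side contains a space before `_permalink` (`desktopwebshare _permalink`), so the link is broken as written; it is carried over from the deleted file, and since the file is being recreated anyway this is the moment to fix it, e.g. by dropping the share-tracking query string and keeping `- https://www.wsj.com/tech/cybersecurity/typhoon-china-hackers-military-weapons-97d4ef95`. The description is also out of step with the rename: `relate to Nexus, Chinese state-nexus adversaries known for its stealth` and the closing `respond to Nexus APT activity` still read as if a single group called Nexus exists, and `threat group are known` in the narrative needs `groups are` (or `group is`). The new file is also committed without a trailing newline (`\ No newline at end of file`), which the deleted file had as well; adding one keeps yamllint and diffs clean.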
@@ -1,21 +0,0 @@
-name: Nexus APT Threat Activity
-id: 43f8062d-4da0-4f48-8cad-6a20e108961b
-version: 1
-date: '2025-01-27'
-author: Teoderick Contreras, Splunk
-status: production
-description: Leverage searches that allow you to detect and investigate unusual activities that might relate to Nexus, an advanced persistent threat (APT) group known for its stealth and strategic targeting of high-value sectors. Monitor for indicators such as spear-phishing campaigns, exploitation of zero-day vulnerabilities, and unauthorized lateral movement within your network. Investigate anomalous data exfiltration, encrypted communications, and behaviors aligning with their known tactics, techniques, and procedures (TTPs). Combining threat intelligence with real-time monitoring helps identify and respond to Nexus APT activity, minimizing potential damage and data loss.
-narrative: Chinese state-nexus threat actors are known to target the telecommunications and technology sectors in multiple countries, including the US, to maintain sustained access as well as conduct espionage. Compromised entities in either sector represent potential supply chain vectors of concern to Splunk, although telecommunications entities are a more pervasive and acute concern in this regard. These actors are also known to broadly target unpatched routers, switches and other edge devices across various sectors. Given these threats, Splunk Threat Intelligence (TI) undertook a detailed investigation into China-nexus tactics and techniques that could be used in attempts to compromise Splunk. This report is the result of that investigation, detailing noteworthy behaviors and tools employed by China-nexus targeted intrusion actors.
-references:
-- https://news.sophos.com/en-us/2024/10/31/pacific-rim-neutralizing-china-based-threat/
-- https://www.wsj.com/tech/cybersecurity/typhoon-china-hackers-military-weapons-97d4ef95?st=oe1KKi&reflink=desktopwebshare _permalink
-- https://www.judiciary.senate.gov/imo/media/doc/2024-11-19_pm_-_testimony_-_meyers.pdf
-- https://go.crowdstrike.com/rs/281-OBQ-266/images/GlobalThreatReport2024.pdf
-tags:
- category:
- - Malware
- product:
- - Splunk Enterprise
- - Splunk Enterprise Security
- - Splunk Cloud
- usecase: Advanced Threat Detection
\ No newline at end of file
From a856da57c2c74ae1b80117acf31735e4381a5110 Mon Sep 17 00:00:00 2001
From: Teoderick Contreras Date: Mon, 24 Feb 2025 12:37:33 +0100 Subject: [PATCH 26/30] auditd_detection_updates --- .../endpoint/any_powershell_downloadfile.yml | 23 ++++--- detections/endpoint/detect_renamed_psexec.yml | 19 +++--- detections/endpoint/detect_renamed_winrar.yml | 11 ++-- ..._or_script_creation_in_suspicious_path.yml | 62 +++++++++---------- ...x_common_process_for_elevation_control.yml | 11 ++-- ...x_file_creation_in_init_boot_directory.yml | 11 ++-- .../linux_iptables_firewall_modification.yml | 11 ++-- .../linux_nopasswd_entry_in_sudoers_file.yml | 11 ++-- ...ux_possible_access_to_credential_files.yml | 11 ++-- .../linux_possible_access_to_sudoers_file.yml | 11 ++-- .../linux_preload_hijack_library_calls.yml | 11 ++-- .../linux_sudoers_tmp_file_creation.yml | 11 ++-- ...hell_process___execution_policy_bypass.yml | 13 ++-- ...e_process_accessing_chrome_default_dir.yml | 21 +++---- .../endpoint/powershell_4104_hunting.yml | 23 ++++--- .../registry_keys_used_for_persistence.yml | 45 +++++++------- .../remote_process_instantiation_via_wmi.yml | 10 +-- ...eduled_task_deleted_or_created_via_cmd.yml | 43 +++++++------ ...ious_regsvr32_register_suspicious_path.yml | 15 +++-- ...s_scheduled_task_from_public_directory.yml | 23 ++++--- ...ss_token_manipulation_sedebugprivilege.yml | 21 +++---- ...windows_archive_collected_data_via_rar.yml | 11 ++-- ...ssword_stores_chrome_localstate_access.yml | 22 +++---- ...ssword_stores_chrome_login_data_access.yml | 22 +++---- ...ndows_curl_download_to_suspicious_path.yml | 10 +-- ...ws_replication_through_removable_media.yml | 10 +-- ...e_created_with_suspicious_service_path.yml | 23 ++++--- ..._service_creation_using_registry_entry.yml | 18 +++--- .../windows_unsigned_dll_side_loading.yml | 8 +-- ..._dll_side_loading_in_same_process_path.yml | 11 ++-- .../windows_unsigned_ms_dll_side_loading.yml | 6 +- ..._scheduled_task_created_to_spawn_shell.yml | 19 +++--- ...eduled_task_created_within_public_path.yml | 31 
+++++----- .../detect_large_outbound_icmp_packets.yml | 8 +-- 34 files changed, 296 insertions(+), 320 deletions(-) diff --git a/detections/endpoint/any_powershell_downloadfile.yml b/detections/endpoint/any_powershell_downloadfile.yml index 65a6733058..0cee497f25 100644 --- a/detections/endpoint/any_powershell_downloadfile.yml +++ b/detections/endpoint/any_powershell_downloadfile.yml @@ -1,7 +1,7 @@ name: Any Powershell DownloadFile id: 1a93b7ea-7af7-11eb-adb5-acde48001122 -version: 11 -date: '2025-02-10' +version: '12' +date: '2025-02-24' author: Michael Haag, Splunk status: production type: TTP @@ -71,18 +71,18 @@ rba: type: process_name tags: analytic_story: - - Data Destruction - Ingress Tool Transfer + - China-Nexus Threat Activity + - Crypto Stealer + - Hermetic Wiper - DarkCrystal RAT - - PXA Stealer - - Braodo Stealer - - Phemedrone Stealer - - Log4Shell CVE-2021-44228 - Malicious PowerShell - - Hermetic Wiper - - Crypto Stealer - - Nexus APT Threat Activity - Earth Estries + - Phemedrone Stealer + - Braodo Stealer + - PXA Stealer + - Data Destruction + - Log4Shell CVE-2021-44228 asset_type: Endpoint cve: - CVE-2021-44228 @@ -97,7 +97,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/detect_renamed_psexec.yml b/detections/endpoint/detect_renamed_psexec.yml index 27479f9d15..9e1fbafe91 100644 --- a/detections/endpoint/detect_renamed_psexec.yml +++ b/detections/endpoint/detect_renamed_psexec.yml 
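Review bot: `version: '12'` in the first hunk changes the field from an integer to a string, and it is inconsistent with the rest of this series, which leaves `version: 2` in the data_sources files and `version: 9` in PATCH 24 unquoted; if the build schema types version as an integer it will either reject the string or coerce it silently, and string versions sort lexically ('12' < '9'), so it should stay `version: 12`. The same quoting is applied in every file of this commit — detect_renamed_psexec, detect_renamed_winrar, executables_or_script_creation_in_suspicious_path and the hunks that follow — so whatever is decided here applies to all of them. In the `tests:` hunk, `- data:` also changes shape from a one-item list to a scalar URL; that may be what the test harness now expects, but it is worth confirming before the list form is dropped from all 34 files at once.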
@@ -1,7 +1,7 @@ name: Detect Renamed PSExec id: 683e6196-b8e8-11eb-9a79-acde48001122 -version: 11 -date: '2025-02-10' +version: '12' +date: '2025-02-24' author: Michael Haag, Splunk, Alex Oberkircher, Github Community status: production type: Hunting @@ -39,18 +39,18 @@ references: - https://redcanary.com/blog/threat-hunting-psexec-lateral-movement/ tags: analytic_story: + - China-Nexus Threat Activity - BlackByte Ransomware + - HAFNIUM Group - DHS Report TA18-074A - - DarkSide Ransomware - - SamSam Ransomware - CISA AA22-320A - - HAFNIUM Group - - Sandworm Tools + - DarkSide Ransomware - Active Directory Lateral Movement - - Nexus APT Threat Activity - DarkGate Malware - - Earth Estries + - Sandworm Tools - Rhysida Ransomware + - Earth Estries + - SamSam Ransomware asset_type: Endpoint mitre_attack_id: - T1569.002 @@ -62,7 +62,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1569.002/atomic_red_team/windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1569.002/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/detect_renamed_winrar.yml b/detections/endpoint/detect_renamed_winrar.yml index 5c146b775f..f676b4c7db 100644 --- a/detections/endpoint/detect_renamed_winrar.yml +++ b/detections/endpoint/detect_renamed_winrar.yml @@ -1,7 +1,7 @@ name: Detect Renamed WinRAR id: 1b7bfb2c-b8e6-11eb-99ac-acde48001122 -version: 9 -date: '2025-02-10' +version: '10' +date: '2025-02-24' author: Michael Haag, Splunk status: production type: Hunting 
@@ -38,10 +38,10 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md tags: analytic_story: + - China-Nexus Threat Activity + - CISA AA22-277A - Collection and Staging - Earth Estries - - Nexus APT Threat Activity - - CISA AA22-277A asset_type: Endpoint mitre_attack_id: - T1560.001 @@ -53,7 +53,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1560.001/archive_utility/windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1560.001/archive_utility/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml b/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml index ead8a42979..741c492268 100644 --- a/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml +++ b/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml @@ -1,7 +1,7 @@ name: Executables Or Script Creation In Suspicious Path id: a7e3f0f0-ae42-11eb-b245-acde48001122 -version: 10 -date: '2025-01-27' +version: '11' +date: '2025-02-24' author: Teoderick Contreras, Splunk status: production type: Anomaly 
@@ -61,46 +61,46 @@ rba: type: file_name tags: analytic_story: - - Chaos Ransomware + - BlackByte Ransomware + - Brute Ratel C4 - Trickbot - Snake Keylogger - - CISA AA23-347A - - Industroyer2 - - WinDealer RAT - - Qakbot + - Graceful Wipe Out Attack + - PlugX + - Handala Wiper + - Earth Estries - Warzone RAT - - IcedID - ValleyRAT - - Azorult - - Handala Wiper + - NjRAT - LockBit Ransomware - - Meduza Stealer - - Brute Ratel C4 + - Double Zero Destructor + - Swift Slicer + - DarkCrystal RAT - AsyncRAT - - AcidPour + - Volt Typhoon + - Chaos Ransomware + - Hermetic Wiper - Derusbi - - DarkGate Malware - - Graceful Wipe Out Attack - - NjRAT - - WhisperGate - - Data Destruction - - BlackByte Ransomware + - XMRig - AgentTesla - - Swift Slicer + - WinDealer RAT + - RedLine Stealer + - Remcos + - Rhysida Ransomware + - China-Nexus Threat Activity - Crypto Stealer - - Hermetic Wiper + - Qakbot + - IcedID + - Meduza Stealer + - AcidPour - MoonPeak - - Double Zero Destructor - - XMRig - - PlugX + - CISA AA23-347A + - DarkGate Malware + - Industroyer2 + - Azorult + - Data Destruction - Amadey - - DarkCrystal RAT - - Remcos - - Nexus APT Threat Activity - - Earth Estries - - Rhysida Ransomware - - RedLine Stealer - - Volt Typhoon + - WhisperGate asset_type: Endpoint mitre_attack_id: - T1036 diff --git a/detections/endpoint/linux_common_process_for_elevation_control.yml b/detections/endpoint/linux_common_process_for_elevation_control.yml index 221f4c30c6..b823b6e94c 100644 --- a/detections/endpoint/linux_common_process_for_elevation_control.yml +++ b/detections/endpoint/linux_common_process_for_elevation_control.yml @@ -1,7 +1,7 @@ name: Linux Common Process For Elevation Control id: 66ab15c0-63d0-11ec-9e70-acde48001122 -version: 6 -date: '2025-02-10' +version: '7' +date: '2025-02-24' author: Teoderick Contreras, Splunk status: production type: Hunting 
@@ -44,10 +44,10 @@ references: - https://github.com/microsoft/MSTIC-Sysmon/blob/main/linux/configs/attack-based/privilege_escalation/T1548.001_ElevationControl_CommonProcesses.xml tags: analytic_story: + - China-Nexus Threat Activity + - Linux Persistence Techniques - Linux Privilege Escalation - Linux Living Off The Land - - Linux Persistence Techniques - - Nexus APT Threat Activity - Earth Estries asset_type: Endpoint mitre_attack_id: @@ -60,7 +60,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.001/chmod_uid/sysmon_linux.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.001/chmod_uid/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_file_creation_in_init_boot_directory.yml b/detections/endpoint/linux_file_creation_in_init_boot_directory.yml index 05900fd9fa..143c90cbbc 100644 --- a/detections/endpoint/linux_file_creation_in_init_boot_directory.yml +++ b/detections/endpoint/linux_file_creation_in_init_boot_directory.yml @@ -1,7 +1,7 @@ name: Linux File Creation In Init Boot Directory id: 97d9cfb2-61ad-11ec-bb2d-acde48001122 -version: 7 -date: '2025-02-10' +version: '8' +date: '2025-02-24' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -49,11 +49,11 @@ rba: threat_objects: [] tags: analytic_story: - - Linux Privilege Escalation + - China-Nexus Threat Activity - Backdoor Pingpong - Linux Persistence Techniques - XorDDos - - Nexus APT Threat Activity + - Linux Privilege Escalation asset_type: Endpoint mitre_attack_id: - T1037.004 
@@ -65,7 +65,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.004/linux_init_profile/sysmon_linux.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.004/linux_init_profile/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_iptables_firewall_modification.yml b/detections/endpoint/linux_iptables_firewall_modification.yml index 395f7c7c45..9b1d5a8d69 100644 --- a/detections/endpoint/linux_iptables_firewall_modification.yml +++ b/detections/endpoint/linux_iptables_firewall_modification.yml @@ -1,7 +1,7 @@ name: Linux Iptables Firewall Modification id: 309d59dc-1e1b-49b2-9800-7cf18d12f7b7 -version: 8 -date: '2025-02-10' +version: '9' +date: '2025-02-24' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -66,10 +66,10 @@ rba: threat_objects: [] tags: analytic_story: - - Sandworm Tools + - China-Nexus Threat Activity - Backdoor Pingpong - - Nexus APT Threat Activity - Cyclops Blink + - Sandworm Tools asset_type: Endpoint mitre_attack_id: - T1562.004 @@ -81,7 +81,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/cyclopsblink/sysmon_linux.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/cyclopsblink/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_nopasswd_entry_in_sudoers_file.yml b/detections/endpoint/linux_nopasswd_entry_in_sudoers_file.yml index 42d8d99f84..90563b48db 100644 --- a/detections/endpoint/linux_nopasswd_entry_in_sudoers_file.yml +++ b/detections/endpoint/linux_nopasswd_entry_in_sudoers_file.yml 
@@ -1,7 +1,7 @@ name: Linux NOPASSWD Entry In Sudoers File id: ab1e0d52-624a-11ec-8e0b-acde48001122 -version: 6 -date: '2025-02-10' +version: '7' +date: '2025-02-24' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -58,10 +58,10 @@ rba: threat_objects: [] tags: analytic_story: + - China-Nexus Threat Activity + - Linux Persistence Techniques - Linux Privilege Escalation - Earth Estries - - Nexus APT Threat Activity - - Linux Persistence Techniques asset_type: Endpoint mitre_attack_id: - T1548.003 @@ -73,7 +73,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/nopasswd_sudoers/sysmon_linux.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/nopasswd_sudoers/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_possible_access_to_credential_files.yml b/detections/endpoint/linux_possible_access_to_credential_files.yml index 9bbbe61f67..14a2fe0df1 100644 --- a/detections/endpoint/linux_possible_access_to_credential_files.yml +++ b/detections/endpoint/linux_possible_access_to_credential_files.yml @@ -1,7 +1,7 @@ name: Linux Possible Access To Credential Files id: 16107e0e-71fc-11ec-b862-acde48001122 -version: 7 -date: '2025-02-10' +version: '8' +date: '2025-02-24' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -57,10 +57,10 @@ rba: threat_objects: [] tags: analytic_story: - - Linux Privilege Escalation + - China-Nexus Threat Activity - Linux Persistence Techniques - XorDDos - - Nexus APT Threat Activity + - Linux Privilege Escalation - Earth Estries asset_type: Endpoint mitre_attack_id: 
@@ -73,7 +73,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.008/copy_file_stdoutpipe/sysmon_linux.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.008/copy_file_stdoutpipe/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_possible_access_to_sudoers_file.yml b/detections/endpoint/linux_possible_access_to_sudoers_file.yml index 92ff1b6f97..b9936bb72e 100644 --- a/detections/endpoint/linux_possible_access_to_sudoers_file.yml +++ b/detections/endpoint/linux_possible_access_to_sudoers_file.yml @@ -1,7 +1,7 @@ name: Linux Possible Access To Sudoers File id: 4479539c-71fc-11ec-b2e2-acde48001122 -version: 6 -date: '2025-02-10' +version: '7' +date: '2025-02-24' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -57,10 +57,10 @@ rba: threat_objects: [] tags: analytic_story: + - China-Nexus Threat Activity + - Linux Persistence Techniques - Linux Privilege Escalation - Earth Estries - - Nexus APT Threat Activity - - Linux Persistence Techniques asset_type: Endpoint mitre_attack_id: - T1548.003 @@ -72,7 +72,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.008/copy_file_stdoutpipe/sysmon_linux.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.008/copy_file_stdoutpipe/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_preload_hijack_library_calls.yml b/detections/endpoint/linux_preload_hijack_library_calls.yml index 051c3c042d..1d2059864e 100644 --- a/detections/endpoint/linux_preload_hijack_library_calls.yml 
+++ b/detections/endpoint/linux_preload_hijack_library_calls.yml @@ -1,7 +1,7 @@ name: Linux Preload Hijack Library Calls id: cbe2ca30-631e-11ec-8670-acde48001122 -version: 6 -date: '2025-02-10' +version: '7' +date: '2025-02-24' author: Teoderick Contreras, Splunk status: production type: TTP @@ -57,10 +57,10 @@ rba: threat_objects: [] tags: analytic_story: + - China-Nexus Threat Activity + - Linux Persistence Techniques - Linux Privilege Escalation - Earth Estries - - Nexus APT Threat Activity - - Linux Persistence Techniques asset_type: Endpoint mitre_attack_id: - T1574.006 @@ -72,7 +72,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.006/lib_hijack/sysmon_linux.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.006/lib_hijack/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_sudoers_tmp_file_creation.yml b/detections/endpoint/linux_sudoers_tmp_file_creation.yml index cd67ed8058..ca24f2680e 100644 --- a/detections/endpoint/linux_sudoers_tmp_file_creation.yml +++ b/detections/endpoint/linux_sudoers_tmp_file_creation.yml @@ -1,7 +1,7 @@ name: Linux Sudoers Tmp File Creation id: be254a5c-63e7-11ec-89da-acde48001122 -version: 6 -date: '2025-02-10' +version: '7' +date: '2025-02-24' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -51,10 +51,10 @@ rba: threat_objects: [] tags: analytic_story: + - China-Nexus Threat Activity + - Linux Persistence Techniques - Linux Privilege Escalation - Earth Estries - - Nexus APT Threat Activity - - Linux Persistence Techniques asset_type: Endpoint mitre_attack_id: - T1548.003 
@@ -66,7 +66,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/sudoers_temp/sysmon_linux.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/sudoers_temp/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux diff --git a/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml b/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml index ecc670ddcd..5051787f4a 100644 --- a/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml +++ b/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml @@ -1,7 +1,7 @@ name: Malicious PowerShell Process - Execution Policy Bypass id: 9be56c82-b1cc-4318-87eb-d138afaaca39 -version: 10 -date: '2025-02-10' +version: '11' +date: '2025-02-24' author: Rico Valdez, Mauricio Velazco, Splunk status: production type: Anomaly @@ -60,11 +60,11 @@ rba: threat_objects: [] tags: analytic_story: + - China-Nexus Threat Activity + - HAFNIUM Group - DHS Report TA18-074A - - AsyncRAT - DarkCrystal RAT - - HAFNIUM Group - - Nexus APT Threat Activity + - AsyncRAT - Earth Estries - Volt Typhoon asset_type: Endpoint @@ -78,7 +78,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/encoded_powershell/windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/encoded_powershell/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog 
diff --git a/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml b/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml index 3a3b1fe2b8..1fa5ed604a 100644 --- a/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml +++ b/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml @@ -1,7 +1,7 @@ name: Non Chrome Process Accessing Chrome Default Dir id: 81263de4-160a-11ec-944f-acde48001122 -version: 7 -date: '2025-02-10' +version: '8' +date: '2025-02-24' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -49,19 +49,19 @@ rba: threat_objects: [] tags: analytic_story: + - Warzone RAT + - NjRAT + - China-Nexus Threat Activity + - FIN7 - Snake Keylogger - - CISA AA23-347A - 3CX Supply Chain Attack - - Warzone RAT - - Remcos + - CISA AA23-347A - AgentTesla - Phemedrone Stealer - - FIN7 - DarkGate Malware - - Nexus APT Threat Activity - - Earth Estries - - NjRAT - RedLine Stealer + - Remcos + - Earth Estries asset_type: Endpoint mitre_attack_id: - T1555.003 @@ -73,7 +73,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1555/non_chrome_process_accessing_chrome_default_dir/windows-xml.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1555/non_chrome_process_accessing_chrome_default_dir/windows-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/powershell_4104_hunting.yml b/detections/endpoint/powershell_4104_hunting.yml index e4c1ddafe7..d4a20fcd06 100644 --- a/detections/endpoint/powershell_4104_hunting.yml +++ b/detections/endpoint/powershell_4104_hunting.yml 
@@ -1,7 +1,7 @@ name: PowerShell 4104 Hunting id: d6f2b006-0041-11ec-8885-acde48001122 -version: 11 -date: '2025-02-10' +version: '12' +date: '2025-02-24' author: Michael Haag, Splunk status: production type: Hunting @@ -59,19 +59,19 @@ references: - https://adlumin.com/post/powerdrop-a-new-insidious-powershell-script-for-command-and-control-attacks-targets-u-s-aerospace-defense-industry/ tags: analytic_story: - - Data Destruction + - China-Nexus Threat Activity + - CISA AA24-241A + - Malicious PowerShell - Flax Typhoon - CISA AA23-347A - - Braodo Stealer - - Cleo File Transfer Software - - Malicious PowerShell - - Hermetic Wiper - DarkGate Malware - - Lumma Stealer - - Nexus APT Threat Activity - Earth Estries + - Cleo File Transfer Software + - Braodo Stealer + - Lumma Stealer - Rhysida Ransomware - - CISA AA24-241A + - Data Destruction + - Hermetic Wiper asset_type: Endpoint mitre_attack_id: - T1059.001 @@ -83,7 +83,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/registry_keys_used_for_persistence.yml b/detections/endpoint/registry_keys_used_for_persistence.yml index 3733e09819..968c76a2f3 100644 --- a/detections/endpoint/registry_keys_used_for_persistence.yml +++ b/detections/endpoint/registry_keys_used_for_persistence.yml @@ -1,7 +1,7 @@ name: Registry Keys Used For Persistence id: f5f6af30-7aa7-4295-bfe9-07fe87c01a4b -version: 16 -date: '2025-02-10' +version: '17' +date: '2025-02-24' author: Jose Hernandez, David Dorsey, Teoderick Contreras, Rod Soto, Splunk status: production type: TTP 
@@ -76,35 +76,35 @@ rba: threat_objects: [] tags: analytic_story: - - Chaos Ransomware - - Windows Persistence Techniques + - BlackByte Ransomware - DHS Report TA18-074A - Snake Keylogger - - CISA AA23-347A - - WinDealer RAT - - Qakbot + - Emotet Malware DHS Report TA18-201A + - Sneaky Active Directory Persistence Tricks - Warzone RAT - - IcedID - - Azorult + - NjRAT + - Suspicious MSHTA Activity - Suspicious Windows Registry Activities + - Braodo Stealer - AsyncRAT + - Windows Registry Abuse + - Chaos Ransomware - Derusbi + - Windows Persistence Techniques + - WinDealer RAT + - RedLine Stealer + - Remcos - Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns - - DarkGate Malware - - NjRAT - - BlackByte Ransomware + - China-Nexus Threat Activity + - Qakbot + - IcedID - Ransomware - - MoonPeak - BlackSuit Ransomware - - Emotet Malware DHS Report TA18-201A - - Sneaky Active Directory Persistence Tricks + - MoonPeak + - CISA AA23-347A + - DarkGate Malware + - Azorult - Amadey - - Remcos - - Braodo Stealer - - Windows Registry Abuse - - Nexus APT Threat Activity - - Suspicious MSHTA Activity - - RedLine Stealer asset_type: Endpoint mitre_attack_id: - T1547.001 @@ -116,7 +116,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.001/atomic_red_team/windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/remote_process_instantiation_via_wmi.yml b/detections/endpoint/remote_process_instantiation_via_wmi.yml index 45d08b0f06..677dae13f9 100644 --- a/detections/endpoint/remote_process_instantiation_via_wmi.yml +++ b/detections/endpoint/remote_process_instantiation_via_wmi.yml 
@@ -1,7 +1,7 @@ name: Remote Process Instantiation via WMI id: d25d2c3d-d9d8-40ec-8fdf-e86fe155a3da -version: 11 -date: '2025-01-27' +version: '12' +date: '2025-02-24' author: Rico Valdez, Mauricio Velazco, Splunk status: production type: TTP @@ -65,11 +65,11 @@ rba: threat_objects: [] tags: analytic_story: - - CISA AA23-347A + - China-Nexus Threat Activity - Ransomware - - Suspicious WMI Use - Active Directory Lateral Movement - - Nexus APT Threat Activity + - CISA AA23-347A + - Suspicious WMI Use - Earth Estries asset_type: Endpoint mitre_attack_id: diff --git a/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml b/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml index 5090e71991..f8dd98ccb9 100644 --- a/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml +++ b/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml @@ -1,7 +1,7 @@ name: Scheduled Task Deleted Or Created via CMD id: d5af132c-7c17-439c-9d31-13d55340f36c -version: 12 -date: '2025-02-10' +version: '13' +date: '2025-02-24' author: Bhavin Patel, Splunk status: production type: TTP 
@@ -66,32 +66,32 @@ rba: threat_objects: [] tags: analytic_story: - - Windows Persistence Techniques - DHS Report TA18-074A - Trickbot - - CISA AA23-347A - - Qakbot - - Azorult + - NOBELIUM Group + - Prestige Ransomware + - Earth Estries - ShrinkLocker - - AsyncRAT - - Phemedrone Stealer - NjRAT - - Prestige Ransomware - - Scheduled Tasks - - AgentTesla - - MoonPeak - - NOBELIUM Group - - Living Off The Land - - CISA AA22-257A - CISA AA24-241A - - Amadey - DarkCrystal RAT - Sandworm Tools - - Winter Vivern - - Nexus APT Threat Activity - - Earth Estries - - Rhysida Ransomware + - Living Off The Land + - AsyncRAT + - Scheduled Tasks + - AgentTesla + - Windows Persistence Techniques - RedLine Stealer + - Rhysida Ransomware + - Winter Vivern + - China-Nexus Threat Activity + - Qakbot + - CISA AA22-257A + - MoonPeak + - CISA AA23-347A + - Phemedrone Stealer + - Azorult + - Amadey asset_type: Endpoint mitre_attack_id: - T1053.005 @@ -103,7 +103,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/atomic_red_team/windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/suspicious_regsvr32_register_suspicious_path.yml b/detections/endpoint/suspicious_regsvr32_register_suspicious_path.yml index 598771f5eb..f4e90ec9b2 100644 --- a/detections/endpoint/suspicious_regsvr32_register_suspicious_path.yml +++ b/detections/endpoint/suspicious_regsvr32_register_suspicious_path.yml @@ -1,7 +1,7 @@ name: Suspicious Regsvr32 Register Suspicious Path id: 62732736-6250-11eb-ae93-0242ac130002 -version: 12 -date: '2025-02-10' +version: '13' +date: '2025-02-24' author: Michael Haag, Splunk status: production type: TTP 
@@ -73,13 +73,13 @@ rba: type: process_name tags: analytic_story: - - Qakbot - - Earth Estries - - Suspicious Regsvr32 Activity + - China-Nexus Threat Activity - IcedID + - Qakbot - Derusbi - - Nexus APT Threat Activity - Living Off The Land + - Earth Estries + - Suspicious Regsvr32 Activity asset_type: Endpoint mitre_attack_id: - T1218.010 @@ -91,7 +91,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.010/atomic_red_team/windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.010/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml b/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml index 8e78c248d6..2f4d734922 100644 --- a/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml +++ b/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml @@ -1,7 +1,7 @@ name: Suspicious Scheduled Task from Public Directory id: 7feb7972-7ac3-11eb-bac8-acde48001122 -version: 6 -date: '2025-02-10' +version: '7' +date: '2025-02-24' author: Michael Haag, Splunk status: production type: Anomaly @@ -65,19 +65,19 @@ rba: threat_objects: [] tags: analytic_story: - - Windows Persistence Techniques - - CISA AA23-347A + - China-Nexus Threat Activity + - Crypto Stealer - Ransomware + - MoonPeak - DarkCrystal RAT - - Scheduled Tasks - - Azorult - - Crypto Stealer - - Nexus APT Threat Activity + - CISA AA24-241A + - CISA AA23-347A + - Windows Persistence Techniques - Living Off The Land - - MoonPeak + - Azorult - Ryuk Ransomware + - Scheduled Tasks - Earth Estries - - CISA AA24-241A asset_type: Endpoint mitre_attack_id: - T1053.005 
@@ -89,7 +89,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/schtasks/windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/schtasks/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml b/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml index 66a85dd28f..dbc9a29e59 100644 --- a/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml +++ b/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml @@ -1,7 +1,7 @@ name: Windows Access Token Manipulation SeDebugPrivilege id: 6ece9ed0-5f92-4315-889d-48560472b188 -version: 11 -date: '2025-02-10' +version: '12' +date: '2025-02-24' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -56,16 +56,16 @@ rba: threat_objects: [] tags: analytic_story: - - Brute Ratel C4 - - PlugX - - AsyncRAT - - CISA AA23-347A - - WinDealer RAT - ValleyRAT + - China-Nexus Threat Activity + - Brute Ratel C4 - Derusbi - - Nexus APT Threat Activity - - DarkGate Malware - Meduza Stealer + - CISA AA23-347A + - DarkGate Malware + - WinDealer RAT + - PlugX + - AsyncRAT - Earth Estries asset_type: Endpoint mitre_attack_id: @@ -78,7 +78,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/sedebugprivilege_token/security-xml.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/sedebugprivilege_token/security-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog 
diff --git a/detections/endpoint/windows_archive_collected_data_via_rar.yml b/detections/endpoint/windows_archive_collected_data_via_rar.yml index 7a1bc686a4..cfda3ba9cf 100644 --- a/detections/endpoint/windows_archive_collected_data_via_rar.yml +++ b/detections/endpoint/windows_archive_collected_data_via_rar.yml @@ -1,7 +1,7 @@ name: Windows Archive Collected Data via Rar id: 2015de95-fe91-413d-9d62-2fe011b67e82 -version: 6 -date: '2025-02-10' +version: '7' +date: '2025-02-24' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -61,9 +61,9 @@ rba: threat_objects: [] tags: analytic_story: - - Earth Estries - - Nexus APT Threat Activity - DarkGate Malware + - China-Nexus Threat Activity + - Earth Estries asset_type: Endpoint mitre_attack_id: - T1560.001 @@ -75,7 +75,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1560.001/archive_utility_darkgate/rar_sys.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1560.001/archive_utility_darkgate/rar_sys.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml index c981720bb5..1ffe7b2329 100644 --- a/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml +++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml @@ -1,7 +1,7 @@ name: Windows Credentials from Password Stores Chrome LocalState Access id: 3b1d09a8-a26f-473e-a510-6c6613573657 -version: 7 -date: '2025-01-27' +version: '8' +date: '2025-02-24' author: Teoderick Contreras, Splunk status: production type: Anomaly 
@@ -51,19 +51,19 @@ rba: threat_objects: [] tags: analytic_story: - - Snake Keylogger - - Amadey - Warzone RAT - - PXA Stealer - - Braodo Stealer - - Phemedrone Stealer - - Nexus APT Threat Activity - - DarkGate Malware + - NjRAT + - China-Nexus Threat Activity - Meduza Stealer - MoonPeak - - Earth Estries - - NjRAT + - Snake Keylogger + - DarkGate Malware + - Phemedrone Stealer - RedLine Stealer + - Braodo Stealer + - PXA Stealer + - Earth Estries + - Amadey asset_type: Endpoint mitre_attack_id: - T1012 diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml index 5ed95dadf5..1ac718c88b 100644 --- a/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml +++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml @@ -1,7 +1,7 @@ name: Windows Credentials from Password Stores Chrome Login Data Access id: 0d32ba37-80fc-4429-809c-0ba15801aeaf -version: 7 -date: '2025-01-27' +version: '8' +date: '2025-02-24' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -52,19 +52,19 @@ rba: threat_objects: [] tags: analytic_story: - - Snake Keylogger - - Amadey - Warzone RAT - - PXA Stealer - - Braodo Stealer - - Phemedrone Stealer - - Nexus APT Threat Activity - - DarkGate Malware + - NjRAT + - China-Nexus Threat Activity - Meduza Stealer - MoonPeak - - Earth Estries - - NjRAT + - Snake Keylogger + - DarkGate Malware + - Phemedrone Stealer - RedLine Stealer + - Braodo Stealer + - PXA Stealer + - Earth Estries + - Amadey asset_type: Endpoint mitre_attack_id: - T1012 diff --git a/detections/endpoint/windows_curl_download_to_suspicious_path.yml b/detections/endpoint/windows_curl_download_to_suspicious_path.yml index fc5ad0009f..aa27afdfc7 100644 --- a/detections/endpoint/windows_curl_download_to_suspicious_path.yml 
+++ b/detections/endpoint/windows_curl_download_to_suspicious_path.yml @@ -1,7 +1,7 @@ name: Windows Curl Download to Suspicious Path id: c32f091e-30db-11ec-8738-acde48001122 -version: 8 -date: '2025-01-27' +version: '9' +date: '2025-02-24' author: Michael Haag, Splunk status: production type: TTP @@ -71,11 +71,11 @@ rba: tags: analytic_story: - Ingress Tool Transfer - - Forest Blizzard + - China-Nexus Threat Activity - IcedID - - Nexus APT Threat Activity - - Compromised Windows Host + - Forest Blizzard - Earth Estries + - Compromised Windows Host asset_type: Endpoint mitre_attack_id: - T1105 diff --git a/detections/endpoint/windows_replication_through_removable_media.yml b/detections/endpoint/windows_replication_through_removable_media.yml index 7817d86c25..3d1e836554 100644 --- a/detections/endpoint/windows_replication_through_removable_media.yml +++ b/detections/endpoint/windows_replication_through_removable_media.yml @@ -1,7 +1,7 @@ name: Windows Replication Through Removable Media id: 60df805d-4605-41c8-bbba-57baa6a4eb97 -version: 7 -date: '2025-01-27' +version: '8' +date: '2025-02-24' author: Teoderick Contreras, Splunk status: production type: TTP @@ -60,12 +60,12 @@ rba: type: file_name tags: analytic_story: - - PlugX + - NjRAT + - China-Nexus Threat Activity - Chaos Ransomware - Derusbi - - Nexus APT Threat Activity + - PlugX - Earth Estries - - NjRAT asset_type: Endpoint mitre_attack_id: - T1091 diff --git a/detections/endpoint/windows_service_created_with_suspicious_service_path.yml b/detections/endpoint/windows_service_created_with_suspicious_service_path.yml index d87ac0bdb8..af4539abce 100644 --- a/detections/endpoint/windows_service_created_with_suspicious_service_path.yml +++ b/detections/endpoint/windows_service_created_with_suspicious_service_path.yml 
@@ -1,7 +1,7 @@ name: Windows Service Created with Suspicious Service Path id: 429141be-8311-11eb-adb6-acde48001122 -version: 12 -date: '2025-02-10' +version: '13' +date: '2025-02-24' author: Teoderick Contreras, Mauricio Velazco, Splunk status: production type: TTP @@ -54,17 +54,17 @@ rba: type: service tags: analytic_story: - - Brute Ratel C4 - - Flax Typhoon - - PlugX - - CISA AA23-347A - - Qakbot + - China-Nexus Threat Activity - Crypto Stealer - - Active Directory Lateral Movement - - Derusbi - - Nexus APT Threat Activity + - Qakbot - Snake Malware + - Brute Ratel C4 + - Derusbi + - Active Directory Lateral Movement - Clop Ransomware + - Flax Typhoon + - CISA AA23-347A + - PlugX - Earth Estries asset_type: Endpoint mitre_attack_id: @@ -77,7 +77,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1569.002/windows_service_created_with_suspicious_service_path/windows-xml.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1569.002/windows_service_created_with_suspicious_service_path/windows-xml.log source: XmlWinEventLog:System sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_service_creation_using_registry_entry.yml b/detections/endpoint/windows_service_creation_using_registry_entry.yml index fc477eaf62..a1825a9c1a 100644 --- a/detections/endpoint/windows_service_creation_using_registry_entry.yml +++ b/detections/endpoint/windows_service_creation_using_registry_entry.yml @@ -1,7 +1,7 @@ name: Windows Service Creation Using Registry Entry id: 25212358-948e-11ec-ad47-acde48001122 -version: 12 -date: '2025-01-27' +version: '13' +date: '2025-02-24' author: Teoderick Contreras, Splunk, Steven Dick status: production type: Anomaly 
@@ -52,16 +52,16 @@ rba: threat_objects: [] tags: analytic_story: + - China-Nexus Threat Activity + - Crypto Stealer - Brute Ratel C4 - - PlugX - - Windows Persistence Techniques + - Derusbi + - Active Directory Lateral Movement - CISA AA23-347A - - Windows Registry Abuse + - Windows Persistence Techniques - Suspicious Windows Registry Activities - - Active Directory Lateral Movement - - Crypto Stealer - - Derusbi - - Nexus APT Threat Activity + - PlugX + - Windows Registry Abuse - Earth Estries asset_type: Endpoint mitre_attack_id: diff --git a/detections/endpoint/windows_unsigned_dll_side_loading.yml b/detections/endpoint/windows_unsigned_dll_side_loading.yml index f6c7a56920..579b67e6d4 100644 --- a/detections/endpoint/windows_unsigned_dll_side_loading.yml +++ b/detections/endpoint/windows_unsigned_dll_side_loading.yml @@ -1,7 +1,7 @@ name: Windows Unsigned DLL Side-Loading id: 5a83ce44-8e0f-4786-a775-8249a525c879 -version: 7 -date: '2025-01-27' +version: '8' +date: '2025-02-24' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -52,10 +52,10 @@ rba: tags: analytic_story: - Warzone RAT + - NjRAT + - China-Nexus Threat Activity - Derusbi - - Nexus APT Threat Activity - Earth Estries - - NjRAT asset_type: Endpoint mitre_attack_id: - T1574.002 diff --git a/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml b/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml index b064f55c1f..8c93465a46 100644 --- a/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml +++ b/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml @@ -1,7 +1,7 @@ name: Windows Unsigned DLL Side-Loading In Same Process Path id: 3cf85c02-f9d6-4186-bf3c-e70ee99fbc7f -version: 7 -date: '2025-02-10' +version: '8' +date: '2025-02-24' author: Teoderick Contreras, Splunk data_source: - Sysmon EventID 7 
@@ -54,10 +54,10 @@ rba: threat_objects: [] tags: analytic_story: - - PlugX + - China-Nexus Threat Activity - Derusbi - - Nexus APT Threat Activity - DarkGate Malware + - PlugX - Earth Estries asset_type: Endpoint mitre_attack_id: @@ -70,7 +70,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.002/unsigned_dll_loaded_same_process_path/unsigned_dll_process_path.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.002/unsigned_dll_loaded_same_process_path/unsigned_dll_process_path.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_unsigned_ms_dll_side_loading.yml b/detections/endpoint/windows_unsigned_ms_dll_side_loading.yml index add7f13b4d..621a904a38 100644 --- a/detections/endpoint/windows_unsigned_ms_dll_side_loading.yml +++ b/detections/endpoint/windows_unsigned_ms_dll_side_loading.yml @@ -1,7 +1,7 @@ name: Windows Unsigned MS DLL Side-Loading id: 8d9e0e06-ba71-4dc5-be16-c1a46d58728c -version: 7 -date: '2025-01-27' +version: '8' +date: '2025-02-24' author: Teoderick Contreras, Splunk data_source: - Sysmon EventID 7 @@ -64,9 +64,9 @@ rba: type: file_name tags: analytic_story: + - China-Nexus Threat Activity - Derusbi - APT29 Diplomatic Deceptions with WINELOADER - - Nexus APT Threat Activity - Earth Estries group: - APT29 diff --git a/detections/endpoint/winevent_scheduled_task_created_to_spawn_shell.yml b/detections/endpoint/winevent_scheduled_task_created_to_spawn_shell.yml index 36d6515acc..eb98f737e4 100644 --- a/detections/endpoint/winevent_scheduled_task_created_to_spawn_shell.yml +++ b/detections/endpoint/winevent_scheduled_task_created_to_spawn_shell.yml 
@@ -1,7 +1,7 @@ name: WinEvent Scheduled Task Created to Spawn Shell id: 203ef0ea-9bd8-11eb-8201-acde48001122 -version: 9 -date: '2025-02-10' +version: '10' +date: '2025-02-24' author: Michael Haag, Splunk status: production type: TTP @@ -54,16 +54,16 @@ rba: threat_objects: [] tags: analytic_story: - - Windows Persistence Techniques - - Ransomware + - China-Nexus Threat Activity + - CISA AA22-257A - Windows Error Reporting Service Elevation of Privilege Vulnerability - - Scheduled Tasks - - Winter Vivern - - Nexus APT Threat Activity - Compromised Windows Host + - Ransomware + - Windows Persistence Techniques - Ryuk Ransomware + - Scheduled Tasks - Earth Estries - - CISA AA22-257A + - Winter Vivern asset_type: Endpoint mitre_attack_id: - T1053.005 @@ -75,7 +75,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/winevent_scheduled_task_created_to_spawn_shell/windows-xml.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/winevent_scheduled_task_created_to_spawn_shell/windows-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml b/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml index b7a530c00d..f464f02690 100644 --- a/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml +++ b/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml @@ -1,7 +1,7 @@ name: WinEvent Scheduled Task Created Within Public Path id: 5d9c6eee-988c-11eb-8253-acde48001122 -version: 9 -date: '2025-02-10' +version: '10' +date: '2025-02-24' author: Michael Haag, Splunk status: production type: TTP 
@@ -54,22 +54,22 @@ rba: threat_objects: [] tags: analytic_story: - - Data Destruction - - Windows Persistence Techniques - - AsyncRAT - - Industroyer2 - - CISA AA23-347A + - China-Nexus Threat Activity + - IcedID + - CISA AA22-257A + - Compromised Windows Host - Ransomware + - Active Directory Lateral Movement + - CISA AA23-347A + - Windows Persistence Techniques + - Earth Estries - Prestige Ransomware + - Industroyer2 + - Ryuk Ransomware + - AsyncRAT - Scheduled Tasks - - IcedID + - Data Destruction - Winter Vivern - - Active Directory Lateral Movement - - Nexus APT Threat Activity - - Compromised Windows Host - - Ryuk Ransomware - - Earth Estries - - CISA AA22-257A asset_type: Endpoint mitre_attack_id: - T1053.005 @@ -81,7 +81,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/winevent_scheduled_task_created_to_spawn_shell/windows-xml.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/winevent_scheduled_task_created_to_spawn_shell/windows-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/network/detect_large_outbound_icmp_packets.yml b/detections/network/detect_large_outbound_icmp_packets.yml index 9fa1a7f4b5..082b43da4b 100644 --- a/detections/network/detect_large_outbound_icmp_packets.yml +++ b/detections/network/detect_large_outbound_icmp_packets.yml @@ -1,7 +1,7 @@ name: Detect Large Outbound ICMP Packets id: e9c102de-4d43-42a7-b1c8-8062ea297419 -version: 9 -date: '2025-01-27' +version: '10' +date: '2025-02-24' author: Rico Valdez, Dean Luxton, Splunk status: production type: TTP @@ -66,9 +66,9 @@ rba: threat_objects: [] tags: analytic_story: - - Backdoor Pingpong - - Nexus APT Threat Activity - Command And Control + - China-Nexus Threat Activity + - Backdoor Pingpong asset_type: Endpoint mitre_attack_id: - T1095 
From b83eb7794122d7c0b06ac504314464167cec7df8 Mon Sep 17 00:00:00 2001
From: Teoderick Contreras
Date: Wed, 26 Feb 2025 09:36:14 +0100
Subject: [PATCH 27/30] auditd_detection_updates
---
 .../deprecated/nexus_apt_threat_activity.yml | 21 +++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 stories/deprecated/nexus_apt_threat_activity.yml
diff --git a/stories/deprecated/nexus_apt_threat_activity.yml b/stories/deprecated/nexus_apt_threat_activity.yml
new file mode 100644
index 0000000000..bd6aed1350
--- /dev/null
+++ b/stories/deprecated/nexus_apt_threat_activity.yml
@@ -0,0 +1,21 @@
+name: Nexus APT Threat Activity
+id: 43f8062d-4da0-4f48-8cad-6a20e108961b
+version: 1
+date: '2025-01-27'
+author: Teoderick Contreras, Splunk
+status: production
+description: Leverage searches that allow you to detect and investigate unusual activities that might relate to Nexus, an advanced persistent threat (APT) group known for its stealth and strategic targeting of high-value sectors. Monitor for indicators such as spear-phishing campaigns, exploitation of zero-day vulnerabilities, and unauthorized lateral movement within your network. Investigate anomalous data exfiltration, encrypted communications, and behaviors aligning with their known tactics, techniques, and procedures (TTPs). Combining threat intelligence with real-time monitoring helps identify and respond to Nexus APT activity, minimizing potential damage and data loss.
+narrative: Chinese state-nexus threat actors are known to target the telecommunications and technology sectors in multiple countries, including the US, to maintain sustained access as well as conduct espionage. Compromised entities in either sector represent potential supply chain vectors of concern to Splunk, although telecommunications entities are a more pervasive and acute concern in this regard. These actors are also known to broadly target unpatched routers, switches and other edge devices across various sectors. Given these threats, Splunk Threat Intelligence (TI) undertook a detailed investigation into China-nexus tactics and techniques that could be used in attempts to compromise Splunk. This report is the result of that investigation, detailing noteworthy behaviors and tools employed by China-nexus targeted intrusion actors.
+references:
+- https://news.sophos.com/en-us/2024/10/31/pacific-rim-neutralizing-china-based-threat/
+- https://www.wsj.com/tech/cybersecurity/typhoon-china-hackers-military-weapons-97d4ef95?st=oe1KKi&reflink=desktopwebshare _permalink
+- https://www.judiciary.senate.gov/imo/media/doc/2024-11-19_pm_-_testimony_-_meyers.pdf
+- https://go.crowdstrike.com/rs/281-OBQ-266/images/GlobalThreatReport2024.pdf
+tags:
+ category:
+ - Malware
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ usecase: Advanced Threat Detection
\ No newline at end of file
From fb67c4f6cef8460f54ba16d322f2d4c1cd614416 Mon Sep 17 00:00:00 2001
From: Teoderick Contreras
Date: Wed, 26 Feb 2025 09:40:27 +0100
Subject: [PATCH 28/30] auditd_detection_updates
---
 stories/china_nexus_threat_activity.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/stories/china_nexus_threat_activity.yml b/stories/china_nexus_threat_activity.yml
index 740f595dde..96c404d6bb 100644
--- a/stories/china_nexus_threat_activity.yml
+++ b/stories/china_nexus_threat_activity.yml
@@ -1,5 +1,5 @@
 name: China-Nexus Threat Activity
-id: 43f8062d-4da0-4f48-8cad-6a20e108961b
+id: ac8b8e7c-ed27-428b-871f-ceb9400c733a
 version: 2
 date: '2025-02-24'
 author: Teoderick Contreras, Splunk
From aabdf4f8f6219f42c15102208f540839d7fc1eb9 Mon Sep 17 00:00:00 2001
From: research-bot
Date: Wed, 26 Feb 2025 16:21:07 -0800
Subject: [PATCH 29/30] status deprecated
---
 stories/deprecated/nexus_apt_threat_activity.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/stories/deprecated/nexus_apt_threat_activity.yml b/stories/deprecated/nexus_apt_threat_activity.yml
index bd6aed1350..0821b60fb8 100644
--- a/stories/deprecated/nexus_apt_threat_activity.yml
+++ b/stories/deprecated/nexus_apt_threat_activity.yml
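Review bot: The second `references` entry in the new `stories/deprecated/nexus_apt_threat_activity.yml` contains a space before `_permalink`, so the plain scalar stores `…reflink=desktopwebshare _permalink` and the link as written is unlikely to resolve; the `st=` and `reflink=` parts are share-tracking parameters and can be dropped together with the space, leaving `- https://www.wsj.com/tech/cybersecurity/typhoon-china-hackers-military-weapons-97d4ef95`. The `description` presents "Nexus" as a named APT group while the `narrative` describes China-nexus state actors in general, which is worth reconciling even for a story that is being retired. The file is also added without a trailing newline (`\ No newline at end of file`), which the repository's other YAML files do not appear to do.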
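Review bot: In the `@@ -1,5 +1,5 @@` hunk of `stories/china_nexus_threat_activity.yml`, the story's `id` is replaced while `version: 2` and `date: '2025-02-24'` stay as context, whereas every detection touched earlier in this series bumps both on any edit. The old value is the same UUID that the newly added `stories/deprecated/nexus_apt_threat_activity.yml` carries, so this reads as a fix for a duplicate id; it should still be recorded with `version: 3` and the current date so consumers can see the object changed. Whether anything downstream references the story by the old id cannot be seen from here, and the commit subject `auditd_detection_updates` does not mention the id change at all, so a one-line description of why the id moved would help whoever audits this later.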
@@ -1,10 +1,10 @@
 name: Nexus APT Threat Activity
 id: 43f8062d-4da0-4f48-8cad-6a20e108961b
-version: 1
-date: '2025-01-27'
+version: 2
+date: '2025-02-27'
 author: Teoderick Contreras, Splunk
-status: production
-description: Leverage searches that allow you to detect and investigate unusual activities that might relate to Nexus, an advanced persistent threat (APT) group known for its stealth and strategic targeting of high-value sectors. Monitor for indicators such as spear-phishing campaigns, exploitation of zero-day vulnerabilities, and unauthorized lateral movement within your network. Investigate anomalous data exfiltration, encrypted communications, and behaviors aligning with their known tactics, techniques, and procedures (TTPs). Combining threat intelligence with real-time monitoring helps identify and respond to Nexus APT activity, minimizing potential damage and data loss.
+status: deprecated
+description: This story is deprecated in favour of analytic story China-Nexus Threat Activity. Leverage searches that allow you to detect and investigate unusual activities that might relate to Nexus, an advanced persistent threat (APT) group known for its stealth and strategic targeting of high-value sectors. Monitor for indicators such as spear-phishing campaigns, exploitation of zero-day vulnerabilities, and unauthorized lateral movement within your network. Investigate anomalous data exfiltration, encrypted communications, and behaviors aligning with their known tactics, techniques, and procedures (TTPs). Combining threat intelligence with real-time monitoring helps identify and respond to Nexus APT activity, minimizing potential damage and data loss.
 narrative: Chinese state-nexus threat actors are known to target the telecommunications and technology sectors in multiple countries, including the US, to maintain sustained access as well as conduct espionage. Compromised entities in either sector represent potential supply chain vectors of concern to Splunk, although telecommunications entities are a more pervasive and acute concern in this regard. These actors are also known to broadly target unpatched routers, switches and other edge devices across various sectors. Given these threats, Splunk Threat Intelligence (TI) undertook a detailed investigation into China-nexus tactics and techniques that could be used in attempts to compromise Splunk. This report is the result of that investigation, detailing noteworthy behaviors and tools employed by China-nexus targeted intrusion actors.
 references:
 - https://news.sophos.com/en-us/2024/10/31/pacific-rim-neutralizing-china-based-threat/
From 99871b502448bcca4a819ce113252eb27997a621 Mon Sep 17 00:00:00 2001
From: Teoderick Contreras
Date: Thu, 27 Feb 2025 10:36:29 +0100
Subject: [PATCH 30/30] auditd_detection_updates
---
 stories/china_nexus_threat_activity.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/stories/china_nexus_threat_activity.yml b/stories/china_nexus_threat_activity.yml
index 96c404d6bb..8be93388e0 100644
--- a/stories/china_nexus_threat_activity.yml
+++ b/stories/china_nexus_threat_activity.yml
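Review bot: The deprecation notice added to `description` points to the replacement story only by display name, "China-Nexus Threat Activity"; since these objects are keyed by `id` (this file's own `id` is a context line in the hunk, and the replacement's `id` was reassigned to `ac8b8e7c-ed27-428b-871f-ceb9400c733a` in the preceding patch, replacing the value it had shared with this file), the pointer would survive a rename if it named that id too. I would extend the first sentence to `+description: This story is deprecated in favour of analytic story China-Nexus Threat Activity (id ac8b8e7c-ed27-428b-871f-ceb9400c733a). Leverage searches ...` with the rest unchanged. The remainder of the description still calls "Nexus" an APT group, which is presumably the reason for the deprecation; since the file is deprecated that text need not be repaired, but a trailing sentence saying so would spare the next reader the same question.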
@@ -5,7 +5,7 @@ date: '2025-02-24'
 author: Teoderick Contreras, Splunk
 status: production
 description: Leverage searches that allow you to detect and investigate unusual activities that might relate to Nexus, Chinese state-nexus adversaries known for its stealth and strategic targeting of high-value sectors. Monitor for indicators such as spear-phishing campaigns, exploitation of zero-day vulnerabilities, and unauthorized lateral movement within your network. Investigate anomalous data exfiltration, encrypted communications, and behaviors aligning with their known tactics, techniques, and procedures (TTPs). Combining threat intelligence with real-time monitoring helps identify and respond to Nexus APT activity, minimizing potential damage and data loss.
-narrative: Chinese state-nexus threat group are known to target the telecommunications and technology sectors in multiple countries, including the US, to maintain sustained access as well as conduct espionage. Compromised entities in either sector represent potential supply chain vectors of concern to Splunk, although telecommunications entities are a more pervasive and acute concern in this regard. These actors are also known to broadly target unpatched routers, switches and other edge devices across various sectors. Given these threats, Splunk Threat Intelligence (TI) undertook a detailed investigation into China-nexus tactics and techniques that could be used in attempts to compromise Splunk. This report is the result of that investigation, detailing noteworthy behaviors and tools employed by China-nexus targeted intrusion actors.
+narrative: As described by Crowdstrike, Chinese state-nexus threat group or adversary are known to target the telecommunications and technology sectors in multiple countries, including the US, to maintain sustained access as well as conduct espionage. Compromised entities in either sector represent potential supply chain vectors of concern to Splunk, although telecommunications entities are a more pervasive and acute concern in this regard. These actors are also known to broadly target unpatched routers, switches and other edge devices across various sectors. Given these threats, Splunk Threat Intelligence (TI) undertook a detailed investigation into China-nexus tactics and techniques that could be used in attempts to compromise Splunk. This report is the result of that investigation, detailing noteworthy behaviors and tools employed by China-nexus targeted intrusion actors.
 references:
 - https://news.sophos.com/en-us/2024/10/31/pacific-rim-neutralizing-china-based-threat/
 - https://www.wsj.com/tech/cybersecurity/typhoon-china-hackers-military-weapons-97d4ef95?st=oe1KKi&reflink=desktopwebshare _permalink
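Review bot: The new `narrative` line opens with "As described by Crowdstrike" but keeps the rest of the passage in its source's first-person voice — "of concern to Splunk", "Splunk Threat Intelligence (TI) undertook a detailed investigation", "This report is the result of that investigation" — so a reader cannot tell whether the assessment is CrowdStrike's or Splunk TI's, and "this report" refers to a document rather than to this story. The added clause also breaks subject–verb agreement: "threat group or adversary are known" should read `Chinese state-nexus adversaries are known`. I would keep the attribution sentence and rewrite the remaining sentences in the story's own voice, ending with a sentence that says what this story collects (for example that it groups detections for the edge-device, credential and lateral-movement behaviors the cited reporting attributes to these actors) instead of "This report is the result of that investigation". The unchanged `description` context line above has the same kind of slip ("adversaries known for its stealth") and still uses "Nexus" as a group name; it is outside this hunk's change but worth fixing in the same pass.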