auditd_detection_updates

data_sources/linux_auditd_add_user.yml

@@ -1,11 +1,11 @@
 name: Linux Auditd Add User
 id: 30f79353-e1d2-4585-8735-1e0359559f3f
-version: 1
-date: '2024-08-08'
+version: 2
+date: '2025-02-20'
 author: Teoderick Contreras, Splunk
 description: Data source object for Linux Auditd Add User Type
-source: /var/log/audit/audit.log
-sourcetype: linux:audit
+source: auditd
+sourcetype: auditd
 configuration: https://github.com/Neo23x0/auditd/blob/master/audit.rules
 supported_TA:
 - name: Splunk Add-on for Unix and Linux

data_sources/linux_auditd_execve.yml

@@ -1,11 +1,11 @@
 name: Linux Auditd Execve
 id: 9ef6364d-cc67-480e-8448-3306829a6a24
-version: 1
-date: '2024-08-08'
+version: 2
+date: '2025-02-20'
 author: Teoderick Contreras, Splunk
 description: Data source object for Linux Auditd Execve Type
-source: /var/log/audit/audit.log
-sourcetype: linux:audit
+source: auditd
+sourcetype: auditd
 configuration: https://github.com/Neo23x0/auditd/blob/master/audit.rules
 supported_TA:
 - name: Splunk Add-on for Unix and Linux

data_sources/linux_auditd_path.yml

@@ -1,11 +1,11 @@
 name: Linux Auditd Path
 id: 3d86125c-0496-4a5a-aae3-0d355a4f3d7d
-version: 1
-date: '2024-08-08'
+version: 2
+date: '2025-02-20'
 author: Teoderick Contreras, Splunk
 description: Data source object for Linux Auditd Path Type
-source: /var/log/audit/audit.log
-sourcetype: linux:audit
+source: auditd
+sourcetype: auditd
 configuration: https://github.com/Neo23x0/auditd/blob/master/audit.rules
 supported_TA:
 - name: Splunk Add-on for Unix and Linux

data_sources/linux_auditd_proctitle.yml

@@ -1,11 +1,11 @@
 name: Linux Auditd Proctitle
 id: 5a25984a-2789-400a-858b-d75c923e06b1
-version: 1
-date: '2024-08-08'
+version: 2
+date: '2025-02-20'
 author: Teoderick Contreras, Splunk
 description: Data source object for Linux Auditd Proctitle Type
-source: /var/log/audit/audit.log
-sourcetype: linux:audit
+source: auditd
+sourcetype: auditd
 configuration: https://github.com/Neo23x0/auditd/blob/master/audit.rules
 supported_TA:
 - name: Splunk Add-on for Unix and Linux

data_sources/linux_auditd_service_stop.yml

@@ -1,11 +1,11 @@
 name: Linux Auditd Service Stop
 id: 0643483c-bc62-455c-8d6e-1630e5f0e00d
-version: 1
-date: '2024-08-08'
+version: 2
+date: '2025-02-20'
 author: Teoderick Contreras, Splunk
 description: Data source object for Linux Auditd Service Stop Type
-source: /var/log/audit/audit.log
-sourcetype: linux:audit
+source: auditd
+sourcetype: auditd
 configuration: https://github.com/Neo23x0/auditd/blob/master/audit.rules
 supported_TA:
 - name: Splunk Add-on for Unix and Linux

data_sources/linux_auditd_syscall.yml

@@ -1,11 +1,11 @@
 name: Linux Auditd Syscall
 id: 4dff7047-0d43-4096-bb3f-b756c889bbad
-version: 1
-date: '2024-08-08'
+version: 2
+date: '2025-02-20'
 author: Teoderick Contreras, Splunk
 description: Data source object for Linux Auditd Syscall Type
-source: /var/log/audit/audit.log
-sourcetype: linux:audit
+source: auditd
+sourcetype: auditd
 configuration: https://github.com/Neo23x0/auditd/blob/master/audit.rules
 supported_TA:
 - name: Splunk Add-on for Unix and Linux

detections/endpoint/any_powershell_downloadfile.yml

@@ -1,7 +1,7 @@
 name: Any Powershell DownloadFile
 id: 1a93b7ea-7af7-11eb-adb5-acde48001122
-version: 11
-date: '2025-02-10'
+version: '12'
+date: '2025-02-24'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -71,18 +71,18 @@ rba:
     type: process_name
 tags:
   analytic_story:
-  - Data Destruction
   - Ingress Tool Transfer
+  - China-Nexus Threat Activity
+  - Crypto Stealer
+  - Hermetic Wiper
   - DarkCrystal RAT
-  - PXA Stealer
-  - Braodo Stealer
-  - Phemedrone Stealer
-  - Log4Shell CVE-2021-44228
   - Malicious PowerShell
-  - Hermetic Wiper
-  - Crypto Stealer
-  - Nexus APT Threat Activity
   - Earth Estries
+  - Phemedrone Stealer
+  - Braodo Stealer
+  - PXA Stealer
+  - Data Destruction
+  - Log4Shell CVE-2021-44228
   asset_type: Endpoint
   cve:
   - CVE-2021-44228
@@ -97,7 +97,6 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: 
-      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/windows-sysmon.log
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/windows-sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
     sourcetype: XmlWinEventLog

detections/endpoint/detect_renamed_psexec.yml

@@ -1,7 +1,7 @@
 name: Detect Renamed PSExec
 id: 683e6196-b8e8-11eb-9a79-acde48001122
-version: 11
-date: '2025-02-10'
+version: '12'
+date: '2025-02-24'
 author: Michael Haag, Splunk, Alex Oberkircher, Github Community
 status: production
 type: Hunting
@@ -39,18 +39,18 @@ references:
 - https://redcanary.com/blog/threat-hunting-psexec-lateral-movement/
 tags:
   analytic_story:
+  - China-Nexus Threat Activity
   - BlackByte Ransomware
+  - HAFNIUM Group
   - DHS Report TA18-074A
-  - DarkSide Ransomware
-  - SamSam Ransomware
   - CISA AA22-320A
-  - HAFNIUM Group
-  - Sandworm Tools
+  - DarkSide Ransomware
   - Active Directory Lateral Movement
-  - Nexus APT Threat Activity
   - DarkGate Malware
-  - Earth Estries
+  - Sandworm Tools
   - Rhysida Ransomware
+  - Earth Estries
+  - SamSam Ransomware
   asset_type: Endpoint
   mitre_attack_id:
   - T1569.002
@@ -62,7 +62,6 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: 
-      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1569.002/atomic_red_team/windows-sysmon.log
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1569.002/atomic_red_team/windows-sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
     sourcetype: XmlWinEventLog

detections/endpoint/detect_renamed_winrar.yml

@@ -1,7 +1,7 @@
 name: Detect Renamed WinRAR
 id: 1b7bfb2c-b8e6-11eb-99ac-acde48001122
-version: 9
-date: '2025-02-10'
+version: '10'
+date: '2025-02-24'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
@@ -38,10 +38,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md
 tags:
   analytic_story:
+  - China-Nexus Threat Activity
+  - CISA AA22-277A
   - Collection and Staging
   - Earth Estries
-  - Nexus APT Threat Activity
-  - CISA AA22-277A
   asset_type: Endpoint
   mitre_attack_id:
   - T1560.001
@@ -53,7 +53,6 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: 
-      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1560.001/archive_utility/windows-sysmon.log
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1560.001/archive_utility/windows-sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
     sourcetype: XmlWinEventLog

detections/endpoint/executables_or_script_creation_in_suspicious_path.yml

@@ -1,7 +1,7 @@
 name: Executables Or Script Creation In Suspicious Path
 id: a7e3f0f0-ae42-11eb-b245-acde48001122
-version: 10
-date: '2025-01-27'
+version: '11'
+date: '2025-02-24'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -61,46 +61,46 @@ rba:
     type: file_name
 tags:
   analytic_story:
-  - Chaos Ransomware
+  - BlackByte Ransomware
+  - Brute Ratel C4
   - Trickbot
   - Snake Keylogger
-  - CISA AA23-347A
-  - Industroyer2
-  - WinDealer RAT
-  - Qakbot
+  - Graceful Wipe Out Attack
+  - PlugX
+  - Handala Wiper
+  - Earth Estries
   - Warzone RAT
-  - IcedID
   - ValleyRAT
-  - Azorult
-  - Handala Wiper
+  - NjRAT
   - LockBit Ransomware
-  - Meduza Stealer
-  - Brute Ratel C4
+  - Double Zero Destructor
+  - Swift Slicer
+  - DarkCrystal RAT
   - AsyncRAT
-  - AcidPour
+  - Volt Typhoon
+  - Chaos Ransomware
+  - Hermetic Wiper
   - Derusbi
-  - DarkGate Malware
-  - Graceful Wipe Out Attack
-  - NjRAT
-  - WhisperGate
-  - Data Destruction
-  - BlackByte Ransomware
+  - XMRig
   - AgentTesla
-  - Swift Slicer
+  - WinDealer RAT
+  - RedLine Stealer
+  - Remcos
+  - Rhysida Ransomware
+  - China-Nexus Threat Activity
   - Crypto Stealer
-  - Hermetic Wiper
+  - Qakbot
+  - IcedID
+  - Meduza Stealer
+  - AcidPour
   - MoonPeak
-  - Double Zero Destructor
-  - XMRig
-  - PlugX
+  - CISA AA23-347A
+  - DarkGate Malware
+  - Industroyer2
+  - Azorult
+  - Data Destruction
   - Amadey
-  - DarkCrystal RAT
-  - Remcos
-  - Nexus APT Threat Activity
-  - Earth Estries
-  - Rhysida Ransomware
-  - RedLine Stealer
-  - Volt Typhoon
+  - WhisperGate
   asset_type: Endpoint
   mitre_attack_id:
   - T1036

detections/endpoint/linux_auditd_add_user_account.yml

@@ -1,7 +1,7 @@
 name: Linux Auditd Add User Account
 id: aae66dc0-74b4-4807-b480-b35f8027abb4
-version: 4
-date: '2025-02-10'
+version: 5
+date: '2025-02-20'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -14,11 +14,12 @@ description: The following analytic detects the creation of new user accounts on
   the system, posing a severe security risk.
 data_source:
 - Linux Auditd Proctitle
-search: '`linux_auditd` `linux_auditd_normalized_proctitle_process`| rename host as
-  dest | where LIKE (process_exec, "%useradd%") OR LIKE (process_exec, "%adduser%")
-  | stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle
-  dest  | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`|
-  `linux_auditd_add_user_account_filter`'
+search: '`linux_auditd` proctitle IN ("*useradd*", "*adduser*")
+  | rename host as dest 
+  | stats count min(_time) as firstTime max(_time) as lastTime by proctitle dest  
+  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)`
+  |`linux_auditd_add_user_account_filter`'
 how_to_implement: To implement this detection, the process begins by ingesting auditd
   data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line
   executions and process details on Unix/Linux systems. These logs should be ingested
@@ -47,7 +48,7 @@ drilldown_searches:
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
 rba:
-  message: A [$process_exec$] event occurred on host - [$dest$] to add a user account.
+  message: A [$proctitle$] event occurred on host - [$dest$] to add a user account.
   risk_objects:
   - field: dest
     type: system
@@ -70,6 +71,6 @@ tests:
 - name: True Positive Test
   attack_data:
   - data: 
-      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/linux_auditd_add_user/linux_auditd_add_user.log
-    source: /var/log/audit/audit.log
-    sourcetype: linux:audit
+      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/linux_auditd_add_user/auditd_proctitle_user_add.log
+    source: auditd
+    sourcetype: auditd

detections/endpoint/linux_auditd_add_user_account_type.yml

@@ -1,7 +1,7 @@
 name: Linux Auditd Add User Account Type
 id: f8c325ea-506e-4105-8ccf-da1492e90115
-version: 5
-date: '2025-02-10'
+version: 6
+date: '2025-02-20'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -70,5 +70,5 @@ tests:
   attack_data:
   - data: 
       https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/linux_auditd_add_user_type/linux_auditd_add_user_type.log
-    source: /var/log/audit/audit.log
-    sourcetype: linux:audit
+    source: auditd
+    sourcetype: auditd

detections/endpoint/linux_auditd_at_application_execution.yml

@@ -1,7 +1,7 @@
 name: Linux Auditd At Application Execution
 id: 9f306e0a-1c36-469e-8892-968ca12470dd
-version: 4
-date: '2025-02-10'
+version: 5
+date: '2025-02-20'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -76,5 +76,5 @@ tests:
   attack_data:
   - data: 
       https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/linux_auditd_at/linux_auditd_at_execution.log
-    source: /var/log/audit/audit.log
-    sourcetype: linux:audit
+    source: auditd
+    sourcetype: auditd