From 64de1e59535a8634df4c0fc2785095a9797e4af3 Mon Sep 17 00:00:00 2001
From: 0xC0FFEEEE <119874251+0xC0FFEEEE@users.noreply.github.com>
Date: Mon, 3 Mar 2025 15:30:23 +0000
Subject: [PATCH 1/3] Don't trigger on linux os
---
 .../windows_process_with_netexec_command_line_parameters.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml b/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml
index fcb8db9d0f..9a71cf6d7e 100644
--- a/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml
+++ b/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml
@@ -10,7 +10,7 @@ data_source:
 - Windows Event Log Security 4688
 - Sysmon EventID 1
 - CrowdStrike ProcessRollup2
-search: '| tstats `security_content_summariesonly` values(Processes.parent_process) as Processes.parent_process, values(Processes.process) as Processes.process values(Processes.process_current_directory) AS process_current_directory, values(Processes.process_id) as Processes.process_id, values(Processes.process_guid) as Processes.process_guid, count min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes where Processes.process_name IN ("nxc.exe") OR Processes.original_file_name IN ("nxc.exe") OR (Processes.process IN ("* smb *","* ssh *","* ldap *","* ftp *","* wmi *","* winrm *","* rdp *","* vnc *","* mssql *","* nfs *") AND ((Processes.process = "* -p *" AND Processes.process = "* -u *") OR Processes.process IN ("* -x *","* -M *","* --*"))) BY _time span=1h Processes.user Processes.dest Processes.process_name Processes.parent_process_name
+search: '| tstats `security_content_summariesonly` values(Processes.parent_process) as Processes.parent_process, values(Processes.process) as Processes.process values(Processes.process_current_directory) AS process_current_directory, values(Processes.process_id) as Processes.process_id, values(Processes.process_guid) as Processes.process_guid, count min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes where NOT Processes.os="Linux" Processes.process_name IN ("nxc.exe") OR Processes.original_file_name IN ("nxc.exe") OR (Processes.process IN ("* smb *","* ssh *","* ldap *","* ftp *","* wmi *","* winrm *","* rdp *","* vnc *","* mssql *","* nfs *") AND ((Processes.process = "* -p *" AND Processes.process = "* -u *") OR Processes.process IN ("* -x *","* -M *","* --*"))) BY _time span=1h Processes.user Processes.dest Processes.process_name Processes.parent_process_name
 |`drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | 
`security_content_ctime(lastTime)`
From 228a01acc14f635f2526b81cd0a3146dad12cd38 Mon Sep 17 00:00:00 2001
From: 0xC0FFEEEE <119874251+0xC0FFEEEE@users.noreply.github.com>
Date: Mon, 3 Mar 2025 16:27:00 +0000
Subject: [PATCH 2/3] another one
---
 ...ws_command_and_scripting_interpreter_path_traversal_exec.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/detections/endpoint/windows_command_and_scripting_interpreter_path_traversal_exec.yml b/detections/endpoint/windows_command_and_scripting_interpreter_path_traversal_exec.yml
index c04c043616..a0dd8d9726 100644
--- a/detections/endpoint/windows_command_and_scripting_interpreter_path_traversal_exec.yml
+++ b/detections/endpoint/windows_command_and_scripting_interpreter_path_traversal_exec.yml
@@ -18,7 +18,7 @@ data_source:
 - Windows Event Log Security 4688
 - CrowdStrike ProcessRollup2
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
- as lastTime FROM datamodel=Endpoint.Processes where Processes.process="*\/..\/..\/..\/*"
+ as lastTime FROM datamodel=Endpoint.Processes where NOT Processes.os="Linux" Processes.process="*\/..\/..\/..\/*"
 OR Processes.process="*\\..\\..\\..\\*" OR Processes.process="*\/\/..\/\/..\/\/..\/\/*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id
From 46db370f8bd216064ea5c81bf0182b786160b33f Mon Sep 17 00:00:00 2001
From: 0xC0FFEEEE <119874251+0xC0FFEEEE@users.noreply.github.com>
Date: Mon, 3 Mar 2025 22:33:47 +0000
Subject: [PATCH 3/3] increment version, update date
---
 ..._command_and_scripting_interpreter_path_traversal_exec.yml | 4 ++--
 .../windows_process_with_netexec_command_line_parameters.yml | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
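Review bot: The new `NOT Processes.os="Linux"` term in the path-traversal hunk is glued to the existing `... OR ... OR ...` chain by an implicit AND with no parentheses, so whether the exclusion covers the whole predicate or only its first branch rests entirely on SPL operator precedence; SPL documents OR as binding before the implicit AND, so this likely does what the commit intends, but nobody reading the line can see that, and the next edit to the chain can silently change it. Parenthesize the original predicate so the scope is explicit: `where NOT Processes.os="Linux" (Processes.process="*\/..\/..\/..\/*" OR Processes.process="*\\..\\..\\..\\*" OR Processes.process="*\/\/..\/\/..\/\/..\/\/*")`. The netexec hunk in PATCH 1/3 has the same shape (`NOT Processes.os="Linux" Processes.process_name IN ("nxc.exe") OR ...`) and should get the same parentheses around everything after the new term; its trailing context is not fully visible here. Note also that `NOT field=value` (unlike `field!=value`) keeps events where `os` is unpopulated, which seems to be the intent given that not every listed data source fills that field, but it is worth stating in the detection's description so a future maintainer does not "simplify" it to `!=` and start dropping events.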
diff --git a/detections/endpoint/windows_command_and_scripting_interpreter_path_traversal_exec.yml b/detections/endpoint/windows_command_and_scripting_interpreter_path_traversal_exec.yml
index a0dd8d9726..77ea2d9bcd 100644
--- a/detections/endpoint/windows_command_and_scripting_interpreter_path_traversal_exec.yml
+++ b/detections/endpoint/windows_command_and_scripting_interpreter_path_traversal_exec.yml
@@ -1,7 +1,7 @@
 name: Windows Command and Scripting Interpreter Path Traversal Exec
 id: 58fcdeb1-728d-415d-b0d7-3ab18a275ec2
-version: 6
-date: '2024-12-10'
+version: 7
+date: '2025-03-03'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml b/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml
index 9a71cf6d7e..62d783e320 100644
--- a/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml
+++ b/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml
@@ -1,7 +1,7 @@
 name: Windows Process With NetExec Command Line Parameters
 id: adbff89c-c1f2-4a2e-88a4-b5e645856510
-version: 4
-date: '2025-02-11'
+version: 5
+date: '2025-03-03'
 author: Steven Dick, Github Community
 status: production
 type: TTP