splunk · pyth0n1c · Jun 17, 2025 · May 26, 2025 · May 26, 2025 · May 27, 2025
@@ -1,7 +1,7 @@
 name: CMD Carry Out String Command Parameter
 id: 54a6ed00-3256-11ec-b031-acde48001122
-version: 11
-date: '2025-05-06'
+version: 12
+date: '2025-05-26'
 author: Teoderick Contreras, Bhavin Patel, Splunk
 status: production
 type: Hunting
@@ -17,14 +17,14 @@ data_source:
 - Windows Event Log Security 4688
 - CrowdStrike ProcessRollup2
 search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time)
-  as lastTime from datamodel=Endpoint.Processes where `process_cmd` AND Processes.process IN ("*/c*", "*/k*")
-  by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
-  Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
-  Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec
-  Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level
-  Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
-  | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
-  | `cmd_carry_out_string_command_parameter_filter`'
+  as lastTime from datamodel=Endpoint.Processes where `process_cmd` AND Processes.process
+  IN ("*/c*", "*/k*") by Processes.action Processes.dest Processes.original_file_name
+  Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
+  Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
+  Processes.process Processes.process_exec Processes.process_guid Processes.process_hash
+  Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path
+  Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)`
+  | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cmd_carry_out_string_command_parameter_filter`'
 how_to_implement: The detection is based on data that originates from Endpoint Detection
   and Response (EDR) agents. These agents are designed to provide security-related
   telemetry from the endpoints where the agent is installed. To implement this search,
@@ -41,27 +41,28 @@ references:
 - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/
 tags:
   analytic_story:
-  - Data Destruction
-  - DarkGate Malware
-  - Chaos Ransomware
-  - Hermetic Wiper
-  - Warzone RAT
+  - PlugX
   - Winter Vivern
+  - Rhysida Ransomware
+  - Malicious Inno Setup Loader
+  - DarkGate Malware
   - ProxyNotShell
-  - IcedID
-  - Living Off The Land
-  - NjRAT
   - Log4Shell CVE-2021-44228
-  - CISA AA23-347A
-  - AsyncRAT
-  - Rhysida Ransomware
-  - DarkCrystal RAT
-  - Crypto Stealer
   - Azorult
+  - Living Off The Land
   - Qakbot
-  - RedLine Stealer
-  - PlugX
+  - Chaos Ransomware
+  - IcedID
+  - Data Destruction
+  - Crypto Stealer
   - WhisperGate
+  - NjRAT
+  - AsyncRAT
+  - CISA AA23-347A
+  - Hermetic Wiper
+  - RedLine Stealer
+  - DarkCrystal RAT
+  - Warzone RAT
   asset_type: Endpoint
   cve:
   - CVE-2021-44228

@@ -1,7 +1,7 @@
 name: Detect Renamed 7-Zip
 id: 4057291a-b8cf-11eb-95fe-acde48001122
-version: 9
-date: '2025-05-02'
+version: 10
+date: '2025-06-02'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
@@ -43,6 +43,7 @@ references:
 tags:
   analytic_story:
   - Collection and Staging
+  - Malicious Inno Setup Loader
   asset_type: Endpoint
   mitre_attack_id:
   - T1560.001

@@ -1,7 +1,7 @@
 name: Hiding Files And Directories With Attrib exe
 id: 6e5a3ae4-90a3-462d-9aa6-0119f638c0f1
-version: 12
-date: '2025-05-02'
+version: 13
+date: '2025-05-26'
 author: Bhavin Patel, Splunk
 status: production
 type: TTP
@@ -64,8 +64,9 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
-  - Azorult
   - Windows Persistence Techniques
+  - Malicious Inno Setup Loader
+  - Azorult
   - Compromised Windows Host
   - Windows Defense Evasion Tactics
   - Crypto Stealer

@@ -1,12 +1,11 @@
 name: LOLBAS With Network Traffic
 id: 2820f032-19eb-497e-8642-25b04a880359
-version: 10
-date: '2025-05-19'
+version: 11
+date: '2025-05-26'
 author: Steven Dick
 status: production
 type: TTP
-description:
-  The following analytic identifies the use of Living Off the Land Binaries
+description: The following analytic identifies the use of Living Off the Land Binaries
   and Scripts (LOLBAS) with network traffic. It leverages data from the Network Traffic
   data model to detect when native Windows binaries, often abused by adversaries,
   initiate network connections. This activity is significant as LOLBAS are frequently
@@ -15,9 +14,8 @@ description:
   to execute arbitrary code, escalate privileges, or maintain persistence within the
   environment, posing a severe threat to organizational security.
 data_source:
-  - Sysmon EventID 3
-search:
-  '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
+- Sysmon EventID 3
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
   as lastTime from datamodel=Network_Traffic.All_Traffic where (All_Traffic.app IN
   ("*Regsvcs.exe", "*\\Ftp.exe", "*OfflineScannerShell.exe", "*Rasautou.exe", "*Schtasks.exe",
   "*Xwizard.exe", "*Pnputil.exe", "*Atbroker.exe", "*Pcwrun.exe", "*Ttdinject.exe",
@@ -36,61 +34,59 @@ search:
   All_Traffic.src_ip All_Traffic.src_port All_Traffic.transport All_Traffic.user All_Traffic.vendor_product
   | `drop_dm_object_name(All_Traffic)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
   | rex field=app ".*\\\(?<process_name>.*)$" | `lolbas_with_network_traffic_filter`'
-how_to_implement:
-  To successfully implement this detection you must ingest events
+how_to_implement: To successfully implement this detection you must ingest events
   into the Network traffic data model that contain the source, destination, and communicating
   process in the app field. Relevant processes must also be ingested in the Endpoint
   data model with matching process_id field. Sysmon EID1 and EID3 are good examples
   of this type this data type.
-known_false_positives:
-  Legitimate usage of internal automation or scripting, especially
+known_false_positives: Legitimate usage of internal automation or scripting, especially
   powershell.exe or pwsh.exe, internal to internal or logon scripts. It may be necessary
   to omit internal IP ranges if extremely noisy. ie NOT dest_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16","170.98.0.0/16","0:0:0:0:0:0:0:1")
 references:
-  - https://lolbas-project.github.io/#
-  - https://www.sans.org/presentations/lolbin-detection-methods-seven-common-attacks-revealed/
+- https://lolbas-project.github.io/#
+- https://www.sans.org/presentations/lolbin-detection-methods-seven-common-attacks-revealed/
 drilldown_searches:
-  - name: View the detection results for - "$src$"
-    search: '%original_detection_search% | search  src = "$src$"'
-    earliest_offset: $info_min_time$
-    latest_offset: $info_max_time$
-  - name: View risk events for the last 7 days for - "$src$"
-    search:
-      '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$")
-      starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
-      values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
-      as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
-      as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
-      | `security_content_ctime(lastTime)`'
-    earliest_offset: $info_min_time$
-    latest_offset: $info_max_time$
+- name: View the detection results for - "$src$"
+  search: '%original_detection_search% | search  src = "$src$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$src$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$")
+    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
+    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
 rba:
   message: The LOLBAS $process_name$ on device $src$ was seen communicating with $dest$.
   risk_objects:
-    - field: src
-      type: system
-      score: 25
+  - field: src
+    type: system
+    score: 25
   threat_objects:
-    - field: dest_ip
-      type: ip_address
+  - field: dest_ip
+    type: ip_address
 tags:
   analytic_story:
-    - Living Off The Land
-    - Water Gamayun
-    - Fake CAPTCHA Campaigns
+  - Fake CAPTCHA Campaigns
+  - Living Off The Land
+  - Malicious Inno Setup Loader
+  - Water Gamayun
   asset_type: Endpoint
   mitre_attack_id:
-    - T1105
-    - T1567
-    - T1218
+  - T1105
+  - T1567
+  - T1218
   product:
-    - Splunk Enterprise
-    - Splunk Enterprise Security
-    - Splunk Cloud
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
   security_domain: network
 tests:
-  - name: True Positive Test
-    attack_data:
-      - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218/lolbas_with_network_traffic/lolbas_with_network_traffic.log
-        source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
-        sourcetype: XmlWinEventLog
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218/lolbas_with_network_traffic/lolbas_with_network_traffic.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: XmlWinEventLog
@@ -1,7 +1,7 @@
 name: Non Chrome Process Accessing Chrome Default Dir
 id: 81263de4-160a-11ec-944f-acde48001122
-version: 10
-date: '2025-05-02'
+version: 11
+date: '2025-05-25'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -15,10 +15,11 @@ description: The following analytic detects a non-Chrome process accessing files
   and further compromise of the affected system.
 data_source:
 - Windows Event Log Security 4663
-search: '`wineventlog_security` EventCode=4663 NOT (ProcessName IN ("*\\chrome.exe",
-  "*\\explorer.exe", "*sql*")) ObjectName="*\\Google\\Chrome\\User Data\\Default*"
-  | stats count min(_time) as firstTime max(_time) as lastTime by ObjectName ObjectType
-  ProcessName AccessMask EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
+search: '`wineventlog_security` EventCode=4663 
+  NOT (ProcessName IN ("*\\chrome.exe", "*\\explorer.exe", "*sql*", "*\\dllhost.exe")) ObjectName="*\\Google\\Chrome\\User Data\\Default*"
+  | stats count min(_time) as firstTime max(_time) as lastTime by ObjectName ObjectType ProcessName AccessMask EventCode dest 
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`
   | `non_chrome_process_accessing_chrome_default_dir_filter`'
 how_to_implement: To successfully implement this search, you must ingest Windows Security
   Event logs and track event code 4663. For 4663, enable "Audit Object Access" in
@@ -63,6 +64,7 @@ tags:
   - 3CX Supply Chain Attack
   - DarkGate Malware
   - NjRAT
+  - Malicious Inno Setup Loader
   asset_type: Endpoint
   mitre_attack_id:
   - T1555.003

@@ -1,7 +1,7 @@
 name: Non Firefox Process Access Firefox Profile Dir
 id: e6fc13b0-1609-11ec-b533-acde48001122
-version: 9
-date: '2025-05-02'
+version: '10'
+date: '2025-05-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -48,21 +48,22 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
-  - AgentTesla
+  - NjRAT
   - Snake Keylogger
-  - CISA AA23-347A
+  - AgentTesla
+  - DarkGate Malware
   - China-Nexus Threat Activity
-  - Remcos
-  - FIN7
+  - 3CX Supply Chain Attack
+  - Malicious Inno Setup Loader
+  - CISA AA23-347A
   - Phemedrone Stealer
-  - SnappyBee
   - Azorult
+  - Remcos
   - RedLine Stealer
-  - Warzone RAT
   - Salt Typhoon
-  - 3CX Supply Chain Attack
-  - DarkGate Malware
-  - NjRAT
+  - Warzone RAT
+  - SnappyBee
+  - FIN7
   asset_type: Endpoint
   mitre_attack_id:
   - T1555.003

@@ -1,7 +1,7 @@
 name: Recon Using WMI Class
 id: 018c1972-ca07-11eb-9473-acde48001122
-version: 7
-date: '2025-05-02'
+version: '8'
+date: '2025-05-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -65,12 +65,13 @@ rba:
 tags:
   analytic_story:
   - AsyncRAT
-  - Qakbot
-  - Industroyer2
-  - Hermetic Wiper
   - LockBit Ransomware
   - Malicious PowerShell
+  - Malicious Inno Setup Loader
+  - Hermetic Wiper
   - Data Destruction
+  - Qakbot
+  - Industroyer2
   - MoonPeak
   asset_type: Endpoint
   mitre_attack_id:

@@ -1,7 +1,7 @@
 name: Suspicious Scheduled Task from Public Directory
 id: 7feb7972-7ac3-11eb-bac8-acde48001122
-version: '12'
-date: '2025-05-06'
+version: '13'
+date: '2025-05-26'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
@@ -69,21 +69,22 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
-  - CISA AA24-241A
-  - CISA AA23-347A
-  - Medusa Ransomware
+  - DarkCrystal RAT
   - China-Nexus Threat Activity
-  - Scheduled Tasks
   - Windows Persistence Techniques
-  - Living Off The Land
   - Ryuk Ransomware
+  - Medusa Ransomware
+  - Malicious Inno Setup Loader
+  - CISA AA23-347A
+  - Azorult
+  - Living Off The Land
+  - Crypto Stealer
   - Salt Typhoon
+  - XWorm
+  - CISA AA24-241A
+  - Scheduled Tasks
   - Ransomware
-  - DarkCrystal RAT
-  - Azorult
   - MoonPeak
-  - XWorm
-  - Crypto Stealer
   asset_type: Endpoint
   mitre_attack_id:
   - T1053.005