From 99d3d286549ad21cc9d99e13c239d30909d65eff Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali
Date: Tue, 17 Jun 2025 01:22:13 +0200
Subject: [PATCH 1/6] multiple updates and fixes
---
 .../endpoint/cobalt_strike_named_pipes.yml | 35 ++++++++--
 detections/endpoint/detect_renamed_winrar.yml | 20 +++---
 .../endpoint/excessive_usage_of_cacls_app.yml | 67 ++++++++++++-------
 detections/endpoint/icacls_deny_command.yml | 36 +++++-----
 detections/endpoint/icacls_grant_command.yml | 34 ++++++----
 ...dify_acl_permission_to_files_or_folder.yml | 39 ++++++-----
 ...active_directory_web_services_protocol.yml | 6 +-
 .../endpoint/suspicious_copy_on_system32.yml | 57 ++++++++++------
 ...rectory_permissions_enable_inheritance.yml | 6 +-
 ..._access_rights_modification_via_icacls.yml | 35 +++++-----
 10 files changed, 209 insertions(+), 126 deletions(-)
diff --git a/detections/endpoint/cobalt_strike_named_pipes.yml b/detections/endpoint/cobalt_strike_named_pipes.yml
index ce2ca8274d..0d548697ef 100644
--- a/detections/endpoint/cobalt_strike_named_pipes.yml
+++ b/detections/endpoint/cobalt_strike_named_pipes.yml
@@ -1,7 +1,7 @@
 name: Cobalt Strike Named Pipes
 id: 5876d429-0240-4709-8b93-ea8330b411b5
-version: 8
-date: '2025-05-02'
+version: 9
+date: '2025-06-17'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -16,12 +16,33 @@ description: The following analytic detects the use of default or publicly known
 data_source:
 - Sysmon EventID 17
 - Sysmon EventID 18
-search: '`sysmon` EventID=17 OR EventID=18 PipeName IN (\\msagent_*, \\DserNamePipe*,
- \\srvsvc_*, \\postex_*, \\status_*, \\MSSE-*, \\spoolss_*, \\win_svc*, \\ntsvcs*,
- \\winsock*, \\UIA_PIPE*) | stats count min(_time) as firstTime max(_time) as lastTime
+search: |
+ `sysmon` EventID=17 OR EventID=18
+ PipeName IN (
+ \\DserNamePipe*,
+ \\interprocess_*,
+ \\lsarpc_*,
+ \\mojo_*,
+ \\msagent_*,
+ \\MSSE-*,
+ \\netlogon_*,
+ \\ntsvcs*,
+ \\postex_*,
+ \\samr_*,
+ \\spoolss_*,
+ \\srvsvc_*,
+ \\status_*,
+ \\UIA_PIPE*
+ \\win_svc*,
+ \\winsock*,
+ \\wkssvc_*,
+ )
+ | stats count min(_time) as firstTime max(_time) as lastTime
 by dest dvc pipe_name process_exec process_guid process_id process_name process_path
- signature signature_id user_id vendor_product Image PipeName | `security_content_ctime(firstTime)`
- | `security_content_ctime(lastTime)` | `cobalt_strike_named_pipes_filter`'
+ signature signature_id user_id vendor_product Image PipeName
+ | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`
+ | `cobalt_strike_named_pipes_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the
diff --git a/detections/endpoint/detect_renamed_winrar.yml b/detections/endpoint/detect_renamed_winrar.yml
index f794dddddc..6d70e3b50d 100644
--- a/detections/endpoint/detect_renamed_winrar.yml
+++ b/detections/endpoint/detect_renamed_winrar.yml
@@ -1,7 +1,7 @@
 name: Detect Renamed WinRAR
 id: 1b7bfb2c-b8e6-11eb-99ac-acde48001122
-version: 12
-date: '2025-05-02'
+version: 13
+date: '2025-06-16'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
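Review bot: The closing apostrophe of the old single-quoted scalar survives on the new last search line, after the `cobalt_strike_named_pipes_filter` macro call, even though `search:` is now a `|` block literal, so that `'` becomes part of the SPL and leaves an unbalanced quote; drop it, as the other block-literal rewrites in this patch do. In the new `PipeName IN (...)` list, `\\UIA_PIPE*` has no trailing comma and `\\wkssvc_*,` leaves a dangling comma before `)`; rather than rely on the search parser tolerating either, make the list uniform with `\\UIA_PIPE*,` and `\\wkssvc_*`. Patch 6/6 (`fix typos`) touches this file but its hunk is outside the visible diff, so confirm it covers both. The added `\\mojo_*` entry uses an underscore separator; if it is meant to catch the dot-separated `mojo.` style pipe name some profiles imitate, the pattern should be verified against a sample before this ships.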
@@ -18,13 +18,15 @@ data_source:
 - CrowdStrike ProcessRollup2
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.original_file_name=WinRAR.exe
- (Processes.process_name!=rar.exe OR Processes.process_name!=winrar.exe) by Processes.action
- Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec
- Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name
- Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid
- Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name
- Processes.process_path Processes.user Processes.user_id Processes.vendor_product
- | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
+ (Processes.process_name!=rar.exe AND Processes.process_name!=winrar.exe)
+ by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
+ Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
+ Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec
+ Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level
+ Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
+ | `drop_dm_object_name(Processes)`
+ | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`
 | `detect_renamed_winrar_filter`'
 how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related
diff --git a/detections/endpoint/excessive_usage_of_cacls_app.yml b/detections/endpoint/excessive_usage_of_cacls_app.yml
index b6598f2869..7e62aaafdd 100644
--- a/detections/endpoint/excessive_usage_of_cacls_app.yml
+++ b/detections/endpoint/excessive_usage_of_cacls_app.yml
@@ -1,37 +1,56 @@
 name: Excessive Usage Of Cacls App
 id: 0bdf6092-af17-11eb-939a-acde48001122
-version: 8
-date: '2025-05-02'
+version: 9
+date: '2025-06-17'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
-description: The following analytic identifies excessive usage of `cacls.exe`, `xcacls.exe`,
- or `icacls.exe` to change file or folder permissions. It leverages data from Endpoint
- Detection and Response (EDR) agents, focusing on process names and command-line
- executions. This activity is significant as it may indicate an adversary attempting
- to restrict access to malware components or artifacts on a compromised system. If
- confirmed malicious, this behavior could prevent users from deleting or accessing
+description: |
+ The following analytic identifies excessive usage of `cacls.exe`, `xcacls.exe`,
+ or `icacls.exe` to change file or folder permissions.
+ It looks for 10 or more execution of the aforementioned processes in the span of 1 minute.
+ It leverages data from Endpoint Detection and Response (EDR) agents,
+ focusing on process names and command-line executions.
+ This activity is significant as it may indicate an adversary attempting
+ to restrict access to malware components or artifacts on a compromised system.
+ If confirmed malicious, this behavior could prevent users from deleting or accessing
 critical files, aiding in the persistence and concealment of malicious activities.
 data_source:
 - Sysmon EventID 1
 - Windows Event Log Security 4688
 - CrowdStrike ProcessRollup2
-search: '| tstats `security_content_summariesonly` values(Processes.dest) as dest
- values(Processes.user) as user min(_time) as firstTime max(_time) as lastTime values(Processes.action)
- as action values(Processes.original_file_name) as original_file_name values(Processes.parent_process_exec)
- as parent_process_exec values(Processes.parent_process_guid) as parent_process_guid
- values(Processes.parent_process_id) as parent_process_id values(Processes.parent_process_path)
- as parent_process_path values(Processes.process) as process values(Processes.process_exec)
- as process_exec values(Processes.process_guid) as process_guid values(Processes.process_hash)
- as process_hash values(Processes.process_id) as process_id values(Processes.process_integrity_level)
- as process_integrity_level values(Processes.process_name) as process_name values(Processes.process_path)
- as process_path values(Processes.user_id) as user_id values(Processes.vendor_product)
- as vendor_product count from datamodel=Endpoint.Processes where Processes.process_name
- = "cacls.exe" OR Processes.process_name = "icacls.exe" OR Processes.process_name
- = "XCACLS.exe" by Processes.parent_process_name Processes.parent_process Processes.dest
- Processes.user _time span=1m | where count >=10 | `drop_dm_object_name(Processes)`
- | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_usage_of_cacls_app_filter`'
-how_to_implement: The detection is based on data that originates from Endpoint Detection
+search: |
+ | tstats `security_content_summariesonly`
+ min(_time) as firstTime
+ max(_time) as lastTime
+ values(Processes.dest) as dest
+ values(Processes.user) as user
+ values(Processes.action) as action
+ values(Processes.original_file_name) as original_file_name
+ values(Processes.parent_process_exec) as parent_process_exec
+ values(Processes.parent_process_guid) as 
parent_process_guid
+ values(Processes.parent_process_id) as parent_process_id
+ values(Processes.parent_process_path) as parent_process_path
+ values(Processes.process) as process
+ values(Processes.process_exec) as process_exec
+ values(Processes.process_guid) as process_guid
+ values(Processes.process_hash) as process_hash
+ values(Processes.process_id) as process_id
+ values(Processes.process_integrity_level) as process_integrity_level
+ values(Processes.process_name) as process_name
+ values(Processes.process_path) as process_path
+ values(Processes.user_id) as user_id
+ values(Processes.vendor_product) as vendor_product count
+ from datamodel=Endpoint.Processes where
+ Processes.process_name IN( "icacls.exe", "cacls.exe", "xcacls.exe")
+ by Processes.parent_process_name Processes.parent_process Processes.dest Processes.user _time span=1m
+ | where count >=10
+ | `drop_dm_object_name(Processes)`
+ | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`
+ | `excessive_usage_of_cacls_app_filter`
+how_to_implement: |
+ The detection is based on data that originates from Endpoint Detection
 and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process.
diff --git a/detections/endpoint/icacls_deny_command.yml b/detections/endpoint/icacls_deny_command.yml
index daf3b978ae..a5a6693b6e 100644
--- a/detections/endpoint/icacls_deny_command.yml
+++ b/detections/endpoint/icacls_deny_command.yml
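Review bot: The new description line `It looks for 10 or more execution of the aforementioned processes in the span of 1 minute.` should read `executions`. It also hard-codes the thresholds that live in the search as `_time span=1m` and `| where count >=10`; that is useful for readers, but the two places need to be kept in step if the threshold is ever tuned, so a short comment-style reminder next to the `where` line would help. The enclosing `search` block starts on the previous line of this hunk.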
@@ -1,11 +1,12 @@
 name: Icacls Deny Command
 id: cf8d753e-a8fe-11eb-8f58-acde48001122
-version: 8
-date: '2025-05-02'
+version: 9
+date: '2025-06-17'
 author: Teoderick Contreras, Splunk
 status: production
-type: TTP
-description: The following analytic detects instances where an adversary modifies
+type: Anomaly
+description: |
+ The following analytic detects instances where an adversary modifies
 security permissions of a file or directory using commands like "icacls.exe", "cacls.exe", or "xcacls.exe" with deny options. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This
@@ -17,17 +18,22 @@ data_source:
 - Sysmon EventID 1
 - Windows Event Log Security 4688
 - CrowdStrike ProcessRollup2
-search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time)
- as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN( "icacls.exe",
- "cacls.exe", "xcacls.exe") AND Processes.process IN ("*/deny*", "*/D*") by Processes.action
- Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec
- Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name
- Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid
- Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name
- Processes.process_path Processes.user Processes.user_id Processes.vendor_product
- | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
- | `icacls_deny_command_filter`'
-how_to_implement: The detection is based on data that originates from Endpoint Detection
+search: |
+ | tstats `security_content_summariesonly` min(_time) as firstTime max(_time)
+ as lastTime from datamodel=Endpoint.Processes where
+ Processes.process_name IN ( "icacls.exe", "cacls.exe", "xcacls.exe") AND
+ Processes.process IN ("*/deny*", "*/d:*", "*/d ")
+ by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
+ Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
+ Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec
+ Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level
+ Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
+ | `drop_dm_object_name(Processes)`
+ | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`
+ | 
`icacls_deny_command_filter`
+how_to_implement: |
+ The detection is based on data that originates from Endpoint Detection
 and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process.
diff --git a/detections/endpoint/icacls_grant_command.yml b/detections/endpoint/icacls_grant_command.yml
index c702fd893e..9730c57221 100644
--- a/detections/endpoint/icacls_grant_command.yml
+++ b/detections/endpoint/icacls_grant_command.yml
@@ -1,11 +1,12 @@
 name: ICACLS Grant Command
 id: b1b1e316-accc-11eb-a9b4-acde48001122
-version: 7
-date: '2025-05-02'
+version: 8
+date: '2025-06-17'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
-description: The following analytic detects the use of the ICACLS command to grant
+description: |
+ The following analytic detects the use of the ICACLS command to grant
 additional access permissions to files or directories. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific process names and command-line arguments. This activity is significant because it is commonly used by Advanced
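Review bot: The third pattern in `Processes.process IN ("*/deny*", "*/d:*", "*/d ")` has no trailing wildcard, so it only matches a command line that ends in `/d ` with nothing after it; the `cacls`-style `/D user` form that the old `*/D*` covered is no longer caught. The grant rewrite in this same patch uses `"*/g *"`, so the intended line is presumably `Processes.process IN ("*/deny*", "*/d:*", "*/d *")`. A test event with a space-separated deny switch would pin this down; the enclosing `search` block begins in the previous hunk line.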
@@ -17,17 +18,22 @@ data_source:
 - Sysmon EventID 1
 - Windows Event Log Security 4688
 - CrowdStrike ProcessRollup2
-search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time)
- as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN( "icacls.exe",
- "cacls.exe", "xcacls.exe") AND Processes.process IN ("*/grant*", "*/G*") by Processes.action
- Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec
- Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name
- Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid
- Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name
- Processes.process_path Processes.user Processes.user_id Processes.vendor_product
- | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
- | `icacls_grant_command_filter`'
-how_to_implement: The detection is based on data that originates from Endpoint Detection
+search: |
+ | tstats `security_content_summariesonly` min(_time) as firstTime max(_time)
+ as lastTime from datamodel=Endpoint.Processes where
+ Processes.process_name IN ( "icacls.exe", "cacls.exe", "xcacls.exe") AND
+ Processes.process IN ("*/grant*", "*/g:*", "*/g *")
+ by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
+ Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
+ Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec
+ Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level
+ Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
+ | `drop_dm_object_name(Processes)`
+ | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`
+ | 
`icacls_grant_command_filter`
+how_to_implement: |
+ The detection is based on data that originates from Endpoint Detection
 and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process.
diff --git a/detections/endpoint/modify_acl_permission_to_files_or_folder.yml b/detections/endpoint/modify_acl_permission_to_files_or_folder.yml
index 32d238d288..f7d9ea485d 100644
--- a/detections/endpoint/modify_acl_permission_to_files_or_folder.yml
+++ b/detections/endpoint/modify_acl_permission_to_files_or_folder.yml
@@ -1,7 +1,7 @@
 name: Modify ACL permission To Files Or Folder
 id: 7e8458cc-acca-11eb-9e3f-acde48001122
-version: 8
-date: '2025-05-02'
+version: 9
+date: '2025-06-17'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -17,20 +17,27 @@ data_source:
 - Sysmon EventID 1
 - Windows Event Log Security 4688
 - CrowdStrike ProcessRollup2
-search: '| tstats `security_content_summariesonly` values(Processes.process) as process
- values(Processes.process_id) as process_id count min(_time) as firstTime max(_time)
- as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = "cacls.exe"
- OR Processes.process_name = "icacls.exe" OR Processes.process_name = "xcacls.exe")
- AND Processes.process = "*/G*" AND (Processes.process = "* everyone:*" OR Processes.process
- = "* SYSTEM:*" OR Processes.process = "* S-1-1-0:*") by Processes.action Processes.dest
- Processes.original_file_name Processes.parent_process Processes.parent_process_exec
- Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name
- Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid
- Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name
- Processes.process_path Processes.user Processes.user_id Processes.vendor_product
- | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
- | `modify_acl_permission_to_files_or_folder_filter`'
-how_to_implement: The detection is based on data that originates from Endpoint Detection
+search: |
+ | tstats `security_content_summariesonly` count
+ min(_time) as firstTime
+ max(_time) as lastTime
+ values(Processes.process) as process
+ values(Processes.process_id) as process_id
+ from datamodel=Endpoint.Processes where
+ Processes.process_name IN ("icacls.exe", "cacls.exe", "xcacls.exe")
+ Processes.process IN ("*/grant*", "*/g:*", "*/g *")
+ Processes.process IN ("* Everyone:*", "* SYSTEM:*", "* S-1-1-0:*")
+ by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
+ Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
+ 
Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec
+ Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level
+ Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
+ | `drop_dm_object_name(Processes)`
+ | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`
+ | `modify_acl_permission_to_files_or_folder_filter`
+how_to_implement: |
+ The detection is based on data that originates from Endpoint Detection
 and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process.
diff --git a/detections/endpoint/network_traffic_to_active_directory_web_services_protocol.yml b/detections/endpoint/network_traffic_to_active_directory_web_services_protocol.yml
index 7b330841e4..1aa6f9ecb9 100644
--- a/detections/endpoint/network_traffic_to_active_directory_web_services_protocol.yml
+++ b/detections/endpoint/network_traffic_to_active_directory_web_services_protocol.yml
@@ -1,7 +1,7 @@
 name: Network Traffic to Active Directory Web Services Protocol
 id: 68a0056c-34cb-455f-b03d-df935ea62c4f
-version: 8
-date: '2025-05-02'
+version: 9
+date: '2025-06-17'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
@@ -30,7 +30,7 @@ how_to_implement: The detection is based on data that originates from network tr
 known_false_positives: False positives should be limited as the destination port is specific to Active Directory Web Services Protocol, however we recommend utilizing this analytic to hunt for non-standard processes querying the ADWS port. Filter
- by App or dest_ip to AD servers and remove known proceses querying ADWS.
+ by App or dest_ip to AD servers and remove known processes querying ADWS.
 references:
 - https://github.com/FalconForceTeam/SOAPHound
 tags:
diff --git a/detections/endpoint/suspicious_copy_on_system32.yml b/detections/endpoint/suspicious_copy_on_system32.yml
index e0c9a177fc..ea3c19e495 100644
--- a/detections/endpoint/suspicious_copy_on_system32.yml
+++ b/detections/endpoint/suspicious_copy_on_system32.yml
@@ -1,18 +1,19 @@
 name: Suspicious Copy on System32
 id: ce633e56-25b2-11ec-9e76-acde48001122
-version: 10
-date: '2025-05-02'
-author: Teoderick Contreras, Splunk
+version: 11
+date: '2025-06-17'
+author: Teoderick Contreras, Nasreddine Bencherchali, Splunk
 status: production
-type: TTP
-description:
- The following analytic detects suspicious file copy operations from the
- System32 or SysWow64 directories, often indicative of malicious activity. It leverages
- data from Endpoint Detection and Response (EDR) agents, focusing on processes initiated
- by command-line tools like cmd.exe or PowerShell. This behavior is significant as
- it may indicate an attempt to execute malicious code using legitimate system tools
- (LOLBIN). If confirmed malicious, this activity could allow an attacker to execute
- arbitrary code, potentially leading to system compromise or further lateral movement
+type: Anomaly
+description: |
+ The following analytic detects potentially suspicious file copy operations targeting the
+ System32 or SysWow64 directories as source, often indicative of malicious activity.
+ It leverages data from Endpoint Detection and Response (EDR) agents,
+ focusing on activity initiated by command-line tools like cmd.exe or PowerShell.
+ This behavior is significant as it may indicate an attempt to evade defenses by copying
+ an existing binary from the system directory and renaming it.
+ If confirmed malicious, this activity could allow an attacker to execute
+ code undetected and potentially leading to system compromise or further lateral movement
 within the network.
 data_source:
 - Sysmon EventID 1
@@ -20,18 +21,34 @@ data_source:
 - CrowdStrike ProcessRollup2
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
- as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name
- IN("cmd.exe", "powershell*","pwsh.exe", "sqlps.exe", "sqltoolsps.exe", "powershell_ise.exe")
- AND `process_copy` AND Processes.process IN("*\\Windows\\System32\\*", "*\\Windows\\SysWow64\\*")
- AND Processes.process = "*copy*" by Processes.action Processes.dest Processes.original_file_name
+ as lastTime from datamodel=Endpoint.Processes where
+ parent_process_name IN (
+ "cmd.exe",
+ "powershell_ise.exe",
+ "powershell.exe",
+ "pwsh.exe",
+ "sqlps.exe",
+ "sqltoolsps.exe"
+ )
+ `process_copy`
+ Processes.process IN(
+ "* \"C:\\Windows\\System32\\*",
+ "* 'C:\\Windows\\System32\\*",
+ "* C:\\Windows\\System32\\*",
+ "* \"C:\\Windows\\SysWow64\\*"
+ "* 'C:\\Windows\\SysWow64\\*"
+ "* C:\\Windows\\SysWow64\\*"
+ )
+ by Processes.action Processes.dest Processes.original_file_name
 Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path
- Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)`
- | eval splitted_commandline=split(process," ") | eval first_cmdline=lower(mvindex(splitted_commandline,0))
- | where NOT LIKE(first_cmdline,"%\\windows\\system32\\%") AND NOT LIKE(first_cmdline,"%\\windows\\syswow64\\%")
- | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`suspicious_copy_on_system32_filter`'
+ Processes.user Processes.user_id Processes.vendor_product
+ | `drop_dm_object_name(Processes)`
+ | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)` 
+ | `suspicious_copy_on_system32_filter`'
 how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related
diff --git a/detections/endpoint/windows_file_and_directory_permissions_enable_inheritance.yml b/detections/endpoint/windows_file_and_directory_permissions_enable_inheritance.yml
index 1267605089..defdc40372 100644
--- a/detections/endpoint/windows_file_and_directory_permissions_enable_inheritance.yml
+++ b/detections/endpoint/windows_file_and_directory_permissions_enable_inheritance.yml
@@ -3,9 +3,6 @@ id: 0247f90a-aca4-47b2-a94d-e30f445d7b41
 version: 3
 date: '2025-05-02'
 author: Teoderick Contreras, Splunk
-data_source:
-- Sysmon EventID 1
-- Windows Event Log Security 4688
 type: Hunting
 status: production
 description: The following analytic detects the enabling of permission inheritance
@@ -16,6 +13,9 @@ description: The following analytic detects the enabling of permission inheritan
 can indicate legitimate administrative actions but may also signal attempts to override restrictive custom permissions, potentially exposing sensitive files to unauthorized access.
+data_source:
+- Sysmon EventID 1
+- Windows Event Log Security 4688
 search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN( "icacls.exe", "cacls.exe", "xcacls.exe") AND Processes.process = "*/inheritance:e*" by Processes.action
diff --git a/detections/endpoint/windows_files_and_dirs_access_rights_modification_via_icacls.yml b/detections/endpoint/windows_files_and_dirs_access_rights_modification_via_icacls.yml
index b753f700a4..b569878d03 100644
--- a/detections/endpoint/windows_files_and_dirs_access_rights_modification_via_icacls.yml
+++ b/detections/endpoint/windows_files_and_dirs_access_rights_modification_via_icacls.yml
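Review bot: The new `Processes.process IN(...)` patterns hard-code `C:\\Windows\\System32\\` and `C:\\Windows\\SysWow64\\`, while the replaced `"*\\Windows\\System32\\*"` matched on any drive, and the removed `first_cmdline` post-filter was what excluded hits where the system path was the executing binary rather than the copy argument. The leading `* ` in the new patterns takes over that role, but only for a literal `C:` path, so a system directory referenced through an environment variable or on another drive is now outside the rule; a drive-agnostic variant such as `"* *\\Windows\\System32\\*"` alongside the quoted forms would keep the old coverage without reintroducing the self-match. It would also be worth recording in `known_false_positives` that the rule keys on the copy source path only. The missing commas after the two SysWow64 entries and the unprefixed `parent_process_name` are fixed by patches 3/6 in this series, so they are not re-raised here.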
@@ -5,11 +5,8 @@ date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
-data_source:
-- Sysmon EventID 1
-- Windows Event Log Security 4688
-- CrowdStrike ProcessRollup2
-description: The following analytic identifies the modification of security permissions
+description: |
+ The following analytic identifies the modification of security permissions
 on files or directories using tools like icacls.exe, cacls.exe, or xcacls.exe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line executions. This activity is significant as it is commonly used by
@@ -17,16 +14,24 @@ description: The following analytic identifies the modification of security perm
 maintain control over compromised systems. If confirmed malicious, this behavior could allow attackers to hinder investigation, impede remediation efforts, and maintain persistent access to the compromised environment.
-search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time)
- as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN( "icacls.exe",
- "cacls.exe","xcacls.exe") AND Processes.process IN ("*:R*", "*:W*", "*:F*", "*:C*",,
- "*:N*","*/P*", "*/E*") by Processes.action Processes.dest Processes.original_file_name
- Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
- Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
- Processes.process Processes.process_exec Processes.process_guid Processes.process_hash
- Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path
- Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)`
- | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_files_and_dirs_access_rights_modification_via_icacls_filter`'
+data_source:
+- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
+search: |
+ | tstats `security_content_summariesonly` min(_time) as firstTime max(_time)
+ as lastTime from datamodel=Endpoint.Processes where
+ Processes.process_name IN ("icacls.exe", "cacls.exe","xcacls.exe") AND
+ Processes.process IN ("*:R*", "*:W*", "*:F*", "*:C*", "*:N*", "*/P*", "*/E*")
+ by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
+ Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
+ Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec
+ Processes.process_guid 
Processes.process_hash Processes.process_id Processes.process_integrity_level
+ Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
+ | `drop_dm_object_name(Processes)`
+ | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`
+ | `windows_files_and_dirs_access_rights_modification_via_icacls_filter`
 how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search,
From 1d2e689e99fb3303f305762035ae5e0a5a9457ad Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali
Date: Tue, 17 Jun 2025 01:28:45 +0200
Subject: [PATCH 2/6] Update suspicious_copy_on_system32.yml
---
 detections/endpoint/suspicious_copy_on_system32.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/detections/endpoint/suspicious_copy_on_system32.yml b/detections/endpoint/suspicious_copy_on_system32.yml
index ea3c19e495..8bead01f79 100644
--- a/detections/endpoint/suspicious_copy_on_system32.yml
+++ b/detections/endpoint/suspicious_copy_on_system32.yml
@@ -33,10 +33,10 @@ search:
 `process_copy`
 Processes.process IN(
 "* \"C:\\Windows\\System32\\*",
- "* 'C:\\Windows\\System32\\*",
+ "* \'C:\\Windows\\System32\\*",
 "* C:\\Windows\\System32\\*",
 "* \"C:\\Windows\\SysWow64\\*"
- "* 'C:\\Windows\\SysWow64\\*"
+ "* \'C:\\Windows\\SysWow64\\*"
 "* C:\\Windows\\SysWow64\\*"
 )
 by Processes.action Processes.dest Processes.original_file_name
From dba17e70d0b2a53f275d64771cd8b6083a7fce06 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali
Date: Tue, 17 Jun 2025 01:35:02 +0200
Subject: [PATCH 3/6] Update suspicious_copy_on_system32.yml
---
 detections/endpoint/suspicious_copy_on_system32.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
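Review bot: `type: TTP` is kept for this rule while the deny and copy rules in the same patch are downgraded to `Anomaly`, yet `Processes.process IN ("*:R*", "*:W*", "*:F*", "*:C*", "*:N*", "*/P*", "*/E*")` matches any colon-plus-letter or slash-plus-letter fragment anywhere in the command line, not only in a permission argument, which is at least as noisy as those. Either align the type with its siblings or tie the patterns to the switch they qualify, the way `icacls_grant_command.yml` anchors on `*/grant*` in this series. The dropped double comma after `"*:C*"` is a genuine fix, but the `version` bump for this file only arrives in patch 5/6, so the two should land together. The enclosing `search` block starts in the previous hunk line.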
diff --git a/detections/endpoint/suspicious_copy_on_system32.yml b/detections/endpoint/suspicious_copy_on_system32.yml
index 8bead01f79..b24f06855f 100644
--- a/detections/endpoint/suspicious_copy_on_system32.yml
+++ b/detections/endpoint/suspicious_copy_on_system32.yml
@@ -22,7 +22,7 @@ data_source:
 search:
 '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
 as lastTime from datamodel=Endpoint.Processes where
- parent_process_name IN (
+ Processes.parent_process_name IN (
 "cmd.exe",
 "powershell_ise.exe",
 "powershell.exe",
@@ -35,8 +35,8 @@ search:
 "* \"C:\\Windows\\System32\\*",
 "* \'C:\\Windows\\System32\\*",
 "* C:\\Windows\\System32\\*",
- "* \"C:\\Windows\\SysWow64\\*"
- "* \'C:\\Windows\\SysWow64\\*"
+ "* \"C:\\Windows\\SysWow64\\*",
+ "* \'C:\\Windows\\SysWow64\\*",
 "* C:\\Windows\\SysWow64\\*"
 )
 by Processes.action Processes.dest Processes.original_file_name
From aeeb471de29b7c984091c87411fd4440a8155487 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali
Date: Tue, 17 Jun 2025 01:38:33 +0200
Subject: [PATCH 4/6] Update suspicious_copy_on_system32.yml
---
 detections/endpoint/suspicious_copy_on_system32.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/detections/endpoint/suspicious_copy_on_system32.yml b/detections/endpoint/suspicious_copy_on_system32.yml
index b24f06855f..0e2f5e4f11 100644
--- a/detections/endpoint/suspicious_copy_on_system32.yml
+++ b/detections/endpoint/suspicious_copy_on_system32.yml
@@ -19,8 +19,8 @@ data_source:
 - Sysmon EventID 1
 - Windows Event Log Security 4688
 - CrowdStrike ProcessRollup2
-search:
- '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
+search: |
+ | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
 as lastTime from datamodel=Endpoint.Processes where
 Processes.parent_process_name IN (
 "cmd.exe",
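Review bot: Turning `search:` into a `|` block literal here makes the `\'` escapes added in patch 2/6 (`"* \'C:\\Windows\\System32\\*"` and its SysWow64 twin, visible as context in the patch 3/6 hunk above) plain text rather than YAML escapes, so the backslash now reaches SPL, where inside a double-quoted string it most likely stays a literal backslash and the pattern would then require `\'` in the command line instead of a bare apostrophe. With the block literal in place, the unescaped `"* 'C:\\Windows\\System32\\*"` spelling from patch 1/6 is the correct one. In the intermediate single-quoted state after patches 2 and 3, neither `'` nor `\'` is valid inside a YAML single-quoted scalar (only `''` is), so that state would not have parsed either; a YAML round-trip check in CI would have caught both. The remainder of the `search` block is outside this hunk.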
@@ -49,7 +49,7 @@ search:
 | `security_content_ctime(firstTime)`
 | `security_content_ctime(lastTime)`
 | `suspicious_copy_on_system32_filter`'
-how_to_implement:
+how_to_implement: |
 The detection is based on data that originates from Endpoint Detection and
 Response (EDR) agents. These agents are designed to provide security-related
 telemetry from the endpoints where the agent is installed. To implement this search,
@@ -59,7 +59,7 @@ how_to_implement:
 the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-known_false_positives: every user may do this event but very un-ussual.
+known_false_positives: Copying files from System directories can happen for multiple admin reasons, allbeit rare without approval. Apply additional filters where needed.
 references:
 - https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120
 - https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/

From b0df2c1973c749b3a76ebd53355df925d73fc2a1 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali
Date: Tue, 17 Jun 2025 01:42:32 +0200
Subject: [PATCH 5/6] Update windows_files_and_dirs_access_rights_modification_via_icacls.yml

---
 ...ows_files_and_dirs_access_rights_modification_via_icacls.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/detections/endpoint/windows_files_and_dirs_access_rights_modification_via_icacls.yml b/detections/endpoint/windows_files_and_dirs_access_rights_modification_via_icacls.yml
index b569878d03..3d267817c6 100644
--- a/detections/endpoint/windows_files_and_dirs_access_rights_modification_via_icacls.yml
+++ b/detections/endpoint/windows_files_and_dirs_access_rights_modification_via_icacls.yml
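Review bot: The rewritten `known_false_positives` line in the second hunk still carries spelling and grammar slips that the later "fix typos" commit does not touch: `allbeit` should be `albeit`, `System directories` reads better lower-cased, and `rare without approval` wants an adverb. Since this text is what an analyst reads when triaging a hit, a clean sentence matters more here than in the search body. Suggested line: `known_false_positives: Copying files from system directories can happen for multiple administrative reasons, albeit rarely without approval. Apply additional filters where needed.`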
@@ -1,6 +1,6 @@
 name: Windows Files and Dirs Access Rights Modification Via Icacls
 id: c76b796c-27e1-4520-91c4-4a58695c749e
-version: 8
+version: 9
 date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production

From 27575a878b848b50b0bec1d14004436205d90929 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali
Date: Tue, 17 Jun 2025 02:30:48 +0200
Subject: [PATCH 6/6] fix typos

---
 .../endpoint/cobalt_strike_named_pipes.yml | 42 +++++++++----------
 .../endpoint/suspicious_copy_on_system32.yml | 4 +-
 2 files changed, 23 insertions(+), 23 deletions(-)

diff --git a/detections/endpoint/cobalt_strike_named_pipes.yml b/detections/endpoint/cobalt_strike_named_pipes.yml
index 0d548697ef..1481bf0af3 100644
--- a/detections/endpoint/cobalt_strike_named_pipes.yml
+++ b/detections/endpoint/cobalt_strike_named_pipes.yml
@@ -17,32 +17,32 @@ data_source:
 - Sysmon EventID 17
 - Sysmon EventID 18
 search: |
- `sysmon` EventID=17 OR EventID=18
+ `sysmon` (EventID=17 OR EventID=18)
 PipeName IN (
- \\DserNamePipe*,
- \\interprocess_*,
- \\lsarpc_*,
- \\mojo_*,
- \\msagent_*,
- \\MSSE-*,
- \\netlogon_*,
- \\ntsvcs*,
- \\postex_*,
- \\samr_*,
- \\spoolss_*,
- \\srvsvc_*,
- \\status_*,
- \\UIA_PIPE*
- \\win_svc*,
- \\winsock*,
- \\wkssvc_*,
+ "\\DserNamePipe*",
+ "\\interprocess_*",
+ "\\lsarpc_*",
+ "\\mojo_*",
+ "\\msagent_*",
+ "\\MSSE-*",
+ "\\netlogon_*",
+ "\\ntsvcs*",
+ "\\postex_*",
+ "\\samr_*",
+ "\\spoolss_*",
+ "\\srvsvc_*",
+ "\\status_*",
+ "\\UIA_PIPE"*
+ "\\win_svc*",
+ "\\winsock*",
+ "\\wkssvc_*",
 )
 | stats count min(_time) as firstTime max(_time) as lastTime
 by dest dvc pipe_name process_exec process_guid process_id process_name process_path
- signature signature_id user_id vendor_product Image PipeName
+ signature signature_id user_id vendor_product Image PipeName
 | `security_content_ctime(firstTime)`
- | `security_content_ctime(lastTime)`
- | `cobalt_strike_named_pipes_filter`'
+ | `security_content_ctime(lastTime)`
+ | `cobalt_strike_named_pipes_filter`
 how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the
diff --git a/detections/endpoint/suspicious_copy_on_system32.yml b/detections/endpoint/suspicious_copy_on_system32.yml
index 0e2f5e4f11..2bca0b056a 100644
--- a/detections/endpoint/suspicious_copy_on_system32.yml
+++ b/detections/endpoint/suspicious_copy_on_system32.yml
@@ -31,7 +31,7 @@ search: |
 "sqltoolsps.exe"
 )
 `process_copy`
- Processes.process IN(
+ Processes.process IN (
 "* \"C:\\Windows\\System32\\*",
 "* \'C:\\Windows\\System32\\*",
 "* C:\\Windows\\System32\\*",
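Review bot: The new `"\\UIA_PIPE"*` entry has its closing quote before the wildcard and, like the line it replaces, no trailing comma, so the `*` sits outside the string and runs straight into the next entry `"\\win_svc*"`; Splunk will most likely reject the IN() list or match something other than the intended `\\UIA_PIPE` prefix, which silently disables the detection for that pipe name. The line should read `"\\UIA_PIPE*",`. The final entry `"\\wkssvc_*",` also leaves a trailing comma before `)`; I am not certain IN() tolerates that, and dropping it is the safe form. Now that every pattern is double-quoted, `\\` is an SPL escape for one backslash, so the quoting presumably still matches the single leading backslash in PipeName, but a test event against the reformatted list would confirm it.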
@@ -48,7 +48,7 @@ search: |
 | `drop_dm_object_name(Processes)`
 | `security_content_ctime(firstTime)`
 | `security_content_ctime(lastTime)`
- | `suspicious_copy_on_system32_filter`'
+ | `suspicious_copy_on_system32_filter`
 how_to_implement: |
 The detection is based on data that originates from Endpoint Detection and
 Response (EDR) agents. These agents are designed to provide security-related