Multiple Updates & Fixes

detections/endpoint/cobalt_strike_named_pipes.yml

@@ -1,7 +1,7 @@
 name: Cobalt Strike Named Pipes
 id: 5876d429-0240-4709-8b93-ea8330b411b5
-version: 8
-date: '2025-05-02'
+version: 9
+date: '2025-06-17'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -16,12 +16,33 @@ description: The following analytic detects the use of default or publicly known
 data_source:
 - Sysmon EventID 17
 - Sysmon EventID 18
-search: '`sysmon` EventID=17 OR EventID=18 PipeName IN (\\msagent_*, \\DserNamePipe*,
-  \\srvsvc_*, \\postex_*, \\status_*, \\MSSE-*, \\spoolss_*, \\win_svc*, \\ntsvcs*,
-  \\winsock*, \\UIA_PIPE*) | stats count min(_time) as firstTime max(_time) as lastTime
+search: |
+  `sysmon` (EventID=17 OR EventID=18)
+  PipeName IN (
+    "\\DserNamePipe*",
+    "\\interprocess_*",
+    "\\lsarpc_*",
+    "\\mojo_*",
+    "\\msagent_*",
+    "\\MSSE-*",
+    "\\netlogon_*",
+    "\\ntsvcs*",
+    "\\postex_*",
+    "\\samr_*",
+    "\\spoolss_*",
+    "\\srvsvc_*",
+    "\\status_*",
+    "\\UIA_PIPE"*
+    "\\win_svc*",
+    "\\winsock*",
+    "\\wkssvc_*",
+  )
+  | stats count min(_time) as firstTime max(_time) as lastTime
   by dest dvc pipe_name process_exec process_guid process_id process_name process_path
-  signature signature_id user_id vendor_product Image PipeName | `security_content_ctime(firstTime)`
-  | `security_content_ctime(lastTime)` | `cobalt_strike_named_pipes_filter`'
+  signature signature_id user_id vendor_product Image PipeName
+  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)`
+  | `cobalt_strike_named_pipes_filter`
 how_to_implement: To successfully implement this search, you need to be ingesting
   logs with the process name, parent process, and command-line executions from your
   endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the

detections/endpoint/detect_renamed_winrar.yml

@@ -1,7 +1,7 @@
 name: Detect Renamed WinRAR
 id: 1b7bfb2c-b8e6-11eb-99ac-acde48001122
-version: 12
-date: '2025-05-02'
+version: 13
+date: '2025-06-16'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
@@ -18,13 +18,15 @@ data_source:
 - CrowdStrike ProcessRollup2
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
   as lastTime from datamodel=Endpoint.Processes where Processes.original_file_name=WinRAR.exe
-  (Processes.process_name!=rar.exe OR Processes.process_name!=winrar.exe) by Processes.action
-  Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec
-  Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name
-  Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid
-  Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name
-  Processes.process_path Processes.user Processes.user_id Processes.vendor_product
-  | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
+  (Processes.process_name!=rar.exe AND Processes.process_name!=winrar.exe) 
+  by Processes.action Processes.dest Processes.original_file_name Processes.parent_process 
+  Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id 
+  Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec 
+  Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level 
+  Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
+  | `drop_dm_object_name(Processes)`
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`
   | `detect_renamed_winrar_filter`'
 how_to_implement: The detection is based on data that originates from Endpoint Detection
   and Response (EDR) agents. These agents are designed to provide security-related

detections/endpoint/excessive_usage_of_cacls_app.yml

@@ -1,37 +1,56 @@
 name: Excessive Usage Of Cacls App
 id: 0bdf6092-af17-11eb-939a-acde48001122
-version: 8
-date: '2025-05-02'
+version: 9
+date: '2025-06-17'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
-description: The following analytic identifies excessive usage of `cacls.exe`, `xcacls.exe`,
-  or `icacls.exe` to change file or folder permissions. It leverages data from Endpoint
-  Detection and Response (EDR) agents, focusing on process names and command-line
-  executions. This activity is significant as it may indicate an adversary attempting
-  to restrict access to malware components or artifacts on a compromised system. If
-  confirmed malicious, this behavior could prevent users from deleting or accessing
+description: |
+  The following analytic identifies excessive usage of `cacls.exe`, `xcacls.exe`,
+  or `icacls.exe` to change file or folder permissions.
+  It looks for 10 or more execution of the aforementioned processes in the span of 1 minute. 
+  It leverages data from Endpoint Detection and Response (EDR) agents, 
+  focusing on process names and command-line executions.
+  This activity is significant as it may indicate an adversary attempting
+  to restrict access to malware components or artifacts on a compromised system.
+  If confirmed malicious, this behavior could prevent users from deleting or accessing
   critical files, aiding in the persistence and concealment of malicious activities.
 data_source:
 - Sysmon EventID 1
 - Windows Event Log Security 4688
 - CrowdStrike ProcessRollup2
-search: '| tstats `security_content_summariesonly` values(Processes.dest) as dest
-  values(Processes.user) as user min(_time) as firstTime max(_time) as lastTime values(Processes.action)
-  as action values(Processes.original_file_name) as original_file_name values(Processes.parent_process_exec)
-  as parent_process_exec values(Processes.parent_process_guid) as parent_process_guid
-  values(Processes.parent_process_id) as parent_process_id values(Processes.parent_process_path)
-  as parent_process_path values(Processes.process) as process values(Processes.process_exec)
-  as process_exec values(Processes.process_guid) as process_guid values(Processes.process_hash)
-  as process_hash values(Processes.process_id) as process_id values(Processes.process_integrity_level)
-  as process_integrity_level values(Processes.process_name) as process_name values(Processes.process_path)
-  as process_path values(Processes.user_id) as user_id values(Processes.vendor_product)
-  as vendor_product count from datamodel=Endpoint.Processes where Processes.process_name
-  = "cacls.exe" OR Processes.process_name = "icacls.exe" OR Processes.process_name
-  = "XCACLS.exe" by Processes.parent_process_name Processes.parent_process Processes.dest
-  Processes.user _time span=1m | where count >=10 | `drop_dm_object_name(Processes)`
-  | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_usage_of_cacls_app_filter`'
-how_to_implement: The detection is based on data that originates from Endpoint Detection
+search: |
+  | tstats `security_content_summariesonly` 
+    min(_time) as firstTime 
+    max(_time) as lastTime 
+    values(Processes.dest) as dest
+    values(Processes.user) as user 
+    values(Processes.action) as action 
+    values(Processes.original_file_name) as original_file_name 
+    values(Processes.parent_process_exec) as parent_process_exec 
+    values(Processes.parent_process_guid) as parent_process_guid
+    values(Processes.parent_process_id) as parent_process_id 
+    values(Processes.parent_process_path) as parent_process_path 
+    values(Processes.process) as process 
+    values(Processes.process_exec) as process_exec 
+    values(Processes.process_guid) as process_guid 
+    values(Processes.process_hash) as process_hash 
+    values(Processes.process_id) as process_id 
+    values(Processes.process_integrity_level) as process_integrity_level 
+    values(Processes.process_name) as process_name 
+    values(Processes.process_path) as process_path 
+    values(Processes.user_id) as user_id 
+    values(Processes.vendor_product) as vendor_product count 
+  from datamodel=Endpoint.Processes where 
+  Processes.process_name IN( "icacls.exe", "cacls.exe", "xcacls.exe") 
+  by Processes.parent_process_name Processes.parent_process Processes.dest Processes.user _time span=1m 
+  | where count >=10 
+  | `drop_dm_object_name(Processes)`
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)` 
+  | `excessive_usage_of_cacls_app_filter`
+how_to_implement: |
+  The detection is based on data that originates from Endpoint Detection
   and Response (EDR) agents. These agents are designed to provide security-related
   telemetry from the endpoints where the agent is installed. To implement this search,
   you must ingest logs that contain the process GUID, process name, and parent process.

detections/endpoint/icacls_deny_command.yml

@@ -1,11 +1,12 @@
 name: Icacls Deny Command
 id: cf8d753e-a8fe-11eb-8f58-acde48001122
-version: 8
-date: '2025-05-02'
+version: 9
+date: '2025-06-17'
 author: Teoderick Contreras, Splunk
 status: production
-type: TTP
-description: The following analytic detects instances where an adversary modifies
+type: Anomaly
+description: |
+  The following analytic detects instances where an adversary modifies
   security permissions of a file or directory using commands like "icacls.exe", "cacls.exe",
   or "xcacls.exe" with deny options. It leverages data from Endpoint Detection and
   Response (EDR) agents, focusing on process names and command-line executions. This
@@ -17,17 +18,22 @@ data_source:
 - Sysmon EventID 1
 - Windows Event Log Security 4688
 - CrowdStrike ProcessRollup2
-search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time)
-  as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN( "icacls.exe",
-  "cacls.exe", "xcacls.exe") AND Processes.process IN ("*/deny*", "*/D*") by Processes.action
-  Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec
-  Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name
-  Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid
-  Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name
-  Processes.process_path Processes.user Processes.user_id Processes.vendor_product
-  | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
-  | `icacls_deny_command_filter`'
-how_to_implement: The detection is based on data that originates from Endpoint Detection
+search: |
+  | tstats `security_content_summariesonly` min(_time) as firstTime max(_time)
+  as lastTime from datamodel=Endpoint.Processes where 
+  Processes.process_name IN ( "icacls.exe", "cacls.exe", "xcacls.exe") AND 
+  Processes.process IN ("*/deny*", "*/d:*", "*/d ") 
+  by Processes.action Processes.dest Processes.original_file_name Processes.parent_process 
+  Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id 
+  Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec 
+  Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level 
+  Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
+  | `drop_dm_object_name(Processes)` 
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`
+  | `icacls_deny_command_filter`
+how_to_implement: |
+  The detection is based on data that originates from Endpoint Detection
   and Response (EDR) agents. These agents are designed to provide security-related
   telemetry from the endpoints where the agent is installed. To implement this search,
   you must ingest logs that contain the process GUID, process name, and parent process.

detections/endpoint/icacls_grant_command.yml

@@ -1,11 +1,12 @@
 name: ICACLS Grant Command
 id: b1b1e316-accc-11eb-a9b4-acde48001122
-version: 7
-date: '2025-05-02'
+version: 8
+date: '2025-06-17'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
-description: The following analytic detects the use of the ICACLS command to grant
+description: |
+  The following analytic detects the use of the ICACLS command to grant
   additional access permissions to files or directories. It leverages data from Endpoint
   Detection and Response (EDR) agents, focusing on specific process names and command-line
   arguments. This activity is significant because it is commonly used by Advanced
@@ -17,17 +18,22 @@ data_source:
 - Sysmon EventID 1
 - Windows Event Log Security 4688
 - CrowdStrike ProcessRollup2
-search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time)
-  as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN( "icacls.exe",
-  "cacls.exe", "xcacls.exe") AND Processes.process IN ("*/grant*", "*/G*") by Processes.action
-  Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec
-  Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name
-  Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid
-  Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name
-  Processes.process_path Processes.user Processes.user_id Processes.vendor_product
-  | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
-  | `icacls_grant_command_filter`'
-how_to_implement: The detection is based on data that originates from Endpoint Detection
+search: |
+  | tstats `security_content_summariesonly` min(_time) as firstTime max(_time)
+  as lastTime from datamodel=Endpoint.Processes where 
+  Processes.process_name IN ( "icacls.exe", "cacls.exe", "xcacls.exe") AND 
+  Processes.process IN ("*/grant*", "*/g:*", "*/g *") 
+  by Processes.action Processes.dest Processes.original_file_name Processes.parent_process 
+  Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id 
+  Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec 
+  Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level 
+  Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
+  | `drop_dm_object_name(Processes)` 
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`
+  | `icacls_grant_command_filter`
+how_to_implement: |
+  The detection is based on data that originates from Endpoint Detection
   and Response (EDR) agents. These agents are designed to provide security-related
   telemetry from the endpoints where the agent is installed. To implement this search,
   you must ingest logs that contain the process GUID, process name, and parent process.

detections/endpoint/modify_acl_permission_to_files_or_folder.yml

@@ -1,7 +1,7 @@
 name: Modify ACL permission To Files Or Folder
 id: 7e8458cc-acca-11eb-9e3f-acde48001122
-version: 8
-date: '2025-05-02'
+version: 9
+date: '2025-06-17'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -17,20 +17,27 @@ data_source:
 - Sysmon EventID 1
 - Windows Event Log Security 4688
 - CrowdStrike ProcessRollup2
-search: '| tstats `security_content_summariesonly` values(Processes.process) as process
-  values(Processes.process_id) as process_id count min(_time) as firstTime max(_time)
-  as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = "cacls.exe"
-  OR Processes.process_name = "icacls.exe" OR Processes.process_name = "xcacls.exe")
-  AND Processes.process = "*/G*" AND (Processes.process = "* everyone:*"  OR Processes.process
-  = "* SYSTEM:*" OR Processes.process = "* S-1-1-0:*") by Processes.action Processes.dest
-  Processes.original_file_name Processes.parent_process Processes.parent_process_exec
-  Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name
-  Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid
-  Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name
-  Processes.process_path Processes.user Processes.user_id Processes.vendor_product
-  | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
-  | `modify_acl_permission_to_files_or_folder_filter`'
-how_to_implement: The detection is based on data that originates from Endpoint Detection
+search: |
+  | tstats `security_content_summariesonly` count 
+    min(_time) as firstTime 
+    max(_time) as lastTime
+    values(Processes.process) as process
+    values(Processes.process_id) as process_id 
+  from datamodel=Endpoint.Processes where 
+    Processes.process_name IN ("icacls.exe", "cacls.exe", "xcacls.exe") 
+    Processes.process IN ("*/grant*", "*/g:*", "*/g *") 
+    Processes.process IN ("* Everyone:*", "* SYSTEM:*", "* S-1-1-0:*")
+  by Processes.action Processes.dest Processes.original_file_name Processes.parent_process 
+  Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id 
+  Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec 
+  Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level 
+  Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
+  | `drop_dm_object_name(Processes)` 
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`
+  | `modify_acl_permission_to_files_or_folder_filter`
+how_to_implement: |
+  The detection is based on data that originates from Endpoint Detection
   and Response (EDR) agents. These agents are designed to provide security-related
   telemetry from the endpoints where the agent is installed. To implement this search,
   you must ingest logs that contain the process GUID, process name, and parent process.

detections/endpoint/network_traffic_to_active_directory_web_services_protocol.yml

@@ -1,7 +1,7 @@
 name: Network Traffic to Active Directory Web Services Protocol
 id: 68a0056c-34cb-455f-b03d-df935ea62c4f
-version: 8
-date: '2025-05-02'
+version: 9
+date: '2025-06-17'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
@@ -30,7 +30,7 @@ how_to_implement: The detection is based on data that originates from network tr
 known_false_positives: False positives should be limited as the destination port is
   specific to Active Directory Web Services Protocol, however we recommend utilizing
   this analytic to hunt for non-standard processes querying the ADWS port. Filter
-  by App or dest_ip to AD servers and remove known proceses querying ADWS.
+  by App or dest_ip to AD servers and remove known processes querying ADWS.
 references:
 - https://github.com/FalconForceTeam/SOAPHound
 tags: