splunk · nasbench · Oct 1, 2025 · Oct 1, 2025 · Oct 1, 2025 · Oct 6, 2025
@@ -1,9 +1,9 @@
 name: Detect Rundll32 Application Control Bypass - advpack
 id: 4aefadfe-9abd-4bf8-b3fd-867e9ef95bf8
-version: 11
-date: '2025-05-02'
+version: 12
+date: '2025-10-06'
 author: Michael Haag, Splunk
-status: production
+status: deprecated
 type: TTP
 description: The following analytic detects the execution of rundll32.exe loading
   advpack.dll or ieadvpack.dll via the LaunchINFSection function. This method is identified

@@ -1,9 +1,9 @@
 name: Detect Rundll32 Application Control Bypass - setupapi
 id: 61e7b44a-6088-4f26-b788-9a96ba13b37a
-version: 11
-date: '2025-05-02'
+version: 12
+date: '2025-10-06'
 author: Michael Haag, Splunk
-status: production
+status: deprecated
 type: TTP
 description: The following analytic detects the execution of rundll32.exe loading
   setupapi.dll and iesetupapi.dll via the LaunchINFSection function. This behavior

@@ -1,9 +1,9 @@
 name: Detect Rundll32 Application Control Bypass - syssetup
 id: 71b9bf37-cde1-45fb-b899-1b0aa6fa1183
-version: 11
-date: '2025-05-02'
+version: 12
+date: '2025-10-06'
 author: Michael Haag, Splunk
-status: production
+status: deprecated
 type: TTP
 description: The following analytic detects the execution of rundll32.exe loading
   syssetup.dll via the LaunchINFSection function. This method is identified through

@@ -1,9 +1,9 @@
 name: Windows Change Default File Association For No File Ext
 id: dbdf52ad-d6a1-4b68-975f-0a10939d8e38
-version: 8
-date: '2025-05-02'
+version: 9
+date: '2025-10-06'
 author: Teoderick Contreras, Splunk
-status: production
+status: deprecated
 type: TTP
 description: The following analytic detects attempts to change the default file association
   for files without an extension to open with Notepad.exe. It leverages data from

@@ -1,11 +1,12 @@
 name: Add or Set Windows Defender Exclusion
 id: 773b66fe-4dd9-11ec-8289-acde48001122
-version: '10'
-date: '2025-05-06'
-author: Teoderick Contreras, Splunk
+version: 11
+date: '2025-10-01'
+author: Teoderick Contreras, Nasreddine Bencherchali, Splunk
 status: production
 type: TTP
-description: The following analytic detects the use of commands to add or set exclusions
+description: |
+  The following analytic detects the use of commands to add or set exclusions
   in Windows Defender. It leverages data from Endpoint Detection and Response (EDR)
   agents, focusing on command-line executions involving "Add-MpPreference" or "Set-MpPreference"
   with exclusion parameters. This activity is significant because adversaries often
@@ -14,20 +15,33 @@ description: The following analytic detects the use of commands to add or set ex
   detection, maintain persistence, and execute further malicious activities without
   interference from Windows Defender.
 data_source:
-- Sysmon EventID 1
-- Windows Event Log Security 4688
-- CrowdStrike ProcessRollup2
-search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
-  as lastTime from datamodel=Endpoint.Processes where (Processes.process = "*Add-MpPreference
-  *" OR Processes.process = "*Set-MpPreference *") AND Processes.process="*-exclusion*"
+  - Sysmon EventID 1
+  - Windows Event Log Security 4688
+  - CrowdStrike ProcessRollup2
+search: |
+  | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
+  as lastTime from datamodel=Endpoint.Processes where 
+  (
+    Processes.process = "*Add-MpPreference *"
+    OR 
+    Processes.process = "*Set-MpPreference *"
+  ) 
+  Processes.process IN (
+        "*-Exclusion*", 
+        "*-ControlledFolderAccessAllowedApplications*", 
+        "*-AttackSurfaceReductionOnlyExclusions*"
+        )
   by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
-  Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
-  Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec
-  Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level
-  Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
-  | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
-  | `add_or_set_windows_defender_exclusion_filter`'
-how_to_implement: The detection is based on data that originates from Endpoint Detection
+     Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
+     Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec
+     Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level
+     Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
+  | `drop_dm_object_name(Processes)` 
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`
+  | `add_or_set_windows_defender_exclusion_filter`
+how_to_implement: |
+  The detection is based on data that originates from Endpoint Detection
   and Response (EDR) agents. These agents are designed to provide security-related
   telemetry from the endpoints where the agent is installed. To implement this search,
   you must ingest logs that contain the process GUID, process name, and parent process.
@@ -36,59 +50,60 @@ how_to_implement: The detection is based on data that originates from Endpoint D
   the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
   data model. Use the Splunk Common Information Model (CIM) to normalize the field
   names and speed up the data modeling process.
-known_false_positives: Admin or user may choose to use this windows features. Filter
-  as needed.
+known_false_positives: |
+  Admin or user may choose to use this windows features. Filter as needed.
 references:
-- https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html
-- https://app.any.run/tasks/cf1245de-06a7-4366-8209-8e3006f2bfe5/
-- https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/
+  - https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html
+  - https://app.any.run/tasks/cf1245de-06a7-4366-8209-8e3006f2bfe5/
+  - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/
+  - https://learn.microsoft.com/en-us/powershell/module/defender/add-mppreference?view=windowsserver2025-ps
 drilldown_searches:
-- name: View the detection results for - "$user$" and "$dest$"
-  search: '%original_detection_search% | search  user = "$user$" dest = "$dest$"'
-  earliest_offset: $info_min_time$
-  latest_offset: $info_max_time$
-- name: View risk events for the last 7 days for - "$user$" and "$dest$"
-  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$",
-    "$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time)
-    as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk
-    Message" values(analyticstories) as "Analytic Stories" values(annotations._all)
-    as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics"
-    by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
-  earliest_offset: $info_min_time$
-  latest_offset: $info_max_time$
+  - name: View the detection results for - "$user$" and "$dest$"
+    search: '%original_detection_search% | search  user = "$user$" dest = "$dest$"'
+    earliest_offset: $info_min_time$
+    latest_offset: $info_max_time$
+  - name: View risk events for the last 7 days for - "$user$" and "$dest$"
+    search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$",
+      "$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time)
+      as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk
+      Message" values(analyticstories) as "Analytic Stories" values(annotations._all)
+      as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics"
+      by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+    earliest_offset: $info_min_time$
+    latest_offset: $info_max_time$
 rba:
   message: exclusion command $process$ executed on $dest$
   risk_objects:
-  - field: user
-    type: user
-    score: 64
-  - field: dest
-    type: system
-    score: 64
+    - field: user
+      type: user
+      score: 64
+    - field: dest
+      type: system
+      score: 64
   threat_objects: []
 tags:
   analytic_story:
-  - Compromised Windows Host
-  - AgentTesla
-  - Data Destruction
-  - Remcos
-  - CISA AA22-320A
-  - ValleyRAT
-  - XWorm
-  - WhisperGate
-  - Windows Defense Evasion Tactics
-  - Crypto Stealer
+    - Compromised Windows Host
+    - AgentTesla
+    - Data Destruction
+    - Remcos
+    - CISA AA22-320A
+    - ValleyRAT
+    - XWorm
+    - WhisperGate
+    - Windows Defense Evasion Tactics
+    - Crypto Stealer
   asset_type: Endpoint
   mitre_attack_id:
-  - T1562.001
+    - T1562.001
   product:
-  - Splunk Enterprise
-  - Splunk Enterprise Security
-  - Splunk Cloud
+    - Splunk Enterprise
+    - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: endpoint
 tests:
-- name: True Positive Test
-  attack_data:
-  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/defender_exclusion_sysmon/sysmon.log
-    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
-    sourcetype: XmlWinEventLog
+  - name: True Positive Test
+    attack_data:
+    - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/defender_exclusion_sysmon/sysmon.log
+      source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+      sourcetype: XmlWinEventLog
@@ -1,16 +1,16 @@
 name: Attempt To Add Certificate To Untrusted Store
 id: 6bc5243e-ef36-45dc-9b12-f4a6be131159
-version: 15
-date: '2025-05-02'
+version: 16
+date: '2025-10-06'
 author: Patrick Bareiss, Rico Valdez, Splunk
 status: production
-type: TTP
-description: The following analytic detects attempts to add a certificate to the untrusted
-  certificate store using the 'certutil -addstore' command. It leverages process activity
-  and command-line arguments from Endpoint Detection and Response (EDR) logs mapped
-  to the Splunk `Processes` data model. This activity is significant as it may indicate
-  an attacker trying to disable security tools to gain unauthorized access. If confirmed
-  malicious, this could lead to the compromise of system security, allowing attackers
+type: Anomaly
+description: |
+  The following analytic detects attempts to add a certificate to the untrusted
+  certificate store using the 'certutil -addstore' command. 
+  It leverages process activity and command-line arguments from Endpoint Detection and Response (EDR) logs mapped to the Splunk `Processes` data model. 
+  This activity is significant as it may indicate an attacker trying to disable security tools to gain unauthorized access.
+  If confirmed malicious, this could lead to the compromise of system security, allowing attackers
   to bypass defenses and potentially escalate privileges or persist in the environment.
 data_source:
 - Sysmon EventID 1

@@ -1,7 +1,7 @@
 name: Common Ransomware Extensions
 id: a9e5c5db-db11-43ca-86a8-c852d1b2c0ec
-version: 15
-date: '2025-07-29'
+version: 16
+date: '2025-10-01'
 author: David Dorsey, Michael Haag, Splunk, Steven Dick
 status: production
 type: TTP
@@ -15,23 +15,46 @@ description: The following analytic detects modifications to files with extensio
   data integrity and availability.
 data_source:
 - Sysmon EventID 11
-search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time)
-  as lastTime count latest(Filesystem.user) as user values(Filesystem.file_path) as
-  file_path from datamodel=Endpoint.Filesystem by Filesystem.action Filesystem.dest
-  Filesystem.file_access_time Filesystem.file_create_time Filesystem.file_hash Filesystem.file_modify_time
-  Filesystem.file_name Filesystem.file_path Filesystem.file_acl Filesystem.file_size
-  Filesystem.process_guid Filesystem.process_id Filesystem.user Filesystem.vendor_product
-  | `drop_dm_object_name(Filesystem)` | rex field=file_name "(?<file_extension>\.[^\.]+)$"
+search: |
+  | tstats `security_content_summariesonly` 
+    min(_time) as firstTime 
+    max(_time) as lastTime 
+    count latest(Filesystem.user) as user 
+          values(Filesystem.file_path) as file_path 
+    from datamodel=Endpoint.Filesystem by 
+          Filesystem.action Filesystem.dest
+          Filesystem.file_access_time Filesystem.file_create_time 
+          Filesystem.file_hash Filesystem.file_modify_time
+          Filesystem.file_name Filesystem.file_path 
+          Filesystem.file_acl Filesystem.file_size
+          Filesystem.process_guid Filesystem.process_id 
+          Filesystem.user Filesystem.vendor_product
+  | `drop_dm_object_name(Filesystem)` 
+  | rex field=file_name "(?<file_extension>(\.[^\.]+){1,2})$"
   | lookup update=true ransomware_extensions_lookup Extensions AS file_extension OUTPUT
-  Extensions Name | search Name !=False | stats min(firstTime) as firstTime max(lastTime)
-  as lastTime dc(file_path) as path_count dc(file_name) as file_count values(action)
-  as action values(file_access_time) as file_access_time values(file_create_time)
-  as file_create_time values(file_hash) as file_hash values(file_modify_time) as file_modify_time
-  values(file_acl) as file_acl values(file_size) as file_size values(process_guid)
-  as process_guid values(process_id) as process_id values(user) as user values(vendor_product)
-  as vendor_product values(file_name) as file_name values(file_extension) as file_extension values(Name) as Name by dest 
+  Extensions Name 
+  | search Name !=False 
+  | stats min(firstTime) as firstTime 
+          max(lastTime) as lastTime 
+          dc(file_path) as path_count 
+          dc(file_name) as file_count 
+          values(action) as action 
+          values(file_access_time) as file_access_time 
+          values(file_create_time) as file_create_time 
+          values(file_hash) as file_hash 
+          values(file_modify_time) as file_modify_time
+          values(file_acl) as file_acl 
+          values(file_size) as file_size 
+          values(process_guid) as process_guid 
+          values(process_id) as process_id 
+          values(user) as user 
+          values(vendor_product) as vendor_product 
+          values(file_name) as file_name 
+          values(file_extension) as file_extension 
+          values(Name) as Name 
+    by dest 
   | where path_count > 1 OR file_count > 20 
-  | `common_ransomware_extensions_filter`'
+  | `common_ransomware_extensions_filter`
 how_to_implement: You must be ingesting data that records the filesystem activity
   from your hosts to populate the Endpoint Filesystem data model node. To see the
   additional metadata, add the following fields, if not already present, please review

@@ -1,11 +1,11 @@
 name: Linux Java Spawning Shell
 id: 7b09db8a-5c20-11ec-9945-acde48001122
-version: 8
-date: '2025-05-02'
+version: 9
+date: '2025-10-07'
 author: Michael Haag, Splunk
 status: production
 type: TTP
-description: The following analytic detects instances where Java, Apache, or Tomcat
+description: The following analytic detects instances where Java, or Tomcat
   processes spawn a Linux shell, which may indicate exploitation attempts, such as
   those related to CVE-2021-44228 (Log4Shell). This detection leverages Endpoint Detection
   and Response (EDR) telemetry, focusing on process names and parent-child process
@@ -15,16 +15,26 @@ description: The following analytic detects instances where Java, Apache, or Tom
   access, posing a severe threat to the environment.
 data_source:
 - Sysmon for Linux EventID 1
-search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
-  as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=java
-  OR Processes.parent_process_name=apache OR Processes.parent_process_name=tomcat
-  `linux_shells` by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
-  Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
-  Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec
-  Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level
-  Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
-  | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
-  | `linux_java_spawning_shell_filter`'
+search: |
+  | tstats `security_content_summariesonly` 
+    count min(_time) as firstTime 
+          max(_time) as lastTime 
+
+  from datamodel=Endpoint.Processes where 
+
+  Processes.parent_process_name IN ("java", "tomcat")
+  `linux_shells` 
+
+  by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
+     Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
+     Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec 
+     Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level 
+     Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
+
+  | `drop_dm_object_name(Processes)` 
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`
+  | `linux_java_spawning_shell_filter`
 how_to_implement: The detection is based on data that originates from Endpoint Detection
   and Response (EDR) agents. These agents are designed to provide security-related
   telemetry from the endpoints where the agent is installed. To implement this search,