Merge branch 'develop' into kbouchard-patch-1

Author: ljstella

contentctl.yml

@@ -3,7 +3,7 @@ app:
   uid: 3449
   title: ES Content Updates
   appid: DA-ESS-ContentUpdate
-  version: 5.25.0
+  version: 5.26.0
   description: Explore the Analytic Stories included with ES Content Updates.
   prefix: ESCU
   label: ESCU
@@ -170,12 +170,6 @@ apps:
   version: 5.1.0
   description: description of app
   hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-microsoft-office-365_510.tgz
-- uid: 2890
-  title: Splunk Machine Learning Toolkit
-  appid: SPLUNK_MACHINE_LEARNING_TOOLKIT
-  version: 5.5.0
-  description: description of app
-  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-machine-learning-toolkit_550.tgz
 - uid: 5518
   title: Splunk add on for Microsoft Defender Advanced Hunting
   appid: SPLUNK_ADD_ON_FOR_MICROSOFT_DEFENDER_ADVANCED_HUNTING
@@ -206,12 +200,6 @@ apps:
   version: 3.2.1
   description: description of app
   hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/crowdstrike-falcon-event-streams-technical-add-on_321.tgz
-- uid: 2882
-  title: Python for Scientific Computing (for Linux 64-bit)
-  appid: Splunk_SA_Scientific_Python_linux_x86_64
-  version: 4.2.2
-  description: PSC for MLTK
-  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/python-for-scientific-computing-for-linux-64-bit_422.tgz
 - uid: 6254
   title: Splunk Add-on for Github
   appid: Splunk_TA_github

detections/endpoint/executables_or_script_creation_in_suspicious_path.yml

@@ -1,7 +1,7 @@
 name: Executables Or Script Creation In Suspicious Path
 id: a7e3f0f0-ae42-11eb-b245-acde48001122
-version: 25
-date: '2026-03-16'
+version: 26
+date: '2026-03-31'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -148,6 +148,7 @@ tags:
         - DynoWiper
         - XML Runner Loader
         - Void Manticore
+        - Axios Supply Chain Post Compromise
     asset_type: Endpoint
     mitre_attack_id:
         - T1036

detections/endpoint/executables_or_script_creation_in_temp_path.yml

@@ -1,7 +1,7 @@
 name: Executables Or Script Creation In Temp Path
 id: e0422b71-2c05-4f32-8754-01fb415f49c9
-version: 21
-date: '2026-03-16'
+version: 22
+date: '2026-03-31'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -131,6 +131,7 @@ tags:
         - PromptFlux
         - XML Runner Loader
         - Void Manticore
+        - Axios Supply Chain Post Compromise
     asset_type: Endpoint
     mitre_attack_id:
         - T1036

detections/endpoint/linux_auditd_file_permission_modification_via_chmod.yml

@@ -1,7 +1,7 @@
 name: Linux Auditd File Permission Modification Via Chmod
 id: 5f1d2ea7-eec0-4790-8b24-6875312ad492
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
 author: "Teoderick Contreras, Splunk, Ivar Nygård"
 status: production
 type: Anomaly
@@ -45,6 +45,7 @@ tags:
         - XorDDos
         - Salt Typhoon
         - Linux Privilege Escalation
+        - Axios Supply Chain Post Compromise
     asset_type: Endpoint
     mitre_attack_id:
         - T1222.002

detections/endpoint/linux_auditd_possible_access_to_credential_files.yml

@@ -1,7 +1,7 @@
 name: Linux Auditd Possible Access To Credential Files
 id: 0419cb7a-57ea-467b-974f-77c303dfe2a3
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -44,6 +44,7 @@ tags:
         - China-Nexus Threat Activity
         - Salt Typhoon
         - Linux Privilege Escalation
+        - Axios Supply Chain Post Compromise
     asset_type: Endpoint
     mitre_attack_id:
         - T1003.008

detections/endpoint/linux_common_process_for_elevation_control.yml

@@ -1,7 +1,7 @@
 name: Linux Common Process For Elevation Control
 id: 66ab15c0-63d0-11ec-9e70-acde48001122
-version: 10
-date: '2026-02-25'
+version: 11
+date: '2026-03-31'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
@@ -38,6 +38,7 @@ tags:
         - Linux Living Off The Land
         - Salt Typhoon
         - Linux Privilege Escalation
+        - Axios Supply Chain Post Compromise
     asset_type: Endpoint
     mitre_attack_id:
         - T1548.001

detections/endpoint/linux_ingress_tool_transfer_hunting.yml

@@ -1,7 +1,7 @@
 name: Linux Ingress Tool Transfer Hunting
 id: 52fd468b-cb6d-48f5-b16a-92f1c9bb10cf
-version: 10
-date: '2026-02-25'
+version: 11
+date: '2026-03-31'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
@@ -39,6 +39,7 @@ tags:
         - Linux Living Off The Land
         - XorDDos
         - NPM Supply Chain Compromise
+        - Axios Supply Chain Post Compromise
     asset_type: Endpoint
     mitre_attack_id:
         - T1105

detections/endpoint/macos_lolbin.yml

@@ -1,15 +1,15 @@
 name: MacOS LOLbin
 id: 58d270fb-5b39-418e-a855-4b8ac046805e
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
 author: Patrick Bareiss, Splunk
 status: production
 type: TTP
 description: The following analytic detects multiple executions of Living off the Land (LOLbin) binaries on macOS within a short period. It leverages osquery to monitor process events and identifies commands such as "find", "crontab", "screencapture", "openssl", "curl", "wget", "killall", and "funzip". This activity is significant as LOLbins are often used by attackers to perform malicious actions while evading detection. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or persist within the environment, posing a significant security risk.
 data_source:
     - osquery
 search: |-
-    `osquery_macro` name=es_process_events columns.cmdline IN ("find*", "crontab*", "screencapture*", "openssl*", "curl*", "wget*", "killall*", "funzip*")
+    `osquery_macro` name=es_process_events columns.cmdline IN ("find*", "crontab*", "screencapture*", "openssl*", "curl*", "wget*", "killall*", "funzip*", "chmod*")
       | rename columns.* as *
       | stats  min(_time) as firstTime max(_time) as lastTime values(cmdline) as cmdline, values(pid) as pid, values(parent) as parent, values(path) as path, values(signing_id) as signing_id,  dc(path) as dc_path
         BY username host
@@ -45,6 +45,7 @@ tags:
     analytic_story:
         - Living Off The Land
         - Hellcat Ransomware
+        - Axios Supply Chain Post Compromise
     asset_type: Endpoint
     mitre_attack_id:
         - T1059.004

detections/endpoint/powershell_4104_hunting.yml

@@ -1,7 +1,7 @@
 name: PowerShell 4104 Hunting
 id: d6f2b006-0041-11ec-8885-acde48001122
-version: 23
-date: '2026-03-10'
+version: 24
+date: '2026-03-31'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
@@ -238,6 +238,7 @@ tags:
         - Hellcat Ransomware
         - Microsoft WSUS CVE-2025-59287
         - MuddyWater
+        - Axios Supply Chain Post Compromise
     asset_type: Endpoint
     mitre_attack_id:
         - T1059.001

detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml

@@ -1,7 +1,7 @@
 name: Powershell Fileless Script Contains Base64 Encoded Content
 id: 8acbc04c-c882-11eb-b060-acde48001122
-version: 17
-date: '2026-03-10'
+version: 18
+date: '2026-03-31'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -62,6 +62,7 @@ tags:
         - Microsoft WSUS CVE-2025-59287
         - NetSupport RMM Tool Abuse
         - MuddyWater
+        - Axios Supply Chain Post Compromise
     mitre_attack_id:
         - T1027
         - T1059.001