diff --git a/contentctl.yml b/contentctl.yml index 78635c7cf5..794d347eb1 100644 --- a/contentctl.yml +++ b/contentctl.yml @@ -123,11 +123,11 @@ apps: description: description of app hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-stream-wire-data_816.tgz - uid: 2757 - title: Palo Alto Networks Add-on for Splunk - appid: PALO_ALTO_NETWORKS_ADD_ON_FOR_SPLUNK - version: 8.1.3 + title: Splunk Add-on for Palo Alto Networks + appid: SPLUNK_ADD_ON_FOR_PALO_ALTO_NETWORKS + version: 3.0.0 description: description of app - hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/palo-alto-networks-add-on-for-splunk_813.tgz + hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-palo-alto-networks_300.tgz - uid: 3865 title: Zscaler Technical Add-On for Splunk appid: Zscaler_CIM diff --git a/data_sources/palo_alto_network_threat.yml b/data_sources/palo_alto_network_threat.yml index a486085366..5e8dbf8fcb 100644 --- a/data_sources/palo_alto_network_threat.yml +++ b/data_sources/palo_alto_network_threat.yml @@ -1,7 +1,7 @@ name: Palo Alto Network Threat id: 375c2b0e-d216-41ad-9406-200464595209 -version: 2 -date: '2025-01-23' +version: 3 +date: '2026-03-23' author: Patrick Bareiss, Splunk description: Logs detected threats identified by Palo Alto Networks devices, including details about malware, intrusion attempts, and malicious network activity. @@ -11,12 +11,12 @@ mitre_components: - Network Traffic Flow - Application Log Content - Host Status -source: pan:threat +source: not_applicable sourcetype: pan:threat supported_TA: - name: Palo Alto Networks Add-on - url: https://splunkbase.splunk.com/app/2757 - version: 8.1.3 + url: https://splunkbase.splunk.com/app/7523 + version: 3.0.0 field_mappings: - data_model: cim data_set: Web diff --git a/data_sources/palo_alto_network_traffic.yml b/data_sources/palo_alto_network_traffic.yml index a2f3147ddc..2825028cbb 100644 
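Review bot: `uid: 2757` is kept on the renamed app entry while the two data-source files in this same commit (palo_alto_network_threat.yml and palo_alto_network_traffic.yml) move their supported_TA url to splunkbase app 7523, so contentctl.yml and the data sources now disagree on which Splunkbase app version 3.0.0 belongs to. If the uid is meant to identify the Splunkbase app, it should follow the url (`- uid: 7523`); if keeping the old id is intentional, a short comment on the entry saying why would stop the next reader from "fixing" it. The hardcoded_path already names the new package, which suggests the uid was simply missed.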
--- a/data_sources/palo_alto_network_traffic.yml +++ b/data_sources/palo_alto_network_traffic.yml @@ -1,7 +1,7 @@ name: Palo Alto Network Traffic id: 182a83bc-c31a-4817-8c7a-263744cec52a -version: 2 -date: '2025-01-23' +version: 3 +date: '2026-03-23' author: Patrick Bareiss, Splunk description: Logs network traffic events captured by Palo Alto Networks devices, including details about sessions, protocols, and source and destination IPs. @@ -11,12 +11,12 @@ mitre_components: - Network Connection Creation - Response Metadata - Application Log Content -source: screenconnect_palo_traffic +source: not_applicable sourcetype: pan:traffic supported_TA: - name: Palo Alto Networks Add-on - url: https://splunkbase.splunk.com/app/2757 - version: 8.1.3 + url: https://splunkbase.splunk.com/app/7523 + version: 3.0.0 fields: - _time - date_hour diff --git a/data_sources/windows_event_log_security_4756.yml b/data_sources/windows_event_log_security_4756.yml new file mode 100644 index 0000000000..2e02ba4afb --- /dev/null +++ b/data_sources/windows_event_log_security_4756.yml @@ -0,0 +1,18 @@ +name: Windows Event Log Security 4756 +id: b0093058-0cb6-4c73-a95b-fb0f3541e88c +version: 1 +date: '2026-03-23' +author: Nasreddine Bencherchali, Splunk +description: Data source object for Windows Event Log Security 4754 +source: XmlWinEventLog:Security +sourcetype: XmlWinEventLog +separator: EventCode +supported_TA: +- name: Splunk Add-on for Microsoft Windows + url: https://splunkbase.splunk.com/app/742 + version: 9.1.2 +fields: +- _time +output_fields: +- dest +example_log: '' diff --git a/detections/application/email_attachments_with_lots_of_spaces.yml b/detections/application/email_attachments_with_lots_of_spaces.yml index 1694496b6e..676efb0c7b 100644 --- a/detections/application/email_attachments_with_lots_of_spaces.yml +++ b/detections/application/email_attachments_with_lots_of_spaces.yml 
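Review bot: The description of the new data source reads `Data source object for Windows Event Log Security 4754` while the file name and `name: Windows Event Log Security 4756` refer to 4756; these are different events, so the text should say `Windows Event Log Security 4756`. The `fields:` list holds only `_time` and `example_log: ''` is empty, which is noticeably thinner than the other data sources touched in this commit; if contentctl validates or publishes these, a representative 4756 event and its extracted fields should be filled in before a detection references this source.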
@@ -1,7 +1,7 @@ name: Email Attachments With Lots Of Spaces id: 56e877a6-1455-4479-ada6-0550dc1e22f8 -version: 9 -date: '2026-03-10' +version: 10 +date: '2026-03-25' author: David Dorsey, Splunk status: experimental type: Anomaly @@ -35,6 +35,9 @@ tags: - Hermetic Wiper - Suspicious Emails asset_type: Endpoint + mitre_attack_id: + - T1566.001 + - T1036.008 product: - Splunk Enterprise - Splunk Enterprise Security diff --git a/detections/application/suspicious_java_classes.yml b/detections/application/suspicious_java_classes.yml index b926aaba20..865ecf7238 100644 --- a/detections/application/suspicious_java_classes.yml +++ b/detections/application/suspicious_java_classes.yml 
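Review bot: `mitre_attack_id` is inserted at different positions inside `tags` across this commit: after `asset_type` here and in suspicious_java_classes.yml, but after `security_domain` in cloud_compute_instance_created_with_previously_unseen_instance_type.yml and certutil_exe_certificate_extraction.yml. Unless contentctl re-serialises tag order on build, keeping one position (whichever the rest of the repository already uses) makes future diffs of these blocks smaller and easier to review.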
@@ -1,24 +1,36 @@ name: Suspicious Java Classes id: 6ed33786-5e87-4f55-b62c-cb5f1168b831 -version: 7 -date: '2026-03-10' +version: 8 +date: '2026-03-25' author: Jose Hernandez, Splunk status: experimental type: Anomaly -description: The following analytic identifies suspicious Java classes often used for remote command execution exploits in Java frameworks like Apache Struts. It detects this activity by analyzing HTTP POST requests with specific content patterns using Splunk's `stream_http` data source. This behavior is significant because it may indicate an attempt to exploit vulnerabilities in web applications, potentially leading to unauthorized remote code execution. If confirmed malicious, this activity could allow attackers to execute arbitrary commands on the server, leading to data breaches, system compromise, and further network infiltration. +description: |- + The following analytic identifies suspicious Java classes often used for remote command execution exploits in Java frameworks like Apache Struts. + It detects this activity by analyzing HTTP POST requests with specific content patterns using Splunk's `stream_http` data source. + This behavior is significant because it may indicate an attempt to exploit vulnerabilities in web applications, potentially leading to unauthorized remote code execution. + If confirmed malicious, this activity could allow attackers to execute arbitrary commands on the server, leading to data breaches, system compromise, and further network infiltration. 
data_source: [] search: |- - `stream_http` http_method=POST http_content_length>1 - | regex form_data="(?i)java\.lang\.(?:runtime - | processbuilder)" - | rename src_ip as src - | stats count earliest(_time) as firstTime, latest(_time) as lastTime, values(url) as uri, values(status) as status, values(http_user_agent) as http_user_agent - BY src, dest - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `suspicious_java_classes_filter` -how_to_implement: In order to properly run this search, Splunk needs to ingest data from your web-traffic appliances that serve or sit in the path of your Struts application servers. This can be accomplished by indexing data from a web proxy, or by using network traffic-analysis tools, such as Splunk Stream or Bro. -known_false_positives: There are no known false positives. + `stream_http` + http_method=POST + http_content_length>1 + | regex form_data="(?i)java\.lang\.(?:runtime|processbuilder)" + | rename src_ip as src + | stats count earliest(_time) as firstTime + latest(_time) as lastTime + values(url) as uri + values(status) as status + values(http_user_agent) as http_user_agent + BY src dest + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `suspicious_java_classes_filter` +how_to_implement: |- + In order to properly run this search, Splunk needs to ingest data from your web-traffic appliances that serve or sit in the path of your Struts application servers. + This can be accomplished by indexing data from a web proxy, or by using network traffic-analysis tools, such as Splunk Stream or Bro. +known_false_positives: |- + No false positives have been identified at this time. references: [] rba: message: Suspicious Java Classes in HTTP requests involving $src$ and $dest$ @@ -34,6 +46,8 @@ tags: analytic_story: - Apache Struts Vulnerability asset_type: Endpoint + mitre_attack_id: + - T1190 product: - Splunk Enterprise - Splunk Enterprise Security 
diff --git a/detections/cloud/cloud_compute_instance_created_with_previously_unseen_instance_type.yml b/detections/cloud/cloud_compute_instance_created_with_previously_unseen_instance_type.yml index b8c2962817..2fb994226d 100644 --- a/detections/cloud/cloud_compute_instance_created_with_previously_unseen_instance_type.yml +++ b/detections/cloud/cloud_compute_instance_created_with_previously_unseen_instance_type.yml 
@@ -1,17 +1,27 @@ name: Cloud Compute Instance Created With Previously Unseen Instance Type id: c6ddbf53-9715-49f3-bb4c-fb2e8a309cda -version: 8 -date: '2026-03-10' +version: 9 +date: '2026-03-25' author: David Dorsey, Splunk status: production type: Anomaly -description: The following analytic detects the creation of EC2 instances with previously unseen instance types. It leverages Splunk's tstats command to analyze data from the Change data model, identifying instance types that have not been previously recorded. This activity is significant for a SOC because it may indicate unauthorized or suspicious activity, such as an attacker attempting to create instances for malicious purposes. If confirmed malicious, this could lead to unauthorized access, data exfiltration, system compromise, or service disruption. Immediate investigation is required to determine the legitimacy of the instance creation. +description: |- + The following analytic detects the creation of EC2 instances with previously unseen instance types. + It leverages Splunk's tstats command to analyze data from the Change data model, identifying instance types that have not been previously recorded. + This activity is significant for a SOC because it may indicate unauthorized or suspicious activity, such as an attacker attempting to create instances for malicious purposes. + If confirmed malicious, this could lead to unauthorized access, data exfiltration, system compromise, or service disruption. Immediate investigation is required to determine the legitimacy of the instance creation. 
data_source: - AWS CloudTrail search: |- - | tstats earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object_id) as dest, count FROM datamodel=Change - WHERE All_Changes.action=created - BY All_Changes.Instance_Changes.instance_type, All_Changes.user + | tstats count earliest(_time) as firstTime + latest(_time) as lastTime + values(All_Changes.object_id) as dest + FROM datamodel=Change WHERE + + All_Changes.action=created + + BY All_Changes.Instance_Changes.instance_type All_Changes.user + | `drop_dm_object_name("All_Changes")` | `drop_dm_object_name("Instance_Changes")` | where instance_type != "unknown" 
@@ -23,8 +33,10 @@ search: |- | table firstTime, user, dest, count, instance_type | `security_content_ctime(firstTime)` | `cloud_compute_instance_created_with_previously_unseen_instance_type_filter` -how_to_implement: You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Compute Instance Types - Initial` to build the initial table of instance types observed and times. You must also enable the second baseline search `Previously Seen Cloud Compute Instance Types - Update` to keep this table up to date and to age out old data. You can also provide additional filtering for this search by customizing the `cloud_compute_instance_created_with_previously_unseen_instance_type_filter` macro. -known_false_positives: It is possible that an admin will create a new system using a new instance type that has never been used before. Verify with the creator that they intended to create the system with the new instance type. +how_to_implement: |- + You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Compute Instance Types - Initial` to build the initial table of instance types observed and times. You must also enable the second baseline search `Previously Seen Cloud Compute Instance Types - Update` to keep this table up to date and to age out old data. You can also provide additional filtering for this search by customizing the `cloud_compute_instance_created_with_previously_unseen_instance_type_filter` macro. +known_false_positives: |- + It is possible that an admin will create a new system using a new instance type that has never been used before. Verify with the creator that they intended to create the system with the new instance type. references: [] drilldown_searches: - name: View the detection results for - "$dest$" 
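Review bot: `how_to_implement` and `known_false_positives` are converted to `|-` block scalars but keep the whole paragraph on one line, while `description` in the previous hunk of this file is wrapped one sentence per line; the same mixed treatment appears in certutil_exe_certificate_extraction.yml and malicious_powershell_process___encoded_command.yml. Since the block scalar is introduced precisely to allow wrapping, either wrap these fields the same way as `description` or leave them as plain scalars so the diff does not carry a no-op change.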
@@ -54,6 +66,8 @@ tags: - Splunk Enterprise Security - Splunk Cloud security_domain: threat + mitre_attack_id: + - T1578.002 manual_test: This search needs the baseline `Previously Seen Cloud Compute Instance Types - Initial` to be run first. tests: - name: True Positive Test diff --git a/detections/endpoint/certutil_exe_certificate_extraction.yml b/detections/endpoint/certutil_exe_certificate_extraction.yml index f88c416d5f..29e386e928 100644 --- a/detections/endpoint/certutil_exe_certificate_extraction.yml +++ b/detections/endpoint/certutil_exe_certificate_extraction.yml 
@@ -1,31 +1,49 @@ name: Certutil exe certificate extraction id: 337a46be-600f-11eb-ae93-0242ac130002 -version: 13 -date: '2026-03-10' +version: 14 +date: '2026-03-25' author: Rod Soto, Splunk status: production type: TTP -description: The following analytic identifies the use of certutil.exe with arguments indicating the manipulation or extraction of certificates. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because extracting certificates can allow attackers to sign new authentication tokens, particularly in federated environments like Windows ADFS. If confirmed malicious, this could enable attackers to forge authentication tokens, potentially leading to unauthorized access and privilege escalation within the network. +description: |- + The following analytic identifies the use of certutil.exe with arguments indicating the manipulation or extraction of certificates. + It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. + This activity is significant because extracting certificates can allow attackers to sign new authentication tokens, particularly in federated environments like Windows ADFS. + If confirmed malicious, this could enable attackers to forge authentication tokens, potentially leading to unauthorized access and privilege escalation within the network. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 search: |- - | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes - WHERE Processes.process_name=certutil.exe Processes.process = "*-exportPFX*" - BY Processes.action Processes.dest Processes.original_file_name - Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid - Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path - Processes.process Processes.process_exec Processes.process_guid - Processes.process_hash Processes.process_id Processes.process_integrity_level - Processes.process_name Processes.process_path Processes.user - Processes.user_id Processes.vendor_product + | tstats `security_content_summariesonly` + count min(_time) as firstTime + max(_time) as lastTime + FROM datamodel=Endpoint.Processes + WHERE + ( + Processes.process_name=certutil.exe + OR + Processes.original_file_name=certutil.exe + ) + Processes.process = "*-exportPFX*" + + BY Processes.action Processes.dest Processes.original_file_name + Processes.parent_process Processes.parent_process_exec + Processes.parent_process_guid Processes.parent_process_id + Processes.parent_process_name Processes.parent_process_path + Processes.process Processes.process_exec Processes.process_guid + Processes.process_hash Processes.process_id Processes.process_integrity_level + Processes.process_name Processes.process_path Processes.user + Processes.user_id Processes.vendor_product + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `certutil_exe_certificate_extraction_filter` -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. 
To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Unless there are specific use cases, manipulating or exporting certificates using certutil is uncommon. Extraction of certificate has been observed during attacks such as Golden SAML and other campaigns targeting Federated services. +how_to_implement: |- + The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: |- + Unless there are specific use cases, manipulating or exporting certificates using certutil is uncommon. Extraction of certificate has been observed during attacks such as Golden SAML and other campaigns targeting Federated services. references: - https://blog.sygnia.co/detection-and-hunting-of-golden-saml-attack - https://strontic.github.io/xcyclopedia/library/certutil.exe-09A8A29BAA3A451713FD3D07943B4A43.html 
@@ -66,6 +84,8 @@ tags: - Splunk Enterprise Security - Splunk Cloud security_domain: endpoint + mitre_attack_id: + - T1649 tests: - name: True Positive Test attack_data: diff --git a/detections/endpoint/detect_computer_changed_with_anonymous_account.yml b/detections/endpoint/detect_computer_changed_with_anonymous_account.yml index d95308af2b..9e1237c29a 100644 --- a/detections/endpoint/detect_computer_changed_with_anonymous_account.yml +++ b/detections/endpoint/detect_computer_changed_with_anonymous_account.yml 
@@ -1,30 +1,38 @@ name: Detect Computer Changed with Anonymous Account id: 1400624a-d42d-484d-8843-e6753e6e3645 -version: 9 -date: '2026-02-25' +version: 10 +date: '2026-03-18' author: Rod Soto, Jose Hernandez, Splunk -status: experimental +status: production type: Hunting -description: The following analytic detects changes to computer accounts using an anonymous logon. It leverages Windows Security Event Codes 4742 (Computer Change) and 4624 (Successful Logon) with the TargetUserName set to "ANONYMOUS LOGON" and LogonType 3. This activity is significant because anonymous logons should not typically be modifying computer accounts, indicating potential unauthorized access or misconfiguration. If confirmed malicious, this could allow an attacker to alter computer accounts, potentially leading to privilege escalation or persistent access within the network. +description: | + The following analytic detects changes to computer accounts using an anonymous logon. + It leverages Windows Security Event Codes 4742 (Computer Change) with a SubjectUserName of a value "ANONYMOUS LOGON". + This activity can be significant because anonymous logons should not typically be modifying computer accounts, indicating potential unauthorized access or misconfiguration. + If confirmed malicious, this could allow an attacker to alter computer accounts, potentially leading to privilege escalation or persistent access within the network. 
data_source: - - Windows Event Log Security 4624 - Windows Event Log Security 4742 search: |- - `wineventlog_security` EventCode=4624 OR EventCode=4742 TargetUserName="ANONYMOUS LOGON" LogonType=3 - | stats count min(_time) as firstTime max(_time) as lastTime - BY action app authentication_method - dest dvc process - process_id process_name process_path - signature signature_id src - src_port status subject - user user_group vendor_product - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `detect_computer_changed_with_anonymous_account_filter` -how_to_implement: This search requires audit computer account management to be enabled on the system in order to generate Event ID 4742. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Event Logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives. -known_false_positives: No false positives have been identified at this time. + `wineventlog_security` + EventCode=4742 + SubjectUserName="ANONYMOUS LOGON" + PasswordLastSet="*" + | stats count min(_time) as firstTime max(_time) as lastTime + BY action app dest ProcessID PasswordLastSet + signature signature_id src_user status + SubjectDomainName user user_group vendor_product + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `detect_computer_changed_with_anonymous_account_filter` +how_to_implement: | + This search requires "Audit Computer Account Management" sub-category in the audit policy to be enabled on the system in order to generate Event ID 4742, as well as "Audit Logon" to generate Event ID 4624. + We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Event Logs. + Replace the macro definition with configurations for your Splunk environment. 
The search also uses a post-filter macro designed to filter out known false positives. +known_false_positives: Some legitimate, legacy devices may utilize this functionality and generate false positives. Apply additional tuning as needed. references: - https://www.lares.com/blog/from-lares-labs-defensive-guidance-for-zerologon-cve-2020-1472/ + - https://netwrix.com/en/cybersecurity-glossary/cyber-security-attacks/zerologon-vulnerability/ + - https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Credential%20Access/Zerologon_VoidSec_CVE-2020-1472_4626_LT3_Anonym_follwedby_4742_DC_Anony_DC.evtx tags: analytic_story: - Detect Zerologon Attack @@ -38,3 +46,9 @@ tags: - Splunk Enterprise Security - Splunk Cloud security_domain: endpoint +tests: + - name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1212/zerologon/zerologon.log + source: XmlWinEventLog:Security + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/malicious_powershell_process___encoded_command.yml b/detections/endpoint/malicious_powershell_process___encoded_command.yml index ee52923103..4f74640734 100644 --- a/detections/endpoint/malicious_powershell_process___encoded_command.yml +++ b/detections/endpoint/malicious_powershell_process___encoded_command.yml 
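Review bot: `how_to_implement` still says `as well as "Audit Logon" to generate Event ID 4624`, but this hunk removes `Windows Event Log Security 4624` from `data_source` and the new search matches only `EventCode=4742`, so that clause should be dropped to keep the prerequisites in line with what the search consumes. `PasswordLastSet="*"` will, as far as I can tell, also match the `-` placeholder that 4742 carries when the password was not changed, so if the intent is to surface only machine-account password resets, `PasswordLastSet!="-"` is the tighter filter; worth confirming against the zerologon.log dataset added in the tests section of this commit. `known_false_positives` is also the only rewritten field left as a plain scalar; using `|` like its neighbours keeps the file uniform.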
@@ -1,18 +1,42 @@ name: Malicious PowerShell Process - Encoded Command id: c4db14d9-7909-48b4-a054-aa14d89dbb19 -version: 19 -date: '2026-02-09' +version: 20 +date: '2026-03-25' author: David Dorsey, Michael Haag, Splunk, SirDuckly, GitHub Community status: production type: Hunting -description: The following analytic detects the use of the EncodedCommand parameter in PowerShell processes. It leverages Endpoint Detection and Response (EDR) data to identify variations of the EncodedCommand parameter, including shortened forms and different command switch types. This activity is significant because adversaries often use encoded commands to obfuscate malicious scripts, making detection harder. If confirmed malicious, this behavior could allow attackers to execute hidden code, potentially leading to unauthorized access, privilege escalation, or persistent threats within the environment. Review parallel events to determine legitimacy and tune based on known administrative scripts. +description: | + The following analytic detects the use of the EncodedCommand parameter in PowerShell processes. It leverages Endpoint Detection and Response (EDR) data to identify variations of the EncodedCommand parameter, including shortened forms and different command switch types. + This activity is significant because adversaries often use encoded commands to obfuscate malicious scripts, making detection harder. + If confirmed malicious, this behavior could allow attackers to execute hidden code, potentially leading to unauthorized access, privilege escalation, or persistent threats within the environment. + Review parallel events to determine legitimacy and tune based on known administrative scripts. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where match(process,\"(?i)[\\-|\\/|–|—|―][Ee^]{1,2}[NnCcOoDdEeMmAa^]+\\s+[\\\"]?[A-Za-z0-9+/=]{5,}[\\\"]?\") | `malicious_powershell_process___encoded_command_filter`" -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: System administrators may use this option, but it's not common. 
+search: |- + | tstats `security_content_summariesonly` + count min(_time) as firstTime + max(_time) as lastTime + from datamodel=Endpoint.Processes where + `process_powershell` + by Processes.action Processes.dest Processes.original_file_name + Processes.parent_process Processes.parent_process_exec + Processes.parent_process_guid Processes.parent_process_id + Processes.parent_process_name Processes.parent_process_path + Processes.process Processes.process_exec Processes.process_guid + Processes.process_hash Processes.process_id Processes.process_integrity_level + Processes.process_name Processes.process_path Processes.user + Processes.user_id Processes.vendor_product + | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | where match(process,"(?i)(?:^|\\s)(?:/|-(?:-)?|\\u2013(?:\\u2013)?|\\u2014(?:\\u2014)?|\\u2015(?:\\u2015)?)e(?:n(?:c(?:o(?:d(?:e(?:d(?:c(?:o(?:m(?:m(?:a(?:n(?:d)?)?)?)?)?)?)?)?)?)?)?)?(?:\\s+['\\\"]?\\S+['\\\"]?)?") + | `malicious_powershell_process___encoded_command_filter` +how_to_implement: | + The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: | + System administrators may use this option, but it's not common. 
references: - https://regexr.com/662ov - https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/Windows/TestHarnesses/T1059.001_PowerShell/OutPowerShellCommandLineParameter.ps1 diff --git a/detections/endpoint/outbound_network_connection_from_java_using_default_ports.yml b/detections/endpoint/outbound_network_connection_from_java_using_default_ports.yml index fd6af464f8..278c4be82f 100644 --- a/detections/endpoint/outbound_network_connection_from_java_using_default_ports.yml +++ b/detections/endpoint/outbound_network_connection_from_java_using_default_ports.yml 
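Review bot: The new `where match(process, ...)` pattern drops the payload requirement of the old one: after the dash or slash and `e` every further character is optional and there is no trailing boundary, so `-ExecutionPolicy`, `-ep`, `-ErrorAction` or any other switch beginning with `e` is matched on `-e` alone, which will flood this hunting search with ordinary `powershell -ExecutionPolicy Bypass` invocations. Making the trailing group mandatory and reinstating the old base64 character class, `(?:\\s+['\\\"]?[A-Za-z0-9+/=]{5,}['\\\"]?)` in place of the final optional group, restores the previous precision while keeping the abbreviation handling. Separately, the dashes are now spelled `\\u2013`, `\\u2014`, `\\u2015`; PCRE, which Splunk's match() uses, does not accept `\u` escapes in its default mode, so unless this was run on a live instance, `\\x{2013}` (or the literal dash characters the old pattern used) is the safer spelling. The value is also now a `|-` block scalar rather than a double-quoted YAML string, so the backslash doubling reaches SPL unmodified and the regex should be re-checked in that form.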
@@ -1,56 +1,65 @@ name: Outbound Network Connection from Java Using Default Ports id: d2c14d28-5c47-11ec-9892-acde48001122 -version: 10 -date: '2026-03-10' +version: 11 +date: '2026-03-18' author: Mauricio Velazco, Lou Stella, Splunk status: production type: TTP -description: "The following analytic detects outbound network connections from Java processes to default ports used by LDAP and RMI protocols, which may indicate exploitation of the CVE-2021-44228-Log4j vulnerability. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and network traffic logs. Monitoring this activity is crucial as it can signify an attacker’s attempt to perform JNDI lookups and retrieve malicious payloads. If confirmed malicious, this activity could lead to remote code execution and further compromise of the affected server." +description: | + The following analytic detects outbound network connections from Java processes to default ports used by LDAP and RMI protocols, which may indicate exploitation of the CVE-2021-44228-Log4j vulnerability. + This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and network traffic logs. + Monitoring this activity is crucial as it can signify an attacker's attempt to perform JNDI lookups and retrieve malicious payloads. + If confirmed malicious, this activity could lead to remote code execution and further compromise of the affected server. 
data_source: - Sysmon EventID 1 AND Sysmon EventID 3 search: |- - | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes - WHERE ( - Processes.process_name="java.exe" - OR - Processes.process_name=javaw.exe - OR - Processes.process_name=javaw.exe - ) - BY Processes.action Processes.dest Processes.original_file_name - Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid - Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path - Processes.process Processes.process_exec Processes.process_guid - Processes.process_hash Processes.process_id Processes.process_integrity_level - Processes.process_name Processes.process_path Processes.user - Processes.user_id Processes.vendor_product + | tstats `security_content_summariesonly` count + FROM datamodel=Endpoint.Processes WHERE + + Processes.process_name IN ( + "java.exe", + "javaw.exe" + ) + BY Processes.action Processes.dest Processes.original_file_name + Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid + Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path + Processes.process Processes.process_exec Processes.process_guid + Processes.process_hash Processes.process_id Processes.process_integrity_level + Processes.process_name Processes.process_path Processes.user + Processes.user_id Processes.vendor_product + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | join process_id [ - | tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic - WHERE ( - All_Traffic.dest_port= 389 - OR - All_Traffic.dest_port= 636 - OR - All_Traffic.dest_port = 1389 - OR - All_Traffic.dest_port = 1099 + | join process_id + [ + | tstats `security_content_summariesonly` count + FROM datamodel=Network_Traffic.All_Traffic WHERE + All_Traffic.dest_port IN ( + 389, + 636, + 1099, + 1389 ) - BY 
All_Traffic.action All_Traffic.app All_Traffic.bytes - All_Traffic.bytes_in All_Traffic.bytes_out All_Traffic.dest - All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.dvc - All_Traffic.protocol All_Traffic.protocol_version All_Traffic.src - All_Traffic.src_ip All_Traffic.src_port All_Traffic.transport - All_Traffic.user All_Traffic.vendor_product All_Traffic.direction - All_Traffic.process_id - | `drop_dm_object_name(All_Traffic)` - | rename dest as connection_to_CNC] - | table _time dest parent_process_name process_name process_path process dest_port + BY All_Traffic.action All_Traffic.app All_Traffic.bytes + All_Traffic.bytes_in All_Traffic.bytes_out All_Traffic.dest + All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.dvc + All_Traffic.protocol All_Traffic.protocol_version All_Traffic.src + All_Traffic.src_ip All_Traffic.src_port All_Traffic.transport + All_Traffic.user All_Traffic.vendor_product All_Traffic.direction + All_Traffic.process_id + | `drop_dm_object_name(All_Traffic)` + | rename dest as connection_to_CNC + ] + | table _time dest + parent_process_path parent_process_name parent_process + process_path process_name process process_hash + connection_to_CNC dest_port user | `outbound_network_connection_from_java_using_default_ports_filter` -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
-known_false_positives: Legitimate Java applications may use perform outbound connections to these ports. Filter as needed +how_to_implement: | + The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: | + Legitimate Java applications may use perform outbound connections to these ports. Filter as needed references: - https://www.lunasec.io/docs/blog/log4j-zero-day/ - https://www.govcert.admin.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/ diff --git a/detections/endpoint/possible_lateral_movement_powershell_spawn.yml b/detections/endpoint/possible_lateral_movement_powershell_spawn.yml index f9cfba8f4d..e59877f38f 100644 --- a/detections/endpoint/possible_lateral_movement_powershell_spawn.yml +++ b/detections/endpoint/possible_lateral_movement_powershell_spawn.yml 
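Review bot: The rewritten search pipes through `security_content_ctime(firstTime)` and `security_content_ctime(lastTime)` but the tstats aggregation still computes only `count`, so neither field exists and both macros operate on nothing; the other hunks in this commit add the aggregates, and this one should read `count min(_time) as firstTime max(_time) as lastTime`. The outer `table` now lists `user`, yet the subsearch also groups by `All_Traffic.user`, which `drop_dm_object_name(All_Traffic)` turns into `user`, and `join` overwrites same-named fields by default, so the reported user is likely the network-traffic one rather than the process owner — confirm which is intended. The process filter matches only `Processes.process_name`, while the searchprotocolhost and sc.exe hunks in the same commit also check `Processes.original_file_name`; adding that alternative here would keep the files consistent.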
@@ -1,18 +1,64 @@ name: Possible Lateral Movement PowerShell Spawn id: cb909b3e-512b-11ec-aa31-3e22fbd008af -version: 13 -date: '2026-03-10' +version: 14 +date: '2026-03-18' author: Mauricio Velazco, Michael Haag, Splunk status: production type: TTP -description: The following analytic detects the spawning of a PowerShell process as a child or grandchild of commonly abused processes like services.exe, wmiprvse.exe, svchost.exe, wsmprovhost.exe, and mmc.exe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process names, as well as command-line executions. This activity is significant as it often indicates lateral movement or remote code execution attempts by adversaries. If confirmed malicious, this behavior could allow attackers to execute code remotely, escalate privileges, or persist within the environment. +description: | + The following analytic detects the spawning of a PowerShell process as a child or grandchild of commonly abused processes like services.exe, wmiprvse.exe, svchost.exe, wsmprovhost.exe, and mmc.exe. + It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process names, as well as command-line executions. + This activity is significant as it could indicates lateral movement or remote code execution attempts by adversaries. + If confirmed malicious, this behavior could allow attackers to execute code remotely, escalate privileges, or persist within the environment. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=wmiprvse.exe OR Processes.parent_process_name=services.exe OR Processes.parent_process_name=svchost.exe OR Processes.parent_process_name=wsmprovhost.exe OR Processes.parent_process_name=mmc.exe) (Processes.process_name=powershell.exe OR (Processes.process_name=cmd.exe AND Processes.process=*powershell.exe*) OR Processes.process_name=pwsh.exe OR (Processes.process_name=cmd.exe AND Processes.process=*pwsh.exe*)) NOT (Processes.process IN ("*c:\\windows\\ccm\\*")) by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `possible_lateral_movement_powershell_spawn_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Legitimate applications may spawn PowerShell as a child process of the the identified processes. Filter as needed. +search: |- + | tstats `security_content_summariesonly` + count min(_time) as firstTime + max(_time) as lastTime + from datamodel=Endpoint.Processes where + + Processes.parent_process_name IN ( + "mmc.exe", + "services.exe", + "svchost.exe", + "wmiprvse.exe", + "wsmprovhost.exe" + ) + AND + ( + Processes.process_name IN ("powershell.exe", "pwsh.exe") + OR + ( + Processes.process_name=cmd.exe + Processes.process IN ( + "*powershell*", + "*pwsh*" + ) + ) + ) + NOT Processes.process IN ("*:\\Windows\\CCM\\*") + + by Processes.action Processes.dest Processes.original_file_name + Processes.parent_process Processes.parent_process_exec + Processes.parent_process_guid Processes.parent_process_id + Processes.parent_process_name Processes.parent_process_path + Processes.process Processes.process_exec Processes.process_guid + Processes.process_hash Processes.process_id Processes.process_integrity_level + Processes.process_name Processes.process_path Processes.user + Processes.user_id Processes.vendor_product + + | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `possible_lateral_movement_powershell_spawn_filter` +how_to_implement: | + The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. 
The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: | + Legitimate applications may spawn PowerShell as a child process of the the identified processes. + Filter as needed. references: - https://attack.mitre.org/techniques/T1021/003/ - https://attack.mitre.org/techniques/T1021/006/ @@ -34,7 +80,13 @@ rba: - field: dest type: system score: 50 - threat_objects: [] + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name + - field: process + type: process tags: analytic_story: - Active Directory Lateral Movement diff --git a/detections/endpoint/suspicious_rundll32_no_command_line_arguments.yml b/detections/endpoint/suspicious_rundll32_no_command_line_arguments.yml index 7e3852734e..ab6b7d1362 100644 --- a/detections/endpoint/suspicious_rundll32_no_command_line_arguments.yml +++ b/detections/endpoint/suspicious_rundll32_no_command_line_arguments.yml 
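Review bot: The new description line reads "it could indicates lateral movement", which should be "could indicate", and the carried-over `known_false_positives` text still says "of the the identified processes". The cmd.exe branch now matches `Processes.process IN ("*powershell*", "*pwsh*")` instead of the old `*powershell.exe*`, so any cmd.exe command line that merely mentions a path or script name containing "powershell" will fire; if that widening is intended it deserves a sentence in the description, otherwise `"*powershell.exe*"` and `"*pwsh.exe*"` keep the previous scope. The WHERE clause also mixes an explicit `AND` between the parent and child conditions with implicit AND for the `NOT` term, which SPL accepts but reads inconsistently.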
@@ -1,32 +1,46 @@ name: Suspicious Rundll32 no Command Line Arguments id: e451bd16-e4c5-4109-8eb1-c4c6ecf048b4 -version: 12 -date: '2026-03-10' +version: 13 +date: '2026-03-25' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects the execution of rundll32.exe without any command line arguments. This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on process execution logs. It is significant because rundll32.exe typically requires command line arguments to function properly, and its absence is often associated with malicious activities, such as those performed by Cobalt Strike. If confirmed malicious, this activity could indicate an attempt to execute arbitrary code, potentially leading to credential dumping, unauthorized file writes, or other malicious actions. +description: |- + The following analytic detects the execution of rundll32.exe without any command line arguments. + This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on process execution logs. + It is significant because rundll32.exe typically requires command line arguments to function properly, and its absence is often associated with malicious activities, such as those performed by Cobalt Strike. + If confirmed malicious, this activity could indicate an attempt to execute arbitrary code, potentially leading to credential dumping, unauthorized file writes, or other malicious actions. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 search: |- - | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes - WHERE `process_rundll32` - BY Processes.action Processes.dest Processes.original_file_name - Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid - Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path - Processes.process Processes.process_exec Processes.process_guid - Processes.process_hash Processes.process_id Processes.process_integrity_level - Processes.process_name Processes.process_path Processes.user - Processes.user_id Processes.vendor_product + | tstats `security_content_summariesonly` + count min(_time) as firstTime + max(_time) as lastTime + + FROM datamodel=Endpoint.Processes WHERE + + `process_rundll32` + Processes.process IN ("*rundll32","*rundll32.exe", "*rundll32.exe\"") + + BY Processes.action Processes.dest Processes.original_file_name + Processes.parent_process Processes.parent_process_exec + Processes.parent_process_guid Processes.parent_process_id + Processes.parent_process_name Processes.parent_process_path + Processes.process Processes.process_exec Processes.process_guid + Processes.process_hash Processes.process_id Processes.process_integrity_level + Processes.process_name Processes.process_path Processes.user + Processes.user_id Processes.vendor_product + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | regex process="(?i)(rundll32\.exe.{0,4}$)" | `suspicious_rundll32_no_command_line_arguments_filter` -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. 
To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Although unlikely, some legitimate applications may use a moved copy of rundll32, triggering a false positive. +how_to_implement: |- + The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: |- + Although unlikely, some legitimate applications may use a moved copy of rundll32, triggering a false positive. references: - https://attack.mitre.org/techniques/T1218/011/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md diff --git a/detections/endpoint/suspicious_searchprotocolhost_no_command_line_arguments.yml b/detections/endpoint/suspicious_searchprotocolhost_no_command_line_arguments.yml index b591f59d89..9dc4116257 100644 --- a/detections/endpoint/suspicious_searchprotocolhost_no_command_line_arguments.yml 
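Review bot: Replacing the `regex process="(?i)(rundll32\.exe.{0,4}$)"` post-filter with `Processes.process IN ("*rundll32","*rundll32.exe", "*rundll32.exe\"")` narrows the match from "rundll32.exe followed by at most four characters" to three exact suffixes, so a command line with trailing whitespace, which some EDR products emit, no longer matches; the searchprotocolhost hunk makes the same change. If wildcard comparison in the tstats WHERE clause is case-sensitive — please confirm — dropping `(?i)` also means `RUNDLL32.EXE` is no longer caught. Either keep the regex after `drop_dm_object_name(Processes)` or add the trailing-space variant `"*rundll32.exe "` to the IN list, and record the chosen matching rule in `how_to_implement`. The block-scalar indicator is `|-` here but `|` in the java and lateral-movement hunks of this commit; picking one keeps the trailing-newline behavior of these fields uniform.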
+++ b/detections/endpoint/suspicious_searchprotocolhost_no_command_line_arguments.yml 
@@ -1,32 +1,51 @@ name: Suspicious SearchProtocolHost no Command Line Arguments id: f52d2db8-31f9-4aa7-a176-25779effe55c -version: 12 -date: '2026-03-10' +version: 13 +date: '2026-03-25' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects instances of searchprotocolhost.exe running without command line arguments. This behavior is unusual and often associated with malicious activities, such as those performed by Cobalt Strike. The detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on process execution data. This activity is significant because searchprotocolhost.exe typically runs with specific arguments, and its absence may indicate an attempt to evade detection. If confirmed malicious, this could lead to unauthorized code execution, potential credential dumping, or other malicious actions within the environment. +description: |- + The following analytic detects instances of searchprotocolhost.exe running without command line arguments. + This behavior is unusual and often associated with malicious activities, such as those performed by Cobalt Strike. + The detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on process execution data. + This activity is significant because searchprotocolhost.exe typically runs with specific arguments, and its absence may indicate an attempt to evade detection. + If confirmed malicious, this could lead to unauthorized code execution, potential credential dumping, or other malicious actions within the environment. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 search: |- - | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes - WHERE Processes.process_name=searchprotocolhost.exe - BY Processes.action Processes.dest Processes.original_file_name - Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid - Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path - Processes.process Processes.process_exec Processes.process_guid - Processes.process_hash Processes.process_id Processes.process_integrity_level - Processes.process_name Processes.process_path Processes.user - Processes.user_id Processes.vendor_product + | tstats `security_content_summariesonly` + count min(_time) as firstTime + max(_time) as lastTime + + FROM datamodel=Endpoint.Processes WHERE + + ( + Processes.process_name=searchprotocolhost.exe + OR + Processes.original_file_name=searchprotocolhost.exe + ) + Processes.process IN ("*searchprotocolhost","*searchprotocolhost.exe", "*searchprotocolhost.exe\"") + + BY Processes.action Processes.dest Processes.original_file_name + Processes.parent_process Processes.parent_process_exec + Processes.parent_process_guid Processes.parent_process_id + Processes.parent_process_name Processes.parent_process_path + Processes.process Processes.process_exec Processes.process_guid + Processes.process_hash Processes.process_id Processes.process_integrity_level + Processes.process_name Processes.process_path Processes.user + Processes.user_id Processes.vendor_product + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | regex process="(?i)(searchprotocolhost\.exe.{0,4}$)" | `suspicious_searchprotocolhost_no_command_line_arguments_filter` -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. 
These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Limited false positives may be present in small environments. Tuning may be required based on parent process. +how_to_implement: |- + The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: |- + No false positives have been identified at this time. references: - https://github.com/mandiant/red_team_tool_countermeasures/blob/master/rules/PGF/supplemental/hxioc/SUSPICIOUS%20EXECUTION%20OF%20SEARCHPROTOCOLHOST%20(METHODOLOGY).ioc drilldown_searches: diff --git a/detections/endpoint/windows_new_deny_permission_set_on_service_sd_via_sc_exe.yml b/detections/endpoint/windows_new_deny_permission_set_on_service_sd_via_sc_exe.yml index 8488829e97..06d4d6271f 100644 
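Review bot: The new `known_false_positives` text replaces "Tuning may be required based on parent process" with "No false positives have been identified at this time" while the same hunk widens the search to also match `Processes.original_file_name=searchprotocolhost.exe`; a broader match paired with less tuning guidance is the opposite of what a reader expects, so the parent-process note should be kept. The suffix-match and case-sensitivity concern raised on the rundll32 hunk applies here unchanged.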
--- a/detections/endpoint/windows_new_deny_permission_set_on_service_sd_via_sc_exe.yml +++ b/detections/endpoint/windows_new_deny_permission_set_on_service_sd_via_sc_exe.yml 
@@ -1,36 +1,64 @@ name: Windows New Deny Permission Set On Service SD Via Sc.EXE id: d0f6a5e5-dbfd-46e1-8bd5-2e2905947c33 -version: 7 -date: '2026-03-10' +version: 8 +date: '2026-03-25' author: Nasreddine Bencherchali, Michael Haag, Splunk status: production type: Anomaly -description: The following analytic detects changes in a service security descriptor where a new deny ace has been added. It leverages data from Endpoint Detection and Response (EDR) agents, specifically searching for any process execution involving the "sc.exe" binary with the "sdset" flag targeting any service and adding a dedicated deny ace. If confirmed malicious, this could allow an attacker to escalate their privileges, blind defenses and more. +description: | + The following analytic detects changes in a service security descriptor where a new deny ace has been added. + It leverages data from Endpoint Detection and Response (EDR) agents, specifically searching for any process execution involving the "sc.exe" binary with the "sdset" flag targeting any service and adding a dedicated deny ace to specific groups. + If confirmed malicious, this could allow an attacker to escalate their privileges, blind defenses and more. + Investigate appropariate services and groups to determine if the behavior is malicious. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 search: |- - | tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes - WHERE ( - Processes.process_name=sc.exe - OR - Processes.original_file_name=sc.exe - ) - Processes.process="*sdset *" Processes.process="*(D;*" Processes.process IN ("*;IU*", "*;S-1-5-4*", "*;SU*", "*;S-1-5-6*", "*;BA*", "*;S-1-5-32-544*", "*;SY*", "*;S-1-5-18*", "*;WD*", "*;S-1-1-0*", "*;AU*", "*;S-1-5-11*", "*;LS*", "*;S-1-5-19*") - BY Processes.action Processes.dest Processes.original_file_name - Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid - Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path - Processes.process Processes.process_exec Processes.process_guid - Processes.process_hash Processes.process_id Processes.process_integrity_level - Processes.process_name Processes.process_path Processes.user - Processes.user_id Processes.vendor_product + | tstats `security_content_summariesonly` + count min(_time) as firstTime + max(_time) as lastTime + values(Processes.process) as process + FROM datamodel=Endpoint.Processes WHERE + ( + Processes.process_name=sc.exe + OR + Processes.original_file_name=sc.exe + ) + Processes.process="*sdset *" + Processes.process="*(D;*" + Processes.process IN ( + "*;IU*", + "*;S-1-5-4*", + "*;SU*", + "*;S-1-5-6*", + "*;BA*", + "*;S-1-5-32-544*", + "*;SY*", + "*;S-1-5-18*", + "*;WD*", + "*;S-1-1-0*", + "*;AU*", + "*;S-1-5-11*", + "*;LS*", + "*;S-1-5-19*" + ) + BY Processes.action Processes.dest Processes.original_file_name + Processes.parent_process Processes.parent_process_exec + Processes.parent_process_guid Processes.parent_process_id + Processes.parent_process_name Processes.parent_process_path + Processes.process Processes.process_exec Processes.process_guid + Processes.process_hash 
Processes.process_id Processes.process_integrity_level + Processes.process_name Processes.process_path Processes.user + Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_new_deny_permission_set_on_service_sd_via_sc_exe_filter` -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process name, and process original file name. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: No false positives have been identified at this time. security-related services should be immediately investigated. +how_to_implement: |- + The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process name, and process original file name. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+known_false_positives: | + - McAfee related services changes are a known false positive. The sc.exe utility is used to deny groups such as Authenticated Users, Built-in Administrators and System access to certain permissions. references: - https://www.sans.org/blog/red-team-tactics-hiding-windows-services/ - https://news.sophos.com/wp-content/uploads/2020/06/glupteba_final-1.pdf diff --git a/detections/endpoint/windows_new_service_security_descriptor_set_via_sc_exe.yml b/detections/endpoint/windows_new_service_security_descriptor_set_via_sc_exe.yml index 602ca2abcd..a461de0a35 100644 --- a/detections/endpoint/windows_new_service_security_descriptor_set_via_sc_exe.yml +++ b/detections/endpoint/windows_new_service_security_descriptor_set_via_sc_exe.yml 
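Review bot: The new description line contains the typo "appropariate" (should be "appropriate"); the same word appears in the next hunk for windows_new_service_security_descriptor_set_via_sc_exe.yml. The `known_false_positives` literal block opens with `- McAfee related services changes ...`, a single dash bullet inside a `|` scalar that YAML keeps as plain text, so the rendered field starts with a stray "- "; dropping the dash here and in the next hunk matches the other files in this commit. In the search, `values(Processes.process) as process` is aggregated while `Processes.process` is also in the BY clause, so after `drop_dm_object_name(Processes)` two fields map to `process`; grouping by process makes the values() single-valued so this looks harmless, but the aggregate is redundant and could be dropped here and in the next hunk.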
@@ -1,36 +1,49 @@ name: Windows New Service Security Descriptor Set Via Sc.EXE id: cde00c31-042a-4307-bf70-25e471da56e9 -version: 7 -date: '2026-03-10' +version: 8 +date: '2026-03-25' author: Nasreddine Bencherchali, Michael Haag, Splunk status: production type: Anomaly -description: The following analytic detects changes in a service security descriptor where a new deny ace has been added. It leverages data from Endpoint Detection and Response (EDR) agents, specifically searching for any process execution involving the "sc.exe" binary with the "sdset" flag targeting any service and adding a dedicated deny ace. If confirmed malicious, this could allow an attacker to escalate their privileges, blind defenses and more. +description: |- + The following analytic detects changes in a service security descriptor. + It leverages data from Endpoint Detection and Response (EDR) agents, specifically searching for any process execution involving the "sc.exe" binary with the "sdset" flag targeting any service. + This behavior can be legitimate, such as when a user or administrator is configuring a service's security settings. + Investigate appropariate services to determine if the behavior is malicious. + If confirmed malicious, this could allow an attacker to escalate their privileges, blind defenses and more. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 search: |- - | tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes - WHERE ( - Processes.process_name=sc.exe - OR - Processes.original_file_name=sc.exe - ) - Processes.process="*sdset *" - BY Processes.action Processes.dest Processes.original_file_name - Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid - Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path - Processes.process Processes.process_exec Processes.process_guid - Processes.process_hash Processes.process_id Processes.process_integrity_level - Processes.process_name Processes.process_path Processes.user - Processes.user_id Processes.vendor_product + | tstats `security_content_summariesonly` + count min(_time) as firstTime + max(_time) as lastTime + values(Processes.process) as process + + FROM datamodel=Endpoint.Processes WHERE + ( + Processes.process_name=sc.exe + OR + Processes.original_file_name=sc.exe + ) + Processes.process="*sdset *" + BY Processes.action Processes.dest Processes.original_file_name + Processes.parent_process Processes.parent_process_exec + Processes.parent_process_guid Processes.parent_process_id + Processes.parent_process_name Processes.parent_process_path + Processes.process Processes.process_exec Processes.process_guid + Processes.process_hash Processes.process_id Processes.process_integrity_level + Processes.process_name Processes.process_path Processes.user + Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_new_service_security_descriptor_set_via_sc_exe_filter` -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. 
These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process name, and process original file name. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: No false positives have been identified at this time. should be identified and understood. +how_to_implement: |- + The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process name, and process original file name. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: |- + - False positives are expected from legitimate system administrator scripts or installation utilities. Filter known parent image and commandline combinations. references: - https://www.sans.org/blog/red-team-tactics-hiding-windows-services/ - https://news.sophos.com/wp-content/uploads/2020/06/glupteba_final-1.pdf 
@@ -45,7 +58,7 @@ drilldown_searches:
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
 rba:
- message: An instance of $parent_process_name$ spawning $process_name$ was identified attempting to disable security services on endpoint $dest$ by user $user$.
+ message: An instance of $parent_process_name$ spawning $process_name$ was identified attempting to change the security descriptor of a service on endpoint $dest$ by user $user$.
 risk_objects:
 - field: user
 type: user
@@ -56,6 +69,8 @@ rba:
 threat_objects:
 - field: process_name
 type: process_name
+ - field: parent_process_name
+ type: parent_process_name
 tags:
 analytic_story:
 - Defense Evasion or Unauthorized Access Via SDDL Tampering
diff --git a/detections/endpoint/windows_privilege_escalation_suspicious_process_elevation.yml b/detections/endpoint/windows_privilege_escalation_suspicious_process_elevation.yml
index 2623bf327e..13986f4e41 100644
--- a/detections/endpoint/windows_privilege_escalation_suspicious_process_elevation.yml
+++ b/detections/endpoint/windows_privilege_escalation_suspicious_process_elevation.yml
@@ -1,16 +1,125 @@ name: Windows Privilege Escalation Suspicious Process Elevation id: 6a80300a-9f8a-4f22-bd3e-09ca577cfdfc -version: 9 -date: '2026-03-10' +version: 10 +date: '2026-03-24' author: Steven Dick status: production type: TTP -description: The following analytic detects when a process running with low or medium integrity from a user account spawns an elevated process with high or system integrity in suspicious locations. This behavior is identified using process execution data from Windows process monitoring or Sysmon EventID 1. This activity is significant as it may indicate a threat actor successfully elevating privileges, which is a common tactic in advanced attacks. If confirmed malicious, this could allow the attacker to execute code with higher privileges, potentially leading to full system compromise and persistent access. +description: | + The following analytic detects when a process running with low or medium integrity from a user account spawns an elevated process with high or system integrity in suspicious locations. + This behavior is identified using process execution data from Windows process monitoring. + This activity is significant as it may indicate a threat actor successfully elevating privileges, which is a common tactic in advanced attacks. + If confirmed malicious, this could allow the attacker to execute code with higher privileges, potentially leading to full system compromise and persistent access. 
data_source: - Sysmon EventID 1 AND Sysmon EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime from datamodel=Endpoint.Processes where Processes.process_integrity_level IN ("low","medium","high") NOT Processes.user IN ("*SYSTEM","*LOCAL SERVICE","*NETWORK SERVICE","DWM-*","*$") by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)` | eval join_guid = process_guid, integrity_level = CASE(match(process_integrity_level,"low"),1,match(process_integrity_level,"medium"),2,match(process_integrity_level,"high"),3,match(process_integrity_level,"system"),4,true(),0) | rename user as src_user, parent_process* as orig_parent_process*, process* as parent_process* | join max=0 dest join_guid [| tstats `security_content_summariesonly` count max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_integrity_level IN ("system") NOT Processes.user IN ("*SYSTEM","*LOCAL SERVICE","*NETWORK SERVICE","DWM-*","*$")) OR (Processes.process_integrity_level IN ("high","system") AND (Processes.parent_process_path IN ("*\\\\*","*\\Users\\*","*\\Temp\\*","*\\ProgramData\\*") OR Processes.process_path IN ("*\\\\*","*\\Users\\*","*\\Temp\\*","*\\ProgramData\\*"))) by Processes.dest, Processes.user, Processes.parent_process_guid, Processes.process_name, Processes.process, Processes.process_path, Processes.process_integrity_level, Processes.process_current_directory | `drop_dm_object_name(Processes)` | eval elevated_integrity_level = 
CASE(match(process_integrity_level,"low"),1,match(process_integrity_level,"medium"),2,match(process_integrity_level,"high"),3,match(process_integrity_level,"system"),4,true(),0) | rename parent_process_guid as join_guid ] | where elevated_integrity_level > integrity_level OR user != elevated_user | fields dest, user, src_user, parent_process_name, parent_process, parent_process_path, parent_process_guid, parent_process_integrity_level, parent_process_current_directory, process_name, process, process_path, process_guid, process_integrity_level, process_current_directory, orig_parent_process_name, orig_parent_process, orig_parent_process_guid, firstTime, lastTime, count | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_privilege_escalation_suspicious_process_elevation_filter`' -how_to_implement: Target environment must ingest process execution data sources such as Windows process monitoring and/or Sysmon EID 1. -known_false_positives: False positives may be generated by administrators installing benign applications using run-as/elevation. 
+search: |- + | tstats `security_content_summariesonly` + count min(_time) as firstTime + + from datamodel=Endpoint.Processes where + + Processes.process_integrity_level IN ("low","medium","high") + NOT Processes.user IN ("*SYSTEM","*LOCAL SERVICE","*NETWORK SERVICE","DWM-*","*$") + + by Processes.action Processes.dest Processes.original_file_name + Processes.parent_process Processes.parent_process_exec + Processes.parent_process_guid Processes.parent_process_id + Processes.parent_process_name Processes.parent_process_path + Processes.process Processes.process_exec Processes.process_guid + Processes.process_hash Processes.process_id + Processes.process_integrity_level Processes.process_name + Processes.process_path Processes.user Processes.user_id + Processes.vendor_product + + | `drop_dm_object_name(Processes)` + | eval join_guid = process_guid, + integrity_level = CASE( + match(process_integrity_level,"low"),1, + match(process_integrity_level,"medium"),2, + match(process_integrity_level,"high"),3, + match(process_integrity_level,"system"),4, + true(),0 + ) + | rename user as src_user, + parent_process* as orig_parent_process*, + process* as parent_process* + + | join max=0 dest join_guid [ + | tstats `security_content_summariesonly` + count max(_time) as lastTime + + from datamodel=Endpoint.Processes where + + ( + Processes.process_integrity_level IN ("system") + NOT Processes.user IN ( + "*SYSTEM", + "*LOCAL SERVICE", + "*NETWORK SERVICE", + "DWM-*", + "*$" + ) + ) + OR + ( + Processes.process_integrity_level IN ( + "high", + "system" + ) + ( + Processes.parent_process_path IN ( + "*\\\\*", + "*\\Users\\*", + "*\\Temp\\*", + "*\\ProgramData\\*" + ) + OR + Processes.process_path IN ( + "*\\\\*", + "*\\Users\\*", + "*\\Temp\\*", + "*\\ProgramData\\*" + ) + ) + ) + + by Processes.dest Processes.user Processes.parent_process_guid + Processes.process_name Processes.process + Processes.process_path Processes.process_integrity_level + 
Processes.process_current_directory + + | `drop_dm_object_name(Processes)` + + | eval elevated_integrity_level = CASE( + match(process_integrity_level,"low"),1, + match(process_integrity_level,"medium"),2, + match(process_integrity_level,"high"),3, + match(process_integrity_level,"system"),4, + true(),0 + ) + | rename parent_process_guid as join_guid + ] + + | where + elevated_integrity_level > integrity_level + OR + user != elevated_user + + | fields dest user src_user parent_process_name parent_process + parent_process_path parent_process_guid + parent_process_integrity_level parent_process_current_directory + process_name process process_path process_guid + process_integrity_level process_current_directory + orig_parent_process_name orig_parent_process + orig_parent_process_guid firstTime lastTime count + + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_privilege_escalation_suspicious_process_elevation_filter` +how_to_implement: |- + Target environment must ingest process execution data sources such as Windows process monitoring and/or Sysmon EID 1. +known_false_positives: |- + False positives may be generated by administrators installing benign applications using run-as/elevation. references: - https://attack.mitre.org/techniques/T1068/ - https://vuls.cert.org/confluence/display/Wiki/2021/06/21/Finding+Privilege+Escalation+Vulnerabilities+in+Windows+using+Process+Monitor diff --git a/detections/endpoint/windows_privilege_escalation_user_process_spawn_system_process.yml b/detections/endpoint/windows_privilege_escalation_user_process_spawn_system_process.yml index db9932b8b9..64dfeff1b4 100644 --- a/detections/endpoint/windows_privilege_escalation_user_process_spawn_system_process.yml +++ b/detections/endpoint/windows_privilege_escalation_user_process_spawn_system_process.yml 
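Review bot: The final `| where elevated_integrity_level > integrity_level OR user != elevated_user` compares against `elevated_user`, a field nothing in the search produces — the subsearch's only rename is `parent_process_guid as join_guid`, so `elevated_user` is always null and that branch of the OR can never match (this predates the commit, but the rewrite preserves it). The outer search already renames the spawning account to `src_user`, so if the intent is to flag a user change across the elevation the line should read `| where elevated_integrity_level > integrity_level OR src_user != user`; otherwise drop the dead branch so the logic matches the description. The unchanged `data_source` entry `Sysmon EventID 1 AND Sysmon EventID 1` also lists the same source twice and should name the Windows process-monitoring source the new description refers to. `parent_process_current_directory` in the `fields` list cannot be populated either, since `process_current_directory` is not in the outer `by` clause before the `process* as parent_process*` rename.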
@@ -1,14 +1,85 @@ name: Windows Privilege Escalation User Process Spawn System Process id: c9687a28-39ad-43c6-8bcf-eaf061ba0cbe -version: 10 -date: '2026-03-10' +version: 11 +date: '2026-03-24' author: Steven Dick status: production type: TTP -description: The following analytic detects when a process with low, medium, or high integrity spawns a system integrity process from a user-controlled location. This behavior is indicative of privilege escalation attempts where attackers elevate their privileges to SYSTEM level from a user-controlled process or service. The detection leverages Sysmon data, specifically Event ID 15, to identify such transitions. Monitoring this activity is crucial as it can signify an attacker gaining SYSTEM-level access, potentially leading to full control over the affected system, unauthorized access to sensitive data, and further malicious activities. +description: | + The following analytic detects when a process with low, medium, or high integrity spawns a system integrity process from a user-controlled location. + This behavior is indicative of privilege escalation attempts where attackers elevate their privileges to SYSTEM level from a user-controlled process or service. + The detection leverages Sysmon data, specifically Event ID 15, to identify such transitions. + Monitoring this activity is crucial as it can signify an attacker gaining SYSTEM-level access, potentially leading to full control over the affected system, unauthorized access to sensitive data, and further malicious activities. 
data_source: - Sysmon EventID 1 AND Sysmon EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime from datamodel=Endpoint.Processes where Processes.process_integrity_level IN ("low","medium","high") NOT Processes.user IN ("*SYSTEM","*LOCAL SERVICE","*NETWORK SERVICE","DWM-*","*$") AND Processes.process_path IN ("*\\\\*","*\\Users\\*","*\\Temp\\*","*\\ProgramData\\*") by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)` | eval join_guid = process_guid | join max=0 dest join_guid [| tstats `security_content_summariesonly` count max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_integrity_level IN ("system") AND Processes.parent_process_path IN ("*\\\\*","*\\Users\\*","*\\Temp\\*","*\\ProgramData\\*") by Processes.dest, Processes.user, Processes.parent_process_guid, Processes.process_name, Processes.process, Processes.process_path, Processes.process_integrity_level, Processes.process_current_directory | `drop_dm_object_name(Processes)` | rename parent_process_guid as join_guid, process* as system_process*, user as system_user ] | fields dest, user, parent_process, parent_process_name, parent_process_guid, process, process_name, process_guid, process_integrity_level,process_path, process_current_directory, system_process_name, system_process, system_process_path, system_process_integrity_level, system_process_current_directory, system_user, firstTime, lastTime, count | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | 
`windows_privilege_escalation_user_process_spawn_system_process_filter`' +search: |- + | tstats `security_content_summariesonly` + count min(_time) as firstTime + + from datamodel=Endpoint.Processes where + + Processes.process_integrity_level IN ( + "low", + "medium", + "high" + ) + Processes.process_path IN ( + "*\\\\*", + "*\\ProgramData\\*", + "*\\Temp\\*", + "*\\Users\\*" + ) + NOT Processes.user IN ( + "*SYSTEM", + "*LOCAL SERVICE", + "*NETWORK SERVICE", + "DWM-*", + "*$" + ) + + by Processes.action Processes.dest Processes.original_file_name + Processes.parent_process Processes.parent_process_exec + Processes.parent_process_guid Processes.parent_process_id + Processes.parent_process_name Processes.parent_process_path + Processes.process Processes.process_exec Processes.process_guid + Processes.process_hash Processes.process_id Processes.process_integrity_level + Processes.process_name Processes.process_path Processes.user + Processes.user_id Processes.vendor_product + + | `drop_dm_object_name(Processes)` + | eval join_guid = process_guid + + | join max=0 dest join_guid [ + + | tstats `security_content_summariesonly` + count max(_time) as lastTime + + from datamodel=Endpoint.Processes where + + Processes.process_integrity_level="system" + Processes.parent_process_path IN ( + "*\\\\*", + "*\\ProgramData\\*", + "*\\Temp\\*", + "*\\Users\\*" + ) + + by Processes.dest Processes.user Processes.parent_process_guid + Processes.process_name Processes.process Processes.process_path + Processes.process_integrity_level Processes.process_current_directory + + | `drop_dm_object_name(Processes)` + | rename parent_process_guid as join_guid, process* as system_process*, user as system_user + ] + | fields dest user parent_process parent_process_name parent_process_guid + process process_name process_guid process_integrity_level process_path + process_current_directory system_process_name system_process system_process_path + system_process_integrity_level 
system_process_current_directory system_user + firstTime lastTime count + + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_privilege_escalation_user_process_spawn_system_process_filter` how_to_implement: Target environment must ingest sysmon data, specifically Event ID 15. known_false_positives: No false positives have been identified at this time. references: diff --git a/detections/endpoint/windows_privileged_group_modification.yml b/detections/endpoint/windows_privileged_group_modification.yml index 31e81df3e0..a11cb3088c 100644 --- a/detections/endpoint/windows_privileged_group_modification.yml +++ b/detections/endpoint/windows_privileged_group_modification.yml 
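Review bot: The rewritten description still says the detection "leverages Sysmon data, specifically Event ID 15", and the unchanged `how_to_implement` line repeats "specifically Event ID 15", but the search runs entirely against `Endpoint.Processes` process-creation fields (`process_integrity_level`, `parent_process_path`) and `data_source` lists Sysmon EventID 1; Sysmon Event ID 15 is the file-stream-hash event and does not carry this data. Both sentences should read `specifically Event ID 1` (or "Windows process monitoring / Sysmon EID 1" as the sibling detections phrase it). The `data_source` entry `Sysmon EventID 1 AND Sysmon EventID 1` duplicates the same source and should be collapsed to a single item.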
@@ -1,31 +1,85 @@ name: Windows Privileged Group Modification id: b8cbef2c-2cc3-4550-b0fc-9715b7852df9 -version: 9 -date: '2026-03-10' +version: 10 +date: '2026-03-23' author: Brandon Sternfield, Optiv + ClearShark +status: production +type: TTP +description: | + This analytic detects modifications to privileged groups in Active Directory, including addition, creation, deletion, and changes to various types of groups such as local, global, universal, and LDAP query groups. + It specifically monitors for changes to high-privilege groups like "Administrators", "Domain Admins", "Enterprise Admins", and "ESX Admins", among others. + This detection is particularly relevant in the context of potential exploitation of vulnerabilities like the VMware ESXi Active Directory Integration Authentication Bypass (CVE-2024-37085), where attackers may attempt to manipulate privileged groups to gain unauthorized access to systems. data_source: - Windows Event Log Security 4727 - Windows Event Log Security 4731 - Windows Event Log Security 4744 - Windows Event Log Security 4749 - Windows Event Log Security 4754 + - Windows Event Log Security 4756 - Windows Event Log Security 4759 - Windows Event Log Security 4783 - Windows Event Log Security 4790 -type: TTP -status: production -description: This analytic detects modifications to privileged groups in Active Directory, including creation, deletion, and changes to various types of groups such as local, global, universal, and LDAP query groups. It specifically monitors for changes to high-privilege groups like "Administrators", "Domain Admins", "Enterprise Admins", and "ESX Admins", among others. This detection is particularly relevant in the context of potential exploitation of vulnerabilities like the VMware ESXi Active Directory Integration Authentication Bypass (CVE-2024-37085), where attackers may attempt to manipulate privileged groups to gain unauthorized access to systems. 
search: |- - `wineventlog_security` EventCode IN (4727,4731,4744,4749,4754,4759,4783,4790) TargetUserName IN ("Account Operators", "Administrators", "Admins DNS", "Backup Operators", "DnsAdmins", "Domain Admins", "Enterprise Admins", "Enterprise Key Admins", "ESX Admins", "ESXi Admins", "Group Policy Creator Owners", "Hyper-V Administrators", "Key Admins", "Print Operators", "Remote Desktop Users", "Remote Management Users", "Replicators", "Schema Admins", "Server Operators") - | eval object_category=case( EventCode="4731", "Local Group (Security)", EventCode="4744", "Local Group (Distribution)", EventCode="4727", "Global Group (Security)", EventCode="4749", "Global Group (Distribution)", EventCode="4754", "Universal Group (Security)", EventCode="4759", "Universal Group (Distribution)", EventCode="4783", "Basic Application Group", EventCode="4790", "LDAP Query Group") - | rename Computer as dest, result AS change_type, TargetUserName AS object, TargetSid AS object_path - | stats count min(_time) as firstTime max(_time) as lastTime + `wineventlog_security` + EventCode IN ( + 4727, + 4731, + 4744, + 4749, + 4754, + 4756, + 4759, + 4783, + 4790 + ) + TargetUserName IN ( + "Account Operators", + "Administrators", + "Admins DNS", + "Backup Operators", + "DnsAdmins", + "Domain Admins", + "Enterprise Admins", + "Enterprise Key Admins", + "ESX Admins", + "ESXi Admins", + "Group Policy Creator Owners", + "Hyper-V Administrators", + "Key Admins", + "Print Operators", + "Remote Desktop Users", + "Remote Management Users", + "Replicators", + "Schema Admins", + "Server Operators" + ) + | eval object_category=case( + EventCode="4727", "Global Group (Security)", + EventCode="4731", "Local Group (Security)", + EventCode="4744", "Local Group (Distribution)", + EventCode="4749", "Global Group (Distribution)", + EventCode="4754", "Universal Group (Security)", + EventCode="4756", "Universal Group (Security)", + EventCode="4759", "Universal Group (Distribution)", + EventCode="4783", 
"Basic Application Group", + EventCode="4790", "LDAP Query Group" + ) + + | rename Computer as dest + result as change_type + TargetUserName as object + TargetSid as object_path + + | stats count min(_time) as firstTime + max(_time) as lastTime BY EventCode src_user object_category object object_path dest change_type status - | `windows_privileged_group_modification_filter` -how_to_implement: To successfully implement this search, ensure that Windows Security Event logging is enabled and being ingested into Splunk, particularly for event codes 4727, 4730, and 4737. Configure Group Policy settings to audit these specific events. -known_false_positives: Legitimate administrators might create, delete, or modify an a privileged group for valid reasons. Verify that the group changes are authorized and part of normal administrative tasks. Consider the context of the action, such as the user performing it and any related activities. + | `windows_privileged_group_modification_filter` +how_to_implement: | + To successfully implement this search, ensure that Windows Security Event logging is enabled and being ingested into Splunk, particularly for event codes 4727, 4730, and 4737. Configure Group Policy settings to audit these specific events. +known_false_positives: | + Legitimate administrators might create, delete, or modify an a privileged group for valid reasons. Verify that the group changes are authorized and part of normal administrative tasks. Consider the context of the action, such as the user performing it and any related activities. references: - https://nvd.nist.gov/vuln/detail/CVE-2024-37085 - https://www.rapid7.com/blog/post/2024/07/30/vmware-esxi-cve-2024-37085-targeted-in-ransomware-campaigns/%5C diff --git a/detections/endpoint/windows_scheduled_task_service_spawned_shell.yml b/detections/endpoint/windows_scheduled_task_service_spawned_shell.yml index bc79cdba72..7c4ff4e7b7 100644 --- a/detections/endpoint/windows_scheduled_task_service_spawned_shell.yml 
+++ b/detections/endpoint/windows_scheduled_task_service_spawned_shell.yml 
@@ -1,17 +1,62 @@ name: Windows Scheduled Task Service Spawned Shell id: d8120352-3b62-4e3c-8cb6-7b47584dd5e8 -version: 9 -date: '2026-03-10' +version: 10 +date: '2026-03-18' author: Steven Dick status: production type: TTP -description: The following analytic detects when the Task Scheduler service ("svchost.exe -k netsvcs -p -s Schedule") spawns common command line, scripting, or shell execution binaries such as "powershell.exe" or "cmd.exe". This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process relationships. This activity is significant as attackers often abuse the Task Scheduler for execution and persistence, blending in with legitimate Windows operations. If confirmed malicious, this could allow attackers to execute arbitrary code, maintain persistence, or escalate privileges within the environment. +description: | + The following analytic detects when the Task Scheduler service ("svchost.exe -k netsvcs -p -s Schedule") spawns common command line, scripting, or shell execution binaries such as "powershell.exe" or "cmd.exe". + This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process relationships. + This activity is significant as attackers often abuse the Task Scheduler for execution and persistence, blending in with legitimate Windows operations. + If confirmed malicious, this could allow attackers to execute arbitrary code, maintain persistence, or escalate privileges within the environment. 
data_source: - Sysmon EventID 1 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process="*\\system32\\svchost.exe*" AND Processes.parent_process="*-k*" AND Processes.parent_process= "*netsvcs*" AND Processes.parent_process="*-p*" AND Processes.parent_process="*-s*" AND Processes.parent_process="*Schedule*" Processes.process_name IN("powershell.exe", "wscript.exe", "cscript.exe", "cmd.exe", "sh.exe", "ksh.exe", "zsh.exe", "bash.exe", "scrcons.exe","pwsh.exe") by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_scheduled_task_service_spawned_shell_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
-known_false_positives: No false positives have been identified at this time. +search: |- + | tstats `security_content_summariesonly` + count min(_time) as firstTime + max(_time) as lastTime + + from datamodel=Endpoint.Processes where + + Processes.parent_process_name="svchost.exe" + Processes.parent_process="*-k*" + Processes.parent_process= "*netsvcs*" + Processes.parent_process="*-p*" + Processes.parent_process="*-s*" + Processes.parent_process="*Schedule*" + Processes.process_name IN( + "bash.exe", + "cmd.exe", + "cscript.exe", + "ksh.exe", + "powershell.exe", + "pwsh.exe", + "scrcons.exe", + "sh.exe", + "wscript.exe", + "zsh.exe" + ) + + by Processes.action Processes.dest Processes.original_file_name + Processes.parent_process Processes.parent_process_exec + Processes.parent_process_guid Processes.parent_process_id + Processes.parent_process_name Processes.parent_process_path + Processes.process Processes.process_exec Processes.process_guid + Processes.process_hash Processes.process_id Processes.process_integrity_level + Processes.process_name Processes.process_path Processes.user + Processes.user_id Processes.vendor_product + + | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_scheduled_task_service_spawned_shell_filter` +how_to_implement: | + The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: | + Certain scheduled tasks will intentionally call a script via PowerShell or Cmd for example. + These will trigger this detection. Evaluate if they are legitimate and apply filters as needed. references: - https://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations - https://nasbench.medium.com/a-deep-dive-into-windows-scheduled-tasks-and-the-processes-running-them-218d1eed4cce @@ -35,8 +80,12 @@ rba: type: user score: 50 threat_objects: + - field: parent_process_name + type: parent_process_name - field: process_name type: process_name + - field: process + type: process tags: analytic_story: - Windows Persistence Techniques diff --git a/detections/endpoint/windows_uac_bypass_suspicious_escalation_behavior.yml b/detections/endpoint/windows_uac_bypass_suspicious_escalation_behavior.yml index f2fccc3935..20171c2710 100644 --- a/detections/endpoint/windows_uac_bypass_suspicious_escalation_behavior.yml +++ b/detections/endpoint/windows_uac_bypass_suspicious_escalation_behavior.yml 
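Review bot: Replacing the `*\\system32\\svchost.exe*` match on `Processes.parent_process` with `Processes.parent_process_name="svchost.exe"` means any parent named svchost.exe, from any directory, now qualifies as long as its command line carries `-k netsvcs -p -s Schedule`; that looks intentional for EDR sources that do not populate the image path, but neither the description nor `how_to_implement` mentions it, and if the location still matters `Processes.parent_process_path` is already in the `by` clause and could carry the constraint. Separately, `Processes.parent_process= "*netsvcs*"` keeps a stray space before the value where the surrounding predicates have none. `how_to_implement` still requires ingesting the process GUID, which this search no longer uses anywhere.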
@@ -1,52 +1,101 @@ name: Windows UAC Bypass Suspicious Escalation Behavior id: 00d050d3-a5b4-4565-a6a5-a31f69681dc3 -version: 11 -date: '2026-03-10' +version: 12 +date: '2026-03-25' author: Steven Dick status: production type: TTP -description: The following analytic detects when a process spawns an executable known for User Account Control (UAC) bypass exploitation and subsequently monitors for any child processes with a higher integrity level than the original process. This detection leverages Sysmon EventID 1 data, focusing on process integrity levels and known UAC bypass executables. This activity is significant as it may indicate an attacker has successfully used a UAC bypass exploit to escalate privileges. If confirmed malicious, the attacker could gain elevated privileges, potentially leading to further system compromise and persistent access. +description: |- + The following analytic detects when a process spawns an executable known for User Account Control (UAC) bypass exploitation and subsequently monitors for any child processes with a higher integrity level than the original process. + This detection leverages Sysmon EventID 1 data, focusing on process integrity levels and known UAC bypass executables. + This activity is significant as it may indicate an attacker has successfully used a UAC bypass exploit to escalate privileges. + If confirmed malicious, the attacker could gain elevated privileges, potentially leading to further system compromise and persistent access. 
data_source: - Sysmon EventID 1 AND Sysmon EventID 1 search: |- - | tstats `security_content_summariesonly` count max(_time) as lastTime FROM datamodel=Endpoint.Processes - WHERE Processes.process_integrity_level IN ("low","medium") - BY Processes.action Processes.dest Processes.original_file_name - Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid - Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path - Processes.process Processes.process_exec Processes.process_guid - Processes.process_hash Processes.process_id Processes.process_integrity_level - Processes.process_name Processes.process_path Processes.user - Processes.user_id Processes.vendor_product + | tstats `security_content_summariesonly` + count max(_time) as lastTime + + FROM datamodel=Endpoint.Processes WHERE + + Processes.process_integrity_level IN ( + "low", + "medium" + ) + + BY Processes.action Processes.dest Processes.original_file_name + Processes.parent_process Processes.parent_process_exec + Processes.parent_process_guid Processes.parent_process_id + Processes.parent_process_name Processes.parent_process_path + Processes.process Processes.process_exec Processes.process_guid + Processes.process_hash Processes.process_id + Processes.process_integrity_level Processes.process_name + Processes.process_path Processes.user + Processes.user_id Processes.vendor_product + | `drop_dm_object_name(Processes)` - | eval original_integrity_level = CASE(match(process_integrity_level,"low"),1,match(process_integrity_level,"medium"),2,match(process_integrity_level,"high"),3,match(process_integrity_level,"system"),4,true(),0) - | rename process_guid as join_guid_1, process* as parent_process* + | eval original_integrity_level = CASE( + match(process_integrity_level,"low"),1, + match(process_integrity_level,"medium"),2, + match(process_integrity_level,"high"),3, + match(process_integrity_level,"system"),4, + true(),0 + ) + | rename process_guid as 
join_guid_1, + process* as parent_process* + | join max=0 dest join_guid_1 [ - | tstats `security_content_summariesonly` count min(_time) as firstTime FROM datamodel=Endpoint.Processes - WHERE Processes.process_integrity_level IN ("high","system") - AND + | tstats `security_content_summariesonly` + count min(_time) as firstTime + FROM datamodel=Endpoint.Processes WHERE + + Processes.process_integrity_level IN ( + "high", + "system" + ) Processes.process_name IN (`uacbypass_process_name`) - BY Processes.dest, Processes.parent_process_guid, Processes.process_name, - Processes.process_guid - | `drop_dm_object_name(Processes)` - | rename parent_process_guid as join_guid_1, process_guid as join_guid_2, process_name as uac_process_name ] + + BY Processes.dest Processes.parent_process_guid + Processes.process_name Processes.process_guid + + | `drop_dm_object_name(Processes)` + | rename parent_process_guid as join_guid_2, + process_guid as join_guid_2, + process_name as uac_process_name + ] | join max=0 dest join_guid_2 [ - | tstats `security_content_summariesonly` count min(_time) as firstTime FROM datamodel=Endpoint.Processes - WHERE Processes.parent_process_name IN (`uacbypass_process_name`) - AND - Processes.process_integrity_level IN ("high","system") - BY Processes.dest, Processes.parent_process_guid, Processes.process_name, - Processes.process, Processes.process_guid, Processes.process_path, - Processes.process_integrity_level, Processes.process_current_directory - | `drop_dm_object_name(Processes)` - | rename parent_process_guid as join_guid_2 - | eval elevated_integrity_level = CASE(match(process_integrity_level,"low"),1,match(process_integrity_level,"medium"),2,match(process_integrity_level,"high"),3,match(process_integrity_level,"system"),4,true(),0)] + | tstats `security_content_summariesonly` + count min(_time) as firstTime + FROM datamodel=Endpoint.Processes WHERE + + Processes.parent_process_name IN (`uacbypass_process_name`) + 
Processes.process_integrity_level IN ( + "high", + "system" + ) + BY Processes.dest Processes.parent_process_guid + Processes.process_name Processes.process + Processes.process_guid Processes.process_path + Processes.process_integrity_level Processes.process_current_directory + + | `drop_dm_object_name(Processes)` + | rename parent_process_guid as join_guid_3 + | eval elevated_integrity_level = CASE( + match(process_integrity_level,"low"),1, + match(process_integrity_level,"medium"),2, + match(process_integrity_level,"high"),3, + match(process_integrity_level,"system"),4, + true(),0 + ) + ] | where elevated_integrity_level > original_integrity_level | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_uac_bypass_suspicious_escalation_behavior_filter` -how_to_implement: Target environment must ingest sysmon data, specifically Event ID 1 with process integrity level data. -known_false_positives: Including Werfault.exe may cause some unintended false positives related to normal application faulting, but is used in a number of UAC bypass techniques. +how_to_implement: |- + Target environment must ingest sysmon data, specifically Event ID 1 with process integrity level data. +known_false_positives: |- + Including Werfault.exe may cause some unintended false positives related to normal application faulting, but is used in a number of UAC bypass techniques. references: - https://attack.mitre.org/techniques/T1548/002/ - https://atomicredteam.io/defense-evasion/T1548.002/ diff --git a/detections/network/detect_large_icmp_traffic.yml b/detections/network/detect_large_icmp_traffic.yml index cba58c1784..8510fac50b 100644 --- a/detections/network/detect_large_icmp_traffic.yml +++ b/detections/network/detect_large_icmp_traffic.yml 
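Review bot: The first subsearch now renames both `parent_process_guid` and `process_guid` to `join_guid_2`, so it no longer emits the `join_guid_1` that the enclosing `| join max=0 dest join_guid_1 [` keys on, and the second subsearch renames `parent_process_guid as join_guid_3` while the outer `| join max=0 dest join_guid_2 [` keys on `join_guid_2`; the removed lines used `join_guid_1` and `join_guid_2` respectively. With neither join able to match, `elevated_integrity_level` is never populated and `| where elevated_integrity_level > original_integrity_level` drops every row, silently disabling the detection. Restore `| rename parent_process_guid as join_guid_1,` in the first subsearch and `| rename parent_process_guid as join_guid_2` in the second. A replay of the existing attack data for this analytic would have caught the regression and is worth running before merge.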
@@ -1,25 +1,52 @@ name: Detect Large ICMP Traffic id: 9cd6d066-94d5-4ccd-a8b9-28c03ca91be8 -version: 4 -date: '2026-03-10' +version: 5 +date: '2026-03-23' author: Rico Valdez, Dean Luxton, Bhavin Patel, Splunk status: production type: TTP -description: The following analytic identifies ICMP traffic to external IP addresses with total bytes (sum of bytes in and bytes out) greater than 1,000 bytes. It leverages the Network_Traffic data model to detect large ICMP packet that aren't blocked and are directed toward external networks. We use All_Traffic.bytes in the detection to capture variations in inbound versus outbound traffic sizes, as significant discrepancies or unusually large ICMP exchanges can indicate information smuggling, covert communication, or command-and-control (C2) activities. If validated as malicious, this could signal ICMP tunneling, unauthorized data transfer, or compromised endpoints requiring immediate investigation. +description: | + The following analytic identifies ICMP traffic to external IP addresses with total bytes (sum of bytes in and bytes out) greater than 1,000 bytes. + It leverages the Network_Traffic data model to detect large ICMP packet that aren't blocked and are directed toward external networks. We use All_Traffic.bytes in the detection to capture variations in inbound versus outbound traffic sizes, as significant discrepancies or unusually large ICMP exchanges can indicate information smuggling, covert communication, or command-and-control (C2) activities. + If validated as malicious, this could signal ICMP tunneling, unauthorized data transfer, or compromised endpoints requiring immediate investigation. 
data_source: - Palo Alto Network Traffic search: |- - | tstats `security_content_summariesonly` count earliest(_time) as firstTime latest(_time) as lastTime values(All_Traffic.action) as action - from datamodel=Network_Traffic where All_Traffic.bytes > 1000 AND All_Traffic.action != blocked AND (All_Traffic.protocol=icmp OR All_Traffic.transport=icmp) AND NOT All_Traffic.dest_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16") - by All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.protocol, All_Traffic.bytes, All_Traffic.app, All_Traffic.bytes_in, All_Traffic.bytes_out, All_Traffic.dest_port, All_Traffic.dvc, All_Traffic.protocol_version, - All_Traffic.src_port, All_Traffic.user, All_Traffic.vendor_product + | tstats `security_content_summariesonly` + count earliest(_time) as firstTime + latest(_time) as lastTime + values(All_Traffic.action) as action + from datamodel=Network_Traffic where + All_Traffic.bytes > 1000 + All_Traffic.action != blocked + AND + ( + All_Traffic.protocol=icmp + OR + All_Traffic.transport=icmp + ) + NOT All_Traffic.dest_ip IN ( + "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10", + "127.0.0.0/8", "169.254.0.0/16", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", + "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", + "192.31.196.0/24", "192.52.193.0/24", "192.88.99.0/24", "224.0.0.0/4", "192.175.48.0/24", + "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1" + ) + + by All_Traffic.src_ip All_Traffic.dest_ip All_Traffic.protocol + All_Traffic.bytes All_Traffic.app All_Traffic.bytes_in + All_Traffic.bytes_out All_Traffic.dest_port All_Traffic.dvc + All_Traffic.protocol_version All_Traffic.src_port + All_Traffic.user All_Traffic.vendor_product | `drop_dm_object_name("All_Traffic")` | iplocation dest_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_large_icmp_traffic_filter` -how_to_implement: The following analytic was developed 
with Palo Alto traffic logs. Ensure that the logs are being ingested into Splunk and mapped to the Network_Traffic data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: ICMP packets are used in a variety of ways to help troubleshoot networking issues and ensure the proper flow of traffic. As such, it is possible that a large ICMP packet could be perfectly legitimate. If large ICMP packets are associated with Command And Control traffic, there will typically be a large number of these packets observed over time. If the search is providing a large number of false positives, you can modify the macro `detect_large_icmp_traffic_filter` to adjust the byte threshold or add specific IP addresses to an allow list. +how_to_implement: | + The following analytic was developed with Palo Alto traffic logs. Ensure that the logs are being ingested into Splunk and mapped to the Network_Traffic data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: | + ICMP packets are used in a variety of ways to help troubleshoot networking issues and ensure the proper flow of traffic. As such, it is possible that a large ICMP packet could be perfectly legitimate. If large ICMP packets are associated with Command And Control traffic, there will typically be a large number of these packets observed over time. If the search is providing a large number of false positives, you can modify the macro `detect_large_icmp_traffic_filter` to adjust the byte threshold or add specific IP addresses to an allow list. references: [] drilldown_searches: - name: View the detection results for - "$src_ip$" and "$dest_ip$" 
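Review bot: The new `NOT All_Traffic.dest_ip IN (...)` exclusion list carries only `::1` for IPv6, so on a dual-stack network every ULA (`fc00::/7`) and link-local (`fe80::/10`) destination is treated as external and falls straight through to the `All_Traffic.bytes > 1000` condition; adding `"fc00::/7", "fe80::/10"` to the list closes that gap. The same 24-entry list is pasted verbatim into the detect_outbound_ldap_traffic search in this commit, which is exactly the kind of duplication that drifts; a shared macro alongside `detect_large_icmp_traffic_filter` would keep both searches in step. `references: []` is still empty here, and a pointer to the source of the list (RFC 1918 / RFC 6890 special-purpose ranges, if that is what it was built from) would let a reviewer verify the entries rather than trust them.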
@@ -58,4 +85,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1095/palologs/large_icmp.log sourcetype: pan:traffic - source: pan:traffic + source: not_applicable diff --git a/detections/network/detect_outbound_ldap_traffic.yml b/detections/network/detect_outbound_ldap_traffic.yml index 66816bdf90..13e88b2961 100644 --- a/detections/network/detect_outbound_ldap_traffic.yml +++ b/detections/network/detect_outbound_ldap_traffic.yml @@ -1,7 +1,7 @@ name: Detect Outbound LDAP Traffic id: 5e06e262-d7cd-4216-b2f8-27b437e18458 -version: 10 -date: '2026-02-25' +version: 11 +date: '2026-03-23' author: Bhavin Patel, Johan Bjerke, Splunk status: production type: Hunting 
@@ -10,29 +10,38 @@ data_source: - Palo Alto Network Traffic - Cisco Secure Firewall Threat Defense Connection Event search: |- - | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(All_Traffic.dest_ip) as dest_ip FROM datamodel=Network_Traffic.All_Traffic - WHERE All_Traffic.dest_port = 389 - OR - All_Traffic.dest_port = 636 - AND - NOT (All_Traffic.dest_ip = 10.0.0.0/8 - OR - All_Traffic.dest_ip=192.168.0.0/16 - OR - All_Traffic.dest_ip = 172.16.0.0/12) - BY All_Traffic.action All_Traffic.app All_Traffic.bytes - All_Traffic.bytes_in All_Traffic.bytes_out All_Traffic.dest - All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.dvc - All_Traffic.protocol All_Traffic.protocol_version All_Traffic.src - All_Traffic.src_ip All_Traffic.src_port All_Traffic.transport - All_Traffic.user All_Traffic.vendor_product All_Traffic.rule + | tstats `security_content_summariesonly` + count min(_time) as firstTime + max(_time) as lastTime + values(All_Traffic.dest_ip) as dest_ip + FROM datamodel=Network_Traffic.All_Traffic WHERE + + All_Traffic.dest_port IN ( + 389, + 636 + ) + NOT All_Traffic.dest_ip IN ( + "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10", + "127.0.0.0/8", "169.254.0.0/16", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", + "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", + "192.31.196.0/24", "192.52.193.0/24", "192.88.99.0/24", "224.0.0.0/4", "192.175.48.0/24", + "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1" + ) + by All_Traffic.action All_Traffic.app All_Traffic.bytes + All_Traffic.bytes_in All_Traffic.bytes_out All_Traffic.dest + All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.dvc + All_Traffic.protocol All_Traffic.protocol_version All_Traffic.src + All_Traffic.src_ip All_Traffic.src_port All_Traffic.transport + All_Traffic.user All_Traffic.vendor_product All_Traffic.rule | `drop_dm_object_name("All_Traffic")` | where src_ip != 
dest_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_outbound_ldap_traffic_filter` -how_to_implement: In order to properly run this search, Splunk needs to ingest data from Next Generation Firewalls like, Cisco Secure Firewall Threat Defense, Palo Alto Networks Firewalls or other network control devices that mediate the traffic allowed into an environment. The search requires the Network_Traffic data model to be populated. -known_false_positives: No false positives have been identified at this time. allowed outbound through your perimeter firewall. Please check those servers to verify if the activity is legitimate. +how_to_implement: | + In order to properly run this search, Splunk needs to ingest data from Next Generation Firewalls like, Cisco Secure Firewall Threat Defense, Palo Alto Networks Firewalls or other network control devices that mediate the traffic allowed into an environment. The search requires the Network_Traffic data model to be populated. +known_false_positives: | + No false positives have been identified at this time. allowed outbound through your perimeter firewall. Please check those servers to verify if the activity is legitimate. references: - https://www.govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/ tags: @@ -55,7 +64,7 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/log4shell_ldap_traffic/pantraffic.log sourcetype: pan:traffic - source: pan:traffic + source: not_applicable - name: Cisco Secure Firewall True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_firewall_threat_defense/connection_event/connection_events.log diff --git a/detections/network/detect_remote_access_software_usage_traffic.yml b/detections/network/detect_remote_access_software_usage_traffic.yml index ae0306330c..da84dd669c 100644 
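Review bot: The reflowed `known_false_positives` keeps the orphaned fragment "allowed outbound through your perimeter firewall. Please check those servers ...", whose subject was lost in some earlier edit, so the sentence still reads as a truncation. Since this hunk rewrites the line anyway, restore a subject, for example `No false positives have been identified at this time. Some internal servers may be legitimately allowed outbound LDAP through your perimeter firewall; check those servers to verify the activity is legitimate.`, adjusted to whatever the original intent was. The IPv6 exclusion gap raised on the detect_large_icmp_traffic hunk applies to the identical list in this search as well.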
--- a/detections/network/detect_remote_access_software_usage_traffic.yml +++ b/detections/network/detect_remote_access_software_usage_traffic.yml @@ -1,11 +1,14 @@ name: Detect Remote Access Software Usage Traffic id: 885ea672-07ee-475a-879e-60d28aa5dd42 -version: 13 -date: '2026-03-10' +version: 14 +date: '2026-03-23' author: Steven Dick status: production type: Anomaly -description: The following analytic detects network traffic associated with known remote access software applications, such as AnyDesk, GoToMyPC, LogMeIn, and TeamViewer. It leverages Palo Alto traffic logs mapped to the Network_Traffic data model in Splunk. This activity is significant because adversaries often use remote access tools to maintain unauthorized access to compromised environments. If confirmed malicious, this activity could allow attackers to control systems remotely, exfiltrate data, or deploy additional malware, posing a severe threat to the organization's security. +description: | + The following analytic detects network traffic associated with known remote access software applications, such as AnyDesk, GoToMyPC, LogMeIn, and TeamViewer. + It leverages Palo Alto traffic logs mapped to the Network_Traffic data model in Splunk. This activity is significant because adversaries often use remote access tools to maintain unauthorized access to compromised environments. + If confirmed malicious, this activity could allow attackers to control systems remotely, exfiltrate data, or deploy additional malware, posing a severe threat to the organization's security. data_source: - Palo Alto Network Traffic search: | @@ -84,5 +87,5 @@ tests: - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1219/screenconnect/screenconnect_palo_traffic.log - source: screenconnect_palo_traffic + source: not_applicable sourcetype: pan:traffic 
diff --git a/detections/network/f5_big_ip_icontrol_rest_vulnerability_cve_2022_1388.yml b/detections/network/f5_big_ip_icontrol_rest_vulnerability_cve_2022_1388.yml index b5b0624574..c23d1ceb2e 100644 --- a/detections/network/f5_big_ip_icontrol_rest_vulnerability_cve_2022_1388.yml +++ b/detections/network/f5_big_ip_icontrol_rest_vulnerability_cve_2022_1388.yml 
@@ -1,24 +1,35 @@ name: F5 BIG-IP iControl REST Vulnerability CVE-2022-1388 id: bb1c2c30-107a-4e56-a4b9-1f7022867bfe -version: 7 -date: '2026-03-10' +version: 8 +date: '2026-03-23' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects attempts to exploit the F5 BIG-IP iControl REST API vulnerability (CVE-2022-1388) for unauthenticated remote code execution. It identifies suspicious URI paths and POST HTTP methods, along with specific request headers containing potential commands in the `utilcmdargs` field and a random base64 encoded value in the `X-F5-Auth-Token` field. This activity is significant as it targets a critical vulnerability that can allow attackers to execute arbitrary commands on the affected system. If confirmed malicious, this could lead to full system compromise and unauthorized access to sensitive data. +description: | + The following analytic detects attempts to exploit the F5 BIG-IP iControl REST API vulnerability (CVE-2022-1388) for unauthenticated remote code execution. + It identifies suspicious URI paths and POST HTTP methods, along with specific request headers containing potential commands in the `utilcmdargs` field and a random base64 encoded value in the `X-F5-Auth-Token` field. + This activity is significant as it targets a critical vulnerability that can allow attackers to execute arbitrary commands on the affected system. + If confirmed malicious, this could lead to full system compromise and unauthorized access to sensitive data. 
data_source: - Palo Alto Network Threat search: |- - | tstats count FROM datamodel=Web - WHERE Web.url="*/mgmt/tm/util/bash*" Web.http_method="POST" - BY Web.http_user_agent Web.http_method, Web.url,Web.url_length - Web.src, Web.dest + | tstats `security_content_summariesonly` + count min(_time) as firstTime + max(_time) as lastTime + FROM datamodel=Web WHERE + Web.url="*/mgmt/tm/util/bash*" + Web.http_method="POST" + BY Web.http_user_agent Web.http_method + Web.url Web.url_length + Web.src Web.dest | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `f5_big_ip_icontrol_rest_vulnerability_cve_2022_1388_filter` -how_to_implement: To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. For additional filtering, allow list private IP space or restrict by known good. -known_false_positives: False positives may be present if the activity is blocked or was not successful. Filter known vulnerablity scanners. Filter as needed. +how_to_implement: | + To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. For additional filtering, allow list private IP space or restrict by known good. +known_false_positives: | + False positives may be present if the activity is blocked or was not successful. Filter known vulnerability scanners. Filter as needed. references: - https://github.com/dk4trin/templates-nuclei/blob/main/CVE-2022-1388.yaml - https://www.randori.com/blog/vulnerability-analysis-cve-2022-1388/ @@ -60,5 +71,5 @@ tests: - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/f5/f5.log - source: pan:threat + source: not_applicable sourcetype: pan:threat 
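Review bot: The rewritten description still says the search keys on `utilcmdargs` and on a base64 value in the `X-F5-Auth-Token` header, but the tstats only constrains `Web.url="*/mgmt/tm/util/bash*"` and `Web.http_method="POST"`; either those header fields are not reachable through the Web data model and the text should be narrowed to what is actually matched, or the header checks were meant to be added and are missing. Separately, this hunk introduces `security_content_summariesonly` on a Web data model search, and the citrix, confluence and detect_remote_access_software_usage_url hunks do the same; as that macro is normally configured it restricts tstats to accelerated summaries, so an environment that populates Web without acceleration gets zero results with no error. `how_to_implement` should state the requirement, e.g. `The Web data model must be accelerated for this search to return results.`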
diff --git a/detections/network/tor_traffic.yml b/detections/network/tor_traffic.yml index f172a2461c..e8fe1e1669 100644 --- a/detections/network/tor_traffic.yml +++ b/detections/network/tor_traffic.yml 
@@ -1,31 +1,36 @@ name: TOR Traffic id: ea688274-9c06-4473-b951-e4cb7a5d7a45 -version: 14 -date: '2026-03-10' +version: 15 +date: '2026-03-23' author: David Dorsey, Bhavin Patel, Splunk status: production type: TTP -description: The following analytic identifies allowed network traffic to The Onion Router (TOR), an anonymity network often exploited for malicious activities. It leverages data from Next Generation Firewalls, using the Network_Traffic data model to detect traffic where the application is TOR and the action is allowed. This activity is significant as TOR can be used to bypass conventional monitoring, facilitating hacking, data breaches, and illicit content dissemination. If confirmed malicious, this could lead to unauthorized access, data exfiltration, and severe compliance violations, compromising the integrity and security of the network. +description: | + The following analytic identifies allowed network traffic to The Onion Router (TOR), an anonymity network often exploited for malicious activities. + It leverages data from Next Generation Firewalls, using the Network_Traffic data model to detect traffic where the application is TOR and the action is allowed. + This activity is significant as TOR can be used to bypass conventional monitoring, facilitating hacking, data breaches, and illicit content dissemination. + If confirmed malicious, this could lead to unauthorized access, data exfiltration, and severe compliance violations, compromising the integrity and security of the network. 
data_source: - Palo Alto Network Traffic - Cisco Secure Firewall Threat Defense Connection Event search: |- - | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Network_Traffic - WHERE All_Traffic.app=tor - AND - All_Traffic.action IN ("allowed", "allow") - BY All_Traffic.action All_Traffic.app All_Traffic.bytes - All_Traffic.bytes_in All_Traffic.bytes_out All_Traffic.dest - All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.dvc - All_Traffic.protocol All_Traffic.protocol_version All_Traffic.src - All_Traffic.src_ip All_Traffic.src_port All_Traffic.transport - All_Traffic.user All_Traffic.vendor_product All_Traffic.rule + | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Network_Traffic WHERE + All_Traffic.app=tor + All_Traffic.action IN ("allowed", "allow") + BY All_Traffic.action All_Traffic.app All_Traffic.bytes + All_Traffic.bytes_in All_Traffic.bytes_out All_Traffic.dest + All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.dvc + All_Traffic.protocol All_Traffic.protocol_version All_Traffic.src + All_Traffic.src_ip All_Traffic.src_port All_Traffic.transport + All_Traffic.user All_Traffic.vendor_product All_Traffic.rule | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name("All_Traffic")` | `tor_traffic_filter` -how_to_implement: In order to properly run this search, Splunk needs to ingest data from Next Generation Firewalls like, Cisco Secure Firewall Threat Defense, Palo Alto Networks Firewalls or other network control devices that mediate the traffic allowed into an environment. This is necessary so that the search can identify an 'action' taken on the traffic of interest. The search requires the Network_Traffic data model to be populated. -known_false_positives: No false positives have been identified at this time. 
+how_to_implement: | + In order to properly run this search, Splunk needs to ingest data from Next Generation Firewalls like, Cisco Secure Firewall Threat Defense, Palo Alto Networks Firewalls or other network control devices that mediate the traffic allowed into an environment. This is necessary so that the search can identify an 'action' taken on the traffic of interest. The search requires the Network_Traffic data model to be populated. +known_false_positives: | + No false positives have been identified at this time. references: - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRtCAK - https://unit42.paloaltonetworks.com/tor-traffic-enterprise-networks/#:~:text=For%20enterprises%20concerned%20about%20the,the%20most%20important%20security%20risks. @@ -65,7 +70,7 @@ tests: - name: Palo Alto True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1090.003/pan_tor_allowed/pan_tor_allowed.log - source: pan_tor_allowed + source: not_applicable sourcetype: pan:traffic - name: Cisco Secure Firewall True Positive Test attack_data: diff --git a/detections/web/citrix_adc_exploitation_cve_2023_3519.yml b/detections/web/citrix_adc_exploitation_cve_2023_3519.yml index 69b28dd33b..8f774f6aca 100644 --- a/detections/web/citrix_adc_exploitation_cve_2023_3519.yml +++ b/detections/web/citrix_adc_exploitation_cve_2023_3519.yml 
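Review bot: The `| tstats ... FROM datamodel=Network_Traffic WHERE` head of the new search is kept on a single line, while every other search reworked in this commit (detect_large_icmp_traffic, detect_outbound_ldap_traffic, the F5 and Citrix searches) splits the aggregation list and the `FROM ... WHERE` clause across lines; for consistency the same layout belongs here. Dropping the explicit `AND` between `All_Traffic.app=tor` and `All_Traffic.action IN ("allowed", "allow")` is fine, since adjacent terms in a tstats WHERE clause are ANDed by default, but that is the only logic-relevant edit in the hunk and a one-line `# implicit AND` style remark is not needed in YAML here.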
@@ -1,19 +1,35 @@ name: Citrix ADC Exploitation CVE-2023-3519 id: 76ac2dcb-333c-4a77-8ae9-2720cfae47a8 -version: 7 -date: '2026-02-25' +version: 8 +date: '2026-03-23' author: Michael Haag, Splunk status: production type: Hunting data_source: - Palo Alto Network Threat -description: The following analytic identifies potential exploitation attempts against Citrix ADC related to CVE-2023-3519. It detects POST requests to specific web endpoints associated with this vulnerability by leveraging the Web datamodel. This activity is significant as CVE-2023-3519 involves a SAML processing overflow issue that can lead to memory corruption, posing a high risk. If confirmed malicious, attackers could exploit this to execute arbitrary code, escalate privileges, or disrupt services, making it crucial for SOC analysts to monitor and investigate these alerts promptly. +description: | + The following analytic identifies potential exploitation attempts against Citrix ADC related to CVE-2023-3519. It detects POST requests to specific web endpoints associated with this vulnerability by leveraging the Web datamodel. + This activity is significant as CVE-2023-3519 involves a SAML processing overflow issue that can lead to memory corruption, posing a high risk. + If confirmed malicious, attackers could exploit this to execute arbitrary code, escalate privileges, or disrupt services, making it crucial for SOC analysts to monitor and investigate these alerts promptly. 
search: |- - | tstats count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Web - WHERE Web.url IN ("*/saml/login","/cgi/samlauth","*/saml/activelogin","/cgi/samlart?samlart=*","*/cgi/logout","/gwtest/formssso?event=start&target=*","/netscaler/ns_gui/vpn/*") Web.http_method=POST - BY Web.http_user_agent, Web.status Web.http_method, - Web.url, Web.url_length, Web.src, - Web.dest, sourcetype + | tstats `security_content_summariesonly` + count min(_time) as firstTime + max(_time) as lastTime + FROM datamodel=Web WHERE + + Web.http_method=POST + Web.url IN ( + "*/cgi/logout", + "*/saml/activelogin", + "*/saml/login", + "/cgi/samlart?samlart=*", + "/cgi/samlauth", + "/gwtest/formssso?event=start&target=*", + "/netscaler/ns_gui/vpn/*" + ) + BY Web.http_user_agent, Web.status + Web.http_method Web.url Web.url_length + Web.src Web.dest | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` @@ -44,5 +60,5 @@ tests: - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/citrix/citrix-cve20233519.log - source: pan:threat + source: not_applicable sourcetype: pan:threat diff --git a/detections/web/confluence_unauthenticated_remote_code_execution_cve_2022_26134.yml b/detections/web/confluence_unauthenticated_remote_code_execution_cve_2022_26134.yml index 26515e5014..c8b901ae78 100644 --- a/detections/web/confluence_unauthenticated_remote_code_execution_cve_2022_26134.yml +++ b/detections/web/confluence_unauthenticated_remote_code_execution_cve_2022_26134.yml 
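Review bot: The new BY clause drops `sourcetype`, which the old grouping carried (`Web.dest, sourcetype`), so that field disappears from the output; if a drilldown or observable in the part of this file outside the hunk references it, it will come back empty, and the sibling confluence search in this commit keeps `sourcetype` in its BY list, so the two now disagree. If the drop is intentional, the commit message should say so. As a point of style, the BY list mixes a comma after `Web.http_user_agent` with space-separated fields elsewhere (`BY Web.http_user_agent, Web.status Web.http_method Web.url ...`); the confluence hunk has the same mix (`Web.url,Web.url_length` then `Web.src, Web.dest sourcetype`), and one separator per list would match the other reworked searches.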
@@ -1,32 +1,53 @@ name: Confluence Unauthenticated Remote Code Execution CVE-2022-26134 id: fcf4bd3f-a79f-4b7a-83bf-2692d60b859c -version: 7 -date: '2026-03-10' +version: 8 +date: '2026-03-23' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects attempts to exploit CVE-2022-26134, an unauthenticated remote code execution vulnerability in Confluence. It leverages the Web datamodel to analyze network and CIM-compliant web logs, identifying suspicious URL patterns and parameters indicative of exploitation attempts. This activity is significant as it allows attackers to execute arbitrary code on the Confluence server without authentication, potentially leading to full system compromise. If confirmed malicious, this could result in unauthorized access, data exfiltration, and further lateral movement within the network. Immediate investigation and remediation are crucial to prevent extensive damage. +description: | + The following analytic detects attempts to exploit CVE-2022-26134, an unauthenticated remote code execution vulnerability in Confluence. It leverages the Web datamodel to analyze network and CIM-compliant web logs, identifying suspicious URL patterns and parameters indicative of exploitation attempts. This activity is significant as it allows attackers to execute arbitrary code on the Confluence server without authentication, potentially leading to full system compromise. If confirmed malicious, this could result in unauthorized access, data exfiltration, and further lateral movement within the network. Immediate investigation and remediation are crucial to prevent extensive damage. 
data_source: - Palo Alto Network Threat search: |- - | tstats count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Web - WHERE Web.url IN ("*${*", "*%2F%7B*") (Web.url="*org.apache.commons.io.IOUtils*" Web.url="*java.lang.Runtime@getRuntime().exec*") + | tstats `security_content_summariesonly` + count min(_time) as firstTime + max(_time) as lastTime + + FROM datamodel=Web WHERE + + Web.url IN ( + "*${*", + "*%2F%7B*" + ) + AND + ( + ( + Web.url="*org.apache.commons.io.IOUtils*" + Web.url="*java.lang.Runtime@getRuntime().exec*" + ) OR - (Web.url="*java.lang.Runtime%40getRuntime%28%29.exec*") + ( + Web.url="*java.lang.Runtime%40getRuntime%28%29.exec*" + ) OR - (Web.url="*getEngineByName*" - AND - Web.url="*nashorn*" - AND - Web.url="*ProcessBuilder*") - BY Web.http_user_agent Web.http_method, Web.url,Web.url_length - Web.src, Web.dest sourcetype + ( + Web.url="*getEngineByName*" + Web.url="*nashorn*" + Web.url="*ProcessBuilder*" + ) + ) + BY Web.http_user_agent Web.http_method + Web.url,Web.url_length + Web.src, Web.dest sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `confluence_unauthenticated_remote_code_execution_cve_2022_26134_filter` -how_to_implement: This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache or Splunk for Nginx. In addition, network based logs or event data like PAN Threat. -known_false_positives: Tune based on assets if possible, or restrict to known Confluence servers. Remove the ${ for a more broad query. To identify more exec, remove everything up to the last parameter (Runtime().exec) for a broad query. +how_to_implement: | + This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache or Splunk for Nginx. In addition, network based logs or event data like PAN Threat. 
+known_false_positives: | + Tune based on assets if possible, or restrict to known Confluence servers. Remove the ${ for a more broad query. To identify more exec, remove everything up to the last parameter (Runtime().exec) for a broad query. references: - https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html - https://www.splunk.com/en_us/blog/security/atlassian-confluence-vulnerability-cve-2022-26134.html @@ -70,5 +91,5 @@ tests: - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/java/confluence.log - source: pan:threat + source: not_applicable sourcetype: pan:threat diff --git a/detections/web/detect_remote_access_software_usage_url.yml b/detections/web/detect_remote_access_software_usage_url.yml index 8b2f9e4705..4ac7152602 100644 --- a/detections/web/detect_remote_access_software_usage_url.yml +++ b/detections/web/detect_remote_access_software_usage_url.yml 
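Review bot: The second entry in `Web.url IN ("*${*", "*%2F%7B*")` decodes to `/{`, whereas the URL-encoded form of the first entry `${` would be `%24%7B`; if the intent is to catch the encoded variant of the same prefix, the second pattern looks off and a request carrying `%24%7B` is only caught when the log has already decoded it. This is worth confirming against the sample in the `tests:` section before the rewritten list is left as-is, and a short remark in `how_to_implement` on whether the Web data model feeding this search stores decoded or raw URLs would tell operators which branch they depend on.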
@@ -1,25 +1,36 @@ name: Detect Remote Access Software Usage URL id: 9296f515-073c-43a5-88ec-eda5a4626654 -version: 13 -date: '2026-03-10' +version: 14 +date: '2026-03-23' author: Steven Dick status: production type: Anomaly -description: The following analytic detects the execution of known remote access software within the environment. It leverages network logs mapped to the Web data model, identifying specific URLs and user agents associated with remote access tools like AnyDesk, GoToMyPC, LogMeIn, and TeamViewer. This activity is significant as adversaries often use these utilities to maintain unauthorized remote access. If confirmed malicious, this could allow attackers to control systems remotely, exfiltrate data, or further compromise the network, posing a severe security risk. +description: | + The following analytic detects the execution of known remote access software within the environment. + It leverages network logs mapped to the Web data model, identifying specific URLs and user agents associated with remote access tools like AnyDesk, GoToMyPC, LogMeIn, and TeamViewer. + This activity is significant as adversaries often use these utilities to maintain unauthorized remote access. If confirmed malicious, this could allow attackers to control systems remotely, exfiltrate data, or further compromise the network, posing a severe security risk. 
data_source: - Palo Alto Network Threat search: | - | tstats count min(_time) as firstTime + | tstats `security_content_summariesonly` + count min(_time) as firstTime max(_time) as lastTime latest(Web.http_method) as http_method latest(Web.http_user_agent) as http_user_agent latest(Web.url) as url latest(Web.user) as user latest(Web.dest) as dest + from datamodel=Web where + Web.url_domain=* - NOT Web.url_domain IN ("-", "unknown") - by Web.action Web.src Web.category Web.url_domain Web.url_length + NOT Web.url_domain IN ( + "-", + "unknown" + ) + by Web.action Web.src Web.category + Web.url_domain Web.url_length + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name("Web")` 
@@ -28,8 +39,10 @@ search: | | search isutility = True | `remote_access_software_usage_exceptions` | `detect_remote_access_software_usage_url_filter` -how_to_implement: The detection is based on data that originates from network logs. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the network logs. The logs must also be mapped to the `Web` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. The "exceptions" macro leverages both an Assets and Identities lookup, as well as a KVStore collection called "remote_software_exceptions" that lets you track and maintain device- based exceptions for this set of detections. -known_false_positives: It is possible that legitimate remote access software is used within the environment. Ensure that the lookup is reviewed and updated with any additional remote access software that is used within the environment. Known false positives can be added to the remote_access_software_usage_exception.csv lookup to globally suppress these situations across all remote access content +how_to_implement: | + The detection is based on data that originates from network logs. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the network logs. The logs must also be mapped to the `Web` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. The "exceptions" macro leverages both an Assets and Identities lookup, as well as a KVStore collection called "remote_software_exceptions" that lets you track and maintain device- based exceptions for this set of detections. +known_false_positives: | + It is possible that legitimate remote access software is used within the environment. Ensure that the lookup is reviewed and updated with any additional remote access software that is used within the environment. 
Known false positives can be added to the remote_access_software_usage_exception.csv lookup to globally suppress these situations across all remote access content references: - https://attack.mitre.org/techniques/T1219/ - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/ @@ -83,5 +96,5 @@ tests: - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1219/screenconnect/screenconnect_palo.log - source: screenconnect_palo + source: not_applicable sourcetype: pan:threat diff --git a/detections/web/exploit_public_facing_fortinet_fortinac_cve_2022_39952.yml b/detections/web/exploit_public_facing_fortinet_fortinac_cve_2022_39952.yml index 38037a1131..350d5dcb5b 100644 --- a/detections/web/exploit_public_facing_fortinet_fortinac_cve_2022_39952.yml +++ b/detections/web/exploit_public_facing_fortinet_fortinac_cve_2022_39952.yml 
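Review bot: The True Positive Test's attack_data now sets `source: not_applicable` while `sourcetype: pan:threat` is unchanged, so the replayed events carry the literal string `not_applicable` as their Splunk source. If the Palo Alto add-on keys its props and transforms only on sourcetype this is fine, but if any extraction or CIM tagging still keys on `source`, the replayed events will not populate the Web data model and the test will no longer exercise the search; I would confirm this against the add-on, or confirm that the test harness treats `not_applicable` as "leave source unset" rather than as a value. The same change is made in the tests hunks of the FortiNAC, Fortinet auth bypass, VMware Aria, VMware SSTI hunt and Workspace ONE detections that follow.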
@@ -1,25 +1,37 @@ name: Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952 id: 2038f5c6-5aba-4221-8ae2-ca76e2ca8b97 -version: 8 -date: '2026-03-10' +version: 9 +date: '2026-03-23' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects attempts to exploit the Fortinet FortiNAC CVE-2022-39952 vulnerability. It identifies HTTP POST requests to the URI configWizard/keyUpload.jsp with a payload.zip file. The detection leverages the Web datamodel, analyzing fields such as URL, HTTP method, and user agent. This activity is significant as it indicates an attempt to exploit a known vulnerability, potentially leading to remote code execution. If confirmed malicious, attackers could gain control over the affected system, schedule malicious tasks, and establish persistent access via a remote command and control (C2) server. +description: | + The following analytic detects attempts to exploit the Fortinet FortiNAC CVE-2022-39952 vulnerability. It identifies HTTP POST requests to the URI configWizard/keyUpload.jsp with a payload.zip file. + The detection leverages the Web datamodel, analyzing fields such as URL, HTTP method, and user agent. + This activity is significant as it indicates an attempt to exploit a known vulnerability, potentially leading to remote code execution. + If confirmed malicious, attackers could gain control over the affected system, schedule malicious tasks, and establish persistent access via a remote command and control (C2) server. 
data_source: - Palo Alto Network Threat search: |- - | tstats count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Web - WHERE Web.url IN ("*configWizard/keyUpload.jsp*") - BY Web.http_user_agent, Web.status Web.http_method, - Web.url, Web.url_length, Web.src, - Web.dest, sourcetype + | tstats `security_content_summariesonly` + count min(_time) as firstTime + max(_time) as lastTime + + FROM datamodel=Web WHERE + + Web.url IN ("*configWizard/keyUpload.jsp*") + + BY Web.http_user_agent Web.status + Web.http_method Web.url Web.url_length + Web.src Web.dest | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `exploit_public_facing_fortinet_fortinac_cve_2022_39952_filter` -how_to_implement: This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. -known_false_positives: False positives may be present. Modify the query as needed to POST, or add additional filtering (based on log source). +how_to_implement: | + This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. +known_false_positives: | + False positives may be present. Modify the query as needed to POST, or add additional filtering (based on log source). references: - https://github.com/horizon3ai/CVE-2022-39952 - https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs/ @@ -59,5 +71,5 @@ tests: - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/fortigate/web_fortinetnac.log - source: pan:threat + source: not_applicable sourcetype: pan:threat diff --git a/detections/web/fortinet_appliance_auth_bypass.yml b/detections/web/fortinet_appliance_auth_bypass.yml index 3cbf5162b6..e0b1992a0b 100644 
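Review bot: `Web.url IN ("*configWizard/keyUpload.jsp*")` still uses a single-value IN list, while the Fortinet auth-bypass search rewritten in this same commit expresses the equivalent predicate as `Web.url="..."`; for consistency I'd write `Web.url="*configWizard/keyUpload.jsp*"`. The rewrapped description still says the analytic identifies "HTTP POST requests ... with a payload.zip file", but the WHERE clause does not constrain `Web.http_method` and known_false_positives tells the reader to "modify the query as needed to POST", so either the description should say the method is not enforced or the query should add `Web.http_method=POST`. The empty `+` lines inside the `|-` block scalar are carried into the SPL string; harmless, but the Workspace ONE search in this commit does without them.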
--- a/detections/web/fortinet_appliance_auth_bypass.yml
+++ b/detections/web/fortinet_appliance_auth_bypass.yml
@@ -1,25 +1,41 @@ name: Fortinet Appliance Auth bypass id: a83122f2-fa09-4868-a230-544dbc54bc1c -version: 7 -date: '2026-03-10' +version: 8 +date: '2026-03-23' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects attempts to exploit CVE-2022-40684, a Fortinet appliance authentication bypass vulnerability. It identifies REST API requests to the /api/v2/ endpoint using various HTTP methods (GET, POST, PUT, DELETE) that may indicate unauthorized modifications, such as adding SSH keys or creating new users. This detection leverages the Web datamodel to monitor specific URL patterns and HTTP methods. This activity is significant as it can lead to unauthorized access and control over the appliance. If confirmed malicious, attackers could gain persistent access, reroute network traffic, or capture sensitive information. +description: | + The following analytic detects attempts to exploit CVE-2022-40684, a Fortinet appliance authentication bypass vulnerability. + It identifies REST API requests to the /api/v2/ endpoint using various HTTP methods (GET, POST, PUT, DELETE) that may indicate unauthorized modifications, such as adding SSH keys or creating new users. + This detection leverages the Web datamodel to monitor specific URL patterns and HTTP methods. + This activity is significant as it can lead to unauthorized access and control over the appliance. + If confirmed malicious, attackers could gain persistent access, reroute network traffic, or capture sensitive information. 
data_source: - Palo Alto Network Threat search: |- - | tstats count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Web - WHERE Web.url IN ("*/api/v2/cmdb/system/admin*") Web.http_method IN ("GET", "PUT") - BY Web.http_user_agent, Web.http_method, Web.url, - Web.url_length, Web.src, Web.dest, - sourcetype + | tstats `security_content_summariesonly` + count min(_time) as firstTime + max(_time) as lastTime + + FROM datamodel=Web WHERE + + Web.url = "*/api/v2/cmdb/system/admin*" + Web.http_method IN ("GET", "PUT") + BY Web.http_user_agent + Web.http_method Web.url + Web.url_length + Web.src Web.dest | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `fortinet_appliance_auth_bypass_filter` -how_to_implement: This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache. Splunk for Nginx, or Splunk for Palo Alto. -known_false_positives: GET requests will be noisy and need to be filtered out or removed from the query based on volume. Restrict analytic to known publically facing Fortigates, or run analytic as a Hunt until properly tuned. It is also possible the user agent may be filtered on Report Runner or Node.js only for the exploit, however, it is unknown at this if other user agents may be used. +how_to_implement: | + This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache. Splunk for Nginx, or Splunk for Palo Alto. +known_false_positives: | + GET requests will be noisy and need to be filtered out or removed from the query based on volume. + Restrict analytic to known publicly facing Fortigates, or run analytic as a Hunt until properly tuned. + It is also possible the user agent may be filtered on Report Runner or Node.js only for the exploit, however, it is unknown at this if other user agents may be used. 
references: - https://www.wordfence.com/blog/2022/10/threat-advisory-cve-2022-40684-fortinet-appliance-auth-bypass/ - https://www.horizon3.ai/fortios-fortiproxy-and-fortiswitchmanager-authentication-bypass-technical-deep-dive-cve-2022-40684/ @@ -61,5 +77,5 @@ tests: - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/fortigate/fortinetcve202240684.log - source: pan:threat + source: not_applicable sourcetype: pan:threat diff --git a/detections/web/vmware_aria_operations_exploit_attempt.yml b/detections/web/vmware_aria_operations_exploit_attempt.yml index c378055a7b..990ed6c6f6 100644 --- a/detections/web/vmware_aria_operations_exploit_attempt.yml +++ b/detections/web/vmware_aria_operations_exploit_attempt.yml 
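Review bot: The rewrapped description says the analytic identifies requests "using various HTTP methods (GET, POST, PUT, DELETE)", but the WHERE clause restricts to `Web.http_method IN ("GET", "PUT")`; the description should match the query, e.g. `It identifies GET and PUT requests to the /api/v2/cmdb/system/admin endpoint that may indicate unauthorized modifications, such as adding SSH keys or creating new users.` `Web.url = "*/api/v2/cmdb/system/admin*"` is written with spaces around the operator unlike every other search in this commit (`Web.url="..."`); SPL accepts both as far as I know, but the spacing should be normalised. The how_to_implement text still reads "Splunk for Apache. Splunk for Nginx," where the full stop should be a comma.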
@@ -1,25 +1,41 @@ name: VMWare Aria Operations Exploit Attempt id: d5d865e4-03e6-43da-98f4-28a4f42d4df7 -version: 7 -date: '2026-03-10' +version: 8 +date: '2026-03-23' author: Michael Haag, Splunk status: production type: TTP data_source: - Palo Alto Network Threat -description: The following analytic detects potential exploitation attempts against VMWare vRealize Network Insight, specifically targeting the CVE-2023-20887 vulnerability. It monitors web traffic for HTTP POST requests directed at the vulnerable endpoint "/saas./resttosaasservlet." This detection leverages web traffic data, focusing on specific URL patterns and HTTP methods. Identifying this behavior is crucial for a SOC as it indicates an active exploit attempt. If confirmed malicious, the attacker could execute arbitrary code, leading to unauthorized access, data theft, or further network compromise. +description: | + The following analytic detects potential exploitation attempts against VMWare vRealize Network Insight, specifically targeting the CVE-2023-20887 vulnerability. + It monitors web traffic for HTTP POST requests directed at the vulnerable endpoint "/saas./resttosaasservlet." This detection leverages web traffic data, focusing on specific URL patterns and HTTP methods. + Identifying this behavior is crucial for a SOC as it indicates an active exploit attempt. + If confirmed malicious, the attacker could execute arbitrary code, leading to unauthorized access, data theft, or further network compromise. 
search: |- - | tstats count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Web - WHERE Web.url IN ("*/saas./resttosaasservlet*") Web.http_method=POST Web.status IN ("unknown", "200") - BY Web.http_user_agent, Web.status Web.http_method, - Web.url, Web.url_length, Web.src, - Web.dest, sourcetype + | tstats `security_content_summariesonly` + count min(_time) as firstTime + max(_time) as lastTime + + FROM datamodel=Web WHERE + + Web.url="*/saas./resttosaasservlet*" + Web.http_method=POST + Web.status IN ( + "unknown", + "200" + ) + BY Web.http_user_agent Web.status + Web.http_method Web.url Web.url_length + Web.src Web.dest | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `vmware_aria_operations_exploit_attempt_filter` -how_to_implement: To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. Restrict to specific dest assets to reduce false positives. -known_false_positives: False positives will be present based on gateways in use, modify the status field as needed. +how_to_implement: | + To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. Restrict to specific dest assets to reduce false positives. +known_false_positives: | + False positives will be present based on gateways in use, modify the status field as needed. references: - https://nvd.nist.gov/vuln/detail/CVE-2023-20887 - https://viz.greynoise.io/tag/vmware-aria-operations-for-networks-rce-attempt?days=30 @@ -64,5 +80,5 @@ tests: - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/vmware/vmware_aria.log - source: pan:threat + source: not_applicable sourcetype: pan:threat 
diff --git a/detections/web/vmware_server_side_template_injection_hunt.yml b/detections/web/vmware_server_side_template_injection_hunt.yml
index e4c92642c6..14e8270ad0 100644
--- a/detections/web/vmware_server_side_template_injection_hunt.yml
+++ b/detections/web/vmware_server_side_template_injection_hunt.yml
@@ -1,26 +1,41 @@ name: VMware Server Side Template Injection Hunt id: 5796b570-ad12-44df-b1b5-b7e6ae3aabb0 -version: 6 -date: '2026-02-25' +version: 7 +date: '2026-03-23' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic identifies potential server-side template injection attempts related to CVE-2022-22954. It detects suspicious URL patterns containing "deviceudid" and keywords like "java.lang.ProcessBuilder" or "freemarker.template.utility.ObjectConstructor" using web or proxy logs within the Web Datamodel. This activity is significant as it may indicate an attempt to exploit a known vulnerability in VMware, potentially leading to remote code execution. If confirmed malicious, attackers could gain unauthorized access, execute arbitrary code, and compromise the affected system, posing a severe security risk. +description: | + The following analytic identifies potential server-side template injection attempts related to CVE-2022-22954. + It detects suspicious URL patterns containing "deviceudid" and keywords like "java.lang.ProcessBuilder" or "freemarker.template.utility.ObjectConstructor" using web or proxy logs within the Web Datamodel. + This activity is significant as it may indicate an attempt to exploit a known vulnerability in VMware, potentially leading to remote code execution. + If confirmed malicious, attackers could gain unauthorized access, execute arbitrary code, and compromise the affected system, posing a severe security risk. 
data_source: - Palo Alto Network Threat search: |- - | tstats count FROM datamodel=Web - WHERE Web.http_method IN ("GET") Web.url="*deviceudid=*" - AND - Web.url IN ("*java.lang.ProcessBuilder*","*freemarker.template.utility.ObjectConstructor*") - BY Web.http_user_agent Web.http_method, Web.url,Web.url_length - Web.src, Web.dest sourcetype + | tstats `security_content_summariesonly` + count min(_time) as firstTime + max(_time) as lastTime + + FROM datamodel=Web WHERE + + Web.http_method="GET" + Web.url="*deviceudid=*" + Web.url IN ( + "*freemarker.template.utility.ObjectConstructor*", + "*java.lang.ProcessBuilder*" + ) + BY Web.http_user_agent Web.status + Web.http_method Web.url Web.url_length + Web.src Web.dest | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `vmware_server_side_template_injection_hunt_filter` -how_to_implement: To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. For additional filtering, allow list private IP space or restrict by known good. -known_false_positives: False positives may be present if the activity is blocked or was not successful. Filter known vulnerablity scanners. Filter as needed. +how_to_implement: | + To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. For additional filtering, allow list private IP space or restrict by known good. +known_false_positives: | + False positives may be present if the activity is blocked or was not successful. Filter known vulnerability scanners. Filter as needed. references: - https://www.cisa.gov/uscert/ncas/alerts/aa22-138b - https://github.com/wvu/metasploit-framework/blob/master/modules/exploits/linux/http/vmware_workspace_one_access_cve_2022_22954.rb 
@@ -46,5 +61,5 @@ tests: - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/vmware/vmware_scanning_pan_threat.log - source: pan:threat + source: not_applicable sourcetype: pan:threat diff --git a/detections/web/vmware_workspace_one_freemarker_server_side_template_injection.yml b/detections/web/vmware_workspace_one_freemarker_server_side_template_injection.yml index ffe1d21ad8..7db3f29418 100644 --- a/detections/web/vmware_workspace_one_freemarker_server_side_template_injection.yml +++ b/detections/web/vmware_workspace_one_freemarker_server_side_template_injection.yml 
@@ -1,26 +1,38 @@ name: VMware Workspace ONE Freemarker Server-side Template Injection id: 9e5726fe-8fde-460e-bd74-cddcf6c86113 -version: 7 -date: '2026-03-10' +version: 8 +date: '2026-03-23' author: Michael Haag, Splunk status: production type: Anomaly -description: The following analytic detects server-side template injection attempts related to CVE-2022-22954 in VMware Workspace ONE. It leverages web or proxy logs to identify HTTP GET requests to the endpoint catalog-portal/ui/oauth/verify with the freemarker.template.utility.Execute command. This activity is significant as it indicates potential exploitation attempts that could lead to remote code execution. If confirmed malicious, an attacker could execute arbitrary commands on the server, leading to full system compromise, data exfiltration, or further lateral movement within the network. +description: | + The following analytic detects server-side template injection attempts related to CVE-2022-22954 in VMware Workspace ONE. + It leverages web or proxy logs to identify HTTP GET requests to the endpoint catalog-portal/ui/oauth/verify with the freemarker.template.utility.Execute command. + This activity is significant as it indicates potential exploitation attempts that could lead to remote code execution. + If confirmed malicious, an attacker could execute arbitrary commands on the server, leading to full system compromise, data exfiltration, or further lateral movement within the network. 
data_source: - Palo Alto Network Threat search: |- - | tstats count FROM datamodel=Web - WHERE Web.http_method IN ("GET") Web.url="*/catalog-portal/ui/oauth/verify?error=&deviceudid=*" - AND - Web.url="*freemarker.template.utility.Execute*" - BY Web.http_user_agent Web.http_method, Web.url,Web.url_length - Web.src, Web.dest sourcetype + | tstats `security_content_summariesonly` + count min(_time) as firstTime + max(_time) as lastTime + + FROM datamodel=Web WHERE + Web.http_method="GET" + Web.url="*/catalog-portal/ui/oauth/verify?error=&deviceudid=*" + Web.url="*freemarker.template.utility.Execute*" + BY Web.http_user_agent Web.http_method + Web.url Web.url_length + Web.src Web.dest sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `vmware_workspace_one_freemarker_server_side_template_injection_filter` -how_to_implement: To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. For additional filtering, allow list private IP space or restrict by known good. -known_false_positives: False positives may be present if the activity is blocked or was not successful. Filter known vulnerablity scanners. Filter as needed. +how_to_implement: | + To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. For additional filtering, allow list private IP space or restrict by known good. +known_false_positives: | + False positives may be present if the activity is blocked or was not successful. + Filter known vulnerability scanners. Filter as needed. references: - https://www.cisa.gov/uscert/ncas/alerts/aa22-138b - https://github.com/wvu/metasploit-framework/blob/master/modules/exploits/linux/http/vmware_workspace_one_access_cve_2022_22954.rb 
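Review bot: The new BY clause keeps `sourcetype` (`Web.src Web.dest sourcetype`) while the other five searches rewritten in this commit drop it, and it omits `Web.status`, which the FortiNAC, Aria and SSTI-hunt searches add to their BY clauses. Unless splitting by sourcetype is intentional here, I'd align with the siblings: `BY Web.http_user_agent Web.status` / `Web.http_method Web.url Web.url_length` / `Web.src Web.dest`. If it is intentional, a short comment in how_to_implement saying why this search groups by sourcetype would save the next reader the same question.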
@@ -61,5 +73,5 @@ tests: - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/vmware/vmware_scanning_pan_threat.log - source: pan:threat + source: not_applicable sourcetype: pan:threat