updates and tunings

nasbench · nasbench · commit 7b4815f74545 · 2025-03-03T15:46:14.000+01:00
diff --git a/detections/deprecated/certutil_download_with_urlcache_and_split_arguments.yml b/detections/deprecated/certutil_download_with_urlcache_and_split_arguments.yml
@@ -1,11 +1,12 @@
 name: CertUtil Download With URLCache and Split Arguments
 id: 415b4306-8bfb-11eb-85c4-acde48001122
-version: 10
-date: '2024-12-10'
+version: 11
+date: '2025-03-03'
 author: Michael Haag, Splunk
-status: production
+status: deprecated
 type: TTP
-description: The following analytic detects the use of certutil.exe to download files
+description: This analytic has been deprecated in favor of "Windows CertUtil Download".
+  The following analytic detects the use of certutil.exe to download files
   using the `-urlcache` and `-f` arguments. It leverages Endpoint Detection and Response
   (EDR) data, focusing on command-line executions that include these specific arguments.
   This activity is significant because certutil.exe is typically used for certificate
diff --git a/detections/deprecated/certutil_download_with_verifyctl_and_split_arguments.yml b/detections/deprecated/certutil_download_with_verifyctl_and_split_arguments.yml
@@ -1,11 +1,12 @@
 name: CertUtil Download With VerifyCtl and Split Arguments
 id: 801ad9e4-8bfb-11eb-8b31-acde48001122
-version: 10
-date: '2024-12-10'
+version: 11
+date: '2025-03-03'
 author: Michael Haag, Splunk
-status: production
+status: deprecated
 type: TTP
-description: The following analytic detects the use of `certutil.exe` to download
+description: This analytic has been deprecated in favor of "Windows CertUtil Download".
+  The following analytic detects the use of `certutil.exe` to download
   files using the `-VerifyCtl` and `-f` arguments. This behavior is identified by
   monitoring command-line executions for these specific arguments via Endpoint Detection
   and Response (EDR) telemetry. This activity is significant because `certutil.exe`
diff --git a/detections/deprecated/windows_certutil_download_with_url_argument.yml b/detections/deprecated/windows_certutil_download_with_url_argument.yml
@@ -1,11 +1,12 @@
 name: Windows CertUtil Download With URL Argument
 id: 4fc5ca00-4c7c-46b3-8772-c98a4b8bd944
-version: 3
-date: '2025-01-07'
+version: 4
+date: '2025-03-03'
 author: Nasreddine Bencherchali, Splunk
-status: production
+status: deprecated
 type: TTP
-description: The following analytic detects the use of `certutil.exe` to download
+description: This analytic has been deprecated in favor of "Windows CertUtil Download".
+  The following analytic detects the use of `certutil.exe` to download
   files using the `-URL` arguments. This behavior is identified by monitoring command-line
   executions for these specific arguments via Endpoint Detection and Response (EDR)
   telemetry. This activity is significant because `certutil.exe` is a legitimate tool
diff --git a/detections/endpoint/chcp_command_execution.yml b/detections/endpoint/chcp_command_execution.yml
@@ -1,15 +1,14 @@
 name: CHCP Command Execution
 id: 21d236ec-eec1-11eb-b23e-acde48001122
-version: 5
-date: '2025-02-19'
+version: 6
+date: '2025-02-28'
 author: Teoderick Contreras, Splunk
 status: production
-type: TTP
-description: The following analytic detects the execution of the chcp.exe application,
+type: Anomaly
+description: The following analytic detects the execution of the chcp.com utility,
   which is used to change the active code page of the console. This detection leverages
   data from Endpoint Detection and Response (EDR) agents, focusing on process creation
-  events where chcp.exe is executed by cmd.exe with specific command-line arguments.
-  This activity is significant because it can indicate the presence of malware, such
+  events. This activity is significant because it can indicate the presence of malware, such
   as IcedID, which uses this technique to determine the locale region, language, or
   country of the compromised host. If confirmed malicious, this could lead to further
   system compromise and data exfiltration.
@@ -18,8 +17,7 @@ data_source:
 - CrowdStrike ProcessRollup2
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
   as lastTime from datamodel=Endpoint.Processes where Processes.process_name=chcp.com
-  Processes.parent_process_name = cmd.exe (Processes.parent_process=*/c* OR Processes.parent_process=*/k*)
-  by  Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process
+  by Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process
   Processes.process_id Processes.parent_process_id Processes.dest Processes.user |
   `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
   | `chcp_command_execution_filter`'
@@ -32,8 +30,7 @@ how_to_implement: The detection is based on data that originates from Endpoint D
   the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
   data model. Use the Splunk Common Information Model (CIM) to normalize the field
   names and speed up the data modeling process.
-known_false_positives: other tools or script may used this to change code page to
-  UTF-* or others
+known_false_positives: other tools or script may used this to change code page to UTF-* or others
 references:
 - https://ss64.com/nt/chcp.html
 - https://twitter.com/tccontre18/status/1419941156633329665?s=20
diff --git a/detections/endpoint/check_elevated_cmd_using_whoami.yml b/detections/endpoint/check_elevated_cmd_using_whoami.yml
@@ -5,8 +5,11 @@ date: '2024-11-13'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
-description: The following analytic identifies the execution of the 'whoami' command
-  with specific parameters to check for elevated privileges. It leverages data from
+description: The following analytic identifies the execution of the "whoami" command
+  with the "/group" flag, where the results are passed to the "find" command in order
+  to look for a the string "12288". This string represents the SID of the group
+  "Mandatory Label\High Mandatory Level" effectively checking if the current process
+  is running as a "High" integrity process or with Administrator privileges. It leverages data from
   Endpoint Detection and Response (EDR) agents, focusing on process and command-line
   telemetry. This activity is significant because it is commonly used by attackers,
   such as FIN7, to perform reconnaissance on a compromised host. If confirmed malicious,
@@ -31,7 +34,7 @@ how_to_implement: The detection is based on data that originates from Endpoint D
   the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
   data model. Use the Splunk Common Information Model (CIM) to normalize the field
   names and speed up the data modeling process.
-known_false_positives: unknown
+known_false_positives: The combination of these commands is unlikely to occur in a production environment. Any matches should be investigated. 
 references: []
 drilldown_searches:
 - name: View the detection results for - "$dest$" and "$user$"
diff --git a/detections/endpoint/system_processes_run_from_unexpected_locations.yml b/detections/endpoint/system_processes_run_from_unexpected_locations.yml
@@ -1,12 +1,12 @@
 name: System Processes Run From Unexpected Locations
 id: a34aae96-ccf8-4aef-952c-3ea21444444d
-version: 10
-date: '2025-02-10'
-author: David Dorsey, Michael Haag, Splunk
+version: 11
+date: '2025-03-03'
+author: David Dorsey, Michael Haag, Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
 description: The following analytic identifies system processes running from unexpected
-  locations outside `C:\Windows\System32\` or `C:\Windows\SysWOW64`. It leverages
+  locations outside of paths such as `C:\Windows\System32\` or `C:\Windows\SysWOW64`. It leverages
   data from Endpoint Detection and Response (EDR) agents, focusing on process paths,
   names, and hashes. This activity is significant as it may indicate a malicious process
   attempting to masquerade as a legitimate system process. If confirmed malicious,
@@ -17,8 +17,7 @@ data_source:
 - Windows Event Log Security 4688
 - CrowdStrike ProcessRollup2
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
-  as lastTime FROM datamodel=Endpoint.Processes where Processes.process_path !="C:\\Windows\\System32*"
-  Processes.process_path !="C:\\Windows\\SysWOW64*" by Processes.dest Processes.user
+  as lastTime FROM datamodel=Endpoint.Processes where  NOT Processes.process_path IN ("C:\\$WINDOWS.~BT\\*", "C:\\$WinREAgent\\*", "C:\\Windows\\SoftwareDistribution\\*", "C:\\Windows\\System32\\*", "C:\\Windows\\SystemTemp\\*", "C:\\Windows\\SysWOW64\\*", "C:\\Windows\\uus\\*", "C:\\Windows\\WinSxS\\*") by Processes.dest Processes.user
   Processes.parent_process Processes.process_path Processes.process_name Processes.process
   Processes.process_id Processes.parent_process_id Processes.process_hash | `drop_dm_object_name("Processes")`
   | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `is_windows_system_file_macro`
diff --git a/detections/endpoint/windows_file_download_via_certutil.yml b/detections/endpoint/windows_file_download_via_certutil.yml
@@ -0,0 +1,86 @@
+name: Windows File Download Via CertUtil
+id: 7fac8d40-e370-45ea-a4a3-031bbcc18b02
+version: 1
+date: '2025-03-03'
+author: Nasreddine Bencherchali, Michael Haag, Splunk
+status: production
+type: TTP
+description: The following analytic detects the use of `certutil.exe` to download files using the `-URL`, `-urlcache` or '-verifyctl' arguments. This behavior is identified by monitoring command-line executions for these specific arguments via Endpoint Detection and Response (EDR) telemetry. This activity is significant because `certutil.exe` is a legitimate tool often abused by attackers to download and execute malicious payloads. If confirmed malicious, this could allow an attacker to download and execute arbitrary files, potentially leading to code execution, data exfiltration, or further compromise of the system.
+data_source:
+- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
+  as lastTime from datamodel=Endpoint.Processes where `process_certutil` AND ((Processes.process IN ("*-URL *", "*/URL *")) OR (Processes.process IN ("*urlcache*", "*verifyctl*") AND Processes.process IN ("*/f *", "*-f *"))) by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_file_download_via_certutil_filter`'
+how_to_implement: The detection is based on data that originates from Endpoint Detection
+  and Response (EDR) agents. These agents are designed to provide security-related
+  telemetry from the endpoints where the agent is installed. To implement this search,
+  you must ingest logs that contain the process GUID, process name, and parent process.
+  Additionally, you must ingest complete command-line executions. These logs must
+  be processed using the appropriate Splunk Technology Add-ons that are specific to
+  the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
+  data model. Use the Splunk Common Information Model (CIM) to normalize the field
+  names and speed up the data modeling process.
+known_false_positives: Limited false positives in most environments, however tune
+  as needed based on parent-child relationship or network connection.
+references:
+- https://attack.mitre.org/techniques/T1105/
+- https://www.hexacorn.com/blog/2020/08/23/certutil-one-more-gui-lolbin/
+- https://www.avira.com/en/blog/certutil-abused-by-attackers-to-spread-threats
+- https://web.archive.org/web/20210921110637/https://www.fireeye.com/blog/threat-research/2019/10/certutil-qualms-they-came-to-drop-fombs.html
+- https://lolbas-project.github.io/lolbas/Binaries/Certutil/
+- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732443(v=ws.11)#-verifyctl
+drilldown_searches:
+- name: View the detection results for - "$user$" and "$dest$"
+  search: '%original_detection_search% | search  user = "$user$" dest = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$" and "$dest$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$",
+    "$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time)
+    as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk
+    Message" values(analyticstories) as "Analytic Stories" values(annotations._all)
+    as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics"
+    by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: An instance of $parent_process_name$ spawning $process_name$ was identified
+    on endpoint $dest$ by user $user$ attempting to download a file.
+  risk_objects:
+  - field: user
+    type: user
+    score: 90
+  - field: dest
+    type: system
+    score: 90
+  threat_objects:
+  - field: parent_process_name
+    type: parent_process_name
+  - field: process_name
+    type: process_name
+tags:
+  analytic_story:
+  - Living Off The Land
+  - Ingress Tool Transfer
+  - ProxyNotShell
+  - DarkSide Ransomware
+  - Forest Blizzard
+  - Flax Typhoon
+  - Compromised Windows Host
+  - CISA AA22-277A
+  asset_type: Endpoint
+  mitre_attack_id:
+  - T1105
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: 
+      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/windows-sysmon.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: XmlWinEventLog
diff --git a/detections/endpoint/windows_process_with_namedpipe_commandline.yml b/detections/endpoint/windows_process_with_namedpipe_commandline.yml
@@ -1,7 +1,7 @@
 name: Windows Process With NamedPipe CommandLine
 id: e64399d4-94a8-11ec-a9da-acde48001122
-version: 4
-date: '2024-11-13'
+version: 5
+date: '2025-03-03'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -19,7 +19,7 @@ data_source:
 - CrowdStrike ProcessRollup2
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
   as lastTime from datamodel=Endpoint.Processes where Processes.process = "*\\\\.\\pipe\\*"
-  NOT (Processes.process_path IN ("*\\program files*")) by Processes.parent_process_name
+  NOT Processes.process_path IN ("C:\\Program Files\\*", "C:\\Program Files (x86)\\*") by Processes.parent_process_name
   Processes.parent_process Processes.process_name Processes.process Processes.original_file_name
   Processes.process_id Processes.parent_process_path Processes.process_guid Processes.parent_process_id
   Processes.dest Processes.user Processes.process_path | `drop_dm_object_name(Processes)`
diff --git a/detections/endpoint/windows_query_registry_browser_list_application.yml b/detections/endpoint/windows_query_registry_browser_list_application.yml
@@ -1,7 +1,7 @@
 name: Windows Query Registry Browser List Application
 id: 45ebd21c-f4bf-4ced-bd49-d25b6526cebb
-version: 4
-date: '2024-11-13'
+version: 5
+date: '2025-03-03'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -16,8 +16,8 @@ description: The following analytic detects a suspicious process accessing the r
   confirmed malicious, this behavior could enable attackers to exfiltrate sensitive
   information and compromise user accounts.
 search: '`wineventlog_security` EventCode=4663 object_file_path IN ("*\\SOFTWARE\\Clients\\StartMenuInternet\\*",
-  "*\\SOFTWARE\\Clients\\StartMenuInternet\\*") AND NOT (process_path IN ("*:\\Windows\\System32\\*",
-  "*:\\Windows\\SysWow64\\*", "*:\\Program Files*", "*:\\Windows\\*")) | stats count
+  "*\\SOFTWARE\\Clients\\StartMenuInternet\\*") AND NOT process_path IN ("*:\\Windows\\System32\\*",
+  "*:\\Windows\\SysWow64\\*", *:\\Windows\\WinSxS\\*, "*:\\Program Files\\*", "*:\\Program Files (x86)\\*") | stats count
   min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path
   process_name process_path  process_id EventCode dest | `security_content_ctime(firstTime)`
   | `security_content_ctime(lastTime)` | `windows_query_registry_browser_list_application_filter`'
diff --git a/detections/endpoint/windows_user_execution_malicious_url_shortcut_file.yml b/detections/endpoint/windows_user_execution_malicious_url_shortcut_file.yml
@@ -1,23 +1,18 @@
 name: Windows User Execution Malicious URL Shortcut File
 id: 5c7ee6ad-baf4-44fb-b2f0-0cfeddf82dbc
-version: 5
-date: '2025-02-10'
-author: Teoderick Contreras, Splunk
+version: 6
+date: '2025-03-03'
+author: Teoderick Contreras, Nasreddine Bencherchali, Splunk
 status: production
-type: TTP
-description: The following analytic detects the creation of suspicious URL shortcut
-  link files, often used by malware like CHAOS ransomware. It leverages the Endpoint.Filesystem
-  datamodel to identify .url files created outside standard directories, such as Program
-  Files. This activity is significant as it may indicate an attempt to execute malicious
-  code upon system reboot. If confirmed malicious, this could allow an attacker to
-  achieve persistence and execute harmful payloads, potentially leading to further
-  system compromise and data loss.
+type: Anomaly
+description: The following analytic detects the creation URL shortcut files, often used by malware like CHAOS ransomware.
+  It leverages the Endpoint.Filesystem datamodel to identify ".url" files created outside common directories, such as "Program Files".
+  This activity can be significant as ".URL" files can be used as mean to trick the user into visiting certain websites unknowingly, or when placed in certain locations such as "\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", it may allow the execution of malicious code upon system reboot. If confirmed malicious, this could allow an attacker to achieve persistence and execute harmful payloads, potentially leading to further system compromise and data loss.
 data_source:
 - Sysmon EventID 11
 search: '|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
-  as lastTime from datamodel=Endpoint.Filesystem where NOT(Filesystem.file_path IN
-  ("*\\Program Files*")) Filesystem.file_name = *.url by Filesystem.file_create_time
-  Filesystem.process_id  Filesystem.file_name Filesystem.user Filesystem.file_path
+  as lastTime from datamodel=Endpoint.Filesystem where NOT Filesystem.file_path IN
+  ("*:\\Program Files\\*", "*:\\Program Files (x86)\\*", "*\\AppData\\Roaming\\Microsoft\\Office\\Recent\\*", "*:\\Windows\\WinSxS\\*") Filesystem.file_name=*.url by Filesystem.file_create_time Filesystem.process_id  Filesystem.file_name Filesystem.user Filesystem.file_path
   Filesystem.process_guid Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)`
   | `security_content_ctime(lastTime)` | `windows_user_execution_malicious_url_shortcut_file_filter`'
 how_to_implement: To successfully implement this search you need to be ingesting information
@@ -43,14 +38,14 @@ drilldown_searches:
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
 rba:
-  message: a process created URL shortcut file in $file_path$ of $dest$
+  message: A process created a .URL shortcut file in $file_path$ of $dest$
   risk_objects:
   - field: user
     type: user
-    score: 64
+    score: 50
   - field: dest
     type: system
-    score: 64
+    score: 50
   threat_objects: []
 tags:
   analytic_story:
diff --git a/detections/network/protocols_passing_authentication_in_cleartext.yml b/detections/network/protocols_passing_authentication_in_cleartext.yml
@@ -1,10 +1,10 @@
 name: Protocols passing authentication in cleartext
 id: 6923cd64-17a0-453c-b945-81ac2d8c6db9
-version: 6
-date: '2024-11-15'
+version: 7
+date: '2025-03-03'
 author: Rico Valdez, Splunk
 status: experimental
-type: TTP
+type: Anomaly
 description: The following analytic identifies the use of cleartext protocols that
   risk leaking sensitive information. It detects network traffic on legacy protocols
   such as Telnet (port 23), POP3 (port 110), IMAP (port 143), and non-anonymous FTP
@@ -25,8 +25,7 @@ how_to_implement: This search requires you to be ingesting your network traffic,
   populating the Network_Traffic data model. For more accurate result it's better
   to limit destination to organization private and public IP range, like All_Traffic.dest
   IN(192.168.0.0/16,172.16.0.0/12,10.0.0.0/8, x.x.x.x/22)
-known_false_positives: Some networks may use kerberized FTP or telnet servers, however,
-  this is rare.
+known_false_positives: Some networks may use kerberos, FTP or telnet servers, however, this is rare.
 references:
 - https://www.rackaid.com/blog/secure-your-email-and-file-transfers/
 - https://www.infosecmatter.com/capture-passwords-using-wireshark/
