From 60164de4e7cde1851d99f49c1874fb407844631c Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali
Date: Mon, 3 Mar 2025 15:46:14 +0100
Subject: [PATCH 01/11] updates and tunings
---
 ...load_with_urlcache_and_split_arguments.yml | 5 +-
 ...oad_with_verifyctl_and_split_arguments.yml | 5 +-
 ...ws_certutil_download_with_url_argument.yml | 5 +-
 .../endpoint/chcp_command_execution.yml | 22 ++---
 .../check_elevated_cmd_using_whoami.yml | 9 +-
 ...rocesses_run_from_unexpected_locations.yml | 20 ++---
 .../windows_file_download_via_certutil.yml | 86 +++++++++++++++++++
 ...ows_process_with_namedpipe_commandline.yml | 15 ++--
 ...uery_registry_browser_list_application.yml | 4 +-
 ..._execution_malicious_url_shortcut_file.yml | 33 +++----
 ...ls_passing_authentication_in_cleartext.yml | 9 +-
 11 files changed, 142 insertions(+), 71 deletions(-)
 rename detections/{endpoint => deprecated}/certutil_download_with_urlcache_and_split_arguments.yml (96%)
 rename detections/{endpoint => deprecated}/certutil_download_with_verifyctl_and_split_arguments.yml (96%)
 rename detections/{endpoint => deprecated}/windows_certutil_download_with_url_argument.yml (96%)
 create mode 100644 detections/endpoint/windows_file_download_via_certutil.yml
diff --git a/detections/endpoint/certutil_download_with_urlcache_and_split_arguments.yml b/detections/deprecated/certutil_download_with_urlcache_and_split_arguments.yml
similarity index 96%
rename from detections/endpoint/certutil_download_with_urlcache_and_split_arguments.yml
rename to detections/deprecated/certutil_download_with_urlcache_and_split_arguments.yml
index d83fd1f502..7c2519c3b0 100644
--- a/detections/endpoint/certutil_download_with_urlcache_and_split_arguments.yml
+++ b/detections/deprecated/certutil_download_with_urlcache_and_split_arguments.yml
@@ -3,9 +3,10 @@ id: 415b4306-8bfb-11eb-85c4-acde48001122 version: 12 date: '2025-04-16' author: Michael Haag, Splunk -status: production +status: deprecated type: TTP -description: The following analytic detects the use of certutil.exe to download files +description: This analytic has been deprecated in favor of "Windows CertUtil Download". + The following analytic detects the use of certutil.exe to download files using the `-urlcache` and `-f` arguments. It leverages Endpoint Detection and Response (EDR) data, focusing on command-line executions that include these specific arguments. This activity is significant because certutil.exe is typically used for certificate diff --git a/detections/endpoint/certutil_download_with_verifyctl_and_split_arguments.yml b/detections/deprecated/certutil_download_with_verifyctl_and_split_arguments.yml similarity index 96% rename from detections/endpoint/certutil_download_with_verifyctl_and_split_arguments.yml rename to detections/deprecated/certutil_download_with_verifyctl_and_split_arguments.yml index d183056cf4..d93f16be39 100644 --- a/detections/endpoint/certutil_download_with_verifyctl_and_split_arguments.yml +++ b/detections/deprecated/certutil_download_with_verifyctl_and_split_arguments.yml @@ -3,9 +3,10 @@ id: 801ad9e4-8bfb-11eb-8b31-acde48001122 version: 12 date: '2025-04-16' author: Michael Haag, Splunk -status: production +status: deprecated type: TTP -description: The following analytic detects the use of `certutil.exe` to download +description: This analytic has been deprecated in favor of "Windows CertUtil Download". + The following analytic detects the use of `certutil.exe` to download files using the `-VerifyCtl` and `-f` arguments. This behavior is identified by monitoring command-line executions for these specific arguments via Endpoint Detection and Response (EDR) telemetry. This activity is significant because `certutil.exe` 
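Review bot: The deprecation notice added to `description` points readers to a detection called "Windows CertUtil Download", but the replacement analytic created in this same patch is titled `name: Windows File Download Via CertUtil`, so the pointer does not resolve to any detection by that name. The identical sentence is added in the verifyctl hunk that follows on this line and in the url-argument hunk of the next file, so all three should be changed together, e.g. `description: This analytic has been deprecated in favor of "Windows File Download Via CertUtil".`. The `version` values visible in the context lines (12, 12 and 5) are not bumped although `status` changes; worth checking against the repository's convention for deprecations.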
diff --git a/detections/endpoint/windows_certutil_download_with_url_argument.yml b/detections/deprecated/windows_certutil_download_with_url_argument.yml similarity index 96% rename from detections/endpoint/windows_certutil_download_with_url_argument.yml rename to detections/deprecated/windows_certutil_download_with_url_argument.yml index edf48a4bef..d0b2b97673 100644 --- a/detections/endpoint/windows_certutil_download_with_url_argument.yml +++ b/detections/deprecated/windows_certutil_download_with_url_argument.yml @@ -3,9 +3,10 @@ id: 4fc5ca00-4c7c-46b3-8772-c98a4b8bd944 version: 5 date: '2025-04-16' author: Nasreddine Bencherchali, Splunk -status: production +status: deprecated type: TTP -description: The following analytic detects the use of `certutil.exe` to download +description: This analytic has been deprecated in favor of "Windows CertUtil Download". + The following analytic detects the use of `certutil.exe` to download files using the `-URL` arguments. This behavior is identified by monitoring command-line executions for these specific arguments via Endpoint Detection and Response (EDR) telemetry. This activity is significant because `certutil.exe` is a legitimate tool diff --git a/detections/endpoint/chcp_command_execution.yml b/detections/endpoint/chcp_command_execution.yml index e24a0ed294..dd4ccea74b 100644 --- a/detections/endpoint/chcp_command_execution.yml +++ b/detections/endpoint/chcp_command_execution.yml 
@@ -1,15 +1,14 @@ name: CHCP Command Execution id: 21d236ec-eec1-11eb-b23e-acde48001122 version: 6 -date: '2025-02-19' +date: '2025-02-28' author: Teoderick Contreras, Splunk status: production -type: TTP -description: The following analytic detects the execution of the chcp.exe application, +type: Anomaly +description: The following analytic detects the execution of the chcp.com utility, which is used to change the active code page of the console. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation - events where chcp.exe is executed by cmd.exe with specific command-line arguments. - This activity is significant because it can indicate the presence of malware, such + events. This activity is significant because it can indicate the presence of malware, such as IcedID, which uses this technique to determine the locale region, language, or country of the compromised host. If confirmed malicious, this could lead to further system compromise and data exfiltration. 
@@ -18,13 +17,9 @@ data_source: - CrowdStrike ProcessRollup2 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=chcp.com - Processes.parent_process_name = cmd.exe (Processes.parent_process=*/c* OR Processes.parent_process=*/k*) - by Processes.action Processes.dest Processes.original_file_name Processes.parent_process - Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id - Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec - Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level - Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product - | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + by Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process + Processes.process_id Processes.parent_process_id Processes.dest Processes.user | + `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `chcp_command_execution_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related 
@@ -35,8 +30,7 @@ how_to_implement: The detection is based on data that originates from Endpoint D the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: other tools or script may used this to change code page to - UTF-* or others +known_false_positives: other tools or script may used this to change code page to UTF-* or others references: - https://ss64.com/nt/chcp.html - https://twitter.com/tccontre18/status/1419941156633329665?s=20 diff --git a/detections/endpoint/check_elevated_cmd_using_whoami.yml b/detections/endpoint/check_elevated_cmd_using_whoami.yml index 2921928934..0ac703695c 100644 --- a/detections/endpoint/check_elevated_cmd_using_whoami.yml +++ b/detections/endpoint/check_elevated_cmd_using_whoami.yml @@ -5,8 +5,11 @@ date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic identifies the execution of the 'whoami' command - with specific parameters to check for elevated privileges. It leverages data from +description: The following analytic identifies the execution of the "whoami" command + with the "/group" flag, where the results are passed to the "find" command in order + to look for a the string "12288". This string represents the SID of the group + "Mandatory Label\High Mandatory Level" effectively checking if the current process + is running as a "High" integrity process or with Administrator privileges. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and command-line telemetry. This activity is significant because it is commonly used by attackers, such as FIN7, to perform reconnaissance on a compromised host. If confirmed malicious, 
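Review bot: The reflowed `known_false_positives` line carries over the original grammatical errors ("other tools or script may used this"), so joining it onto one line is a good moment to fix the wording as well. Suggest `known_false_positives: Other tools or scripts may use this to change the code page to UTF-* or others.`. Because the preceding search hunk removed the `cmd.exe` parent-process and `/c`/`/k` constraints, every `chcp.com` launch now matches, which is consistent with the switch to `type: Anomaly` but could be stated here so tuners know interactive use is expected.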
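Review bot: The new description text has a typo ("to look for a the string") and describes 12288 as "the SID of the group", which is imprecise: 12288 is the relative identifier of the integrity-level SID S-1-16-12288 (High Mandatory Level), not a group SID. Suggest `to look for the string "12288". This value is the RID of the integrity SID S-1-16-12288 ("Mandatory Label\High Mandatory Level"),`. The wording "with the "/group" flag" may also want the full switch name as whoami documents it (`/groups`), unless the abbreviated form is what the search matches on; the search itself is outside this hunk.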
@@ -35,7 +38,7 @@ how_to_implement: The detection is based on data that originates from Endpoint D the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: unknown +known_false_positives: The combination of these commands is unlikely to occur in a production environment. Any matches should be investigated. references: [] drilldown_searches: - name: View the detection results for - "$dest$" and "$user$" diff --git a/detections/endpoint/system_processes_run_from_unexpected_locations.yml b/detections/endpoint/system_processes_run_from_unexpected_locations.yml index 52ded1d414..847a6a5e8c 100644 --- a/detections/endpoint/system_processes_run_from_unexpected_locations.yml +++ b/detections/endpoint/system_processes_run_from_unexpected_locations.yml @@ -1,12 +1,12 @@ name: System Processes Run From Unexpected Locations id: a34aae96-ccf8-4aef-952c-3ea21444444d version: 11 -date: '2025-02-10' -author: David Dorsey, Michael Haag, Splunk +date: '2025-03-03' +author: David Dorsey, Michael Haag, Nasreddine Bencherchali, Splunk status: production type: Anomaly description: The following analytic identifies system processes running from unexpected - locations outside `C:\Windows\System32\` or `C:\Windows\SysWOW64`. It leverages + locations outside of paths such as `C:\Windows\System32\` or `C:\Windows\SysWOW64`. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process paths, names, and hashes. This activity is significant as it may indicate a malicious process attempting to masquerade as a legitimate system process. If confirmed malicious, 
@@ -17,15 +17,11 @@ data_source: - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime FROM datamodel=Endpoint.Processes where Processes.process_path !="C:\\Windows\\System32*" - Processes.process_path !="C:\\Windows\\SysWOW64*" by Processes.action Processes.dest - Processes.original_file_name Processes.parent_process Processes.parent_process_exec - Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name - Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid - Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name - Processes.process_path Processes.user Processes.user_id Processes.vendor_product - | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| - `is_windows_system_file_macro` | `system_processes_run_from_unexpected_locations_filter`' + as lastTime FROM datamodel=Endpoint.Processes where NOT Processes.process_path IN ("C:\\$WINDOWS.~BT\\*", "C:\\$WinREAgent\\*", "C:\\Windows\\SoftwareDistribution\\*", "C:\\Windows\\System32\\*", "C:\\Windows\\SystemTemp\\*", "C:\\Windows\\SysWOW64\\*", "C:\\Windows\\uus\\*", "C:\\Windows\\WinSxS\\*") by Processes.dest Processes.user + Processes.parent_process Processes.process_path Processes.process_name Processes.process + Processes.process_id Processes.parent_process_id Processes.process_hash | `drop_dm_object_name("Processes")` + | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `is_windows_system_file_macro` + | `system_processes_run_from_unexpected_locations_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. 
To implement this search,
diff --git a/detections/endpoint/windows_file_download_via_certutil.yml b/detections/endpoint/windows_file_download_via_certutil.yml
new file mode 100644
index 0000000000..90640fc8f2
--- /dev/null
+++ b/detections/endpoint/windows_file_download_via_certutil.yml
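Review bot: The two new exclusions `"C:\\$WINDOWS.~BT\\*"` and `"C:\\$WinREAgent\\*"` introduce `$` into the search string; if any layer between this YAML and the deployed saved search performs `$token$` substitution, the text between the two dollar signs could be treated as a token name, so the rendered search is worth checking once (the same list is carried into the later hunk of this file in patch 03). The exclusion list also grows from two system directories to eight, including `C:\Windows\SoftwareDistribution\*` and `C:\Windows\SystemTemp\*`, and nothing in the file records why each of these update/staging paths is trusted; a sentence in `known_false_positives` naming them would let the next tuner judge whether to keep them. The widened `description` ("paths such as") is fine, but it no longer tells the reader which paths are actually excluded.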
@@ -0,0 +1,86 @@ +name: Windows File Download Via CertUtil +id: 7fac8d40-e370-45ea-a4a3-031bbcc18b02 +version: 1 +date: '2025-03-03' +author: Nasreddine Bencherchali, Michael Haag, Splunk +status: production +type: TTP +description: The following analytic detects the use of `certutil.exe` to download files using the `-URL`, `-urlcache` or '-verifyctl' arguments. This behavior is identified by monitoring command-line executions for these specific arguments via Endpoint Detection and Response (EDR) telemetry. This activity is significant because `certutil.exe` is a legitimate tool often abused by attackers to download and execute malicious payloads. If confirmed malicious, this could allow an attacker to download and execute arbitrary files, potentially leading to code execution, data exfiltration, or further compromise of the system. +data_source: +- Sysmon EventID 1 +- Windows Event Log Security 4688 +- CrowdStrike ProcessRollup2 +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_certutil` AND ((Processes.process IN ("*-URL *", "*/URL *")) OR (Processes.process IN ("*urlcache*", "*verifyctl*") AND Processes.process IN ("*/f *", "*-f *"))) by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_file_download_via_certutil_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. 
+ Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Limited false positives in most environments, however tune + as needed based on parent-child relationship or network connection. +references: +- https://attack.mitre.org/techniques/T1105/ +- https://www.hexacorn.com/blog/2020/08/23/certutil-one-more-gui-lolbin/ +- https://www.avira.com/en/blog/certutil-abused-by-attackers-to-spread-threats +- https://web.archive.org/web/20210921110637/https://www.fireeye.com/blog/threat-research/2019/10/certutil-qualms-they-came-to-drop-fombs.html +- https://lolbas-project.github.io/lolbas/Binaries/Certutil/ +- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732443(v=ws.11)#-verifyctl +drilldown_searches: +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + 
message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting to download a file. + risk_objects: + - field: user + type: user + score: 90 + - field: dest + type: system + score: 90 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name +tags: + analytic_story: + - Living Off The Land + - Ingress Tool Transfer + - ProxyNotShell + - DarkSide Ransomware + - Forest Blizzard + - Flax Typhoon + - Compromised Windows Host + - CISA AA22-277A + asset_type: Endpoint + mitre_attack_id: + - T1105 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/windows-sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_process_with_namedpipe_commandline.yml b/detections/endpoint/windows_process_with_namedpipe_commandline.yml index f3e83be25f..9999d9c1d6 100644 --- a/detections/endpoint/windows_process_with_namedpipe_commandline.yml +++ b/detections/endpoint/windows_process_with_namedpipe_commandline.yml @@ -1,7 +1,7 @@ name: Windows Process With NamedPipe CommandLine id: e64399d4-94a8-11ec-a9da-acde48001122 version: 5 -date: '2024-11-13' +date: '2025-03-03' author: Teoderick Contreras, Splunk status: production type: Anomaly 
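Review bot: The `description` mixes quoting styles for the three switches (`-URL` and `-urlcache` in backticks, '-verifyctl' in single quotes); inside a plain YAML scalar those single quotes are literal characters and will show in the rendered text, so use one style, e.g. `` files using the `-URL`, `-urlcache` or `-verifyctl` arguments ``. The `how_to_implement` text states that the logs must contain "the process GUID", yet the `by` clause groups on `Processes.process_id`/`Processes.parent_process_id` only and omits `Processes.process_guid` and `Processes.process_path`, so either the field list or that boilerplate should be aligned. The `tests` entry reuses the generic T1105 atomic dataset; confirm it actually contains a certutil command line with `-f`/`/f`, since the `-urlcache`/`-verifyctl` branch only fires when that second switch is present.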
@@ -19,14 +19,11 @@ data_source: - CrowdStrike ProcessRollup2 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = "*\\\\.\\pipe\\*" - NOT (Processes.process_path IN ("*\\program files*")) by Processes.action Processes.dest - Processes.original_file_name Processes.parent_process Processes.parent_process_exec - Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name - Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid - Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name - Processes.process_path Processes.user Processes.user_id Processes.vendor_product - | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `windows_process_with_namedpipe_commandline_filter`' + NOT Processes.process_path IN ("C:\\Program Files\\*", "C:\\Program Files (x86)\\*") by Processes.parent_process_name + Processes.parent_process Processes.process_name Processes.process Processes.original_file_name + Processes.process_id Processes.parent_process_path Processes.process_guid Processes.parent_process_id + Processes.dest Processes.user Processes.process_path | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_with_namedpipe_commandline_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, diff --git a/detections/endpoint/windows_query_registry_browser_list_application.yml b/detections/endpoint/windows_query_registry_browser_list_application.yml index efe1db1c2d..3f5f4af6bd 100644 
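Review bot: The rewritten exclusion hard-codes the drive letter (`"C:\\Program Files\\*", "C:\\Program Files (x86)\\*"`), whereas the line it replaces (`"*\\program files*"`) and the other searches tuned in this patch (the browser-list and URL-shortcut files) use the drive-agnostic `"*:\\..."` form. Hosts with Windows on another volume simply lose the exclusion, so the effect is extra noise rather than a miss, but for consistency suggest `NOT Processes.process_path IN ("*:\\Program Files\\*", "*:\\Program Files (x86)\\*")`. The search logic changes here while the first hunk of this file bumps only `date` and leaves `version: 5` unchanged.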
--- a/detections/endpoint/windows_query_registry_browser_list_application.yml +++ b/detections/endpoint/windows_query_registry_browser_list_application.yml @@ -16,8 +16,8 @@ description: The following analytic detects a suspicious process accessing the r confirmed malicious, this behavior could enable attackers to exfiltrate sensitive information and compromise user accounts. search: '`wineventlog_security` EventCode=4663 object_file_path IN ("*\\SOFTWARE\\Clients\\StartMenuInternet\\*", - "*\\SOFTWARE\\Clients\\StartMenuInternet\\*") AND NOT (process_path IN ("*:\\Windows\\System32\\*", - "*:\\Windows\\SysWow64\\*", "*:\\Program Files*", "*:\\Windows\\*")) | stats count + "*\\SOFTWARE\\Clients\\StartMenuInternet\\*") AND NOT process_path IN ("*:\\Windows\\System32\\*", + "*:\\Windows\\SysWow64\\*", *:\\Windows\\WinSxS\\*, "*:\\Program Files\\*", "*:\\Program Files (x86)\\*") | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_query_registry_browser_list_application_filter`' diff --git a/detections/endpoint/windows_user_execution_malicious_url_shortcut_file.yml b/detections/endpoint/windows_user_execution_malicious_url_shortcut_file.yml index 65a41a6789..c1f8e63216 100644 --- a/detections/endpoint/windows_user_execution_malicious_url_shortcut_file.yml +++ b/detections/endpoint/windows_user_execution_malicious_url_shortcut_file.yml 
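Review bot: In the new `process_path IN (...)` list the entry `*:\\Windows\\WinSxS\\*` is unquoted while every other entry is a double-quoted string, so its backslash escapes and the `:` are not parsed like its neighbours and it may either fail to parse or never match; suggest `"*:\\Windows\\SysWow64\\*", "*:\\Windows\\WinSxS\\*", "*:\\Program Files\\*", "*:\\Program Files (x86)\\*"`. The same changed line still lists `"*\\SOFTWARE\\Clients\\StartMenuInternet\\*"` twice in the `object_file_path IN (...)` clause, and the duplicate can be dropped. Removing the broad `"*:\\Windows\\*"` exclusion is a deliberate widening, but this patch adds no hunk for this file's `version`/`date` header, so the logic change is not versioned.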
@@ -1,27 +1,20 @@ name: Windows User Execution Malicious URL Shortcut File id: 5c7ee6ad-baf4-44fb-b2f0-0cfeddf82dbc version: 6 -date: '2025-02-10' -author: Teoderick Contreras, Splunk +date: '2025-03-03' +author: Teoderick Contreras, Nasreddine Bencherchali, Splunk status: production -type: TTP -description: The following analytic detects the creation of suspicious URL shortcut - link files, often used by malware like CHAOS ransomware. It leverages the Endpoint.Filesystem - datamodel to identify .url files created outside standard directories, such as Program - Files. This activity is significant as it may indicate an attempt to execute malicious - code upon system reboot. If confirmed malicious, this could allow an attacker to - achieve persistence and execute harmful payloads, potentially leading to further - system compromise and data loss. +type: Anomaly +description: The following analytic detects the creation URL shortcut files, often used by malware like CHAOS ransomware. + It leverages the Endpoint.Filesystem datamodel to identify ".url" files created outside common directories, such as "Program Files". + This activity can be significant as ".URL" files can be used as mean to trick the user into visiting certain websites unknowingly, or when placed in certain locations such as "\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", it may allow the execution of malicious code upon system reboot. If confirmed malicious, this could allow an attacker to achieve persistence and execute harmful payloads, potentially leading to further system compromise and data loss. 
data_source: - Sysmon EventID 11 search: '|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Filesystem where NOT(Filesystem.file_path IN - ("*\\Program Files*")) Filesystem.file_name = *.url by Filesystem.action Filesystem.dest - Filesystem.file_access_time Filesystem.file_create_time Filesystem.file_hash Filesystem.file_modify_time - Filesystem.file_name Filesystem.file_path Filesystem.file_acl Filesystem.file_size - Filesystem.process_guid Filesystem.process_id Filesystem.user Filesystem.vendor_product - | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `windows_user_execution_malicious_url_shortcut_file_filter`' + as lastTime from datamodel=Endpoint.Filesystem where NOT Filesystem.file_path IN + ("*:\\Program Files\\*", "*:\\Program Files (x86)\\*", "*\\AppData\\Roaming\\Microsoft\\Office\\Recent\\*", "*:\\Windows\\WinSxS\\*") Filesystem.file_name=*.url by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.user Filesystem.file_path + Filesystem.process_guid Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_user_execution_malicious_url_shortcut_file_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. @@ -45,14 +38,14 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: a process created URL shortcut file in $file_path$ of $dest$ + message: A process created a .URL shortcut file in $file_path$ of $dest$ risk_objects: - field: user type: user - score: 64 + score: 50 - field: dest type: system - score: 64 + score: 50 threat_objects: [] tags: analytic_story: 
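Review bot: The rewritten `description` has grammatical slips on its new lines: "detects the creation URL shortcut files" is missing "of", and "used as mean to trick" should read "used as a means to trick". Suggest `description: The following analytic detects the creation of URL shortcut files, often used by malware like CHAOS ransomware.` and `This activity can be significant as ".URL" files can be used as a means to trick the user into visiting certain websites unknowingly`. The Startup-folder example is written with doubled backslashes inside a plain YAML scalar, where `\\` is not an escape sequence, so the rendered prose will literally show `\\AppData\\Roaming\\...`; single backslashes read better there (the doubling is only needed inside the single-quoted SPL `search:` value).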
diff --git a/detections/network/protocols_passing_authentication_in_cleartext.yml b/detections/network/protocols_passing_authentication_in_cleartext.yml index ba3d3d5577..33cf2063ad 100644 --- a/detections/network/protocols_passing_authentication_in_cleartext.yml +++ b/detections/network/protocols_passing_authentication_in_cleartext.yml @@ -1,10 +1,10 @@ name: Protocols passing authentication in cleartext id: 6923cd64-17a0-453c-b945-81ac2d8c6db9 -version: 6 -date: '2024-11-15' +version: 7 +date: '2025-03-03' author: Rico Valdez, Splunk status: experimental -type: TTP +type: Anomaly description: The following analytic identifies the use of cleartext protocols that risk leaking sensitive information. It detects network traffic on legacy protocols such as Telnet (port 23), POP3 (port 110), IMAP (port 143), and non-anonymous FTP @@ -25,8 +25,7 @@ how_to_implement: This search requires you to be ingesting your network traffic, populating the Network_Traffic data model. For more accurate result it's better to limit destination to organization private and public IP range, like All_Traffic.dest IN(192.168.0.0/16,172.16.0.0/12,10.0.0.0/8, x.x.x.x/22) -known_false_positives: Some networks may use kerberized FTP or telnet servers, however, - this is rare. +known_false_positives: Some networks may use kerberos, FTP or telnet servers, however, this is rare. references: - https://www.rackaid.com/blog/secure-your-email-and-file-transfers/ - https://www.infosecmatter.com/capture-passwords-using-wireshark/ From 4aa6e92c3b3e76817eb14ed4e369473cbdf6a597 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali Date: Mon, 3 Mar 2025 20:15:54 +0100 Subject: [PATCH 02/11] Update check_elevated_cmd_using_whoami.yml --- detections/endpoint/check_elevated_cmd_using_whoami.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/endpoint/check_elevated_cmd_using_whoami.yml b/detections/endpoint/check_elevated_cmd_using_whoami.yml index 0ac703695c..8270863d7e 100644 
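Review bot: The reworded `known_false_positives` in the second hunk changes its meaning: "kerberized FTP or telnet servers" described FTP/Telnet services that authenticate with Kerberos and therefore do not send credentials in the clear, which is precisely the false positive this detection has, whereas "kerberos, FTP or telnet servers" reads as three unrelated server types and ends up claiming that FTP or telnet servers are rare. Suggest keeping the original sense on one line: `known_false_positives: Some networks may use Kerberos-authenticated (kerberized) FTP or telnet servers, however, this is rare.`.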
--- a/detections/endpoint/check_elevated_cmd_using_whoami.yml
+++ b/detections/endpoint/check_elevated_cmd_using_whoami.yml
@@ -1,7 +1,7 @@
 name: Check Elevated CMD using whoami
 id: a9079b18-1633-11ec-859c-acde48001122
 version: 6
-date: '2024-11-13'
+date: '2025-03-03'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
From 629bc01aaed79944d349ec639c76c501964d6517 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali
Date: Thu, 24 Apr 2025 18:23:55 +0200
Subject: [PATCH 03/11] update output and nirsoft tools
---
 .../endpoint/chcp_command_execution.yml | 13 ++-
 .../detection_of_tools_built_by_nirsoft.yml | 8 +-
 ...rocesses_run_from_unexpected_locations.yml | 18 ++--
 .../windows_file_download_via_certutil.yml | 12 ++-
 ...ows_process_with_namedpipe_commandline.yml | 14 +--
 ..._execution_malicious_url_shortcut_file.yml | 16 +++-
 lookups/is_nirsoft_software.csv | 95 ++++++++++++++++++-
 lookups/is_nirsoft_software.yml | 4 +-
 8 files changed, 150 insertions(+), 30 deletions(-)
diff --git a/detections/endpoint/chcp_command_execution.yml b/detections/endpoint/chcp_command_execution.yml
index dd4ccea74b..1532d3e1fd 100644
--- a/detections/endpoint/chcp_command_execution.yml
+++ b/detections/endpoint/chcp_command_execution.yml
@@ -1,7 +1,7 @@
 name: CHCP Command Execution
 id: 21d236ec-eec1-11eb-b23e-acde48001122
-version: 6
-date: '2025-02-28'
+version: 7
+date: '2025-04-24'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -17,9 +17,12 @@ data_source: - CrowdStrike ProcessRollup2 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=chcp.com - by Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process - Processes.process_id Processes.parent_process_id Processes.dest Processes.user | - `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + by Processes.action Processes.dest Processes.original_file_name Processes.parent_process + Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id + Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec + Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level + Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `chcp_command_execution_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related diff --git a/detections/endpoint/detection_of_tools_built_by_nirsoft.yml b/detections/endpoint/detection_of_tools_built_by_nirsoft.yml index 945bb2a461..ea14e18c85 100644 --- a/detections/endpoint/detection_of_tools_built_by_nirsoft.yml +++ b/detections/endpoint/detection_of_tools_built_by_nirsoft.yml 
@@ -1,10 +1,10 @@ name: Detection of tools built by NirSoft id: 3d8d201c-aa03-422d-b0ee-2e5ecf9718c0 version: 7 -date: '2024-11-13' +date: '2025-02-20' author: Bhavin Patel, Splunk status: experimental -type: TTP +type: Anomaly description: The following analytic identifies the execution of tools built by NirSoft by detecting specific command-line arguments such as "/stext" and "/scomma". It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process @@ -37,10 +37,10 @@ how_to_implement: The detection is based on data that originates from Endpoint D data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: While legitimate, these NirSoft tools are prone to abuse. You - should verfiy that the tool was used for a legitimate purpose. + should verify that the tool was used for a legitimate purpose. references: [] rba: - message: NirSoft tools detected on $dest$ + message: NirSoft tool detected on $dest$ risk_objects: - field: user type: user diff --git a/detections/endpoint/system_processes_run_from_unexpected_locations.yml b/detections/endpoint/system_processes_run_from_unexpected_locations.yml index 847a6a5e8c..6b5ceb288a 100644 --- a/detections/endpoint/system_processes_run_from_unexpected_locations.yml +++ b/detections/endpoint/system_processes_run_from_unexpected_locations.yml @@ -1,7 +1,7 @@ name: System Processes Run From Unexpected Locations id: a34aae96-ccf8-4aef-952c-3ea21444444d -version: 11 -date: '2025-03-03' +version: 12 +date: '2025-04-24' author: David Dorsey, Michael Haag, Nasreddine Bencherchali, Splunk status: production type: Anomaly 
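Review bot: The first hunk sets this file's `date` to '2025-02-20', earlier than the '2025-04-24' used for the other files in this commit (authored 24 Apr 2025), and leaves `version: 7` unchanged although `type` moves from TTP to Anomaly; if the repository treats the version/date pair as the marker that a detection changed, this one will look untouched. Unless the backdating is intentional, suggest `version: 8` together with `date: '2025-04-24'`. The second hunk (typo fix and singular "NirSoft tool" in the RBA message) is fine as is.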
@@ -17,10 +17,16 @@ data_source:
 - Windows Event Log Security 4688
 - CrowdStrike ProcessRollup2
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
-  as lastTime FROM datamodel=Endpoint.Processes where NOT Processes.process_path IN ("C:\\$WINDOWS.~BT\\*", "C:\\$WinREAgent\\*", "C:\\Windows\\SoftwareDistribution\\*", "C:\\Windows\\System32\\*", "C:\\Windows\\SystemTemp\\*", "C:\\Windows\\SysWOW64\\*", "C:\\Windows\\uus\\*", "C:\\Windows\\WinSxS\\*") by Processes.dest Processes.user
-  Processes.parent_process Processes.process_path Processes.process_name Processes.process
-  Processes.process_id Processes.parent_process_id Processes.process_hash | `drop_dm_object_name("Processes")`
-  | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `is_windows_system_file_macro`
+  as lastTime FROM datamodel=Endpoint.Processes where NOT Processes.process_path IN ("C:\\$WINDOWS.~BT\\*", "C:\\$WinREAgent\\*", "C:\\Windows\\SoftwareDistribution\\*", "C:\\Windows\\System32\\*", "C:\\Windows\\SystemTemp\\*", "C:\\Windows\\SysWOW64\\*", "C:\\Windows\\uus\\*", "C:\\Windows\\WinSxS\\*") by Processes.action Processes.dest
+  Processes.original_file_name Processes.parent_process Processes.parent_process_exec
+  Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name
+  Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid
+  Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name
+  Processes.process_path Processes.user Processes.user_id Processes.vendor_product
+  | `drop_dm_object_name("Processes")`
+  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)`
+  | `is_windows_system_file_macro`
   | `system_processes_run_from_unexpected_locations_filter`'
 how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents.
   These agents are designed to provide security-related
diff --git a/detections/endpoint/windows_file_download_via_certutil.yml b/detections/endpoint/windows_file_download_via_certutil.yml
index 90640fc8f2..3bb8b31ab1 100644
--- a/detections/endpoint/windows_file_download_via_certutil.yml
+++ b/detections/endpoint/windows_file_download_via_certutil.yml
@@ -11,7 +11,17 @@ data_source:
 - Windows Event Log Security 4688
 - CrowdStrike ProcessRollup2
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
-  as lastTime from datamodel=Endpoint.Processes where `process_certutil` AND ((Processes.process IN ("*-URL *", "*/URL *")) OR (Processes.process IN ("*urlcache*", "*verifyctl*") AND Processes.process IN ("*/f *", "*-f *"))) by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_file_download_via_certutil_filter`'
+  as lastTime from datamodel=Endpoint.Processes where `process_certutil` AND ((Processes.process IN ("*-URL *", "*/URL *")) OR (Processes.process IN ("*urlcache*", "*verifyctl*") AND Processes.process IN ("*/f *", "*-f *")))
+  by Processes.action Processes.dest
+  Processes.original_file_name Processes.parent_process Processes.parent_process_exec
+  Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name
+  Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid
+  Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name
+  Processes.process_path Processes.user Processes.user_id Processes.vendor_product
+  | `drop_dm_object_name(Processes)`
+  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)`
+  | `windows_file_download_via_certutil_filter`'
 how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search,
diff --git a/detections/endpoint/windows_process_with_namedpipe_commandline.yml b/detections/endpoint/windows_process_with_namedpipe_commandline.yml
index 9999d9c1d6..4f2630f753 100644
--- a/detections/endpoint/windows_process_with_namedpipe_commandline.yml
+++ b/detections/endpoint/windows_process_with_namedpipe_commandline.yml
@@ -1,7 +1,7 @@
 name: Windows Process With NamedPipe CommandLine
 id: e64399d4-94a8-11ec-a9da-acde48001122
-version: 5
-date: '2025-03-03'
+version: 6
+date: '2025-04-24'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -19,10 +19,12 @@ data_source:
 - CrowdStrike ProcessRollup2
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
   as lastTime from datamodel=Endpoint.Processes where Processes.process = "*\\\\.\\pipe\\*"
-  NOT Processes.process_path IN ("C:\\Program Files\\*", "C:\\Program Files (x86)\\*") by Processes.parent_process_name
-  Processes.parent_process Processes.process_name Processes.process Processes.original_file_name
-  Processes.process_id Processes.parent_process_path Processes.process_guid Processes.parent_process_id
-  Processes.dest Processes.user Processes.process_path | `drop_dm_object_name(Processes)`
+  NOT Processes.process_path IN ("C:\\Program Files\\*", "C:\\Program Files (x86)\\*") by Processes.action Processes.dest
+  Processes.original_file_name Processes.parent_process Processes.parent_process_exec
+  Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name
+  Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid
+  Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name
+  Processes.process_path Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)`
   | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_with_namedpipe_commandline_filter`'
 how_to_implement: The detection is based on data that originates from Endpoint Detection
   and Response (EDR) agents. These agents are designed to provide security-related
diff --git a/detections/endpoint/windows_user_execution_malicious_url_shortcut_file.yml b/detections/endpoint/windows_user_execution_malicious_url_shortcut_file.yml
index c1f8e63216..d4ebca8efb 100644
--- a/detections/endpoint/windows_user_execution_malicious_url_shortcut_file.yml
+++ b/detections/endpoint/windows_user_execution_malicious_url_shortcut_file.yml
@@ -1,7 +1,7 @@
 name: Windows User Execution Malicious URL Shortcut File
 id: 5c7ee6ad-baf4-44fb-b2f0-0cfeddf82dbc
-version: 6
-date: '2025-03-03'
+version: 7
+date: '2025-04-24'
 author: Teoderick Contreras, Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -12,9 +12,15 @@ data_source:
 - Sysmon EventID 11
 search: '|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
   as lastTime from datamodel=Endpoint.Filesystem where NOT Filesystem.file_path IN
-  ("*:\\Program Files\\*", "*:\\Program Files (x86)\\*", "*\\AppData\\Roaming\\Microsoft\\Office\\Recent\\*", "*:\\Windows\\WinSxS\\*") Filesystem.file_name=*.url by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.user Filesystem.file_path
-  Filesystem.process_guid Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)`
-  | `security_content_ctime(lastTime)` | `windows_user_execution_malicious_url_shortcut_file_filter`'
+  ("*:\\Program Files\\*", "*:\\Program Files (x86)\\*", "*\\AppData\\Roaming\\Microsoft\\Office\\Recent\\*", "*:\\Windows\\WinSxS\\*") Filesystem.file_name=*.url
+  by Filesystem.action Filesystem.dest
+  Filesystem.file_access_time Filesystem.file_create_time Filesystem.file_hash Filesystem.file_modify_time
+  Filesystem.file_name Filesystem.file_path Filesystem.file_acl Filesystem.file_size
+  Filesystem.process_guid Filesystem.process_id Filesystem.user Filesystem.vendor_product
+  | `drop_dm_object_name(Filesystem)`
+  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)`
+  | `windows_user_execution_malicious_url_shortcut_file_filter`'
 how_to_implement: To successfully implement this search you need to be ingesting information
   on process that include the name of the Filesystem responsible for the changes from
   your endpoints into the `Endpoint` datamodel in the `Filesystem` node.
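Review bot: `Filesystem.file_acl` in the new `by` clause is placed between `file_path` and `file_size`, which breaks the alphabetical order the rest of this list and the Processes field lists in the other hunks of this commit follow. Moving it to `Filesystem.file_access_time Filesystem.file_acl Filesystem.file_create_time ...` keeps the lists mechanically comparable, which is what makes these bulk field rewrites reviewable at all. Cosmetic, but cheap to fix while the file is being touched.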
diff --git a/lookups/is_nirsoft_software.csv b/lookups/is_nirsoft_software.csv
index 8e2ad32430..c1bbedf957 100644
--- a/lookups/is_nirsoft_software.csv
+++ b/lookups/is_nirsoft_software.csv
@@ -1,15 +1,108 @@
 filename,nirsoftFile
 AdvancedRun.exe,True
+awatch.exe,True
+BrowsingHistoryView.exe,True
+BulletsPassView.exe,True
+ChromeCacheView.exe,True
+ChromeHistoryView.exe,True
 ChromePass.exe,True
+cports.exe,True
+CredentialsFileView.exe,True
 CredHistView.exe,True
+DataProtectionDecryptor.exe,True
+DeviceIOView.exe,True
 Dialupass.exe,True
+dllexp.exe,True
+DNSDataView.exe,True
+DNSQuerySniffer.exe,True
+DotNetResourcesExtract.exe,True
+DownTester.exe,True
+DriverView.exe,True
+EncryptedRegView.exe,True
+ESEDatabaseView.exe,True
+EventLogChannelsView.exe,True
+FastResolver.exe,True
+faview.exe,True
+FBCacheView.exe,True
+FileTypesMan.exe,True
+FirefoxDownloadsView.exe,True
+FlashCookiesView.exe,True
+FolderChangesView.exe,True
+FolderTimeUpdate.exe,True
+FullEventLogView.exe,True
+gacview.exe,True
+GDIView.exe,True
+HeapMemView.exe,True
+HTTPNetworkSniffer.exe,True
+IECacheView.exe,True
+iecv.exe,True
+iehv.exe,True
 iepv.exe,True
+ImageCacheViewer.exe,True
+InstalledPackagesView.exe,True
+IPNetInfo.exe,True
+LastActivityView.exe,True
 LostMyPassword.exe,True
 mailpv.exe,True
+MozillaCacheView.exe,True
+MozillaHistoryView.exe,True
 mspass.exe,True
+MyLastSearch.exe,True
+mzcv.exe,True
+NetBScanner.exe,True
+NetConnectChoose.exe,True
 netpass.exe,True
+NetResView.exe,True
+NetRouteView.exe,True
+NetworkLatencyView.exe,True
+NetworkTrafficView.exe,True
+OpenedFilesView.exe,True
+OperaCacheView.exe,True
 PasswordFox.exe,True
 PasswordHashesView.exe,True
+PingInfoView.exe,True
+ProcessActivityView.exe,True
+ProcessThreadsView.exe,True
+ProduKey.exe,True
 PstPassword.exe,True
+QuickSetDNS.exe,True
+RegDllView.exe,True
+RegFromApp.exe,True
 RegHiveBackup.exe,True
-WebBrowserPassView.exe,True
\ No newline at end of file
+RegScanner.exe,True
+ResourcesExtract.exe,True
+RouterPassView.exe,True
+RunAsDate.exe,True
+SafariCacheView.exe,True
+SafariHistoryView.exe,True
+SearchMyFiles.exe,True
+shexview.exe,True
+shmnview.exe,True
+SimpleProgramDebugger.exe,True
+SiteShoter.exe,True
+smsniff.exe,True
+SniffPass.exe,True
+SocketSniff.exe,True
+SpecialFoldersView.exe,True
+sysexp.exe,True
+TaskSchedulerView.exe,True
+TcpLogView.exe,True
+TurnedOnTimesView.exe,True
+UninstallView.exe,True
+URLProtocolView.exe,True
+USBDeview.exe,True
+VaultPasswordView.exe,True
+volumouse.exe,True
+WebBrowserPassView.exe,True
+WebCacheImageInfo.exe,True
+WebCookiesSniffer.exe,True
+WebSiteSniffer.exe,True
+WhatIsHang.exe,True
+WhoisTD.exe,True
+WifiChannelMonitor.exe,True
+WifiInfoView.exe,True
+WinCrashReport.exe,True
+WinLogOnView.exe,True
+WirelessKeyView.exe,True
+WirelessNetView.exe,True
+WNetWatcher.exe,True
\ No newline at end of file
diff --git a/lookups/is_nirsoft_software.yml b/lookups/is_nirsoft_software.yml
index 12337fbbca..8adb625a12 100644
--- a/lookups/is_nirsoft_software.yml
+++ b/lookups/is_nirsoft_software.yml
@@ -1,6 +1,6 @@
 name: is_nirsoft_software
-date: 2024-12-23
-version: 2
+date: 2025-04-24
+version: 3
 id: 28966a08-55e4-4ccb-a20d-dc4cc154b09c
 author: Splunk Threat Research Team
 lookup_type: csv
From 5676c6691c5595f07b70fa05b8d19b1473d8c1d9 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali
Date: Thu, 24 Apr 2025 18:36:06 +0200
Subject: [PATCH 04/11] Update deprecation_mapping.YML

---
 removed/deprecation_mapping.YML | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/removed/deprecation_mapping.YML b/removed/deprecation_mapping.YML
index 99e8eb5874..58fe777c18 100644
--- a/removed/deprecation_mapping.YML
+++ b/removed/deprecation_mapping.YML
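Review bot: The new rows mix lower-case and mixed-case file names (`cports.exe`, `iecv.exe`, `dllexp.exe` next to `ChromeCacheView.exe`), and a Splunk CSV lookup matches case-sensitively unless its definition sets `case_sensitive_match` to false, so a process name that the EDR source reports in a different case than the row would simply not match. Either normalize the `filename` column to one case and lower-case the field in the consuming search before the lookup, or confirm that the `is_nirsoft_software` lookup definition disables case-sensitive matching. The file also still ends without a trailing newline (`\ No newline at end of file` on both sides of this hunk), so the next append will again show up as a remove-and-re-add of the last row.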
@@ -1030,4 +1030,13 @@ stories:
       - Suspicious Cloud Instance Activities
   - content: Web Fraud Detection
     removed_in_version: 5.2.0
-    reason: Analytic Story deprecated as it no longer effectively identifies the intended malicious activity
\ No newline at end of file
+    reason: Analytic Story deprecated as it no longer effectively identifies the intended malicious activity
+  - content: CertUtil Download With URLCache and Split Arguments
+    removed_in_version: 5.4.0
+    reason: Detection deprecated in favor of "Windows CertUtil Download", in order to provide a better experience of the alert
+  - content: Windows CertUtil Download With URL Argument
+    removed_in_version: 5.4.0
+    reason: Detection deprecated in favor of "Windows CertUtil Download", in order to provide a better experience of the alert
+  - content: CertUtil Download With VerifyCtl and Split Arguments
+    removed_in_version: 5.4.0
+    reason: Detection deprecated in favor of "Windows CertUtil Download", in order to provide a better experience of the alert
From 194d99c6558fec17b0f9e02137d743bed705b897 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali
Date: Thu, 24 Apr 2025 18:55:29 +0200
Subject: [PATCH 05/11] Update deprecation_mapping.YML

---
 removed/deprecation_mapping.YML | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/removed/deprecation_mapping.YML b/removed/deprecation_mapping.YML
index 58fe777c18..4f83ba2393 100644
--- a/removed/deprecation_mapping.YML
+++ b/removed/deprecation_mapping.YML
@@ -759,6 +759,16 @@ detections:
   - content: Excel Spawning Windows Script Host
     removed_in_version: 5.2.0
     reason: Detection deprecated as it no longer effectively identifies the intended malicious activity
+  - content: CertUtil Download With URLCache and Split Arguments
+    removed_in_version: 5.4.0
+    reason: Detection deprecated in favor of "Windows CertUtil Download", in order to provide a better experience of the alert
+  - content: Windows CertUtil Download With URL Argument
+    removed_in_version: 5.4.0
+    reason: Detection deprecated in favor of "Windows CertUtil Download", in order to provide a better experience of the alert
+  - content: CertUtil Download With VerifyCtl and Split Arguments
+    removed_in_version: 5.4.0
+    reason: Detection deprecated in favor of "Windows CertUtil Download", in order to provide a better experience of the alert
+
 baselines:
   - content: Previously Seen AWS Cross Account Activity
     removed_in_version: 5.4.0
@@ -1031,12 +1041,3 @@ stories:
   - content: Web Fraud Detection
     removed_in_version: 5.2.0
     reason: Analytic Story deprecated as it no longer effectively identifies the intended malicious activity
-  - content: CertUtil Download With URLCache and Split Arguments
-    removed_in_version: 5.4.0
-    reason: Detection deprecated in favor of "Windows CertUtil Download", in order to provide a better experience of the alert
-  - content: Windows CertUtil Download With URL Argument
-    removed_in_version: 5.4.0
-    reason: Detection deprecated in favor of "Windows CertUtil Download", in order to provide a better experience of the alert
-  - content: CertUtil Download With VerifyCtl and Split Arguments
-    removed_in_version: 5.4.0
-    reason: Detection deprecated in favor of "Windows CertUtil Download", in order to provide a better experience of the alert
From 75cb7af28dc7c8e64af3f5e4554041885241ab76 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali
Date: Thu, 24 Apr 2025 19:14:31 +0200
Subject: [PATCH 06/11] Update deprecation_mapping.YML

---
 removed/deprecation_mapping.YML | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/removed/deprecation_mapping.YML b/removed/deprecation_mapping.YML
index 4f83ba2393..4d44357540 100644
--- a/removed/deprecation_mapping.YML
+++ b/removed/deprecation_mapping.YML
@@ -762,12 +762,18 @@ detections:
   - content: CertUtil Download With URLCache and Split Arguments
     removed_in_version: 5.4.0
     reason: Detection deprecated in favor of "Windows CertUtil Download", in order to provide a better experience of the alert
+    replacement_content:
+      - Windows CertUtil Download
   - content: Windows CertUtil Download With URL Argument
     removed_in_version: 5.4.0
     reason: Detection deprecated in favor of "Windows CertUtil Download", in order to provide a better experience of the alert
+    replacement_content:
+      - Windows CertUtil Download
   - content: CertUtil Download With VerifyCtl and Split Arguments
     removed_in_version: 5.4.0
     reason: Detection deprecated in favor of "Windows CertUtil Download", in order to provide a better experience of the alert
+    replacement_content:
+      - Windows CertUtil Download
 
 baselines:
   - content: Previously Seen AWS Cross Account Activity
From ce07cb9ded8438b7ff54750174084707d6951abb Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali
Date: Thu, 24 Apr 2025 19:40:31 +0200
Subject: [PATCH 07/11] Update deprecation_mapping.YML

---
 removed/deprecation_mapping.YML | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/removed/deprecation_mapping.YML b/removed/deprecation_mapping.YML
index 4d44357540..b53518fedf 100644
--- a/removed/deprecation_mapping.YML
+++ b/removed/deprecation_mapping.YML
@@ -760,21 +760,20 @@ detections:
     removed_in_version: 5.2.0
     reason: Detection deprecated as it no longer effectively identifies the intended malicious activity
   - content: CertUtil Download With URLCache and Split Arguments
-    removed_in_version: 5.4.0
+    removed_in_version: 5.6.0
     reason: Detection deprecated in favor of "Windows CertUtil Download", in order to provide a better experience of the alert
     replacement_content:
       - Windows CertUtil Download
   - content: Windows CertUtil Download With URL Argument
-    removed_in_version: 5.4.0
+    removed_in_version: 5.6.0
     reason: Detection deprecated in favor of "Windows CertUtil Download", in order to provide a better experience of the alert
     replacement_content:
       - Windows CertUtil Download
   - content: CertUtil Download With VerifyCtl and Split Arguments
-    removed_in_version: 5.4.0
+    removed_in_version: 5.6.0
     reason: Detection deprecated in favor of "Windows CertUtil Download", in order to provide a better experience of the alert
     replacement_content:
       - Windows CertUtil Download
-
 baselines:
   - content: Previously Seen AWS Cross Account Activity
     removed_in_version: 5.4.0
From 44b110d9e68c5b9bfc4807089002fd955b484938 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali
Date: Thu, 24 Apr 2025 19:43:37 +0200
Subject: [PATCH 08/11] update date and deprecation replacement

---
 .../windows_file_download_via_certutil.yml | 2 +-
 removed/deprecation_mapping.YML | 14 +++++++-------
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/detections/endpoint/windows_file_download_via_certutil.yml b/detections/endpoint/windows_file_download_via_certutil.yml
index 3bb8b31ab1..bf5000df1e 100644
--- a/detections/endpoint/windows_file_download_via_certutil.yml
+++ b/detections/endpoint/windows_file_download_via_certutil.yml
@@ -1,7 +1,7 @@
 name: Windows File Download Via CertUtil
 id: 7fac8d40-e370-45ea-a4a3-031bbcc18b02
 version: 1
-date: '2025-03-03'
+date: '2025-04-24'
 author: Nasreddine Bencherchali, Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/removed/deprecation_mapping.YML b/removed/deprecation_mapping.YML
index b53518fedf..fbad64ef86 100644
--- a/removed/deprecation_mapping.YML
+++ b/removed/deprecation_mapping.YML
@@ -761,19 +761,19 @@ detections:
     reason: Detection deprecated as it no longer effectively identifies the intended malicious activity
   - content: CertUtil Download With URLCache and Split Arguments
     removed_in_version: 5.6.0
-    reason: Detection deprecated in favor of "Windows CertUtil Download", in order to provide a better experience of the alert
+    reason: Detection deprecated in favor of "Windows File Download Via CertUtil", in order to provide a better experience of the alert
     replacement_content:
-      - Windows CertUtil Download
-  - content: Windows CertUtil Download With URL Argument
+      - Windows File Download Via CertUtil
+  - content: Windows File Download Via CertUtil With URL Argument
     removed_in_version: 5.6.0
-    reason: Detection deprecated in favor of "Windows CertUtil Download", in order to provide a better experience of the alert
+    reason: Detection deprecated in favor of "Windows File Download Via CertUtil", in order to provide a better experience of the alert
     replacement_content:
-      - Windows CertUtil Download
+      - Windows File Download Via CertUtil
   - content: CertUtil Download With VerifyCtl and Split Arguments
     removed_in_version: 5.6.0
-    reason: Detection deprecated in favor of "Windows CertUtil Download", in order to provide a better experience of the alert
+    reason: Detection deprecated in favor of "Windows File Download Via CertUtil", in order to provide a better experience of the alert
     replacement_content:
-      - Windows CertUtil Download
+      - Windows File Download Via CertUtil
 baselines:
   - content: Previously Seen AWS Cross Account Activity
     removed_in_version: 5.4.0
From eb99c36454f1c7c7245214b406ace9c315f95d02 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali
Date: Thu, 24 Apr 2025 19:48:12 +0200
Subject: [PATCH 09/11] Update deprecation_mapping.YML

---
 removed/deprecation_mapping.YML | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/removed/deprecation_mapping.YML b/removed/deprecation_mapping.YML
index fbad64ef86..dac753de15 100644
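Review bot: The `replacement_content` value now matches the `name:` of the new analytic, but the three deprecated analytics also carry their own `description:` text naming the replacement, and nothing in these hunks touches it; if that text still reads "Windows CertUtil Download", a user following the deprecation notice will search for an analytic that does not exist. Worth grepping `detections/deprecated/` for the old name before merge so the mapping and the file descriptions agree. The corrected replacement name is also repeated verbatim in three `reason:` strings here; if contentctl renders `replacement_content` into the deprecation notice, the `reason:` could drop the quoted name and stop drifting from it.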
--- a/removed/deprecation_mapping.YML
+++ b/removed/deprecation_mapping.YML
@@ -764,7 +764,7 @@ detections:
     reason: Detection deprecated in favor of "Windows File Download Via CertUtil", in order to provide a better experience of the alert
     replacement_content:
       - Windows File Download Via CertUtil
-  - content: Windows File Download Via CertUtil With URL Argument
+  - content: Windows CertUtil Download With URL Argument
     removed_in_version: 5.6.0
     reason: Detection deprecated in favor of "Windows File Download Via CertUtil", in order to provide a better experience of the alert
     replacement_content:
From 1dc4f1c45a0752d61786572ec2ad9aa9dbfb7d2c Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali
Date: Thu, 24 Apr 2025 19:53:19 +0200
Subject: [PATCH 10/11] bump versions

---
 .../certutil_download_with_urlcache_and_split_arguments.yml | 4 ++--
 .../certutil_download_with_verifyctl_and_split_arguments.yml | 4 ++--
 .../windows_certutil_download_with_url_argument.yml | 4 ++--
 detections/endpoint/check_elevated_cmd_using_whoami.yml | 4 ++--
 detections/endpoint/detection_of_tools_built_by_nirsoft.yml | 4 ++--
 .../windows_query_registry_browser_list_application.yml | 4 ++--
 6 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/detections/deprecated/certutil_download_with_urlcache_and_split_arguments.yml b/detections/deprecated/certutil_download_with_urlcache_and_split_arguments.yml
index 7c2519c3b0..5faea2cb93 100644
--- a/detections/deprecated/certutil_download_with_urlcache_and_split_arguments.yml
+++ b/detections/deprecated/certutil_download_with_urlcache_and_split_arguments.yml
@@ -1,7 +1,7 @@
 name: CertUtil Download With URLCache and Split Arguments
 id: 415b4306-8bfb-11eb-85c4-acde48001122
-version: 12
-date: '2025-04-16'
+version: 13
+date: '2025-04-24'
 author: Michael Haag, Splunk
 status: deprecated
 type: TTP
diff --git a/detections/deprecated/certutil_download_with_verifyctl_and_split_arguments.yml b/detections/deprecated/certutil_download_with_verifyctl_and_split_arguments.yml
index d93f16be39..aae4d4ca8b 100644
--- a/detections/deprecated/certutil_download_with_verifyctl_and_split_arguments.yml
+++ b/detections/deprecated/certutil_download_with_verifyctl_and_split_arguments.yml
@@ -1,7 +1,7 @@
 name: CertUtil Download With VerifyCtl and Split Arguments
 id: 801ad9e4-8bfb-11eb-8b31-acde48001122
-version: 12
-date: '2025-04-16'
+version: 13
+date: '2025-04-24'
 author: Michael Haag, Splunk
 status: deprecated
 type: TTP
diff --git a/detections/deprecated/windows_certutil_download_with_url_argument.yml b/detections/deprecated/windows_certutil_download_with_url_argument.yml
index d0b2b97673..73b11d501f 100644
--- a/detections/deprecated/windows_certutil_download_with_url_argument.yml
+++ b/detections/deprecated/windows_certutil_download_with_url_argument.yml
@@ -1,7 +1,7 @@
 name: Windows CertUtil Download With URL Argument
 id: 4fc5ca00-4c7c-46b3-8772-c98a4b8bd944
-version: 5
-date: '2025-04-16'
+version: 6
+date: '2025-04-24'
 author: Nasreddine Bencherchali, Splunk
 status: deprecated
 type: TTP
diff --git a/detections/endpoint/check_elevated_cmd_using_whoami.yml b/detections/endpoint/check_elevated_cmd_using_whoami.yml
index 8270863d7e..692218967c 100644
--- a/detections/endpoint/check_elevated_cmd_using_whoami.yml
+++ b/detections/endpoint/check_elevated_cmd_using_whoami.yml
@@ -1,7 +1,7 @@
 name: Check Elevated CMD using whoami
 id: a9079b18-1633-11ec-859c-acde48001122
-version: 6
-date: '2025-03-03'
+version: 7
+date: '2025-04-24'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/detection_of_tools_built_by_nirsoft.yml b/detections/endpoint/detection_of_tools_built_by_nirsoft.yml
index ea14e18c85..2a0e7986d7 100644
--- a/detections/endpoint/detection_of_tools_built_by_nirsoft.yml
+++ b/detections/endpoint/detection_of_tools_built_by_nirsoft.yml
@@ -1,7 +1,7 @@
 name: Detection of tools built by NirSoft
 id: 3d8d201c-aa03-422d-b0ee-2e5ecf9718c0
-version: 7
-date: '2025-02-20'
+version: 8
+date: '2025-04-24'
 author: Bhavin Patel, Splunk
 status: experimental
 type: Anomaly
diff --git a/detections/endpoint/windows_query_registry_browser_list_application.yml b/detections/endpoint/windows_query_registry_browser_list_application.yml
index 3f5f4af6bd..77d905faa0 100644
--- a/detections/endpoint/windows_query_registry_browser_list_application.yml
+++ b/detections/endpoint/windows_query_registry_browser_list_application.yml
@@ -1,7 +1,7 @@
 name: Windows Query Registry Browser List Application
 id: 45ebd21c-f4bf-4ced-bd49-d25b6526cebb
-version: '6'
-date: '2025-03-19'
+version: 7
+date: '2025-04-24'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
From a7f0e38586e9c11282ddf3003a8f4298e272c582 Mon Sep 17 00:00:00 2001
From: Bhavin Patel
Date: Thu, 1 May 2025 11:33:07 -0700
Subject: [PATCH 11/11] updating removed in version

---
 removed/deprecation_mapping.YML | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/removed/deprecation_mapping.YML b/removed/deprecation_mapping.YML
index dac753de15..4d4d7f77e7 100644
--- a/removed/deprecation_mapping.YML
+++ b/removed/deprecation_mapping.YML
@@ -1,4 +1,19 @@
 detections:
+  - content: CertUtil Download With URLCache and Split Arguments
+    removed_in_version: 5.8.0
+    reason: Detection deprecated in favor of "Windows File Download Via CertUtil", in order to provide a better experience of the alert
+    replacement_content:
+      - Windows File Download Via CertUtil
+  - content: Windows CertUtil Download With URL Argument
+    removed_in_version: 5.8.0
+    reason: Detection deprecated in favor of "Windows File Download Via CertUtil", in order to provide a better experience of the alert
+    replacement_content:
+      - Windows File Download Via CertUtil
+  - content: CertUtil Download With VerifyCtl and Split Arguments
+    removed_in_version: 5.8.0
+    reason: Detection deprecated in favor of "Windows File Download Via CertUtil", in order to provide a better experience of the alert
+    replacement_content:
+      - Windows File Download Via CertUtil
   - content: Detect Large Outbound ICMP Packets
     removed_in_version: 5.6.0
     reason: Detection has been replaced by a new detection with a more specific name
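Review bot: The `reason:` text repeated on the three new entries, `in order to provide a better experience of the alert`, does not say what actually changed; something like `Detection deprecated in favor of "Windows File Download Via CertUtil", which merges the three CertUtil download analytics into a single alert` tells a reader why the old one stopped firing. The entries are also now inserted ahead of `Detect Large Outbound ICMP Packets` after earlier revisions in this series placed them next to the other 5.x entries further down; if the file has an intended order (by version, or by insertion), a one-line comment under `detections:` stating it would spare the next contributor the same back-and-forth. The `removed_in_version` value has moved from 5.4.0 to 5.6.0 to 5.8.0 across the series, so it is worth confirming that 5.8.0 is the release the `status: deprecated` files will actually ship under.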
@@ -759,21 +774,6 @@ detections:
   - content: Excel Spawning Windows Script Host
     removed_in_version: 5.2.0
     reason: Detection deprecated as it no longer effectively identifies the intended malicious activity
-  - content: CertUtil Download With URLCache and Split Arguments
-    removed_in_version: 5.6.0
-    reason: Detection deprecated in favor of "Windows File Download Via CertUtil", in order to provide a better experience of the alert
-    replacement_content:
-      - Windows File Download Via CertUtil
-  - content: Windows CertUtil Download With URL Argument
-    removed_in_version: 5.6.0
-    reason: Detection deprecated in favor of "Windows File Download Via CertUtil", in order to provide a better experience of the alert
-    replacement_content:
-      - Windows File Download Via CertUtil
-  - content: CertUtil Download With VerifyCtl and Split Arguments
-    removed_in_version: 5.6.0
-    reason: Detection deprecated in favor of "Windows File Download Via CertUtil", in order to provide a better experience of the alert
-    replacement_content:
-      - Windows File Download Via CertUtil
 baselines:
   - content: Previously Seen AWS Cross Account Activity
     removed_in_version: 5.4.0