diff --git a/detections/endpoint/ping_sleep_batch_command.yml b/detections/endpoint/ping_sleep_batch_command.yml
index b25ff7064b..67537afc32 100644
--- a/detections/endpoint/ping_sleep_batch_command.yml
+++ b/detections/endpoint/ping_sleep_batch_command.yml
@@ -1,11 +1,12 @@
 name: Ping Sleep Batch Command
 id: ce058d6c-79f2-11ec-b476-acde48001122
-version: 9
-date: '2025-05-02'
+version: 10
+date: '2025-05-19'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
-description: The following analytic identifies the execution of ping sleep batch commands.
+description: |
+ The following analytic identifies the execution of ping sleep batch commands.
 It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process command-line details. This activity is significant as it indicates an attempt to delay malicious code execution, potentially evading detection
@@ -17,9 +18,21 @@ data_source:
 - Sysmon EventID 1
 - CrowdStrike ProcessRollup2
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
- as lastTime from datamodel=Endpoint.Processes where `process_ping` (Processes.parent_process
- = "*ping*" Processes.parent_process = *-n* Processes.parent_process="* Nul*"Processes.parent_process="*>*")
- OR (Processes.process = "*ping*" Processes.process = *-n* Processes.process="* Nul*"Processes.process="*>*")
+ as lastTime from datamodel=Endpoint.Processes where
+ (
+ Processes.parent_process= "*ping*"
+ Processes.parent_process = *-n*
+ Processes.parent_process="* Nul*"
+ Processes.parent_process IN ("*>*", "*>*")
+ Processes.parent_process IN ("*&*", "*& *")
+ )
+ OR (
+ Processes.process = "*ping*"
+ Processes.process = *-n*
+ Processes.process="* Nul*"
+ Processes.process IN ("*>*", "*>*")
+ Processes.process IN ("*&*", "*& *")
+ )
 by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec
diff --git a/detections/endpoint/schtasks_scheduling_job_on_remote_system.yml b/detections/endpoint/schtasks_scheduling_job_on_remote_system.yml
index e40f6755f6..782f5f781d 100644
--- a/detections/endpoint/schtasks_scheduling_job_on_remote_system.yml
+++ b/detections/endpoint/schtasks_scheduling_job_on_remote_system.yml
@@ -1,7 +1,7 @@
 name: Schtasks scheduling job on remote system
 id: 1297fb80-f42a-4b4a-9c8a-88c066237cf6
-version: 14
-date: '2025-05-02'
+version: 15
+date: '2025-05-19'
 author: David Dorsey, Mauricio Velazco, Splunk
 status: production
 type: TTP
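Review bot: `Processes.parent_process IN ("*>*", "*>*")` lists the same pattern twice, and the `Processes.process IN ("*>*", "*>*")` line further down the hunk repeats it; from the parallel `IN ("*&*", "*& *")` clauses it looks like `"*> *"` was intended, but `"*&*"` already matches everything `"*& *"` matches, so each of the four IN lists reduces to one term, e.g. `Processes.parent_process = "*>*"` and `Processes.parent_process = "*&*"`. The new `&` term is ANDed with the existing `>` term, so the search now requires both characters where the removed version required only the redirect; if narrowing to chained forms is intended, the description in the first hunk should say so and the detection's test data should include a command line without `&` to confirm it is meant to drop out. The `search:` value continues past the end of the hunk.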
@@ -20,7 +20,7 @@ data_source:
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = schtasks.exe OR Processes.original_file_name=schtasks.exe) (Processes.process="*/create*" AND
- Processes.process="*/s*") by Processes.action Processes.dest Processes.original_file_name
+ Processes.process="*/s *") by Processes.action Processes.dest Processes.original_file_name
 Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash
diff --git a/detections/endpoint/windows_msiexec_dllregisterserver.yml b/detections/endpoint/windows_msiexec_dllregisterserver.yml
index ac746862da..9c7f4ba334 100644
--- a/detections/endpoint/windows_msiexec_dllregisterserver.yml
+++ b/detections/endpoint/windows_msiexec_dllregisterserver.yml
@@ -1,7 +1,7 @@
 name: Windows MSIExec DLLRegisterServer
 id: fdb59aef-d88f-4909-8369-ec2afbd2c398
-version: 9
-date: '2025-05-02'
+version: 10
+date: '2025-05-19'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -21,7 +21,7 @@ data_source:
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_msiexec` Processes.process
- IN ("*/y*", "*-y*") by Processes.action Processes.dest Processes.original_file_name
+ IN ("* /y*", "* -y*") by Processes.action Processes.dest Processes.original_file_name
 Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash
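Review bot: The space in `Processes.process="*/s *"` is the entire change and is doing real work (it appears meant to stop switches such as `/sc`, `/st` and `/sd` from satisfying the remote-system test), but nothing in the file records that, so a later edit is likely to strip it as stray whitespace. A YAML comment above `search:` such as `# the space after /s is deliberate: it excludes /sc, /st, /sd and similar switches` would preserve the intent. The pattern also no longer matches a command line where `/s` is followed by a tab rather than a space, which is probably acceptable but should be a conscious choice. The `search:` value begins before and continues past this hunk.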
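Review bot: `IN ("* /y*", "* -y*")` now requires a space immediately before the switch, and the commit does not say why; if the goal is to avoid matching `/y` or `-y` inside a path or URL fragment, note that `"* /y*"` still matches any space-prefixed token beginning with `/y`, so the narrowing is only partial. Record the reason beside the search, e.g. `# leading space before /y and -y is deliberate: avoids matching the letters inside other arguments`, so the whitespace survives future reformatting. Whether the wildcard comparison is case-sensitive for `/Y` on this data model field is worth confirming, since the original pattern had the same exposure. The `search:` value continues outside this hunk.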
diff --git a/detections/endpoint/windows_process_commandline_discovery.yml b/detections/endpoint/windows_process_commandline_discovery.yml
index 850db3f443..078b2034ce 100644
--- a/detections/endpoint/windows_process_commandline_discovery.yml
+++ b/detections/endpoint/windows_process_commandline_discovery.yml
@@ -1,7 +1,7 @@
 name: Windows Process Commandline Discovery
 id: 67d2a52e-a7e2-4a5d-ae44-a21212048bc2
-version: 6
-date: '2025-05-02'
+version: 7
+date: '2025-05-19'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
@@ -20,7 +20,7 @@ description: The following analytic detects the use of Windows Management Instru
 further exploitation or lateral movement.
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` Processes.process=
- "* process *" Processes.process= "* get commandline *" by Processes.action Processes.dest
+ "* process *" Processes.process= "* get *" Processes.process= "*CommandLine*" by Processes.action Processes.dest
 Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid
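Review bot: The new `Processes.process= "*CommandLine*"` term is mixed-case while the removed `"* get commandline *"` was lowercase; if tstats wildcard comparison on this data model field is case-sensitive (worth confirming in the target deployment), the change swaps which spelling is detected rather than broadening coverage, and `get commandline` or `GET COMMANDLINE` would stop matching. Separating `get` from `CommandLine` does broaden the search to comma-separated property lists such as `get name,CommandLine`, which looks intended and deserves a sentence in the description. If case-sensitivity is confirmed, `Processes.process IN ("*CommandLine*", "*commandline*", "*COMMANDLINE*")` would cover the common spellings in one term. The `search:` value continues past the end of the hunk.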