From c78f07107d112589640deb92e39deb4b9d18fd15 Mon Sep 17 00:00:00 2001 From: research-bot Date: Wed, 22 Jan 2025 17:55:13 -0800 Subject: [PATCH 1/5] updating detections for 5.0 alpha2 --- ...ndows_file_share_discovery_with_powerview.yml | 16 ++++++++-------- ...eventlog_channelaccess_registry_value_set.yml | 2 +- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/detections/endpoint/windows_file_share_discovery_with_powerview.yml b/detections/endpoint/windows_file_share_discovery_with_powerview.yml index bd56073432..344bcb30ed 100644 --- a/detections/endpoint/windows_file_share_discovery_with_powerview.yml +++ b/detections/endpoint/windows_file_share_discovery_with_powerview.yml @@ -17,7 +17,7 @@ description: The following analytic detects the execution of the Invoke-ShareFin and sensitive data. search: '`powershell` EventCode=4104 (ScriptBlockText=Invoke-ShareFinder*) | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode - ScriptBlockText | rename UserID as user | `security_content_ctime(firstTime)` | + ScriptBlockText | rename UserID as user | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_file_share_discovery_with_powerview_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here 
@@ -29,12 +29,12 @@ references: - https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/ - https://attack.mitre.org/techniques/T1135/ drilldown_searches: -- name: View the detection results for - "$Computer$" and "$user$" - search: '%original_detection_search% | search Computer = "$Computer$" user = "$user$"' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$Computer$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$", +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) @@ -43,12 +43,12 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: Invoke-ShareFinder commandlet was executed on $Computer$ + message: Invoke-ShareFinder commandlet was executed on $dest$ risk_objects: - - field: Computer + - field: dest type: system score: 48 - - field: User + - field: user type: user score: 48 threat_objects: [] diff --git a/detections/endpoint/windows_new_eventlog_channelaccess_registry_value_set.yml b/detections/endpoint/windows_new_eventlog_channelaccess_registry_value_set.yml index 8c3b359024..30f031abec 100644 --- a/detections/endpoint/windows_new_eventlog_channelaccess_registry_value_set.yml +++ b/detections/endpoint/windows_new_eventlog_channelaccess_registry_value_set.yml 
@@ -20,7 +20,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime as lastTime FROM datamodel=Endpoint.Registry WHERE Registry.registry_path IN ("*\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\*", "*\Microsoft\Windows\EventLog\*") AND Registry.registry_value_name=ChannelAccess BY Registry.dest Registry.registry_value_data Registry.action Registry.process_guid - Registry.process_id Registry.registry_key_name Registry.user Registry.registry_value_name + Registry.process_id Registry.registry_key_name Registry.user Registry.registry_value_name Registry.registry_path | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_new_eventlog_channelaccess_registry_value_set_filter`' how_to_implement: To successfully implement this search, you must be ingesting data From 5b51fce4f0311ee18d7466f4cf14a6544240868c Mon Sep 17 00:00:00 2001 From: research-bot Date: Wed, 22 Jan 2025 18:05:40 -0800 Subject: [PATCH 2/5] reg path --- ...s_new_custom_security_descriptor_set_on_eventlog_channel.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/endpoint/windows_new_custom_security_descriptor_set_on_eventlog_channel.yml b/detections/endpoint/windows_new_custom_security_descriptor_set_on_eventlog_channel.yml index ce54597220..bfeca92a28 100644 --- a/detections/endpoint/windows_new_custom_security_descriptor_set_on_eventlog_channel.yml +++ b/detections/endpoint/windows_new_custom_security_descriptor_set_on_eventlog_channel.yml 
@@ -20,7 +20,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime as lastTime FROM datamodel=Endpoint.Registry WHERE Registry.registry_path= "*\\Services\\Eventlog\\*" AND Registry.registry_value_name=CustomSD BY Registry.dest Registry.registry_value_data Registry.action Registry.process_guid Registry.process_id Registry.registry_key_name - Registry.user Registry.registry_value_name | `drop_dm_object_name(Registry)` | where + Registry.user Registry.registry_value_name Registry.registry_path | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_new_custom_security_descriptor_set_on_eventlog_channel_filter`' how_to_implement: To successfully implement this search, you must be ingesting data From 1a4f75aef1cb7535ea56a7ee96515af972edc644 Mon Sep 17 00:00:00 2001 From: research-bot Date: Wed, 22 Jan 2025 18:32:39 -0800 Subject: [PATCH 3/5] updating message --- detections/endpoint/windows_ad_short_lived_server_object.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/endpoint/windows_ad_short_lived_server_object.yml b/detections/endpoint/windows_ad_short_lived_server_object.yml index 5d9c443b23..b06e00f517 100644 --- a/detections/endpoint/windows_ad_short_lived_server_object.yml +++ b/detections/endpoint/windows_ad_short_lived_server_object.yml @@ -48,7 +48,7 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: Potential DCShadow Attack Detected on $Computer$ + message: A short-lived server object was created and deleted on $Computer$ risk_objects: - field: Computer type: system From ef9aa03385d4916f17c04c73723819c577345a4a Mon Sep 17 00:00:00 2001 
From: research-bot Date: Wed, 22 Jan 2025 18:39:19 -0800 Subject: [PATCH 4/5] updating SPL --- ...pre_authentication_flag_disabled_in_useraccountcontrol.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/detections/endpoint/kerberos_pre_authentication_flag_disabled_in_useraccountcontrol.yml b/detections/endpoint/kerberos_pre_authentication_flag_disabled_in_useraccountcontrol.yml index 24d391c160..f5d8ed8cf8 100644 --- a/detections/endpoint/kerberos_pre_authentication_flag_disabled_in_useraccountcontrol.yml +++ b/detections/endpoint/kerberos_pre_authentication_flag_disabled_in_useraccountcontrol.yml @@ -16,8 +16,7 @@ description: The following analytic detects when the Kerberos Pre-Authentication data_source: - Windows Event Log Security 4738 search: > - `wineventlog_security` EventCode=4738 MSADChangedAttributes=\"*Don't Require Preauth' - - Enabled*\" |rename Account_Name as user | table EventCode, user, dest, Security_ID, + `wineventlog_security` EventCode=4738 MSADChangedAttributes="*\'Don\'t Require Preauth\' - Enabled*" |rename Account_Name as user | table EventCode, user, dest, Security_ID, MSADChangedAttributes | `kerberos_pre_authentication_flag_disabled_in_useraccountcontrol_filter` how_to_implement: To successfully implement this search, you need to be ingesting Domain Controller events. The Advanced Security Audit policy setting `User Account @@ -68,3 +67,4 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.004/powershell/windows-security.log source: WinEventLog:Security sourcetype: WinEventLog + From 217666c5d120993139259f6566468b03bb477ba4 Mon Sep 17 00:00:00 2001 
From: research-bot Date: Thu, 23 Jan 2025 09:56:40 -0800 Subject: [PATCH 5/5] all but one fixes --- ...urce_and_response_for_verify_push_request.yml | 4 ++-- ...s_defense_evasion_stop_logging_cloudtrail.yml | 3 ++- ...asl_aws_defense_evasion_update_cloudtrail.yml | 2 +- ..._control_list_created_with_all_open_ports.yml | 6 +++--- .../azure_ad_service_principal_enumeration.yml | 16 ++++++++-------- 5 files changed, 16 insertions(+), 15 deletions(-) diff --git a/detections/application/okta_mismatch_between_source_and_response_for_verify_push_request.yml b/detections/application/okta_mismatch_between_source_and_response_for_verify_push_request.yml index d305ab358d..5b2d38b889 100644 --- a/detections/application/okta_mismatch_between_source_and_response_for_verify_push_request.yml +++ b/detections/application/okta_mismatch_between_source_and_response_for_verify_push_request.yml @@ -60,9 +60,9 @@ references: - https://splunkbase.splunk.com/app/6553 rba: message: A mismatch between source and response for verifying a push request has - occurred for $actor.alternateId$ + occurred for $user$ risk_objects: - - field: actor.alternateId + - field: user type: user score: 64 threat_objects: [] diff --git a/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml b/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml index f619aec6a7..28a9d9a628 100644 --- a/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml +++ b/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml 
@@ -8,7 +8,8 @@ type: TTP description: The following analytic detects `StopLogging` events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker's actions. data_source: - ASL AWS CloudTrail -search: '`amazon_security_lake` api.operation=StopLogging | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`' +search: '`amazon_security_lake` api.operation=StopLogging | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account.uid + as aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`' how_to_implement: The detection is based on Amazon Security Lake 
events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: While this search has no known false positives, it is possible that an AWS admin has stopped cloudtrail logging. Please investigate this activity. references: diff --git a/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml b/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml index 70e9142d20..1b45a81b7f 100644 --- a/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml +++ b/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml 
@@ -8,7 +8,7 @@ type: TTP description: The following analytic detects `UpdateTrail` events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary's intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations. data_source: - ASL AWS CloudTrail -search: '`amazon_security_lake` api.operation=UpdateTrail | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_update_cloudtrail_filter`' +search: '`amazon_security_lake` api.operation=UpdateTrail | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account.uid as aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_update_cloudtrail_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized 
data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: While this search has no known false positives, it is possible that an AWS admin has updated cloudtrail logging. Please investigate this activity. references: diff --git a/detections/cloud/asl_aws_network_access_control_list_created_with_all_open_ports.yml b/detections/cloud/asl_aws_network_access_control_list_created_with_all_open_ports.yml index d6bef2c61e..7d42dfa04e 100644 --- a/detections/cloud/asl_aws_network_access_control_list_created_with_all_open_ports.yml +++ b/detections/cloud/asl_aws_network_access_control_list_created_with_all_open_ports.yml 
@@ -16,8 +16,8 @@ search: '`amazon_security_lake` api.operation=CreateNetworkAclEntry OR api.opera | spath input=api.request.data path=networkAclId output=networkAclId | search ruleAction=allow AND egress=false AND aclProtocol=-1 AND cidrBlock=0.0.0.0/0 | fillnull - | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region networkAclId - | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id + | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region networkAclId cidrBlock + | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account.uid as aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `asl_aws_network_access_control_list_created_with_all_open_ports_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: It's possible that an admin has created this ACL with all ports open for some legitimate purpose however, this should be scoped and not allowed in production environment. 
@@ -32,7 +32,7 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: User $user$ has created network ACLs with all the ports open to a specified CIDR $requestParameters.cidrBlock$ + message: User $user$ has created network ACLs with all the ports opens to $cidrBlock$ risk_objects: - field: user type: user diff --git a/detections/cloud/azure_ad_service_principal_enumeration.yml b/detections/cloud/azure_ad_service_principal_enumeration.yml index 0b2628a773..67af2a74cc 100644 --- a/detections/cloud/azure_ad_service_principal_enumeration.yml +++ b/detections/cloud/azure_ad_service_principal_enumeration.yml 
@@ -6,15 +6,15 @@ author: Dean Luxton data_source: - Azure Active Directory MicrosoftGraphActivityLogs type: TTP -status: production +status: production description: >- This detection leverages azure graph activity logs to identify when graph APIs have been used to identify 10 or more service principals. This type of behaviour is associated with tools such as Azure enumberation tools such as AzureHound or ROADtools. search: >- - `azure_monitor_aad` category IN (MicrosoftGraphActivityLogs) TERM(servicePrincipals) + `azure_monitor_aad` category IN (MicrosoftGraphActivityLogs) TERM(servicePrincipals) | fillnull | rex field="properties.requestUri" "https\:\/\/graph.microsoft.com\/beta\/servicePrincipals\/(?P.*?)\/" | rex field="properties.requestUri" "https\:\/\/graph.microsoft.com\/v1.0\/servicePrincipals\/(?P.*?)\/" - | eval spn=coalesce(servicePrincipalb,servicePrincipalv1) | stats min(_time) as _time dc(spn) as spn_count values(user) as user values(user_category) as user_category values(src_category) as src_category count by src tenantId properties.userAgent + | eval spn=coalesce(servicePrincipalb,servicePrincipalv1) | stats count min(_time) as _time dc(spn) as spn_count values(user_id) as user_id by src tenantId properties.userAgent | rename properties.userAgent as user_agent | where spn_count>9 | `azure_ad_service_principal_enumeration_filter` how_to_implement: >- 
@@ -27,16 +27,16 @@ references: - https://splunkbase.splunk.com/app/3110 - https://docs.splunk.com/Documentation/AddOns/released/MSCloudServices/Install drilldown_searches: -- name: View the detection results for - "$user$" - search: '%original_detection_search% | search user = "$user$"' +- name: View the detection results for - "$user_id$" + search: '%original_detection_search% | search user_id = "$user_id$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user_id$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_id$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: $spn_count$ Service Principals have been enumerated by $user$ from IP $src$ + message: $spn_count$ Service Principals have been enumerated by $user_id$ from IP $src$ risk_objects: - field: tenantId type: other
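Review bot: in the windows_file_share_discovery_with_powerview.yml rba hunk (patch 1), the `- field: User` to `- field: user` change is the important one: the search already does `rename UserID as user`, and Splunk field names are case-sensitive, so the old risk object pointed at a field that never existed in the output. With `rename Computer as dest` now added to the search, both `dest` and `user` exist at the point where the `_filter` macro and the risk objects are evaluated, and the drilldowns in the preceding hunk are consistent with them.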
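Review bot: in the windows_new_eventlog_channelaccess_registry_value_set.yml hunk (patch 1), the two patterns in the `Registry.registry_path IN (...)` context lines escape backslashes differently: `"*\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\*"` doubles them while `"*\Microsoft\Windows\EventLog\*"` does not. Inside a YAML single-quoted scalar both reach SPL literally, so the two patterns are not matched the same way. Since this line is being touched to add `Registry.registry_path`, align the second pattern with the doubled form that the sibling detection in patch 2 uses (`"*\\Services\\Eventlog\\*"`).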
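Review bot: the windows_new_custom_security_descriptor_set_on_eventlog_channel.yml hunk (patch 2, titled "reg path") only adds `Registry.registry_path` to the `BY` clause; nothing consumes the new `registry_path` field in this patch. If the intent is to surface the path in the alert, the rba message should reference `$registry_path$` in the same commit, otherwise the added group-by field only raises the cardinality of the tstats output without changing what the analyst sees.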
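Review bot: the windows_ad_short_lived_server_object.yml rba hunk (patch 3) keeps `- field: Computer` as the system risk object while patch 1 moves the sibling PowerView detection from `Computer` to `dest`. If the search here also outputs `Computer`, the message change is fine on its own, but for consistency across the 5.0 content it would be worth applying the same `rename Computer as dest` treatment to this detection so all system risk objects use `dest`.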
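Review bot: in the kerberos_pre_authentication_flag_disabled_in_useraccountcontrol.yml search hunk (patch 4), the new line still contains backslash escapes that YAML passes through literally: `search: >` is a folded block scalar, so `\'Don\'t Require Preauth\'` reaches SPL with the backslashes intact. That is the same class of problem the removed line had with `\"` (and the removed line was also missing the opening single quote before `Don't`). A double-quoted SPL string does not need single quotes escaped, so `"*'Don't Require Preauth' - Enabled*"` is the safer form; please confirm against the windows-security.log dataset listed under `tests` that the escaped variant actually matches. Separately, the second hunk in this file adds an empty `+` line after `sourcetype: WinEventLog`, which looks like an accidental trailing newline and should be dropped.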
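Review bot: the okta_mismatch_between_source_and_response_for_verify_push_request.yml hunk (patch 5) changes the risk object and message token from `actor.alternateId` to `user`, but the hunk does not include the search, so it is not visible here whether the search renames `actor.alternateId` to `user`. If it does not, the risk object will resolve to an empty field; please confirm the rename exists in the search before merging.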
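Review bot: the asl_aws_defense_evasion_stop_logging_cloudtrail.yml search hunk (patch 5) correctly fixes `actor.user.account_uid` to `actor.user.account.uid`, which now matches the field in the `by` clause, so `aws_account_id` will be populated. Two smaller points: the single-quoted scalar is now broken across two lines in the middle of the `rename` (YAML folds the newline to a space, so it works, but the identical fix in asl_aws_defense_evasion_update_cloudtrail.yml stays on one line; match that for readability), and the `known_false_positives` context line says the search "has no known false positives" and then describes an admin stopping CloudTrail logging, which is exactly a false positive; reword it.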
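Review bot: in the asl_aws_network_access_control_list_created_with_all_open_ports.yml rba hunk (patch 5), the new message reads "all the ports opens to $cidrBlock$"; it should be "open to". The `$cidrBlock$` token depends on the `cidrBlock` field added to the `stats ... by` clause in the earlier hunk of the same file, and since the search filters on `cidrBlock=0.0.0.0/0` the token will always render that value, which is acceptable but means the message could simply state it.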
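Review bot: in the azure_ad_service_principal_enumeration.yml search hunk (patch 5), the `status: production` and `TERM(servicePrincipals)` lines appear unchanged apart from whitespace; if that is trailing-whitespace cleanup it is fine, but it inflates the diff. The substantive change replaces `values(user)` with `values(user_id) as user_id`, which is a multivalue field when more than one user enumerates from the same `src`/`tenantId`/user agent; the rba message and drilldowns in the next hunk use it as a scalar. Also note that in this rendering the two `rex` captures show as `(?P.*?)` while `coalesce(servicePrincipalb,servicePrincipalv1)` expects named groups, so confirm the group names are intact in the source file, and fix "enumberation" in the description context line.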
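Review bot: in the azure_ad_service_principal_enumeration.yml drilldown hunk (patch 5), `search user_id = "$user_id$"` will not match when `user_id` is multivalued (it comes from `values(user_id)` in the search), and the `normalized_risk_object IN ("$user_id$")` drilldown has the same problem. Either group by `user_id` in the search so it is a single value, or use a multivalue-safe match in the drilldown. The visible `risk_objects` list only `tenantId`; if `user_id` is meant to carry risk as the message suggests, add it as a `user` risk object too.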