Merge pull request #3257 from nterl0k/nterl0k-t1219-rmm-update-2

Nterl0k - T1219 - RMM Detection for Registry locations.
splunk · Jan 14, 2025 · 416c239 · 416c239
2 parents d2592c5 + 55d4936
commit 416c239
Show file tree

Hide file tree

Showing 9 changed files with 186 additions and 18 deletions.
diff --git a/data_sources/github.yml → data_sources/github_webhooks.yml b/data_sources/github.yml → data_sources/github_webhooks.yml
@@ -1,15 +1,12 @@
-name: GitHub
+name: GitHub Webhooks
 id: 88aa4632-3c3e-43f6-a00a-998d71f558e3
 version: 1
 date: '2024-07-18'
 author: Patrick Bareiss, Splunk
-description: Data source object for GitHub
+description: Data source object for GitHub Webooks 
 source: github
 sourcetype: aws:firehose:json
-supported_TA:
-- name: Splunk Add-on for Github
-  url: https://splunkbase.splunk.com/app/6254
-  version: 3.1.0
+supported_TA: []
 fields:
 - _time
 - action

diff --git a/detections/cloud/github_actions_disable_security_workflow.yml b/detections/cloud/github_actions_disable_security_workflow.yml
@@ -7,9 +7,9 @@ status: production
 type: Anomaly
 description: The following analytic detects the disabling of a security workflow in GitHub Actions. It leverages GitHub logs to identify when a workflow, excluding those named *security-testing*, is disabled following a push or pull request event. This activity is significant as it may indicate an attempt by an attacker to conceal malicious code by disabling security checks. If confirmed malicious, this could allow the attacker to introduce and persist undetected malicious code within the repository, potentially compromising the integrity and security of the codebase.
 data_source:
-- GitHub
+- GitHub Webhooks
 search: '`github` workflow_run.event=push OR workflow_run.event=pull_request | stats values(workflow_run.name) as workflow_run.name by workflow_run.head_commit.id workflow_run.event workflow_run.head_branch workflow_run.head_commit.author.email workflow_run.head_commit.author.name workflow_run.head_commit.message workflow_run.head_commit.timestamp workflow_run.head_repository.full_name workflow_run.head_repository.owner.id workflow_run.head_repository.owner.login workflow_run.head_repository.owner.type | rename workflow_run.head_commit.author.name as user, workflow_run.head_commit.author.email as user_email, workflow_run.head_repository.full_name as repository, workflow_run.head_branch as branch | search NOT workflow_run.name=*security-testing* | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `github_actions_disable_security_workflow_filter`'
-how_to_implement: You must index GitHub logs. You can follow the url in reference to onboard GitHub logs. Sometimes GitHub logs are truncated, make sure to disable it in props.conf. Replace *security-testing* with the name of your security testing workflow in GitHub Actions.
+how_to_implement: You must ingest GitHub logs using webhooks to enable this detection. You can follow the url in reference to onboard GitHub logs using webhooks.
 known_false_positives: unknown
 references:
 - https://www.splunk.com/en_us/blog/tips-and-tricks/getting-github-data-with-webhooks.html

diff --git a/detections/cloud/github_commit_changes_in_master.yml b/detections/cloud/github_commit_changes_in_master.yml
@@ -7,12 +7,12 @@ status: production
 type: Anomaly
 description: The following analytic detects direct commits or pushes to the master or main branch in a GitHub repository. It leverages GitHub logs to identify events where changes are made directly to these critical branches. This activity is significant because direct modifications to the master or main branch bypass the standard review process, potentially introducing unreviewed and harmful changes. If confirmed malicious, this could lead to unauthorized code execution, security vulnerabilities, or compromised project integrity.
 data_source:
-- GitHub
+- GitHub Webhooks
 search: '`github` branches{}.name = main OR branches{}.name = master |  stats count min(_time) as firstTime max(_time) as lastTime by commit.commit.author.email commit.author.login commit.commit.message repository.pushed_at commit.commit.committer.date repository.full_name | rename commit.author.login as user, repository.full_name as repository | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `github_commit_changes_in_master_filter`'
-how_to_implement: To successfully implement this search, you need to be ingesting logs related to github logs having the fork, commit, push metadata that can be use to monitor the changes in a github project.
+how_to_implement: You must ingest GitHub logs using webhooks to enable this detection. You can follow the url in reference to onboard GitHub logs using webhooks.
 known_false_positives: Admin can do changes directly to master branch
 references:
-- https://www.redhat.com/en/topics/devops/what-is-devsecops
+- https://www.splunk.com/en_us/blog/tips-and-tricks/getting-github-data-with-webhooks.html
 drilldown_searches:
 - name: View the detection results for - "$commit.commit.author.email$"
   search: '%original_detection_search% | search  commit.commit.author.email = "$commit.commit.author.email$"'

diff --git a/detections/cloud/github_commit_in_develop.yml b/detections/cloud/github_commit_in_develop.yml
@@ -7,12 +7,12 @@ status: production
 type: Anomaly
 description: The following analytic detects commits pushed directly to the 'develop' or 'main' branches in a GitHub repository. It leverages GitHub logs, focusing on commit metadata such as author details, commit messages, and timestamps. This activity is significant as direct commits to these branches can bypass the review process, potentially introducing unvetted changes. If confirmed malicious, this could lead to unauthorized code modifications, introducing vulnerabilities or backdoors into the codebase, and compromising the integrity of the development lifecycle.
 data_source:
-- GitHub
+- GitHub Webhooks
 search: '`github` branches{}.name = main OR branches{}.name = develop |  stats count min(_time) as firstTime max(_time) as lastTime  by commit.author.html_url commit.commit.author.email commit.author.login commit.commit.message repository.pushed_at commit.commit.committer.date | eval phase="code" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `github_commit_in_develop_filter`'
-how_to_implement: To successfully implement this search, you need to be ingesting logs related to github logs having the fork, commit, push metadata that can be use to monitor the changes in a github project.
+how_to_implement: You must ingest GitHub logs using webhooks to enable this detection. You can follow the url in reference to onboard GitHub logs using webhooks.
 known_false_positives: admin can do changes directly to develop branch
 references:
-- https://www.redhat.com/en/topics/devops/what-is-devsecops
+- https://www.splunk.com/en_us/blog/tips-and-tricks/getting-github-data-with-webhooks.html
 drilldown_searches:
 - name: View the detection results for - "$commit.commit.author.email$"
   search: '%original_detection_search% | search  commit.commit.author.email = "$commit.commit.author.email$"'

diff --git a/detections/cloud/github_dependabot_alert.yml b/detections/cloud/github_dependabot_alert.yml
@@ -7,9 +7,9 @@ status: production
 type: Anomaly
 description: The following analytic identifies the creation of GitHub Dependabot alerts, which indicate potential vulnerabilities in the codebase. It detects this activity by searching for logs with the "create" action and analyzing fields such as affected package, severity, and fixed version. This detection is significant for a SOC because it helps identify and address security risks in the codebase proactively. If confirmed malicious, these vulnerabilities could be exploited by attackers to gain unauthorized access or cause breaches, leading to potential data loss or system compromise.
 data_source:
-- GitHub
+- GitHub Webhooks
 search: '`github` alert.id=* action=create | rename repository.full_name as repository, repository.html_url as repository_url sender.login as user | stats min(_time) as firstTime max(_time) as lastTime by action alert.affected_package_name alert.affected_range alert.created_at alert.external_identifier alert.external_reference alert.fixed_in alert.severity repository repository_url user | eval phase="code" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `github_dependabot_alert_filter`'
-how_to_implement: You must index GitHub logs. You can follow the url in reference to onboard GitHub logs.
+how_to_implement: You must ingest GitHub logs using webhooks to enable this detection. You can follow the url in reference to onboard GitHub logs using webhooks.
 known_false_positives: unknown
 references:
 - https://www.splunk.com/en_us/blog/tips-and-tricks/getting-github-data-with-webhooks.html

diff --git a/detections/cloud/github_pull_request_from_unknown_user.yml b/detections/cloud/github_pull_request_from_unknown_user.yml
@@ -7,9 +7,9 @@ status: production
 type: Anomaly
 description: The following analytic detects pull requests from unknown users on GitHub. It uses a Splunk query to identify pull requests where the user ID is not specified and cross-references these with a known users lookup table. This activity is significant because pull requests from unknown users can introduce malicious code or unauthorized changes to repositories. If confirmed malicious, this could lead to unauthorized code changes, data breaches, or other security incidents. Immediate steps include reviewing the author's name, repository, head reference, and commit message, and investigating any related artifacts and processes.
 data_source:
-- GitHub
+- GitHub Webhooks
 search: '`github` check_suite.pull_requests{}.id=* | stats count by check_suite.head_commit.author.name repository.full_name check_suite.pull_requests{}.head.ref check_suite.head_commit.message | rename check_suite.head_commit.author.name as user repository.full_name as repository check_suite.pull_requests{}.head.ref as ref_head check_suite.head_commit.message as commit_message | search NOT `github_known_users` | eval phase="code" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `github_pull_request_from_unknown_user_filter`'
-how_to_implement: You must index GitHub logs. You can follow the url in reference to onboard GitHub logs.
+how_to_implement: You must ingest GitHub logs using webhooks to enable this detection. You can follow the url in reference to onboard GitHub logs using webhooks.
 known_false_positives: unknown
 references:
 - https://www.splunk.com/en_us/blog/tips-and-tricks/getting-github-data-with-webhooks.html

diff --git a/detections/cloud/github_template.yml b/detections/cloud/github_template.yml
@@ -0,0 +1,55 @@
+name: GitHub 
+id: 66d95ea9-c0c5-4aa7-86f2-76e242fcd802
+version: 1
+date: '2025-01-14'
+author: Patrick Bareiss, Splunk
+status: production
+type: Anomaly
+description: The following analytic detects 
+data_source:
+- GitHub 
+search: '`github_enterprise` 
+  | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` 
+  | `github_actions_disable_security_workflow_filter`'
+how_to_implement: You must ingest GitHub Enterprise logs using the Splunk Add-on for GitHub https://splunkbase.splunk.com/app/6254 . 
+known_false_positives: unknown
+references:
+- https://www.googlecloudcommunity.com/gc/Community-Blog/Monitoring-for-Suspicious-GitHub-Activity-with-Google-Security/ba-p/763610
+drilldown_searches:
+- name: View the detection results for - "$user$"
+  search: '%original_detection_search% | search  user = "$user$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+tags:
+  analytic_story:
+  - GitHub Malicious Activity
+  asset_type: GitHub
+  confidence: 90
+  impact: 30
+  message: Security Workflow is disabled in branch $branch$ for repository $repository$
+  mitre_attack_id:
+  - T1195.002
+  - T1195
+  observable:
+  - name: user
+    type: User
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - user
+  risk_score: 27
+  security_domain: network
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1195.002/github_actions_disable_security_workflow/github_actions_disable_security_workflow.log
+    source: github
+    sourcetype: aws:firehose:json
diff --git a/detections/endpoint/detect_remote_access_software_usage_registry.yml b/detections/endpoint/detect_remote_access_software_usage_registry.yml
@@ -0,0 +1,92 @@
+name: Detect Remote Access Software Usage Registry
+id: 33804986-25dd-43cf-bb6b-dc14956c7cbc
+version: 1
+date: '2024-11-21'
+author: Steven Dick
+status: production
+type: Anomaly
+description: The following analytic detects when a known remote access software is added to common persistence locations on a device within the environment. Adversaries use these utilities to retain remote access capabilities to the environment. Utilities in the lookup include AnyDesk, GoToMyPC, LogMeIn, TeamViewer and much more. Review the lookup for the entire list and add any others.
+data_source: 
+- Sysmon EventID 12
+- Sysmon EventID 13
+search: '| tstats `security_content_summariesonly` latest(Registry.process_guid) as process_guid  count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path="*\\Microsoft\\Windows\\CurrentVersion\\Run*" OR (Registry.registry_path="*\\SYSTEM\\CurrentControlSet\\Services\\*" AND Registry.registry_value_name="ImagePath")) by Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.registry_key_name 
+| `drop_dm_object_name(Registry)` 
+| `security_content_ctime(firstTime)` 
+| `security_content_ctime(lastTime)` 
+| rex field=registry_value_data "(\")?.+\\\(?<file_name_1>[^\"=]+\.[^\" ]{1,5})(\")?"
+| rex field=registry_value_data "(?<file_name_2>[^\.]+\.[^\" ]{1,5}$)"
+| eval file_name = coalesce(file_name_1,file_name_2)
+| lookup remote_access_software remote_utility AS file_name OUTPUT isutility, description as signature, comment_reference as desc, category 
+| search isutility = TRUE
+| `remote_access_software_usage_exceptions`
+| `detect_remote_access_software_usage_registry_filter`'
+how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the file path, file name, and the user that created the file. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Registry` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. The "exceptions" macro leverages both an Assets and Identities lookup, as well as a KVStore collection called "remote_software_exceptions" that lets you track and maintain device-based exceptions for this set of detections.
+known_false_positives: Known or approved applications used by the organization or usage of built-in functions. Known false positives can be added to the remote_access_software_usage_exception.csv lookup to globally suppress these situations across all remote access content
+references:
+- https://attack.mitre.org/techniques/T1219/
+- https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
+- https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
+drilldown_searches:
+- name: View the detection results for - "$dest$" and "$user$"
+  search: '%original_detection_search% | search dest = "$dest$" user = "$user$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$" and "$user$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$","$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: Investigate registry changes on $dest$ 
+  search: '| from datamodel:Endpoint.Registry| search dest=$dest$ registry_path=$registry_path$'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+tags:
+  analytic_story: 
+  - Insider Threat
+  - Command And Control
+  - Ransomware
+  - Gozi Malware
+  - CISA AA24-241A
+  asset_type: Endpoint
+  confidence: 50
+  impact: 50
+  message: A process for a known remote access software [$signature$] was detected on $dest$
+  mitre_attack_id: 
+  - T1219
+  observable: 
+  - name: dest
+    type: Hostname
+    role:
+    - Victim
+  - name: user
+    type: User
+    role:
+    - Victim
+  - name: registry_path
+    type: Other
+    role:
+    - Attacker
+  - name: signature
+    type: Other
+    role:
+    - Attacker
+  product: 
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields: 
+  - _time
+  - Registry.dest 
+  - Registry.user 
+  - Registry.registry_path 
+  - Registry.registry_value_name 
+  - Registry.registry_value_data 
+  - Registry.registry_key_name
+  risk_score: 25
+  security_domain: endpoint
+  manual_test: This detection uses A&I lookups from Enterprise Security.
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1219/screenconnect/screenconnect_sysmon.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: XmlWinEventLog
diff --git a/stories/github_malicious_activity.yml b/stories/github_malicious_activity.yml
@@ -0,0 +1,24 @@
+name: GitHub Malicious Activity
+id: 9abdd884-909d-46a8-bf11-9fbcd076fac2
+version: 1
+date: '2025-01-14'
+author: Patrick Bareiss, Splunk
+description: Leverage searches that allow you to detect and investigate suspicious GitHub activities
+  that might indicate malicious behavior, including pull requests from unknown users, disabled security
+  workflows, and other potentially harmful repository modifications. These detections help identify
+  attempts to compromise repositories through unauthorized code changes, bypassed security controls,
+  and other suspicious actions that could lead to supply chain attacks or data breaches.
+narrative: GitHub is a popular platform for developers to collaborate on code and manage projects.
+  However, it can also be used by malicious actors to conduct various types of attacks, including
+  supply chain attacks, data breaches, and other malicious activities.
+references:
+- https://www.googlecloudcommunity.com/gc/Community-Blog/Monitoring-for-Suspicious-GitHub-Activity-with-Google-Security/ba-p/763610
+tags:
+  category:
+  - Cloud Security
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  usecase: Security Monitoring
+