From e9540be509db46425d4936adf9642075d59782c3 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali Date: Tue, 14 Jan 2025 22:57:00 +0100 Subject: [PATCH 01/14] add cisco secure endpoint related analytics --- ...ecure_endpoint_related_service_stopped.yml | 68 +++++++++++++++++ ..._endpoint_stop_service_immunet_via_sfc.yml | 74 +++++++++++++++++++ ...o_secure_endpoint_unblock_file_via_sfc.yml | 74 +++++++++++++++++++ ...oint_uninstall_service_immunet_via_sfc.yml | 74 +++++++++++++++++++ 4 files changed, 290 insertions(+) create mode 100644 detections/endpoint/windows_cisco_secure_endpoint_related_service_stopped.yml create mode 100644 detections/endpoint/windows_cisco_secure_endpoint_stop_service_immunet_via_sfc.yml create mode 100644 detections/endpoint/windows_cisco_secure_endpoint_unblock_file_via_sfc.yml create mode 100644 detections/endpoint/windows_cisco_secure_endpoint_uninstall_service_immunet_via_sfc.yml diff --git a/detections/endpoint/windows_cisco_secure_endpoint_related_service_stopped.yml b/detections/endpoint/windows_cisco_secure_endpoint_related_service_stopped.yml new file mode 100644 index 0000000000..cd5ed99fac --- /dev/null +++ b/detections/endpoint/windows_cisco_secure_endpoint_related_service_stopped.yml 
@@ -0,0 +1,68 @@ +name: Windows Cisco Secure Endpoint Related Service Stopped +id: df74f45f-01c8-4fd6-bcb8-f6a9ea58307a +version: 7 +date: '2024-12-09' +author: Nasreddine Bencherchali, Splunk +status: production +type: Anomaly +description: The following analytic detects the suspicious termination of known services commonly targeted by ransomware before file encryption. It leverages Windows System Event Logs (EventCode 7036) to identify when critical services such as Volume Shadow Copy, backup, and antivirus services are stopped. This activity is significant because ransomware often disables these services to avoid errors and ensure successful file encryption. If confirmed malicious, this behavior could lead to widespread data encryption, rendering files inaccessible and potentially causing significant operational disruption and data loss. +data_source: +- Windows Event Log System 7036 +search: '`wineventlog_system` EventCode=7036 param1 IN ("Cisco AMP Orbital", "*Cisco Secure Endpoint*", "*Cisco Security Connector Monitoring*", "CiscoSAM", "CiscoAMPHeurDriver", "CiscoAMPELAMDriver", "CiscoAMPCEFWDriver", "ImmunetNetworkMonitorDriver", "ImmunetProtectDriver", "ImmunetSelfProtectDriver") param2 IN ("stopped", "arrêté") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode param1 dest | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_cisco_secure_endpoint_related_service_stopped_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting logs with the 7036 EventCode ScManager in System audit Logs from your endpoints. +known_false_positives: Administrator or troubleshooting activities may trigger this alert. Investigate the process performing this action to determine if its a legitimate activity. 
+references: +- https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/ +- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/ +- https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/ +- https://blogs.vmware.com/security/2022/10/lockbit-3-0-also-known-as-lockbit-black.html +drilldown_searches: +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +tags: + analytic_story: + - Security Solution Tampering + asset_type: Endpoint + confidence: 70 + impact: 60 + message: Cisco Secure Endpoint Service $param1$ stopped on $dest$ + mitre_attack_id: + - T1490 + observable: + - name: dest + type: Endpoint + role: + - Victim + - name: param1 + type: Other + role: + - Attacker + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - EventCode + - Message + - dest + - Type + risk_score: 42 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/cisco_secure_endpoint_tampering/service_stop.log + source: XmlWinEventLog:System + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_cisco_secure_endpoint_stop_service_immunet_via_sfc.yml b/detections/endpoint/windows_cisco_secure_endpoint_stop_service_immunet_via_sfc.yml new file mode 100644 index 0000000000..5a57bfde50 --- /dev/null +++ b/detections/endpoint/windows_cisco_secure_endpoint_stop_service_immunet_via_sfc.yml 
@@ -0,0 +1,74 @@ +name: Windows Cisco Secure Endpoint Stop Immunet Service Via Sfc +id: 44badcb1-2e8c-4628-9537-021bbae571ad +version: 1 +date: '2025-01-08' +author: Nasreddine Bencherchali, Splunk +status: production +type: Anomaly +description: The following analytic detects the use of the `sfc.exe` utility, in order to stop the Immunet Protect service. The Sfc.exe utility is part of Cisco Secure Endpoint installation. This detection leverages telemetry from the endpoint, focusing on command-line executions involving the `-k` parameter. This activity is significant as it indicates potential tampering with defensive mechanisms. If confirmed malicious, attackers could partially blind the EDR, enabling further compromise and lateral movement within the network. +data_source: +- Sysmon EventID 1 +- Windows Event Log Security 4688 +- CrowdStrike ProcessRollup2 +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name="sfc.exe" Processes.process="* -k*" Processes.parent_process by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_cisco_secure_endpoint_stop_immunet_service_via_sfc_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. 
The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: It is possible that this action is executed during troubleshooting activity. Activity needs to be confirmed on a case by case basis. +references: +- https://www.cisco.com/c/en/us/support/docs/security/amp-endpoints/213690-amp-for-endpoint-command-line-switches.html +drilldown_searches: +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +tags: + analytic_story: + - Security Solution Tampering + asset_type: Endpoint + confidence: 70 + impact: 60 + message: Suspicious use of `sfc.exe` stopping the Immunet Protect service on $dest$ by user $user$ + mitre_attack_id: + - T1562 + - T1562.001 + observable: + - name: user + type: User + role: + - Victim + - name: dest + type: Endpoint + role: + - Victim + - name: parent_process_name + type: Process + role: + - Attacker + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - Processes.dest + - Processes.user + - Processes.parent_process_name + - 
Processes.parent_process + - Processes.original_file_name + - Processes.process_name + - Processes.process + - Processes.process_id + - Processes.parent_process_path + - Processes.process_path + - Processes.parent_process_id + risk_score: 42 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/cisco_secure_endpoint_tampering/sfc_tampering.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_cisco_secure_endpoint_unblock_file_via_sfc.yml b/detections/endpoint/windows_cisco_secure_endpoint_unblock_file_via_sfc.yml new file mode 100644 index 0000000000..b6d1c326a4 --- /dev/null +++ b/detections/endpoint/windows_cisco_secure_endpoint_unblock_file_via_sfc.yml 
@@ -0,0 +1,74 @@ +name: Windows Cisco Secure Endpoint Unblock File Via Sfc +id: 9a7a490c-5581-4c95-bab5-a21e351293ef +version: 1 +date: '2025-01-08' +author: Nasreddine Bencherchali, Splunk +status: production +type: Anomaly +description: The following analytic detects the use of the sfc.exe utility with the "-unblock" parameter, a feature within Cisco Secure Endpoint. The "-unblock" flag is used to remove system blocks imposed by the endpoint protection. This detection focuses on command-line activity that includes the "-unblock" parameter, as it may indicate an attempt to restore access to files or processes previously blocked by the security software. While this action could be legitimate in troubleshooting scenarios, malicious actors might use it to override protective measures, enabling execution of blocked malicious payloads or bypassing other security mechanisms. +data_source: +- Sysmon EventID 1 +- Windows Event Log Security 4688 +- CrowdStrike ProcessRollup2 +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name="sfc.exe" Processes.process="* -unblock *" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_cisco_secure_endpoint_unblock_file_via_sfc_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. 
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: It is possible that this action is executed during troubleshooting activity. Activity needs to be confirmed on a case by case basis. +references: +- https://www.cisco.com/c/en/us/support/docs/security/amp-endpoints/213690-amp-for-endpoint-command-line-switches.html +drilldown_searches: +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +tags: + analytic_story: + - Security Solution Tampering + asset_type: Endpoint + confidence: 70 + impact: 60 + message: Suspicious use of `sfc.exe` unblocking a potentially harmful file on $dest$ by user $user$ + mitre_attack_id: + - T1562 + - T1562.001 + observable: + - name: user + type: User + role: + - Victim + - name: dest + type: Endpoint + role: + - Victim + - name: parent_process_name + type: Process + role: + - Attacker + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk 
Cloud + required_fields: + - _time + - Processes.dest + - Processes.user + - Processes.parent_process_name + - Processes.parent_process + - Processes.original_file_name + - Processes.process_name + - Processes.process + - Processes.process_id + - Processes.parent_process_path + - Processes.process_path + - Processes.parent_process_id + risk_score: 42 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/cisco_secure_endpoint_tampering/sfc_tampering.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_cisco_secure_endpoint_uninstall_service_immunet_via_sfc.yml b/detections/endpoint/windows_cisco_secure_endpoint_uninstall_service_immunet_via_sfc.yml new file mode 100644 index 0000000000..e1e51411f7 --- /dev/null +++ b/detections/endpoint/windows_cisco_secure_endpoint_uninstall_service_immunet_via_sfc.yml 
@@ -0,0 +1,74 @@ +name: Windows Cisco Secure Endpoint Uninstall Immunet Service Via Sfc +id: ba6e7f4d-a85e-4a14-8e7d-41f4b82e3c9a +version: 1 +date: '2025-01-08' +author: Nasreddine Bencherchali, Splunk +status: production +type: Anomaly +description: The following analytic detects the use of the sfc.exe utility with the "-u" parameter, which is part of the Cisco Secure Endpoint installation. The "-u" flag allows the uninstallation of Cisco Secure Endpoint components. This detection leverages endpoint telemetry to monitor command-line executions that include the "-u" parameter. The use of this flag is significant as it could indicate an attempt to disable or remove endpoint protection, potentially leaving the system vulnerable to further exploitation. If identified as malicious, this action may be part of a broader effort to disable security mechanisms and avoid detection. +data_source: +- Sysmon EventID 1 +- Windows Event Log Security 4688 +- CrowdStrike ProcessRollup2 +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name="sfc.exe" Processes.process="* -u*" NOT Processes.process="* -unblock *" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_cisco_secure_endpoint_uninstall_immunet_service_via_sfc_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. 
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: It is possible that this action is executed during troubleshooting activity. Activity needs to be confirmed on a case by case basis. +references: +- https://www.cisco.com/c/en/us/support/docs/security/amp-endpoints/213690-amp-for-endpoint-command-line-switches.html +drilldown_searches: +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +tags: + analytic_story: + - Security Solution Tampering + asset_type: Endpoint + confidence: 70 + impact: 60 + message: Suspicious use of `sfc.exe` to uninstall the Immunet Protect service on $dest$ by user $user$ + mitre_attack_id: + - T1562 + - T1562.001 + observable: + - name: user + type: User + role: + - Victim + - name: dest + type: Endpoint + role: + - Victim + - name: parent_process_name + type: Process + role: + - Attacker + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk 
Cloud + required_fields: + - _time + - Processes.dest + - Processes.user + - Processes.parent_process_name + - Processes.parent_process + - Processes.original_file_name + - Processes.process_name + - Processes.process + - Processes.process_id + - Processes.parent_process_path + - Processes.process_path + - Processes.parent_process_id + risk_score: 42 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/cisco_secure_endpoint_tampering/sfc_tampering.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog From 7ff17f0b25468352f37863ba5cfdb37460dcd519 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali Date: Tue, 21 Jan 2025 11:07:13 +0100 Subject: [PATCH 02/14] Create security_solution_tampering.yml --- stories/security_solution_tampering.yml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 stories/security_solution_tampering.yml diff --git a/stories/security_solution_tampering.yml b/stories/security_solution_tampering.yml new file mode 100644 index 0000000000..1ac981a993 --- /dev/null +++ b/stories/security_solution_tampering.yml 
@@ -0,0 +1,25 @@ +name: Security Solution Tampering +id: c17cde5f-9f00-472b-9d4e-fceb2f47d656 +version: 1 +date: '2025-01-21' +author: Nasreddine Bencherchali, Splunk +description: | + This analytic story focuses on identifying behaviors associated with the misuse of security solution utilities, such as antivirus (AV) and endpoint detection and response (EDR) tools, on endpoints. Adversaries often exploit these utilities to disable critical security services, modify configurations, or execute defense evasion actions. Such activities are typically aimed at bypassing detection mechanisms, disrupting incident response efforts, and maintaining persistence within a compromised environment. By monitoring for these suspicious behaviors, this story empowers security teams to detect, investigate, and respond to potential tampering or manipulation of endpoint defenses effectively. +narrative: | + Attackers often target security solutions as part of their defense evasion strategies. By disabling or tampering with AV and EDR services, they can reduce the likelihood of detection and freely execute malicious activities. This analytic story focuses on detecting such malicious interactions with security utilities, helping organizations to identify and respond to potential threats promptly. + + The detections within this story leverage various data sources to monitor for suspicious activities, such as the execution of known security utility binaries with parameters that disable protections, unexpected stopping of security services, or modification of security-related registry keys. Implementing these detections enables security teams to enhance their visibility into potential tampering attempts and strengthen their overall security posture. 
+references: + - https://www.cisco.com/c/en/us/support/docs/security/amp-endpoints/213690-amp-for-endpoint-command-line-switches.html + - https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/appendices/windows-commands-for-the-endpoint-protection-clien-v9567615-d19e6200.html + - https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2025-ps + - https://support.kaspersky.com/keswin/11.1.1/en-US/178723.htm + - https://ppn.snovvcrash.rocks/pentest/infrastructure/ad/av-edr-evasion/defender +tags: + category: + - Defense Evasion + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + usecase: Threat Detection From edc6bfba75308d1434ef47497b7e9e9f5a581c54 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali Date: Tue, 21 Jan 2025 11:12:19 +0100 Subject: [PATCH 03/14] Update security_solution_tampering.yml --- stories/security_solution_tampering.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/stories/security_solution_tampering.yml b/stories/security_solution_tampering.yml index 1ac981a993..9c2861a585 100644 --- a/stories/security_solution_tampering.yml +++ b/stories/security_solution_tampering.yml @@ -17,9 +17,9 @@ references: - https://ppn.snovvcrash.rocks/pentest/infrastructure/ad/av-edr-evasion/defender tags: category: - - Defense Evasion + - Adversary Tactics product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - usecase: Threat Detection + usecase: Advanced Threat Detection From f07c0ee112f2e6a62574d664e4224688544f8b0d Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali Date: Tue, 21 Jan 2025 11:17:47 +0100 Subject: [PATCH 04/14] rename analytics --- ...indows_cisco_secure_endpoint_stop_immunet_service_via_sfc.yml} | 0 ...s_cisco_secure_endpoint_uninstall_immunet_service_via_sfc.yml} | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename detections/endpoint/{windows_cisco_secure_endpoint_stop_service_immunet_via_sfc.yml => windows_cisco_secure_endpoint_stop_immunet_service_via_sfc.yml} (100%) rename detections/endpoint/{windows_cisco_secure_endpoint_uninstall_service_immunet_via_sfc.yml => windows_cisco_secure_endpoint_uninstall_immunet_service_via_sfc.yml} (100%) diff --git a/detections/endpoint/windows_cisco_secure_endpoint_stop_service_immunet_via_sfc.yml b/detections/endpoint/windows_cisco_secure_endpoint_stop_immunet_service_via_sfc.yml similarity index 100% rename from detections/endpoint/windows_cisco_secure_endpoint_stop_service_immunet_via_sfc.yml rename to detections/endpoint/windows_cisco_secure_endpoint_stop_immunet_service_via_sfc.yml diff --git a/detections/endpoint/windows_cisco_secure_endpoint_uninstall_service_immunet_via_sfc.yml b/detections/endpoint/windows_cisco_secure_endpoint_uninstall_immunet_service_via_sfc.yml similarity index 100% rename from detections/endpoint/windows_cisco_secure_endpoint_uninstall_service_immunet_via_sfc.yml rename to detections/endpoint/windows_cisco_secure_endpoint_uninstall_immunet_service_via_sfc.yml From e66b4d3cb12bdc795cdef0b338ecd046e9f94ccf Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali Date: Tue, 21 Jan 2025 13:13:34 +0100 Subject: [PATCH 05/14] Update windows_cisco_secure_endpoint_stop_immunet_service_via_sfc.yml --- ...ndows_cisco_secure_endpoint_stop_immunet_service_via_sfc.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/detections/endpoint/windows_cisco_secure_endpoint_stop_immunet_service_via_sfc.yml b/detections/endpoint/windows_cisco_secure_endpoint_stop_immunet_service_via_sfc.yml index 5a57bfde50..3d0dc10042 100644 --- a/detections/endpoint/windows_cisco_secure_endpoint_stop_immunet_service_via_sfc.yml +++ b/detections/endpoint/windows_cisco_secure_endpoint_stop_immunet_service_via_sfc.yml 
@@ -10,7 +10,7 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name="sfc.exe" Processes.process="* -k*" Processes.parent_process by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_cisco_secure_endpoint_stop_immunet_service_via_sfc_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name="sfc.exe" Processes.process="* -k*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_cisco_secure_endpoint_stop_immunet_service_via_sfc_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
known_false_positives: It is possible that this action is executed during troubleshooting activity. Activity needs to be confirmed on a case by case basis. references: From be99b0ff83739a5b9787d28c0f777427c1118b5d Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali Date: Wed, 29 Jan 2025 01:01:32 +0100 Subject: [PATCH 06/14] fix: add missing rba object --- ...ecure_endpoint_related_service_stopped.yml | 31 +++++-------- ..._endpoint_stop_immunet_service_via_sfc.yml | 44 ++++++------------ ...o_secure_endpoint_unblock_file_via_sfc.yml | 46 ++++++------------- ...oint_uninstall_immunet_service_via_sfc.yml | 44 ++++++------------ 4 files changed, 55 insertions(+), 110 deletions(-) diff --git a/detections/endpoint/windows_cisco_secure_endpoint_related_service_stopped.yml b/detections/endpoint/windows_cisco_secure_endpoint_related_service_stopped.yml index cd5ed99fac..478696bece 100644 --- a/detections/endpoint/windows_cisco_secure_endpoint_related_service_stopped.yml +++ b/detections/endpoint/windows_cisco_secure_endpoint_related_service_stopped.yml @@ -30,35 +30,28 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Cisco Secure Endpoint Service $param1$ stopped on $dest$ + risk_objects: + - field: user + type: user + score: 64 + - field: dest + type: system + score: 64 + threat_objects: + - field: param1 + type: other tags: analytic_story: - Security Solution Tampering asset_type: Endpoint - confidence: 70 - impact: 60 - message: Cisco Secure Endpoint Service $param1$ stopped on $dest$ mitre_attack_id: - T1490 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: param1 - type: Other - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - Message - - dest - - Type - risk_score: 42 security_domain: endpoint tests: - name: True Positive Test 
diff --git a/detections/endpoint/windows_cisco_secure_endpoint_stop_immunet_service_via_sfc.yml b/detections/endpoint/windows_cisco_secure_endpoint_stop_immunet_service_via_sfc.yml index 3d0dc10042..9b8f072618 100644 --- a/detections/endpoint/windows_cisco_secure_endpoint_stop_immunet_service_via_sfc.yml +++ b/detections/endpoint/windows_cisco_secure_endpoint_stop_immunet_service_via_sfc.yml 
@@ -24,47 +24,31 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Suspicious use of `sfc.exe` stopping the Immunet Protect service on $dest$ by user $user$. + risk_objects: + - field: user + type: user + score: 56 + - field: dest + type: system + score: 56 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Security Solution Tampering asset_type: Endpoint - confidence: 70 - impact: 60 - message: Suspicious use of `sfc.exe` stopping the Immunet Protect service on $dest$ by user $user$ mitre_attack_id: - T1562 - T1562.001 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Endpoint - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 42 security_domain: endpoint tests: - name: True Positive Test 
diff --git a/detections/endpoint/windows_cisco_secure_endpoint_unblock_file_via_sfc.yml b/detections/endpoint/windows_cisco_secure_endpoint_unblock_file_via_sfc.yml index b6d1c326a4..13d1f0f897 100644 --- a/detections/endpoint/windows_cisco_secure_endpoint_unblock_file_via_sfc.yml +++ b/detections/endpoint/windows_cisco_secure_endpoint_unblock_file_via_sfc.yml 
@@ -24,47 +24,31 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Suspicious use of `sfc.exe` unblocking a potentially harmful file on $dest$ by user $user$ + risk_objects: + - field: user + type: user + score: 56 + - field: dest + type: system + score: 56 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Security Solution Tampering - asset_type: Endpoint - confidence: 70 - impact: 60 - message: Suspicious use of `sfc.exe` unblocking a potentially harmful file on $dest$ by user $user$ + asset_type: Endpoint mitre_attack_id: - T1562 - T1562.001 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Endpoint - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 42 security_domain: endpoint tests: - name: True Positive Test 
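Review bot: `asset_type: Endpoint` is removed and re-added unchanged in this hunk (`-  asset_type: Endpoint` followed a few lines later by `+  asset_type: Endpoint`), which is diff noise from reordering keys; leave it in place so the hunk shows only the real change, as the sibling stop-service and uninstall hunks do. The scoring question is the same as for the stop-service analytic: 56 replaces a computed 42 with no stated reason.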
diff --git a/detections/endpoint/windows_cisco_secure_endpoint_uninstall_immunet_service_via_sfc.yml b/detections/endpoint/windows_cisco_secure_endpoint_uninstall_immunet_service_via_sfc.yml index e1e51411f7..ea57dfd252 100644 --- a/detections/endpoint/windows_cisco_secure_endpoint_uninstall_immunet_service_via_sfc.yml +++ b/detections/endpoint/windows_cisco_secure_endpoint_uninstall_immunet_service_via_sfc.yml 
@@ -24,47 +24,31 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Suspicious use of `sfc.exe` to uninstall the Immunet Protect service on $dest$ by user $user$. + risk_objects: + - field: user + type: user + score: 56 + - field: dest + type: system + score: 56 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Security Solution Tampering asset_type: Endpoint - confidence: 70 - impact: 60 - message: Suspicious use of `sfc.exe` to uninstall the Immunet Protect service on $dest$ by user $user$ mitre_attack_id: - T1562 - T1562.001 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Endpoint - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 42 security_domain: endpoint tests: - name: True Positive Test From 9f6736a672d0822f59c01e59ff435ff9cae94ee6 Mon Sep 17 00:00:00 2001 
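Review bot: the three sfc.exe analytics now disagree on punctuation in `rba.message`: this one and the stop-service one end with a period, the unblock one does not. Pick one style across the set. Otherwise the hunk mirrors the other two (same 56 scores, same `parent_process_name` and `process_name` threat objects), so the same scoring rationale should be recorded once for all three.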
From: Nasreddine Bencherchali Date: Wed, 29 Jan 2025 01:22:48 +0100 Subject: [PATCH 07/14] Update security_solution_tampering.yml --- stories/security_solution_tampering.yml | 27 +++++++++++-------------- 1 file changed, 12 insertions(+), 15 deletions(-) diff --git a/stories/security_solution_tampering.yml b/stories/security_solution_tampering.yml index 9c2861a585..1e43700613 100644 --- a/stories/security_solution_tampering.yml +++ b/stories/security_solution_tampering.yml 
@@ -3,23 +3,20 @@ id: c17cde5f-9f00-472b-9d4e-fceb2f47d656 version: 1 date: '2025-01-21' author: Nasreddine Bencherchali, Splunk -description: | - This analytic story focuses on identifying behaviors associated with the misuse of security solution utilities, such as antivirus (AV) and endpoint detection and response (EDR) tools, on endpoints. Adversaries often exploit these utilities to disable critical security services, modify configurations, or execute defense evasion actions. Such activities are typically aimed at bypassing detection mechanisms, disrupting incident response efforts, and maintaining persistence within a compromised environment. By monitoring for these suspicious behaviors, this story empowers security teams to detect, investigate, and respond to potential tampering or manipulation of endpoint defenses effectively. -narrative: | - Attackers often target security solutions as part of their defense evasion strategies. By disabling or tampering with AV and EDR services, they can reduce the likelihood of detection and freely execute malicious activities. This analytic story focuses on detecting such malicious interactions with security utilities, helping organizations to identify and respond to potential threats promptly. - - The detections within this story leverage various data sources to monitor for suspicious activities, such as the execution of known security utility binaries with parameters that disable protections, unexpected stopping of security services, or modification of security-related registry keys. Implementing these detections enables security teams to enhance their visibility into potential tampering attempts and strengthen their overall security posture. +status: production +description: This analytic story focuses on identifying behaviors associated with the misuse of security solution utilities, such as antivirus (AV) and endpoint detection and response (EDR) tools, on endpoints. 
Adversaries often exploit these utilities to disable critical security services, modify configurations, or execute defense evasion actions. Such activities are typically aimed at bypassing detection mechanisms, disrupting incident response efforts, and maintaining persistence within a compromised environment. By monitoring for these suspicious behaviors, this story empowers security teams to detect, investigate, and respond to potential tampering or manipulation of endpoint defenses effectively. +narrative: Attackers often target security solutions as part of their defense evasion strategies. By disabling or tampering with AV and EDR services, they can reduce the likelihood of detection and freely execute malicious activities. This analytic story focuses on detecting such malicious interactions with security utilities, helping organizations to identify and respond to potential threats promptly. The detections within this story leverage various data sources to monitor for suspicious activities, such as the execution of known security utility binaries with parameters that disable protections, unexpected stopping of security services, or modification of security-related registry keys. Implementing these detections enables security teams to enhance their visibility into potential tampering attempts and strengthen their overall security posture. 
references: - - https://www.cisco.com/c/en/us/support/docs/security/amp-endpoints/213690-amp-for-endpoint-command-line-switches.html - - https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/appendices/windows-commands-for-the-endpoint-protection-clien-v9567615-d19e6200.html - - https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2025-ps - - https://support.kaspersky.com/keswin/11.1.1/en-US/178723.htm - - https://ppn.snovvcrash.rocks/pentest/infrastructure/ad/av-edr-evasion/defender +- https://www.cisco.com/c/en/us/support/docs/security/amp-endpoints/213690-amp-for-endpoint-command-line-switches.html +- https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/appendices/windows-commands-for-the-endpoint-protection-clien-v9567615-d19e6200.html +- https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2025-ps +- https://support.kaspersky.com/keswin/11.1.1/en-US/178723.htm +- https://ppn.snovvcrash.rocks/pentest/infrastructure/ad/av-edr-evasion/defender tags: category: - - Adversary Tactics + - Adversary Tactics product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud usecase: Advanced Threat Detection From 18a70bf7b815141f644b44d97ee78b47c559505d Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali Date: Wed, 29 Jan 2025 01:29:55 +0100 Subject: [PATCH 08/14] Update windows_cisco_secure_endpoint_related_service_stopped.yml --- .../windows_cisco_secure_endpoint_related_service_stopped.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/endpoint/windows_cisco_secure_endpoint_related_service_stopped.yml b/detections/endpoint/windows_cisco_secure_endpoint_related_service_stopped.yml index 478696bece..6f0d9b3e92 100644 
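Review bot: converting `description: |` and `narrative: |` to plain scalars drops the blank line that separated the two narrative paragraphs, so the rendered narrative becomes a single long paragraph; if the story page should keep that break, retain the block scalar (or use a folded `>` scalar) for `narrative`. The added `status: production` and the re-indentation of the `references`, `category` and `product` lists are fine. One more thing: `date: '2025-01-21'` is untouched although this commit (dated 2025-01-29) changes the story's content, so decide whether `date` is meant to track last modification.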
--- a/detections/endpoint/windows_cisco_secure_endpoint_related_service_stopped.yml +++ b/detections/endpoint/windows_cisco_secure_endpoint_related_service_stopped.yml @@ -41,7 +41,7 @@ rba: score: 64 threat_objects: - field: param1 - type: other + type: service tags: analytic_story: - Security Solution Tampering From 86fcf40b2e5df11173a512e1c7c48bc9bb8f9b67 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali Date: Wed, 29 Jan 2025 12:08:03 +0100 Subject: [PATCH 09/14] Update windows_cisco_secure_endpoint_related_service_stopped.yml --- ...windows_cisco_secure_endpoint_related_service_stopped.yml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/detections/endpoint/windows_cisco_secure_endpoint_related_service_stopped.yml b/detections/endpoint/windows_cisco_secure_endpoint_related_service_stopped.yml index 6f0d9b3e92..d700d8303d 100644 --- a/detections/endpoint/windows_cisco_secure_endpoint_related_service_stopped.yml +++ b/detections/endpoint/windows_cisco_secure_endpoint_related_service_stopped.yml @@ -33,12 +33,9 @@ drilldown_searches: rba: message: Cisco Secure Endpoint Service $param1$ stopped on $dest$ risk_objects: - - field: user - type: user - score: 64 - field: dest type: system - score: 64 + score: 60 threat_objects: - field: param1 type: service From 7570a68a130f13e959043618420efe8b8827c818 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali Date: Wed, 19 Feb 2025 11:15:07 +0100 Subject: [PATCH 10/14] update logic to account for built-in sfc rare edge case --- ...ws_cisco_secure_endpoint_stop_immunet_service_via_sfc.yml | 5 ++--- .../windows_cisco_secure_endpoint_unblock_file_via_sfc.yml | 5 ++--- ...sco_secure_endpoint_uninstall_immunet_service_via_sfc.yml | 5 ++--- 3 files changed, 6 insertions(+), 9 deletions(-) diff --git a/detections/endpoint/windows_cisco_secure_endpoint_stop_immunet_service_via_sfc.yml b/detections/endpoint/windows_cisco_secure_endpoint_stop_immunet_service_via_sfc.yml index 9b8f072618..c89ebdfcec 100644 
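Review bot: on the `type: other` to `type: service` change, `service` is the right type for the `param1` threat object, but `param1` in EventCode 7036 is the service display name, which is localized (the search already accepts a French `arrêté` for `param2`), so the same Cisco service can surface under different threat-object values across locales; a normalized service name field would be a more stable pivot than `param1`.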
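Review bot: dropping the `user` risk object in the `@@ -33,12 +33,9 @@` hunk is correct, because the search groups `by EventCode param1 dest` and never yields a `user` field, so a `$user$` risk object would always have been empty. The `dest` score change from 64 to 60, however, is not explained by the commit message ("Update windows_cisco_secure_endpoint_related_service_stopped.yml"); state why the score moved.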
--- a/detections/endpoint/windows_cisco_secure_endpoint_stop_immunet_service_via_sfc.yml +++ b/detections/endpoint/windows_cisco_secure_endpoint_stop_immunet_service_via_sfc.yml @@ -1,7 +1,7 @@ name: Windows Cisco Secure Endpoint Stop Immunet Service Via Sfc id: 44badcb1-2e8c-4628-9537-021bbae571ad version: 1 -date: '2025-01-08' +date: '2025-02-19' author: Nasreddine Bencherchali, Splunk status: production type: Anomaly 
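Review bot: `date` moves from '2025-01-08' to '2025-02-19' while `version: 1` stays as is, even though the search logic changes in the next hunk of this file; if this analytic has already shipped as version 1, bump the version so consumers pick up the new exclusion rather than silently getting different behaviour under the same version number.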
@@ -10,7 +10,7 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name="sfc.exe" Processes.process="* -k*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_cisco_secure_endpoint_stop_immunet_service_via_sfc_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name="sfc.exe" Processes.process="* -k*" AND NOT Processes.process_path IN ("*:\\Windows\\System32\\*", "*:\\Windows\\SysWOW64\\*", ":\\Windows\\WinSxS\\*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_cisco_secure_endpoint_stop_immunet_service_via_sfc_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: It is possible that this action is executed during troubleshooting activity. Activity needs to be confirmed on a case by case basis. references: @@ -43,7 +43,6 @@ tags: - Security Solution Tampering asset_type: Endpoint mitre_attack_id: - - T1562 - T1562.001 product: - Splunk Enterprise diff --git a/detections/endpoint/windows_cisco_secure_endpoint_unblock_file_via_sfc.yml b/detections/endpoint/windows_cisco_secure_endpoint_unblock_file_via_sfc.yml index 13d1f0f897..ee9f8746c9 100644 --- a/detections/endpoint/windows_cisco_secure_endpoint_unblock_file_via_sfc.yml +++ b/detections/endpoint/windows_cisco_secure_endpoint_unblock_file_via_sfc.yml @@ -1,7 +1,7 @@ name: Windows Cisco Secure Endpoint Unblock File Via Sfc id: 9a7a490c-5581-4c95-bab5-a21e351293ef version: 1 -date: '2025-01-08' +date: '2025-02-19' author: Nasreddine Bencherchali, Splunk status: production type: Anomaly 
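Review bot: in the new `search`, the third path exclusion `":\\Windows\\WinSxS\\*"` is missing the leading `*` that the other two entries have (`"*:\\Windows\\System32\\*"`, `"*:\\Windows\\SysWOW64\\*"`), so it can never match a real path such as `C:\Windows\WinSxS\...` and the built-in sfc.exe edge case this commit targets will still alert when it runs from WinSxS; it should read `"*:\\Windows\\WinSxS\\*"`. The same typo is copied into the unblock and uninstall searches. Also, `how_to_implement` should now say that `Processes.process_path` must be populated: for an EDR source that maps the process name but not the path, `NOT Processes.process_path IN (...)` is true for every event and the exclusion silently never applies.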
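Review bot: removing the parent `T1562` and keeping only `T1562.001` under `mitre_attack_id` is consistent with tagging the sub-technique alone, and the same change is made in the other two sfc.exe analytics; just confirm that the `Security Solution Tampering` story and any downstream coverage mapping do not depend on the parent technique ID being listed explicitly.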
@@ -10,7 +10,7 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name="sfc.exe" Processes.process="* -unblock *" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_cisco_secure_endpoint_unblock_file_via_sfc_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name="sfc.exe" Processes.process="* -unblock *" AND NOT Processes.process_path IN ("*:\\Windows\\System32\\*", "*:\\Windows\\SysWOW64\\*", ":\\Windows\\WinSxS\\*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_cisco_secure_endpoint_unblock_file_via_sfc_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: It is possible that this action is executed during troubleshooting activity. Activity needs to be confirmed on a case by case basis. references: @@ -43,7 +43,6 @@ tags: - Security Solution Tampering asset_type: Endpoint mitre_attack_id: - - T1562 - T1562.001 product: - Splunk Enterprise diff --git a/detections/endpoint/windows_cisco_secure_endpoint_uninstall_immunet_service_via_sfc.yml b/detections/endpoint/windows_cisco_secure_endpoint_uninstall_immunet_service_via_sfc.yml index ea57dfd252..c05cf68fc3 100644 --- a/detections/endpoint/windows_cisco_secure_endpoint_uninstall_immunet_service_via_sfc.yml +++ b/detections/endpoint/windows_cisco_secure_endpoint_uninstall_immunet_service_via_sfc.yml @@ -1,7 +1,7 @@ name: Windows Cisco Secure Endpoint Uninstall Immunet Service Via Sfc id: ba6e7f4d-a85e-4a14-8e7d-41f4b82e3c9a version: 1 -date: '2025-01-08' +date: '2025-02-19' author: Nasreddine Bencherchali, Splunk status: production type: Anomaly 
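Review bot: the unblock search carries the same `":\\Windows\\WinSxS\\*"` entry without a leading `*` as the stop-service search; fix it here too (`"*:\\Windows\\WinSxS\\*"`), otherwise the WinSxS part of the exclusion is dead and only the System32 and SysWOW64 entries do any work.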
@@ -10,7 +10,7 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name="sfc.exe" Processes.process="* -u*" NOT Processes.process="* -unblock *" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_cisco_secure_endpoint_uninstall_immunet_service_via_sfc_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name="sfc.exe" Processes.process="* -u*" NOT Processes.process="* -unblock *" AND NOT Processes.process_path IN ("*:\\Windows\\System32\\*", "*:\\Windows\\SysWOW64\\*", ":\\Windows\\WinSxS\\*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_cisco_secure_endpoint_uninstall_immunet_service_via_sfc_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. 
The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: It is possible that this action is executed during troubleshooting activity. Activity needs to be confirmed on a case by case basis. references: @@ -43,7 +43,6 @@ tags: - Security Solution Tampering asset_type: Endpoint mitre_attack_id: - - T1562 - T1562.001 product: - Splunk Enterprise From c47a2b85afc96aa8aaf95fad65ad45baf12f83cb Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali Date: Wed, 19 Feb 2025 20:31:55 +0100 Subject: [PATCH 11/14] Update windows_cisco_secure_endpoint_related_service_stopped.yml --- .../windows_cisco_secure_endpoint_related_service_stopped.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/endpoint/windows_cisco_secure_endpoint_related_service_stopped.yml b/detections/endpoint/windows_cisco_secure_endpoint_related_service_stopped.yml index d700d8303d..b5799808dc 100644 --- a/detections/endpoint/windows_cisco_secure_endpoint_related_service_stopped.yml +++ b/detections/endpoint/windows_cisco_secure_endpoint_related_service_stopped.yml 
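Review bot: the uninstall search now mixes an implicit AND, a bare `NOT`, and an explicit `AND NOT` on one line: `Processes.process="* -u*" NOT Processes.process="* -unblock *" AND NOT Processes.process_path IN (...)`. SPL evaluates this as intended, but parenthesising the two negations would make the precedence obvious to the next reader. The `":\\Windows\\WinSxS\\*"` entry has the same missing leading `*` as in the other two files and should be corrected in the same way.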
@@ -8,7 +8,7 @@ type: Anomaly description: The following analytic detects the suspicious termination of known services commonly targeted by ransomware before file encryption. It leverages Windows System Event Logs (EventCode 7036) to identify when critical services such as Volume Shadow Copy, backup, and antivirus services are stopped. This activity is significant because ransomware often disables these services to avoid errors and ensure successful file encryption. If confirmed malicious, this behavior could lead to widespread data encryption, rendering files inaccessible and potentially causing significant operational disruption and data loss. data_source: - Windows Event Log System 7036 -search: '`wineventlog_system` EventCode=7036 param1 IN ("Cisco AMP Orbital", "*Cisco Secure Endpoint*", "*Cisco Security Connector Monitoring*", "CiscoSAM", "CiscoAMPHeurDriver", "CiscoAMPELAMDriver", "CiscoAMPCEFWDriver", "ImmunetNetworkMonitorDriver", "ImmunetProtectDriver", "ImmunetSelfProtectDriver") param2 IN ("stopped", "arrêté") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode param1 dest | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_cisco_secure_endpoint_related_service_stopped_filter`' +search: '`wineventlog_system` `normalized_service_binary_field` | rename param1 as display_name | EventCode=7036 display_name IN ("Cisco AMP Orbital", "*Cisco Secure Endpoint*", "*Cisco Security Connector Monitoring*", "CiscoSAM", "CiscoAMPHeurDriver", "CiscoAMPELAMDriver", "CiscoAMPCEFWDriver", "ImmunetNetworkMonitorDriver", "ImmunetProtectDriver", "ImmunetSelfProtectDriver") param2 IN ("stopped", "arrêté") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode display_name normalized_service_name dest | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_cisco_secure_endpoint_related_service_stopped_filter`' how_to_implement: To successfully implement this search, you 
need to be ingesting logs with the 7036 EventCode ScManager in System audit Logs from your endpoints. known_false_positives: Administrator or troubleshooting activities may trigger this alert. Investigate the process performing this action to determine if its a legitimate activity. references: From 4f0bbc250f9da9d5dd9700617468639a90f820af Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali Date: Wed, 19 Feb 2025 20:32:52 +0100 Subject: [PATCH 12/14] Update windows_cisco_secure_endpoint_related_service_stopped.yml --- .../windows_cisco_secure_endpoint_related_service_stopped.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/endpoint/windows_cisco_secure_endpoint_related_service_stopped.yml b/detections/endpoint/windows_cisco_secure_endpoint_related_service_stopped.yml index b5799808dc..44707ce2db 100644 --- a/detections/endpoint/windows_cisco_secure_endpoint_related_service_stopped.yml +++ b/detections/endpoint/windows_cisco_secure_endpoint_related_service_stopped.yml 
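Review bot: the new `search` is not valid SPL: after `| rename param1 as display_name |` the next segment `EventCode=7036 display_name IN (...)` lacks a command name, so it needs to be `| search EventCode=7036 display_name IN (...)`. Separately, moving `EventCode=7036` behind a pipe turns it from an indexed-search filter into a post-processing filter over every event the `wineventlog_system` macro returns; keep `EventCode=7036` in the base search and do the rename afterwards, which is both correct and cheaper.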
@@ -8,7 +8,7 @@ type: Anomaly description: The following analytic detects the suspicious termination of known services commonly targeted by ransomware before file encryption. It leverages Windows System Event Logs (EventCode 7036) to identify when critical services such as Volume Shadow Copy, backup, and antivirus services are stopped. This activity is significant because ransomware often disables these services to avoid errors and ensure successful file encryption. If confirmed malicious, this behavior could lead to widespread data encryption, rendering files inaccessible and potentially causing significant operational disruption and data loss. data_source: - Windows Event Log System 7036 -search: '`wineventlog_system` `normalized_service_binary_field` | rename param1 as display_name | EventCode=7036 display_name IN ("Cisco AMP Orbital", "*Cisco Secure Endpoint*", "*Cisco Security Connector Monitoring*", "CiscoSAM", "CiscoAMPHeurDriver", "CiscoAMPELAMDriver", "CiscoAMPCEFWDriver", "ImmunetNetworkMonitorDriver", "ImmunetProtectDriver", "ImmunetSelfProtectDriver") param2 IN ("stopped", "arrêté") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode display_name normalized_service_name dest | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_cisco_secure_endpoint_related_service_stopped_filter`' +search: '`wineventlog_system` `normalized_service_binary_field` | rename param1 as display_name | rename param2 as status | EventCode=7036 display_name IN ("Cisco AMP Orbital", "*Cisco Secure Endpoint*", "*Cisco Security Connector Monitoring*", "CiscoSAM", "CiscoAMPHeurDriver", "CiscoAMPELAMDriver", "CiscoAMPCEFWDriver", "ImmunetNetworkMonitorDriver", "ImmunetProtectDriver", "ImmunetSelfProtectDriver") status IN ("stopped", "arrêté") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode display_name normalized_service_name status dest | `security_content_ctime(lastTime)` | 
`security_content_ctime(firstTime)` | `windows_cisco_secure_endpoint_related_service_stopped_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the 7036 EventCode ScManager in System audit Logs from your endpoints. known_false_positives: Administrator or troubleshooting activities may trigger this alert. Investigate the process performing this action to determine if its a legitimate activity. references: From 5ff1deea69d397744d8c32aa2789a380dedb634f Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali Date: Wed, 19 Feb 2025 20:35:33 +0100 Subject: [PATCH 13/14] Update windows_cisco_secure_endpoint_related_service_stopped.yml --- ...indows_cisco_secure_endpoint_related_service_stopped.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/detections/endpoint/windows_cisco_secure_endpoint_related_service_stopped.yml b/detections/endpoint/windows_cisco_secure_endpoint_related_service_stopped.yml index 44707ce2db..644b804872 100644 --- a/detections/endpoint/windows_cisco_secure_endpoint_related_service_stopped.yml +++ b/detections/endpoint/windows_cisco_secure_endpoint_related_service_stopped.yml @@ -1,6 +1,6 @@ name: Windows Cisco Secure Endpoint Related Service Stopped id: df74f45f-01c8-4fd6-bcb8-f6a9ea58307a -version: 7 +version: 1 date: '2024-12-09' author: Nasreddine Bencherchali, Splunk status: production @@ -31,13 +31,13 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: Cisco Secure Endpoint Service $param1$ stopped on $dest$ + message: Cisco Secure Endpoint Service $display_name$ stopped on $dest$ risk_objects: - field: dest type: system score: 60 threat_objects: - - field: param1 + - field: display_name type: service tags: analytic_story: From fe00a4bbb375b730cfe617232ed097f03a819b87 Mon Sep 17 00:00:00 2001 
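Review bot: the `description` shown as context in this hunk still describes ransomware stopping "Volume Shadow Copy, backup, and antivirus services" in general, which no longer matches a search scoped to Cisco Secure Endpoint and Immunet services; rewrite the description for this analytic. The `rename param2 as status` change itself is fine, but the segment that follows it still has no `search` command in front of `EventCode=7036`, so the syntax error from the previous commit is carried forward here.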
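Review bot: resetting `version` from 7 to 1 is reasonable for an analytic that is new in this series, but the context line `date: '2024-12-09'` is left untouched even though the search logic was rewritten in the commits dated 2025-02-19; update `date` to match, as was done for the three sfc.exe analytics.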
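Review bot: the `$param1$` to `$display_name$` change in `rba.message` and the `display_name` threat object correctly follow the rename, and `display_name` survives to the output because it is in the `stats ... by` clause. Since `normalized_service_name` is also in that clause now, consider using it for the threat object instead of, or in addition to, `display_name`, because the display name is locale-dependent while the normalized name is not.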
From: pyth0n1c <87383215+pyth0n1c@users.noreply.github.com> Date: Wed, 19 Feb 2025 11:52:46 -0800 Subject: [PATCH 14/14] Update windows_cisco_secure_endpoint_related_service_stopped.yml add missing "search" keyword which caused unit testing to fail. --- .../windows_cisco_secure_endpoint_related_service_stopped.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/endpoint/windows_cisco_secure_endpoint_related_service_stopped.yml b/detections/endpoint/windows_cisco_secure_endpoint_related_service_stopped.yml index 644b804872..d68ccfda48 100644 --- a/detections/endpoint/windows_cisco_secure_endpoint_related_service_stopped.yml +++ b/detections/endpoint/windows_cisco_secure_endpoint_related_service_stopped.yml 
@@ -8,7 +8,7 @@ type: Anomaly description: The following analytic detects the suspicious termination of known services commonly targeted by ransomware before file encryption. It leverages Windows System Event Logs (EventCode 7036) to identify when critical services such as Volume Shadow Copy, backup, and antivirus services are stopped. This activity is significant because ransomware often disables these services to avoid errors and ensure successful file encryption. If confirmed malicious, this behavior could lead to widespread data encryption, rendering files inaccessible and potentially causing significant operational disruption and data loss. data_source: - Windows Event Log System 7036 -search: '`wineventlog_system` `normalized_service_binary_field` | rename param1 as display_name | rename param2 as status | EventCode=7036 display_name IN ("Cisco AMP Orbital", "*Cisco Secure Endpoint*", "*Cisco Security Connector Monitoring*", "CiscoSAM", "CiscoAMPHeurDriver", "CiscoAMPELAMDriver", "CiscoAMPCEFWDriver", "ImmunetNetworkMonitorDriver", "ImmunetProtectDriver", "ImmunetSelfProtectDriver") status IN ("stopped", "arrêté") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode display_name normalized_service_name status dest | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_cisco_secure_endpoint_related_service_stopped_filter`' +search: '`wineventlog_system` `normalized_service_binary_field` | rename param1 as display_name | rename param2 as status | search EventCode=7036 display_name IN ("Cisco AMP Orbital", "*Cisco Secure Endpoint*", "*Cisco Security Connector Monitoring*", "CiscoSAM", "CiscoAMPHeurDriver", "CiscoAMPELAMDriver", "CiscoAMPCEFWDriver", "ImmunetNetworkMonitorDriver", "ImmunetProtectDriver", "ImmunetSelfProtectDriver") status IN ("stopped", "arrêté") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode display_name normalized_service_name status dest | 
`security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_cisco_secure_endpoint_related_service_stopped_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the 7036 EventCode ScManager in System audit Logs from your endpoints. known_false_positives: Administrator or troubleshooting activities may trigger this alert. Investigate the process performing this action to determine if its a legitimate activity. references:
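Review bot: adding `search` in front of `EventCode=7036` fixes the syntax error that broke the unit test. Two follow-ups on the resulting search: `status IN ("stopped", "arrêté")` only covers English and French localisations of the 7036 status string, so endpoints with other Windows display languages will never match; document this in `known_false_positives` or `how_to_implement`, or match on the normalized field if one is available. The two consecutive renames can also be collapsed into one command, `| rename param1 as display_name, param2 as status`, which reads more easily.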