From 990d09e2aa50ea86454f232aeba3a9c912fb55a1 Mon Sep 17 00:00:00 2001 From: zake <139054590+zake1god@users.noreply.github.com> Date: Thu, 2 Jan 2025 21:04:37 +0700 Subject: [PATCH 01/22] Add detection suspicious api / url from telegram User who's using telegram if got phishing/suspicious api/ or suspicious url will detected --- ...ram_detected_access_suspicious_api_url.yml | 100 ++++++++++++++++++ 1 file changed, 100 insertions(+) create mode 100644 detections/endpoint/telegram_detected_access_suspicious_api_url.yml diff --git a/detections/endpoint/telegram_detected_access_suspicious_api_url.yml b/detections/endpoint/telegram_detected_access_suspicious_api_url.yml new file mode 100644 index 0000000000..6dfdb51d76 --- /dev/null +++ b/detections/endpoint/telegram_detected_access_suspicious_api_url.yml 
@@ -0,0 +1,100 @@ +data_source: +- Windows Security 4688 +name: Telegram Detected Access Suspicious API/URL +id: 6e106492-561f-4f0c-919c-6560861e27d3 +version: 1 +date: '2025-01-02' +author: Zaki Zarkasih Al Mustafa +type: TTP +status: production +description: Detects suspicious process activity related to Telegram API +search: index=windows (sourcetype=Wineventlog:Security OR source=Wineventlog:Security) + AND ParentProcessName=*Telegram* AND CommandLine=*api.telegram* | eval utc_time=strptime(TimeCreated, + "%Y-%m-%dT%H:%M:%S.%6NZ") | eval Time_Created=strftime(utc_time + 25200, "%Y-%m-%d + %H:%M:%S") | rename Time_Created as "Time Created", host as Host, src_user as User + | table "Time Created", Host, User, EventID, ParentProcessName, CommandLine, NewProcessName + | `telegram_detected_access_suspicious_api_url_filter` +macros: + - telegram_detected_access_suspicious_api_url_filter +lookups: [] +how_to_implement: | + Ensure the relevant data source (`Wineventlog:Security`) is ingested into Splunk. + Configure the macro `telegram_detected_access_suspicious_api_url_filter` to filter false positives or noisy data. + Deploy this detection rule in Splunk Enterprise Security or Splunk Cloud. + +known_false_positives: | + Non-malicious use of Telegram's API by legitimate applications or processes may trigger this detection. + Automated scripts or tools using Telegram for notifications or integrations might also appear as suspicious. + Developers testing Telegram API functionality in controlled environments. + +drilldown_searches: + - name: Original Detection + description: Original detection search results + search: "%original_detection_search%" + earliest_offset: -24h + latest_offset: now + + - name: Investigate Parent Process + description: | + This drilldown searches for other processes spawned by the same parent process + to identify potential patterns or related activities. 
+ search: | + index=windows (sourcetype=Wineventlog:Security OR source=Wineventlog:Security) + AND ParentProcessName="$ParentProcessName$" + | table _time, ParentProcessName, NewProcessName, CommandLine + earliest_offset: -24h + latest_offset: now + + - name: Investigate User Activity + description: | + This drilldown searches for all activities performed by the same user in the + Windows Event Logs to provide additional context. + search: | + index=windows (sourcetype=Wineventlog:Security OR source=Wineventlog:Security) + AND src_user="$src_user$" + | table _time, src_user, EventID, host, CommandLine + earliest_offset: -24h + latest_offset: now + +references: +- https://securelist.com/telegram-phishing-services/109383/ +tags: + analytic_story: + - XMRig + asset_type: Endpoint + confidence: 85 + impact: 70 + message: Detects suspicious access to Telegram API for potential misuse or malicious activity. + mitre_attack_id: + - T1059.001 + - T1059.003 + - T1003.002 + - T1105 + - T1566 + observable: + - name: CommandLine + type: Process Name + role: + - Attacker + - name: Host + type: Hostname + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - index + - sourcetype + - ParentProcessName + - CommandLine + risk_score: 59.5 + security_domain: endpoint + cve: [] +tests: +- name: True Positive Test + attack_data: + - data: https://github.com/splunk/contentctl/wiki + sourcetype: Wineventlog:Security + source: Wineventlog \ No newline at end of file From 5f473664d56de27d1371ad0ea2ef54b294a98c2d Mon Sep 17 00:00:00 2001 From: zake <139054590+zake1god@users.noreply.github.com> Date: Wed, 8 Jan 2025 03:10:08 +0700 Subject: [PATCH 02/22] Update telegram_detected_access_suspicious_api_url.yml fix drilldown and change index to macros `wineventlog_security` --- ...ram_detected_access_suspicious_api_url.yml | 22 +++++++------------ 1 file changed, 8 insertions(+), 14 deletions(-) 
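Review bot: The `eval Time_Created=strftime(utc_time + 25200, "%Y-%m-%d %H:%M:%S")` step hard-codes a +25200 s (UTC+7) shift, so the "Time Created" column is only right for one deployment's timezone and mis-reports the event time everywhere else; rendering the event time with `| eval Time_Created=strftime(_time, "%Y-%m-%d %H:%M:%S")` and leaving display conversion to the search head avoids the constant. The `tests` entry points `attack_data` at `https://github.com/splunk/contentctl/wiki`, which is a wiki page rather than a dataset, so the True Positive Test cannot replay any events and the search is unvalidated; a real dataset URL, or an explicit placeholder such as `<TODO: attack_data dataset URL>`, belongs there. `data_source` names Windows Security 4688 but the search has no event-id predicate, so any Security event that happens to carry ParentProcessName and CommandLine is matched; adding `EventCode=4688` to the base search pins it to process creation. The tags are also broader than the query supports: `mitre_attack_id` lists T1003.002, T1105 and T1566 and `analytic_story` is XMRig, while the search only evidences a Telegram-spawned process whose command line contains `api.telegram`, so the list should be trimmed to what the match actually shows.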
diff --git a/detections/endpoint/telegram_detected_access_suspicious_api_url.yml b/detections/endpoint/telegram_detected_access_suspicious_api_url.yml index 6dfdb51d76..13cda2521d 100644 --- a/detections/endpoint/telegram_detected_access_suspicious_api_url.yml +++ b/detections/endpoint/telegram_detected_access_suspicious_api_url.yml @@ -8,7 +8,7 @@ author: Zaki Zarkasih Al Mustafa type: TTP status: production description: Detects suspicious process activity related to Telegram API -search: index=windows (sourcetype=Wineventlog:Security OR source=Wineventlog:Security) +search: `wineventlog_security` AND ParentProcessName=*Telegram* AND CommandLine=*api.telegram* | eval utc_time=strptime(TimeCreated, "%Y-%m-%dT%H:%M:%S.%6NZ") | eval Time_Created=strftime(utc_time + 25200, "%Y-%m-%d %H:%M:%S") | rename Time_Created as "Time Created", host as Host, src_user as User 
@@ -28,33 +28,27 @@ known_false_positives: | Developers testing Telegram API functionality in controlled environments. drilldown_searches: - - name: Original Detection - description: Original detection search results - search: "%original_detection_search%" - earliest_offset: -24h - latest_offset: now - - name: Investigate Parent Process description: | This drilldown searches for other processes spawned by the same parent process to identify potential patterns or related activities. search: | - index=windows (sourcetype=Wineventlog:Security OR source=Wineventlog:Security) + `wineventlog_security` AND ParentProcessName="$ParentProcessName$" | table _time, ParentProcessName, NewProcessName, CommandLine - earliest_offset: -24h - latest_offset: now + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ - name: Investigate User Activity description: | This drilldown searches for all activities performed by the same user in the Windows Event Logs to provide additional context. search: | - index=windows (sourcetype=Wineventlog:Security OR source=Wineventlog:Security) + `wineventlog_security` AND src_user="$src_user$" | table _time, src_user, EventID, host, CommandLine - earliest_offset: -24h - latest_offset: now + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ references: - https://securelist.com/telegram-phishing-services/109383/ @@ -97,4 +91,4 @@ tests: attack_data: - data: https://github.com/splunk/contentctl/wiki sourcetype: Wineventlog:Security - source: Wineventlog \ No newline at end of file + source: Wineventlog From 602f4da9782fcd6b3b0eeadc1ca71c6ca03c1d6e Mon Sep 17 00:00:00 2001 From: zake <139054590+zake1god@users.noreply.github.com> Date: Wed, 8 Jan 2025 03:11:09 +0700 Subject: [PATCH 03/22] Update telegram_detected_access_suspicious_api_url.yml remove lookups --- .../endpoint/telegram_detected_access_suspicious_api_url.yml | 1 - 1 file changed, 1 deletion(-) 
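Review bot: The `Investigate User Activity` drilldown filters on `src_user="$src_user$"`, but the detection's result rows no longer carry `src_user`: this patch's first hunk keeps `| rename ... src_user as User | table "Time Created", Host, User, ...`, so the notable only exposes `User` and the `$src_user$` token is empty when the drilldown runs. Changing the predicate to `AND src_user="$User$"` (the field name as it appears in the result) makes the pivot work; `$ParentProcessName$` is fine because that field survives the `table`. The `$info_min_time$`/`$info_max_time$` offsets added here are correct and are not the concern.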
diff --git a/detections/endpoint/telegram_detected_access_suspicious_api_url.yml b/detections/endpoint/telegram_detected_access_suspicious_api_url.yml index 13cda2521d..89274fdb05 100644 --- a/detections/endpoint/telegram_detected_access_suspicious_api_url.yml +++ b/detections/endpoint/telegram_detected_access_suspicious_api_url.yml @@ -16,7 +16,6 @@ search: `wineventlog_security` | `telegram_detected_access_suspicious_api_url_filter` macros: - telegram_detected_access_suspicious_api_url_filter -lookups: [] how_to_implement: | Ensure the relevant data source (`Wineventlog:Security`) is ingested into Splunk. Configure the macro `telegram_detected_access_suspicious_api_url_filter` to filter false positives or noisy data. From 4ef0485a33404040831bcfa9b91e6d78deb63780 Mon Sep 17 00:00:00 2001 From: zake <139054590+zake1god@users.noreply.github.com> Date: Wed, 8 Jan 2025 03:13:50 +0700 Subject: [PATCH 04/22] Update telegram_detected_access_suspicious_api_url.yml declare macros wineventlog_security --- .../endpoint/telegram_detected_access_suspicious_api_url.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/detections/endpoint/telegram_detected_access_suspicious_api_url.yml b/detections/endpoint/telegram_detected_access_suspicious_api_url.yml index 89274fdb05..9d80eb7fec 100644 --- a/detections/endpoint/telegram_detected_access_suspicious_api_url.yml +++ b/detections/endpoint/telegram_detected_access_suspicious_api_url.yml @@ -16,6 +16,7 @@ search: `wineventlog_security` | `telegram_detected_access_suspicious_api_url_filter` macros: - telegram_detected_access_suspicious_api_url_filter + - wineventlog_security how_to_implement: | Ensure the relevant data source (`Wineventlog:Security`) is ingested into Splunk. Configure the macro `telegram_detected_access_suspicious_api_url_filter` to filter false positives or noisy data. From b039994bae800a4d60105909c67cbb13893fc8c6 Mon Sep 17 00:00:00 2001 
From: zake <139054590+zake1god@users.noreply.github.com> Date: Wed, 8 Jan 2025 03:18:55 +0700 Subject: [PATCH 05/22] Update telegram_detected_access_suspicious_api_url.yml add | in the first search --- .../telegram_detected_access_suspicious_api_url.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/detections/endpoint/telegram_detected_access_suspicious_api_url.yml b/detections/endpoint/telegram_detected_access_suspicious_api_url.yml index 9d80eb7fec..230aa18177 100644 --- a/detections/endpoint/telegram_detected_access_suspicious_api_url.yml +++ b/detections/endpoint/telegram_detected_access_suspicious_api_url.yml @@ -8,7 +8,7 @@ author: Zaki Zarkasih Al Mustafa type: TTP status: production description: Detects suspicious process activity related to Telegram API -search: `wineventlog_security` +search: | `wineventlog_security` AND ParentProcessName=*Telegram* AND CommandLine=*api.telegram* | eval utc_time=strptime(TimeCreated, "%Y-%m-%dT%H:%M:%S.%6NZ") | eval Time_Created=strftime(utc_time + 25200, "%Y-%m-%d %H:%M:%S") | rename Time_Created as "Time Created", host as Host, src_user as User @@ -33,7 +33,7 @@ drilldown_searches: This drilldown searches for other processes spawned by the same parent process to identify potential patterns or related activities. search: | - `wineventlog_security` + `` AND ParentProcessName="$ParentProcessName$" | table _time, ParentProcessName, NewProcessName, CommandLine earliest_offset: $info_min_time$ @@ -44,7 +44,7 @@ drilldown_searches: This drilldown searches for all activities performed by the same user in the Windows Event Logs to provide additional context. search: | - `wineventlog_security` + `` AND src_user="$src_user$" | table _time, src_user, EventID, host, CommandLine earliest_offset: $info_min_time$ From f74a15dcd7de461656b0ccf9f186b5718fd58390 Mon Sep 17 00:00:00 2001 
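Review bot: In the two drilldown hunks the `` `wineventlog_security` `` line becomes a bare `` `` ``, an empty macro invocation that leaves each drilldown search starting at `AND ParentProcessName=...` / `AND src_user=...` with no base search, and in the first hunk `` search: `wineventlog_security` `` becomes `search: |` with the 7/7 line count showing the macro was not re-added on a following line, so the detection itself now begins with `AND` and selects no data source. All three places should carry the macro as the first line of the block scalar, i.e. `search: |` followed by `` `wineventlog_security` `` and then the existing `AND ...` line. As written, the `wineventlog_security` entry declared under `macros:` in the previous patch is referenced nowhere in the file.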
From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Tue, 28 Jan 2025 15:51:23 -0500 Subject: [PATCH 06/22] Add files via upload --- .../o365_exfiltration_via_file_access.yml | 78 +++++++++++++++++++ .../o365_exfiltration_via_file_download.yml | 75 ++++++++++++++++++ ...65_exfiltration_via_file_sync_download.yml | 77 ++++++++++++++++++ 3 files changed, 230 insertions(+) create mode 100644 detections/cloud/o365_exfiltration_via_file_access.yml create mode 100644 detections/cloud/o365_exfiltration_via_file_download.yml create mode 100644 detections/cloud/o365_exfiltration_via_file_sync_download.yml diff --git a/detections/cloud/o365_exfiltration_via_file_access.yml b/detections/cloud/o365_exfiltration_via_file_access.yml new file mode 100644 index 0000000000..9478e196d8 --- /dev/null +++ b/detections/cloud/o365_exfiltration_via_file_access.yml 
@@ -0,0 +1,78 @@ +name: O365 Exfiltration via File Access +id: 80b44ae2-60ff-43f1-8e56-34beb49a340a +version: 1 +date: '2024-10-14' +author: Steven Dick +status: production +type: Anomaly +description: The following analytic detects when an excessive number of files are access from o365 by the same user over a short period of time. A malicious actor may abuse the "open in app" functionality of SharePoint through scripted or Graph API based access to evade triggering the FileDownloaded Event. This behavior may indicate an attacker staging data for exfiltration or an insider threat removing organizational data. Additional attention should be take with any Azure Guest (#EXT#) accounts. +data_source: +- Office 365 Universal Audit Log +search: '`o365_management_activity` Operation IN ("fileaccessed") UserId!=app@sharepoint NOT SourceFileExtension IN (bmp,png,jpeg,jpg) +| eval user = replace(mvindex(split(lower(UserId),"#ext#"),0),"_","@"), user_flat = replace(UserId, "[^A-Za-z0-9]","_") +| where NOT match(SiteUrl,user_flat) +| stats values(user) as user, latest(ClientIP) as src values(ZipFileName) as file_name, values(Operation) as signature, values(UserAgent) as http_user_agent, dc(SourceFileName) as count, min(_time) as firstTime, max(_time) as lastTime by Workload,UserId,SiteUrl +| eventstats avg(count) as avg stdev(count) as stdev by Workload +| rename SiteUrl as file_path,Workload as app +| where count > 50 AND count > (avg + (3*(stdev))) +| `security_content_ctime(firstTime)` +| `security_content_ctime(lastTime)` +| `o365_exfiltration_via_file_access_filter`' +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. +known_false_positives: It is possible that certain file access scenarios may trigger this alert, specifically OneDrive syncing and users accessing personal onedrives of other users. Adjust threshold and filtering as needed. 
+references: +- https://attack.mitre.org/techniques/T1567/exfil +- https://www.varonis.com/blog/sidestepping-detection-while-exfiltrating-sharepoint-data +- https://thedfirjournal.com/posts/m365-data-exfiltration-rclone/ +drilldown_searches: +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: Investigate file access by $user$ + search: '`o365_management_activity` Operation IN ("fileaccessed") UserId="$UserId$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +tags: + analytic_story: + - Data Exfiltration + - Office 365 Account Takeover + asset_type: Cloud + confidence: 50 + impact: 40 + message: The user $user$ accessed an excessive number of files [$count$] from $file_path$ using $src$ + mitre_attack_id: + - T1567 + - T1530 + observable: + - name: user + type: User + role: + - Victim + - name: src + type: IP Address + role: + - Attacker + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - Operation + - UserId + - SourceFileExtension + - Workload + - SiteUrl + risk_score: 20 + security_domain: threat +tests: +- name: True Positive Test + attack_data: + - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1567/o365_sus_file_activity/o365_sus_file_activity.log + source: o365 + sourcetype: o365:management:activity \ No newline at end of file diff --git a/detections/cloud/o365_exfiltration_via_file_download.yml b/detections/cloud/o365_exfiltration_via_file_download.yml new file mode 100644 index 0000000000..af1d84e317 --- /dev/null +++ b/detections/cloud/o365_exfiltration_via_file_download.yml 
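Review bot: The `eval user = replace(mvindex(split(lower(UserId),"#ext#"),0),"_","@")` step substitutes every underscore, not just the one that separates local part and domain in a flattened guest UPN, and it also runs on member accounts whose UserId never contained `#ext#`; with constructed values, guest `jane_doe_example.com#ext#@tenant.onmicrosoft.com` becomes `jane@doe@example.com` and member `jane_doe@example.com` becomes `jane@doe@example.com`, so the risk object attributed by the notable is a user that does not exist. Restricting the rewrite to guests and to the last underscore fixes both: `| eval user = if(match(lower(UserId),"#ext#"), replace(mvindex(split(lower(UserId),"#ext#"),0),"_(?=[^_]*$)","@"), lower(UserId))`. The same eval appears in o365_exfiltration_via_file_download.yml and o365_exfiltration_via_file_sync_download.yml in this patch. Separately, the stats clause has `latest(ClientIP) as src values(ZipFileName)` without the comma the neighbouring terms use; SPL accepts it, but a `,` keeps the style consistent.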
@@ -0,0 +1,75 @@ +name: O365 Exfiltration via File Download +id: 06b23921-bfe2-4576-89dd-616f06e129da +version: 1 +date: '2024-10-14' +author: Steven Dick +status: production +type: Anomaly +description: The following analytic detects when an excessive number of files are downloaded from o365 by the same user over a short period of time. O365 may bundle these files together as a ZIP file, however each file will have it's own download event. This behavior may indicate an attacker staging data for exfiltration or an insider threat removing organizational data. Additional attention should be taken with any Azure Guest (#EXT#) accounts. +data_source: +- Office 365 Universal Audit Log +search: '`o365_management_activity` Operation IN ("filedownloaded") +| eval user = replace(mvindex(split(lower(UserId),"#ext#"),0),"_","@"), user_flat = replace(UserId, "[^A-Za-z0-9]","_") +| stats values(user) as user, latest(ClientIP) as src values(ZipFileName) as file_name, values(Operation) as signature, values(UserAgent) as http_user_agent, dc(SourceFileName) as count, min(_time) as firstTime, max(_time) as lastTime by Workload,UserId,SiteUrl +| rename SiteUrl as file_path,Workload as app +| where count > 50 +| `security_content_ctime(firstTime)` +| `security_content_ctime(lastTime)` +| `o365_exfiltration_via_file_download_filter`' +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. +known_false_positives: It is possible that certain file download scenarios may trigger this alert, specifically OneDrive syncing. Adjust threshold and filtering as needed. 
+references: +- https://attack.mitre.org/techniques/T1567/exfil +- https://www.varonis.com/blog/sidestepping-detection-while-exfiltrating-sharepoint-data +- https://thedfirjournal.com/posts/m365-data-exfiltration-rclone/ +drilldown_searches: +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: Investigate file downloads by $user$ + search: '`o365_management_activity` Operation IN ("filedownloaded") UserId="$UserId$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +tags: + analytic_story: + - Data Exfiltration + - Office 365 Account Takeover + asset_type: Cloud + confidence: 50 + impact: 50 + message: The user $user$ downloaded an excessive number of files [$count$] from $file_path$ using $src$ + mitre_attack_id: + - T1567 + - T1530 + observable: + - name: user + type: User + role: + - Victim + - name: src + type: IP Address + role: + - Attacker + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - Operation + - UserId + - Workload + - SiteUrl + risk_score: 25 + security_domain: threat +tests: +- name: True Positive Test + attack_data: + - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1567/o365_sus_file_activity/o365_sus_file_activity.log + source: o365 + sourcetype: o365:management:activity \ No newline at end of file diff --git a/detections/cloud/o365_exfiltration_via_file_sync_download.yml b/detections/cloud/o365_exfiltration_via_file_sync_download.yml new file mode 100644 index 0000000000..ae17efbac8 --- /dev/null +++ b/detections/cloud/o365_exfiltration_via_file_sync_download.yml 
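Review bot: `user_flat` is assigned in the eval but never read in this search — the `where NOT match(SiteUrl,user_flat)` that consumes it in o365_exfiltration_via_file_access.yml is absent here — so the trailing `, user_flat = replace(UserId, "[^A-Za-z0-9]","_")` is dead code and should be dropped rather than copied forward. I would not add the personal-site exclusion instead: a bulk download from the user's own OneDrive is exactly the insider case the description names. Separately, this analytic and o365_exfiltration_via_file_sync_download.yml use a fixed `where count > 50` while the file-access analytic baselines with `count > (avg + (3*(stdev)))`; if the fixed threshold is intentional, a sentence in `how_to_implement` stating that 50 is a starting value to be tuned per tenant would help whoever deploys it.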
@@ -0,0 +1,77 @@ +name: O365 Exfiltration via File Sync Download +id: 350837b5-13d3-4c06-b688-db07afbe5050 +version: 1 +date: '2024-10-14' +author: Steven Dick +status: production +type: Anomaly +description: The following analytic detects when an excessive number of files are sync from o365 by the same user over a short period of time. A malicious actor abuse the user-agent string through GUI or API access to evade triggering the FileDownloaded event. This behavior may indicate an attacker staging data for exfiltration or an insider threat removing organizational data. Additional attention should be taken with any Azure Guest (#EXT#) accounts. +data_source: +- Office 365 Universal Audit Log +search: '`o365_management_activity` Operation IN ("filesyncdownload*") UserAgent="*SkyDriveSync*" +| eval user = replace(mvindex(split(lower(UserId),"#ext#"),0),"_","@"), user_flat = replace(UserId, "[^A-Za-z0-9]","_") +| where NOT match(SiteUrl,user_flat) +| stats values(user) as user, latest(ClientIP) as src values(ZipFileName) as file_name, values(Operation) as signature, values(UserAgent) as http_user_agent, dc(SourceFileName) as count, min(_time) as firstTime, max(_time) as lastTime by Workload,UserId,SiteUrl +| rename SiteUrl as file_path,Workload as app +| where count > 50 +| `security_content_ctime(firstTime)` +| `security_content_ctime(lastTime)` +| `o365_exfiltration_via_file_sync_download_filter`' +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. +known_false_positives: It is possible that certain file sync scenarios may trigger this alert, specifically OneNote. Adjust threshold and filtering as needed. 
+references: +- https://attack.mitre.org/techniques/T1567/exfil +- https://www.varonis.com/blog/sidestepping-detection-while-exfiltrating-sharepoint-data +- https://thedfirjournal.com/posts/m365-data-exfiltration-rclone/ +drilldown_searches: +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: Investigate file sync downloads by $user$ + search: '`o365_management_activity` Operation IN ("filesyncdownload*") UserId="$UserId$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +tags: + analytic_story: + - Data Exfiltration + - Office 365 Account Takeover + asset_type: Cloud + confidence: 50 + impact: 50 + message: The user $user$ synced an excessive number of files [$count$] from $file_path$ using $src$ + mitre_attack_id: + - T1567 + - T1530 + observable: + - name: user + type: User + role: + - Victim + - name: src + type: IP Address + role: + - Attacker + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - Operation + - UserAgent + - Workload + - UserId + - SiteUrl + risk_score: 25 + security_domain: threat +tests: +- name: True Positive Test + attack_data: + - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1567/o365_sus_file_activity/o365_sus_file_activity.log + source: o365 + sourcetype: o365:management:activity \ No newline at end of file From e29b0b3f01f071cfda420131f26ad73b148fb7e1 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Tue, 28 Jan 2025 15:58:20 -0500 Subject: [PATCH 07/22] Update o365_exfiltration_via_file_sync_download.yml --- detections/cloud/o365_exfiltration_via_file_sync_download.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/cloud/o365_exfiltration_via_file_sync_download.yml b/detections/cloud/o365_exfiltration_via_file_sync_download.yml index ae17efbac8..f02c5a3a93 100644 --- a/detections/cloud/o365_exfiltration_via_file_sync_download.yml +++ b/detections/cloud/o365_exfiltration_via_file_sync_download.yml @@ -74,4 +74,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1567/o365_sus_file_activity/o365_sus_file_activity.log source: o365 - sourcetype: o365:management:activity \ No newline at end of file + sourcetype: o365:management:activity From 8297766f25e11948e5f2f0e774a6bf87686f984e Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Tue, 28 Jan 2025 15:58:44 -0500 Subject: [PATCH 08/22] Update o365_exfiltration_via_file_download.yml --- detections/cloud/o365_exfiltration_via_file_download.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/cloud/o365_exfiltration_via_file_download.yml b/detections/cloud/o365_exfiltration_via_file_download.yml index af1d84e317..c20775daf4 100644 --- a/detections/cloud/o365_exfiltration_via_file_download.yml +++ b/detections/cloud/o365_exfiltration_via_file_download.yml 
@@ -72,4 +72,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1567/o365_sus_file_activity/o365_sus_file_activity.log source: o365 - sourcetype: o365:management:activity \ No newline at end of file + sourcetype: o365:management:activity From 039ef36865181239ace2c2229911749d138f4451 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Tue, 28 Jan 2025 15:59:01 -0500 Subject: [PATCH 09/22] Update o365_exfiltration_via_file_access.yml --- detections/cloud/o365_exfiltration_via_file_access.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/cloud/o365_exfiltration_via_file_access.yml b/detections/cloud/o365_exfiltration_via_file_access.yml index 9478e196d8..023bfd6968 100644 --- a/detections/cloud/o365_exfiltration_via_file_access.yml +++ b/detections/cloud/o365_exfiltration_via_file_access.yml @@ -75,4 +75,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1567/o365_sus_file_activity/o365_sus_file_activity.log source: o365 - sourcetype: o365:management:activity \ No newline at end of file + sourcetype: o365:management:activity From 2fdbb800e2834f538c6731660d057641e82e3fc2 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Tue, 28 Jan 2025 16:02:55 -0500 Subject: [PATCH 10/22] Update o365_exfiltration_via_file_access.yml --- detections/cloud/o365_exfiltration_via_file_access.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/cloud/o365_exfiltration_via_file_access.yml b/detections/cloud/o365_exfiltration_via_file_access.yml index 023bfd6968..af52f2e214 100644 --- a/detections/cloud/o365_exfiltration_via_file_access.yml +++ b/detections/cloud/o365_exfiltration_via_file_access.yml 
@@ -41,7 +41,7 @@ tags: analytic_story: - Data Exfiltration - Office 365 Account Takeover - asset_type: Cloud + asset_type: O365 Tenant confidence: 50 impact: 40 message: The user $user$ accessed an excessive number of files [$count$] from $file_path$ using $src$ From 2f99dd11212fe4b8cb6ea5274dfd58ce4ec75795 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Tue, 28 Jan 2025 16:03:10 -0500 Subject: [PATCH 11/22] Update o365_exfiltration_via_file_download.yml --- detections/cloud/o365_exfiltration_via_file_download.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/cloud/o365_exfiltration_via_file_download.yml b/detections/cloud/o365_exfiltration_via_file_download.yml index c20775daf4..0bcffe5be7 100644 --- a/detections/cloud/o365_exfiltration_via_file_download.yml +++ b/detections/cloud/o365_exfiltration_via_file_download.yml @@ -39,7 +39,7 @@ tags: analytic_story: - Data Exfiltration - Office 365 Account Takeover - asset_type: Cloud + asset_type: O365 Tenant confidence: 50 impact: 50 message: The user $user$ downloaded an excessive number of files [$count$] from $file_path$ using $src$ From bef252afde383ed40b2d423ef1cf88e6c47501f5 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Tue, 28 Jan 2025 16:03:29 -0500 Subject: [PATCH 12/22] Update o365_exfiltration_via_file_sync_download.yml --- detections/cloud/o365_exfiltration_via_file_sync_download.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/cloud/o365_exfiltration_via_file_sync_download.yml b/detections/cloud/o365_exfiltration_via_file_sync_download.yml index f02c5a3a93..82ceaf64de 100644 --- a/detections/cloud/o365_exfiltration_via_file_sync_download.yml +++ b/detections/cloud/o365_exfiltration_via_file_sync_download.yml 
@@ -40,7 +40,7 @@ tags: analytic_story: - Data Exfiltration - Office 365 Account Takeover - asset_type: Cloud + asset_type: O365 Tenant confidence: 50 impact: 50 message: The user $user$ synced an excessive number of files [$count$] from $file_path$ using $src$ From 7a00c0567331c1613228975e85057381e7b2a7ab Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 31 Jan 2025 08:45:35 -0500 Subject: [PATCH 13/22] Update o365_exfiltration_via_file_access.yml --- .../o365_exfiltration_via_file_access.yml | 31 ++++++------------- 1 file changed, 10 insertions(+), 21 deletions(-) diff --git a/detections/cloud/o365_exfiltration_via_file_access.yml b/detections/cloud/o365_exfiltration_via_file_access.yml index af52f2e214..d435a3bc99 100644 --- a/detections/cloud/o365_exfiltration_via_file_access.yml +++ b/detections/cloud/o365_exfiltration_via_file_access.yml @@ -37,38 +37,27 @@ drilldown_searches: search: '`o365_management_activity` Operation IN ("fileaccessed") UserId="$UserId$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The user $user$ accessed an excessive number of files [$count$] from $file_path$ using $src$ + risk_objects: + - field: user + type: user + score: 20 + threat_objects: + - field: src + type: src tags: analytic_story: - Data Exfiltration - Office 365 Account Takeover - asset_type: O365 Tenant - confidence: 50 - impact: 40 - message: The user $user$ accessed an excessive number of files [$count$] from $file_path$ using $src$ + asset_type: O365 Tenant mitre_attack_id: - T1567 - T1530 - observable: - - name: user - type: User - role: - - Victim - - name: src - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Operation - - UserId - - SourceFileExtension - - Workload - - SiteUrl - risk_score: 20 security_domain: threat tests: - name: True Positive Test 
From 38c3f574a749cd483d437e6a4db4048cd47f91b1 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 31 Jan 2025 08:47:03 -0500 Subject: [PATCH 14/22] Update o365_exfiltration_via_file_download.yml --- .../o365_exfiltration_via_file_download.yml | 28 ++++++------------- 1 file changed, 9 insertions(+), 19 deletions(-) diff --git a/detections/cloud/o365_exfiltration_via_file_download.yml b/detections/cloud/o365_exfiltration_via_file_download.yml index 0bcffe5be7..4f738b2fa7 100644 --- a/detections/cloud/o365_exfiltration_via_file_download.yml +++ b/detections/cloud/o365_exfiltration_via_file_download.yml @@ -35,37 +35,27 @@ drilldown_searches: search: '`o365_management_activity` Operation IN ("filedownloaded") UserId="$UserId$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The user $user$ downloaded an excessive number of files [$count$] from $file_path$ using $src$ + risk_objects: + - field: user + type: user + score: 25 + threat_objects: + - field: src + type: src tags: analytic_story: - Data Exfiltration - Office 365 Account Takeover asset_type: O365 Tenant - confidence: 50 - impact: 50 - message: The user $user$ downloaded an excessive number of files [$count$] from $file_path$ using $src$ mitre_attack_id: - T1567 - T1530 - observable: - - name: user - type: User - role: - - Victim - - name: src - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Operation - - UserId - - Workload - - SiteUrl - risk_score: 25 security_domain: threat tests: - name: True Positive Test From a136609516b69eb0b39ca772345dfa64b01daa14 Mon Sep 17 00:00:00 2001 
From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 31 Jan 2025 08:48:07 -0500 Subject: [PATCH 15/22] Update o365_exfiltration_via_file_sync_download.yml --- ...65_exfiltration_via_file_sync_download.yml | 29 ++++++------------- 1 file changed, 9 insertions(+), 20 deletions(-) diff --git a/detections/cloud/o365_exfiltration_via_file_sync_download.yml b/detections/cloud/o365_exfiltration_via_file_sync_download.yml index 82ceaf64de..f061d4eb56 100644 --- a/detections/cloud/o365_exfiltration_via_file_sync_download.yml +++ b/detections/cloud/o365_exfiltration_via_file_sync_download.yml @@ -36,38 +36,27 @@ drilldown_searches: search: '`o365_management_activity` Operation IN ("filesyncdownload*") UserId="$UserId$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The user $user$ synced an excessive number of files [$count$] from $file_path$ using $src$ + risk_objects: + - field: user + type: user + score: 25 + threat_objects: + - field: src + type: src tags: analytic_story: - Data Exfiltration - Office 365 Account Takeover asset_type: O365 Tenant - confidence: 50 - impact: 50 - message: The user $user$ synced an excessive number of files [$count$] from $file_path$ using $src$ mitre_attack_id: - T1567 - T1530 - observable: - - name: user - type: User - role: - - Victim - - name: src - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Operation - - UserAgent - - Workload - - UserId - - SiteUrl - risk_score: 25 security_domain: threat tests: - name: True Positive Test From 842ee121151b58c5556bd95ebd3fcb17d6e696d3 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 31 Jan 2025 08:50:31 -0500 Subject: [PATCH 16/22] Update o365_exfiltration_via_file_access.yml --- detections/cloud/o365_exfiltration_via_file_access.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/detections/cloud/o365_exfiltration_via_file_access.yml b/detections/cloud/o365_exfiltration_via_file_access.yml index d435a3bc99..2b70c92c61 100644 --- a/detections/cloud/o365_exfiltration_via_file_access.yml +++ b/detections/cloud/o365_exfiltration_via_file_access.yml @@ -45,7 +45,7 @@ rba: score: 20 threat_objects: - field: src - type: src + type: ip_address tags: analytic_story: - Data Exfiltration From 0e8ac8a29dbfdb23658fb7463234dce9d1286325 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 31 Jan 2025 08:50:45 -0500 Subject: [PATCH 17/22] Update o365_exfiltration_via_file_download.yml --- detections/cloud/o365_exfiltration_via_file_download.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/cloud/o365_exfiltration_via_file_download.yml b/detections/cloud/o365_exfiltration_via_file_download.yml index 4f738b2fa7..3a0a3b4a36 100644 --- a/detections/cloud/o365_exfiltration_via_file_download.yml +++ b/detections/cloud/o365_exfiltration_via_file_download.yml @@ -43,7 +43,7 @@ rba: score: 25 threat_objects: - field: src - type: src + type: ip_address tags: analytic_story: - Data Exfiltration From ae1b755f2ff14349566e90ab8774119667665984 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 31 Jan 2025 08:51:10 -0500 Subject: [PATCH 18/22] Update o365_exfiltration_via_file_sync_download.yml --- detections/cloud/o365_exfiltration_via_file_sync_download.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/cloud/o365_exfiltration_via_file_sync_download.yml b/detections/cloud/o365_exfiltration_via_file_sync_download.yml index f061d4eb56..d5d8058148 100644 --- a/detections/cloud/o365_exfiltration_via_file_sync_download.yml +++ b/detections/cloud/o365_exfiltration_via_file_sync_download.yml 
@@ -44,7 +44,7 @@ rba: score: 25 threat_objects: - field: src - type: src + type: ip_address tags: analytic_story: - Data Exfiltration From 9de89087f343693901e22404fa5dd3eeb30cc50c Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Sun, 2 Feb 2025 12:30:38 -0500 Subject: [PATCH 19/22] Update o365_exfiltration_via_file_access.yml update search yaml for better readability / remove single quote in SPL issues --- .../o365_exfiltration_via_file_access.yml | 21 ++++++++++--------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/detections/cloud/o365_exfiltration_via_file_access.yml b/detections/cloud/o365_exfiltration_via_file_access.yml index 2b70c92c61..7ad89f9c6f 100644 --- a/detections/cloud/o365_exfiltration_via_file_access.yml +++ b/detections/cloud/o365_exfiltration_via_file_access.yml 
@@ -8,16 +8,17 @@ type: Anomaly description: The following analytic detects when an excessive number of files are access from o365 by the same user over a short period of time. A malicious actor may abuse the "open in app" functionality of SharePoint through scripted or Graph API based access to evade triggering the FileDownloaded Event. This behavior may indicate an attacker staging data for exfiltration or an insider threat removing organizational data. Additional attention should be take with any Azure Guest (#EXT#) accounts. data_source: - Office 365 Universal Audit Log -search: '`o365_management_activity` Operation IN ("fileaccessed") UserId!=app@sharepoint NOT SourceFileExtension IN (bmp,png,jpeg,jpg) -| eval user = replace(mvindex(split(lower(UserId),"#ext#"),0),"_","@"), user_flat = replace(UserId, "[^A-Za-z0-9]","_") -| where NOT match(SiteUrl,user_flat) -| stats values(user) as user, latest(ClientIP) as src values(ZipFileName) as file_name, values(Operation) as signature, values(UserAgent) as http_user_agent, dc(SourceFileName) as count, min(_time) as firstTime, max(_time) as lastTime by Workload,UserId,SiteUrl -| eventstats avg(count) as avg stdev(count) as stdev by Workload -| rename SiteUrl as file_path,Workload as app -| where count > 50 AND count > (avg + (3*(stdev))) -| `security_content_ctime(firstTime)` -| `security_content_ctime(lastTime)` -| `o365_exfiltration_via_file_access_filter`' +search: |- + `o365_management_activity` Operation IN ("fileaccessed") UserId!=app@sharepoint NOT SourceFileExtension IN (bmp,png,jpeg,jpg) + | eval user = replace(mvindex(split(lower(UserId),"#ext#"),0),"_","@"), user_flat = replace(UserId, "[^A-Za-z0-9]","_") + | where NOT match(SiteUrl,user_flat) + | stats values(user) as user, latest(ClientIP) as src values(ZipFileName) as file_name, values(Operation) as signature, values(UserAgent) as http_user_agent, dc(SourceFileName) as count, min(_time) as firstTime, max(_time) as lastTime by Workload,UserId,SiteUrl + | 
eventstats avg(count) as avg stdev(count) as stdev by Workload + | rename SiteUrl as file_path,Workload as app + | where count > 50 AND count > (avg + (3*(stdev))) + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `o365_exfiltration_via_file_access_filter` how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. known_false_positives: It is possible that certain file access scenarios may trigger this alert, specifically OneDrive syncing and users accessing personal onedrives of other users. Adjust threshold and filtering as needed. references: From 84c1a4c5e273451a789b2fb19b95967606f3b2e1 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Sun, 2 Feb 2025 12:31:04 -0500 Subject: [PATCH 20/22] Update o365_exfiltration_via_file_download.yml update search yaml for better readability / remove single quote in SPL issues --- .../o365_exfiltration_via_file_download.yml | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/detections/cloud/o365_exfiltration_via_file_download.yml b/detections/cloud/o365_exfiltration_via_file_download.yml index 3a0a3b4a36..a4b504d0d8 100644 --- a/detections/cloud/o365_exfiltration_via_file_download.yml +++ b/detections/cloud/o365_exfiltration_via_file_download.yml 
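Review bot: The `eval user = replace(mvindex(split(lower(UserId),"#ext#"),0),"_","@")` line rewrites every underscore to `@` for all accounts, not only `#EXT#` guests, so a member UPN such as `first_last@corp.com` becomes `first@last@corp.com` and the `user` risk object no longer matches the identity it is meant to represent. Guarding the rewrite on the guest marker keeps the existing behaviour for guests while leaving members intact: `| eval user = if(match(lower(UserId),"#ext#"), replace(mvindex(split(lower(UserId),"#ext#"),0),"_","@"), lower(UserId)), user_flat = replace(UserId, "[^A-Za-z0-9]","_")`. Separately, the `eventstats avg(count) as avg stdev(count) as stdev by Workload` baseline is computed over the same result set that contains the candidate row, so in a window with few (Workload, UserId, SiteUrl) groups a lone bulk accessor inflates its own mean and standard deviation and `count > (avg + (3*(stdev)))` may never be satisfied; this is worth confirming against the T1567 test dataset before relying on the threshold.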
@@ -8,14 +8,15 @@ type: Anomaly description: The following analytic detects when an excessive number of files are downloaded from o365 by the same user over a short period of time. O365 may bundle these files together as a ZIP file, however each file will have it's own download event. This behavior may indicate an attacker staging data for exfiltration or an insider threat removing organizational data. Additional attention should be taken with any Azure Guest (#EXT#) accounts. data_source: - Office 365 Universal Audit Log -search: '`o365_management_activity` Operation IN ("filedownloaded") -| eval user = replace(mvindex(split(lower(UserId),"#ext#"),0),"_","@"), user_flat = replace(UserId, "[^A-Za-z0-9]","_") -| stats values(user) as user, latest(ClientIP) as src values(ZipFileName) as file_name, values(Operation) as signature, values(UserAgent) as http_user_agent, dc(SourceFileName) as count, min(_time) as firstTime, max(_time) as lastTime by Workload,UserId,SiteUrl -| rename SiteUrl as file_path,Workload as app -| where count > 50 -| `security_content_ctime(firstTime)` -| `security_content_ctime(lastTime)` -| `o365_exfiltration_via_file_download_filter`' +search: |- + `o365_management_activity` Operation IN ("filedownloaded") + | eval user = replace(mvindex(split(lower(UserId),"#ext#"),0),"_","@"), user_flat = replace(UserId, "[^A-Za-z0-9]","_") + | stats values(user) as user, latest(ClientIP) as src values(ZipFileName) as file_name, values(Operation) as signature, values(UserAgent) as http_user_agent, dc(SourceFileName) as count, min(_time) as firstTime, max(_time) as lastTime by Workload,UserId,SiteUrl + | rename SiteUrl as file_path,Workload as app + | where count > 50 + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `o365_exfiltration_via_file_download_filter` how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. 
known_false_positives: It is possible that certain file download scenarios may trigger this alert, specifically OneDrive syncing. Adjust threshold and filtering as needed. references: From 1ac26e3bc855b31b68e42b950c2236da203cf1b4 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Sun, 2 Feb 2025 12:31:31 -0500 Subject: [PATCH 21/22] Update o365_exfiltration_via_file_sync_download.yml update search yaml for better readability / remove single quote in SPL issues --- ...65_exfiltration_via_file_sync_download.yml | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/detections/cloud/o365_exfiltration_via_file_sync_download.yml b/detections/cloud/o365_exfiltration_via_file_sync_download.yml index d5d8058148..684ef625ec 100644 --- a/detections/cloud/o365_exfiltration_via_file_sync_download.yml +++ b/detections/cloud/o365_exfiltration_via_file_sync_download.yml 
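Review bot: `user_flat` is assigned in the `eval` line of this search but never referenced afterwards, unlike the sibling file-access and file-sync analytics, which follow it with `| where NOT match(SiteUrl,user_flat)` to drop a user's own OneDrive site. Either that self-site filter was meant to be applied here as well, or the field is dead and should be removed from the eval so the next maintainer does not assume it is doing something. If the omission is deliberate (bulk download of one's own OneDrive is still worth flagging), stating that in `known_false_positives` would make the intent explicit. The same unconditional `replace(...,"_","@")` rewrite is applied to non-guest UPNs here too, which mangles any member account whose UPN contains an underscore.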
@@ -8,15 +8,16 @@ type: Anomaly description: The following analytic detects when an excessive number of files are sync from o365 by the same user over a short period of time. A malicious actor abuse the user-agent string through GUI or API access to evade triggering the FileDownloaded event. This behavior may indicate an attacker staging data for exfiltration or an insider threat removing organizational data. Additional attention should be taken with any Azure Guest (#EXT#) accounts. data_source: - Office 365 Universal Audit Log -search: '`o365_management_activity` Operation IN ("filesyncdownload*") UserAgent="*SkyDriveSync*" -| eval user = replace(mvindex(split(lower(UserId),"#ext#"),0),"_","@"), user_flat = replace(UserId, "[^A-Za-z0-9]","_") -| where NOT match(SiteUrl,user_flat) -| stats values(user) as user, latest(ClientIP) as src values(ZipFileName) as file_name, values(Operation) as signature, values(UserAgent) as http_user_agent, dc(SourceFileName) as count, min(_time) as firstTime, max(_time) as lastTime by Workload,UserId,SiteUrl -| rename SiteUrl as file_path,Workload as app -| where count > 50 -| `security_content_ctime(firstTime)` -| `security_content_ctime(lastTime)` -| `o365_exfiltration_via_file_sync_download_filter`' +search: |- + `o365_management_activity` Operation IN ("filesyncdownload*") UserAgent="*SkyDriveSync*" + | eval user = replace(mvindex(split(lower(UserId),"#ext#"),0),"_","@"), user_flat = replace(UserId, "[^A-Za-z0-9]","_") + | where NOT match(SiteUrl,user_flat) + | stats values(user) as user, latest(ClientIP) as src values(ZipFileName) as file_name, values(Operation) as signature, values(UserAgent) as http_user_agent, dc(SourceFileName) as count, min(_time) as firstTime, max(_time) as lastTime by Workload,UserId,SiteUrl + | rename SiteUrl as file_path,Workload as app + | where count > 50 + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `o365_exfiltration_via_file_sync_download_filter` 
how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. known_false_positives: It is possible that certain file sync scenarios may trigger this alert, specifically OneNote. Adjust threshold and filtering as needed. references: From de2162b94d1dd2e5db5d2a1a1ae02fee2b94c1b1 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali Date: Wed, 19 Feb 2025 14:50:57 +0100 Subject: [PATCH 22/22] update logic and analytic --- ...l_telegram_api_request_via_commandline.yml | 62 ++++++++++++ ...ram_detected_access_suspicious_api_url.yml | 94 ------------------- 2 files changed, 62 insertions(+), 94 deletions(-) create mode 100644 detections/endpoint/potential_telegram_api_request_via_commandline.yml delete mode 100644 detections/endpoint/telegram_detected_access_suspicious_api_url.yml diff --git a/detections/endpoint/potential_telegram_api_request_via_commandline.yml b/detections/endpoint/potential_telegram_api_request_via_commandline.yml new file mode 100644 index 0000000000..6e704fe58a --- /dev/null +++ b/detections/endpoint/potential_telegram_api_request_via_commandline.yml 
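Review bot: The self-OneDrive exclusion `| where NOT match(SiteUrl,user_flat)` is a case-sensitive regex match, but `user_flat` is derived from `UserId` as-is while `user` is derived from `lower(UserId)`; if the audit log reports mixed-case UPNs (e.g. `John.Doe@Corp.com` → `John_Doe_Corp_com`) and the personal `SiteUrl` path is lower-case, the match silently fails and the user's own sync traffic is counted — exactly the OneDrive/OneNote noise that `known_false_positives` warns about. Normalising both sides removes the ambiguity: `user_flat = replace(lower(UserId), "[^a-z0-9]","_")` in the eval and `| where NOT match(lower(SiteUrl),user_flat)`. Whether `SiteUrl` is already lower-cased in the feed cannot be confirmed from this file, so check it against the T1567 test dataset.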
@@ -0,0 +1,62 @@ +name: Potential Telegram API Request Via CommandLine +id: d6b0d627-d0bf-46b1-936f-c48284767d21 +version: 1 +date: '2025-02-19' +author: Nasreddine Bencherchali, Splunk, Zaki Zarkasih Al Mustafa +status: production +type: Anomaly +description: The following analytic detects the presence of "api.telegram.org" in the CommandLine of a process. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity can be significant as the telegram API has been used as an exfiltration mechanism or even as a C2 channel. If confirmed malicious, this could allow an attacker or malware to exfiltrate data or receive additional C2 instruction, potentially leading to further compromise and persistence within the network. +data_source: +- Sysmon EventID 1 +- Windows Event Log Security 4688 +- CrowdStrike ProcessRollup2 +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process= "*api.telegram.org*" NOT Processes.process IN ("*-osint -url*", "* --single-argument*") by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process_id Processes.process_name Processes.process Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `potential_telegram_api_request_via_commandline_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. 
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: False positive may stem from application or users requesting the API directly via CommandLine for testing purposes. Investigate the matches and apply the necessary filters. +references: +- https://www.virustotal.com/gui/file/0b3ef5e04329cefb5bb4bf30b3edcb32d1ec6bbcb29d22695a079bfb5b56e8ac/behavior +- https://www.virustotal.com/gui/file/72c59eeb15b5ec1d95e72e4b06a030bc058822bc10e5cb807e78a4624d329666/behavior +- https://www.virustotal.com/gui/file/72c59eeb15b5ec1d95e72e4b06a030bc058822bc10e5cb807e78a4624d329666/content +- https://www.virustotal.com/gui/file/1c4541bf70b6e251ef024ec4dde8dce400539c2368461c0d90e15a81b11ace44/content +drilldown_searches: +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: Process $process_name$ with command line $process$ in $dest$ + risk_objects: + - field: dest + type: system + score: 30 + threat_objects: + - field: process_name + 
type: process_name +tags: + analytic_story: + - XMRig + asset_type: Endpoint + mitre_attack_id: + - T1102.002 + - T1041 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1102.002/telegram_api_cli/telegram_cli.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/telegram_detected_access_suspicious_api_url.yml b/detections/endpoint/telegram_detected_access_suspicious_api_url.yml deleted file mode 100644 index 230aa18177..0000000000 --- a/detections/endpoint/telegram_detected_access_suspicious_api_url.yml +++ /dev/null 
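Review bot: The exclusions `NOT Processes.process IN ("*-osint -url*", "* --single-argument*")` are matched against the whole command line of any process, so a `curl` or `powershell` invocation of `api.telegram.org` that simply appends `--single-argument` (or `-osint -url`) drops out of the detection; a substring allow-list that is not tied to a process name is a cheap evasion. Those flags look like browser URL hand-off switches, so scoping the exclusion to the browser binaries seen in the environment keeps the intent while closing the gap, e.g. `NOT (Processes.process_name IN ("<browser>.exe") AND Processes.process IN ("*-osint -url*","* --single-argument*"))`. `known_false_positives` could also name the browser-launch case explicitly, since that is what the exclusion exists for. Note too that `data_source` lists Windows Security 4688 and CrowdStrike ProcessRollup2 but the only test dataset is Sysmon EventID 1, so the 4688 path (which needs command-line auditing enabled) is unverified by the included test.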
@@ -1,94 +0,0 @@ -data_source: -- Windows Security 4688 -name: Telegram Detected Access Suspicious API/URL -id: 6e106492-561f-4f0c-919c-6560861e27d3 -version: 1 -date: '2025-01-02' -author: Zaki Zarkasih Al Mustafa -type: TTP -status: production -description: Detects suspicious process activity related to Telegram API -search: | `wineventlog_security` - AND ParentProcessName=*Telegram* AND CommandLine=*api.telegram* | eval utc_time=strptime(TimeCreated, - "%Y-%m-%dT%H:%M:%S.%6NZ") | eval Time_Created=strftime(utc_time + 25200, "%Y-%m-%d - %H:%M:%S") | rename Time_Created as "Time Created", host as Host, src_user as User - | table "Time Created", Host, User, EventID, ParentProcessName, CommandLine, NewProcessName - | `telegram_detected_access_suspicious_api_url_filter` -macros: - - telegram_detected_access_suspicious_api_url_filter - - wineventlog_security -how_to_implement: | - Ensure the relevant data source (`Wineventlog:Security`) is ingested into Splunk. - Configure the macro `telegram_detected_access_suspicious_api_url_filter` to filter false positives or noisy data. - Deploy this detection rule in Splunk Enterprise Security or Splunk Cloud. - -known_false_positives: | - Non-malicious use of Telegram's API by legitimate applications or processes may trigger this detection. - Automated scripts or tools using Telegram for notifications or integrations might also appear as suspicious. - Developers testing Telegram API functionality in controlled environments. - -drilldown_searches: - - name: Investigate Parent Process - description: | - This drilldown searches for other processes spawned by the same parent process - to identify potential patterns or related activities. 
- search: | - `` - AND ParentProcessName="$ParentProcessName$" - | table _time, ParentProcessName, NewProcessName, CommandLine - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ - - - name: Investigate User Activity - description: | - This drilldown searches for all activities performed by the same user in the - Windows Event Logs to provide additional context. - search: | - `` - AND src_user="$src_user$" - | table _time, src_user, EventID, host, CommandLine - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ - -references: -- https://securelist.com/telegram-phishing-services/109383/ -tags: - analytic_story: - - XMRig - asset_type: Endpoint - confidence: 85 - impact: 70 - message: Detects suspicious access to Telegram API for potential misuse or malicious activity. - mitre_attack_id: - - T1059.001 - - T1059.003 - - T1003.002 - - T1105 - - T1566 - observable: - - name: CommandLine - type: Process Name - role: - - Attacker - - name: Host - type: Hostname - role: - - Victim - product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud - required_fields: - - index - - sourcetype - - ParentProcessName - - CommandLine - risk_score: 59.5 - security_domain: endpoint - cve: [] -tests: -- name: True Positive Test - attack_data: - - data: https://github.com/splunk/contentctl/wiki - sourcetype: Wineventlog:Security - source: Wineventlog