Merge branch 'splunk:develop' into nterl0k-t1053-suspicious-task-lookups

splunk · Feb 20, 2025 · f6646f5 · f6646f5
2 parents fe46608 + 32c10de
commit f6646f5
Show file tree

Hide file tree

Showing 8 changed files with 315 additions and 7 deletions.
diff --git a/detections/endpoint/exchange_powershell_abuse_via_ssrf.yml b/detections/endpoint/exchange_powershell_abuse_via_ssrf.yml
@@ -1,7 +1,7 @@
 name: Exchange PowerShell Abuse via SSRF
 id: 29228ab4-0762-11ec-94aa-acde48001122
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-02-19'
 author: Michael Haag, Splunk
 status: experimental
 type: TTP
@@ -14,7 +14,7 @@ description: The following analytic detects suspicious behavior indicative of Pr
   If confirmed malicious, this could lead to unauthorized access, privilege escalation,
   or persistent control over the Exchange environment.
 data_source: []
-search: '`exchange` c_uri="*//autodiscover*" cs_uri_query="*PowerShell*" cs_method="POST"
+search: '`windows_exchange_iis` c_uri="*//autodiscover*" cs_uri_query="*PowerShell*" cs_method="POST"
   | stats count min(_time) as firstTime max(_time) as lastTime by dest, cs_uri_query,
   cs_method, c_uri | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
   | `exchange_powershell_abuse_via_ssrf_filter`'

diff --git a/detections/endpoint/windows_compatibility_telemetry_suspicious_child_process.yml b/detections/endpoint/windows_compatibility_telemetry_suspicious_child_process.yml
@@ -0,0 +1,65 @@
+name: Windows Compatibility Telemetry Suspicious Child Process
+id: 56fe46ca-ffef-46fe-8f0e-5cd4b7b4cc0c
+version: 1
+date: '2025-02-13'
+author: Steven Dick
+status: production
+type: TTP
+description: The following analytic detects the execution of CompatTelRunner.exe with parameters indicative of a process not part of the normal "Microsoft Compatibility Appraiser" telemetry collection. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line arguments. This activity is significant because CompatTelRunner.exe and the "Microsoft Compatibility Appraiser" task always run as System and can be used to elevate privileges or establish a highly privileged persistence mechanism. If confirmed malicious, this could enable unauthorized code execution, privilege escalation, or persistent access to the compromised system.
+data_source: 
+- Windows Security Event ID 4688
+- Sysmon Event ID 1
+- CrowdStrike ProcessRollup2
+search: |-
+  |  tstats `security_content_summariesonly` values(Processes.parent_process) as Processes.parent_process, values(Processes.process) as Processes.process values(Processes.process_current_directory) AS process_current_directory, values(Processes.process_id) as Processes.process_id, values(Processes.process_guid) as Processes.process_guid, count min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes where Processes.parent_process_name = "CompatTelRunner.exe" AND Processes.process="* -cv:*" NOT Processes.process IN ("* -m:*") BY _time span=1h Processes.user Processes.dest Processes.parent_process_name Processes.process_name
+  |`drop_dm_object_name(Processes)`
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`
+  | `windows_compatibility_telemetry_suspicious_child_process_filter`
+how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
+known_false_positives: None identified
+references:
+- https://attack.mitre.org/techniques/T1546/
+- https://scythe.io/threat-thursday/windows-telemetry-persistence
+- https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence
+drilldown_searches:
+- name: View the detection results for - "$dest$"
+  search: '%original_detection_search% | search dest = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: Investigate processes on $dest$ 
+  search: '| from datamodel Endpoint.Processes
+| search dest = "$dest$" AND process_name = "$process_name$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: The process $process_name$ was launched in a suspicious manner by $parent_process_name$ on host $dest$
+  risk_objects: 
+  - field: dest
+    type: system
+    score: 70
+  threat_objects: 
+  - field: process_name
+    type: process
+tags:
+  analytic_story: 
+  - Windows Persistence Techniques
+  asset_type: Endpoint
+  mitre_attack_id: 
+  - T1546
+  - T1053.005
+  product: 
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546/compattelrunner_abuse/compattelrunner_abuse.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: XmlWinEventLog
diff --git a/detections/endpoint/windows_compatibility_telemetry_tampering_through_registry.yml b/detections/endpoint/windows_compatibility_telemetry_tampering_through_registry.yml
@@ -0,0 +1,67 @@
+name: Windows Compatibility Telemetry Tampering Through Registry
+id: 43834687-cc48-4878-a2fa-f76e4271791f
+version: 1
+date: '2025-02-13'
+author: Steven Dick
+status: production
+type: TTP
+description: This detection identifies suspicious modifications to the Windows Compatibility Telemetry registry settings, specifically within the "TelemetryController" registry key and "Command" registry value. It leverages data from the Endpoint.Registry data model, focusing on registry paths and values indicative of such changes. This activity is significant because CompatTelRunner.exe and the "Microsoft Compatibility Appraiser" task always run as System and can be used to elevate privileges or establish a highly privileged persistence mechanism. If confirmed malicious, this could enable unauthorized code execution, privilege escalation, or persistent access to the compromised system.
+data_source: 
+- Sysmon Event ID 13
+search: |-
+  | tstats `security_content_summariesonly` min(_time) as firstTime, max(_time) as lastTime, count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\TelemetryController*" AND Registry.registry_value_name="Command" NOT Registry.registry_value_data IN ("(empty)")) BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid
+  | `drop_dm_object_name(Registry)`
+  | eval process = registry_value_data 
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`
+  | `windows_compatibility_telemetry_tampering_through_registry_filter`
+how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
+known_false_positives: None identified
+references:
+- https://attack.mitre.org/techniques/T1546/
+- https://scythe.io/threat-thursday/windows-telemetry-persistence
+- https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence
+drilldown_searches:
+- name: View the detection results for - "$dest$" and "$user$"
+  search: '%original_detection_search% | search dest = "$dest$" user = "$user$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$" and "$user$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$","$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: Investigate registry changes on $dest$ 
+  search: '| from datamodel Endpoint.Registry
+| search registry_path = "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\TelemetryController*" AND dest = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: The process $process$ was added to registry settings for the Compatibility Appraiser by $user$ on host $dest$
+  risk_objects: 
+  - field: dest
+    type: system
+    score: 70
+  - field: user
+    type: user
+    score: 70
+  threat_objects: 
+  - field: process
+    type: process
+tags:
+  analytic_story: 
+  - Windows Persistence Techniques
+  asset_type: Endpoint
+  mitre_attack_id: 
+  - T1546
+  - T1053.005
+  product: 
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546/compattelrunner_abuse/compattelrunner_abuse.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: XmlWinEventLog
diff --git a/detections/endpoint/windows_service_created_with_suspicious_service_name.yml b/detections/endpoint/windows_service_created_with_suspicious_service_name.yml
@@ -0,0 +1,78 @@
+name: Windows Service Created with Suspicious Service Name
+id: 35eb6d19-a497-400c-93c5-645562804b11
+version: 1
+date: '2025-02-07'
+author: Steven Dick
+status: production
+type: Anomaly
+description: The following analytic detects the creation of a Windows Service with a known suspicious or malicious name using Windows Event ID 7045. It leverages logs from the `wineventlog_system` to identify these services installations. This activity is significant as adversaries, including those deploying Clop ransomware, often create malicious services for lateral movement, remote code execution, persistence, and execution. If confirmed malicious, this could allow attackers to maintain persistence, execute arbitrary code, and potentially escalate privileges, posing a severe threat to the environment.
+data_source: 
+- Windows Event Log System 7045
+search: |-
+  `wineventlog_system` EventCode=7045 
+  | stats values(user) as user, values(ImagePath) as process, count, min(_time) as firstTime, max(_time) as lastTime values(EventCode) as signature by Computer, ServiceName, StartType, ServiceType, UserID
+  | eval process_name = mvindex(split(process,"\\"),-1)
+  | rename Computer as dest, ServiceName as object_name, ServiceType as object_type
+  | lookup windows_suspicious_services service_name as object_name
+  | where isnotnull(tool_name)
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)` 
+  | `windows_service_created_with_suspicious_service_name_filter`
+how_to_implement: To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints.
+known_false_positives: Legitimate applications may install services with uncommon services paths.
+references:
+- https://attack.mitre.org/techniques/T1569/002/
+- https://github.com/BishopFox/sliver/blob/71f94928bf36c1557ea5fbeffa161b71116f56b2/client/command/exec/psexec.go#LL61C5-L61C16
+- https://www.microsoft.com/en-us/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/
+- https://github.com/mthcht/awesome-lists/blob/main/Lists/suspicious_windows_services_names_list.csv
+drilldown_searches:
+- name: View the detection results for - "$dest$""
+  search: '%original_detection_search% | search dest = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: Investigate service events on $dest$ 
+  search: '`wineventlog_system` EventCode=7045 ServiceName = "$object_name$" dest = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: A known malicious service name $object_name$ was created using $process$ on $dest$, this may indicate the presence of [$tool_name$]
+  risk_objects: 
+  - field: dest
+    type: system
+    score: 75
+  - field: user
+    type: user
+    score: 75
+  threat_objects: 
+  - field: process
+    type: process
+  - field: object_name
+    type: signature
+tags:
+  analytic_story: 
+  - Active Directory Lateral Movement
+  - Brute Ratel C4
+  - CISA AA23-347A
+  - Clop Ransomware
+  - Flax Typhoon
+  - PlugX
+  - Qakbot
+  - Snake Malware
+  asset_type: Endpoint
+  mitre_attack_id: 
+  - T1569.002
+  product: 
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/sliver/sliver_windows-system.log
+    source: XmlWinEventLog:System
+    sourcetype: XmlWinEventLog