Merge branch 'develop' into shadow_single

Author: ljstella

detections/endpoint/disable_registry_tool.yml

@@ -1,11 +1,12 @@
 name: Disable Registry Tool
 id: cd2cf33c-9201-11eb-a10a-acde48001122
-version: 11
-date: '2025-02-10'
+version: 12
+date: '2025-04-22'
 author: Teoderick Contreras, Splunk, Steven Dick
 status: production
 type: TTP
-description: The following analytic detects modifications to the Windows registry
+description:
+  The following analytic detects modifications to the Windows registry
   aimed at disabling the Registry Editor (regedit). It leverages data from the Endpoint.Registry
   data model, specifically monitoring changes to the registry path "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableRegistryTools"
   with a value of "0x00000001". This activity is significant because malware, such
@@ -14,60 +15,63 @@ description: The following analytic detects modifications to the Windows registr
   could hinder incident response efforts and allow the attacker to maintain control
   over the compromised system.
 data_source:
-- Sysmon EventID 13
-search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
+  - Sysmon EventID 13
+search:
+  '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
   as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableRegistryTools"
   Registry.registry_value_data = "0x00000001") by Registry.action Registry.dest Registry.process_guid
   Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name
   Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type
   Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)`|
   where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
   | `disable_registry_tool_filter`'
-how_to_implement: To successfully implement this search, you need to be ingesting
+how_to_implement:
+  To successfully implement this search, you need to be ingesting
   logs with the registry value name, registry path, and registry value data from your
   endpoints. If you are using Sysmon, you must have at least version 2.0 of the official
   Sysmon TA. https://splunkbase.splunk.com/app/5709
 known_false_positives: admin may disable this application for non technical user.
 references:
-- https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry
+  - https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry
 drilldown_searches:
-- name: View the detection results for - "$dest$"
-  search: '%original_detection_search% | search  dest = "$dest$"'
-  earliest_offset: $info_min_time$
-  latest_offset: $info_max_time$
-- name: View risk events for the last 7 days for - "$dest$"
-  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
-    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
-    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
-    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
-    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
-    | `security_content_ctime(lastTime)`'
-  earliest_offset: $info_min_time$
-  latest_offset: $info_max_time$
+  - name: View the detection results for - "$dest$"
+    search: '%original_detection_search% | search  dest = "$dest$"'
+    earliest_offset: $info_min_time$
+    latest_offset: $info_max_time$
+  - name: View risk events for the last 7 days for - "$dest$"
+    search:
+      '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+      starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
+      values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+      as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+      as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+      | `security_content_ctime(lastTime)`'
+    earliest_offset: $info_min_time$
+    latest_offset: $info_max_time$
 rba:
   message: Disabled Registry Tools on $dest$
   risk_objects:
-  - field: dest
-    type: system
-    score: 40
+    - field: dest
+      type: system
+      score: 40
   threat_objects: []
 tags:
   analytic_story:
-  - Windows Defense Evasion Tactics
-  - Windows Registry Abuse
-  - NjRAT
+    - Windows Defense Evasion Tactics
+    - Windows Registry Abuse
+    - NjRAT
   asset_type: Endpoint
   mitre_attack_id:
-  - T1112
-  - T1562.001
+    - T1112
+    - T1562.001
   product:
-  - Splunk Enterprise
-  - Splunk Enterprise Security
-  - Splunk Cloud
+    - Splunk Enterprise
+    - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: endpoint
 tests:
-- name: True Positive Test
-  attack_data:
-  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log
-    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
-    sourcetype: XmlWinEventLog
+  - name: True Positive Test
+    attack_data:
+      - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log
+        source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+        sourcetype: XmlWinEventLog

detections/endpoint/disable_security_logs_using_minint_registry.yml

@@ -1,11 +1,12 @@
 name: Disable Security Logs Using MiniNt Registry
 id: 39ebdc68-25b9-11ec-aec7-acde48001122
-version: 10
-date: '2024-12-08'
+version: 11
+date: '2025-04-22'
 author: Teoderick Contreras, Splunk, Steven Dick
 status: production
 type: TTP
-description: The following analytic detects a suspicious registry modification aimed
+description:
+  The following analytic detects a suspicious registry modification aimed
   at disabling security audit logs by adding a specific registry entry. It leverages
   data from the Endpoint.Registry data model, focusing on changes to the "Control\\MiniNt"
   registry path. This activity is significant because it can prevent Windows from
@@ -14,61 +15,64 @@ description: The following analytic detects a suspicious registry modification a
   undetected, making it difficult to trace their actions and compromising the integrity
   of security audits.
 data_source:
-- Sysmon EventID 13
-search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
+  - Sysmon EventID 13
+search:
+  '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
   as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*\\Control\\MiniNt\\*")
   by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive
   Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name
   Registry.registry_value_type Registry.status Registry.user Registry.vendor_product
   | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)`
   | `security_content_ctime(lastTime)` | `disable_security_logs_using_minint_registry_filter`'
-how_to_implement: To successfully implement this search, you need to be ingesting
+how_to_implement:
+  To successfully implement this search, you need to be ingesting
   logs with the registry value name, registry path, and registry value data from your
   endpoints. If you are using Sysmon, you must have at least version 2.0 of the official
   Sysmon TA. https://splunkbase.splunk.com/app/5709
 known_false_positives: Unknown.
 references:
-- https://twitter.com/0gtweet/status/1182516740955226112
+  - https://twitter.com/0gtweet/status/1182516740955226112
 drilldown_searches:
-- name: View the detection results for - "$dest$" and "$user$"
-  search: '%original_detection_search% | search  dest = "$dest$" user = "$user$"'
-  earliest_offset: $info_min_time$
-  latest_offset: $info_max_time$
-- name: View risk events for the last 7 days for - "$dest$" and "$user$"
-  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$",
-    "$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time)
-    as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk
-    Message" values(analyticstories) as "Analytic Stories" values(annotations._all)
-    as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics"
-    by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
-  earliest_offset: $info_min_time$
-  latest_offset: $info_max_time$
+  - name: View the detection results for - "$dest$" and "$user$"
+    search: '%original_detection_search% | search  dest = "$dest$" user = "$user$"'
+    earliest_offset: $info_min_time$
+    latest_offset: $info_max_time$
+  - name: View risk events for the last 7 days for - "$dest$" and "$user$"
+    search:
+      '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$",
+      "$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time)
+      as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk
+      Message" values(analyticstories) as "Analytic Stories" values(annotations._all)
+      as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics"
+      by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+    earliest_offset: $info_min_time$
+    latest_offset: $info_max_time$
 rba:
   message: Modified/added/deleted registry entry $registry_path$ on $dest$
   risk_objects:
-  - field: dest
-    type: system
-    score: 80
-  - field: user
-    type: user
-    score: 80
+    - field: dest
+      type: system
+      score: 80
+    - field: user
+      type: user
+      score: 80
   threat_objects: []
 tags:
   analytic_story:
-  - Windows Defense Evasion Tactics
-  - CISA AA23-347A
-  - Windows Registry Abuse
+    - Windows Defense Evasion Tactics
+    - CISA AA23-347A
+    - Windows Registry Abuse
   asset_type: Endpoint
   mitre_attack_id:
-  - T1112
+    - T1112
   product:
-  - Splunk Enterprise
-  - Splunk Enterprise Security
-  - Splunk Cloud
+    - Splunk Enterprise
+    - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: endpoint
 tests:
-- name: True Positive Test
-  attack_data:
-  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/minint_reg/sysmon.log
-    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
-    sourcetype: XmlWinEventLog
+  - name: True Positive Test
+    attack_data:
+      - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/minint_reg/sysmon.log
+        source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+        sourcetype: XmlWinEventLog

detections/endpoint/disable_show_hidden_files.yml

@@ -1,20 +1,22 @@
 name: Disable Show Hidden Files
 id: 6f3ccfa2-91fe-11eb-8f9b-acde48001122
-version: 11
-date: '2025-02-10'
+version: 12
+date: '2025-04-22'
 author: Teoderick Contreras, Splunk, Steven Dick
 status: production
 type: Anomaly
-description: The following analytic detects modifications to the Windows registry
+description:
+  The following analytic detects modifications to the Windows registry
   that disable the display of hidden files. It leverages data from the Endpoint.Registry
   data model, specifically monitoring changes to registry paths associated with hidden
   file settings. This activity is significant because malware, such as worms and trojan
   spyware, often use hidden files to evade detection. If confirmed malicious, this
   behavior could allow an attacker to conceal malicious files on the system, making
   it harder for security tools and analysts to identify and remove the threat.
 data_source:
-- Sysmon EventID 13
-search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
+  - Sysmon EventID 13
+search:
+  '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
   as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden"
   OR (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt"
   Registry.registry_value_data = "0x00000001") OR (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden"
@@ -24,58 +26,60 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime
   Registry.registry_value_type Registry.status Registry.user Registry.vendor_product
   | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)`
   | `security_content_ctime(lastTime)` | `disable_show_hidden_files_filter`'
-how_to_implement: To successfully implement this search, you need to be ingesting
+how_to_implement:
+  To successfully implement this search, you need to be ingesting
   logs with the registry value name, registry path, and registry value data from your
   endpoints. If you are using Sysmon, you must have at least version 2.0 of the official
   Sysmon TA. https://splunkbase.splunk.com/app/5709
 known_false_positives: unknown
 references:
-- https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/W32~Tiotua-P/detailed-analysis
+  - https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/W32~Tiotua-P/detailed-analysis
 drilldown_searches:
-- name: View the detection results for - "$dest$"
-  search: '%original_detection_search% | search  dest = "$dest$"'
-  earliest_offset: $info_min_time$
-  latest_offset: $info_max_time$
-- name: View risk events for the last 7 days for - "$dest$"
-  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
-    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
-    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
-    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
-    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
-    | `security_content_ctime(lastTime)`'
-  earliest_offset: $info_min_time$
-  latest_offset: $info_max_time$
+  - name: View the detection results for - "$dest$"
+    search: '%original_detection_search% | search  dest = "$dest$"'
+    earliest_offset: $info_min_time$
+    latest_offset: $info_max_time$
+  - name: View risk events for the last 7 days for - "$dest$"
+    search:
+      '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+      starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
+      values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+      as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+      as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+      | `security_content_ctime(lastTime)`'
+    earliest_offset: $info_min_time$
+    latest_offset: $info_max_time$
 rba:
   message: Disabled 'Show Hidden Files' on $dest$
   risk_objects:
-  - field: dest
-    type: system
-    score: 40
+    - field: dest
+      type: system
+      score: 40
   threat_objects: []
 tags:
   analytic_story:
-  - Windows Defense Evasion Tactics
-  - Windows Registry Abuse
-  - Azorult
+    - Windows Defense Evasion Tactics
+    - Windows Registry Abuse
+    - Azorult
   asset_type: Endpoint
   mitre_attack_id:
-  - T1112
-  - T1562.001
-  - T1564.001
+    - T1112
+    - T1562.001
+    - T1564.001
   product:
-  - Splunk Enterprise
-  - Splunk Enterprise Security
-  - Splunk Cloud
+    - Splunk Enterprise
+    - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: endpoint
 tests:
-- name: True Positive Test
-  attack_data:
-  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-security.log
-    source: WinEventLog:Security
-    sourcetype: WinEventLog
-  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-system.log
-    source: WinEventLog:System
-    sourcetype: WinEventLog
-  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log
-    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
-    sourcetype: XmlWinEventLog
+  - name: True Positive Test
+    attack_data:
+      - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-security.log
+        source: WinEventLog:Security
+        sourcetype: WinEventLog
+      - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-system.log
+        source: WinEventLog:System
+        sourcetype: WinEventLog
+      - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log
+        source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+        sourcetype: XmlWinEventLog