
Commit cace3d9

Branch was auto-updated.
2 parents b325d6e + 433973d commit cace3d9

28 files changed

+36
-115
lines changed

detections/endpoint/7zip_commandline_to_smb_share_path.yml

Lines changed: 4 additions & 4 deletions
Original file line number | Diff line number | Diff line change
@@ -41,13 +41,13 @@ tags:
4141
- T1560
4242
observable:
4343
- name: dest
44-
type: Hostname
44+
type: Endpoint
4545
role:
4646
- Victim
47-
- name: SourceImage
48-
type: Process
47+
- name: user
48+
type: User
4949
role:
50-
- Attacker
50+
- Victim
5151
product:
5252
- Splunk Enterprise
5353
- Splunk Enterprise Security
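Review bot: the observable block now names `user` (type `User`, role `Victim`), but nothing in this hunk shows that the detection's search emits a `user` field; confirm the search's `by` clause includes `Processes.user` (as the `any_powershell_*` searches in this same commit do), otherwise the observable is empty in the notable. Removing the `SourceImage`/`Process` entry also removes the only `Attacker`-role observable, so the detection now attributes everything to the victim host and user; if that is intended, say so in the description.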

detections/endpoint/active_setup_registry_autostart.yml

Lines changed: 2 additions & 2 deletions
@@ -14,7 +14,7 @@ description: This analytic is to detect a suspicious modification of the active
1414
valid setup installer that creating or modifying this registry.
1515
data_source:
1616
- Sysmon Event ID 1
17-
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_value_name= "StubPath" Registry.registry_path = "*\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components*") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid
17+
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_value_name= "StubPath" Registry.registry_path = "*\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components*") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest Registry.user
1818
| `drop_dm_object_name(Registry)`
1919
| `security_content_ctime(firstTime)`
2020
| `security_content_ctime(lastTime)`| `active_setup_registry_autostart_filter`'
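Review bot: appending `Registry.dest Registry.user` to the `BY` clause is what lets `$dest$` resolve after `drop_dm_object_name(Registry)`, so this pairs correctly with the `message` change later in this file. Separately, `data_source` on line 16 still lists `Sysmon Event ID 1` (process creation) for a search over `Endpoint.Registry`; registry writes are Sysmon Event IDs 12/13, so update the data source list in the same change.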
@@ -35,7 +35,7 @@ tags:
3535
asset_type: Endpoint
3636
confidence: 80
3737
impact: 80
38-
message: modified/added/deleted registry entry $Registry.registry_path$ in $dest$
38+
message: modified/added/deleted registry entry $registry_path$ in $dest$
3939
mitre_attack_id:
4040
- T1547.014
4141
- T1547
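Review bot: `$registry_path$` is the correct token here because `drop_dm_object_name(Registry)` in the search strips the `Registry.` prefix before the alert message is rendered; the previous `$Registry.registry_path$` could never resolve. The message also uses `$dest$`, which exists only because `Registry.dest` was added to the `BY` clause in the other hunk of this file, so the two hunks must land together.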

detections/endpoint/add_defaultuser_and_password_in_registry.yml

Lines changed: 1 addition & 1 deletion
@@ -13,7 +13,7 @@ description: this search is to detect a suspicious registry modification to impl
1313
premise.
1414
data_source:
1515
- Sysmon Event ID 1
16-
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*" AND Registry.registry_value_name= DefaultPassword OR Registry.registry_value_name= DefaultUserName) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid
16+
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*" AND Registry.registry_value_name= DefaultPassword OR Registry.registry_value_name= DefaultUserName) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.dest Registry.registry_value_data Registry.process_guid
1717
| `drop_dm_object_name(Registry)`
1818
| `security_content_ctime(firstTime)`
1919
| `security_content_ctime(lastTime)`
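Review bot: only `Registry.dest` is added here, in the middle of the `BY` list, whereas the other registry detections in this commit append `Registry.dest Registry.user`; without `Registry.user` any `$user$` token or `user` observable in this file stays empty, so add it for consistency. While touching this line, parenthesize the value-name alternatives, `(Registry.registry_value_name= DefaultPassword OR Registry.registry_value_name= DefaultUserName)`, so that the `Winlogon` path filter unambiguously applies to both terms instead of relying on boolean precedence.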

detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml

Lines changed: 1 addition & 1 deletion
@@ -11,7 +11,7 @@ description: This analytic detects a potential suspicious modification of firewa
1111
by allowing the traffic in a firewall rule.
1212
data_source:
1313
- Sysmon Event ID 1
14-
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\*" Registry.registry_value_data = "*|Action=Allow|*" Registry.registry_value_data = "*|Dir=In|*" Registry.registry_value_data = "*|LPort=*") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid
14+
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\*" Registry.registry_value_data = "*|Action=Allow|*" Registry.registry_value_data = "*|Dir=In|*" Registry.registry_value_data = "*|LPort=*") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest Registry.user
1515
| `drop_dm_object_name(Registry)`
1616
| `security_content_ctime(firstTime)`
1717
| `security_content_ctime(lastTime)`
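Review bot: the `BY` change matches the other registry searches in this commit. Since `count` is now grouped per `dest` and `user` as well, a host where several accounts touch `FirewallRules` yields one row per user rather than one aggregate row, which is the right granularity for a notable, but the `message` and `observable` entries in this file (not in the hunk) should then reference `$user$` and name `user`, or the extra key is never surfaced.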

detections/endpoint/allow_inbound_traffic_in_firewall_rule.yml

Lines changed: 1 addition & 1 deletion
@@ -34,7 +34,7 @@ tags:
3434
- T1021.001
3535
- T1021
3636
observable:
37-
- name: user
37+
- name: User
3838
type: User
3939
role:
4040
- Victim
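Review bot: this looks like a regression rather than a fix. The observable `name` must match the field the search outputs, which is `user` (from `Processes.user` after `drop_dm_object_name`); `User` is the observable `type`, already set on the next line. The `7zip_commandline_to_smb_share_path.yml` change in this same commit uses `- name: user` / `type: User`, so revert this line to `- name: user`.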

detections/endpoint/allow_operation_with_consent_admin.yml

Lines changed: 1 addition & 1 deletion
@@ -12,7 +12,7 @@ description: This analytic identifies a potential privilege escalation attempt t
1212
machine.
1313
data_source:
1414
- Sysmon Event ID 1
15-
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\Microsoft\\Windows\\CurrentVersion\\Policies\\System*" Registry.registry_value_name = ConsentPromptBehaviorAdmin Registry.registry_value_data = "0x00000000") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid
15+
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\Microsoft\\Windows\\CurrentVersion\\Policies\\System*" Registry.registry_value_name = ConsentPromptBehaviorAdmin Registry.registry_value_data = "0x00000000") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest Registry.user
1616
| `drop_dm_object_name(Registry)`
1717
| `security_content_ctime(firstTime)`
1818
| `security_content_ctime(lastTime)`
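Review bot: the new `BY` fields are appended consistently. Unrelated to the added fields but visible on the same line, the filter `Registry.registry_value_data = "0x00000000"` is an exact match; Sysmon reports DWORD values in its `Details` field as `DWORD (0x00000000)`, so verify that the add-on normalizes `registry_value_data` to the bare hex form before relying on this equality, and consider documenting that in `how_to_implement`.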

detections/endpoint/any_powershell_downloadfile.yml

Lines changed: 1 addition & 1 deletion
@@ -14,7 +14,7 @@ data_source:
1414
- Sysmon Event ID 1
1515
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
1616
as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process=*DownloadFile*
17-
by Processes.dest Processes.user Processes.parent_process Processes.process_name
17+
by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_name
1818
Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id
1919
| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`|
2020
`any_powershell_downloadfile_filter`'
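Review bot: `Processes.parent_process_name` is added to the `by` clause but nothing in the hunk consumes it; if the intent is to show the parent in the notable, also reference it in the `message` or `observable` block (not in this hunk). Otherwise the extra group-by key only fans out `count` without changing what the analyst sees.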

detections/endpoint/any_powershell_downloadstring.yml

Lines changed: 1 addition & 1 deletion
@@ -14,7 +14,7 @@ data_source:
1414
- Sysmon Event ID 1
1515
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
1616
as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process=*.DownloadString* by
17-
Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name
17+
Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name
1818
Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)`
1919
| `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `any_powershell_downloadstring_filter`'
2020
how_to_implement: To successfully implement this search you need to be ingesting information
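Review bot: field order in `by` has no effect on results, but here `Processes.parent_process_name` is inserted before `Processes.process_name` while `any_powershell_downloadfile.yml` in this commit appends it after; use the same order in both files so the sibling detections stay diff-friendly.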

detections/endpoint/attempt_to_add_certificate_to_untrusted_store.yml

Lines changed: 1 addition & 2 deletions
@@ -10,8 +10,7 @@ data_source:
1010
- Sysmon Event ID 1
1111
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime values(Processes.process)
1212
as process max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil`
13-
(Processes.process=*-addstore*) by Processes.dest Processes.user Processes.parent_process
14-
Processes.process_name Processes.process Processes.process_id Processes.parent_process_id
13+
(Processes.process=*-addstore*) by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id
1514
| `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)`
1615
| `attempt_to_add_certificate_to_untrusted_store_filter`'
1716
how_to_implement: You must be ingesting data that records process activity from your
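Review bot: folding the two wrapped lines into one long line adds noise to the diff for a one-field change; keep the original wrap and add `Processes.parent_process_name` in place. Also, unlike the other process detections touched in this commit, this `by` clause omits `Processes.original_file_name`, so a renamed `certutil.exe` binary would still match `process_certutil` but the notable would not show the PE's original name; add it for parity.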

detections/endpoint/attempt_to_stop_security_service.yml

Lines changed: 1 addition & 1 deletion
@@ -12,7 +12,7 @@ data_source:
1212
search: '| tstats `security_content_summariesonly` values(Processes.process) as process
1313
min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
1414
where `process_net` OR Processes.process_name = sc.exe Processes.process="* stop
15-
*" by Processes.dest Processes.user Processes.parent_process Processes.process_name
15+
*" by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name
1616
Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id
1717
| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
1818
|lookup security_services_lookup service as process OUTPUTNEW category, description
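Review bot: the `where` clause mixes `OR` with an implicit `AND` and no parentheses, so whether `Processes.process="* stop *"` applies to the `process_net` branch as well depends on Splunk's boolean precedence; write it explicitly as ``(`process_net` OR Processes.process_name = sc.exe) Processes.process="* stop *"`` so that a plain `net.exe` invocation without `stop` cannot match. The added `Processes.parent_process_name` is otherwise consistent with the rest of the commit.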
