splunk · tccontre · Oct 31, 2025 · Oct 31, 2025 · Oct 31, 2025
@@ -1,7 +1,7 @@
 name: Cisco NVM - Suspicious Network Connection to IP Lookup Service API
 id: 568cb83e-d79e-4a23-85ec-6e1f6c30cb2f
-version: 3
-date: '2025-09-09'
+version: 4
+date: '2025-10-31'
 author: Nasreddine Bencherchali, Splunk, Janantha Marasinghe
 status: production
 type: Anomaly
@@ -14,7 +14,7 @@ description: |
   The detection relies on Cisco Network Visibility Module (NVM) telemetry and excludes known browser
   processes to reduce noise.
 data_source:
-  - Cisco Network Visibility Module Flow Data
+- Cisco Network Visibility Module Flow Data
 search: |
   `cisco_network_visibility_module_flowdata`
   dest_hostname IN (
@@ -64,45 +64,48 @@ known_false_positives: |
   Internal scripts or agents performing network checks may query IP geolocation services.
   Tune by excluding known tools or adding internal allowlists for destination domains or process names and commandlines.
 references:
-  - https://github.com/SigmaHQ/sigma/blob/master/rules/windows/network_connection/net_connection_win_domain_external_ip_lookup.yml
-  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-302a
+- https://github.com/SigmaHQ/sigma/blob/master/rules/windows/network_connection/net_connection_win_domain_external_ip_lookup.yml
+- https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-302a
 drilldown_searches:
-  - name: View the detection results for - "$src$"
-    search: '%original_detection_search% | search  src = "$src$"'
-    earliest_offset: $info_min_time$
-    latest_offset: $info_max_time$
-  - name: View risk events for the last 7 days for - "$src$"
-    search:
-      '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168  | stats count min(_time)
-      as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message)
-      as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all)
-      as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics"
-      by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
-    earliest_offset: $info_min_time$
-    latest_offset: $info_max_time$
+- name: View the detection results for - "$src$"
+  search: '%original_detection_search% | search  src = "$src$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$src$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$")
+    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
+    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
 rba:
-  message: The host $src$ made a network request to IP lookup service $dest_hostname$ using suspicious process $process_path$
+  message: The host $src$ made a network request to IP lookup service 
+    $dest_hostname$ using suspicious process $process_path$
   risk_objects:
-    - field: src
-      type: system
-      score: 40
+  - field: src
+    type: system
+    score: 40
   threat_objects:
-    - field: process_name
-      type: process_name
+  - field: process_name
+    type: process_name
 tags:
   analytic_story:
-    - Cisco Network Visibility Module Analytics
+  - Cisco Network Visibility Module Analytics
+  - Castle RAT
   asset_type: Endpoint
   mitre_attack_id:
-    - T1590.005
-    - T1016
+  - T1590.005
+  - T1016
   product:
-    - Splunk Enterprise
-    - Splunk Enterprise Security
+  - Splunk Enterprise
+  - Splunk Enterprise Security
   security_domain: endpoint
 tests:
-  - name: True Positive Test - Cisco NVM
-    attack_data:
-      - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_network_visibility_module/cisco_nvm_flowdata/nvm_flowdata.log
-        source: not_applicable
-        sourcetype: cisco:nvm:flowdata
+- name: True Positive Test - Cisco NVM
+  attack_data:
+  - data: 
+      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_network_visibility_module/cisco_nvm_flowdata/nvm_flowdata.log
+    source: not_applicable
+    sourcetype: cisco:nvm:flowdata
@@ -1,7 +1,7 @@
 name: Executables Or Script Creation In Suspicious Path
 id: a7e3f0f0-ae42-11eb-b245-acde48001122
-version: 19
-date: '2025-09-30'
+version: 20
+date: '2025-10-31'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -117,6 +117,7 @@ tags:
   - PromptLock
   - GhostRedirector IIS Module and Rungan Backdoor
   - Lokibot
+  - Castle RAT
   asset_type: Endpoint
   mitre_attack_id:
   - T1036

@@ -1,27 +1,28 @@
 name: Schedule Task with Rundll32 Command Trigger
 id: 75b00fd8-a0ff-11eb-8b31-acde48001122
-version: 6
-date: '2025-05-02'
+version: 7
+date: '2025-10-31'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
-description: The following analytic detects the creation of scheduled tasks in Windows
-  that use the rundll32 command. It leverages Windows Security EventCode 4698, which
-  logs the creation of scheduled tasks, and filters for tasks executed via rundll32.
-  This activity is significant as it is a common technique used by malware, such as
-  TrickBot, to persist in an environment or deliver additional payloads. If confirmed
-  malicious, this could lead to data theft, ransomware deployment, or other damaging
-  outcomes. Immediate investigation and mitigation are crucial to prevent further
-  compromise.
+description: The following analytic detects the creation of scheduled tasks in 
+  Windows that use the rundll32 command. It leverages Windows Security EventCode
+  4698, which logs the creation of scheduled tasks, and filters for tasks 
+  executed via rundll32. This activity is significant as it is a common 
+  technique used by malware, such as TrickBot, to persist in an environment or 
+  deliver additional payloads. If confirmed malicious, this could lead to data 
+  theft, ransomware deployment, or other damaging outcomes. Immediate 
+  investigation and mitigation are crucial to prevent further compromise.
 data_source:
 - Windows Event Log Security 4698
 search: '`wineventlog_security` EventCode=4698 | xmlkv Message | search Command IN
   ("*rundll32*") | stats count min(_time) as firstTime max(_time) as lastTime by dest,
   Task_Name, Command, Author, Enabled, Hidden, Arguments | `security_content_ctime(firstTime)`
   | `security_content_ctime(lastTime)` | `schedule_task_with_rundll32_command_trigger_filter`'
-how_to_implement: To successfully implement this search, you need to be ingesting
-  logs with the task schedule (Exa. Security Log EventCode 4698) endpoints. Tune and
-  filter known instances of Task schedule used in your environment.
+how_to_implement: To successfully implement this search, you need to be 
+  ingesting logs with the task schedule (Exa. Security Log EventCode 4698) 
+  endpoints. Tune and filter known instances of Task schedule used in your 
+  environment.
 known_false_positives: unknown
 references:
 - https://labs.vipre.com/trickbot-and-its-modules/
@@ -41,8 +42,8 @@ drilldown_searches:
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
 rba:
-  message: A scheduled task process commandline rundll32 arguments $Arguments$ on
-    host $dest$
+  message: A scheduled task process commandline rundll32 arguments $Arguments$ 
+    on host $dest$
   risk_objects:
   - field: dest
     type: system
@@ -56,6 +57,7 @@ tags:
   - Scheduled Tasks
   - Compromised Windows Host
   - Trickbot
+  - Castle RAT
   asset_type: Endpoint
   mitre_attack_id:
   - T1053

@@ -1,35 +1,34 @@
 name: Windows Anonymous Pipe Activity
 id: ee301e1e-cd81-4011-a911-e5f049b9e3d5
-version: 4
-date: '2025-08-07'
+version: 5
+date: '2025-10-31'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
-description: "The following analytic detects the creation or connection of anonymous\
-  \ pipes for inter-process communication (IPC) within a Windows environment. Anonymous\
-  \ pipes are commonly used by legitimate system processes, services, and applications\
-  \ to transfer data between related processes. However, adversaries frequently abuse\
-  \ anonymous pipes to facilitate stealthy process injection, command-and-control\
-  \ (C2) communication, credential theft, or privilege escalation. This detection\
-  \ monitors for unusual anonymous pipe activity, particularly involving non-system\
-  \ processes, unsigned executables, or unexpected parent-child process relationships.\
-  \ While legitimate use cases exist\u2014such as Windows services, software installers,\
-  \ or security tools\u2014unusual or high-frequency anonymous pipe activity should\
-  \ be investigated for potential malware, persistence mechanisms, or lateral movement\
-  \ techniques."
+description: "The following analytic detects the creation or connection of anonymous
+  pipes for inter-process communication (IPC) within a Windows environment. Anonymous
+  pipes are commonly used by legitimate system processes, services, and applications
+  to transfer data between related processes. However, adversaries frequently abuse
+  anonymous pipes to facilitate stealthy process injection, command-and-control (C2)
+  communication, credential theft, or privilege escalation. This detection monitors
+  for unusual anonymous pipe activity, particularly involving non-system processes,
+  unsigned executables, or unexpected parent-child process relationships. While legitimate
+  use cases exist—such as Windows services, software installers, or security tools—unusual
+  or high-frequency anonymous pipe activity should be investigated for potential malware,
+  persistence mechanisms, or lateral movement techniques."
 data_source:
 - Sysmon EventID 17
 - Sysmon EventID 18
 search: '`sysmon` EventCode IN (17,18) EventType IN ( "CreatePipe", "ConnectPipe")
-  PipeName="*Anonymous Pipe*" NOT( Image IN ("*\\Program Files\\*")) | stats  min(_time)
-  as firstTime max(_time) as lastTime count by dest EventCode PipeName ProcessGuid
-  ProcessId Image EventType | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
-  | `windows_anonymous_pipe_activity_filter`'
-how_to_implement: To successfully implement this search, you need to be ingesting
-  logs with the process name and pipename from your endpoints. If you are using Sysmon,
-  you must have at least version 6.0.4 of the Sysmon TA. .
-known_false_positives: Automation tool might use anonymous pipe for task orchestration
-  or process communication.
+  PipeName="*Anonymous Pipe*" NOT( Image IN ("C:\\Program Files*", "C:\\Windows\\system32\\*","C:\\Windows\\syswow64\\*"))
+  | stats  min(_time) as firstTime max(_time) as lastTime count by dest EventCode
+  PipeName ProcessGuid ProcessId Image EventType | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)` | `windows_anonymous_pipe_activity_filter`'
+how_to_implement: To successfully implement this search, you need to be 
+  ingesting logs with the process name and pipename from your endpoints. If you 
+  are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. .
+known_false_positives: Automation tool might use anonymous pipe for task 
+  orchestration or process communication.
 references:
 - https://www.trendmicro.com/en_nl/research/24/k/earth-estries.html
 drilldown_searches:
@@ -52,6 +51,7 @@ tags:
   - China-Nexus Threat Activity
   - SnappyBee
   - Interlock Rat
+  - Castle RAT
   asset_type: Endpoint
   mitre_attack_id:
   - T1559
@@ -63,6 +63,7 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1559/anonymous_pipe/anonymouspipe.log
+  - data: 
+      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1559/anonymous_pipe/anonymouspipe.log
     sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
     source: XmlWinEventLog
@@ -1,20 +1,20 @@
 name: Windows Disable or Stop Browser Process
 id: 220d34b7-b6c7-45fe-8dbb-c35cdd9fe6d5
-version: 6
-date: '2025-10-14'
+version: 7
+date: '2025-10-31'
 author: Teoderick Contreras, Splunk
 data_source:
 - Sysmon EventID 1
 type: TTP
 status: production
-description: The following analytic detects the use of the taskkill command in a process
-  command line to terminate several known browser processes, a technique commonly
-  employed by the Braodo stealer malware to steal credentials. By forcefully closing
-  browsers like Chrome, Edge, and Firefox, the malware can unlock files that store
-  sensitive information, such as passwords and login data. This detection focuses
-  on identifying taskkill commands targeting these browsers, signaling malicious intent.
-  Early detection allows security teams to investigate and prevent further credential
-  theft and system compromise.
+description: The following analytic detects the use of the taskkill command in a
+  process command line to terminate several known browser processes, a technique
+  commonly employed by the Braodo stealer malware to steal credentials. By 
+  forcefully closing browsers like Chrome, Edge, and Firefox, the malware can 
+  unlock files that store sensitive information, such as passwords and login 
+  data. This detection focuses on identifying taskkill commands targeting these 
+  browsers, signaling malicious intent. Early detection allows security teams to
+  investigate and prevent further credential theft and system compromise.
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
   as lastTime from datamodel=Endpoint.Processes where Processes.process = "*taskkill*"
   Processes.process IN("*chrome.exe","*firefox.exe","*brave.exe","*opera.exe","*msedge.exe","*chromium.exe")
@@ -25,17 +25,18 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime
   Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
   | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
   | `windows_disable_or_stop_browser_process_filter`'
-how_to_implement: The detection is based on data that originates from Endpoint Detection
-  and Response (EDR) agents. These agents are designed to provide security-related
-  telemetry from the endpoints where the agent is installed. To implement this search,
-  you must ingest logs that contain the process GUID, process name, and parent process.
-  Additionally, you must ingest complete command-line executions. These logs must
-  be processed using the appropriate Splunk Technology Add-ons that are specific to
-  the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
-  data model. Use the Splunk Common Information Model (CIM) to normalize the field
-  names and speed up the data modeling process.
-known_false_positives: Admin or user may choose to terminate browser via taskkill.exe.
-  Filter as needed.
+how_to_implement: The detection is based on data that originates from Endpoint 
+  Detection and Response (EDR) agents. These agents are designed to provide 
+  security-related telemetry from the endpoints where the agent is installed. To
+  implement this search, you must ingest logs that contain the process GUID, 
+  process name, and parent process. Additionally, you must ingest complete 
+  command-line executions. These logs must be processed using the appropriate 
+  Splunk Technology Add-ons that are specific to the EDR product. The logs must 
+  also be mapped to the `Processes` node of the `Endpoint` data model. Use the 
+  Splunk Common Information Model (CIM) to normalize the field names and speed 
+  up the data modeling process.
+known_false_positives: Admin or user may choose to terminate browser via 
+  taskkill.exe. Filter as needed.
 references:
 - https://x.com/suyog41/status/1825869470323056748
 - https://g0njxa.medium.com/from-vietnam-to-united-states-malware-fraud-and-dropshipping-98b7a7b2c36d
@@ -54,7 +55,8 @@ drilldown_searches:
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
 rba:
-  message: A process commandline- [$process$] that tries to kill browser on [$dest$].
+  message: A process commandline- [$process$] that tries to kill browser on 
+    [$dest$].
   risk_objects:
   - field: user
     type: user
@@ -68,6 +70,7 @@ tags:
   - Braodo Stealer
   - Scattered Lapsus$ Hunters
   - Hellcat Ransomware
+  - Castle RAT
   asset_type: Endpoint
   mitre_attack_id:
   - T1562.001
@@ -79,6 +82,7 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/taskkill_browser/braodo_taskkill.log
+  - data: 
+      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/taskkill_browser/braodo_taskkill.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
     sourcetype: XmlWinEventLog