Merge pull request #3291 from splunk/analytics_enhancement

analytics_enhancement

detections/endpoint/known_services_killed_by_ransomware.yml → detections/deprecated/known_services_killed_by_ransomware.yml

@@ -1,11 +1,11 @@
 name: Known Services Killed by Ransomware
 id: 3070f8e0-c528-11eb-b2a0-acde48001122
-version: 7
-date: '2024-12-10'
+version: 8
+date: '2025-02-07'
 author: Teoderick Contreras, Splunk
-status: production
+status: deprecated
 type: TTP
-description: The following analytic detects the suspicious termination of known services
+description: This analytic has been deprecated in favor of a new analytic - Windows Security And Backup Services Stop. The following analytic detects the suspicious termination of known services
   commonly targeted by ransomware before file encryption. It leverages Windows System
   Event Logs (EventCode 7036) to identify when critical services such as Volume Shadow
   Copy, backup, and antivirus services are stopped. This activity is significant because
@@ -75,4 +75,4 @@ tests:
   - data: 
       https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/known_services_killed_by_ransomware/windows-xml.log
     source: XmlWinEventLog:System
-    sourcetype: XmlWinEventLog
+    sourcetype: XmlWinEventLog

detections/endpoint/suspicious_driver_loaded_path.yml → detections/deprecated/suspicious_driver_loaded_path.yml

@@ -1,11 +1,11 @@
 name: Suspicious Driver Loaded Path
 id: f880acd4-a8f1-11eb-a53b-acde48001122
-version: 4
-date: '2024-11-13'
+version: 6
+date: '2025-02-06'
 author: Teoderick Contreras, Splunk
-status: production
+status: deprecated
 type: TTP
-description: The following analytic detects the loading of drivers from suspicious
+description: This search has been deprecated in favour of - Windows Suspicious Driver Loaded Path. The following analytic detects the loading of drivers from suspicious
   paths, which is a technique often used by malicious software such as coin miners
   (e.g., xmrig). It leverages Sysmon EventCode 6 to identify drivers loaded from non-standard
   directories. This activity is significant because legitimate drivers typically reside

detections/endpoint/suspicious_process_file_path.yml → detections/deprecated/suspicious_process_file_path.yml

@@ -1,11 +1,11 @@
 name: Suspicious Process File Path
 id: 9be25988-ad82-11eb-a14f-acde48001122
-version: 6
-date: '2024-12-10'
+version: 7
+date: '2025-02-10'
 author: Teoderick Contreras, Splunk
-status: production
+status: deprecated
 type: TTP
-description: The following analytic identifies processes running from file paths not
+description: This search has been deprecated in favour of -  Windows Suspicious Process File Path. The following analytic identifies processes running from file  paths not
   typically associated with legitimate software. It leverages data from Endpoint Detection
   and Response (EDR) agents, focusing on specific process paths within the Endpoint
   data model. This activity is significant because adversaries often use unconventional
@@ -117,4 +117,4 @@ tests:
   - data: 
       https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
-    sourcetype: XmlWinEventLog
+    sourcetype: XmlWinEventLog

detections/endpoint/linux_auditd_file_permissions_modification_via_chattr.yml

@@ -1,10 +1,10 @@
 name: Linux Auditd File Permissions Modification Via Chattr
 id: f2d1110d-b01c-4a58-9975-90a9edeb083a
-version: 3
-date: '2025-01-16'
+version: 4
+date: '2025-02-03'
 author: Teoderick Contreras, Splunk
 status: production
-type: TTP
+type: Anomaly
 description: The following analytic detects suspicious file permissions modifications using the chattr command, which may indicate an attacker attempting to manipulate file attributes to evade detection or prevent alteration. The chattr command can be used to make files immutable or restrict deletion, which can be leveraged to protect malicious files or disrupt system operations. By monitoring for unusual or unauthorized chattr usage, this analytic helps identify potential tampering with critical files, enabling security teams to quickly respond to and mitigate threats associated with unauthorized file attribute changes.
 data_source:
 - Linux Auditd Execve
@@ -28,7 +28,7 @@ rba:
   risk_objects:
   - field: dest
     type: system
-    score: 49
+    score: 30
   threat_objects: []
 tags:
   analytic_story:

detections/endpoint/linux_auditd_find_credentials_from_password_managers.yml

@@ -1,14 +1,14 @@
 name: Linux Auditd Find Credentials From Password Managers
 id: 784241aa-85a5-4782-a503-d071bd3446f9
-version: 3
-date: '2025-01-16'
+version: 4
+date: '2025-02-03'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
 description: The following analytic detects suspicious attempts to find credentials stored in password managers, which may indicate an attacker's effort to retrieve sensitive login information. Password managers are often targeted by adversaries seeking to access stored passwords for further compromise or lateral movement within a network. By monitoring for unusual or unauthorized access to password manager files or processes, this analytic helps identify potential credential theft attempts, enabling security teams to respond quickly to protect critical accounts and prevent further unauthorized access.
 data_source:
 - Linux Auditd Execve
-search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | rename comm as process_name | rename exe as process | where  (LIKE (process_exec, "%find%") OR LIKE (process_exec, "%grep%")) AND (LIKE (process_exec, "%.kdbx%") OR LIKE (process_exec, "%KeePass%") OR LIKE (process_exec, "%KeePass\.enforced%") OR LIKE (process_exec, "%.lpdb%")OR LIKE (process_exec, "%.opvault%")OR LIKE (process_exec, "%.agilekeychain%")OR LIKE (process_exec, "%.dashlane%")OR LIKE (process_exec, "%.rfx%")OR LIKE (process_exec, "%passbolt%")OR LIKE (process_exec, "%.spdb%")OR LIKE (process_exec, "%StickyPassword%")OR LIKE (process_exec, "%.walletx%")OR LIKE (process_exec, "%enpass%")OR LIKE (process_exec, "%vault%")OR LIKE (process_exec, "%.kdb%")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_find_credentials_from_password_managers_filter`'
+search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | rename comm as process_name | rename exe as process | where  (LIKE (process_exec, "%find%") OR LIKE (process_exec, "%grep%")) AND (LIKE (process_exec, "%.kdbx%") OR LIKE (process_exec, "%KeePass%") OR LIKE (process_exec, "%.enforced%") OR LIKE (process_exec, "%.lpdb%")OR LIKE (process_exec, "%.opvault%")OR LIKE (process_exec, "%.agilekeychain%")OR LIKE (process_exec, "%.dashlane%")OR LIKE (process_exec, "%.rfx%")OR LIKE (process_exec, "%passbolt%")OR LIKE (process_exec, "%.spdb%")OR LIKE (process_exec, "%StickyPassword%")OR LIKE (process_exec, "%.walletx%")OR LIKE (process_exec, "%enpass%")OR LIKE (process_exec, "%vault%")OR LIKE (process_exec, "%.kdb%")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_find_credentials_from_password_managers_filter`'
 how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names  to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
 known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.
 references:

detections/endpoint/linux_auditd_hidden_files_and_directories_creation.yml

@@ -1,10 +1,10 @@
 name: Linux Auditd Hidden Files And Directories Creation
 id: 555cc358-bf16-4e05-9b3a-0f89c73b7261
-version: 4
-date: '2025-01-16'
+version: 5
+date: '2025-02-03'
 author: Teoderick Contreras, Splunk
 status: production
-type: TTP
+type: Anomaly
 description: The following analytic detects suspicious creation of hidden files and directories, which may indicate an attacker's attempt to conceal malicious activities or unauthorized data. Hidden files and directories are often used to evade detection by security tools and administrators, providing a stealthy means for storing malware, logs, or sensitive information. By monitoring for unusual or unauthorized creation of hidden files and directories, this analytic helps identify potential attempts to hide or unauthorized creation of hidden files and directories, this analytic helps identify potential attempts to hide malicious operations, enabling security teams to uncover and address hidden threats effectively.
 data_source:
 - Linux Auditd Execve
@@ -28,7 +28,7 @@ rba:
   risk_objects:
   - field: dest
     type: system
-    score: 64
+    score: 30
   threat_objects: []
 tags:
   analytic_story:

detections/endpoint/linux_auditd_service_started.yml

@@ -1,10 +1,10 @@
 name: Linux Auditd Service Started
 id: b5eed06d-5c97-4092-a3a1-fa4b7e77c71a
-version: 3
-date: '2024-11-13'
+version: 4
+date: '2025-02-03'
 author: Teoderick Contreras, Splunk
 status: production
-type: TTP
+type: Anomaly
 description: The following analytic detects the suspicious service started. This behavior
   is critical for a SOC to monitor because it may indicate attempts to gain unauthorized
   access or maintain control over a system. Such actions could be signs of malicious
@@ -53,7 +53,7 @@ rba:
   risk_objects:
   - field: dest
     type: system
-    score: 64
+    score: 40
   threat_objects: []
 tags:
   analytic_story:

detections/endpoint/permission_modification_using_takeown_app.yml

@@ -1,10 +1,10 @@
 name: Permission Modification using Takeown App
 id: fa7ca5c6-c9d8-11eb-bce9-acde48001122
-version: 4
-date: '2024-11-13'
+version: 5
+date: '2025-01-27'
 author: Teoderick Contreras, Splunk
 status: production
-type: TTP
+type: Anomaly
 description: The following analytic detects the modification of file or directory
   permissions using the takeown.exe Windows application. It leverages data from Endpoint
   Detection and Response (EDR) agents, focusing on process execution logs that include
@@ -56,7 +56,7 @@ rba:
   risk_objects:
   - field: dest
     type: system
-    score: 56
+    score: 30
   threat_objects:
   - field: process_name
     type: process_name

detections/endpoint/windows_driver_load_non_standard_path.yml

@@ -1,7 +1,7 @@
 name: Windows Driver Load Non-Standard Path
 id: 9216ef3d-066a-4958-8f27-c84589465e62
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-01-27'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -17,7 +17,7 @@ data_source:
 - Windows Event Log System 7045
 search: >-
   `wineventlog_system` EventCode=7045 ServiceType="kernel mode driver"
-  | regex ImagePath!="(?i)^(\w:\\\\Windows\\\\|\w:\\\\Program\sFile|\\\\systemroot\\\\|%SystemRoot%|system32\\\\)"
+  | regex ImagePath!="(?i)^(\w:\\\\Windows\\\\|\w:\\\\Program\sFile|\\\\systemroot\\\\|%SystemRoot%|system32\\\\|\\\\ProgramData\\\\Microsoft\\\\Windows\sDefender\\\\Definition\sUpdates\\\\)"
   | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode
   ImagePath ServiceName ServiceType  | rename Computer as dest  | `security_content_ctime(firstTime)`  |
   `security_content_ctime(lastTime)`  | `windows_driver_load_non_standard_path_filter`

detections/endpoint/windows_process_execution_in_temp_dir.yml

@@ -0,0 +1,88 @@
+name: Windows Process Execution in Temp Dir
+id: f6fbe929-4187-4ba4-901e-8a34be838443
+version: 1
+date: '2025-01-27'
+author: Teoderick Contreras, Splunk
+status: production
+type: Anomaly
+description: The following analytic identifies processes running from %temp% directory file paths. 
+  It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific process paths within the Endpoint
+  data model. This activity is significant because adversaries often use unconventional file paths to execute malicious code without requiring administrative privileges. If confirmed malicious, this behavior could indicate an attempt to bypass security controls, leading to unauthorized software execution, potential system compromise, and further malicious activities within the environment.
+data_source:
+- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes 
+  where Processes.process_path IN("*\\temp\\*")
+  by Processes.parent_process_name Processes.parent_process Processes.process_path Processes.dest Processes.user 
+  | `drop_dm_object_name(Processes)` 
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`
+  | `windows_process_execution_in_temp_dir_filter`'
+how_to_implement: The detection is based on data that originates from Endpoint Detection
+  and Response (EDR) agents. These agents are designed to provide security-related
+  telemetry from the endpoints where the agent is installed. To implement this search,
+  you must ingest logs that contain the process GUID, process name, and parent process.
+  Additionally, you must ingest complete command-line executions. These logs must
+  be processed using the appropriate Splunk Technology Add-ons that are specific to
+  the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
+  data model. Use the Splunk Common Information Model (CIM) to normalize the field
+  names and speed up the data modeling process.
+known_false_positives: Administrators may allow execution of specific binaries in
+  non-standard paths. Filter as needed.
+references:
+- https://www.trendmicro.com/vinfo/hk/threat-encyclopedia/malware/trojan.ps1.powtran.a/
+- https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/
+- https://twitter.com/pr0xylife/status/1590394227758104576
+- https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat
+- https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/
+drilldown_searches:
+- name: View the detection results for - "$dest$"
+  search: '%original_detection_search% | search  dest = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
+    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: Suspicious process $process_name$ running from temp directory-
+    $process_path$ on host- $dest$
+  risk_objects:
+  - field: dest
+    type: system
+    score: 30
+  threat_objects:
+  - field: process_path
+    type: process_name
+tags:
+  analytic_story:
+  - Ryuk Ransomware
+  - Trickbot
+  - Qakbot
+  - AgentTesla
+  - Remcos
+  - NjRAT
+  - Ransomware
+  asset_type: Endpoint
+  mitre_attack_id:
+  - T1543
+  - T1036
+  - T1036.005
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: 
+      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/process_temp_path/process_temp_path.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: XmlWinEventLog

detections/endpoint/windows_security_and_backup_services_stop.yml

@@ -0,0 +1,78 @@
+name: Windows Security And Backup Services Stop
+id: 9c24aef6-cad9-4931-acce-74318aa5663b
+version: 1
+date: '2025-02-07'
+author: Teoderick Contreras, Splunk
+status: production
+type: TTP
+description: The following analytic detects the suspicious termination of known services
+  commonly targeted by ransomware before file encryption. It leverages Windows System
+  Event Logs (EventCode 7036) to identify when critical services such as Volume Shadow
+  Copy, backup, and antivirus services are stopped. This activity is significant because
+  ransomware often disables these services to avoid errors and ensure successful file
+  encryption. If confirmed malicious, this behavior could lead to widespread data
+  encryption, rendering files inaccessible and potentially causing significant operational
+  disruption and data loss.
+data_source:
+- Windows Event Log System 7036
+search: '`wineventlog_system` `normalized_service_binary_field` 
+  | rename param1 as display_name
+  | where param2="stopped" AND (match(display_name, "(?i)(Volume Shadow Copy|VSS|backup|sophos|sql|memtas|mepocs|veeam|svc\$|DefWatch|ccEvtMgr|ccSetMgr|SavRoam|RTVscan|QBFCService|QBIDPService|Intuit\.QuickBooks\.FCS|QBCFMonitorService|YooBackup|YooIT|Veeam|PDVFSService|BackupExec|WdBoot|WdFilter|WdNisDrv|WdNisSvc|WinDefend|wscsvc|Sense|sppsvc|SecurityHealthService)") 
+  OR match(normalized_service_name, "(?i)(Volume Shadow Copy|VSS|backup|sophos|sql|memtas|mepocs|veeam|svc\$|DefWatch|ccEvtMgr|ccSetMgr|SavRoam|RTVscan|QBFCService|QBIDPService|Intuit\.QuickBooks\.FCS|QBCFMonitorService|YooBackup|YooIT|Veeam|PDVFSService|BackupExec|WdBoot|WdFilter|WdNisDrv|WdNisSvc|WinDefend|wscsvc|Sense|sppsvc|SecurityHealthService)"))
+  | stats count min(_time) as firstTime max(_time) as lastTime by EventCode display_name dest normalized_service_name
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)` 
+  | `windows_security_and_backup_services_stop_filter`'
+how_to_implement: To successfully implement this search, you need to be ingesting
+  logs with the 7036 EventCode ScManager in System audit Logs from your endpoints.
+known_false_positives: Admin activities or installing related updates may do a sudden
+  stop to list of services we monitor.
+references:
+- https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/
+- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/
+- https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/
+- https://blogs.vmware.com/security/2022/10/lockbit-3-0-also-known-as-lockbit-black.html
+drilldown_searches:
+- name: View the detection results for - "$dest$"
+  search: '%original_detection_search% | search  dest = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
+    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: Known services $param1$ terminated by a potential ransomware on $dest$
+  risk_objects:
+  - field: dest
+    type: system
+    score: 72
+  threat_objects:
+  - field: display_name
+    type: service
+tags:
+  analytic_story:
+  - LockBit Ransomware
+  - Ransomware
+  - Compromised Windows Host
+  - BlackMatter Ransomware
+  asset_type: Endpoint
+  mitre_attack_id:
+  - T1490
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: 
+      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/known_services_killed_by_ransomware/windows-xml.log
+    source: XmlWinEventLog:System
+    sourcetype: XmlWinEventLog