Enrich Detection PR security_content_automation_1648544400

detections/endpoint/mimikatz_passtheticket_commandline_parameters.yml

@@ -74,3 +74,5 @@ tags:
   - Processes.parent_process_name
   risk_score: 36
   security_domain: endpoint
+  supported_tas:
+  - Splunk_TA_microsoft_sysmon

detections/endpoint/rubeus_command_line_parameters.yml

@@ -85,3 +85,5 @@ tags:
   - Processes.parent_process_name
   risk_score: 36
   security_domain: endpoint
+  supported_tas:
+  - Splunk_TA_microsoft_sysmon

detections/endpoint/rundll32_with_no_command_line_arguments_with_network.yml

@@ -17,12 +17,11 @@ search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint
   where `process_rundll32` by _time span=1h  Processes.process_id Processes.process_name
   Processes.dest Processes.process_path Processes.process Processes.parent_process_name
   Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`
-  | `security_content_ctime(lastTime)` | regex process="(?i)(rundll32\.exe.{0,4}$)" 
-  | join  process_id [| tstats `security_content_summariesonly`
-  count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 by All_Traffic.process_id
-  All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename dest as C2 ]
-  | table _time dest parent_process_name process_name process_path process process_id dest_port C2 
-  | `rundll32_with_no_command_line_arguments_with_network_filter`'
+  | `security_content_ctime(lastTime)` | regex process="(?i)(rundll32\.exe.{0,4}$)"
+  | join  process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic
+  where All_Traffic.dest_port != 0 by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port
+  | `drop_dm_object_name(All_Traffic)` | rename dest as C2 ] | table _time dest parent_process_name
+  process_name process_path process process_id dest_port C2 | `rundll32_with_no_command_line_arguments_with_network_filter`'
 how_to_implement: To successfully implement this search you need to be ingesting information
   on process that include the name of the process responsible for the changes from
   your endpoints into the `Endpoint` datamodel in the `Processes` and `port` node.

detections/endpoint/rundll_loading_dll_by_ordinal.yml

@@ -82,3 +82,5 @@ tags:
   - Processes.parent_process_id
   risk_score: 49
   security_domain: endpoint
+  supported_tas:
+  - Splunk_TA_microsoft_sysmon

detections/endpoint/windows_disable_change_password_through_registry.yml

@@ -6,15 +6,19 @@ author: Teoderick Contreras, Splunk
 type: Anomaly
 datamodel:
 - Endpoint
-description: This analytic is to detect a suspicious registry modification to disable change password feature of the windows host. 
-  This registry modification may disables the Change Password button on the Windows Security dialog box (which appears when you press Ctrl+Alt+Del). 
-  As a result, users cannot change their Windows password on demand. This technique was seen in some malware family like ransomware to prevent the user to change the password 
-  after ownning the network or a system during attack. This windows feature may implemented by administrator to prevent normal user to change the password of 
-  a critical host or server, In this type of scenario filter is needed to minimized false positive.
+description: This analytic is to detect a suspicious registry modification to disable
+  change password feature of the windows host. This registry modification may disables
+  the Change Password button on the Windows Security dialog box (which appears when
+  you press Ctrl+Alt+Del). As a result, users cannot change their Windows password
+  on demand. This technique was seen in some malware family like ransomware to prevent
+  the user to change the password after ownning the network or a system during attack.
+  This windows feature may implemented by administrator to prevent normal user to
+  change the password of a critical host or server, In this type of scenario filter
+  is needed to minimized false positive.
 search: '| tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry
   where Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableChangePassword"
-  Registry.registry_value_data = "0x00000001"
-  by _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.registry_value_data
+  Registry.registry_value_data = "0x00000001" by _time span=1h Registry.dest Registry.user
+  Registry.registry_path Registry.registry_value_name Registry.registry_value_data
   Registry.process_guid | `drop_dm_object_name(Registry)` |rename process_guid as
   proc_guid |join proc_guid, _time [| tstats `security_content_summariesonly` count
   FROM datamodel=Endpoint.Processes by _time span=1h Processes.process_id Processes.process_name
@@ -23,15 +27,15 @@ search: '| tstats `security_content_summariesonly` count from datamodel=Endpoint
   proc_guid | fields _time dest user parent_process_name parent_process process_name
   process_path process proc_guid registry_path registry_value_name registry_value_data]
   | table _time dest user parent_process_name parent_process process_name process_path
-  process proc_guid registry_path registry_value_name registry_value_data 
-  | `windows_disable_change_password_through_registry_filter`'
+  process proc_guid registry_path registry_value_name registry_value_data | `windows_disable_change_password_through_registry_filter`'
 how_to_implement: To successfully implement this search you need to be ingesting information
   on process that include the name of the Filesystem responsible for the changes from
   your endpoints into the `Endpoint` datamodel in the `Processes` and `Registry` node.
-known_false_positives: This windows feature may implemented by administrator to prevent normal user to change the password of 
-  a critical host or server, In this type of scenario filter is needed to minimized false positive.
+known_false_positives: This windows feature may implemented by administrator to prevent
+  normal user to change the password of a critical host or server, In this type of
+  scenario filter is needed to minimized false positive.
 references:
--  https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom_heartbleed.thdobah
+- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom_heartbleed.thdobah
 tags:
   analytic_story:
   - Ransomware
@@ -52,17 +56,16 @@ tags:
   - Registry.registry_path
   - Registry.registry_value_name
   - Registry.dest Registry.user
-  - Processes.process_id 
+  - Processes.process_id
   - Processes.process_name
-  - Processes.process 
-  - Processes.dest 
-  - Processes.parent_process_name 
+  - Processes.process
+  - Processes.dest
+  - Processes.parent_process_name
   - Processes.parent_process
-  - Processes.process_guid 
+  - Processes.process_guid
   security_domain: endpoint
   impact: 70
-  confidence: 70 
-  # (impact * confidence)/100
+  confidence: 70
   risk_score: 49
   context:
   - Source:Endpoint
@@ -79,4 +82,6 @@ tags:
   - CIS 3
   - CIS 5
   - CIS 16
-  asset_type: Endpoint
+  asset_type: Endpoint
+  supported_tas:
+  - Splunk_TA_microsoft_sysmon

detections/endpoint/windows_disable_lock_workstation_feature_through_registry.yml

@@ -6,13 +6,15 @@ author: Teoderick Contreras, Splunk
 type: Anomaly
 datamodel:
 - Endpoint
-description: This analytic is to detect a suspicious registry modification to disable Lock Computer windows features. 
-  This registry modification prevent the user from locking its screen or computer that are being abused by several malware for example ransomware. 
-  This technique was used by threat actor to make its payload more impactful to the compromised host.
+description: This analytic is to detect a suspicious registry modification to disable
+  Lock Computer windows features. This registry modification prevent the user from
+  locking its screen or computer that are being abused by several malware for example
+  ransomware. This technique was used by threat actor to make its payload more impactful
+  to the compromised host.
 search: '| tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry
   where Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableLockWorkstation"
-  Registry.registry_value_data = "0x00000001"
-  by _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.registry_value_data
+  Registry.registry_value_data = "0x00000001" by _time span=1h Registry.dest Registry.user
+  Registry.registry_path Registry.registry_value_name Registry.registry_value_data
   Registry.process_guid | `drop_dm_object_name(Registry)` |rename process_guid as
   proc_guid |join proc_guid, _time [| tstats `security_content_summariesonly` count
   FROM datamodel=Endpoint.Processes by _time span=1h Processes.process_id Processes.process_name
@@ -21,15 +23,14 @@ search: '| tstats `security_content_summariesonly` count from datamodel=Endpoint
   proc_guid | fields _time dest user parent_process_name parent_process process_name
   process_path process proc_guid registry_path registry_value_name registry_value_data]
   | table _time dest user parent_process_name parent_process process_name process_path
-  process proc_guid registry_path registry_value_name registry_value_data 
-  | `windows_disable_lock_workstation_feature_through_registry_filter`'
+  process proc_guid registry_path registry_value_name registry_value_data | `windows_disable_lock_workstation_feature_through_registry_filter`'
 how_to_implement: To successfully implement this search you need to be ingesting information
   on process that include the name of the Filesystem responsible for the changes from
   your endpoints into the `Endpoint` datamodel in the `Processes` and `Registry` node.
 known_false_positives: unknown
 references:
--  https://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/
--  https://heimdalsecurity.com/blog/fatalrat-targets-telegram/
+- https://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/
+- https://heimdalsecurity.com/blog/fatalrat-targets-telegram/
 tags:
   analytic_story:
   - Ransomware
@@ -50,17 +51,16 @@ tags:
   - Registry.registry_path
   - Registry.registry_value_name
   - Registry.dest Registry.user
-  - Processes.process_id 
+  - Processes.process_id
   - Processes.process_name
-  - Processes.process 
-  - Processes.dest 
-  - Processes.parent_process_name 
+  - Processes.process
+  - Processes.dest
+  - Processes.parent_process_name
   - Processes.parent_process
-  - Processes.process_guid 
+  - Processes.process_guid
   security_domain: endpoint
   impact: 70
-  confidence: 70 
-  # (impact * confidence)/100
+  confidence: 70
   risk_score: 49
   context:
   - Source:Endpoint
@@ -77,4 +77,6 @@ tags:
   - CIS 3
   - CIS 5
   - CIS 16
-  asset_type: Endpoint
+  asset_type: Endpoint
+  supported_tas:
+  - Splunk_TA_microsoft_sysmon

detections/endpoint/windows_disable_logoff_button_through_registry.yml

@@ -6,33 +6,35 @@ author: Teoderick Contreras, Splunk
 type: Anomaly
 datamodel:
 - Endpoint
-description: This analytic is to detect a suspicious registry modification to disable logoff feature in windows host. 
-  This registry when enable will prevent users to log off of the system by using any method, 
-  including programs run from the command line, such as scripts. It also disables or removes 
-  all menu items and buttons that log the user off of the system. This technique was seen abused by ransomware malware 
-  to make the compromised host un-useful and hard to remove other registry modification made on the machine that needs restart to take effect.
-  This windows feature may implement by administrator in some server where shutdown is critical. In that scenario filter of machine 
-  and users that can modify this registry is needed.
+description: This analytic is to detect a suspicious registry modification to disable
+  logoff feature in windows host. This registry when enable will prevent users to
+  log off of the system by using any method, including programs run from the command
+  line, such as scripts. It also disables or removes all menu items and buttons that
+  log the user off of the system. This technique was seen abused by ransomware malware
+  to make the compromised host un-useful and hard to remove other registry modification
+  made on the machine that needs restart to take effect. This windows feature may
+  implement by administrator in some server where shutdown is critical. In that scenario
+  filter of machine and users that can modify this registry is needed.
 search: '| tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry
-  where Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\*" 
-  Registry.registry_value_name IN ("NoLogOff", "StartMenuLogOff")
-  Registry.registry_value_data = "0x00000001" by _time span=1h Registry.dest Registry.user
-  Registry.registry_path Registry.registry_value_name Registry.registry_value_data
-  Registry.process_guid | `drop_dm_object_name(Registry)` |rename process_guid as
-  proc_guid |join proc_guid, _time [| tstats `security_content_summariesonly` count
-  FROM datamodel=Endpoint.Processes by _time span=1h Processes.process_id Processes.process_name
-  Processes.process Processes.dest Processes.parent_process_name Processes.parent_process
-  Processes.process_guid | `drop_dm_object_name(Processes)` |rename process_guid as
-  proc_guid | fields _time dest user parent_process_name parent_process process_name
-  process_path process proc_guid registry_path registry_value_name registry_value_data]
-  | table _time dest user parent_process_name parent_process process_name process_path
-  process proc_guid registry_path registry_value_name registry_value_data
-  | `windows_disable_logoff_button_through_registry_filter`'
+  where Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\*"
+  Registry.registry_value_name IN ("NoLogOff", "StartMenuLogOff") Registry.registry_value_data
+  = "0x00000001" by _time span=1h Registry.dest Registry.user Registry.registry_path
+  Registry.registry_value_name Registry.registry_value_data Registry.process_guid
+  | `drop_dm_object_name(Registry)` |rename process_guid as proc_guid |join proc_guid,
+  _time [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes
+  by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest
+  Processes.parent_process_name Processes.parent_process Processes.process_guid |
+  `drop_dm_object_name(Processes)` |rename process_guid as proc_guid | fields _time
+  dest user parent_process_name parent_process process_name process_path process proc_guid
+  registry_path registry_value_name registry_value_data] | table _time dest user parent_process_name
+  parent_process process_name process_path process proc_guid registry_path registry_value_name
+  registry_value_data | `windows_disable_logoff_button_through_registry_filter`'
 how_to_implement: To successfully implement this search you need to be ingesting information
   on process that include the name of the Filesystem responsible for the changes from
   your endpoints into the `Endpoint` datamodel in the `Processes` and `Registry` node.
-known_false_positives: This windows feature may implement by administrator in some server where shutdown is critical. In that scenario filter of machine 
-  and users that can modify this registry is needed.
+known_false_positives: This windows feature may implement by administrator in some
+  server where shutdown is critical. In that scenario filter of machine and users
+  that can modify this registry is needed.
 references:
 - https://www.hybrid-analysis.com/sample/e2d4018fd3bd541c153af98ef7c25b2bf4a66bc3bfb89e437cde89fd08a9dd7b/5b1f4d947ca3e10f22714774
 - https://malwiki.org/index.php?title=DigiPop.xp
@@ -56,17 +58,16 @@ tags:
   - Registry.registry_path
   - Registry.registry_value_name
   - Registry.dest Registry.user
-  - Processes.process_id 
+  - Processes.process_id
   - Processes.process_name
-  - Processes.process 
-  - Processes.dest 
-  - Processes.parent_process_name 
+  - Processes.process
+  - Processes.dest
+  - Processes.parent_process_name
   - Processes.parent_process
-  - Processes.process_guid 
+  - Processes.process_guid
   security_domain: endpoint
   impact: 70
-  confidence: 70 
-  # (impact * confidence)/100
+  confidence: 70
   risk_score: 49
   context:
   - Source:Endpoint
@@ -83,4 +84,6 @@ tags:
   - CIS 3
   - CIS 5
   - CIS 16
-  asset_type: Endpoint
+  asset_type: Endpoint
+  supported_tas:
+  - Splunk_TA_microsoft_sysmon

detections/endpoint/windows_disable_memory_crash_dump.yml

@@ -96,3 +96,5 @@ tags:
   risk_score: 90
   security_domain: endpoint
   asset_type: Endpoint
+  supported_tas:
+  - Splunk_TA_microsoft_sysmon