diff --git a/detections/endpoint/attempt_to_add_certificate_to_untrusted_store.yml b/detections/deprecated/attempt_to_add_certificate_to_untrusted_store.yml similarity index 98% rename from detections/endpoint/attempt_to_add_certificate_to_untrusted_store.yml rename to detections/deprecated/attempt_to_add_certificate_to_untrusted_store.yml index 61374dd2a3..e96a336530 100644 --- a/detections/endpoint/attempt_to_add_certificate_to_untrusted_store.yml +++ b/detections/deprecated/attempt_to_add_certificate_to_untrusted_store.yml @@ -1,9 +1,9 @@ name: Attempt To Add Certificate To Untrusted Store id: 6bc5243e-ef36-45dc-9b12-f4a6be131159 -version: 18 -date: '2026-03-10' +version: 19 +date: '2026-03-26' author: Patrick Bareiss, Rico Valdez, Splunk -status: production +status: deprecated type: Anomaly description: | The following analytic detects attempts to add a certificate to the untrusted diff --git a/detections/endpoint/chcp_command_execution.yml b/detections/deprecated/chcp_command_execution.yml similarity index 98% rename from detections/endpoint/chcp_command_execution.yml rename to detections/deprecated/chcp_command_execution.yml index e86dfef58b..abae5da199 100644 --- a/detections/endpoint/chcp_command_execution.yml +++ b/detections/deprecated/chcp_command_execution.yml 
@@ -1,9 +1,9 @@ name: CHCP Command Execution id: 21d236ec-eec1-11eb-b23e-acde48001122 -version: 11 -date: '2026-03-10' +version: 12 +date: '2026-03-23' author: Teoderick Contreras, Splunk -status: production +status: deprecated type: Anomaly description: The following analytic detects the execution of the chcp.com utility, which is used to change the active code page of the console. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events. This activity is significant because it can indicate the presence of malware, such as IcedID, which uses this technique to determine the locale region, language, or country of the compromised host. If confirmed malicious, this could lead to further system compromise and data exfiltration. data_source: diff --git a/detections/endpoint/processes_launching_netsh.yml b/detections/deprecated/processes_launching_netsh.yml similarity index 98% rename from detections/endpoint/processes_launching_netsh.yml rename to detections/deprecated/processes_launching_netsh.yml index f039d58470..52ec5e0e14 100644 --- a/detections/endpoint/processes_launching_netsh.yml +++ b/detections/deprecated/processes_launching_netsh.yml 
@@ -1,9 +1,9 @@ name: Processes launching netsh id: b89919ed-fe5f-492c-b139-95dbb162040e -version: 13 -date: '2026-03-10' +version: 14 +date: '2026-03-26' author: Michael Haag, Josef Kuepker, Splunk -status: production +status: deprecated type: Anomaly description: The following analytic identifies processes launching netsh.exe, a command-line utility used to modify network configurations. It detects this activity by analyzing data from Endpoint Detection and Response (EDR) agents, focusing on process GUIDs, names, parent processes, and command-line executions. This behavior is significant because netsh.exe can be exploited to execute malicious helper DLLs, serving as a persistence mechanism. If confirmed malicious, an attacker could gain persistent access, modify network settings, and potentially escalate privileges, posing a severe threat to the network's integrity and security. data_source: diff --git a/detections/endpoint/sc_exe_manipulating_windows_services.yml b/detections/deprecated/sc_exe_manipulating_windows_services.yml similarity index 98% rename from detections/endpoint/sc_exe_manipulating_windows_services.yml rename to detections/deprecated/sc_exe_manipulating_windows_services.yml index ccfa9bbf9f..8be1c1e744 100644 --- a/detections/endpoint/sc_exe_manipulating_windows_services.yml +++ b/detections/deprecated/sc_exe_manipulating_windows_services.yml 
@@ -1,9 +1,9 @@ name: Sc exe Manipulating Windows Services id: f0c693d8-2a89-4ce7-80b4-98fea4c3ea6d -version: 14 -date: '2026-03-10' +version: 15 +date: '2026-03-26' author: Rico Valdez, Splunk -status: production +status: deprecated type: TTP description: The following analytic detects the creation or modification of Windows services using the sc.exe command. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because manipulating Windows services can be a method for attackers to establish persistence, escalate privileges, or execute arbitrary code. If confirmed malicious, this behavior could allow an attacker to maintain long-term access, disrupt services, or gain control over critical system functions, posing a severe threat to the environment. data_source: diff --git a/detections/endpoint/anomalous_usage_of_7zip.yml b/detections/endpoint/anomalous_usage_of_7zip.yml index d7a4b2cb42..38b6591253 100644 --- a/detections/endpoint/anomalous_usage_of_7zip.yml +++ b/detections/endpoint/anomalous_usage_of_7zip.yml @@ -1,7 +1,7 @@ name: Anomalous usage of 7zip id: 9364ee8e-a39a-11eb-8f1d-acde48001122 -version: 12 -date: '2026-03-10' +version: 13 +date: '2026-03-26' author: Michael Haag, Teoderick Contreras, Splunk status: production type: Anomaly 
@@ -12,7 +12,7 @@ data_source: - CrowdStrike ProcessRollup2 search: |- | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes - WHERE Processes.parent_process_name IN ("rundll32.exe", "dllhost.exe") Processes.process_name=*7z* + WHERE (Processes.parent_process_name IN ("rundll32.exe", "dllhost.exe") Processes.process_name=*7z*) AND NOT Processes.process_path = "C:\\Program Files\\VMware\\VMware Tools\\7za.exe" BY Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path diff --git a/detections/endpoint/conti_common_exec_parameter.yml b/detections/endpoint/conti_common_exec_parameter.yml index 701b231d4d..1fe0bcf79c 100644 --- a/detections/endpoint/conti_common_exec_parameter.yml +++ b/detections/endpoint/conti_common_exec_parameter.yml @@ -1,7 +1,7 @@ name: Conti Common Exec parameter id: 624919bc-c382-11eb-adcc-acde48001122 -version: 12 -date: '2026-03-10' +version: 13 +date: '2026-03-26' author: Teoderick Contreras, Splunk status: production type: TTP @@ -12,13 +12,7 @@ data_source: - CrowdStrike ProcessRollup2 search: |- | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes - WHERE Processes.process = "*-m local*" - OR - Processes.process = "*-m net*" - OR - Processes.process = "*-m all*" - OR - Processes.process = "*-nomutex*" + WHERE Processes.process IN ("*-m local", "*-m local *", "*-m net", "*-m net *", "*-m all","*-m all *", "*-nomutex", "*-nomutex *") BY Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path 
diff --git a/detections/endpoint/detect_rundll32_inline_hta_execution.yml b/detections/endpoint/detect_rundll32_inline_hta_execution.yml index 44085e0631..2321f75524 100644 --- a/detections/endpoint/detect_rundll32_inline_hta_execution.yml +++ b/detections/endpoint/detect_rundll32_inline_hta_execution.yml @@ -1,7 +1,7 @@ name: Detect Rundll32 Inline HTA Execution id: 91c79f14-5b41-11eb-ae93-0242ac130002 -version: 11 -date: '2026-03-10' +version: 12 +date: '2026-03-26' author: Michael Haag, Splunk status: production type: TTP @@ -14,9 +14,7 @@ search: |- | tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes WHERE `process_rundll32` (Processes.process=*vbscript* OR - Processes.process=*javascript* - OR - Processes.process=*about*) + Processes.process=*javascript*) BY Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path diff --git a/detections/endpoint/disable_schedule_task.yml b/detections/endpoint/disable_schedule_task.yml index 38fc0f18e5..7b5bbb24ae 100644 --- a/detections/endpoint/disable_schedule_task.yml +++ b/detections/endpoint/disable_schedule_task.yml 
@@ -1,10 +1,10 @@ name: Disable Schedule Task id: db596056-3019-11ec-a9ff-acde48001122 -version: 9 -date: '2026-03-10' +version: 10 +date: '2026-03-26' author: Teoderick Contreras, Splunk status: production -type: TTP +type: Anomaly description: The following analytic detects the execution of a command to disable an existing scheduled task using 'schtasks.exe' with the '/change' and '/disable' parameters. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. Disabling scheduled tasks is significant as it is a common tactic used by adversaries, including malware like IcedID, to disable security applications and evade detection. If confirmed malicious, this activity could allow attackers to persist undetected, disable critical security defenses, and further compromise the targeted host. data_source: - Sysmon EventID 1 diff --git a/detections/endpoint/modify_acl_permission_to_files_or_folder.yml b/detections/endpoint/modify_acl_permission_to_files_or_folder.yml index c451761088..3aeb92554a 100644 --- a/detections/endpoint/modify_acl_permission_to_files_or_folder.yml +++ b/detections/endpoint/modify_acl_permission_to_files_or_folder.yml @@ -1,7 +1,7 @@ name: Modify ACL permission To Files Or Folder id: 7e8458cc-acca-11eb-9e3f-acde48001122 -version: 11 -date: '2026-03-10' +version: 12 +date: '2026-03-24' author: Teoderick Contreras, Splunk status: production type: Anomaly 
@@ -19,7 +19,7 @@ search: | from datamodel=Endpoint.Processes where Processes.process_name IN ("icacls.exe", "cacls.exe", "xcacls.exe") Processes.process IN ("*/grant*", "*/g:*", "*/g *") - Processes.process IN ("* Everyone:*", "* SYSTEM:*", "* S-1-1-0:*") + Processes.process IN ("* SYSTEM:*", "* S-1-1-0:*") by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec diff --git a/detections/endpoint/possible_lateral_movement_powershell_spawn.yml b/detections/endpoint/possible_lateral_movement_powershell_spawn.yml index f9cfba8f4d..e9dfe6dbd7 100644 --- a/detections/endpoint/possible_lateral_movement_powershell_spawn.yml +++ b/detections/endpoint/possible_lateral_movement_powershell_spawn.yml @@ -1,7 +1,7 @@ name: Possible Lateral Movement PowerShell Spawn id: cb909b3e-512b-11ec-aa31-3e22fbd008af -version: 13 -date: '2026-03-10' +version: 14 +date: '2026-03-26' author: Mauricio Velazco, Michael Haag, Splunk status: production type: TTP diff --git a/detections/endpoint/reg_exe_manipulating_windows_services_registry_keys.yml b/detections/endpoint/reg_exe_manipulating_windows_services_registry_keys.yml index b54e6672d7..ddefa3e24e 100644 --- a/detections/endpoint/reg_exe_manipulating_windows_services_registry_keys.yml +++ b/detections/endpoint/reg_exe_manipulating_windows_services_registry_keys.yml @@ -1,7 +1,7 @@ name: Reg exe Manipulating Windows Services Registry Keys id: 8470d755-0c13-45b3-bd63-387a373c10cf -version: 14 -date: '2026-03-10' +version: 15 +date: '2026-03-24' author: Rico Valdez, Splunk status: production type: TTP 
@@ -12,7 +12,7 @@ data_source: - CrowdStrike ProcessRollup2 search: |- | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process_name) as process_name values(Processes.parent_process_name) as parent_process_name values(Processes.user) as user FROM datamodel=Endpoint.Processes - WHERE Processes.process_name=reg.exe Processes.process=*reg* Processes.process=*add* Processes.process=*Services* + WHERE (Processes.process_name=reg.exe Processes.process=*reg* Processes.process=*add* Processes.process=*Services*) BY Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path diff --git a/detections/endpoint/revil_common_exec_parameter.yml b/detections/endpoint/revil_common_exec_parameter.yml index 68142a301a..9a0a84218e 100644 --- a/detections/endpoint/revil_common_exec_parameter.yml +++ b/detections/endpoint/revil_common_exec_parameter.yml @@ -1,7 +1,7 @@ name: Revil Common Exec Parameter id: 85facebe-c382-11eb-9c3e-acde48001122 -version: 9 -date: '2026-03-10' +version: 10 +date: '2026-03-24' author: Teoderick Contreras, Splunk status: production type: TTP @@ -15,10 +15,6 @@ search: |- WHERE Processes.process = "* -nolan *" OR Processes.process = "* -nolocal *" - OR - Processes.process = "* -fast *" - OR - Processes.process = "* -full *" BY Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path diff --git a/detections/endpoint/ryuk_wake_on_lan_command.yml b/detections/endpoint/ryuk_wake_on_lan_command.yml index a4f0db8ec7..c7f9517159 100644 --- a/detections/endpoint/ryuk_wake_on_lan_command.yml +++ b/detections/endpoint/ryuk_wake_on_lan_command.yml 
@@ -1,7 +1,7 @@ name: Ryuk Wake on LAN Command id: 538d0152-7aaa-11eb-beaa-acde48001122 -version: 11 -date: '2026-03-10' +version: 12 +date: '2026-03-24' author: Michael Haag, Splunk status: production type: TTP @@ -11,19 +11,28 @@ data_source: - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 search: |- - | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes - WHERE ( - Processes.process="*8 LAN*" - OR - Processes.process="*9 REP*" - ) - BY Processes.action Processes.dest Processes.original_file_name - Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid - Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path - Processes.process Processes.process_exec Processes.process_guid - Processes.process_hash Processes.process_id Processes.process_integrity_level - Processes.process_name Processes.process_path Processes.user - Processes.user_id Processes.vendor_product + | tstats `security_content_summariesonly` + count min(_time) as firstTime + max(_time) as lastTime + + FROM datamodel=Endpoint.Processes WHERE + + Processes.process IN ( + "* 8 LAN", + "* 8 LAN *", + "* 9 REP", + "* 9 REP *" + ) + + BY Processes.action Processes.dest Processes.original_file_name + Processes.parent_process Processes.parent_process_exec + Processes.parent_process_guid Processes.parent_process_id + Processes.parent_process_name Processes.parent_process_path + Processes.process Processes.process_exec Processes.process_guid + Processes.process_hash Processes.process_id Processes.process_integrity_level + Processes.process_name Processes.process_path Processes.user + Processes.user_id Processes.vendor_product + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` 
diff --git a/detections/endpoint/slui_spawning_a_process.yml b/detections/endpoint/slui_spawning_a_process.yml index 09eb46f4cd..300384c32c 100644 --- a/detections/endpoint/slui_spawning_a_process.yml +++ b/detections/endpoint/slui_spawning_a_process.yml @@ -1,7 +1,7 @@ name: SLUI Spawning a Process id: 879c4330-b3e0-11eb-b1b1-acde48001122 -version: 10 -date: '2026-03-10' +version: 11 +date: '2026-03-24' author: Michael Haag, Splunk status: production type: TTP @@ -12,7 +12,7 @@ data_source: - CrowdStrike ProcessRollup2 search: |- | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes - WHERE Processes.parent_process_name=slui.exe + WHERE Processes.parent_process_name=slui.exe AND NOT Processes.process_name=slui.exe BY Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path diff --git a/detections/endpoint/suspicious_rundll32_startw.yml b/detections/endpoint/suspicious_rundll32_startw.yml index 3097aeca9b..14f37c0c95 100644 --- a/detections/endpoint/suspicious_rundll32_startw.yml +++ b/detections/endpoint/suspicious_rundll32_startw.yml @@ -1,7 +1,7 @@ name: Suspicious Rundll32 StartW id: 9319dda5-73f2-4d43-a85a-67ce961bddb7 -version: 12 -date: '2026-03-10' +version: 13 +date: '2026-03-24' author: Michael Haag, Splunk status: production type: TTP 
@@ -12,7 +12,7 @@ data_source: - CrowdStrike ProcessRollup2 search: |- | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes - WHERE `process_rundll32` Processes.process=*start* + WHERE `process_rundll32` Processes.process IN ("*startw", "*startw *") BY Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path diff --git a/detections/endpoint/system_user_discovery_with_whoami.yml b/detections/endpoint/system_user_discovery_with_whoami.yml index b1b6ad213b..63347f84e8 100644 --- a/detections/endpoint/system_user_discovery_with_whoami.yml +++ b/detections/endpoint/system_user_discovery_with_whoami.yml @@ -1,10 +1,10 @@ name: System User Discovery With Whoami id: 894fc43e-6f50-47d5-a68b-ee9ee23e18f4 -version: 9 -date: '2026-03-10' +version: 10 +date: '2026-03-24' author: Mauricio Velazco, Splunk status: production -type: Anomaly +type: Hunting description: The following analytic detects the execution of `whoami.exe` without any arguments. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This activity is significant because both Red Teams and adversaries use `whoami.exe` to identify the current logged-in user, aiding in situational awareness and Active Directory discovery. If confirmed malicious, this behavior could indicate an attacker is gathering information to further compromise the system, potentially leading to privilege escalation or lateral movement within the network. data_source: - Sysmon EventID 1 
@@ -14,6 +14,8 @@ search: |- | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes WHERE ( Processes.process_name="whoami.exe" + OR + Processes.process_original_file_name="whoami.exe" ) BY Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid @@ -30,29 +32,6 @@ how_to_implement: The detection is based on data that originates from Endpoint D known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1033/ -drilldown_searches: - - name: View the detection results for - "$user$" and "$dest$" - search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ - - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ -rba: - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$. - risk_objects: - - field: user - type: user - score: 20 - - field: dest - type: system - score: 20 - threat_objects: - - field: parent_process_name - type: parent_process_name - - field: process_name - type: process_name tags: analytic_story: - Winter Vivern 
diff --git a/detections/endpoint/windows_account_access_removal_via_logoff_exec.yml b/detections/endpoint/windows_account_access_removal_via_logoff_exec.yml index 482d4a4f37..6e71f43651 100644 --- a/detections/endpoint/windows_account_access_removal_via_logoff_exec.yml +++ b/detections/endpoint/windows_account_access_removal_via_logoff_exec.yml @@ -1,7 +1,7 @@ name: Windows Account Access Removal via Logoff Exec id: 223572ab-8768-4e20-9b39-c38707af80dc -version: 6 -date: '2026-03-10' +version: 7 +date: '2026-03-26' author: Teoderick Contreras, Splunk data_source: - Sysmon EventID 1 @@ -10,7 +10,7 @@ status: production description: "The following analytic detects the process of logging off a user through the use of the quser and logoff commands. By monitoring for these commands, the analytic identifies actions where a user session is forcibly terminated, which could be part of an administrative task or a potentially unauthorized access attempt. This detection helps identify potential misuse or malicious activity where a user’s access is revoked without proper authorization, providing insight into potential security incidents involving account management or session manipulation." search: |- | tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes - WHERE Processes.process_name = logoff.exe + WHERE Processes.process_name = logoff.exe Processes.parent_process_name IN ("cmd.exe", "powershell.exe", "pwsh.exe") BY Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path diff --git a/detections/endpoint/windows_application_whitelisting_bypass_attempt_via_rundll32.yml b/detections/endpoint/windows_application_whitelisting_bypass_attempt_via_rundll32.yml index 55c0092e15..c74bcbc5d4 100644 
--- a/detections/endpoint/windows_application_whitelisting_bypass_attempt_via_rundll32.yml +++ b/detections/endpoint/windows_application_whitelisting_bypass_attempt_via_rundll32.yml @@ -1,7 +1,7 @@ name: Windows Application Whitelisting Bypass Attempt via Rundll32 id: 1ef5dab0-e1f1-495d-a272-d134583c10b1 -version: 3 -date: '2026-03-10' +version: 4 +date: '2026-03-24' author: Michael Haag, Splunk status: production type: TTP @@ -33,6 +33,7 @@ search: | `process_rundll32` Processes.process IN ("*syssetup*", "*advpack*", "*setupapi*") Processes.process IN ("*LaunchINFSection*", "*InstallHinfSection*", "*SetupInfObjectInstallAction*") + NOT (Processes.parent_process_name="msiexec.exe" Processes.process="* C:\\Program Files (x86)\\Netskope\\EPDLP Deployment\\*") by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec diff --git a/detections/endpoint/windows_credentials_from_password_stores_deletion.yml b/detections/endpoint/windows_credentials_from_password_stores_deletion.yml index ab0b0de51a..2d5ee96492 100644 --- a/detections/endpoint/windows_credentials_from_password_stores_deletion.yml +++ b/detections/endpoint/windows_credentials_from_password_stores_deletion.yml @@ -1,7 +1,7 @@ name: Windows Credentials from Password Stores Deletion id: 46d676aa-40c6-4fe6-b917-d23b621f0f89 -version: 10 -date: '2026-03-10' +version: 11 +date: '2026-03-24' author: Teoderick Contreras, Splunk status: production type: TTP 
@@ -12,9 +12,9 @@ data_source: description: The following analytic detects the execution of the Windows OS tool cmdkey.exe with the /delete parameter. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. The activity is significant because cmdkey.exe can be used by attackers to delete stored credentials, potentially leading to privilege escalation and persistence. If confirmed malicious, this behavior could allow attackers to remove stored user credentials, hindering incident response efforts and enabling further unauthorized access to the compromised system. search: |- | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes - WHERE Processes.process_name="cmdkey.exe" + WHERE (Processes.process_name="cmdkey.exe" OR - Processes.original_file_name = "cmdkey.exe" + Processes.original_file_name = "cmdkey.exe") AND Processes.process = "*/delete*" BY Processes.action Processes.dest Processes.original_file_name diff --git a/detections/endpoint/windows_delete_or_modify_system_firewall.yml b/detections/endpoint/windows_delete_or_modify_system_firewall.yml index 28f6ecf34a..81b1e07e50 100644 --- a/detections/endpoint/windows_delete_or_modify_system_firewall.yml +++ b/detections/endpoint/windows_delete_or_modify_system_firewall.yml @@ -1,10 +1,10 @@ name: Windows Delete or Modify System Firewall id: b188d11a-eba7-419d-b8b6-cc265b4f2c4f -version: 10 -date: '2026-03-10' +version: 11 +date: '2026-03-26' author: Teoderick Contreras, Splunk status: production -type: Anomaly +type: Hunting data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 
@@ -28,22 +28,6 @@ how_to_implement: The detection is based on data that originates from Endpoint D known_false_positives: Administrator may modify or delete firewall configuration. references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat -drilldown_searches: - - name: View the detection results for - "$dest$" - search: '%original_detection_search% | search dest = "$dest$"' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ - - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ -rba: - message: A $process_name$ deleted a firewall configuration on $dest$ - risk_objects: - - field: dest - type: system - score: 20 - threat_objects: [] tags: analytic_story: - NjRAT diff --git a/detections/endpoint/windows_indicator_removal_via_rmdir.yml b/detections/endpoint/windows_indicator_removal_via_rmdir.yml index 29fe53f741..ddb33ef4bc 100644 --- a/detections/endpoint/windows_indicator_removal_via_rmdir.yml +++ b/detections/endpoint/windows_indicator_removal_via_rmdir.yml @@ -1,7 +1,7 @@ name: Windows Indicator Removal Via Rmdir id: c4566d2c-b094-48a1-9c59-d66e22065560 -version: 9 -date: '2026-03-10' +version: 10 +date: '2026-03-24' author: Teoderick Contreras, Splunk status: production type: Anomaly 
@@ -10,7 +10,7 @@ data_source: - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 description: The following analytic detects the execution of the 'rmdir' command with '/s' and '/q' options to delete files and directory trees. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process metadata. This activity is significant as it may indicate malware attempting to remove traces or components during cleanup operations. If confirmed malicious, this behavior could allow attackers to eliminate forensic evidence, hinder incident response efforts, and maintain persistence by removing indicators of compromise. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = "*rmdir*" Processes.process = "* /s *" Processes.process = "* /q *" by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_indicator_removal_via_rmdir_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = "*rmdir*" Processes.process = "* /s *" Processes.process = "* /q *" NOT Processes.parent_process_name IN ("explorer.exe", "*HPDock*") by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec 
Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_indicator_removal_via_rmdir_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: user and network administrator can execute this command. references: diff --git a/detections/endpoint/windows_information_discovery_fsutil.yml b/detections/endpoint/windows_information_discovery_fsutil.yml index 2fc731d408..f2cab5ced7 100644 --- a/detections/endpoint/windows_information_discovery_fsutil.yml +++ b/detections/endpoint/windows_information_discovery_fsutil.yml @@ -1,7 +1,7 @@ name: Windows Information Discovery Fsutil id: 2181f261-93e6-4166-a5a9-47deac58feff -version: 10 -date: '2026-03-10' +version: 11 +date: '2026-03-26' author: Teoderick Contreras, Nasreddine Bencherchali, Splunk status: production type: Anomaly 
diff --git a/detections/endpoint/windows_net_system_service_discovery.yml b/detections/endpoint/windows_net_system_service_discovery.yml index abcf3ce391..a0f0c1f1bb 100644 --- a/detections/endpoint/windows_net_system_service_discovery.yml +++ b/detections/endpoint/windows_net_system_service_discovery.yml @@ -1,10 +1,10 @@ name: Windows Net System Service Discovery id: dd7da098-83b8-4c48-b09d-e51aeb621e81 -version: 3 -date: '2026-03-10' +version: 4 +date: '2026-03-26' author: Teoderick Contreras, Splunk status: production -type: Anomaly +type: Hunting description: The following analytic detects the enumeration of Windows services using the net start command, which is a built-in utility that lists all running services on a system. Adversaries, system administrators, or automated tools may use this command to gain situational awareness of what services are active, identify potential security software, or discover opportunities for privilege escalation and lateral movement. The execution of net start is often associated with reconnaissance activity during the early stages of an intrusion, as attackers attempt to map out the system’s defense mechanisms and operational services. By monitoring process execution for instances of cmd.exe /c net start or similar command-line usage, defenders can detect potentially suspicious activity. Correlating this behavior with other reconnaissance commands, such as tasklist or sc query, strengthens detection fidelity. While net start is not inherently malicious, unusual or repeated use in non-administrative contexts should be flagged for further investigation. data_source: - Sysmon EventID 1 
@@ -30,29 +30,6 @@ how_to_implement: The detection is based on data that originates from Endpoint D known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://cert.gov.ua/article/6284730 -drilldown_searches: - - name: View the detection results for - "$user$" and "$dest$" - search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ - - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ -rba: - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to enumerate list of running services. - risk_objects: - - field: user - type: user - score: 20 - - field: dest - type: system - score: 20 - threat_objects: - - field: parent_process_name - type: parent_process_name - - field: process_name - type: process_name tags: analytic_story: - LAMEHUG diff --git a/detections/endpoint/windows_network_share_interaction_via_net.yml b/detections/endpoint/windows_network_share_interaction_via_net.yml index 71e8c4d665..101a267dda 100644 --- a/detections/endpoint/windows_network_share_interaction_via_net.yml +++ b/detections/endpoint/windows_network_share_interaction_via_net.yml 
@@ -1,10 +1,10 @@ name: Windows Network Share Interaction Via Net id: e51fbdb0-0be0-474f-92ea-d289f71a695e -version: 5 -date: '2026-03-10' +version: 6 +date: '2026-03-24' author: Dean Luxton status: production -type: Anomaly +type: Hunting data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 @@ -35,25 +35,6 @@ how_to_implement: The detection is based on data originating from either Endpoin known_false_positives: Administrators or power users may use this command. Additional filters needs to be applied. references: - https://attack.mitre.org/techniques/T1135/ -drilldown_searches: - - name: View the detection results for - "$dest$" and "$user$" - search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ - - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ -rba: - message: User $user$ leveraged net.exe on $dest$ to interact with network shares, executed by parent process $parent_process$ - risk_objects: - - field: dest - type: system - score: 20 - - field: user - type: user - score: 20 - threat_objects: [] tags: analytic_story: - Active Directory Discovery diff --git a/detections/endpoint/windows_rundll32_webdav_request.yml b/detections/endpoint/windows_rundll32_webdav_request.yml index 720ff89c3e..1d4e008aa3 100644 --- a/detections/endpoint/windows_rundll32_webdav_request.yml 
+++ b/detections/endpoint/windows_rundll32_webdav_request.yml @@ -1,9 +1,9 @@ name: Windows Rundll32 WebDAV Request id: 320099b7-7eb1-4153-a2b4-decb53267de2 -version: 9 -date: '2026-03-10' +version: 10 +date: '2026-03-24' author: Michael Haag, Splunk -type: TTP +type: Hunting status: production data_source: - Sysmon EventID 1 @@ -19,29 +19,6 @@ references: - https://twitter.com/domchell/status/1635999068282408962?s=20 - https://msrc.microsoft.com/blog/2023/03/microsoft-mitigates-outlook-elevation-of-privilege-vulnerability/ - https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/ -drilldown_searches: - - name: View the detection results for - "$user$" and "$dest$" - search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ - - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ -rba: - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to contact a remote WebDav server. - risk_objects: - - field: user - type: user - score: 50 - - field: dest - type: system - score: 50 - threat_objects: - - field: parent_process_name - type: parent_process_name - - field: process_name - type: process_name tags: analytic_story: - CVE-2023-23397 Outlook Elevation of Privilege 
diff --git a/detections/endpoint/windows_service_create_kernel_mode_driver.yml b/detections/endpoint/windows_service_create_kernel_mode_driver.yml index 8cc1498311..5546d476f4 100644 --- a/detections/endpoint/windows_service_create_kernel_mode_driver.yml +++ b/detections/endpoint/windows_service_create_kernel_mode_driver.yml @@ -1,7 +1,7 @@ name: Windows Service Create Kernel Mode Driver id: 0b4e3b06-1b2b-4885-b752-cf06d12a90cb -version: 10 -date: '2026-03-10' +version: 11 +date: '2026-03-26' author: Michael Haag, Teoderick Contreras Splunk status: production type: TTP @@ -12,7 +12,7 @@ data_source: - CrowdStrike ProcessRollup2 search: | | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes - where (Processes.process_name=sc.exe OR Processes.original_file_name=sc.exe) Processes.process IN ("*kernel*", "*filesys*") Processes.process="*type*" + where (Processes.process_name=sc.exe OR Processes.original_file_name=sc.exe) Processes.process="*create*" Processes.process IN ("*kernel*", "*filesys*") Processes.process="*type*" by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path diff --git a/detections/endpoint/windows_service_stop_by_deletion.yml b/detections/endpoint/windows_service_stop_by_deletion.yml index 37ba3dd442..c779e699f4 100644 --- a/detections/endpoint/windows_service_stop_by_deletion.yml +++ b/detections/endpoint/windows_service_stop_by_deletion.yml 
@@ -1,10 +1,10 @@ name: Windows Service Stop By Deletion id: 196ff536-58d9-4d1b-9686-b176b04e430b -version: 8 -date: '2026-03-10' +version: 9 +date: '2026-03-24' author: Teoderick Contreras, Splunk status: production -type: TTP +type: Hunting description: The following analytic detects the use of `sc.exe` to delete a Windows service. It leverages Endpoint Detection and Response (EDR) data, focusing on process execution logs that capture command-line arguments. This activity is significant because adversaries often delete services to disable security mechanisms or critical system functions, aiding in evasion and persistence. If confirmed malicious, this action could lead to the termination of essential security services, allowing attackers to operate undetected and potentially escalate their privileges or maintain long-term access to the compromised system. data_source: - Sysmon EventID 1 
@@ -35,22 +35,6 @@ references: - https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/ - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md -drilldown_searches: - - name: View the detection results for - "$dest$" - search: '%original_detection_search% | search dest = "$dest$"' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ - - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ -rba: - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ attempting to delete a service. - risk_objects: - - field: dest - type: system - score: 50 - threat_objects: [] tags: analytic_story: - Azorult diff --git a/detections/endpoint/windows_sqlservr_spawning_shell.yml b/detections/endpoint/windows_sqlservr_spawning_shell.yml index 50663a7e70..1c09e7d6e1 100644 --- a/detections/endpoint/windows_sqlservr_spawning_shell.yml +++ b/detections/endpoint/windows_sqlservr_spawning_shell.yml 
@@ -1,10 +1,10 @@ name: Windows Sqlservr Spawning Shell id: d33aac9f-030c-4830-8701-0c2dd75bb6cb -version: 5 -date: '2026-03-10' +version: 6 +date: '2026-03-24' author: Michael Haag, Splunk status: production -type: TTP +type: Hunting description: This analytic detects instances where the sqlservr.exe process spawns a command shell (cmd.exe) or PowerShell process. This behavior is often indicative of command execution initiated from within the SQL Server process, potentially due to exploitation of SQL injection vulnerabilities or the use of extended stored procedures like xp_cmdshell. data_source: - Sysmon EventID 1 
@@ -30,29 +30,6 @@ known_false_positives: Legitimate administrative activities or monitoring tools references: - https://attack.mitre.org/techniques/T1505/001/ - https://github.com/MHaggis/notes/tree/master/utilities/SQLSSTT -drilldown_searches: - - name: View the detection results for - "$dest$" and "$process_name$" - search: '%original_detection_search% | search dest = "$dest$" process_name = "$process_name$"' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ - - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ -rba: - message: A command shell was spawned by sqlservr.exe on host $dest$ by user $user$. This may indicate unauthorized command execution. - risk_objects: - - field: dest - type: system - score: 50 - - field: user - type: user - score: 50 - threat_objects: - - field: parent_process_name - type: parent_process_name - - field: process_name - type: process_name tags: analytic_story: - SQL Server Abuse diff --git a/detections/endpoint/windows_system_reboot_commandline.yml b/detections/endpoint/windows_system_reboot_commandline.yml index a460d62962..66dee0ba4f 100644 --- a/detections/endpoint/windows_system_reboot_commandline.yml +++ b/detections/endpoint/windows_system_reboot_commandline.yml 
@@ -1,10 +1,10 @@ name: Windows System Reboot CommandLine id: 97fc2b60-c8eb-4711-93f7-d26fade3686f -version: 11 -date: '2026-03-10' +version: 12 +date: '2026-03-24' author: Teoderick Contreras, Splunk status: production -type: Anomaly +type: Hunting description: The following analytic identifies the execution of the Windows command line to reboot a host machine using "shutdown.exe" with specific parameters. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant as it is often associated with advanced persistent threats (APTs) and remote access trojans (RATs) like dcrat, which may use system reboots to disrupt operations, aid in system destruction, or inhibit recovery. If confirmed malicious, this could lead to system downtime, data loss, or hindered incident response efforts. data_source: - Sysmon EventID 1 
@@ -34,22 +34,6 @@ known_false_positives: Administrator may execute this commandline to trigger shu references: - https://attack.mitre.org/techniques/T1529/ - https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor -drilldown_searches: - - name: View the detection results for - "$dest$" - search: '%original_detection_search% | search dest = "$dest$"' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ - - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ -rba: - message: Process $process_name$ that executed reboot via commandline on $dest$ - risk_objects: - - field: dest - type: system - score: 20 - threat_objects: [] tags: analytic_story: - XWorm diff --git a/detections/endpoint/windows_system_remote_discovery_with_query.yml b/detections/endpoint/windows_system_remote_discovery_with_query.yml index 4b746c5d55..98e572a9b9 100644 --- a/detections/endpoint/windows_system_remote_discovery_with_query.yml +++ b/detections/endpoint/windows_system_remote_discovery_with_query.yml 
@@ -1,10 +1,10 @@ name: Windows System Remote Discovery With Query id: 94859172-a521-474f-97ac-4cf4b09634a3 -version: 6 -date: '2026-03-10' +version: 7 +date: '2026-03-24' author: Steven Dick status: production -type: Anomaly +type: Hunting description: The following analytic detects the execution of `query.exe` with command-line arguments aimed at discovering data on remote devices. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as adversaries may use `query.exe` to gain situational awareness and perform Active Directory discovery on compromised endpoints. If confirmed malicious, this behavior could allow attackers to identify various details about a system, aiding in further lateral movement and privilege escalation within the network. data_source: - Sysmon EventID 1 
@@ -33,31 +33,6 @@ how_to_implement: The detection is based on data that originates from Endpoint D known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1033/ -drilldown_searches: - - name: View the detection results for - "$dest$" and "$user$" - search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ - - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$","$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ - - name: Investigate processes on $dest$ - search: '| from datamodel:Endpoint.Processes | search dest=$dest$ process_name = $process_name|s$' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ -rba: - message: The user $user$ ran the Query command to enumerate the remote system $dest$ - risk_objects: - - field: user - type: user - score: 20 - - field: dest - type: system - score: 20 - threat_objects: - - field: process_name - type: process_name tags: analytic_story: - Active Directory Discovery diff --git a/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml b/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml index a952339f70..067e1547d6 100644 --- a/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml +++ b/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml 
@@ -1,10 +1,10 @@ name: Wscript Or Cscript Suspicious Child Process id: 1f35e1da-267b-11ec-90a9-acde48001122 -version: 12 -date: '2026-03-10' +version: 13 +date: '2026-03-24' author: Teoderick Contreras, Splunk status: production -type: TTP +type: Anomaly description: This analytic identifies a suspicious spawned process by WScript or CScript process. This technique was a common technique used by adversaries and malware to execute different LOLBIN, other scripts like PowerShell or spawn a suspended process to inject its code as a defense evasion. This TTP may detect some normal script that uses several application tools that are in the list of the child process it detects but a good pivot and indicator that a script may execute suspicious code. data_source: - Sysmon EventID 1 diff --git a/removed/deprecation_mapping.YML b/removed/deprecation_mapping.YML index 7583049521..ddfac7a29c 100644 --- a/removed/deprecation_mapping.YML +++ b/removed/deprecation_mapping.YML @@ -1,4 +1,16 @@ detections: + - content: Sc exe Manipulating Windows Services + removed_in_version: 5.28.0 + reason: Detection is deprecated as the usage of sc.exe by itself is often used for legitimate purposes. + - content: Processes launching netsh + removed_in_version: 5.28.0 + reason: Detection is deprecated as the usage of netsh.exe by itself is often used for legitimate purposes. + - content: CHCP Command Execution + removed_in_version: 5.28.0 + reason: Detection is deprecated as the usage of chcp.com by itself is not malicious. + - content: Attempt To Add Certificate To Untrusted Store + removed_in_version: 5.28.0 + reason: Detection is deprecated as the usage of certutil and addstore by itself is not malicious. - content: Abnormally High Number Of Cloud Infrastructure API Calls removed_in_version: 5.26.0 reason: Detection is deprecated as these do not work with the latest Splunk AI Toolkit(5.7.0) and Python for Scientific Computing for Linux 64-bit(4.3.0). 
@@ -639,8 +651,6 @@ detections: - content: Processes created by netsh removed_in_version: 5.2.0 reason: Updated to a new detection name - replacement_content: - - Processes launching netsh - content: Office Product Spawning Wmic removed_in_version: 5.2.0 reason: Detection deprecated as it no longer effectively identifies the intended malicious activity
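Review bot: in windows_information_discovery_fsutil.yml the only change in the hunk is `-version: 10` / `+version: 11` together with the date, and no other hunk for that file appears in the diff; if nothing else in the file changes, the version bump is churn that will surface in release notes as an update with nothing behind it, so either drop it or state in the commit message what it accompanies.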
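Review bot: in windows_net_system_service_discovery.yml the switch `-type: Anomaly` / `+type: Hunting` plus the removal of the `rba:` block means the search no longer raises risk events, but the unchanged description still ends with "unusual or repeated use in non-administrative contexts should be flagged for further investigation" as if an alert were produced; reword that sentence to describe what an analyst running the hunt should look for (repeated `net start` from non-admin accounts, co-occurrence with `tasklist` or `sc query`, both already mentioned in the description). The date here is '2026-03-26' while the sibling Hunting conversions in this batch use '2026-03-24'; align them if they were made in the same change.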
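Review bot: in windows_network_share_interaction_via_net.yml, once `drilldown_searches:` and `rba:` are gone, the `known_false_positives` line "Administrators or power users may use this command. Additional filters needs to be applied." becomes the main guidance for the hunt; fix the grammar ("filters need to be applied") and, since the removed drilldowns pivoted on `dest` and `user`, say which filter is meant (an allowlist of administrative hosts or accounts, for example) rather than leaving it open.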
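Review bot: windows_rundll32_webdav_request.yml moves from `-type: TTP` to `+type: Hunting` and drops an `rba:` block that scored both `user` and `dest` at 50, the highest score in this batch, with no change to the description or to the CVE-2023-23397 analytic story it belongs to; a TTP at that score was presumably judged high-fidelity, so the commit should state why it is demoted (false-positive data, superseded coverage) or keep it as an Anomaly with a lower score instead of removing risk scoring entirely.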
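Review bot: in windows_service_create_kernel_mode_driver.yml the added term `Processes.process="*create*"` narrows the match so that `sc.exe config <service> type= kernel`, which converts an existing service into a kernel driver, no longer matches; if that is intended, note it in the description, otherwise use `Processes.process IN ("*create*", "*config*")` in place of the single wildcard. The file's only other hunk bumps version and date, so the description is not updated to reflect the narrower scope, and the existing test data should be re-run to confirm it still fires with the extra term.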
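Review bot: in windows_service_stop_by_deletion.yml the description still says the analytic "detects the use of `sc.exe` to delete a Windows service" and that the behaviour is "significant because adversaries often delete services to disable security mechanisms", yet the hunk moves it from `-type: TTP` to `+type: Hunting` and removes the `rba:` block (score 50 on `dest`); either the description or the new type is wrong. If the driver is noise from installers and uninstallers, record that in `known_false_positives` and consider Anomaly with a reduced score rather than no scoring at all.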
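Review bot: windows_sqlservr_spawning_shell.yml loses its `rba:` message "A command shell was spawned by sqlservr.exe on host $dest$ by user $user$. This may indicate unauthorized command execution." and becomes Hunting, while the description in the same diff still calls the behaviour "often indicative of command execution initiated from within the SQL Server process, potentially due to exploitation of SQL injection vulnerabilities or the use of extended stored procedures like xp_cmdshell"; that wording argues for retaining at least an Anomaly score, so give the rationale for the downgrade in the commit, and keep the removed drilldown that pivots on `process_name`, which is useful context for a hunt as well.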
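Review bot: in wscript_or_cscript_suspicious_child_process.yml the type changes `-type: TTP` / `+type: Anomaly`, but the description in the same hunk still says "This TTP may detect some normal script..."; change that to "This analytic" so the text matches the new type, and while editing it, tidy the sentence ("execute different LOLBINs", "a good pivot and indicator that a script may be executing suspicious code").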
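Review bot: the four new 5.28.0 entries in removed/deprecation_mapping.YML carry no `replacement_content`, unlike the older "Processes created by netsh" entry, which pointed at its successor; if any of the deprecated behaviours (sc.exe, netsh.exe, chcp.com, certutil addstore) remains covered by another analytic, list it there so consumers can migrate, and if it does not, say so explicitly in `reason` rather than only "is not malicious" or "often used for legitimate purposes", since those phrasings describe the tool rather than the detection gap being accepted.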
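Review bot: in the `@@ -639,8 +651,6 @@` hunk, deleting `replacement_content: - Processes launching netsh` from the 5.2.0 "Processes created by netsh" entry rewrites a historical record; "Processes launching netsh" is itself deprecated at 5.28.0 by the entry added at the top of the file, so the chain already terminates there. Keep the 5.2.0 pointer as it was, or, if the mapping's validation requires `replacement_content` to reference a live detection, say so in the commit message.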