From e556cac2791115e970af76856f3eb2d4781011aa Mon Sep 17 00:00:00 2001 
From: P4T12ICK
Date: Thu, 26 Mar 2026 07:46:49 +0100
Subject: [PATCH 01/18] Improved detections based on telemetry.
---
 ..._to_add_certificate_to_untrusted_store.yml | 2 +-
 .../chcp_command_execution.yml | 6 ++--
 ...ible_lateral_movement_powershell_spawn.yml | 2 +-
 .../processes_launching_netsh.yml | 2 +-
 .../sc_exe_manipulating_windows_services.yml | 2 +-
 .../endpoint/anomalous_usage_of_7zip.yml | 4 +--
 .../endpoint/conti_common_exec_parameter.yml | 8 +----
 .../detect_rundll32_inline_hta_execution.yml | 4 +--
 detections/endpoint/disable_schedule_task.yml | 2 +-
 ...dify_acl_permission_to_files_or_folder.yml | 6 ++--
 ...ulating_windows_services_registry_keys.yml | 6 ++--
 .../endpoint/revil_common_exec_parameter.yml | 8 ++---
 .../endpoint/ryuk_wake_on_lan_command.yml | 8 ++---
 .../endpoint/slui_spawning_a_process.yml | 6 ++--
 .../endpoint/suspicious_rundll32_startw.yml | 6 ++--
 .../system_user_discovery_with_whoami.yml | 20 ++----------
 ...account_access_removal_via_logoff_exec.yml | 2 +-
 ...itelisting_bypass_attempt_via_rundll32.yml | 5 +--
 ...dentials_from_password_stores_deletion.yml | 8 ++---
 ...ndows_delete_or_modify_system_firewall.yml | 18 +---------
 .../windows_indicator_removal_via_rmdir.yml | 6 ++--
 .../windows_information_discovery_fsutil.yml | 20 ++----------
 .../windows_net_system_service_discovery.yml | 27 ++--------------
 ...dows_network_share_interaction_via_net.yml | 25 ++-------------
 .../windows_rundll32_webdav_request.yml | 29 ++---------------
 ...dows_service_create_kernel_mode_driver.yml | 21 +------------
 .../windows_service_stop_by_deletion.yml | 22 ++-----------
 .../windows_sqlservr_spawning_shell.yml | 29 ++---------------
 .../windows_system_reboot_commandline.yml | 22 ++-----------
 ...ows_system_remote_discovery_with_query.yml | 31 ++-----------------
 ...pt_or_cscript_suspicious_child_process.yml | 6 ++--
 removed/deprecation_mapping.YML | 15 +++++++++
 32 files changed, 86 insertions(+), 292 deletions(-)
 rename detections/{endpoint =>
deprecated}/attempt_to_add_certificate_to_untrusted_store.yml (99%)
 rename detections/{endpoint => deprecated}/chcp_command_execution.yml (98%)
 rename detections/{endpoint => deprecated}/possible_lateral_movement_powershell_spawn.yml (99%)
 rename detections/{endpoint => deprecated}/processes_launching_netsh.yml (99%)
 rename detections/{endpoint => deprecated}/sc_exe_manipulating_windows_services.yml (99%)
diff --git a/detections/endpoint/attempt_to_add_certificate_to_untrusted_store.yml b/detections/deprecated/attempt_to_add_certificate_to_untrusted_store.yml
similarity index 99%
rename from detections/endpoint/attempt_to_add_certificate_to_untrusted_store.yml
rename to detections/deprecated/attempt_to_add_certificate_to_untrusted_store.yml
index 61374dd2a3..db14e667bb 100644
--- a/detections/endpoint/attempt_to_add_certificate_to_untrusted_store.yml
+++ b/detections/deprecated/attempt_to_add_certificate_to_untrusted_store.yml
@@ -3,7 +3,7 @@ id: 6bc5243e-ef36-45dc-9b12-f4a6be131159
 version: 18
 date: '2026-03-10'
 author: Patrick Bareiss, Rico Valdez, Splunk
-status: production
+status: deprecated
 type: Anomaly
 description: |
 The following analytic detects attempts to add a certificate to the untrusted
diff --git a/detections/endpoint/chcp_command_execution.yml b/detections/deprecated/chcp_command_execution.yml
similarity index 98%
rename from detections/endpoint/chcp_command_execution.yml
rename to detections/deprecated/chcp_command_execution.yml
index e86dfef58b..abae5da199 100644
--- a/detections/endpoint/chcp_command_execution.yml
+++ b/detections/deprecated/chcp_command_execution.yml
@@ -1,9 +1,9 @@
 name: CHCP Command Execution
 id: 21d236ec-eec1-11eb-b23e-acde48001122
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-23'
 author: Teoderick Contreras, Splunk
-status: production
+status: deprecated
 type: Anomaly
 description: The following analytic detects the execution of the chcp.com utility, which is used to change the active code page of the console. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events. This activity is significant because it can indicate the presence of malware, such as IcedID, which uses this technique to determine the locale region, language, or country of the compromised host. If confirmed malicious, this could lead to further system compromise and data exfiltration.
 data_source:
diff --git a/detections/endpoint/possible_lateral_movement_powershell_spawn.yml b/detections/deprecated/possible_lateral_movement_powershell_spawn.yml
similarity index 99%
rename from detections/endpoint/possible_lateral_movement_powershell_spawn.yml
rename to detections/deprecated/possible_lateral_movement_powershell_spawn.yml
index f9cfba8f4d..5a3b088fc9 100644
--- a/detections/endpoint/possible_lateral_movement_powershell_spawn.yml
+++ b/detections/deprecated/possible_lateral_movement_powershell_spawn.yml
@@ -3,7 +3,7 @@ id: cb909b3e-512b-11ec-aa31-3e22fbd008af
 version: 13
 date: '2026-03-10'
 author: Mauricio Velazco, Michael Haag, Splunk
-status: production
+status: deprecated
 type: TTP
 description: The following analytic detects the spawning of a PowerShell process as a child or grandchild of commonly abused processes like services.exe, wmiprvse.exe, svchost.exe, wsmprovhost.exe, and mmc.exe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process names, as well as command-line executions. This activity is significant as it often indicates lateral movement or remote code execution attempts by adversaries. If confirmed malicious, this behavior could allow attackers to execute code remotely, escalate privileges, or persist within the environment.
 data_source:
diff --git a/detections/endpoint/processes_launching_netsh.yml b/detections/deprecated/processes_launching_netsh.yml
similarity index 99%
rename from detections/endpoint/processes_launching_netsh.yml
rename to detections/deprecated/processes_launching_netsh.yml
index f039d58470..7d5f6c5821 100644
--- a/detections/endpoint/processes_launching_netsh.yml
+++ b/detections/deprecated/processes_launching_netsh.yml
@@ -3,7 +3,7 @@ id: b89919ed-fe5f-492c-b139-95dbb162040e
 version: 13
 date: '2026-03-10'
 author: Michael Haag, Josef Kuepker, Splunk
-status: production
+status: deprecated
 type: Anomaly
 description: The following analytic identifies processes launching netsh.exe, a command-line utility used to modify network configurations. It detects this activity by analyzing data from Endpoint Detection and Response (EDR) agents, focusing on process GUIDs, names, parent processes, and command-line executions. This behavior is significant because netsh.exe can be exploited to execute malicious helper DLLs, serving as a persistence mechanism. If confirmed malicious, an attacker could gain persistent access, modify network settings, and potentially escalate privileges, posing a severe threat to the network's integrity and security.
 data_source:
diff --git a/detections/endpoint/sc_exe_manipulating_windows_services.yml b/detections/deprecated/sc_exe_manipulating_windows_services.yml
similarity index 99%
rename from detections/endpoint/sc_exe_manipulating_windows_services.yml
rename to detections/deprecated/sc_exe_manipulating_windows_services.yml
index ccfa9bbf9f..d4538c417f 100644
--- a/detections/endpoint/sc_exe_manipulating_windows_services.yml
+++ b/detections/deprecated/sc_exe_manipulating_windows_services.yml
@@ -3,7 +3,7 @@ id: f0c693d8-2a89-4ce7-80b4-98fea4c3ea6d version: 14 date: '2026-03-10' author: Rico Valdez, Splunk -status: production +status: deprecated type: TTP description: The following analytic detects the creation or modification of Windows services using the sc.exe command. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because manipulating Windows services can be a method for attackers to establish persistence, escalate privileges, or execute arbitrary code. If confirmed malicious, this behavior could allow an attacker to maintain long-term access, disrupt services, or gain control over critical system functions, posing a severe threat to the environment. data_source: diff --git a/detections/endpoint/anomalous_usage_of_7zip.yml b/detections/endpoint/anomalous_usage_of_7zip.yml index d7a4b2cb42..c74405f41b 100644 --- a/detections/endpoint/anomalous_usage_of_7zip.yml +++ b/detections/endpoint/anomalous_usage_of_7zip.yml @@ -12,7 +12,7 @@ data_source: - CrowdStrike ProcessRollup2 search: |- | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes - WHERE Processes.parent_process_name IN ("rundll32.exe", "dllhost.exe") Processes.process_name=*7z* + WHERE (Processes.parent_process_name IN ("rundll32.exe", "dllhost.exe") Processes.process_name=*7z*) AND NOT Processes.process_path = *VMWare* BY Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path 
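Review bot: The search change in anomalous_usage_of_7zip.yml lands without a `version`/`date` bump, while most files in this patch bump both (for example `+version: 12` / `+date: '2026-03-24'` in modify_acl_permission_to_files_or_folder.yml); the same omission applies to conti_common_exec_parameter.yml, detect_rundll32_inline_hta_execution.yml, disable_schedule_task.yml, windows_account_access_removal_via_logoff_exec.yml and windows_delete_or_modify_system_firewall.yml, and windows_information_discovery_fsutil.yml bumps `date` but leaves `version: 10`. Separately, `AND NOT Processes.process_path = *VMWare*` excludes any process whose path contains that substring anywhere, not only the vendor's installation directory; if telemetry shows one directory, anchoring it (e.g. `NOT Processes.process_path="*\\<vendor-dir-from-telemetry>\\*"`) keeps the exclusion narrow. The second hunk in this file only changes trailing whitespace on `known_false_positives`.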
@@ -25,7 +25,7 @@ search: |- | `security_content_ctime(lastTime)` | `anomalous_usage_of_7zip_filter` how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives should be limited as this behavior is not normal for `rundll32.exe` or `dllhost.exe` to spawn and run 7zip. +known_false_positives: False positives should be limited as this behavior is not normal for `rundll32.exe` or `dllhost.exe` to spawn and run 7zip. references: - https://attack.mitre.org/techniques/T1560/001/ - https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/ diff --git a/detections/endpoint/conti_common_exec_parameter.yml b/detections/endpoint/conti_common_exec_parameter.yml index 701b231d4d..8bbb0951a9 100644 --- a/detections/endpoint/conti_common_exec_parameter.yml +++ b/detections/endpoint/conti_common_exec_parameter.yml 
@@ -12,13 +12,7 @@ data_source: - CrowdStrike ProcessRollup2 search: |- | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes - WHERE Processes.process = "*-m local*" - OR - Processes.process = "*-m net*" - OR - Processes.process = "*-m all*" - OR - Processes.process = "*-nomutex*" + WHERE Processes.process IN ("*-m local","*-m local *") OR Processes.process IN ("*-m net","*-m net *") OR Processes.process IN ("*-m all","*-m all *") OR Processes.process IN ("*-nomutex","*-nomutex *") BY Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path diff --git a/detections/endpoint/detect_rundll32_inline_hta_execution.yml b/detections/endpoint/detect_rundll32_inline_hta_execution.yml index 44085e0631..ac40dd2452 100644 --- a/detections/endpoint/detect_rundll32_inline_hta_execution.yml +++ b/detections/endpoint/detect_rundll32_inline_hta_execution.yml @@ -14,9 +14,7 @@ search: |- | tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes WHERE `process_rundll32` (Processes.process=*vbscript* OR - Processes.process=*javascript* - OR - Processes.process=*about*) + Processes.process=*javascript*) BY Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path diff --git a/detections/endpoint/disable_schedule_task.yml b/detections/endpoint/disable_schedule_task.yml index 38fc0f18e5..5b8268d3a5 100644 --- a/detections/endpoint/disable_schedule_task.yml +++ b/detections/endpoint/disable_schedule_task.yml 
@@ -4,7 +4,7 @@ version: 9 date: '2026-03-10' author: Teoderick Contreras, Splunk status: production -type: TTP +type: Anomaly description: The following analytic detects the execution of a command to disable an existing scheduled task using 'schtasks.exe' with the '/change' and '/disable' parameters. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. Disabling scheduled tasks is significant as it is a common tactic used by adversaries, including malware like IcedID, to disable security applications and evade detection. If confirmed malicious, this activity could allow attackers to persist undetected, disable critical security defenses, and further compromise the targeted host. data_source: - Sysmon EventID 1 diff --git a/detections/endpoint/modify_acl_permission_to_files_or_folder.yml b/detections/endpoint/modify_acl_permission_to_files_or_folder.yml index c451761088..3aeb92554a 100644 --- a/detections/endpoint/modify_acl_permission_to_files_or_folder.yml +++ b/detections/endpoint/modify_acl_permission_to_files_or_folder.yml @@ -1,7 +1,7 @@ name: Modify ACL permission To Files Or Folder id: 7e8458cc-acca-11eb-9e3f-acde48001122 -version: 11 -date: '2026-03-10' +version: 12 +date: '2026-03-24' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -19,7 +19,7 @@ search: | from datamodel=Endpoint.Processes where Processes.process_name IN ("icacls.exe", "cacls.exe", "xcacls.exe") Processes.process IN ("*/grant*", "*/g:*", "*/g *") - Processes.process IN ("* Everyone:*", "* SYSTEM:*", "* S-1-1-0:*") + Processes.process IN ("* SYSTEM:*", "* S-1-1-0:*") by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec 
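Review bot: In the modify_acl_permission_to_files_or_folder.yml search hunk, dropping `"* Everyone:*"` while keeping `"* S-1-1-0:*"` makes the match depend on how the same principal was spelled on the command line (`S-1-1-0` is the Everyone SID), so grants written with the group name are no longer caught but grants written with its SID still are. If the removal is noise-driven, excluding the noisy parent or path seen in telemetry (e.g. `NOT Processes.parent_process_name="<noisy-parent-from-telemetry>"`) would keep both spellings covered. The `description` and `known_false_positives` sit outside this hunk and should be checked for text that still presents Everyone as in scope; the `search:` block also begins above the hunk.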
diff --git a/detections/endpoint/reg_exe_manipulating_windows_services_registry_keys.yml b/detections/endpoint/reg_exe_manipulating_windows_services_registry_keys.yml index b54e6672d7..36177885a3 100644 --- a/detections/endpoint/reg_exe_manipulating_windows_services_registry_keys.yml +++ b/detections/endpoint/reg_exe_manipulating_windows_services_registry_keys.yml @@ -1,7 +1,7 @@ name: Reg exe Manipulating Windows Services Registry Keys id: 8470d755-0c13-45b3-bd63-387a373c10cf -version: 14 -date: '2026-03-10' +version: 15 +date: '2026-03-24' author: Rico Valdez, Splunk status: production type: TTP @@ -12,7 +12,7 @@ data_source: - CrowdStrike ProcessRollup2 search: |- | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process_name) as process_name values(Processes.parent_process_name) as parent_process_name values(Processes.user) as user FROM datamodel=Endpoint.Processes - WHERE Processes.process_name=reg.exe Processes.process=*reg* Processes.process=*add* Processes.process=*Services* + WHERE (Processes.process_name=reg.exe Processes.process=*reg* Processes.process=*add* Processes.process=*Services*) AND NOT Processes.process=*Eventlog\\Application* BY Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path diff --git a/detections/endpoint/revil_common_exec_parameter.yml b/detections/endpoint/revil_common_exec_parameter.yml index 68142a301a..9a0a84218e 100644 --- a/detections/endpoint/revil_common_exec_parameter.yml +++ b/detections/endpoint/revil_common_exec_parameter.yml @@ -1,7 +1,7 @@ name: Revil Common Exec Parameter id: 85facebe-c382-11eb-9c3e-acde48001122 -version: 9 -date: '2026-03-10' +version: 10 +date: '2026-03-24' author: Teoderick Contreras, Splunk status: production type: TTP 
@@ -15,10 +15,6 @@ search: |- WHERE Processes.process = "* -nolan *" OR Processes.process = "* -nolocal *" - OR - Processes.process = "* -fast *" - OR - Processes.process = "* -full *" BY Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path diff --git a/detections/endpoint/ryuk_wake_on_lan_command.yml b/detections/endpoint/ryuk_wake_on_lan_command.yml index a4f0db8ec7..2ad57d4d8d 100644 --- a/detections/endpoint/ryuk_wake_on_lan_command.yml +++ b/detections/endpoint/ryuk_wake_on_lan_command.yml @@ -1,7 +1,7 @@ name: Ryuk Wake on LAN Command id: 538d0152-7aaa-11eb-beaa-acde48001122 -version: 11 -date: '2026-03-10' +version: 12 +date: '2026-03-24' author: Michael Haag, Splunk status: production type: TTP @@ -13,9 +13,9 @@ data_source: search: |- | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes WHERE ( - Processes.process="*8 LAN*" + Processes.process="* 8 LAN *" OR - Processes.process="*9 REP*" + Processes.process="* 9 REP *" ) BY Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid diff --git a/detections/endpoint/slui_spawning_a_process.yml b/detections/endpoint/slui_spawning_a_process.yml index 09eb46f4cd..300384c32c 100644 --- a/detections/endpoint/slui_spawning_a_process.yml +++ b/detections/endpoint/slui_spawning_a_process.yml @@ -1,7 +1,7 @@ name: SLUI Spawning a Process id: 879c4330-b3e0-11eb-b1b1-acde48001122 -version: 10 -date: '2026-03-10' +version: 11 +date: '2026-03-24' author: Michael Haag, Splunk status: production type: TTP 
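Review bot: In the ryuk_wake_on_lan_command.yml search hunk the new patterns `"* 8 LAN *"` and `"* 9 REP *"` require a literal space after `LAN`/`REP`, so a command line that ends in `8 LAN` or `9 REP` with nothing following no longer matches. The conti_common_exec_parameter.yml hunk in this same patch handles end-of-line with an `IN` pair, and the same shape fits here: `Processes.process IN ("* 8 LAN", "* 8 LAN *")` and `Processes.process IN ("* 9 REP", "* 9 REP *")`. The `BY` clause continues outside the hunk.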
@@ -12,7 +12,7 @@ data_source: - CrowdStrike ProcessRollup2 search: |- | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes - WHERE Processes.parent_process_name=slui.exe + WHERE Processes.parent_process_name=slui.exe AND NOT Processes.process_name=slui.exe BY Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path diff --git a/detections/endpoint/suspicious_rundll32_startw.yml b/detections/endpoint/suspicious_rundll32_startw.yml index 3097aeca9b..27012a5f68 100644 --- a/detections/endpoint/suspicious_rundll32_startw.yml +++ b/detections/endpoint/suspicious_rundll32_startw.yml @@ -1,7 +1,7 @@ name: Suspicious Rundll32 StartW id: 9319dda5-73f2-4d43-a85a-67ce961bddb7 -version: 12 -date: '2026-03-10' +version: 13 +date: '2026-03-24' author: Michael Haag, Splunk status: production type: TTP @@ -12,7 +12,7 @@ data_source: - CrowdStrike ProcessRollup2 search: |- | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes - WHERE `process_rundll32` Processes.process=*start* + WHERE `process_rundll32` Processes.process='* startw *'' BY Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path diff --git a/detections/endpoint/system_user_discovery_with_whoami.yml b/detections/endpoint/system_user_discovery_with_whoami.yml index b1b6ad213b..59bdf52ff5 100644 --- a/detections/endpoint/system_user_discovery_with_whoami.yml +++ b/detections/endpoint/system_user_discovery_with_whoami.yml 
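Review bot: `Processes.process='* startw *''` in the suspicious_rundll32_startw.yml hunk carries a stray trailing `'` and uses single quotes, while every other value in this patch is double-quoted, so the line should be checked before it ships. The pattern also requires a space after `startw`, which a command line whose last token is the `StartW` entry point does not have; `Processes.process IN ("* startw", "* startw *")` covers both forms and matches the `IN` pair style used in conti_common_exec_parameter.yml. The `BY` clause continues beyond the hunk.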
@@ -1,10 +1,10 @@ name: System User Discovery With Whoami id: 894fc43e-6f50-47d5-a68b-ee9ee23e18f4 -version: 9 -date: '2026-03-10' +version: 10 +date: '2026-03-24' author: Mauricio Velazco, Splunk status: production -type: Anomaly +type: Hunting description: The following analytic detects the execution of `whoami.exe` without any arguments. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This activity is significant because both Red Teams and adversaries use `whoami.exe` to identify the current logged-in user, aiding in situational awareness and Active Directory discovery. If confirmed malicious, this behavior could indicate an attacker is gathering information to further compromise the system, potentially leading to privilege escalation or lateral movement within the network. data_source: - Sysmon EventID 1 @@ -39,20 +39,6 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -rba: - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$. - risk_objects: - - field: user - type: user - score: 20 - - field: dest - type: system - score: 20 - threat_objects: - - field: parent_process_name - type: parent_process_name - - field: process_name - type: process_name tags: analytic_story: - Winter Vivern 
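Review bot: The second hunk in system_user_discovery_with_whoami.yml removes `rba` and the first sets `type: Hunting`, but `drilldown_searches` (which starts above the hunk) keeps the `View risk events for the last 7 days` search over `Risk.All_Risk`, which has nothing to show once the detection no longer emits risk events. windows_delete_or_modify_system_firewall.yml and windows_information_discovery_fsutil.yml in this same patch drop `drilldown_searches` together with `rba` when switching to Hunting; removing the block here would keep the three files consistent.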
diff --git a/detections/endpoint/windows_account_access_removal_via_logoff_exec.yml b/detections/endpoint/windows_account_access_removal_via_logoff_exec.yml index 482d4a4f37..dcf88cb8a7 100644 --- a/detections/endpoint/windows_account_access_removal_via_logoff_exec.yml +++ b/detections/endpoint/windows_account_access_removal_via_logoff_exec.yml @@ -10,7 +10,7 @@ status: production description: "The following analytic detects the process of logging off a user through the use of the quser and logoff commands. By monitoring for these commands, the analytic identifies actions where a user session is forcibly terminated, which could be part of an administrative task or a potentially unauthorized access attempt. This detection helps identify potential misuse or malicious activity where a user’s access is revoked without proper authorization, providing insight into potential security incidents involving account management or session manipulation." search: |- | tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes - WHERE Processes.process_name = logoff.exe + WHERE Processes.process_name = logoff.exe Processes.parent_process_name In ('cmd.exe', 'powershell.exe') BY Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path diff --git a/detections/endpoint/windows_application_whitelisting_bypass_attempt_via_rundll32.yml b/detections/endpoint/windows_application_whitelisting_bypass_attempt_via_rundll32.yml index 55c0092e15..21e3f16795 100644 --- a/detections/endpoint/windows_application_whitelisting_bypass_attempt_via_rundll32.yml +++ b/detections/endpoint/windows_application_whitelisting_bypass_attempt_via_rundll32.yml 
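Review bot: `Processes.parent_process_name In ('cmd.exe', 'powershell.exe')` in the windows_account_access_removal_via_logoff_exec.yml hunk uses single quotes and mixed-case `In`, whereas the rest of the patch writes `IN ("...", "...")` (for example the anomalous_usage_of_7zip.yml hunk); `Processes.parent_process_name IN ("cmd.exe", "powershell.exe")` matches that form and avoids any doubt about how the quotes are parsed. The parent restriction also narrows the detection to shell-spawned logoff.exe, which the `description` above the hunk does not mention; a sentence noting that only cmd.exe/powershell.exe parents are in scope would keep the documentation accurate.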
@@ -1,7 +1,7 @@ name: Windows Application Whitelisting Bypass Attempt via Rundll32 id: 1ef5dab0-e1f1-495d-a272-d134583c10b1 -version: 3 -date: '2026-03-10' +version: 4 +date: '2026-03-24' author: Michael Haag, Splunk status: production type: TTP @@ -33,6 +33,7 @@ search: | `process_rundll32` Processes.process IN ("*syssetup*", "*advpack*", "*setupapi*") Processes.process IN ("*LaunchINFSection*", "*InstallHinfSection*", "*SetupInfObjectInstallAction*") + NOT Processes.process=*Netskope* by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec diff --git a/detections/endpoint/windows_credentials_from_password_stores_deletion.yml b/detections/endpoint/windows_credentials_from_password_stores_deletion.yml index ab0b0de51a..2d5ee96492 100644 --- a/detections/endpoint/windows_credentials_from_password_stores_deletion.yml +++ b/detections/endpoint/windows_credentials_from_password_stores_deletion.yml @@ -1,7 +1,7 @@ name: Windows Credentials from Password Stores Deletion id: 46d676aa-40c6-4fe6-b917-d23b621f0f89 -version: 10 -date: '2026-03-10' +version: 11 +date: '2026-03-24' author: Teoderick Contreras, Splunk status: production type: TTP 
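Review bot: `NOT Processes.process=*Netskope*` in the windows_application_whitelisting_bypass_attempt_via_rundll32.yml search hunk is a substring match on the entire command line, so the exclusion is wider than the vendor installer it is presumably meant to cover. Anchoring it on the field that identifies that software—`Processes.parent_process_name` or a full path taken from telemetry, e.g. `NOT Processes.parent_process_path="<installer-dir-from-telemetry>"`—keeps the exclusion scoped to the observed source. The `search:` block begins above this hunk.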
@@ -12,9 +12,9 @@ data_source: description: The following analytic detects the execution of the Windows OS tool cmdkey.exe with the /delete parameter. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. The activity is significant because cmdkey.exe can be used by attackers to delete stored credentials, potentially leading to privilege escalation and persistence. If confirmed malicious, this behavior could allow attackers to remove stored user credentials, hindering incident response efforts and enabling further unauthorized access to the compromised system. search: |- | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes - WHERE Processes.process_name="cmdkey.exe" + WHERE (Processes.process_name="cmdkey.exe" OR - Processes.original_file_name = "cmdkey.exe" + Processes.original_file_name = "cmdkey.exe") AND Processes.process = "*/delete*" BY Processes.action Processes.dest Processes.original_file_name diff --git a/detections/endpoint/windows_delete_or_modify_system_firewall.yml b/detections/endpoint/windows_delete_or_modify_system_firewall.yml index 28f6ecf34a..9cb34abcec 100644 --- a/detections/endpoint/windows_delete_or_modify_system_firewall.yml +++ b/detections/endpoint/windows_delete_or_modify_system_firewall.yml @@ -4,7 +4,7 @@ version: 10 date: '2026-03-10' author: Teoderick Contreras, Splunk status: production -type: Anomaly +type: Hunting data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 
@@ -28,22 +28,6 @@ how_to_implement: The detection is based on data that originates from Endpoint D known_false_positives: Administrator may modify or delete firewall configuration. references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat -drilldown_searches: - - name: View the detection results for - "$dest$" - search: '%original_detection_search% | search dest = "$dest$"' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ - - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ -rba: - message: A $process_name$ deleted a firewall configuration on $dest$ - risk_objects: - - field: dest - type: system - score: 20 - threat_objects: [] tags: analytic_story: - NjRAT diff --git a/detections/endpoint/windows_indicator_removal_via_rmdir.yml b/detections/endpoint/windows_indicator_removal_via_rmdir.yml index 29fe53f741..322383adb4 100644 --- a/detections/endpoint/windows_indicator_removal_via_rmdir.yml +++ b/detections/endpoint/windows_indicator_removal_via_rmdir.yml @@ -1,7 +1,7 @@ name: Windows Indicator Removal Via Rmdir id: c4566d2c-b094-48a1-9c59-d66e22065560 -version: 9 -date: '2026-03-10' +version: 10 +date: '2026-03-24' author: Teoderick Contreras, Splunk status: production type: Anomaly 
@@ -10,7 +10,7 @@ data_source: - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 description: The following analytic detects the execution of the 'rmdir' command with '/s' and '/q' options to delete files and directory trees. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process metadata. This activity is significant as it may indicate malware attempting to remove traces or components during cleanup operations. If confirmed malicious, this behavior could allow attackers to eliminate forensic evidence, hinder incident response efforts, and maintain persistence by removing indicators of compromise. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = "*rmdir*" Processes.process = "* /s *" Processes.process = "* /q *" by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_indicator_removal_via_rmdir_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = "*rmdir*" Processes.process = "* /s *" Processes.process = "* /q *" Processes.parent_process_name NOT IN ("explorer.exe", "*HPDock*") by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec 
Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_indicator_removal_via_rmdir_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: user and network administrator can execute this command. references: diff --git a/detections/endpoint/windows_information_discovery_fsutil.yml b/detections/endpoint/windows_information_discovery_fsutil.yml index 2fc731d408..f7cb17bfb6 100644 --- a/detections/endpoint/windows_information_discovery_fsutil.yml +++ b/detections/endpoint/windows_information_discovery_fsutil.yml 
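Review bot: `Processes.parent_process_name NOT IN ("explorer.exe", "*HPDock*")` in the windows_indicator_removal_via_rmdir.yml hunk excludes every instance launched from the desktop shell, which is the ordinary parent for anything a user double-clicks, and `*HPDock*` is a wildcard on a process-name field where a path fragment seems to be intended. If explorer.exe-spawned noise is the driver, a narrower exclusion on the command line or on the specific noisy parent seen in telemetry would retain more coverage, and the `known_false_positives` line that follows could state what is now excluded. Whether `*HPDock*` ever matches a `parent_process_name` value cannot be told from the hunk.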
@@ -1,10 +1,10 @@ name: Windows Information Discovery Fsutil id: 2181f261-93e6-4166-a5a9-47deac58feff version: 10 -date: '2026-03-10' +date: '2026-03-24' author: Teoderick Contreras, Nasreddine Bencherchali, Splunk status: production -type: Anomaly +type: Hunting description: | The following analytic identifies the execution of the Windows built-in tool FSUTIL with the "FSINFO" or "Volume" parameters, in order to discover file system and disk information. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. 
@@ -51,22 +51,6 @@ references: - https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS - https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/ - https://www.microsoft.com/en-us/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/ -drilldown_searches: - - name: View the detection results for - "$dest$" - search: '%original_detection_search% | search dest = "$dest$"' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ - - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ -rba: - message: process $process_name$ with commandline $process$ is executed on $dest$ - risk_objects: - - field: dest - type: system - score: 20 - threat_objects: [] tags: analytic_story: - Windows Post-Exploitation diff --git a/detections/endpoint/windows_net_system_service_discovery.yml b/detections/endpoint/windows_net_system_service_discovery.yml index abcf3ce391..8082d1dd49 100644 --- a/detections/endpoint/windows_net_system_service_discovery.yml +++ b/detections/endpoint/windows_net_system_service_discovery.yml 
@@ -1,10 +1,10 @@
 name: Windows Net System Service Discovery
 id: dd7da098-83b8-4c48-b09d-e51aeb621e81
 version: 3
-date: '2026-03-10'
+date: '2026-03-24'
 author: Teoderick Contreras, Splunk
 status: production
-type: Anomaly
+type: Hunting
 description: The following analytic detects the enumeration of Windows services using the net start command, which is a built-in utility that lists all running services on a system. Adversaries, system administrators, or automated tools may use this command to gain situational awareness of what services are active, identify potential security software, or discover opportunities for privilege escalation and lateral movement. The execution of net start is often associated with reconnaissance activity during the early stages of an intrusion, as attackers attempt to map out the system’s defense mechanisms and operational services. By monitoring process execution for instances of cmd.exe /c net start or similar command-line usage, defenders can detect potentially suspicious activity. Correlating this behavior with other reconnaissance commands, such as tasklist or sc query, strengthens detection fidelity. While net start is not inherently malicious, unusual or repeated use in non-administrative contexts should be flagged for further investigation.
 data_source:
 - Sysmon EventID 1
@@ -30,29 +30,6 @@ how_to_implement: The detection is based on data that originates from Endpoint D known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://cert.gov.ua/article/6284730 -drilldown_searches: - - name: View the detection results for - "$user$" and "$dest$" - search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ - - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ -rba: - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to enumerate list of running services. - risk_objects: - - field: user - type: user - score: 20 - - field: dest - type: system - score: 20 - threat_objects: - - field: parent_process_name - type: parent_process_name - - field: process_name - type: process_name tags: analytic_story: - LAMEHUG diff --git a/detections/endpoint/windows_network_share_interaction_via_net.yml b/detections/endpoint/windows_network_share_interaction_via_net.yml index 71e8c4d665..101a267dda 100644 --- a/detections/endpoint/windows_network_share_interaction_via_net.yml +++ b/detections/endpoint/windows_network_share_interaction_via_net.yml 
@@ -1,10 +1,10 @@ name: Windows Network Share Interaction Via Net id: e51fbdb0-0be0-474f-92ea-d289f71a695e -version: 5 -date: '2026-03-10' +version: 6 +date: '2026-03-24' author: Dean Luxton status: production -type: Anomaly +type: Hunting data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 @@ -35,25 +35,6 @@ how_to_implement: The detection is based on data originating from either Endpoin known_false_positives: Administrators or power users may use this command. Additional filters needs to be applied. references: - https://attack.mitre.org/techniques/T1135/ -drilldown_searches: - - name: View the detection results for - "$dest$" and "$user$" - search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ - - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ -rba: - message: User $user$ leveraged net.exe on $dest$ to interact with network shares, executed by parent process $parent_process$ - risk_objects: - - field: dest - type: system - score: 20 - - field: user - type: user - score: 20 - threat_objects: [] tags: analytic_story: - Active Directory Discovery diff --git a/detections/endpoint/windows_rundll32_webdav_request.yml b/detections/endpoint/windows_rundll32_webdav_request.yml index 720ff89c3e..1d4e008aa3 100644 --- a/detections/endpoint/windows_rundll32_webdav_request.yml 
+++ b/detections/endpoint/windows_rundll32_webdav_request.yml @@ -1,9 +1,9 @@ name: Windows Rundll32 WebDAV Request id: 320099b7-7eb1-4153-a2b4-decb53267de2 -version: 9 -date: '2026-03-10' +version: 10 +date: '2026-03-24' author: Michael Haag, Splunk -type: TTP +type: Hunting status: production data_source: - Sysmon EventID 1 @@ -19,29 +19,6 @@ references: - https://twitter.com/domchell/status/1635999068282408962?s=20 - https://msrc.microsoft.com/blog/2023/03/microsoft-mitigates-outlook-elevation-of-privilege-vulnerability/ - https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/ -drilldown_searches: - - name: View the detection results for - "$user$" and "$dest$" - search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ - - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ -rba: - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to contact a remote WebDav server. - risk_objects: - - field: user - type: user - score: 50 - - field: dest - type: system - score: 50 - threat_objects: - - field: parent_process_name - type: parent_process_name - - field: process_name - type: process_name tags: analytic_story: - CVE-2023-23397 Outlook Elevation of Privilege 
diff --git a/detections/endpoint/windows_service_create_kernel_mode_driver.yml b/detections/endpoint/windows_service_create_kernel_mode_driver.yml index 8cc1498311..ba78067f54 100644 --- a/detections/endpoint/windows_service_create_kernel_mode_driver.yml +++ b/detections/endpoint/windows_service_create_kernel_mode_driver.yml @@ -12,7 +12,7 @@ data_source: - CrowdStrike ProcessRollup2 search: | | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes - where (Processes.process_name=sc.exe OR Processes.original_file_name=sc.exe) Processes.process IN ("*kernel*", "*filesys*") Processes.process="*type*" + where (Processes.process_name=sc.exe OR Processes.original_file_name=sc.exe) Processes.process="*create*" Processes.process IN ("*kernel*", "*filesys*") Processes.process="*type*" by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path 
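Review bot: Adding `Processes.process="*create*"` to the `where` clause drops `sc config <svc> type= kernel`, which turns an existing service into a kernel-driver service and is what the `sc-config` reference this file cites describes; if that path is still in scope, use `Processes.process IN ("*create*", "*config*")` instead of the single `*create*` term. `*create*` is also a bare substring, so a service name or binPath containing "create" matches regardless of the verb used; `"* create *"` would be tighter if the telemetry supports it. The `search:` block continues past the end of this hunk, so the trailing `by` fields and macros are not visible here.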
@@ -29,25 +29,6 @@ references: - https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/ - https://whiteknightlabs.com/2025/11/25/discreet-driver-loading-in-windows/ - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/sc-config -drilldown_searches: - - name: View the detection results for - "$user$" and "$dest$" - search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ - - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ -rba: - message: Service control, $process_name$, loaded a new kernel mode driver on $dest$ by $user$. - risk_objects: - - field: user - type: user - score: 50 - - field: dest - type: system - score: 50 - threat_objects: [] tags: analytic_story: - Windows Drivers diff --git a/detections/endpoint/windows_service_stop_by_deletion.yml b/detections/endpoint/windows_service_stop_by_deletion.yml index 37ba3dd442..c779e699f4 100644 --- a/detections/endpoint/windows_service_stop_by_deletion.yml +++ b/detections/endpoint/windows_service_stop_by_deletion.yml 
@@ -1,10 +1,10 @@
 name: Windows Service Stop By Deletion
 id: 196ff536-58d9-4d1b-9686-b176b04e430b
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-24'
 author: Teoderick Contreras, Splunk
 status: production
-type: TTP
+type: Hunting
 description: The following analytic detects the use of `sc.exe` to delete a Windows service. It leverages Endpoint Detection and Response (EDR) data, focusing on process execution logs that capture command-line arguments. This activity is significant because adversaries often delete services to disable security mechanisms or critical system functions, aiding in evasion and persistence. If confirmed malicious, this action could lead to the termination of essential security services, allowing attackers to operate undetected and potentially escalate their privileges or maintain long-term access to the compromised system.
 data_source:
 - Sysmon EventID 1
@@ -35,22 +35,6 @@ references: - https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/ - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md -drilldown_searches: - - name: View the detection results for - "$dest$" - search: '%original_detection_search% | search dest = "$dest$"' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ - - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ -rba: - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ attempting to delete a service. - risk_objects: - - field: dest - type: system - score: 50 - threat_objects: [] tags: analytic_story: - Azorult diff --git a/detections/endpoint/windows_sqlservr_spawning_shell.yml b/detections/endpoint/windows_sqlservr_spawning_shell.yml index 50663a7e70..1c09e7d6e1 100644 --- a/detections/endpoint/windows_sqlservr_spawning_shell.yml +++ b/detections/endpoint/windows_sqlservr_spawning_shell.yml 
@@ -1,10 +1,10 @@
 name: Windows Sqlservr Spawning Shell
 id: d33aac9f-030c-4830-8701-0c2dd75bb6cb
-version: 5
-date: '2026-03-10'
+version: 6
+date: '2026-03-24'
 author: Michael Haag, Splunk
 status: production
-type: TTP
+type: Hunting
 description: This analytic detects instances where the sqlservr.exe process spawns a command shell (cmd.exe) or PowerShell process. This behavior is often indicative of command execution initiated from within the SQL Server process, potentially due to exploitation of SQL injection vulnerabilities or the use of extended stored procedures like xp_cmdshell.
 data_source:
 - Sysmon EventID 1
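Review bot: Changing `type: TTP` to `type: Hunting` removes risk scoring and notable generation for sqlservr.exe spawning cmd.exe or PowerShell, which is the xp_cmdshell / SQL-injection post-exploitation signal the description on this same hunk names as the reason the analytic exists. If the telemetry behind this change showed a small set of benign child processes or parent contexts, excluding those in the analytic's filter macro (or the search) and keeping `TTP` or `Anomaly` would preserve coverage rather than dropping alerting entirely. At minimum `known_false_positives` (outside this hunk) should record which legitimate administrative or monitoring tools were observed, since a Hunting-type analytic relies on the analyst knowing what to filter.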
@@ -30,29 +30,6 @@ known_false_positives: Legitimate administrative activities or monitoring tools references: - https://attack.mitre.org/techniques/T1505/001/ - https://github.com/MHaggis/notes/tree/master/utilities/SQLSSTT -drilldown_searches: - - name: View the detection results for - "$dest$" and "$process_name$" - search: '%original_detection_search% | search dest = "$dest$" process_name = "$process_name$"' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ - - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ -rba: - message: A command shell was spawned by sqlservr.exe on host $dest$ by user $user$. This may indicate unauthorized command execution. - risk_objects: - - field: dest - type: system - score: 50 - - field: user - type: user - score: 50 - threat_objects: - - field: parent_process_name - type: parent_process_name - - field: process_name - type: process_name tags: analytic_story: - SQL Server Abuse diff --git a/detections/endpoint/windows_system_reboot_commandline.yml b/detections/endpoint/windows_system_reboot_commandline.yml index a460d62962..66dee0ba4f 100644 --- a/detections/endpoint/windows_system_reboot_commandline.yml +++ b/detections/endpoint/windows_system_reboot_commandline.yml 
@@ -1,10 +1,10 @@
 name: Windows System Reboot CommandLine
 id: 97fc2b60-c8eb-4711-93f7-d26fade3686f
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-24'
 author: Teoderick Contreras, Splunk
 status: production
-type: Anomaly
+type: Hunting
 description: The following analytic identifies the execution of the Windows command line to reboot a host machine using "shutdown.exe" with specific parameters. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant as it is often associated with advanced persistent threats (APTs) and remote access trojans (RATs) like dcrat, which may use system reboots to disrupt operations, aid in system destruction, or inhibit recovery. If confirmed malicious, this could lead to system downtime, data loss, or hindered incident response efforts.
 data_source:
 - Sysmon EventID 1
@@ -34,22 +34,6 @@ known_false_positives: Administrator may execute this commandline to trigger shu references: - https://attack.mitre.org/techniques/T1529/ - https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor -drilldown_searches: - - name: View the detection results for - "$dest$" - search: '%original_detection_search% | search dest = "$dest$"' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ - - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ -rba: - message: Process $process_name$ that executed reboot via commandline on $dest$ - risk_objects: - - field: dest - type: system - score: 20 - threat_objects: [] tags: analytic_story: - XWorm diff --git a/detections/endpoint/windows_system_remote_discovery_with_query.yml b/detections/endpoint/windows_system_remote_discovery_with_query.yml index 4b746c5d55..98e572a9b9 100644 --- a/detections/endpoint/windows_system_remote_discovery_with_query.yml +++ b/detections/endpoint/windows_system_remote_discovery_with_query.yml 
@@ -1,10 +1,10 @@
 name: Windows System Remote Discovery With Query
 id: 94859172-a521-474f-97ac-4cf4b09634a3
-version: 6
-date: '2026-03-10'
+version: 7
+date: '2026-03-24'
 author: Steven Dick
 status: production
-type: Anomaly
+type: Hunting
 description: The following analytic detects the execution of `query.exe` with command-line arguments aimed at discovering data on remote devices. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as adversaries may use `query.exe` to gain situational awareness and perform Active Directory discovery on compromised endpoints. If confirmed malicious, this behavior could allow attackers to identify various details about a system, aiding in further lateral movement and privilege escalation within the network.
 data_source:
 - Sysmon EventID 1
@@ -33,31 +33,6 @@ how_to_implement: The detection is based on data that originates from Endpoint D known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1033/ -drilldown_searches: - - name: View the detection results for - "$dest$" and "$user$" - search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ - - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$","$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ - - name: Investigate processes on $dest$ - search: '| from datamodel:Endpoint.Processes | search dest=$dest$ process_name = $process_name|s$' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ -rba: - message: The user $user$ ran the Query command to enumerate the remote system $dest$ - risk_objects: - - field: user - type: user - score: 20 - - field: dest - type: system - score: 20 - threat_objects: - - field: process_name - type: process_name tags: analytic_story: - Active Directory Discovery diff --git a/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml b/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml index a952339f70..067e1547d6 100644 --- a/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml +++ b/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml 
@@ -1,10 +1,10 @@
 name: Wscript Or Cscript Suspicious Child Process
 id: 1f35e1da-267b-11ec-90a9-acde48001122
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-26'
 author: Teoderick Contreras, Splunk
 status: production
-type: TTP
+type: Anomaly
 description: This analytic identifies a suspicious spawned process by WScript or CScript process. This technique was a common technique used by adversaries and malware to execute different LOLBIN, other scripts like PowerShell or spawn a suspended process to inject its code as a defense evasion. This TTP may detect some normal script that uses several application tools that are in the list of the child process it detects but a good pivot and indicator that a script may execute suspicious code.
 data_source:
 - Sysmon EventID 1
diff --git a/removed/deprecation_mapping.YML b/removed/deprecation_mapping.YML
index 7583049521..f73d8f6bc7 100644
--- a/removed/deprecation_mapping.YML
+++ b/removed/deprecation_mapping.YML
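Review bot: The `description` context line in this hunk still calls the analytic a TTP (`This TTP may detect some normal script ...`) while the change sets `type: Anomaly`, so the file now contradicts itself. Reword that sentence to `This analytic may detect some normal scripts that use several of the listed child applications, but it is a good pivot and indicator that a script may be executing suspicious code.` The `rba` score and any drilldowns live outside this hunk and should be checked for consistency with the new type.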
@@ -1,4 +1,19 @@
 detections:
+ - content: Sc exe Manipulating Windows Services
+ removed_in_version: 5.28.0
+ reason: Detection is deprecated as the usage of sc.exe by itself is often used for legitimate purposes.
+ - content: Processes launching netsh
+ removed_in_version: 5.28.0
+ reason: Detection is deprecated as the usage of netsh.exe by itself is often used for legitimate purposes.
+ - content: Possible Lateral Movement PowerShell Spawn
+ removed_in_version: 5.28.0
+ reason: Detection is deprecated as the usage of PowerShell as a child process of svchost.exe is often used for legitimate purposes.
+ - content: CHCP Command Execution
+ removed_in_version: 5.28.0
+ reason: Detection is deprecated as the usage of chcp.com by itself is not malicious.
+ - content: Attempt To Add Certificate To Untrusted Store
+ removed_in_version: 5.28.0
+ reason: Detection is deprecated as the usage of certutil and addstore by itself is not malicious.
 - content: Abnormally High Number Of Cloud Infrastructure API Calls
 removed_in_version: 5.26.0
 reason: Detection is deprecated as these do not work with the latest Splunk AI Toolkit(5.7.0) and Python for Scientific Computing for Linux 64-bit(4.3.0).
From 1e0096296b4133851bb79e09b2e31bf97c78dfae Mon Sep 17 00:00:00 2001 From: P4T12ICK Date: Thu, 26 Mar 2026 07:52:19 +0100 Subject: [PATCH 02/18] bug fix --- ...dows_service_create_kernel_mode_driver.yml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+)
diff --git a/detections/endpoint/windows_service_create_kernel_mode_driver.yml b/detections/endpoint/windows_service_create_kernel_mode_driver.yml
index ba78067f54..2aa4c998a7 100644
--- a/detections/endpoint/windows_service_create_kernel_mode_driver.yml
+++ b/detections/endpoint/windows_service_create_kernel_mode_driver.yml
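Review bot: None of the five new deprecation entries carries `replacement_content`, even though the mapping supports that key (the `Processes created by netsh` entry in this same file uses it). For `Sc exe Manipulating Windows Services` and `Processes launching netsh` in particular, if narrower sc.exe or netsh analytics remain in production they should be listed here so consumers can migrate rather than silently lose coverage; if there is genuinely no replacement, the `reason` should say so, e.g. `... legitimate purposes; no direct replacement, see the more specific sc.exe analytics.` The reasons also describe why the tool is benign rather than what the telemetry showed, which is what the commit message claims motivated the change.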
@@ -29,6 +29,25 @@ references:
 - https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/
 - https://whiteknightlabs.com/2025/11/25/discreet-driver-loading-in-windows/
 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/sc-config
+drilldown_searches:
+ - name: View the detection results for - "$user$" and "$dest$"
+ search: '%original_detection_search% | search user = "$user$" dest = "$dest$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+ - name: View risk events for the last 7 days for - "$user$" and "$dest$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+rba:
+ message: Service control, $process_name$, loaded a new kernel mode driver on $dest$ by $user$.
+ risk_objects:
+ - field: user
+ type: user
+ score: 50
+ - field: dest
+ type: system
+ score: 50
+ threat_objects: []
 tags:
 analytic_story:
 - Windows Drivers
From e86354e45b34c9b508cf9dedd17f4d53a22ba0a1 Mon Sep 17 00:00:00 2001 From: P4T12ICK Date: Thu, 26 Mar 2026 07:55:10 +0100 Subject: [PATCH 03/18] bug fix --- removed/deprecation_mapping.YML | 2 -- 1 file changed, 2 deletions(-)
diff --git a/removed/deprecation_mapping.YML b/removed/deprecation_mapping.YML
index f73d8f6bc7..4bda8c7aab 100644
--- a/removed/deprecation_mapping.YML
+++ b/removed/deprecation_mapping.YML
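Review bot: The restored `rba.message` says `$process_name$ loaded a new kernel mode driver`, but the search this file carries only matches the `sc.exe create ... type= kernel` registration; the driver is not loaded until the service is started or the host reboots. Reword it to `Service control, $process_name$, registered a new kernel mode driver service on $dest$ by $user$.` so analysts do not assume the driver is already running. As a style point, the other analytics in this series populate `threat_objects` with `process_name` / `parent_process_name`; leaving it as `[]` here forfeits that pivot.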
@@ -654,8 +654,6 @@ detections:
 - content: Processes created by netsh
 removed_in_version: 5.2.0
 reason: Updated to a new detection name
- replacement_content:
- - Processes launching netsh
 - content: Office Product Spawning Wmic
 removed_in_version: 5.2.0
 reason: Detection deprecated as it no longer effectively identifies the intended malicious activity
From 90efd9a8efaf4961463f9ac8c33911c8a98a9425 Mon Sep 17 00:00:00 2001 From: P4T12ICK Date: Thu, 26 Mar 2026 08:01:41 +0100 Subject: [PATCH 04/18] bumped version numbers and dates --- .../attempt_to_add_certificate_to_untrusted_store.yml | 4 ++-- .../deprecated/possible_lateral_movement_powershell_spawn.yml | 4 ++-- detections/deprecated/processes_launching_netsh.yml | 4 ++-- .../deprecated/sc_exe_manipulating_windows_services.yml | 4 ++-- detections/endpoint/anomalous_usage_of_7zip.yml | 4 ++-- detections/endpoint/conti_common_exec_parameter.yml | 4 ++-- detections/endpoint/detect_rundll32_inline_hta_execution.yml | 4 ++-- detections/endpoint/disable_schedule_task.yml | 4 ++-- .../windows_account_access_removal_via_logoff_exec.yml | 4 ++-- .../endpoint/windows_delete_or_modify_system_firewall.yml | 4 ++-- detections/endpoint/windows_information_discovery_fsutil.yml | 4 ++-- detections/endpoint/windows_net_system_service_discovery.yml | 4 ++-- .../endpoint/windows_service_create_kernel_mode_driver.yml | 4 ++-- 13 files changed, 26 insertions(+), 26 deletions(-)
diff --git a/detections/deprecated/attempt_to_add_certificate_to_untrusted_store.yml b/detections/deprecated/attempt_to_add_certificate_to_untrusted_store.yml
index db14e667bb..e96a336530 100644
--- a/detections/deprecated/attempt_to_add_certificate_to_untrusted_store.yml
+++ b/detections/deprecated/attempt_to_add_certificate_to_untrusted_store.yml
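Review bot: Dropping `replacement_content` from the `Processes created by netsh` entry leaves its `reason: Updated to a new detection name` pointing at nothing, since the renamed analytic (`Processes launching netsh`) is itself deprecated in this same series. Update the reason so the mapping still records where the content went, e.g. `reason: Renamed to Processes launching netsh, which was itself deprecated in 5.28.0`. Without that, a consumer reading the 5.2.0 entry has no way to find the follow-on deprecation.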
@@ -1,7 +1,7 @@ name: Attempt To Add Certificate To Untrusted Store id: 6bc5243e-ef36-45dc-9b12-f4a6be131159 -version: 18 -date: '2026-03-10' +version: 19 +date: '2026-03-26' author: Patrick Bareiss, Rico Valdez, Splunk status: deprecated type: Anomaly diff --git a/detections/deprecated/possible_lateral_movement_powershell_spawn.yml b/detections/deprecated/possible_lateral_movement_powershell_spawn.yml index 5a3b088fc9..9f13cb7499 100644 --- a/detections/deprecated/possible_lateral_movement_powershell_spawn.yml +++ b/detections/deprecated/possible_lateral_movement_powershell_spawn.yml @@ -1,7 +1,7 @@ name: Possible Lateral Movement PowerShell Spawn id: cb909b3e-512b-11ec-aa31-3e22fbd008af -version: 13 -date: '2026-03-10' +version: 14 +date: '2026-03-26' author: Mauricio Velazco, Michael Haag, Splunk status: deprecated type: TTP diff --git a/detections/deprecated/processes_launching_netsh.yml b/detections/deprecated/processes_launching_netsh.yml index 7d5f6c5821..52ec5e0e14 100644 --- a/detections/deprecated/processes_launching_netsh.yml +++ b/detections/deprecated/processes_launching_netsh.yml @@ -1,7 +1,7 @@ name: Processes launching netsh id: b89919ed-fe5f-492c-b139-95dbb162040e -version: 13 -date: '2026-03-10' +version: 14 +date: '2026-03-26' author: Michael Haag, Josef Kuepker, Splunk status: deprecated type: Anomaly diff --git a/detections/deprecated/sc_exe_manipulating_windows_services.yml b/detections/deprecated/sc_exe_manipulating_windows_services.yml index d4538c417f..8be1c1e744 100644 --- a/detections/deprecated/sc_exe_manipulating_windows_services.yml +++ b/detections/deprecated/sc_exe_manipulating_windows_services.yml @@ -1,7 +1,7 @@ name: Sc exe Manipulating Windows Services id: f0c693d8-2a89-4ce7-80b4-98fea4c3ea6d -version: 14 -date: '2026-03-10' +version: 15 +date: '2026-03-26' author: Rico Valdez, Splunk status: deprecated type: TTP 
diff --git a/detections/endpoint/anomalous_usage_of_7zip.yml b/detections/endpoint/anomalous_usage_of_7zip.yml index c74405f41b..54abfa677f 100644 --- a/detections/endpoint/anomalous_usage_of_7zip.yml +++ b/detections/endpoint/anomalous_usage_of_7zip.yml @@ -1,7 +1,7 @@ name: Anomalous usage of 7zip id: 9364ee8e-a39a-11eb-8f1d-acde48001122 -version: 12 -date: '2026-03-10' +version: 13 +date: '2026-03-26' author: Michael Haag, Teoderick Contreras, Splunk status: production type: Anomaly diff --git a/detections/endpoint/conti_common_exec_parameter.yml b/detections/endpoint/conti_common_exec_parameter.yml index 8bbb0951a9..3e034f82aa 100644 --- a/detections/endpoint/conti_common_exec_parameter.yml +++ b/detections/endpoint/conti_common_exec_parameter.yml @@ -1,7 +1,7 @@ name: Conti Common Exec parameter id: 624919bc-c382-11eb-adcc-acde48001122 -version: 12 -date: '2026-03-10' +version: 13 +date: '2026-03-26' author: Teoderick Contreras, Splunk status: production type: TTP diff --git a/detections/endpoint/detect_rundll32_inline_hta_execution.yml b/detections/endpoint/detect_rundll32_inline_hta_execution.yml index ac40dd2452..2321f75524 100644 --- a/detections/endpoint/detect_rundll32_inline_hta_execution.yml +++ b/detections/endpoint/detect_rundll32_inline_hta_execution.yml @@ -1,7 +1,7 @@ name: Detect Rundll32 Inline HTA Execution id: 91c79f14-5b41-11eb-ae93-0242ac130002 -version: 11 -date: '2026-03-10' +version: 12 +date: '2026-03-26' author: Michael Haag, Splunk status: production type: TTP diff --git a/detections/endpoint/disable_schedule_task.yml b/detections/endpoint/disable_schedule_task.yml index 5b8268d3a5..7b5bbb24ae 100644 --- a/detections/endpoint/disable_schedule_task.yml +++ b/detections/endpoint/disable_schedule_task.yml @@ -1,7 +1,7 @@ name: Disable Schedule Task id: db596056-3019-11ec-a9ff-acde48001122 -version: 9 -date: '2026-03-10' +version: 10 +date: '2026-03-26' author: Teoderick Contreras, Splunk status: production type: Anomaly 
diff --git a/detections/endpoint/windows_account_access_removal_via_logoff_exec.yml b/detections/endpoint/windows_account_access_removal_via_logoff_exec.yml index dcf88cb8a7..b39b9533d7 100644 --- a/detections/endpoint/windows_account_access_removal_via_logoff_exec.yml +++ b/detections/endpoint/windows_account_access_removal_via_logoff_exec.yml @@ -1,7 +1,7 @@ name: Windows Account Access Removal via Logoff Exec id: 223572ab-8768-4e20-9b39-c38707af80dc -version: 6 -date: '2026-03-10' +version: 7 +date: '2026-03-26' author: Teoderick Contreras, Splunk data_source: - Sysmon EventID 1 diff --git a/detections/endpoint/windows_delete_or_modify_system_firewall.yml b/detections/endpoint/windows_delete_or_modify_system_firewall.yml index 9cb34abcec..81b1e07e50 100644 --- a/detections/endpoint/windows_delete_or_modify_system_firewall.yml +++ b/detections/endpoint/windows_delete_or_modify_system_firewall.yml @@ -1,7 +1,7 @@ name: Windows Delete or Modify System Firewall id: b188d11a-eba7-419d-b8b6-cc265b4f2c4f -version: 10 -date: '2026-03-10' +version: 11 +date: '2026-03-26' author: Teoderick Contreras, Splunk status: production type: Hunting diff --git a/detections/endpoint/windows_information_discovery_fsutil.yml b/detections/endpoint/windows_information_discovery_fsutil.yml index f7cb17bfb6..784b606d23 100644 --- a/detections/endpoint/windows_information_discovery_fsutil.yml +++ b/detections/endpoint/windows_information_discovery_fsutil.yml @@ -1,7 +1,7 @@ name: Windows Information Discovery Fsutil id: 2181f261-93e6-4166-a5a9-47deac58feff -version: 10 -date: '2026-03-24' +version: 11 +date: '2026-03-26' author: Teoderick Contreras, Nasreddine Bencherchali, Splunk status: production type: Hunting diff --git a/detections/endpoint/windows_net_system_service_discovery.yml b/detections/endpoint/windows_net_system_service_discovery.yml index 8082d1dd49..a0f0c1f1bb 100644 --- a/detections/endpoint/windows_net_system_service_discovery.yml 
+++ b/detections/endpoint/windows_net_system_service_discovery.yml @@ -1,7 +1,7 @@ name: Windows Net System Service Discovery id: dd7da098-83b8-4c48-b09d-e51aeb621e81 -version: 3 -date: '2026-03-24' +version: 4 +date: '2026-03-26' author: Teoderick Contreras, Splunk status: production type: Hunting diff --git a/detections/endpoint/windows_service_create_kernel_mode_driver.yml b/detections/endpoint/windows_service_create_kernel_mode_driver.yml index 2aa4c998a7..5546d476f4 100644 --- a/detections/endpoint/windows_service_create_kernel_mode_driver.yml +++ b/detections/endpoint/windows_service_create_kernel_mode_driver.yml @@ -1,7 +1,7 @@ name: Windows Service Create Kernel Mode Driver id: 0b4e3b06-1b2b-4885-b752-cf06d12a90cb -version: 10 -date: '2026-03-10' +version: 11 +date: '2026-03-26' author: Michael Haag, Teoderick Contreras Splunk status: production type: TTP From fee2237a5fc9790b13da65124b040abc14beafb8 Mon Sep 17 00:00:00 2001 From: P4T12ICK Date: Thu, 26 Mar 2026 08:44:26 +0100 Subject: [PATCH 05/18] bug fix --- detections/endpoint/ryuk_wake_on_lan_command.yml | 4 ++++ detections/endpoint/suspicious_rundll32_startw.yml | 2 +- .../windows_account_access_removal_via_logoff_exec.yml | 2 +- detections/endpoint/windows_indicator_removal_via_rmdir.yml | 2 +- 4 files changed, 7 insertions(+), 3 deletions(-) diff --git a/detections/endpoint/ryuk_wake_on_lan_command.yml b/detections/endpoint/ryuk_wake_on_lan_command.yml index 2ad57d4d8d..1ea2b64069 100644 --- a/detections/endpoint/ryuk_wake_on_lan_command.yml +++ b/detections/endpoint/ryuk_wake_on_lan_command.yml @@ -13,8 +13,12 @@ data_source: search: |- | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes WHERE ( + Processes.process="* 8 LAN" + OR Processes.process="* 8 LAN *" OR + Processes.process="* 9 REP" + OR Processes.process="* 9 REP *" ) BY Processes.action Processes.dest Processes.original_file_name 
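Review bot: The four added lines leave the Ryuk condition as a mix of bare `OR` lines and `OR Processes.process=` lines, which is harder to read than the single IN list this same series adopts for the Conti analytic. The whole WHERE clause can be collapsed to `WHERE Processes.process IN ("* 8 LAN", "* 8 LAN *", "* 9 REP", "* 9 REP *")`, which is equivalent and makes the end-of-command-line case this patch adds obvious at a glance. Nothing in the hunk constrains `process_name`, so these argument patterns alone carry the detection; that deserves a sentence in `known_false_positives` if it is not already there (that field is outside this hunk).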
diff --git a/detections/endpoint/suspicious_rundll32_startw.yml b/detections/endpoint/suspicious_rundll32_startw.yml index 27012a5f68..241966d9eb 100644 --- a/detections/endpoint/suspicious_rundll32_startw.yml +++ b/detections/endpoint/suspicious_rundll32_startw.yml @@ -12,7 +12,7 @@ data_source: - CrowdStrike ProcessRollup2 search: |- | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes - WHERE `process_rundll32` Processes.process='* startw *'' + WHERE `process_rundll32` Processes.process='* startw *' BY Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path diff --git a/detections/endpoint/windows_account_access_removal_via_logoff_exec.yml b/detections/endpoint/windows_account_access_removal_via_logoff_exec.yml index b39b9533d7..f7effa8631 100644 --- a/detections/endpoint/windows_account_access_removal_via_logoff_exec.yml +++ b/detections/endpoint/windows_account_access_removal_via_logoff_exec.yml 
@@ -10,7 +10,7 @@ status: production description: "The following analytic detects the process of logging off a user through the use of the quser and logoff commands. By monitoring for these commands, the analytic identifies actions where a user session is forcibly terminated, which could be part of an administrative task or a potentially unauthorized access attempt. This detection helps identify potential misuse or malicious activity where a user’s access is revoked without proper authorization, providing insight into potential security incidents involving account management or session manipulation." search: |- | tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes - WHERE Processes.process_name = logoff.exe Processes.parent_process_name In ('cmd.exe', 'powershell.exe') + WHERE Processes.process_name = logoff.exe Processes.parent_process_name IN ('cmd.exe', 'powershell.exe') BY Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path diff --git a/detections/endpoint/windows_indicator_removal_via_rmdir.yml b/detections/endpoint/windows_indicator_removal_via_rmdir.yml index 322383adb4..ddb33ef4bc 100644 --- a/detections/endpoint/windows_indicator_removal_via_rmdir.yml +++ b/detections/endpoint/windows_indicator_removal_via_rmdir.yml 
@@ -10,7 +10,7 @@ data_source: - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 description: The following analytic detects the execution of the 'rmdir' command with '/s' and '/q' options to delete files and directory trees. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process metadata. This activity is significant as it may indicate malware attempting to remove traces or components during cleanup operations. If confirmed malicious, this behavior could allow attackers to eliminate forensic evidence, hinder incident response efforts, and maintain persistence by removing indicators of compromise. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = "*rmdir*" Processes.process = "* /s *" Processes.process = "* /q *" Processes.parent_process_name NOT IN ("explorer.exe", "*HPDock*") by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_indicator_removal_via_rmdir_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = "*rmdir*" Processes.process = "* /s *" Processes.process = "* /q *" NOT Processes.parent_process_name IN ("explorer.exe", "*HPDock*") by Processes.action Processes.dest Processes.original_file_name 
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_indicator_removal_via_rmdir_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: user and network administrator can execute this command. references: From 106a9ba5ca9ffaae92df3453d75f8bde0322a359 Mon Sep 17 00:00:00 2001 From: P4T12ICK Date: Thu, 26 Mar 2026 09:28:52 +0100 Subject: [PATCH 06/18] bug fixes --- detections/endpoint/suspicious_rundll32_startw.yml | 2 +- .../endpoint/windows_account_access_removal_via_logoff_exec.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/detections/endpoint/suspicious_rundll32_startw.yml b/detections/endpoint/suspicious_rundll32_startw.yml index 241966d9eb..f1a34ddcf6 100644 --- a/detections/endpoint/suspicious_rundll32_startw.yml +++ b/detections/endpoint/suspicious_rundll32_startw.yml 
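Review bot: The rewritten search still keys only on `*rmdir*`, so cmd's `rd /s /q` alias, which performs the same recursive deletion, is not matched; if that is in scope, `Processes.process IN ("*rmdir *", "* rd *")` in place of `Processes.process = "*rmdir*"` covers both, though `* rd *` should be checked against your telemetry for collisions with other tooling. The `NOT Processes.parent_process_name IN (...)` form is the right SPL, since `field NOT IN (...)` is not accepted in a tstats WHERE clause. Note that `*HPDock*` is a wildcard on the parent name, so any parent process whose name contains that token is excluded, not just the HP Dock updater.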
@@ -12,7 +12,7 @@ data_source: - CrowdStrike ProcessRollup2 search: |- | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes - WHERE `process_rundll32` Processes.process='* startw *' + WHERE `process_rundll32` Processes.process="* startw *" BY Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path diff --git a/detections/endpoint/windows_account_access_removal_via_logoff_exec.yml b/detections/endpoint/windows_account_access_removal_via_logoff_exec.yml index f7effa8631..a73b9ee565 100644 --- a/detections/endpoint/windows_account_access_removal_via_logoff_exec.yml +++ b/detections/endpoint/windows_account_access_removal_via_logoff_exec.yml 
@@ -10,7 +10,7 @@ status: production description: "The following analytic detects the process of logging off a user through the use of the quser and logoff commands. By monitoring for these commands, the analytic identifies actions where a user session is forcibly terminated, which could be part of an administrative task or a potentially unauthorized access attempt. This detection helps identify potential misuse or malicious activity where a user’s access is revoked without proper authorization, providing insight into potential security incidents involving account management or session manipulation." search: |- | tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes - WHERE Processes.process_name = logoff.exe Processes.parent_process_name IN ('cmd.exe', 'powershell.exe') + WHERE Processes.process_name = logoff.exe Processes.parent_process_name IN (cmd.exe, powershell.exe) BY Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path From dc3f50b24bcc6e22be2ecb48daf84d16df8976af Mon Sep 17 00:00:00 2001 From: P4T12ICK Date: Thu, 26 Mar 2026 10:13:15 +0100 Subject: [PATCH 07/18] bug fix --- detections/endpoint/suspicious_rundll32_startw.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/endpoint/suspicious_rundll32_startw.yml b/detections/endpoint/suspicious_rundll32_startw.yml index f1a34ddcf6..14f37c0c95 100644 --- a/detections/endpoint/suspicious_rundll32_startw.yml +++ b/detections/endpoint/suspicious_rundll32_startw.yml 
@@ -12,7 +12,7 @@ data_source: - CrowdStrike ProcessRollup2 search: |- | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes - WHERE `process_rundll32` Processes.process="* startw *" + WHERE `process_rundll32` Processes.process IN ("*startw", "*startw *") BY Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path From 520bfc060c7e9581e0a5fc5b227ed7b563d324a7 Mon Sep 17 00:00:00 2001 From: P4T12ICK Date: Thu, 26 Mar 2026 10:19:11 +0100 Subject: [PATCH 08/18] bug fix --- detections/endpoint/anomalous_usage_of_7zip.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/endpoint/anomalous_usage_of_7zip.yml b/detections/endpoint/anomalous_usage_of_7zip.yml index 54abfa677f..1b7a64b67b 100644 --- a/detections/endpoint/anomalous_usage_of_7zip.yml +++ b/detections/endpoint/anomalous_usage_of_7zip.yml 
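Review bot: `"*startw"` drops the leading-space boundary the previous pattern had, so any rundll32 command line that merely ends in those six characters now matches, not only the `dll,StartW` export form this analytic targets (rundll32 takes the export name after a comma, and in practice also after a space). If the export-name form is the intent, anchor it: `Processes.process IN ("*,startw", "*,startw *", "* startw", "* startw *")`. The `process_rundll32` macro already bounds the scope to rundll32, so the broadening is limited, but the change in matching behaviour is worth a line in `known_false_positives`, which is outside this hunk.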
@@ -25,7 +25,7 @@ search: |- | `security_content_ctime(lastTime)` | `anomalous_usage_of_7zip_filter` how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives should be limited as this behavior is not normal for `rundll32.exe` or `dllhost.exe` to spawn and run 7zip. +known_false_positives: False positives should be limited as this behavior is not normal for `rundll32.exe` or `dllhost.exe` to spawn and run 7zip. references: - https://attack.mitre.org/techniques/T1560/001/ - https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/ From 6d5d970ee6f5dfbc292d1bc5153a0fdb0a9181a1 Mon Sep 17 00:00:00 2001 From: p4t12ick Date: Thu, 26 Mar 2026 16:43:13 +0100 Subject: [PATCH 09/18] Update detections/endpoint/anomalous_usage_of_7zip.yml Co-authored-by: Nasreddine Bencherchali --- detections/endpoint/anomalous_usage_of_7zip.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/endpoint/anomalous_usage_of_7zip.yml b/detections/endpoint/anomalous_usage_of_7zip.yml index 1b7a64b67b..38b6591253 100644 --- a/detections/endpoint/anomalous_usage_of_7zip.yml +++ b/detections/endpoint/anomalous_usage_of_7zip.yml 
@@ -12,7 +12,7 @@ data_source:
 - CrowdStrike ProcessRollup2
 search: |-
 | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
- WHERE (Processes.parent_process_name IN ("rundll32.exe", "dllhost.exe") Processes.process_name=*7z*) AND NOT Processes.process_path = *VMWare*
+ WHERE (Processes.parent_process_name IN ("rundll32.exe", "dllhost.exe") Processes.process_name=*7z*) AND NOT Processes.process_path = "C:\\Program Files\\VMware\\VMware Tools\\7za.exe"
 BY Processes.action Processes.dest Processes.original_file_name
 Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
 Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
From b4c800deb28fc179c8ec66fe4bef3dca48398d83 Mon Sep 17 00:00:00 2001
From: p4t12ick
Date: Thu, 26 Mar 2026 16:43:29 +0100
Subject: [PATCH 10/18] Update detections/endpoint/conti_common_exec_parameter.yml
Co-authored-by: Nasreddine Bencherchali
---
detections/endpoint/conti_common_exec_parameter.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/detections/endpoint/conti_common_exec_parameter.yml b/detections/endpoint/conti_common_exec_parameter.yml
index 3e034f82aa..1fe0bcf79c 100644
--- a/detections/endpoint/conti_common_exec_parameter.yml
+++ b/detections/endpoint/conti_common_exec_parameter.yml
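Review bot: The exclusion hard-codes a vendor path into the tstats WHERE clause even though the search already ends in `` `anomalous_usage_of_7zip_filter` `` (visible in the neighbouring hunk of this file), which is the project's mechanism for environment-specific tuning; moving `NOT Processes.process_path = "C:\\Program Files\\VMware\\VMware Tools\\7za.exe"` into that macro keeps the analytic generic and lets sites without VMware Tools drop it. Replacing `*VMWare*` with a full path is the right direction, since the old substring match let any binary with that token anywhere in its path slip past the detection. The exact path is still only a path check, so a 7za.exe dropped into that directory is excluded as well; that caveat belongs in `known_false_positives`.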
@@ -12,7 +12,7 @@ data_source:
 - CrowdStrike ProcessRollup2
 search: |-
 | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
- WHERE Processes.process IN ("*-m local","*-m local *") OR Processes.process IN ("*-m net","*-m net *") OR Processes.process IN ("*-m all","*-m all *") OR Processes.process IN ("*-nomutex","*-nomutex *")
+ WHERE Processes.process IN ("*-m local", "*-m local *", "*-m net", "*-m net *", "*-m all","*-m all *", "*-nomutex", "*-nomutex *")
 BY Processes.action Processes.dest Processes.original_file_name
 Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
 Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
From 4912e0918476dedee14c09a8bcf5f42f96011dff Mon Sep 17 00:00:00 2001
From: p4t12ick
Date: Thu, 26 Mar 2026 16:44:53 +0100
Subject: [PATCH 11/18] Update detections/endpoint/system_user_discovery_with_whoami.yml
Co-authored-by: Nasreddine Bencherchali
---
detections/endpoint/system_user_discovery_with_whoami.yml | 2 ++
1 file changed, 2 insertions(+)
diff --git a/detections/endpoint/system_user_discovery_with_whoami.yml b/detections/endpoint/system_user_discovery_with_whoami.yml
index 59bdf52ff5..52ae36ba3f 100644
--- a/detections/endpoint/system_user_discovery_with_whoami.yml
+++ b/detections/endpoint/system_user_discovery_with_whoami.yml
@@ -14,6 +14,8 @@ search: |-
 | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
 WHERE (
 Processes.process_name="whoami.exe"
+ OR
+ Processes.process_original_file_name="whoami.exe"
 )
 BY Processes.action Processes.dest Processes.original_file_name
 Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
From 3c1d41e219bc1775e9521df8135a6c1df128106c Mon Sep 17 00:00:00 2001
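Review bot: The added whoami branch references `Processes.process_original_file_name`, but the Endpoint.Processes field used everywhere else in this file, including the BY clause two lines below, is `Processes.original_file_name`; a tstats WHERE on a field the data model does not define matches nothing, so the new OR branch is dead and the analytic still fires only on the `process_name`. Change it to `Processes.original_file_name="whoami.exe"`. With that fix the branch does what the commit intends, catching a renamed copy of whoami by its PE OriginalFileName.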
From: p4t12ick Date: Thu, 26 Mar 2026 16:45:40 +0100 Subject: [PATCH 12/18] Update detections/endpoint/windows_application_whitelisting_bypass_attempt_via_rundll32.yml Co-authored-by: Nasreddine Bencherchali --- ...ows_application_whitelisting_bypass_attempt_via_rundll32.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/endpoint/windows_application_whitelisting_bypass_attempt_via_rundll32.yml b/detections/endpoint/windows_application_whitelisting_bypass_attempt_via_rundll32.yml index 21e3f16795..3264641fb1 100644 --- a/detections/endpoint/windows_application_whitelisting_bypass_attempt_via_rundll32.yml +++ b/detections/endpoint/windows_application_whitelisting_bypass_attempt_via_rundll32.yml @@ -33,7 +33,7 @@ search: | `process_rundll32` Processes.process IN ("*syssetup*", "*advpack*", "*setupapi*") Processes.process IN ("*LaunchINFSection*", "*InstallHinfSection*", "*SetupInfObjectInstallAction*") - NOT Processes.process=*Netskope* + NOT (Processes.parent_process_name="msiexec.exe" Processes.process=* C:\\Program Files (x86)\\Netskope\\EPDLP Deployment\\*) by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec From b4c002efb5be12858636f8529681c9e5a64872a3 Mon Sep 17 00:00:00 2001 From: p4t12ick Date: Thu, 26 Mar 2026 16:45:57 +0100 Subject: [PATCH 13/18] Update detections/endpoint/windows_account_access_removal_via_logoff_exec.yml Co-authored-by: Nasreddine Bencherchali --- .../endpoint/windows_account_access_removal_via_logoff_exec.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/endpoint/windows_account_access_removal_via_logoff_exec.yml b/detections/endpoint/windows_account_access_removal_via_logoff_exec.yml index a73b9ee565..6e71f43651 100644 
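Review bot: The new exclusion value `Processes.process=* C:\\Program Files (x86)\\Netskope\\EPDLP Deployment\\*` is unquoted, so SPL parses it as `Processes.process=*` (true for every event) followed by loose terms, and the unbalanced `(x86)` inside the NOT group will either fail to parse or negate far more than the Netskope installer; compare the quoted path the 7zip analytic uses in this same series. Suggest `NOT (Processes.parent_process_name="msiexec.exe" Processes.process="* C:\\Program Files (x86)\\Netskope\\EPDLP Deployment\\*")`. Pairing the path with the `msiexec.exe` parent is a clear improvement over the old `*Netskope*` substring, which any command line could satisfy. PATCH 16 touches this file again, but its hunk is outside this view, so I cannot tell whether it already addresses the quoting.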
--- a/detections/endpoint/windows_account_access_removal_via_logoff_exec.yml +++ b/detections/endpoint/windows_account_access_removal_via_logoff_exec.yml @@ -10,7 +10,7 @@ status: production description: "The following analytic detects the process of logging off a user through the use of the quser and logoff commands. By monitoring for these commands, the analytic identifies actions where a user session is forcibly terminated, which could be part of an administrative task or a potentially unauthorized access attempt. This detection helps identify potential misuse or malicious activity where a user’s access is revoked without proper authorization, providing insight into potential security incidents involving account management or session manipulation." search: |- | tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes - WHERE Processes.process_name = logoff.exe Processes.parent_process_name IN (cmd.exe, powershell.exe) + WHERE Processes.process_name = logoff.exe Processes.parent_process_name IN ("cmd.exe", "powershell.exe", "pwsh.exe") BY Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path From c40b390d3f5406c5157f12635ddf6454a4036a26 Mon Sep 17 00:00:00 2001 From: P4T12ICK Date: Fri, 27 Mar 2026 07:58:29 +0100 Subject: [PATCH 14/18] updated suggestions --- .../possible_lateral_movement_powershell_spawn.yml | 2 +- .../reg_exe_manipulating_windows_services_registry_keys.yml | 2 +- removed/deprecation_mapping.YML | 3 --- 3 files changed, 2 insertions(+), 5 deletions(-) rename detections/{deprecated => endpoint}/possible_lateral_movement_powershell_spawn.yml (99%) 
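Review bot: The description on the context line still says the analytic detects "the use of the quser and logoff commands", but the search matches only `Processes.process_name = logoff.exe`; quser appears nowhere in the condition, so the text promises coverage the search does not provide. Either reword the description, e.g. `detects execution of logoff.exe from a cmd.exe, powershell.exe or pwsh.exe parent, typically preceded by quser to enumerate sessions`, or add a quser branch if that was the intent. Adding `pwsh.exe` to the parent list is a good catch, since PowerShell 7 was previously missed.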
diff --git a/detections/deprecated/possible_lateral_movement_powershell_spawn.yml b/detections/endpoint/possible_lateral_movement_powershell_spawn.yml similarity index 99% rename from detections/deprecated/possible_lateral_movement_powershell_spawn.yml rename to detections/endpoint/possible_lateral_movement_powershell_spawn.yml index 9f13cb7499..e9dfe6dbd7 100644 --- a/detections/deprecated/possible_lateral_movement_powershell_spawn.yml +++ b/detections/endpoint/possible_lateral_movement_powershell_spawn.yml @@ -3,7 +3,7 @@ id: cb909b3e-512b-11ec-aa31-3e22fbd008af version: 14 date: '2026-03-26' author: Mauricio Velazco, Michael Haag, Splunk -status: deprecated +status: production type: TTP description: The following analytic detects the spawning of a PowerShell process as a child or grandchild of commonly abused processes like services.exe, wmiprvse.exe, svchost.exe, wsmprovhost.exe, and mmc.exe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process names, as well as command-line executions. This activity is significant as it often indicates lateral movement or remote code execution attempts by adversaries. If confirmed malicious, this behavior could allow attackers to execute code remotely, escalate privileges, or persist within the environment. data_source: diff --git a/detections/endpoint/reg_exe_manipulating_windows_services_registry_keys.yml b/detections/endpoint/reg_exe_manipulating_windows_services_registry_keys.yml index 36177885a3..fff43be548 100644 --- a/detections/endpoint/reg_exe_manipulating_windows_services_registry_keys.yml +++ b/detections/endpoint/reg_exe_manipulating_windows_services_registry_keys.yml 
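Review bot: Flipping `status` back to `production` restores an analytic whose deprecation reason, removed in this same patch, was that PowerShell under svchost.exe is commonly legitimate, yet the description on the next context line still lists svchost.exe among the parents and nothing in this hunk changes the search. If the search is unchanged, the false-positive source that justified deprecation comes back with it; either narrow the svchost.exe branch or state the expected noise explicitly in `known_false_positives`. Both the search and `known_false_positives` are outside this hunk, so this is inferred from the description and the removed mapping entry.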
@@ -12,7 +12,7 @@ data_source: - CrowdStrike ProcessRollup2 search: |- | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process_name) as process_name values(Processes.parent_process_name) as parent_process_name values(Processes.user) as user FROM datamodel=Endpoint.Processes - WHERE (Processes.process_name=reg.exe Processes.process=*reg* Processes.process=*add* Processes.process=*Services*) AND NOT Processes.process=*Eventlog\\Application* + WHERE (Processes.process_name=reg.exe Processes.process=*reg* Processes.process=*add* Processes.process=*Services*) BY Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path diff --git a/removed/deprecation_mapping.YML b/removed/deprecation_mapping.YML index 4bda8c7aab..ddfac7a29c 100644 --- a/removed/deprecation_mapping.YML +++ b/removed/deprecation_mapping.YML @@ -5,9 +5,6 @@ detections: - content: Processes launching netsh removed_in_version: 5.28.0 reason: Detection is deprecated as the usage of netsh.exe by itself is often used for legitimate purposes. - - content: Possible Lateral Movement PowerShell Spawn - removed_in_version: 5.28.0 - reason: Detection is deprecated as the usage of PowerShell as a child process of svchost.exe is often used for legitimate purposes. - content: CHCP Command Execution removed_in_version: 5.28.0 reason: Detection is deprecated as the usage of chcp.com by itself is not malicious. From 8be3693cf3dc824e48f90769a0922564fd9a37cb Mon Sep 17 00:00:00 2001 From: P4T12ICK Date: Fri, 27 Mar 2026 08:00:36 +0100 Subject: [PATCH 15/18] changed back to Anomaly --- .../windows_information_discovery_fsutil.yml | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) 
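Review bot: Dropping `AND NOT Processes.process=*Eventlog\\Application*` removes the only exclusion this search had, and the remaining `Processes.process=*Services*` is broad enough that event-log source registrations under `...\Services\EventLog\Application` written by ordinary installers will now fire; unless the `_filter` macro (outside this hunk) takes that over, expect a false-positive increase. If the exclusion was removed because the escaped backslashes did not match on some sources, the fix is `NOT Processes.process="*EventLog\\Application*"` rather than deleting it. Separately, `Processes.process=*reg*` adds nothing once `Processes.process_name=reg.exe` is required and can be dropped for readability.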
diff --git a/detections/endpoint/windows_information_discovery_fsutil.yml b/detections/endpoint/windows_information_discovery_fsutil.yml index 784b606d23..f2cab5ced7 100644 --- a/detections/endpoint/windows_information_discovery_fsutil.yml +++ b/detections/endpoint/windows_information_discovery_fsutil.yml @@ -4,7 +4,7 @@ version: 11 date: '2026-03-26' author: Teoderick Contreras, Nasreddine Bencherchali, Splunk status: production -type: Hunting +type: Anomaly description: | The following analytic identifies the execution of the Windows built-in tool FSUTIL with the "FSINFO" or "Volume" parameters, in order to discover file system and disk information. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. 
@@ -51,6 +51,22 @@ references:
 - https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS
 - https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/
 - https://www.microsoft.com/en-us/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
+drilldown_searches:
+ - name: View the detection results for - "$dest$"
+ search: '%original_detection_search% | search dest = "$dest$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+ - name: View risk events for the last 7 days for - "$dest$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+rba:
+ message: process $process_name$ with commandline $process$ is executed on $dest$
+ risk_objects:
+ - field: dest
+ type: system
+ score: 20
+ threat_objects: []
 tags:
 analytic_story:
 - Windows Post-Exploitation
From 0b219a6b1e66ec1a723f23b84ff0e6e9b30e89c2 Mon Sep 17 00:00:00 2001
From: P4T12ICK
Date: Fri, 27 Mar 2026 08:28:10 +0100
Subject: [PATCH 16/18] bug fix
---
 .../reg_exe_manipulating_windows_services_registry_keys.yml | 2 +-
 ...ows_application_whitelisting_bypass_attempt_via_rundll32.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/detections/endpoint/reg_exe_manipulating_windows_services_registry_keys.yml b/detections/endpoint/reg_exe_manipulating_windows_services_registry_keys.yml
index fff43be548..ddefa3e24e 100644
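Review bot: `threat_objects: []` leaves the new risk event with no threat object even though `rba.message` already names `$process_name$` and `$process$`, so risk-based correlation can only pivot on the host, not on what ran; if the search emits `process_name` after its `drop_dm_object_name` step (the search itself is outside this hunk), add `- field: process_name` / `type: process_name` under `threat_objects` where the repo's schema allows it. The `$process_name$`, `$process$` and `$dest$` tokens in `message` also presume those fields survive to the result set, which this hunk cannot confirm, so it is worth checking against the search before the Anomaly is enabled.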
--- a/detections/endpoint/reg_exe_manipulating_windows_services_registry_keys.yml
+++ b/detections/endpoint/reg_exe_manipulating_windows_services_registry_keys.yml
@@ -12,7 +12,7 @@ data_source:
 - CrowdStrike ProcessRollup2
 search: |-
 | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process_name) as process_name values(Processes.parent_process_name) as parent_process_name values(Processes.user) as user FROM datamodel=Endpoint.Processes
- WHERE (Processes.process_name=reg.exe Processes.process=*reg* Processes.process=*add* Processes.process=*Services*)
+ WHERE (Processes.process_name=reg.exe Processes.process=*reg* Processes.process=*add* Processes.process=*Services*)
 BY Processes.action Processes.dest Processes.original_file_name
 Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
 Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
diff --git a/detections/endpoint/windows_application_whitelisting_bypass_attempt_via_rundll32.yml b/detections/endpoint/windows_application_whitelisting_bypass_attempt_via_rundll32.yml
index 3264641fb1..c74bcbc5d4 100644
--- a/detections/endpoint/windows_application_whitelisting_bypass_attempt_via_rundll32.yml
+++ b/detections/endpoint/windows_application_whitelisting_bypass_attempt_via_rundll32.yml
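Review bot: The removed and added `WHERE` lines of reg_exe_manipulating_windows_services_registry_keys.yml render byte-identical here, so this "bug fix" is presumably trailing whitespace or a non-printing character that the view cannot show; a reviewer cannot confirm what was wrong or that it is now right. The commit message should name the defect (for example `remove trailing whitespace that broke the YAML block scalar`, if that is what it was) so the change is auditable, and a whitespace lint on `search:` blocks would catch the class of error before merge. The rest of the search continues outside the hunk.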
@@ -33,7 +33,7 @@ search: |
 `process_rundll32` Processes.process IN ("*syssetup*", "*advpack*", "*setupapi*")
 Processes.process IN ("*LaunchINFSection*", "*InstallHinfSection*", "*SetupInfObjectInstallAction*")
- NOT (Processes.parent_process_name="msiexec.exe" Processes.process=* C:\\Program Files (x86)\\Netskope\\EPDLP Deployment\\*)
+ NOT (Processes.parent_process_name="msiexec.exe" Processes.process="* C:\\Program Files (x86)\\Netskope\\EPDLP Deployment\\*")
 by Processes.action Processes.dest Processes.original_file_name
 Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
 Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
 Processes.process Processes.process_exec
From 44f3125d350fbaa24fdcef2fa88058c6c937286c Mon Sep 17 00:00:00 2001
From: P4T12ICK
Date: Fri, 27 Mar 2026 10:13:56 +0100
Subject: [PATCH 17/18] bug fix
---
 .../endpoint/system_user_discovery_with_whoami.yml | 9 ---------
 1 file changed, 9 deletions(-)
diff --git a/detections/endpoint/system_user_discovery_with_whoami.yml b/detections/endpoint/system_user_discovery_with_whoami.yml
index 52ae36ba3f..63347f84e8 100644
--- a/detections/endpoint/system_user_discovery_with_whoami.yml
+++ b/detections/endpoint/system_user_discovery_with_whoami.yml
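Review bot: The now-correctly-quoted exclusion `NOT (Processes.parent_process_name="msiexec.exe" Processes.process="* C:\\Program Files (x86)\\Netskope\\EPDLP Deployment\\*")` suppresses every INF-install via rundll32 on the strength of a parent *name* and a command-line *substring*, and both of those are chosen by whoever launches the process, so this is an allowlist on attacker-influenced text rather than on the product; the leading `*` also means any command line that merely contains that path is excluded. A vendor-specific carve-out in the shared search is a site-tuning decision, so it belongs in the per-detection filter macro if this repo still uses that pattern (the search tail is outside the hunk); if it must stay here, narrow it with fields already in the `by` clause, e.g. also require the full `Processes.parent_process` to be the MSI installer invocation rather than only `parent_process_name`. Either way `known_false_positives` should mention the Netskope deployment case so the exception is documented.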
@@ -32,15 +32,6 @@ how_to_implement: The detection is based on data that originates from Endpoint D
 known_false_positives: Administrators or power users may use this command for troubleshooting.
 references:
 - https://attack.mitre.org/techniques/T1033/
-drilldown_searches:
- - name: View the detection results for - "$user$" and "$dest$"
- search: '%original_detection_search% | search user = "$user$" dest = "$dest$"'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
- - name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
 tags:
 analytic_story:
 - Winter Vivern
From 30e0c541985c548f53a94879cd42755aa035eec5 Mon Sep 17 00:00:00 2001
From: nasbench <8741929+nasbench@users.noreply.github.com>
Date: Fri, 27 Mar 2026 12:21:22 +0100
Subject: [PATCH 18/18] Update ryuk_wake_on_lan_command.yml
---
 .../endpoint/ryuk_wake_on_lan_command.yml | 39 +++++++++++--------
 1 file changed, 22 insertions(+), 17 deletions(-)
diff --git a/detections/endpoint/ryuk_wake_on_lan_command.yml b/detections/endpoint/ryuk_wake_on_lan_command.yml
index 1ea2b64069..c7f9517159 100644
--- a/detections/endpoint/ryuk_wake_on_lan_command.yml
+++ b/detections/endpoint/ryuk_wake_on_lan_command.yml
@@ -11,23 +11,28 @@ data_source:
 - Windows Event Log Security 4688
 - CrowdStrike ProcessRollup2
 search: |-
- | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
- WHERE (
- Processes.process="* 8 LAN"
- OR
- Processes.process="* 8 LAN *"
- OR
- Processes.process="* 9 REP"
- OR
- Processes.process="* 9 REP *"
- )
- BY Processes.action Processes.dest Processes.original_file_name
- Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
- Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
- Processes.process Processes.process_exec Processes.process_guid
- Processes.process_hash Processes.process_id Processes.process_integrity_level
- Processes.process_name Processes.process_path Processes.user
- Processes.user_id Processes.vendor_product
+ | tstats `security_content_summariesonly`
+ count min(_time) as firstTime
+ max(_time) as lastTime
+
+ FROM datamodel=Endpoint.Processes WHERE
+
+ Processes.process IN (
+ "* 8 LAN",
+ "* 8 LAN *",
+ "* 9 REP",
+ "* 9 REP *"
+ )
+
+ BY Processes.action Processes.dest Processes.original_file_name
+ Processes.parent_process Processes.parent_process_exec
+ Processes.parent_process_guid Processes.parent_process_id
+ Processes.parent_process_name Processes.parent_process_path
+ Processes.process Processes.process_exec Processes.process_guid
+ Processes.process_hash Processes.process_id Processes.process_integrity_level
+ Processes.process_name Processes.process_path Processes.user
+ Processes.user_id Processes.vendor_product
+
 | `drop_dm_object_name(Processes)`
 | `security_content_ctime(firstTime)`
 | `security_content_ctime(lastTime)`
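Review bot: The rewritten search inserts four empty lines inside the `|-` block scalar (after `as lastTime`, after `WHERE`, after `)` and after `vendor_product`), which YAML keeps as literal newlines in the SPL; Splunk tolerates them, but none of the other searches touched in this series (reg_exe_manipulating_windows_services_registry_keys.yml, windows_application_whitelisting_bypass_attempt_via_rundll32.yml) break the pipeline up this way, so the style is inconsistent and the blank `+` lines look like stray edits in review. Dropping the four blank lines keeps the `IN (...)` simplification, which is the substantive change, and leaves the block readable. The predicate still keys only on command-line suffixes such as `"* 8 LAN"` with no executable constraint, as before; if telemetry is available, recording the observed false-positive rate in `known_false_positives` would help tuners, and that field is outside this hunk.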